Wednesday 18 September 2013

F5 Networks buys Versafe to boost security offerings

F5 headquarters
F5 Networks has announced the acquisition of Israeli security firm Versafe in a move to boost the protection it can offer customers. Financial terms of the deal were not disclosed.
The firm said making the acquisition would help it bring even greater protection to its customers by ensuring that it is even more secure to access data, applications and manage security credentials over its network.
F5 chief technology officer Karl Triebes said this was vital as security threats facing businesses continue to evolve.
“Web applications are under increasing attack, which can lead to the theft of intellectual property, money, sensitive data and identity,” he said. “Versafe provides comprehensive, real-time detection and protection for every user, every device and every browser.”
The firm said some of the benefits of the deal would include improving the protection of its Application Delivery Firewall product to defend against fraud, phishing and malware attacks, and to improve protection of user credentials in its Identity and Access Management service.
The two firms had already been working closely together under F5’s Technology Alliance Partner programme and co-founder of Versafe Eyal Gruner said the deal would help the firm increase its expertise now it was part of the F5 fold.
“Businesses with mission-critical and sensitive web operations need a trusted advisor for security and one with a deep understanding of cybercrime,” he said.
“Together, F5 and Versafe plan to provide this support and deliver immediate protection against fraud, phishing, pharming, man-in-the-middle and malware threats.”
The deal is the latest acquisition by a network firm looking to boost its security offerings, after Cisco announced plans to pay a whopping $2.7bn for Sourcefire earlier this year.

“Chemical Trojans” baked into circuits could offer invisible way to steal secrets

“Hardware Trojans” could be baked invisibly into circuits by attackers, allowing them to grab secret keys from computer components without fear of detection – even by advanced inspection systems using optical microscopes.
The “Trojan” circuits could be used to steal secrets even from highly secure environments such as military installations or banks. The proposed Trojans would not differ from “real” chips in any of their metal components or polysilicon layers – instead, attackers would alter the “doping” of crystals in a few transistors. “Dopants” are trace impurities used to alter the electrical properties of crystals.
Such “dopant Trojans” could allow attackers to siphon off security keys remotely – and would be extremely difficult to detect, University of Massachusetts researchers warn.
In a paper, “Stealthy Dopant-Level Hardware Trojans”, researchers led by Georg T Becker of the University of Massachusetts
showed how it’s possible to create hardware Trojans which could not be detected by most security methods by simply altering the doping of “a few” transistors.
The researchers also showed off that a Trojan made in this way would allow an attacker to break any key generated by Intel’s secure RNG design, and claim that such chips can “compromise the security of a meaningful real-world target.”
Current security methods often rely on a “golden chip”, where an optical microscope scans a component layer by layer against a sample known to be “good”. The researchers claim that their dopant Trojans would be immune to this.
“Layout-level hardware Trojans that can resist optical inspection, which is believed to be a reliable way to detect layout-level hardware Trojans,” the researchers write. “ The proposed Trojans are inserted bymodifying only the polarity of dopant in the active area and are therefore practically invisible to optical reverse-engineering. From a technical point of view, such modications are certainly feasible in practice.”
The researchers warn that  introducing such chips into the supply chain may be easier than many companies imagine.
“Even if chips are manufactured in a trusted fab, there is the risk that chips with hardware Trojans could be introduced into the supply chain. The discovery of counterfeit chips in industrial and military products over the last years has made this threat much more conceivable.”
“The dopant Trojan can be used to compromise the security of a meaningful real-world target while avoiding detection by functional testing as well as Trojan detection mechanisms,” the researchers say. “Detecting this new type of Trojans is a great challenge. They set a new lower bar on how much overhead can be expected from a hardware Trojan in practice (i.e. zero!). Future work should include developing new methods to detect thesesub-transistor level hardware Trojans.”
Technology companies including Cisco, IBM and Microsoft already back an Open Group programme to protect computer hardware from spyware added to components in the supply chain. The goal is to “safeguard the global supply chain against the increased sophistication of cybersecurity attacks,” Open Group said in a statement. A new open standard, Open Trusted Technology Provider Standard (O-TTPS), aims to provide governments and companies with peace of mind when buying off-the-shelf IT products.
ESET researcher David Harley says in a blog post , “There’s a lot more to a supply chain than the production line. The number of entry points for the insertion of malicious software is so much greater, right up to the time the system hits the customer’s desk.”

“More trouble” brewing as mobile threats multiply “exponentially”, ex-ISACA chief warns

Mobile threats are becoming more complex, and more difficult to deal with as more and more devices become connected, a former vice-president of security trade body ISACA has warned.
“Expect more trouble,” Rolf von Roessing warned an audience of IT professionals at the 2013 EuroCACS conference. Roessing warned that iPhone users would not be immune – and that even companies which attempted to audit and control mobile devices would still find 30-40% “flying under the radar”.
““Android is currently more of a target than iOS, but attacks are happening against Apple mobile devices and, when they are breached, it is usually fairly serious,” Roessing said, according to a report in Computer Weekly.
Roessing described the threats affecting Android as multiplying “almost exponentially”. He recommended that staff addressed the problem of apps which have extensive “permissions” to access functions on devices.
Roessing said that firms which allowed users to “bring your own device” – BYOD – faced additional challenges, such as brand-locked mobiles which prevent the use of device management systems, and individuals who refused to hand over personal devices for security audits.
Roessing described the complex network of threats from connected “internet of things” devices and accelerating network speeds as a “tidal wave”.
“For effective protection, security professionals need access to mobile operating systems, but this is not always possible and consequently 30% to 40% of devices are under the radar,” said von Roessing.
“In the light of bring your own device (BYOD) programmes, it is more important than ever for end users to be aware of the risks involved,” Roessing said. “Organizations need to set aside adequate budgets to deal with these challenges comprehensively, otherwise all efforts will simply be a waste of money because of all the security gaps,” he said.
Roessing advised that companies ensure users are aware of risks – and recommended that companies rely on either an internal team to deal with security, or a trusted third party which could react quickly in event of a breach.
ESET Senior Researcher Stephen Cobb analyzes some of the risks facing Android users in a detailed blog post here. Cobb also offers tips on security for businesses in a guide, “Cybersecurity: Road Map for Businesses.”

Microsoft rushes out emergency fix for Internet Explorer after “targeted attacks”

Microsoft has released an emergency fix for a vulnerability in all versions of Internet Explorer – warning that targeted attacks are already attempting to exploit it.  Malicious websites could use the vulnerability to remotely run code on victim’s machines, Microsoft warned.
Microsoft described the targeted attacks against IE 8 and IE 9 as “extremely limited” so far, according to NBC News. The company admitted that other versions of the browser were vulnerable, but only IE 8 and IE 9 have been targeted so far. Cybercriminals are willing to pay large amounts of money to access such “zero day” vulnerabilities, often picking specific targets to attack while the vulnerability is still “fresh” and unknown, according to Jim Finkle of Reuters.
In a blog post, Dustin Childs of Microsoft’s Security Response Center said that the risks for users lay in attackers compromising trusted websites – or convincing them to click links in emails or instant messages.
“This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type,” Childs wrote.  “This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message.”
Child’s post also offers advice on how to mitigate the threat for users continuing to browse via Internet Explorer.
Microsoft has released a “Fix It” as a temporary solution, which can be downloaded from Microsoft’s site. Microsoft said that it will provide a more permanent solution either through its regular security update schedule, or through an “out of cycle” update.
“We are actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability,” Microsoft says.
“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

Fake card reader “texts” PINs to thieves instantly – and drains bank accounts in three hours

Most people are suspicious when a waiter takes a little too long to run a debit or credit card transaction – but a new pre-hacked card reader can steal details instantly, and “text” them to cybercriminals.
Gangs using the readers can empty bank accounts in three hours, according to Russian security experts – the $2,000 reader is offered as a “package” with a money laundering service built in.
Shown off in a video leaked to tech site The Register,  the card reader – looking very similar to models used in restaurants worldwide – is shown to “read” numbers including the PIN, which are then displayed on a computer screen.
In the video, the information is transferred via cable – but if the terminal is fitted with a GSM SIM card, it can “text” the information direct from a shop or restaurant table to teams of criminals. The device is offered as a package – alongside a “service” where teams of criminals use cloned cards to buy fake goods, demand refunds, then take the cash.  The video is used as a sales tool for the $2,000 device, which is sold on underground forums in Russia, according to The Register’s report.
Thieves can strip a customer’s bank account in under three hours, according to Russian security investigators Group-IB.

ESET Senior Research Fellow David Harley says, “The most worrying aspect of this story is the support services package. Unfortunately, developing such support networks is something for which Eastern European gangs have shown particular flair in recent years.”
“I suspect that we’ll see similar packages associated with banking Trojans that have the functionality to access information from smart card readers attached to Windows machines. “
“We have detected a new group that sells this modified model of POS terminals and provides services for illegal cash-outs of dumped PINs through their own ‘grey’ merchants: it seems they buy fake stuff, and then cash-out money,” said Andrey Komarov of Group-IB.
“It takes less than three hours. According to our information, this kind of service is really new, and it is also being used by different cybercriminals against the Russian bank Sberbank.”
Targeting point-of-sale terminals is not new, however – nor is it restricted to Russia. American bookstore Barnes & Noble admitted that data thieves had installed corrupted terminals in 63 stores in 2012, according to USA Today.
In September last year, an arrest of four men trading counterfeit debit cards led to a fifth suspect, who had a stash of counterfeit point of sales terminals, some partially disassembled, according to Toronto detective Ian Nichol, speaking to USA Today.
“Criminal gangs worldwide are illegally accessing active POS terminals and modifying them by inserting an undetectable electronic “bug” that captures cardholder data and PINs during normal transaction processing,” Visa says in a guide for businesses on how to prevent such fraud.

Obama Petitions FCC To Legalize Cell Phone Unlocking

The administration sent a petition to the FCC asking it to come up with new rules to override a law scheduled to take effect in January. The law would make it a crime punishable by up to five years in prison to unlock your cell phone without permission from your carrier.

New Microsoft IE zero-day vulnerability in the wild

Microsoft announced to be aware of a new IE Zero Day vulnerability (CVE-2013-3893) that affects Windows browsers IE 8 and IE 9 recently targeted by hackers.

Microsoft announced to be aware of the presence of a zero-day vulnerability (CVE-2013-3893) in its browser IE. Windows browsers IE 8 and IE 9 are affected by serious zero-day vulnerability recently targeted by hackers during attacks.
Microsoft confirmed that the flaw was unknown before the attacks and for this reason it is working on an official patch to protect its customers’ browser, anyway due the severity of the bug it has released a fix to protect the users. The official advisory issued today describes the IE zero-day vulnerability  as a  remote code bug that could be exploited by hackers to install malware on the victim’s machine just visiting a malicious link.
“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
MS zero-day vulnerability
We discussed several times on the efficiency of a zero-day vulnerability in the browsers and the possible risks related to its exploitation, victims could be infected despite they adopt all necessary countermeasures due the lack of knowledge on the flaw.
The exploitation of a zero-day flaw is very common for state-sponsored attacks, typically the discovery of such bugs requests a great effort in research and it’s expensive,  spear-phishing attacks and watering hole attacks are the most common attack scenarios. A hacker could host a website that serves maliciously exploit  for the this zero-day vulnerability, another possibility is the impairment of website usually visited by victims.
In the specific case if the attacker successfully exploited the zero-day vulnerability could gain the same user rights as the current user, due this reason MS confirmed that whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Applying the fix prepared by Microsoft may limit some functionalities of IE, so if user notices problems he can reverse the  fix.

Officials: Edward Snowden's Leaks Were Masked By Job Duties

Investigators have a good idea what documents NSA leaker Edward Snowden got and how he got them. Officials now tell NPR that he had access to a file-sharing site on the NSA's internal website, and it was actually his responsibility to move sensitive documents to a more secure location

Netflix IT department shuns BYOD security in favour of "freedom and responsibility"

netflix-logo-image
SAN FRANCISCO: The enterprise technology manager of movie and TV streaming giant Netflix has spoken of the balance his department has to strike in a company which strongly believes in freedom and responsibility among its employees while securing data and protecting networks.
Justin Slaten, speaking at a panel on security and ease of use at BoxWorks, explained that Netflix's corporate culture requires a certain degree of compromise when working on IT products for staff members.
"Our corporate culture is known as pioneering. Our culture is for freedom and responsibility," he said. "In IT it's hard to balance the freedom and responsibility while giving everybody the tools they need to be effective at their job and making sure there are no data leaks.
"The biggest challenges are in security – we put a lot of trust in our partners [vendors] – we work very closely with them and we encourage everybody in the department to join calls with vendors to talk about where they may be failing and succeeding, and what to do better."
The attitude of freedom also comes to the firm's BYOD culture, with Slaten admitting that he and his team "doesn't believe" in mobile device management (MDM). "We believe in securing the content and not necessarily the device," he explained. "People will use any device, we don't have any policy, we just protect the data."
Slaten stated that his priorities lie with creating an experience that is a frictionless as possible, so that while his teams have a choice as to how they work, they don't "go rogue" and start breaking protocol. Specifically talking about how the firm uses Box, he said that he had been able to strike this balance.
"As soon as there's friction and you find people finding tools on their own. If you're too locked down they'll find a way to share [files]. We have to stay ahead of the curve to allow them to do their job well by letting them have the freedom to use the tools they want to use."
Netflix's chief cloud architect Adrian Cockcroft took part in V3's Hot Seat column in June, opening up on his everyday work life and personal ambitions.
Netflix now boasts 40 million users and this week became the first online-only TV series producer to win an Emmy, picking up two for its hit series House of Cards.