Tuesday 17 March 2015

BIG DATA, BIG MESS: SOUND RISK INTELLIGENCE THROUGH COMPLETE CONTEXT

When it comes to cybersecurity, perhaps nothing has been as highly touted as the answer to every executive’s prayers as big data.
Years after “big data” became just another marketing buzzword, organizations are still grappling with the issue of how to use that data in a practical way.
Data is useful, but only if it’s being properly interpreted and conveyed. The problem isn’t with data, but with the way in which people are using it. Simply put, data alone is missing context.
Data alone presents a few problems, but many of them emerge from a single misguided view – that big data is the answer, not part of the answer.
Data without “complete context” is like a box of chocolates without the filling. It looks tasty, but bite into any of it and it’s nothing but air. All the good stuff is missing.

D-LINK PATCHES FLAWS IN IP CAMERAS, WIRELESS RANGE EXTENDERS

D-Link has released firmware updates to address serious security holes affecting the company’s DCS-93xL IP cameras and the DAP-1320 wireless range extender.
According to an advisory published by the CERT Coordination Center at Carnegie Mellon University, Tangible Security researchers discovered a high-severity unrestricted file upload vulnerability (CVE-2015-2049) in the D-Link DCS-93xL family of network cameras.
The flaw affects firmware version 1.04 and possibly other versions. The camera models that run the vulnerable firmware are DCS-931L, DCS-930L, DCS-932L, and DCS-933L.
A remote, authenticated attacker can exploit the vulnerability to upload arbitrary files to a specified location on the device. The flaw can be leveraged to create, modify or delete data, and possibly even execute arbitrary code, CERT said.
The same Tangible Security researchers also identified a command injection vulnerability (CVE-2015-2050) in the firmware update mechanism of D-Link DAP-1320 wireless range extenders.
“The D-Link DAP-1320 Rev Ax firmware version 1.11 (released 22 Dec 2013) has been shown to be vulnerable. Other firmware versions prior to version 1.21b05 may also be vulnerable,” CERT noted in a separate advisory.
A remote, unauthenticated attacker can exploit the firmware update mechanism bug to execute arbitrary commands on the device. However, the attack only works if network communications can be intercepted and manipulated, CERT said.
The security hole affecting D-Link DAP-1320 has been addressed with the release of firmware version 1.21b05. As for the network cameras, the issue is fixed in the recently released version 1.10 (Rev A) and version 2.01 (Rev B) of the firmware.
D-Link’s own security advisories, which might contain additional details on the bugs, are currently undergoing approval, but the company advises users to update the firmware on their devices.
Earlier this month, D-Link released firmware updates to address multiple vulnerabilities affecting several DIR routers. The flaws, related to the ncc/ncc2 service, could have been exploited to hijack DNS configurations, inject arbitrary commands, and gain access to sensitive information.

QUALYS RELEASES SSL LABS APIS FOR AUTOMATED WEBSITE TESTING

Cloud security and compliance solutions provider Qualys today announced the availability of free assessment APIs and a new tool that enable SSL Labs users to automate SSL vulnerability testing for websites.
Qualys SSL Labs is a non-commercial research effort that provides documentation on deploying SSL/TLS correctly, and tools that can be used to test a browser’s SSL implementation and a server’s configuration.
According to the company, the addition of API access allows security experts who manage more than one website to consolidate testing, detect configuration changes that might introduce vulnerabilities, and receive certificate expiration notifications.
The new server assessment APIs provide full access to the SSL Labs server inspection functionality, and allow users to conduct scheduled and bulk testing. The APIs also enable the integration of SSL Labs assessment with an organization’s security policies, Qualys said.
Automated and bulk testing can be carried out with ssllabs-scan, an open source command-line scanning tool that doubles as the reference API client. The new SSL Labs APIs, which can be used freely for non-commercial purposes, have already been integrated by third-party tools such as .Net Wrapper and Seccubus.
“Many organizations struggle to fully understand their exposure to various SSL/TLS security issues, due to the complexities of secure server configuration and constant change and attack disclosure in this space,” said Ivan Ristic, director of engineering at Qualys. “By offering free API access, we are enabling our users to automate website testing and regularly check their configuration in order to ensure websites are secure and protected from SSL vulnerabilities.”
Some major organizations are already planning on putting the new APIs to good use. According to Qualys, the Czech Republic (CZ) domain registry will use them to monitor over 1 million domains.
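The monitoring use case described above (bulk checks, weak-configuration findings, certificate expiry warnings) as an added example, not Qualys or ssllabs-scan code. It assumes the shape of the SSL Labs API v2 `analyze` response (`status`, `endpoints[].grade`, `endpoints[].details.cert.notAfter` in epoch milliseconds) and serves constructed responses through an injected fetcher so it runs offline; the hosts and grades are made up.

```python
"""Poll SSL Labs assessments for a list of hosts and turn the results into
findings: grades below policy and certificates close to expiry.
Added example; the sample responses below are constructed, not real scans."""
import json
import time
from typing import Callable, Dict, List

ANALYZE_URL = "https://api.ssllabs.com/api/v2/analyze"  # reference endpoint
ACCEPTABLE_GRADES = {"A+", "A", "A-"}   # site policy: anything else is a finding
EXPIRY_WARNING_DAYS = 30
MS_PER_DAY = 86_400_000

def poll_assessment(host: str, fetch: Callable[[str], str], max_polls: int = 10,
                    sleep: Callable[[float], None] = time.sleep) -> dict:
    """Call the analyze endpoint until status is READY or ERROR.
    'fetch' returns the JSON body for a URL (injected so tests stay offline)."""
    url = f"{ANALYZE_URL}?host={host}&all=done"
    for _ in range(max_polls):
        report = json.loads(fetch(url))
        if report.get("status") in ("READY", "ERROR"):
            return report
        sleep(0)  # a real client waits several seconds between polls
    raise TimeoutError(f"assessment of {host} did not finish")

def findings(report: dict, now_ms: int) -> List[str]:
    """Turn one finished report into a list of human-readable findings."""
    out = []
    host = report.get("host", "?")
    if report.get("status") != "READY":
        return [f"{host}: assessment failed: {report.get('statusMessage')}"]
    for ep in report.get("endpoints", []):
        ip, grade = ep.get("ipAddress", "?"), ep.get("grade")
        if grade not in ACCEPTABLE_GRADES:
            out.append(f"{host} ({ip}): grade {grade!r} below policy")
        not_after = ep.get("details", {}).get("cert", {}).get("notAfter")
        if not_after is not None:
            days_left = (not_after - now_ms) / MS_PER_DAY
            if days_left < EXPIRY_WARNING_DAYS:
                out.append(f"{host} ({ip}): certificate expires in {days_left:.0f} days")
    return out

def monitor(hosts: List[str], fetch: Callable[[str], str], now_ms: int) -> Dict[str, List[str]]:
    """Assess every host and collect its findings (empty list = compliant)."""
    return {h: findings(poll_assessment(h, fetch), now_ms) for h in hosts}

# Constructed sample responses standing in for the live API (hypothetical hosts).
NOW_MS = 1_426_550_400_000  # 17 March 2015, 00:00 UTC
SAMPLE = {
    "good.example": [
        {"host": "good.example", "status": "IN_PROGRESS", "endpoints": []},
        {"host": "good.example", "status": "READY", "endpoints": [
            {"ipAddress": "192.0.2.10", "grade": "A",
             "details": {"cert": {"notAfter": NOW_MS + 200 * MS_PER_DAY}}}]},
    ],
    "weak.example": [
        {"host": "weak.example", "status": "READY", "endpoints": [
            {"ipAddress": "192.0.2.20", "grade": "F",
             "details": {"cert": {"notAfter": NOW_MS + 10 * MS_PER_DAY}}}]},
    ],
}

def make_fetch(sample: Dict[str, List[dict]]) -> Callable[[str], str]:
    """Offline fetcher: serves each host's constructed responses in order,
    repeating the last one (as the API does once a scan is finished)."""
    calls: Dict[str, int] = {}
    def fetch(url: str) -> str:
        host = url.split("host=")[1].split("&")[0]
        i = calls.get(host, 0)
        calls[host] = i + 1
        return json.dumps(sample[host][min(i, len(sample[host]) - 1)])
    return fetch

if __name__ == "__main__":
    for host, items in monitor(list(SAMPLE), make_fetch(SAMPLE), NOW_MS).items():
        print(host, items or ["ok"])
```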

SOUTH KOREA ACCUSES NORTH OF CYBER-ATTACKS ON NUCLEAR PLANTS

South Korea’s government accused North Korea Tuesday of carrying out cyber-attacks last December on its nuclear power plant operator, describing them as a provocation which threatened people’s lives and safety.
“We condemn North Korea’s persistent cyber-terror targeting our country and the international community,” the unification ministry said after investigators concluded the North was behind the attacks.
“It’s a clear provocation against our security,” the ministry said in a statement, accusing Pyongyang of “taking the life and safety of our people as a hostage”.
Tensions between the neighbors are running high after the South this month held joint military drills with the United States, which the North has condemned as provocative rehearsals for invasion.
Last December hackers published designs, manuals and other information about South Korean reactors on Twitter, along with personal information about workers at their operating company, Korea Hydro and Nuclear Power (KHNP).
The leaks prompted the South to heighten cyber-security and form an investigation team involving experts, government officials and state prosecutors.
The team on Tuesday said the hackers intended to cause a malfunction at atomic reactors, but failed to break into their control system.
It said malicious codes used in the cyber-attacks were similar to those which North Korean hackers have employed before.
“We’ve reached the conclusion that the crime was committed by a group of North Korean hackers seeking to stir up social unrest and agitation in our country,” the investigators said in a statement.
They said the hackers used multiple Internet protocol addresses based in China to send some 6,000 “phishing” emails to over 3,570 former and current KHNP workers to steal the data.
‘Social chaos’
KHNP officials have said the 23 nuclear reactors, which supply about 30 percent of the country’s electricity, were safe because their control system was separated from external networks.
They also said the material leaked by the hackers was not classified and did not affect safety.
Seoul has blamed North Korean hackers for a series of cyber-attacks on military institutions, banks, government agencies, TV broadcasters and media websites in recent years.
The United States also said the North was behind a cyber-attack which damaged the computer network of Sony’s Hollywood film unit over its controversial North Korea-themed satirical film “The Interview” last year.
Pyongyang denied involvement in the Sony hack but strongly condemned the film, which features a fictional plot to assassinate leader Kim Jong-Un.
South Korea’s unification ministry on Tuesday blasted Pyongyang for seeking to throw South Korea into “social chaos” with cyber-attacks on its crucial infrastructure.
North Korea has become increasingly bellicose in recent weeks ahead of large-scale joint military drills between the US and South Korea. One of the joint drills, Key Resolve, wound up last week, while the other, Foal Eagle, is set to continue until April 24.
The exercises are always a particularly testing time for relations between the two Koreas, who remain technically at war because the 1950-53 Korean conflict ended with a ceasefire, rather than a peace treaty.
North Korea displayed displeasure when this year’s drills began by firing two short-range missiles into the sea off its east coast. Last week it fired another seven surface-to-air missiles into the sea.

FREAK ATTACKS MADE CHEAPER BY REPEATED RSA KEYS: RESEARCHERS

The number of servers affected by the recently disclosed FREAK bug has decreased considerably over the past couple of weeks, but researchers have determined that a large number of potential targets are vulnerable, and attacks could be much cheaper and easier to pull off than initially believed.
The FREAK (Factoring attack on RSA-EXPORT Keys) vulnerability exists because many SSL/TLS servers still support weak, export-grade RSA ciphers. An attacker who can intercept the connection can force the client to use the weak cipher and decrypt encrypted communications.
The flaw affects popular cryptographic software libraries such as OpenSSL, BoringSSL, LibreSSL, Microsoft’s Secure Channel (Schannel), and Apple’s Secure Transport. The bug has been patched in these libraries, but according to researchers at the Royal Holloway University of London, there are still over 2 million vulnerable servers.
On March 3, when the vulnerability was disclosed, experts noted that 26% of all HTTPS servers were vulnerable. Last week, Royal Holloway researchers conducted a scan using a modified version of the zmap tool to determine how many servers still support export-grade ciphersuites. Of the 22,730,626 hosts they scanned, 2,215,504 offered export-grade 512-bit RSA keys, which represents 9.7% of the total.
As cryptography experts noted after the FREAK flaw was uncovered, an attacker can normally recover the private key needed to decrypt communications in roughly 7.5 hours using Amazon’s EC2 service and it would cost them $104.
However, researchers have now determined that an attack can be much cheaper and less time-consuming because many of the identified keys are duplicates.
“We observed 664,336 duplicate moduli in the set of 2,215,504 512-bit moduli obtained from our scanning. One single modulus was found 28,394 times, two further moduli arose more than 1,000 times each and a total of 1,176 moduli were seen 100 times or more each,” researchers explained in their paper.
Apparently, the key that shows up over 28,000 times corresponds to a router with an SSL VPN module. An attacker can crack the key for $100 and then use it to target all of the affected devices, which would result in a cost of only 0.3 cents per host.
As for the remaining 1,551,168 unique 512-bit RSA keys, researchers managed to factor 90 of them, corresponding to close to 300 hosts, in just 167 seconds on eight 3.3GHz Xeon cores by using a program developed in 2012.
“The computation took less than 3 minutes on an 8-core system, saving the $9,000 that a cloud computation would have cost if each modulus had been attacked directly. We consider this to be a good return on investment for a Friday afternoon’s work,” researchers said.
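An added example (not the researchers' program, which the article does not name) of the two observations above as an audit over a key inventory: counting duplicate moduli, finding moduli that share a prime factor (which a GCD splits without any factoring effort), and the per-host cost when one factored key covers many hosts. The moduli are constructed from small primes so the block runs instantly; pairwise GCD is used here, which is enough for a few thousand keys.

```python
"""Audit a set of RSA moduli for duplicates and shared prime factors.
Added example; the primes below are constructed toy values, not key material."""
from collections import Counter
from math import gcd
from typing import Dict, List, Tuple

def duplicate_moduli(moduli: List[int]) -> Counter:
    """Map each modulus to the number of hosts presenting it (count > 1 = one key, many hosts)."""
    return Counter(moduli)

def shared_prime_factors(moduli: List[int]) -> Dict[int, Tuple[int, int]]:
    """Pairwise GCD over the distinct moduli. A non-trivial GCD is a prime both
    moduli share, so both split immediately: modulus = (g, modulus // g).
    Pairwise is O(n^2); the 2012-era batch-GCD programs use a product tree to
    do the same over millions of moduli, but the principle is this."""
    distinct = sorted(set(moduli))
    found: Dict[int, Tuple[int, int]] = {}
    for i, n1 in enumerate(distinct):
        for n2 in distinct[i + 1:]:
            g = gcd(n1, n2)
            if 1 < g < n1:
                found[n1] = (g, n1 // g)
                found[n2] = (g, n2 // g)
    return found

def cost_per_host(cost_per_key_usd: float, hosts_sharing_key: int) -> float:
    """Cents per host when one factored key is reused across many hosts."""
    return 100.0 * cost_per_key_usd / hosts_sharing_key

def audit(moduli: List[int]) -> Dict[str, object]:
    """Summarise what a scan like the one described would reveal."""
    counts = duplicate_moduli(moduli)
    return {
        "hosts": len(moduli),
        "distinct": len(counts),
        "most_common": counts.most_common(1)[0],
        "gcd_factored": shared_prime_factors(moduli),
    }

# Constructed primes near 10^6 (pairwise coprime; not real key material)
P, Q, R, S, T, U, V = 1_000_003, 1_000_033, 1_000_037, 1_000_039, 1_000_081, 1_000_099, 1_000_117
ROUTER_KEY = P * Q   # one modulus shipped in many devices, as in the article
UNIQUE_1 = R * S     # shares R with UNIQUE_2: both recoverable by one GCD
UNIQUE_2 = R * T
UNIQUE_3 = U * V     # truly unique: no shortcut, would need real factoring

SCAN = [ROUTER_KEY] * 5 + [UNIQUE_1, UNIQUE_2, UNIQUE_3]

if __name__ == "__main__":
    print(audit(SCAN))
    # 28,394 hosts behind one $100 key, as the article reports:
    print(f"{cost_per_host(100, 28_394):.2f} cents per host")
```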

Windows 10 for Phones UI Leaked in Screenshots of Unreleased Build

A new set of screenshots of Microsoft’s Windows 10 for phones platform has been leaked to the Web, revealing some new functions apart from user interface changes that may arrive in the final consumer version. The images do not show the build number of the OS running on the handset, but are claimed to be from an as-yet-unreleased 8.15.12521 build.
Leaked by Polish website Windowsmania (via WMPoweruser), the Windows 10 for phones build 12521 seen in the images sports several new features, such as the inclusion of LED notifications for phone updates, Windows Store, and other apps. This also triggers the rumour of future Microsoft Lumia devices featuring LED hardware design. Currently, the Lumia 730, Lumia 735, and Lumia 930 feature an LED notification light.
The screenshots also suggest that users would be able to change or delete their primary Microsoft account from the Windows 10 device without resetting their handsets. On deleting the account, all the apps installed by the user will be removed. Additionally, like Windows 10 for desktops, Windows 10 for phones will also let users set which apps can use the onboard microphone. Customisation of sync settings is also possible.
Another change seen in the screenshots is the new circular user avatar, which until now in Windows Phone 8.1 was square. New sleek oval shaped toggle buttons are also seen in the leaked screenshots, as well as new wire-frame status icons. Also seen is the ability to import or export contacts from SIM card, as well as the new Messaging and People apps.
In the meanwhile, an unreleased Microsoft Windows 10 build for desktops was leaked via torrent websites, revealing more features. Build 10036 of the Windows 10 Technical Preview reportedly sports new icons, functions and the use of a peer-to-peer (P2P) protocol for updates. A transparent Start Menu button, a new user interface for Wi-Fi connectivity and a new task view for virtual desktops are other features inside the leaked OS build 10036.

Micromax’s Yu Confirms Lollipop for ‘Project Caesar’; Takes a Dig at Xiaomi

Micromax subsidiary Yu Televentures has started teasing its upcoming smartphone. The company took to social platforms such as Facebook and Twitter to confirm that the successor to the Yureka smartphone, codenamed ‘Project Caesar’, will run Android 5.0 Lollipop.
The company also mocked Xiaomi’s Mi devices that still run Android 4.4 KitKat out-of-the-box while Google’s Android 5.0 Lollipop has been around for some time. The Facebook post read, “KitKat in the age of Lollipop? Give Me a break!”
Notably, the letter ‘M’ in the word ‘Me’ in the image resembles Xiaomi’s Mi logo and clearly takes a dig at the company’s recently launched Xiaomi Redmi 2 and Xiaomi MiPad – both run MIUI 6 skin based on Android 4.4 KitKat. The tagline notes, “Project Caesar: Stay tuned, the fYUture is coming!”
The company shared another teaser on Facebook that said, “Lollipop comes pre-loaded with Project Caesar! Why would YU buy anything else?”
The details about the “Project Caesar” phone are limited at the moment. A recent report, citing Micromax Co-Founder Rahul Sharma, tipped that the handset will run on the ‘Android L’ or Lollipop version of Cyanogen OS, implying a slightly customised version of CM12S and will launch for the Indian market in April.
We can expect more details about the upcoming Yu’s “Project Caesar” phone to come as the launch nears.
Yu earlier this month also confirmed the Android 5.0 Lollipop update for its Yureka smartphone to roll out soon.
To recall, Yu Televentures partnered Cyanogen last year to offer a customised user experience to buyers of its Yureka smartphone and adopted an online sale strategy to counter other brands such as Motorola and Xiaomi among others.

NATIVE HADOOP SECURITY TOOLS FALL SHORT IN BIG DATA ENVIRONMENTS: SURVEY

While an overwhelming majority of Hadoop users agree that data security is a critical requirement, most disagree or are not sure that its native security tools provide enough protection for their sensitive data, according to a recent survey.
When a small but targeted audience of 150 attendees at last month’s Strata + Hadoop World Summit in San Jose, Calif., were asked whether data security is a critical requirement for their Hadoop data lake or hub, 86 percent said that it was.
The survey, conducted by Protegrity, a provider of enterprise data security solutions, also found that 80 percent of respondents said their organizations will be spending more on Hadoop-related projects this year.
“When 89 percent of the Big Data professionals we surveyed disagree or are not sure that security tools native to Hadoop provide enough protection for their sensitive data, it demonstrates a tremendous need for increased education around Big Data security and the availability of more robust data security solutions for Hadoop,” said Protegrity CEO Suni Munshani.
In terms of usage, 80 percent of those surveyed indicated that their organizations are already using Hadoop in production environments.
“Enterprises are storing and processing data across many execution engines at a scale that has not been possible before. This in turn has made security a crucial component of enterprise Hadoop,” said Munshani. “Given how those surveyed said that production deployments and spending on Hadoop Big Data projects are increasing, responsible organizations are looking to apply enterprise-grade security to their highly sensitive data in Hadoop to meet corporate risk management standards, privacy policies and complex compliance and regulatory requirements.”
“While not surprising, these findings are alarming. They show that in the past few years enterprise technology environments have changed dramatically but the tools used to secure them haven’t adapted accordingly,” Andrew Rubin, CEO of Illumio, told SecurityWeek. “Today, 80 percent of the traffic within data centers, which include Hadoop databases, has little-to-no form of network security applied. There is an absolute lack of needed segmentation, encryption or visualization of any sort.”
“Since the vast bulk of breaches occur inside the data center, IT managers must turn to new approaches and invest in solutions that reduce attack surfaces, enable encryption and stay a step ahead of the most worrisome threats,” Rubin added.

MICROSOFT TARGETS CODE HIJACKING WITH RELEASE OF EMET 5.2

Microsoft has released version 5.2 of its Enhanced Mitigation Experience Toolkit (EMET), which offers increased security protections in several areas, including code hijacking attacks and improvements in Attack Surface Reduction (ASR) mitigation.
For those unfamiliar with the tool, as Microsoft explains it, EMET “anticipates the most common actions and techniques adversaries might use” in compromising a computer, and helps protect systems against new and undiscovered threats and exploits by diverting, terminating, blocking, and invalidating those actions and techniques.
According to Microsoft, EMET 5.2’s native DLLs have been compiled with Control Flow Guard (CFG), a new feature introduced in Visual Studio 2015 that helps detect and stop attempts of code hijacking. EMET native DLLs (i.e. EMET.DLL) are injected into the application process EMET protects, Microsoft said.
Because Microsoft strongly encourages third-party developers to recompile their applications to take advantage of the latest security technology, EMET itself has been compiled with CFG. More information on CFG is available in a blog post from the Visual C++ Team.
Additionally, the configuration for the ASR mitigation in EMET 5.2 has been improved to stop attempts to run the VBScript extension when loaded in the Internet Explorer’s Internet Zone. This would mitigate the exploitation technique known as “VBScript God Mode” observed in recent attacks, Microsoft explained.
Finally, EMET 5.2 fully supports alerting and reporting from Modern Internet Explorer, or Desktop IE with Enhanced Protected Mode enabled.
While EMET does add an extra layer of security against various attacks, the toolkit has been bypassed or disarmed on several occasions by researchers in the past.
In late September 2014, researchers presented a method that can be used to disarm EMET 5.0. Not long after, in Nov. 2014, researcher René Freingruber found “numerous methods to get around the basic protection mechanisms of EMET.”
Additionally, while the tool is stable overall, users should be cautious when using it, as Microsoft has warned that some security mitigation technologies may break applications. The software giant strongly suggests thoroughly testing EMET in all target use scenarios before rolling it out to a production environment.
“There is no one tool capable of preventing all attacks. EMET is designed to make it more difficult, expensive and time consuming, and therefore less likely, for attackers to exploit a system,” a Microsoft spokesperson previously told SecurityWeek.

FACEBOOK SAYS DROP IN U.S. GOVERNMENT DATA REQUESTS DURING FINAL 6 MONTHS OF 2014

U.S. government requests for Facebook user data dropped off in the second half of 2014, according to the social networking site’s latest Transparency Report.
During the final six months of the year, requests for data from the U.S. government fell to 14,274, down from 15,433 during the first half of the year. The requests in the second half of the year dealt with 21,731 accounts. Facebook provided at least some of the requested data in around 79 percent of the cases. The largest category of requests was search warrants, which accounted for 7,924 of the cases. The second largest category is subpoenas, which accounted for 4,638. Somewhere between zero and 999 of the requests were National Security Letters.
“Overall, we continue to see an increase in government requests for data and content restrictions,” blogged Monika Bickert, Facebook’s head of global policy management, and Chris Sonderby, the company’s deputy general counsel. “The amount of content restricted for violating local law increased by 11% over the previous half, to 9,707 pieces of content restricted, up from 8,774. We saw a rise in content restriction requests from countries like Turkey and Russia, and declines in places like Pakistan.”
“The number of government requests for account data remained relatively flat, with a slight increase to 35,051 from 34,946,” they blogged. “There was an increase in data requests from certain governments such as India, and decline in requests from countries such as the United States and Germany.”
The amount of content restricted for violating local law increased by 11 percent over the previous half of the year, according to Facebook.
Last month, Twitter released its own transparency report and revealed that governments made a total of 4,929 requests for user information in 2014. That number was up from 2,567 in the United States. According to the report, Twitter provided information to the U.S. government in 80 percent of the cases.

RESEARCHER TO REVEAL MAC OS X DLL HIJACKING ATTACK

DLL hijacking is not just a Windows thing: it turns out that a conceptually similar attack is possible for OS X systems.
According to new research from Synack’s Patrick Wardle, DLL hijacking on Macs can be used to circumvent security features like Apple’s Gatekeeper to infect vulnerable computers. Wardle will be presenting on the issue this week at the CanSecWest Applied Security conference in Vancouver.
“OS X dylib [dynamic library] hijacking is conceptually similar to Windows DLL hijacking,” explained Wardle, director of research at Synack. “In both cases, there exist situations where the OS loader will look for required dependent libraries in multiple places. If the legitimate library is not found in a primary location, e.g. the first directory the loader looks in, the attacker can then plant a malicious library there. From then on, whenever the application is launched – either by the OS or by the user – the loader will now find and blindly load the attacker’s malicious library since the loader first looks in the location where the attacker planted the library.”
The attack relies on leveraging vulnerable apps, and Wardle plans to release an open source python script and a UI application that can be used to scan for them. A scan of his computer, he noted, turned up nearly 150 vulnerable applications, including both Apple applications and third-party apps.
The attack circumvents Gatekeeper, an anti-malware feature that allows users to restrict what sources they can install applications from in order to reduce the likelihood of being infected by a Trojan horse. The feature is included in OS X Lion 10.7.5, OS X Mountain Lion and later versions of the operating system.
“The details of the attack will be revealed at the conference,” he stated. “However, I can summarize. There exists a situation where Gatekeeper does not validate everything that is downloaded as it should in a software package such as a .dmg file. This opens up a scenario where an attacker can create a software package or infect a legitimate download that Gatekeeper will trust when the user opens it. So even if the user has set Gatekeeper to only allow code from the Mac App Store…the attacker’s malicious unsigned dylib will still be loaded and allowed to execute, thus infecting the user.”
The attack is quite elegant as it abuses legitimate functionality of the operating system but is very simple for an attacker to use, added Wardle.
“It can be used in attack scenarios such as persistence, load-time process injection, etc,” he explained. “Other attacks that achieve similar goals…are complex, and easily detected [and] prevented. Using this dylib hijack attack, an attacker can achieve the same goal by simply dropping a dylib bundle. That’s it. That combined with the tools I’ll be releasing…make this a trivial, yet fairly devastating attack.”
CanSecWest will be held from March 18 to March 20.
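The loader-search situation Wardle describes, as an added audit example for one's own applications (not Wardle's scanner): an `@rpath` dependency that dyld would first look for in a directory where the library does not exist. It parses text in the format of `otool -l` and checks candidate paths against a constructed set of existing files so it runs offline; Demo.app, its paths and library names are made up, and the `@executable_path`/`@loader_path` handling covers only the main executable.

```python
"""Flag @rpath dylib dependencies whose first search location(s) are missing.
Added example; the otool excerpt and file list below are constructed."""
import posixpath
import re
from typing import Dict, List, Set, Tuple

DYLIB_CMDS = {"LC_LOAD_DYLIB", "LC_LOAD_WEAK_DYLIB", "LC_REEXPORT_DYLIB"}
OFFSET = re.compile(r"\s*\(offset \d+\)$")

def parse_load_commands(otool_text: str) -> Tuple[List[str], List[str]]:
    """Return (LC_RPATH entries in declaration order, dependent dylib install names)."""
    rpaths, dylibs, cmd = [], [], None
    for line in otool_text.splitlines():
        line = line.strip()
        if line.startswith("cmd "):
            cmd = line.split()[1]
        elif line.startswith("path ") and cmd == "LC_RPATH":
            rpaths.append(OFFSET.sub("", line[5:]))
        elif line.startswith("name ") and cmd in DYLIB_CMDS:
            dylibs.append(OFFSET.sub("", line[5:]))
    return rpaths, dylibs

def expand(path: str, executable: str, loader: str) -> str:
    """Substitute dyld's @executable_path / @loader_path and normalise '..'."""
    path = path.replace("@executable_path", posixpath.dirname(executable))
    path = path.replace("@loader_path", posixpath.dirname(loader))
    return posixpath.normpath(path)

def search_order(install_name: str, rpaths: List[str], executable: str) -> List[str]:
    """The ordered locations dyld tries for one @rpath/... install name."""
    rel = install_name[len("@rpath/"):]
    return [posixpath.join(expand(rp, executable, executable), rel) for rp in rpaths]

def audit(otool_text: str, executable: str, existing: Set[str]) -> Dict[str, List[str]]:
    """For each @rpath dylib, list the candidate paths dyld checks *before* the
    one where the real library lives. A non-empty list means a writable copy
    of that path would be loaded first; an all-missing list means the
    dependency is never satisfied at all."""
    rpaths, dylibs = parse_load_commands(otool_text)
    report = {}
    for name in dylibs:
        if not name.startswith("@rpath/"):
            continue  # absolute install names have a single, fixed location
        order = search_order(name, rpaths, executable)
        hits = [i for i, p in enumerate(order) if p in existing]
        report[name] = order[:hits[0]] if hits else order
    return report

# Constructed `otool -l` excerpt and filesystem for a hypothetical Demo.app
EXE = "/Applications/Demo.app/Contents/MacOS/Demo"
OTOOL = """\
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name /usr/lib/libSystem.B.dylib (offset 24)
Load command 13
          cmd LC_LOAD_DYLIB
      cmdsize 48
         name @rpath/libDemoCore.dylib (offset 24)
Load command 14
          cmd LC_RPATH
      cmdsize 40
         path /usr/local/lib/demo (offset 12)
Load command 15
          cmd LC_RPATH
      cmdsize 48
         path @executable_path/../Frameworks (offset 12)
"""
FILES = {"/Applications/Demo.app/Contents/Frameworks/libDemoCore.dylib",
         "/usr/lib/libSystem.B.dylib"}

if __name__ == "__main__":
    for lib, gaps in audit(OTOOL, EXE, FILES).items():
        print(lib, "-> searched first in missing:", gaps or "none")
```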