Cloud-surfing orgs under attack, Microsoft antivirus for Chrome, Windows 10 S bypass, non-RSA gigs, and more
Your guide to this week in infosec
Roundup: Here's a roundup of this week's security news, beyond what we've already covered.
Besides RSA: BSides and OURSA
Sunday saw the start of the two-day BSides SF conference, which caters more for hackers – white, gray, and black hat – rather than this week's RSA Conference, which is aimed more at sales and marketing execs, and IT buyers. Both events took place in San Francisco this week; BSides being an unofficial offshoot of the RSA Conference.
El Reg had a chance to chat to Marcus "MalwareTech" Hutchins at BSides, the British reverse-engineer who last year stopped the WannaCry ransomware outbreak in its tracks, and was unexpectedly collared by the FBI on allegations he authored software nasties. He denies any wrongdoing, and has had to stay in California while awaiting trial in the US. After BSides, he popped over to Milwaukee, Wisconsin, for another court hearing as part of the ongoing proceedings.
Another $1000+ spent on flying to a court hearing for a day D:— MalwareTech (@MalwareTechBlog) April 20, 2018
Hutchins, who is a popular figure in the computer-security community, was controversially cuffed after the Feds nabbed another bloke, who was encouraged to spill all the names he could. The Brit couldn't say much at all about his case, for legal reasons, however, to your humble hack, he came across as a smart young man who hasn't let his involuntary sojourn in America sour him to his information-security profession.
Meanwhile, OURSA was also held this week in San Francisco. It was organized after RSA Conference's list of speakers for 2018 only had one woman keynote speaker. RSAC organizers claimed there just weren't that many women in the industry, hence the lack of diversity on the lineup, so OURSA was kickstarted to prove them wrong.
In the space of a few days, the OURSA organizers had assembled 14 eminently qualified woman speakers, and one bloke to leaven the mix, and the show sold out in less than 24 hours. You can watch the streamed sessions right here. We're still watching through it all; you can catch a summary here and here.
A big bunch of researchers and vendors waited until this conference week to emit details of their work – a somewhat nonsensical strategy that meant a lot of interesting research got buried in the flood of press releases. Here's a summary of what you may have missed.
The illicit hacking market is worth $1.5Tr annually, according to Dr Michael McGuire, senior lecturer in criminology at the UK's University of Surrey. Ransomware accounted for a lowly $1bn, while illicit markets saw turnover of over $860bn. Clearly the wages of sin are good.
Remember when cloud was being touted as the silver bullet of security by letting professionals handle your data? According to a McAfee survey this isn't working. One in five companies using public cloud systems have been attacked, and 25 per cent had suffered data theft. Nevertheless, 83 per cent store sensitive data in public cloud networks.
To help stop break-ins, the Online Trust Alliance (OTA), an offshoot of the Internet Society set up by the fathers of the internet Vint Cerf and Bob Kahn, has released a checklist [PDF] of what needs to be locked down on IoT devices to protect the network.
Bug bounty expert and founder of Luta Security Katie Moussouris gave a very well received talk at RSA on the pitfalls of bounty programs. For a start, firing one up means you get a lot of dodgy-looking activity on your networks as researchers start probing. There's also vulnerability fatigue: Moussouris set up Microsoft's first bounty scheme, and the job of sorting through thousands of suggested bugs, and accompanying documentation, can be a soul-killing one.
Meanwhile, at BSides, there was an excellent presentation from Tiberius Axinte, team leader at security shop Bitdefender, detailing a new form of state-sponsored malware specifically targeting macOS users. Not only does it come with the usual keylogger and backdoor, but it also steals iOS backups so it can snaffle voicemails and contacts.
LinkedIn has fixed a bug in its website software that could have been exploited by other sites to snatch visitors' names and email addresses from their LinkedIn profiles. This autofill-class flaw was found and reported by Jack Cable.
Intel has patched a bug in its firmware that could be exploited by malware, or a malicious logged-in user, with administrator privileges to delete, or tamper with, the system's firmware. You should install this security update as soon as you can from your motherboard or computer's manufacturer.
Microsoft has extended the backend of its Windows Defender antivirus and anti-phishing tech to Google Chrome, through an extension you can install. Basically, it stops you from clicking on links to dodgy websites that try to spread malware or steal your personal information, like Google's Safe Browsing feature that's built into Chrome.
"If you click a malicious link in an email or navigate to a site designed to trick you into disclosing financial, personal or other sensitive information, or a website that hosts malware, Windows Defender Browser Protection will check it against a constantly updated list of malicious URLs known to Microsoft," Redmond explained.
Speaking of Microsoft, Windows Defender Firewall is going to support Windows Subsystem for Linux processes, judging by the release notes for Windows 10 Insider Preview Build 17650 (RS5).
And Chinese anti-malware maker Qihoo 360 has spotted miscreants exploiting a zero-day – ie, unpatched – vulnerability in Internet Explorer, via booby-trapped Office documents, to infect and hijack victims. Microsoft has been alerted to the flaw and the ongoing attack, we're told.
Do you use TaskRabbit? Well, it got hacked. Punters are advised to change their passwords.
Georgia on our minds
One of the prevailing sentiments at all three shows this week was the universal contempt among information security professionals for the anti-hacking law now sitting on the desk of Georgia governor Nathan Deal awaiting his signature.
This legislation was partially inspired by the ransomware attack that caused havoc in Atlanta last month and left some city systems offline for days. It introduces severe penalties for hackers, but also for those who seek to defeat internet scumbags.
Under the proposed law, computer security researchers could face prosecution if they investigate systems looking for vulnerabilities. There's a very poorly worded exemption for businesses – such as professional penetration-testing outfits – however, is a freelance vulnerability researcher running a one-man consultancy a business? That's up to a prosecutor.
Even more disturbing is a provision that allows organizations that have been hacked to "hack back." This looks great on TV and in the movies, but in the real world it's a prospect that makes many security folk's blood run cold. Some pimply-faced youth in the IT department sees what they think is an attack and sends off one of their own, which triggers another round of retaliation, escalating until people's files and privacy are wrecked.
A cunning hacker could also take over the servers of a company he or she wanted to disrupt, fire off an attack from there against someone known to hack back, and get them to take down his original target while providing plausible deniability if he or she is caught. The possibilities for mayhem are endless.
The bill has passed both the senate and house of reps in Georgia, and is now with Governor Deal. Security professionals are urging a veto, and so far the bill remains unsigned. But, after 40 days, it will become law whether or not the governor deploys his John Hancock.
There were red faces at the Wall Street Journal, and presumably a panicked former North Korean, after the paper published a report on North Korean hackers. An interesting topic, but the scribes at the paper obviously didn't have a clue about operational security after they had to publish this correction:
"An earlier version of this article incorrectly included the name of a defector familiar with North Korea's cyber training, whose identity was included in violation of the agreement with the source." So that's his or her relatives still in North Korea off to a labor or death camp, then. ®