Archive for November 2016

Google to Distrust WoSign/StartCom Certificates

Google has joined Mozilla and Apple and will distrust WoSign and StartCom certificates beginning in 2017. That leaves Microsoft as the only major browser holdout.

Tens of thousands of desktops, laptops, servers, appliances and apps running in the cloud for businesses and government agencies trust WoSign and StartCom, certificate authorities (CAs) that up until recently played a key role in web security by issuing digital certificates to website operators. These certificates are trusted by browsers to authenticate secure connections to websites.

But on August 17, Google was notified by GitHub's security team that WoSign had issued a certificate for one of GitHub's domains without its authorization. This prompted an investigation, conducted in public as a collaboration with Mozilla and the security community, which found a number of other cases of WoSign mis-issuance.

The investigation concluded that WoSign knowingly and intentionally mis-issued certificates in order to circumvent browser restrictions and CA requirements.

“WoSign and StartCom, their secretly acquired subsidiary, have made a mockery of the global system of trust that runs e-commerce and allows us to safely run downloaded apps on our computers,” said Kevin Bocek, vice president of Security Strategy and Threat Intelligence for Venafi, in an email. “It's encouraging to see Google join Apple and Mozilla in taking the right steps to obliterate WoSign and StartCom as being trusted in browsers. Microsoft must do the same. Inaction is unconscionable.”

Further, StartCom, another CA, had been purchased by WoSign, and had replaced infrastructure, staff, policies and issuance systems with WoSign's. However, when pressed, neither company would be transparent about their relationship.

“Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome, in accordance with our Root Certificate Policy,” said Andrew Whalley of Chrome Security, in a post. “CAs who issue certificates outside the policies required by browsers and industry bodies can put the security and privacy of every web user at risk.”

Google is taking a phased approach to distrust: Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21 will not be trusted. In subsequent Chrome releases, pre-existing certificates will be phased out, culminating in the full distrust of these CAs.

Enterprises will need to take action too. Bocek added, “Organizations need to follow the guidance of NIST and others to automate their response to eliminate unneeded and unnecessary CAs from their systems. Most businesses and governments don’t know what certificates they use and what CAs they trust. The status quo leaves businesses with an unacceptable level of risk.”

Source: Information Security Magazine

Sophos Buys Machine Learning Vendor Barricade

Sophos has announced the acquisition of Irish security firm Barricade, adding behavior-based analytics to its endpoint offering.

Barricade offers a technology platform that it claims can enhance the ability to identify malicious or suspicious behaviour by using machine learning and artificial intelligence. It said that this works by extending the capabilities of rule-based detection technologies, which will be increasingly challenged to keep up with the growth of sophisticated and complex attack patterns.

Sophos will maintain the offices in the Republic of Ireland with Barricade CEO David Coallier and the team of developers, data scientists and engineers joining the Sophos Cloud group.

Coallier said: “We are proud of the technology we have built and are pleased to join the team at Sophos focused on artificial intelligence and machine learning based security analytics. Driving the development of our technology into a comprehensive security solution that every IT professional can use presents us with the next phase in our exciting journey.”

Bill Lucchini, senior vice president and general manager of the Cloud Security Group at Sophos said that the team and technology from Barricade will strengthen Sophos’ synchronized security capabilities, and its next-generation network and endpoint protection portfolio.

“Barricade has an impressive team of experts in data science and machine learning, and they share the Sophos vision for security made simple,” Lucchini said.

“Delivering advanced protection to partners and customers without adding layers of complexity is at the core of our product strategy. Enterprise-grade security should be available to all organizations, and the acquisition of Barricade will accelerate the next phase of synchronized security innovation across the Sophos central management platform.”

Brian Honan, CEO of BH Consulting, told Infosecurity: “This is a very interesting move by Sophos in that it allows them to expand their detection and response capabilities. For Barricade this is a great example of Irish innovation and technology leading the way in cyber security.

“Ireland is fast becoming a centre of excellence for cybersecurity with many indigenous firms developing ground breaking solutions, while major multi-national cybersecurity firms are establishing their European Headquarters and their research and development centres here.”

Andrew Kellett, principal analyst at Ovum, told Infosecurity that this was an important acquisition for Sophos: given the way the endpoint protection, detection and remediation market is going, the company could not afford to be without an analytical/machine learning capability.

“Rather than moving Sophos in a new direction, I would think of this as adding to the completeness of their overall offering,” he said. “Pulling back on the temporary advantage that the next-generation folks had is another way of looking at it.

“Perhaps just as relevant for Sophos is what their mainstream competition is doing: Trend Micro with its XGen analytical and MI technology; and Symantec/Blue Coat with its new release that includes analytics and MI. Basically the big players have been filling in the gaps in their endpoint protection portfolios during the last year, adding unknown threat detection capabilities, and I would see the Sophos acquisition as important from that point of view.”

Source: Information Security Magazine

Sundown Becomes a Rising Star on the EK Scene

There’s a new-ish kid on the block when it comes to exploit kits (EKs): Sundown. And over the last six months it has risen in the ranks to become the No. 2 EK, behind RIG.

An examination from Cisco Talos shows that the Sundown EK, despite operating on a relatively small infrastructure footprint, has what appears to be one of the largest domain-shadowing implementations out there. It has recently been exclusively delivering banking trojans.

“The campaign operated out of a handful of IPs, but we ended up finding in excess of 80K malicious subdomains associated with more than 500 domains leveraging various registrant accounts,” said researcher Nick Biasini, in an analysis. “This translates into a kit that will largely evade traditional blacklisting solutions.”

Sundown’s operators are highly vigilant, and the subdomains in use were recycled quickly to avoid detection. In some cases the kit appeared to use single-use domain shadowing, which is extremely difficult to stop with blacklisting. During Cisco Talos’ monitoring, the number of subdomains registered in a single day peaked at slightly more than 4,300; over one 24-hour period, a single Sundown campaign was seen generating approximately three subdomains a minute for the entire day.
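Detection logic for the churn pattern described above, as an added example (not Talos code): it scores each registered domain in a resolver log by how many distinct subdomains appear and how many of them are queried only once, the signature of single-use domain shadowing. The tab-separated log format, the two-label registrable-domain rule and the sample lines under the reserved .test TLD are assumptions constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed resolver log: one 'ISO-timestamp<TAB>queried-name' per line.
    shadowed.test mimics the churn Talos describes (a throwaway subdomain every
    minute, each queried once); example.test behaves like an ordinary site whose
    few hostnames are queried repeatedly. Neither name is a real indicator."""
    start = datetime(2016, 11, 1, 9, 0, 0)
    lines = []
    for i in range(60):
        t = (start + timedelta(minutes=i)).isoformat()
        lines.append(f"{t}\t{i:04x}abc.shadowed.test")
        lines.append(f"{t}\t{['www', 'mail', 'www'][i % 3]}.example.test")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def registered_domain(fqdn):
    """Registrable part of a name. Assumption: two-label registrables only
    (no public-suffix list), which is all the constructed sample needs."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse log lines into (datetime, lowercase fqdn) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name = line.split("\t", 1)
        records.append((datetime.fromisoformat(ts), name.lower().rstrip(".")))
    return records


def churn_stats(records):
    """Per registered domain: distinct subdomains seen, how many were queried
    only once (single-use), and how fast new subdomains first appeared."""
    hits = defaultdict(Counter)
    first_seen = defaultdict(dict)
    for ts, fqdn in records:
        dom = registered_domain(fqdn)
        if fqdn == dom:
            continue  # bare apex, no subdomain label to track
        hits[dom][fqdn] += 1
        first_seen[dom].setdefault(fqdn, ts)
    stats = {}
    for dom, counter in hits.items():
        distinct = len(counter)
        single_use = sum(1 for n in counter.values() if n == 1)
        times = sorted(first_seen[dom].values())
        span_min = max((times[-1] - times[0]).total_seconds() / 60.0, 1.0)
        stats[dom] = {"distinct": distinct, "single_use": single_use,
                      "single_use_ratio": single_use / distinct,
                      "new_per_minute": distinct / span_min}
    return stats


def flag_shadowing(records, min_distinct=20, min_single_use_ratio=0.8):
    """Flag registered domains whose subdomain population looks shadowed: many
    distinct names, almost all single-use. Thresholds are illustrative; tune
    them against your own baseline before alerting on them."""
    return {dom: s for dom, s in churn_stats(records).items()
            if s["distinct"] >= min_distinct
            and s["single_use_ratio"] >= min_single_use_ratio}


if __name__ == "__main__":
    for dom, s in flag_shadowing(parse_log(SAMPLE_LOG)).items():
        print(f"{dom}: {s['distinct']} subdomains, "
              f"{s['single_use_ratio']:.0%} single-use, "
              f"{s['new_per_minute']:.2f} new/min")
```

Feeding real passive-DNS or proxy logs in the same two-column shape is enough to run it; a wildcard-hosted domain that answers for everything will score high too, so review flagged domains rather than blocking automatically.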

Interestingly, Sundown is not historically one of the big guns. Cisco Talos explained that it has previously been part of a second tier of exploit kits that includes Magnitude and Sweet Orange.

“These kits successfully compromise users, but typically are not accompanied with the advanced techniques and wide-spread use of the other major exploit kits,” Biasini noted. “It's not to say these kits aren't significant threats, but from a potential victim perspective they historically do not have the reach associated with other EKs from before such as Angler or RIG.”

But in the last six months, the exploit kit landscape has seen some major changes, including the Nuclear EK ceasing operations in April/May, and arrests in Russia coinciding with the end of Angler in June. Recently, Neutrino also has been added to the list of exploit kits that have stopped being actively used in 2016.

“What remains is a group of smaller exploit kits vying for pole position in an industry that continues to generate millions of dollars from payloads such as ransomware and banking Trojans,” researchers said.

The thousands of Sundown subdomains are associated with several hundred different domains, the majority of which were owned by two distinct registrant accounts hosted in the Netherlands. But despite the Dutch connection, the authors of the kit aren’t exactly interested in obfuscation: they’ve created a brand identity for themselves (complete with a logo), the Yugoslavian Business Network.

“The fact that they re-use exploits, wildcard domains and don't take much effort to hide their kit from sight indicates that they either lack the sophistication we have seen from other kits or plainly don't care to hide their activity,” Biasini said. “It also shows that you don't need sophistication to compromise users. It will be interesting to watch how this landscape changes over the next six months to a year. It's obvious that there is a major opportunity for some motivated miscreants to enter the exploit kit market.”

Source: Information Security Magazine

Flash, Windows Zero-days Are Being Actively Exploited in the Wild

New zero-day vulnerabilities in Adobe Flash and Windows are being actively exploited in the wild.

The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. The Adobe flaw is a use-after-free vulnerability that could lead to code execution (CVE-2016-7855).

“Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10,” Adobe said in its security bulletin.

The Google security group reported the flaws to Adobe and Microsoft back on Oct. 21, and while Adobe updated Flash to address the issue, Microsoft has yet to push a patch.

“We are…disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” Google said in its blog. “This vulnerability is particularly serious because we know it is being actively exploited.”

The Adobe update is available via Adobe's updater and via the Chrome auto-update; Chrome's sandbox now blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of the sandbox escape vulnerability. “The flaw can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD,” the Google team reported.

Users should verify that auto-updaters have already updated Flash, update it manually if not, and apply the Windows patch from Microsoft when it becomes available.

Source: Information Security Magazine

Fake Palo Alto Cyber-conference Invites Deliver Spy Trojan

Threat actors with a healthy sense of irony are using fake offers for free registrations to Palo Alto Networks’ upcoming Cyber Security Summit to deliver malware.

The event is being hosted on November 3 in Jakarta, Indonesia, and Palo Alto researcher Robert Falcone explained that the effort is related to ongoing Operation Lotus Blossom attack campaigns in the Asia Pacific region. The phishing emails ultimately deliver a payload that is a variant of the Emissary Trojan, a go-to tool of Operation Lotus Blossom.

The Emissary trojan is a cyber-espionage tool. While it lacks more advanced functionality like screen capturing, it is still able to carry out most tasks desired by threat actors: exfiltration of files, the ability to download and execute additional payloads, and gaining remote shell access. Its authors have developed several updated versions of Emissary to remain undetected and fresh over time.

Emissary installs in the background while a decoy document showing an image of a previous invitation to the Cyber Security Summit is displayed.

“The malicious email will have an attachment named ‘[FREE INVITATIONS] CyberSecurity Summit.doc’ that if opened will exploit CVE-2012-0158,” he said in an analysis. “Palo Alto Networks hosts cybersecurity summits all over the world, and in many cases we send invitations via email to individuals we believe would be interested in attending…. The legitimate invitation emails from Palo Alto Networks did not carry any attachments.”

The file name contains the first portion of the subject of the legitimate invitation emails that Palo Alto sent out, suggesting the Operation Lotus Blossom actors received the email themselves.

Palo Alto was able to determine that the threat actor used Microsoft Word to crop the images from screenshots that the actor took, which offered insight into the threat actor’s system.

“The threat actor is running Windows localized for Chinese users, which suggests the actor’s primary language is Chinese,” Falcone said. “The ‘CH’ icon in the Windows tray shows that the built-in Windows input method editor (IME) is currently set to Chinese. Also, the screenshot shows a popular application in China called Sogou Pinyin, which is an IME that allows a user to type Chinese characters using Pinyin. Pinyin is critical to be able to type Chinese characters using a standard Latin alphabet keyboard, further suggesting the threat actor speaks Chinese.”

Palo Alto has halted its email invitations, so users should disregard all new emails related to invitations to the conference.

Source: Information Security Magazine

#FutureDecoded NCSC Stresses Need for Transparency over Fear

In order to get the best of new and advanced technologies in the future, cybersecurity needs a fresh transparency beyond the realm of fear.

Speaking at Microsoft Future Decoded in London, Dr Ian Levy, technical director of the National Cyber Security Centre, said that he did not believe that society could benefit from new technologies like artificial intelligence, machine learning and Big Data “unless we fundamentally fix the narrative around cybersecurity”.

Pointing to the 1972 Computer Security Technology Planning Study and the 2014 Heartbleed bug, Levy said that the impact of that OpenSSL vulnerability was not as bad as everyone made out, yet the same programming error has persisted for almost 45 years.

“As we become more and more dependent on machines, and rely on machines to do things for us, we have to change the narrative,” he said.

Levy said that modern cybersecurity replicates the witch doctor concept, where belief is placed in a magic amulet, “and we need to start talking about this as a lot of the attacks that we see on the internet today are not purported by religious icons”.

Levy went on to say that advice not to open attachments or click links unless you trust them “was the most stupid advice I have ever heard”, asking what his granny was supposed to do to determine whether an email was untrusted. “We are blaming the user…we are trying to get the user to compensate for the system design, that is stupid and we need to fix it.”

He said that the second most stupid piece of advice was around changing passwords every 30 or 60 days. “We did some research and we saw the average number of passwords people use on a day to day basis, and the average complexity and average change window – I can tell you that the answer is not to go away and remember a different 660 digit number every single month. Who reckons they could do that? Well my granny cannot.”

“We are trying to make the UK a more safe and secure place, so this sort of advice has to go; we have to make it more user-centric and stop blaming the user and give them information and let them make decisions.”

Levy claimed that cybersecurity runs on fear: everything is focused on making it sound really bad, so that you then have to buy the magic amulet. “There is no policy that I am aware of that allows this to happen, no public policy where you allow fear to rule in the public’s perception,” he said.

“So my job is to change that fear into evidence using data – how to change cybersecurity from a magic amulet into a data-based discipline where you can have a strategic effect on the security of the country. How do you do it – read the National Cyber Security Strategy. That’s a novelty in cybersecurity.

“How many times have we been told that cybercrime costs £27 billion a year to the UK economy? Once. How many times has there been evidence underneath that to prove it? Never as far as I can tell. I want to generate real data so that we can have metrics, metrics that mean something to the average person on the street.”

He claimed that until value-based, risk management decisions can be made about technology, we will never reap the benefits of all of the new stuff that is coming.

He said: “People will be too scared to get into an autonomous vehicle as hackers can get in. People will be too scared to have a machine calculate their premiums based on their Fitbit data because hackers can break in. Let’s bring some transparency to cybersecurity as only through transparency do you build trust, and only through trust can you build transparencies in the technology we will use in the future.”

Source: Information Security Magazine

National Cyber Security Strategy Aims to Defend, Deter, Develop

Chancellor Philip Hammond has launched the new UK cybersecurity strategy, built on developing future talent, protecting what we have, and identifying the malicious few.

Speaking at the Microsoft Future Decoded conference in London, Chancellor of the Exchequer Philip Hammond launched the government’s National Cyber Security Strategy for the next five years, which he said is built on three core pillars: defend, deter, develop. “This is underpinned by £1.9 billion of transformational investment,” he said.

Hammond confirmed that some UK services were caught up in the recent IoT-enabled attack on Dyn, but said that they were recovered quickly; attacks using spear phishing, insecure code and weak cryptography were also prominent, he said.

“These attacks demonstrate serious consequences such as significant loss of data, financial costs, disruption of services, reputational damage and threats to the infrastructure of the state itself,” he said. “We have to respond to this threat and by addressing it here in the UK we start from scratch. In the last parliament we invested £860M over five years to significantly enhance our government networks, improve our incident response and tackle cybercrime.

“We must keep up with the scale and pace of the threat that we face. So today, I am launching the government’s National Cyber Security Strategy for the next five years.” He said that the three pillars are all supported by the new National Cyber Security Centre, which will offer a dedicated and outward-facing authority on cybersecurity issues.

Hammond said that trust in the internet is vital as without it, trust in all digital benefits will fall away. “We need a secure cyber-space and we need to work together to deliver it.”

Hammond said that government and critical national infrastructure will be strengthened, and that the government will work with industry on a more active cyber-defense approach. “Supporting industry’s use of automated techniques to block, disrupt and neutralize malicious activity before it reaches the user; the public have much to gain from active cyber-defense and with the proper safeguards in place to protect privacy, these measures have the potential to be transformational and ensuring UK internet users are secure by default,” he said.

Hammond said the government will deter those who “seek to steal from us, threaten us or otherwise harm our interests in cyber-space”. This would involve boosting policing and investing in offensive cyber-capabilities, since there was a need to “detect, trace and retaliate in kind”, which he said was likely to be the best deterrent. He said that “turning the other cheek” was not an option, that a full counter-offensive capability was needed, and that it was the government's duty to demonstrate that attackers cannot act with impunity.

Hammond said that the UK will develop the capabilities it needs in its economy and society to keep pace with the threat in the future, and that investment will be made in the next generation of students, experts and businesses. “I can announce that we are creating our next cybersecurity research institute, a virtual network of UK universities that are dedicated to technical research and supported by government to focus on hardware and will look to improve the security of smartphones, tablets and laptops through innovative use of novel technology,” he said.

The strategy follows on from George Osborne’s announcement from November 2015, and Hammond called it a major step in the fight against cyber-attack. “It is a key component for the government’s ambition for Britain to be the best place in the world to run a tech business, and it sets out how we intend to deliver that partnership with business to achieve that objective,” he said.

Paul Briault, Director of Digital Security and API Management at CA Technologies, said: “The government’s plans to increase national cyber-defense efforts are a positive move, providing reassurance for businesses and consumers at the same time as bolstering our national security.

“Businesses and government agencies will need to work together to assess the security needs of enterprises and their responsibility for protecting customer data, without hindering the work that intelligence agencies need to do in order to protect the country from criminals and potential terrorist attacks.”

James Tolfree, UK Director at Cryptzone, said that talk of ‘Strike back’ represents quite a change in mindset, as this recognizes that the cyber-space is the new battleground.

“You can’t be in a battle space with only a defensive position, especially when dealing with state-sponsored cyber-attack strategies,” he said. “The reality is of course that cyber-defense is the responsibility of us all. Government should lead much of the initiative but the responsibility and cost needs to be borne by government, industry and us as individuals; in much the same way we expect government to lead on other areas of crime, but it is all our responsibility to make sure our homes are fitted with adequate locks and alarms, and that we use them.

“It is a little too early to say what this will mean for cybersecurity in the UK,” Tolfree continued. “It is encouraging that part of the funding has been earmarked for training cybersecurity professionals as there is currently a noticeable skills gap here in the UK. It is also encouraging that funding will be available to innovative start-up cyber security businesses. The UK has long been respected for its skills in this sector, but in order to maintain this position, strong investment from both government and industry is needed.”

Source: Information Security Magazine

Firms Value Threat Intel … But Fail to Use it Properly

The vast majority of security professionals in the UK and North America rate threat intelligence as an important part of cybersecurity, but inadequate tools, training and processes are holding organizations back, according to a new study.

Security vendor Anomali polled over 1,000 security professionals in the two regions and found that two-thirds of organizations either have or are planning to deploy a threat intelligence platform, and 70% are looking to improve their threat intelligence efforts going forward.

However, 70% admitted they’re generating simply too much data, or that it’s too complex to be used effectively.

Major factors contributing to the ineffectiveness of threat intelligence programs included lack of staff expertise (69%), lack of ownership (58%) and lack of suitable technologies (52%).

As a result, half (49%) claimed the IT security team doesn’t read or receive threat reports, while 43% said data isn’t used to drive decision making in the security operations center.

Jonathan Martin, operations director EMEA at Anomali, told Infosecurity that the right tools can help organizations with stretched resources, by automating up to 80% of responses.

“The information needed to understand the severity of actors, TTPs, campaigns etc. is usually spread far and wide across the internet and often restricted viewing from within a corporate network, so of course the right tools are essential,” he added.

“But in addition, organizations must ensure that security teams they do have in place are highly trained and ready to go, with the necessary knowledge to make the right decisions under stressful situations meaning that the impact of an attack can be greatly reduced.”

Once the right tools and staff are in place, it’s all about what you do with that data, which requires effective planning, claimed Martin.

“Organizations must have a formal threat response plan in place to ensure they are using threat intelligence data in the most effective way, to enable fast decisions to be made and preventative action disseminated quickly,” he concluded.

“This plan has to be rigorously tested to ensure it’s correct and it works; the time to find out if it’s effective is not under the pressure of an attack. This can be critical in ensuring both brand and data are protected.”

Source: Information Security Magazine