    It’s likely you already have low-code developers — get them into your security neighborhood

    In the world of DevSecOps, a little empathy goes a long way — particularly when it comes to expectations for your developers. 

    While security pros have been steeped in common security flaws and the OWASP Top 10 for years, most developers never took a security course at the university level. As security pros, our job is to enable and support developers who may have the best intentions for security but who also face competing priorities — they are not security pros, and security is just one of many issues they need to consider. 
    Our job is to integrate security into the developer experience and make it easier for them to get secure products in customers’ hands. Many of the advances in application security processes and tooling — gamified training, contextually relevant remediation guidance, integration with the developer’s toolset, developer security champions — have been driven by that reality. 
    When my colleague on the application development and delivery team, John Bratincevic, and I started to research low-code security, we realized that security teams were going to need to extend that perspective to a brand-new class of developers. Low-code developers fall into two buckets: professional developers who leverage low-code to improve speed and responsiveness and citizen developers who sit outside of IT and development. Citizen developers not only have never taken a secure development class but likely have not taken any development classes at all — therefore, common application security concepts will be even more foreign. 
    What does this mean for security teams? Three key points: 
    • Application developers may no longer just work on the development team. Spend some time understanding your organization’s low-code strategy, who is developing what sorts of low-code applications, and where they sit. 
    • It’s time to expand your network again — get to know the citizen developers in your organization and start building the security team’s credibility with these new stakeholders. 
    • Security training will look different — the abstraction of low-code means that citizen developers are less likely to introduce an SQL injection than they are to misconfigure permissions or leak data. Focus on the security principles most aligned with how low-code developers build applications. 
    To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here.      
    This post was written by Principal Analyst Sandy Carielli, and it originally appeared here.


    Investigation launched into vulnerabilities found within US Judiciary case file system

    The United States Judiciary has announced an audit into its systems, following concerns its case file system has been compromised.
    In making the announcement, the Judiciary said the Administrative Office of the US Courts was working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents, particularly sealed filings.
    “An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation,” it said. “Due to the nature of the attacks, the review of this matter and its impact is ongoing.”
    With the investigation ongoing, the Judiciary said federal courts across the country will be adding new security procedures aimed at protecting highly sensitive confidential documents filed with the courts.
    Moving forward, highly sensitive court documents filed with federal courts will be accepted for filing in paper form or via a “secure electronic device”, such as a thumb drive, and stored in a “secure, stand-alone computer system”. The documents will not be uploaded to CM/ECF. 
    Filings not considered highly sensitive will continue to be sealed in CM/ECF “as necessary”.
    “The federal Judiciary’s foremost concern must be the integrity of and public trust in the operation and administration of its courts,” Secretary of the Judicial Conference of the United States James C. Duff said.

    The Judiciary said following guidance from the Department of Homeland Security, its courts have suspended all national and local use of SolarWinds Orion products.
    Earlier this week, the US Department of Justice (DOJ) confirmed that the hackers behind the SolarWinds supply chain attack targeted its IT systems, where they escalated access from the trojanized SolarWinds Orion app to move across its internal network and access the email accounts of some of its employees.
    The number of impacted DOJ employees is currently believed to be around 3,000 to 3,450. The DOJ said it has now blocked the attacker’s point of entry.
    Four US cybersecurity agencies on Monday released a joint statement formally accusing the Russian government of orchestrating the SolarWinds supply chain attack.
    US officials said that “an advanced persistent threat actor, likely Russian in origin” was responsible for the SolarWinds hack, which officials described as “an intelligence gathering effort”.


    New side-channel attack can recover encryption keys from Google Titan security keys

    A duo of French security researchers has discovered a vulnerability impacting chips used inside Google Titan and YubiKey hardware security keys.

    The vulnerability allows threat actors to recover the primary encryption key used by the hardware security key to generate cryptographic tokens for two-factor authentication (2FA) operations.
    Once obtained, the two security researchers say the encryption key, an ECDSA private key, would allow threat actors to clone Titan, YubiKey, and other keys to bypass 2FA procedures.
    Attack requires physical access
    However, while the attack sounds disastrous for Google and Yubico security key owners, its severity is not what it seems.
    In a 60-page PDF report, Victor Lomne and Thomas Roche, researchers with Montpellier-based NinjaLab, explain the intricacies of the attack, also tracked as CVE-2021-3011.
    For starters, the attack won’t work remotely against a device, over the internet, or over a local network. To exploit any Google Titan or Yubico security key, an attacker would first need to get their hands on a security key in the first place.
    Temporarily stealing and then returning a security key isn’t impossible and is not out of the threat model of many of today’s government workers or high profile executives, which means this attack can’t be entirely ruled out or ignored.
    Titan casing is hard to open, leaves marks

    However, Lomne and Roche argue that there are other unexpected protections that come with Google Titan keys, in the form of the key’s casing.
    “The plastic casing is made of two parts which are strongly glued together, and it is not easy to separate them with a knife, cutter or scalpel,” the researchers said.
    “We used a hot air gun to soften the white plastic, and to be able to easily separate the two casing parts with a scalpel. The procedure is easy to perform and, done carefully, allows to keep the Printed Circuit Board (PCB) safe,” the two added.
    However, Lomne and Roche also point out that “one part of the casing, soften[ed] due to the application of hot air,” and usually permanently deforms, leaving attackers in the position of being unable to put the security key back together once they’ve obtained the encryption key — unless they come prepared with a 3D-printed casing model to replace the original.

    Image: NinjaLab
    A side-channel attack using electromagnetic radiations
    But once the casing has been opened and the attackers have access to the security key’s chip, researchers say they can then perform a “side-channel attack.”
    The term, which is specific to the cyber-security world, describes an attack where threat actors observe a computer system from the outside, record its activity, and then use their observations on how the device activity fluctuates to infer details about what’s going on inside.
    In this case, for their side-channel attack, the NinjaLab researchers analyzed electromagnetic radiations coming off the chip while processing cryptographic operations.
    Researchers said that by studying around 6,000 operations taking place on the NXP A7005a microcontroller, the chip used inside Google Titan security keys, they were able to reconstruct the primary ECDSA encryption key used in signing every cryptographic token ever generated on the device.
    The good news for Titan and YubiKey owners is that this process usually takes hours to execute, requires expensive gear, and custom software.

    Image: NinjaLab
    Normally, this type of attack would be out of the reach of regular hackers, but security researchers warn that certain threat actors, such as three-letter intelligence agencies, usually have the capabilities to pull this off.
    “Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered,” Lomne and Roche said.
    What’s vulnerable?
    As for what’s vulnerable, the researchers said they tested their attack on the NXP A7005a chip, which is currently used for the following security key models:
    • Google Titan Security Key (all versions)
    • Yubico YubiKey Neo
    • Feitian FIDO NFC USB-A / K9
    • Feitian MultiPass FIDO / K13
    • Feitian ePass FIDO USB-C / K21
    • Feitian FIDO NFC USB-C / K40
    In addition, the attack also works on NXP JavaCard chips, usually employed for smartcards, such as J3A081, J2A081, J3A041, J3D145_M59, J2D145_M59, J3D120_M60, J3D082_M60, J2D120_M60, J2D082_M60, J3D081_M59, J2D081_M59, J3D081_M61, J2D081_M61, J3D081_M59_DF, J3D081_M61_DF, J3E081_M64, J3E081_M66, J2E081_M64, J3E041_M66, J3E016_M66, J3E016_M64, J3E041_M64, J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, J2E082_M65, J3E081_M64_DF, J3E081_M66_DF, J3E041_M66_DF, J3E016_M66_DF, J3E041_M64_DF, and J3E016_M64_DF.
    Contacted via email, Google echoed the research team’s findings, namely that this attack is hard to pull off in normal circumstances.
    Google also said that its security key service can detect clones using a server-side feature, FIDO U2F counters, which the NinjaLab team likewise recommended in their paper as a countermeasure against their attack. However, the researchers point out that even when counters are used, there is a short window after a clone has been created during which it can still be used.
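The counter check described above, as an added example that is not code from NinjaLab, Google or the original article: a relying party keeps the last signature counter seen for each registered key and treats any non-increasing counter as a sign of a clone. The response layout assumed here is the U2F raw authentication response (one user-presence byte, a 4-byte big-endian counter, then the signature); signature verification is assumed to have already succeeded and is not modelled, since the point is the counter logic. The two simulations show why detection has a window: a clone that is used before the genuine key is accepted once, and the clone is only caught when the genuine key is next used.

```python
import struct
from dataclasses import dataclass

# Assumption: U2F raw authentication response layout
#   byte 0      user-presence flags (bit 0 = user present)
#   bytes 1..4  32-bit big-endian signature counter
#   bytes 5..   ECDSA signature (not verified in this example)


def parse_auth_response(resp: bytes):
    """Return (user_presence, counter, signature) from a raw auth response."""
    if len(resp) < 5:
        raise ValueError("response too short for user-presence byte and counter")
    user_presence = resp[0]
    (counter,) = struct.unpack(">I", resp[1:5])
    return user_presence, counter, resp[5:]


@dataclass
class Authenticator:
    """Constructed stand-in for a security key: only the counter is modelled."""
    key_handle: bytes
    counter: int = 0

    def authenticate(self) -> bytes:
        self.counter += 1
        signature = b"\x30\x00"  # placeholder; a real key signs with its ECDSA key
        return bytes([0x01]) + struct.pack(">I", self.counter) + signature

    def clone(self) -> "Authenticator":
        # A clone built from an extracted private key inherits the counter value
        # the genuine device had at the moment it was cloned.
        return Authenticator(self.key_handle, self.counter)


class RelyingParty:
    """Server side: stores the highest counter seen per key handle."""

    def __init__(self):
        self.last_counter: dict[bytes, int] = {}
        self.revoked: set[bytes] = set()

    def register(self, key_handle: bytes, counter: int = 0) -> None:
        self.last_counter[key_handle] = counter

    def verify(self, key_handle: bytes, resp: bytes) -> str:
        if key_handle in self.revoked:
            return "rejected: credential revoked"
        user_presence, counter, _signature = parse_auth_response(resp)
        if not user_presence & 0x01:
            return "rejected: no user presence"
        last = self.last_counter[key_handle]
        if counter == 0 and last == 0:
            # Some keys never increment the counter; no clone check is possible.
            return "accepted: counter unsupported"
        if counter <= last:
            # Counter did not increase: a second device is signing with this key.
            self.revoked.add(key_handle)
            return "clone suspected"
        self.last_counter[key_handle] = counter
        return "accepted"


def simulate_clone_window():
    """Clone used before the genuine key: the clone's first use slips through."""
    rp = RelyingParty()
    genuine = Authenticator(key_handle=b"handle-1")
    rp.register(genuine.key_handle)
    outcomes = [
        rp.verify(genuine.key_handle, genuine.authenticate()),  # counter 1
        rp.verify(genuine.key_handle, genuine.authenticate()),  # counter 2
    ]
    clone = genuine.clone()  # clone starts at counter 2
    outcomes.append(rp.verify(genuine.key_handle, clone.authenticate()))    # 3 > 2: accepted
    outcomes.append(rp.verify(genuine.key_handle, genuine.authenticate()))  # 3 <= 3: detected
    outcomes.append(rp.verify(genuine.key_handle, clone.authenticate()))    # revoked
    return outcomes


def simulate_genuine_first():
    """Genuine key used before the clone: the clone is caught on its first use."""
    rp = RelyingParty()
    genuine = Authenticator(key_handle=b"handle-2")
    rp.register(genuine.key_handle)
    clone = genuine.clone()  # clone starts at counter 0
    return [
        rp.verify(genuine.key_handle, genuine.authenticate()),  # 1 > 0: accepted
        rp.verify(genuine.key_handle, clone.authenticate()),    # 1 <= 1: detected
    ]


if __name__ == "__main__":
    print(simulate_clone_window())
    print(simulate_genuine_first())
```

Once a counter regression is seen the server cannot tell which device is the clone, so the example revokes the credential rather than trying to guess; in practice that means forcing re-enrollment of the key.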
    Nonetheless, as a closing note, the French security researchers also urged users to continue using hardware-based FIDO U2F security keys, such as Titan and YubiKey, despite the findings of their report. Instead, users should take precautions to safeguard devices if they believe they might be targets of interest to advanced threat actors.


    Ryuk gang estimated to have made more than $150 million from ransomware attacks

    Image: QuinceCreative
    The operators of the Ryuk ransomware are believed to have earned more than $150 million worth of Bitcoin from ransom payments following intrusions at companies all over the world.

    In a joint report published today, threat intel company Advanced Intelligence and cybersecurity firm HYAS said they tracked payments to 61 Bitcoin addresses previously attributed and linked to Ryuk ransomware attacks.
    “Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims,” the two companies said. “These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range.”
    AdvIntel and HYAS say the extorted funds are gathered in holding accounts, passed to money laundering services, and are then either funneled back into the criminal market and used to pay for other criminal services or are cashed out at real cryptocurrency exchanges.
    But what the two companies found odd was that while other ransomware groups typically use lesser-known exchanges to cash out funds, Ryuk converted Bitcoin into fiat currency using accounts on two well-established crypto-portals, Binance and Huobi, most likely opened with stolen identities.

    Image: AdvIntel
    But today’s joint AdvIntel and HYAS report also provides a more up-to-date figure in regards to Ryuk operations.
    The last figure we had came from February 2020, when FBI officials spoke at the RSA security conference. At the time, the FBI said that Ryuk was, by far, the most profitable ransomware gang active on the scene, having made more than $61.26 million from ransom payments between February 2018 and October 2019, based on complaints received by the FBI Internet Crime Complaint Center.

    Image: FBI

    With today’s report and the $150 million figure, it is clear that Ryuk has maintained its spot at the top, at least, for now.
    Over the past year, other ransomware gangs, such as REvil, Maze, and Egregor, have also made a name for themselves and have also been very active, infecting hundreds of companies.
    However, there haven’t been any reports on the estimated sum these groups have made.
    The latest such report came from security firm McAfee in August 2020 when the company published a report estimating that the Netwalker ransomware gang made around $25 million in ransom payments between March and August 2020.


    Months after this 'serious' cyber-attack, stolen data has been leaked online by hackers

    Data stolen in a cyber-attack against a London council last year has been leaked online by the hackers responsible for the attack.  
    Hackney council, which provides services for 280,000 residents in the UK capital, was hit by what was labeled a “serious” cyber-attack last October, taking many IT systems out of operation, with some still disrupted currently.  

    It now appears that the information that was stolen during the attack has been published to the dark web by the criminals, although the council said that only a limited set of data was at risk. According to the council’s latest update, the documents have not been leaked to a “widely available forum”, and are not visible through search engines on the Internet.  
    The Mayor of Hackney Philip Glanville said: “I fully understand and share the concern of residents and staff about any risk to their personal data, and we are working as quickly as possible with our partners to assess the data and take action, including informing people who are affected.” 
    “While we believe this publication will not directly affect the vast majority of Hackney’s residents and businesses, that can feel like cold comfort, and we are sorry for the worry and upset this will cause them.” 
    While the majority of sensitive and personal information held by the council appears to be unaffected, Hackney council said that it is working with the National Cyber Security Centre, the National Crime Agency, the Information Commissioner’s Office and the Metropolitan Police to investigate what has been published exactly and assess which actions need to be taken. 
    Now several months after the attack happened, the exact nature of the intrusion is still unclear. The council has avoided disclosing details to make sure it does not inadvertently assist the attackers.  

    Only legacy and non-cloud-based systems, such as making payments or approving licensing, have been affected, while newer services and systems linked to managing the Covid-19 pandemic have remained up-and-running.  
    Although many systems have since been fully or partially restored, the council has already said that it expects some services to remain unavailable or disrupted for the months to come. 
    Hackney council’s service status page still indicates that services are “significantly disrupted” due to a “serious cyber-attack”, and recommends that residents and businesses avoid contacting the council unless absolutely necessary. 
    For example, the council is currently unable to process applications for most types of licenses, to add to the housing waiting list or for council tax reductions. Disruptions and delays to payment systems remain, as well as to claims for housing benefits. Voting preferences cannot be updated, and residents are currently unable to report noise complaints online. 
    Phone lines, however, remain open for essential help and emergency support. 
    “It is utterly deplorable that organised criminals chose last year to deliberately attack Hackney, damaging services and stealing from our borough, our staff, and our residents in this way, and all while we were in the middle of responding to a global pandemic,” said Glanville. 
    “Now four months on, at the start of a new year and as we are all responding to the second wave, they have decided to compound that attack and now release stolen data. Working with our partners we will do everything we can to help bring them to justice.” 
    Last year also saw an attack on Redcar and Cleveland council in North East England, which affected 135,000 people and came at a cost of more than £10 million ($13.5 million).


    Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020

    Cobalt Strike and Metasploit, two penetration testing toolkits usually employed by security researchers, have been used to host more than a quarter of all the malware command and control (C&C) servers that have been deployed in 2020, threat intelligence firm Recorded Future said in a report today.

    The security firm said it tracked more than 10,000 malware C&C servers last year, across more than 80 malware strains.
    The malware operations were the work of both state-sponsored and financially-motivated hacking groups.
    These groups deployed malware using various methods. If the malware managed to infect victim devices, it would report back to a command and control server from where it would request new commands or upload stolen information.
    Under the hood, these C&C servers can be custom-built for a specific malware family, or they can use well-known technologies, either closed or open-sourced projects.
    Across the years, the infosec industry has noted a rising trend in the use of open source security tools as part of malware operations, and especially the increased usage of “offensive security tools,” also known as OST, red-team tools, or penetration testing toolkits.
    The most complex of these tools work by simulating an attacker’s actions, including the ability to host a malware C&C in order to test if a company’s defenses can detect web traffic from infected hosts to the “fake” malware C&C server.

    But malware operators also quickly realized that they could also adopt these “good guy” tools as their own and then hide real malware traffic inside what companies and security firms might label as a routine “penetration test.”
    According to Recorded Future, two of these penetration testing toolkits have now become the top two most widely used technologies for hosting malware C&C servers — namely Cobalt Strike (13.5% of all 2020 malware C&C servers) and Metasploit (with 10.5%).
    The first is Cobalt Strike, a closed-source “adversary emulation” toolkit that malware authors cracked and abused for years, spotted on 1,441 servers last year.
    The second is Metasploit, an open source penetration testing toolkit developed by security firm Rapid7, which was similarly widely adopted by malware authors due to the fact that it has constantly received updates across the years.
    Third on the list of most popular malware C&C servers was PupyRAT, a remote administration trojan. While not a security tool, PupyRAT ranked third because its codebase was open-sourced on GitHub in 2018, leading to a rise in adoption among cybercrime operations.

    Image: Recorded Future
    However, besides Cobalt Strike and Metasploit, many other offensive security tools have also been abused by malware operations as well, although to a lesser degree.
    Even so, the groups who abused these tools included many state-sponsored hacking groups engaged in cyber-espionage operations, Recorded Future said.

    Image: Recorded Future
    But the Recorded Future report also looked at other facets of a malware C&C server’s operations. Other observations include:
    • On average, command and control servers had a lifespan (that is, the amount of time the server hosted the malicious infrastructure) of 54.8 days.
    • Monitoring only “suspicious” hosting providers can leave blindspots, as 33% of C&C servers were hosted in the US, many on reputable providers.
    • The hosting providers that had the most command and control servers on their infrastructure were all U.S.-based: Amazon, Digital Ocean, and Choopa.

    Image: Recorded Future


    You should install antivirus on your Android smartphone, but which one?

    Yesterday’s piece on “What should you do with an old Android smartphone” generated a lot of comments. Because I recommended installing a security app, one of the most popular questions was, predictably, which one?
    That’s a tough question.
    It’s tough because testing security apps means throwing existing vulnerabilities at them, which doesn’t tell you how well they will handle future vulnerabilities. Another issue is that it’s impossible to gauge what kind of performance hit the app will have across the myriad of devices out there.
    So, this is what I suggest you do.
    Try more than one.
    Before I go any further, let me warn you that there are a lot of fake security apps out there. On top of that, there are ones that do little to nothing. Whether you go with something on this list or something different, I suggest you don’t venture away from the big names, the same names who were making security apps for Windows systems a decade ago.

    Venturing too far off the beaten path could very well result in you installing the very same badware on your Android device that you are trying to avoid.
    Here’s my list — it’s quite short — of recommended apps. There are three free apps here, and one paid-for app. I’ve run all of them on a variety of devices and been happy with the results. 

    Price: Free
    Why do I like this: No ads! That’s a rarity when it comes to free security apps. It’s not as flashy or whizz-bang as the other apps, but it has scored amazingly well in the AV-TEST testing and gets the job done.

    Price: Free
    Why do I like this: Another app that got the job done. Again, it does show ads, but I didn’t find them intrusive. It also has features such as “Boost RAM” that you can play with. 

    Price: $14.99 for the first year
    Why do I like this: Gives you great protection from malware with the least impact on system performance (as tested by AV-TEST). My only gripe with it is that the VPN comes with 200MB/day of data rather than unlimited, which feels low.
    Bonus.
    Quite a few people have asked me what VPN I use. It’s the same one I have been using for years, and none of the others I’ve tested has come close to it in terms of awesomeness.

    Price: From $34.99 per year for 3 devices
    Why do I like this: It’s fast, easy to use, and I’ve put terabytes through it across many countries without any problems at all.
    Do you have a security app installed on your smartphone? If so, which one? Let me know in the comments down below.


    Hack the Army bug bounty challenge asks hackers to find vulnerabilities in military networks

    Hackers are being invited to uncover cybersecurity vulnerabilities in the computer systems used by the US military as part of the ‘Hack the Army’ bug bounty challenge.
    Both military and civilian hackers are being invited to discover and disclose digital vulnerabilities in the US Department of the Army in a program run by The Defense Digital Service (DDS) and HackerOne.


    The aim is for cybersecurity researchers to uncover and disclose security vulnerabilities in army systems so they can be resolved before they are discovered and exploited by malicious hackers. Civilian hackers who successfully discover valid security bugs could receive a financial reward.
    “Bug bounty programs are a unique and effective force multiplier for safeguarding critical Army networks, systems and data, and build on the efforts of our Army and DoD security professionals,” said Brigadier General Adam C. Volant, U.S. Army Cyber Command Director of Operations.
    “By crowdsourcing solutions with the help of the world’s best military and civilian ethical hackers, we complement our existing security measures and provide an additional means to identify and fix vulnerabilities. Hack the Army 3.0 builds upon the successes and lessons of our prior bug bounty programs,” he added.
    The bug bounty program is open to both military and civilian participants and runs from January 6, 2021 through February 17, 2021.

    Hack the Army 3.0 is the DDS’s eleventh bug bounty program with HackerOne and the third with the US Army. Previous programs include Hack the Pentagon, Hack the Defense Travel System and Hack the Air Force.
    “We are proud of our continued partnership with the Army to challenge the status quo in strengthening the security of military systems and shifting government culture by engaging ethical hackers to address vulnerabilities” said Brett Goldstein, director of the Defense Digital Service. 
    Participation in the Hack the Army 3.0 bug bounty challenge is open by invitation only to civilian hackers and active US military personnel. 
    “We’re calling on civilian and military hackers to show us what they’ve got in this bug bounty and to help train the future force,” Goldstein said.