Monday 29 July 2013

Been hacked? Don't dial 999: The plods are too dense, sniffs sec bigwig

'The problem is too big for the authorities to handle'

Police are powerless to stop super-smart criminals from hacking the world's biggest companies, a top-ranking security bod has warned.
Juniper Networks' security chief said there was simply no longer any point in calling the police when hackers and DDoSers came to call, because the cops can't do anything. He wants to see a world where big firms share information about potential targets and stop them before any damage can be done.
Henrik Davidson, the firm's director of security, said: "The problem is too big for the authorities to handle, playing into the hands of the cyber criminals. Additionally there are complications with the global complexity that hacking presents. Who is responsible if a hacker based in Asia attacks a European company? We’ve simply reached a stage where the IT security industry needs to be able to protect itself."
Davidson made the comments while telling El Reg about Juniper's new "next generation data centre security" system, which now incorporates anti-DDoS defence systems. We visited Juniper's Dutch testing lab, where they show off their latest data centre and networking technology.
Amsterdam is, of course, famous for two things - and neither was on offer at Juniper Networks' Dutch outpost. Instead the big data shifting bods wanted to show off their sexy racks, although not in the way that most visitors to the city would understand.
Money is not discussed in the Juniper Proof of Concept lab, where customers - and the nerdier type of journalist - come to coo over various bits of data centre gubbins. Which is just as well, because with prices stretching into the tens of thousands of euros, this is not a place for the casual shopper.
Juniper told us their new data centre security system offers a four-pronged approach to repelling hackers and DDoS assaults.
The system allows companies to collect the "fingerprints" of individual hackers, by building up a picture of the attacker based on 200 characteristics, including browser settings, time zone and even fonts. This allows for the blocking of individual devices, a more sophisticated form of defence than simple IP blocking.
The newest part of this system is called DDoS Secure, which Juniper claims is capable not only of repelling traditional large-scale DDoS attacks, but also the newer “low and slow” attacks, which use slow, small-scale traffic to bypass security and bring down servers.
DDoS Secure monitors incoming and outgoing traffic, learning which IP addresses and devices can be trusted. It can detect unusual activity from a user and then respond by blocking them.
Whenever a threat at one port or other vulnerable point is identified, its details are immediately sent to other access points in order to make sure the attacker is repelled.
Juniper claimed its "Active Defence" system not only worked by fending off attacks, but by identifying threats and stopping them.
Davidson added: "Active Defence allows you to identify the bad guys before they attack. If you know who the bad guys are, and where they are coming from, you can make life difficult for your attackers if they try and break your defences.
"Attackers can be identified by a deception point, of which there are thousands. This allows you to identify the characteristics of their device, what fonts they use, what patches they have installed and their IP address, among others. With that you can push a digital fingerprint to the cloud and share the details with partners and other vendors to ensure that more organisations do not face the same threat."
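The device fingerprinting and fingerprint-keyed blocking described above (characteristics rather than IP address, decoy "deception points", a shareable list of fingerprints), as an added Python illustration that is not Juniper's code: the attribute names, the decoy paths and the sample devices are all constructed for the example, and the class name only borrows the article's product name.

```python
"""Device fingerprinting plus fingerprint-keyed blocking (added example, not Juniper's code)."""
import hashlib
import json
from typing import Dict, List

# Constructed decoy paths standing in for the "deception points" the article mentions.
DECEPTION_PATHS = {"/admin-backup.zip", "/.git/config"}

def fingerprint(attrs: Dict[str, object]) -> str:
    """Hash the device characteristics into a stable fingerprint.

    The IP address is left out on purpose: the same device on a new address
    must produce the same fingerprint, which is what makes this stronger than
    IP blocking. Lists (e.g. fonts) are sorted so their order does not matter.
    """
    stable = {k: (sorted(v) if isinstance(v, list) else v)
              for k, v in attrs.items() if k != "ip"}
    canonical = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

class ActiveDefence:
    """Blocklist keyed by fingerprint; a hit on a decoy path adds the device to it."""
    def __init__(self) -> None:
        self.blocked: Dict[str, str] = {}

    def handle(self, path: str, attrs: Dict[str, object]) -> str:
        fp = fingerprint(attrs)
        if fp in self.blocked:
            return "blocked"
        if path in DECEPTION_PATHS:       # no legitimate client requests a decoy
            self.blocked[fp] = f"decoy hit: {path}"
            return "blocked"
        return "allowed"

    def export(self) -> List[Dict[str, str]]:
        """Fingerprints only (no raw attributes), suitable for sharing with partners."""
        return [{"fingerprint": fp, "reason": r} for fp, r in self.blocked.items()]

# Constructed sample attributes; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
ATTACKER = {
    "ip": "203.0.113.10",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/22.0",
    "accept_language": "en-US,en;q=0.9",
    "timezone_offset": -480,
    "fonts": ["Liberation Mono", "DejaVu Sans", "Arial"],
}
SAME_DEVICE_NEW_IP = dict(ATTACKER, ip="198.51.100.7", fonts=["Arial", "DejaVu Sans", "Liberation Mono"])
OTHER_DEVICE = dict(ATTACKER, ip="198.51.100.7", timezone_offset=60, fonts=["Arial"])
```

A real deployment would collect far more than five attributes, but the property shown here is the one that matters: the block survives an address change while an unrelated device on the same address is unaffected.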
According to a Juniper survey of 4,771 IT execs worldwide, 60 per cent said their systems had been attacked in the past 12 months. But the same percentage of execs were unhappy with their current defence systems, including next-generation firewalls and IP blocking.
"For 40 anti-virus systems, there is only a 5% catch rate," Davidson continued. "According to William Fallon’s book The Cyber-readiness Reality Check the number of organisations under attack is close to 100%. More than a third of cyber security execs at companies with revenues greater than $100 million are unable to see an attack once it finds its way into the perimeter of their system. It’s like leaving your front door wide open when there is a burglar in the neighbourhood.
"Traditional security methods just aren’t passing the test and companies don’t stand a chance as cyber-crime becomes increasingly sophisticated and more frequent."

FACTBOX - Hacking talks that got axed
REUTERS - Hacking experts and product manufacturers have sometimes been at odds over whether the disclosure of security vulnerabilities is helpful, or harmful, to the public interest.
Lawsuits, or even the threat of legal action, have resulted in the cancellation of some hacking presentations in recent years. Here are some examples, ahead of this week's Black Hat and Def Con hacking conferences in Las Vegas:
2005 - Cisco Systems Inc (CSCO.O) persuaded security firm Internet Security Systems to pull a discussion on hacking routers by researcher Michael Lynn at the Black Hat annual hacking conference in Las Vegas.
On the eve of the conference, Black Hat organizers had workers tear out Lynn's presentation materials from a printed handbook given out to thousands of attendees. Lynn gave the talk anyway, was fired by ISS, and an injunction was obtained to block further public discussion.
2007 - Security firm IOActive Inc pulled a talk that researcher Chris Paget was due to present at Black Hat DC on bugs in radio-frequency identification, or RFID, technology, saying it was pressured to do so by RFID technology firm HID Global Corp.
2008 - Three MIT undergrads canceled a Def Con talk in Las Vegas on hacking the "Charlie Card" payment cards for Boston's subway system after an injunction by a U.S. federal court. A judge later rescinded the order, allowing them to go public.
2013 - Three European computer scientists canceled a talk on hacking the locks of luxury cars at a prestigious U.S. academic conference to be held in August, after Volkswagen AG (VOWG_p.DE) obtained a restraining order from a British court.
Their paper, which was titled "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer," identified ways to hack into the lock systems of luxury cars including Porsches, Audis, Bentleys and Lamborghinis.

DARPA-Funded Hackers Gain Control Of Toyota Prius, Ford Escape

redOrbit Staff & Wire Reports – Your Universe Online
Two computer hackers who have successfully managed to hack into and manipulate a pair of widely-owned automobiles will present their findings at the Def Con hacking conference in Las Vegas this week, various media outlets are reporting.
According to FoxNews.com, veteran hackers Charlie Miller and Chris Valasek have discovered a way to remotely force a 2010 Toyota Prius to stop suddenly at high speeds or accelerate without the driver’s foot even being on the gas pedal. Likewise, they claim to be able to disable the brakes of a 2010 Ford Escape at “very low speeds.”
The two “white hats” (the name given to hackers who try to detect software vulnerabilities before criminals can exploit them) received funding from the US Defense Advanced Research Projects Agency (DARPA) for their research, according to the International Business Times.
Miller, a security engineer at Twitter, and Valasek, director of security intelligence for Seattle-based IOActive, were tasked by government officials to find out how vulnerable cars could be to computer hacks. They will publish blueprints of the techniques they discovered for attacking the two vehicles in a 100-page white paper, as well as all associated software used in their project, during this week’s conference.
Their findings might sound downright frightening, but Reuters reporter Jim Finkle said that Prius and Escape owners shouldn’t be too concerned just yet. After all, in order to manipulate the cars, the duo had to be seated within the vehicle and use laptops connected directly to each car’s computer network.
“They will not be providing information on how to hack remotely into a car network, which is what would typically be needed to launch a real-world attack,” Finkle said. Miller and Valasek said that they are releasing the data hoping that their “white hat” colleagues will be able to build upon their efforts and discover additional automotive security flaws that could be corrected.
“At the moment there are people who are in the know, there are naysayers who don’t believe it’s important, and there are others saying it’s common knowledge but right now there’s not much data out there,” Miller told BBC News Technology Reporter Zoe Kleinman. “We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars.”
So how did they do it? According to Kleinman, they used cables to connect their laptops to the electronic control units (ECUs) of the vehicles via the on-board diagnostics port, which is also used by mechanics to discover problems with the vehicles.
The ECUs are the part of the computer network responsible for acceleration, braking, steering and several other aspects of the car’s normal operation. Once Miller and Valasek gained access to it, they were able to write programs that sent instructions to the car network and overrode the driver’s commands, she added.
Toyota spokesman John Hanson told reporters that the company was reviewing the duo’s research, calling the hacks “entirely possible” and stating that the manufacturer is “absolutely” taking the findings seriously.
Conversely, Craig Daitch of Ford said that since the attack was not “performed remotely” but required “highly aggressive direct physical manipulation of one vehicle over an elongated period of time,” it most likely did not pose “a risk to customers and any mass level.”

IBM unveils software to identify and predict security risk

IBM announced an integrated security intelligence solution that helps organizations identify key vulnerabilities in real-time.

QRadar Vulnerability Manager gives security officers a prioritized view across their network, allowing them to fortify their defenses. By aggregating vulnerability information into a single view, security teams can see the results from multiple network, endpoint, database or application scanners where it can be reviewed and managed.
More than 70,000 security vulnerabilities exist today, with more than a dozen more being reported every day. The rapid expansion of social, mobile and cloud computing can further increase the threat landscape as each new device attached to a network further expands potential vulnerabilities.

Part of the IBM Security Intelligence Platform, QRadar Vulnerability Manager (QVM) is a software module that combs through security holes to help close them to potential exploits, excluding those hidden behind firewalls, associated with inactive applications or otherwise unreachable from external attacks.

By activating a license key, this new software can automatically scan the network and perform the analysis helping security teams direct their staff resources.

“Traditional vulnerability management solutions are fundamentally broken,” said Brendan Hannigan, General Manager, IBM Security Systems. “Vulnerability scanning today lacks network-wide visibility, contextual awareness and real-time scanning. These gaps mean even well-known and preventable vulnerabilities can be lost in an overload of data, leaving organizations exposed to high risks.”

QRadar Vulnerability Manager helps clients reduce the remediation and mitigation burden by aggregating vulnerability information into a single risk-based view where it can be quickly prioritized. Security teams can see the results from multiple network, endpoint, database or application scanners alongside the latest X-Force Threat Intelligence alerts and incident reports from the National Vulnerability Database. QRadar Vulnerability Manager also includes its own embedded, PCI-certified scanner which can be scheduled to run periodically or triggered based on network events.

"QRadar Vulnerability Manager is a breakthrough for the IT security industry,” said Murray Benadie, Managing Director, Zenith Systems, an IBM Business Partner. “It can cut a huge list of vulnerabilities in half, if not more. Users will quickly see vulnerabilities on their networks, without trying to mash products together – that is how information falls through the cracks. This is a true game changer.”

IBM is enhancing its intrusion prevention platform with the introduction of the IBM Security Network Protection XGS 5100. Fully integrated with IBM Security QRadar, the platform now provides ongoing network data feeds to help identify stealthy Secure Sockets Layer attacks (SSL is the security protocol that lets web sites pass sensitive information in encrypted form), in addition to providing real-time protection from advanced threats and heightened levels of network visibility and control. This enhanced intrusion prevention platform also includes IBM’s virtual patch technology, which provides protection for a vulnerability when a software patch is not yet available.

NTODefend now more effectively blocks application vulnerabilities

NT OBJECTives announced that its NTODefend solution now blocks approximately 30% more application vulnerabilities than the previous version. As a result, NTODefend’s virtual patching solutions now automatically block an average of 95% of an application’s vulnerabilities when leveraged with intrusion detection and prevention technology based on Snort, like Sourcefire’s Next Gen IPS or ModSecurity’s WAF.

“Few enterprise security teams actually have time to properly train their WAFs to provide the necessary protection, leaving applications and enterprises vulnerable to an ever-changing landscape of threats,” said Dan Kuykendall, co-CEO and CTO of NT OBJECTives. “By strengthening our solution with more accurate rules, we are able to save security teams time, improve the effectiveness of their WAF or IPS, and better protect their web applications from attacks.”

Most types of web application security software offer virtual patching solutions that merely turn on the default rules packaged with the WAF or IPS; however, in many cases, custom rules are necessary and critical in order to more effectively block discovered vulnerabilities without blocking desirable traffic.

NTODefend automatically leverages knowledge of the application with information about the vulnerability that instantly creates a custom rule to block the vulnerability. The impact of this custom rule is significant. According to a 2011 study by Larry Suto, web application firewalls become up to 39% more effective in blocking web application vulnerabilities when layered with Dynamic Application Security Testing (DAST) solutions.

NTODefend enables enterprise security teams to create custom rules to patch their WAF or IPS against vulnerabilities discovered in automated NTOSpider scans. With NTODefend, security professionals are able to patch web application vulnerabilities immediately, expediting the days or weeks it can take to build a custom rule for a WAF or IPS, or the time it takes to deliver a source code patch. This provides developers with the time they need to identify the root cause of the problem and fix it in the code.

Users simply take the results of their NTOSpider web application security software scan, import them into NTODefend, and generate strong customized rules that target the application’s vulnerabilities, which increases the accuracy of the WAF or IPS and its ability to protect the application. These filters are able to pinpoint vulnerabilities without blocking desirable traffic.
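The virtual patching workflow described above (scan findings in, parameter-specific WAF rules out, instead of switching on the default rule set), as an added Python example that is not NTODefend's or ModSecurity's code: the `Finding` record, the expected-type patterns and the sample findings are constructed for the example, and the output uses ModSecurity v2 `SecRule` syntax.

```python
"""Generate ModSecurity virtual-patch rules from DAST findings (added example, not NT OBJECTives' code)."""
from dataclasses import dataclass
from typing import List

# Allow-list patterns keyed by the parameter type the application expects.
# Constructed mapping for this example; a real product would carry many more types.
EXPECTED_TYPE_PATTERNS = {
    "integer": r"^[0-9]{1,10}$",
    "slug": r"^[a-z0-9-]{1,64}$",
    "email": r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$",
}

@dataclass(frozen=True)
class Finding:
    path: str           # request path where the scanner confirmed the flaw
    parameter: str      # vulnerable parameter name
    vuln_class: str     # e.g. "sqli", "xss", as labelled in the scan report
    expected_type: str  # what the application actually expects for this parameter

def rule_for(finding: Finding, rule_id: int) -> str:
    """Emit one chained ModSecurity rule that rejects out-of-spec values for one parameter.

    Scoping the rule to the exact path and parameter is what keeps it from
    blocking desirable traffic elsewhere in the application.
    """
    pattern = EXPECTED_TYPE_PATTERNS[finding.expected_type]
    msg = f"Virtual patch: {finding.vuln_class} in {finding.parameter} at {finding.path}"
    first = (f'SecRule REQUEST_URI "@streq {finding.path}" '
             f'"id:{rule_id},phase:2,t:none,t:normalizePath,deny,status:403,log,'
             f"msg:'{msg}',chain\"")
    # Chained rule: the deny above fires only when the parameter does NOT match the allow-list.
    second = f'    SecRule ARGS:{finding.parameter} "!@rx {pattern}" "t:none"'
    return first + "\n" + second

def generate_rules(findings: List[Finding], start_id: int = 900100) -> str:
    """Render one rule per distinct (path, parameter), with the unique ids ModSecurity requires."""
    seen = set()
    rules = []
    for i, f in enumerate(findings):
        key = (f.path, f.parameter)
        if key in seen:   # the same input reported under two classes needs only one patch
            continue
        seen.add(key)
        rules.append(rule_for(f, start_id + i))
    return "\n\n".join(rules)

# Constructed findings standing in for an imported scanner report.
SAMPLE_FINDINGS = [
    Finding("/shop/item.php", "id", "sqli", "integer"),
    Finding("/shop/item.php", "id", "xss", "integer"),      # duplicate location
    Finding("/account/profile", "email", "xss", "email"),
]
```

Calling `generate_rules(SAMPLE_FINDINGS)` yields two rules, one per vulnerable input; the allow-list approach means a patch only needs to know what the parameter should look like, not every payload shape an attacker might try.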

The improved rules enable an almost 47% increase in the application vulnerabilities blocked using NTODefend with Sourcefire or ModSecurity.