US Needs Top Cyber Coordinator, Better Hacker ‘Deterrence’: Panel

The US needs a top-level cybersecurity coordinator and a better strategy of “deterrence” to protect against hackers and other cyber threats, a congressionally mandated commission said Wednesday.

Defense in cyberspace requires a series of government reforms and policies to strike back at attackers, according to the report by the Cyberspace Solarium Commission.

The bipartisan panel, which included lawmakers and private sector experts, made more than 80 recommendations, ranging from reforms in the executive and legislative branches to better cooperation with allies to secure cyberspace.

“The reality is that we are dangerously insecure,” said a statement from Senator Angus King and Representative Mike Gallagher, co-chairs of the panel which took its name from an Eisenhower-era foreign policy project.

“Your entire life — your paycheck, your health care, your electricity — increasingly relies on networks of digital devices that store, process and analyze data. These networks are vulnerable, if not already compromised.”

Panel members described the required effort as equivalent to preventing another 9/11 attack.

The panel recommended the establishment of a White House cabinet-level “national cyber director” to direct coordination within government and with the private sector.

Additionally, the panel cited the need for a stronger deterrence strategy to demonstrate that attackers in cyberspace would pay a price.

“Deterrence is possible in cyberspace,” the report said.

“Today most cyber actors feel undeterred, if not emboldened, to target our personal data and public infrastructure… through our inability or unwillingness to identify and punish our cyber adversaries, we are signaling that interfering in American elections or stealing billions in US intellectual property is acceptable.”

It said the US government and private sector must “defend themselves and strike back with speed and agility.”

The commission said cyber defense should rely on a “layered” strategy that imposes costs on attackers.

“A key, but not the only, element of cost imposition is the military instrument of power,” the report said.

“The United States must maintain the capacity, resilience, and readiness to employ cyber and non-cyber capabilities across the spectrum of engagement from competition to crisis and conflict.”

Source: US Needs Top Cyber Coordinator, Better Hacker ‘Deterrence’: Panel

Vulnerability in Intel Chipsets Allows Hackers to Obtain Protected Data

Most Intel chipsets released in the past five years are affected by a vulnerability that can be exploited to obtain encrypted data and compromise data protection technologies, Positive Technologies revealed on Thursday.

Intel first learned about the flaw, tracked as CVE-2019-0090, from a partner, and addressed it in an advisory published in May 2019. The weakness was later independently discovered by Positive Technologies, which has now published a blog post describing its findings. The company also plans to publish a detailed research paper soon.

According to Positive Technologies, CVE-2019-0090 is an unfixable vulnerability that affects the Converged Security and Management Engine (CSME) boot ROM on most Intel chipsets and system on chips (SoCs), except for Ice Point chipsets.

CSME is responsible for the initial authentication of Intel-based systems by loading and verifying firmware components. It authenticates the UEFI using BootGuard, it checks the Power Management Controller, and it also provides the cryptographic basis for Intel’s data protection technologies, including digital rights management (DRM), firmware Trusted Platform Module (TPM), and Identity Protection Technology (IPT).

Another vulnerability found in Intel chips

The company’s researchers discovered that a vulnerability in the CSME boot ROM can pose a serious risk to users and organizations relying on Intel protection technology.

“An early-stage vulnerability in ROM enables control over reading of the Chipset Key and generation of all other encryption keys. One of these keys is for the Integrity Control Value Blob (ICVB). With this key, attackers can forge the code of any Intel CSME firmware module in a way that authenticity checks cannot detect. This is functionally equivalent to a breach of the private key for the Intel CSME firmware digital signature, but limited to a specific platform,” Positive Technologies explained in a blog post.

Mark Ermolov, lead specialist of OS and hardware security at Positive Technologies, told SecurityWeek that once an attacker has obtained this chipset key, they can decrypt any data encrypted using Intel Platform Trust Technology (PTT).

“Standard Windows BitLocker hard drive encryption supports Intel PTT if there isn’t a dedicated TPM chip. BitLocker is increasingly used in corporate Windows 10 machines to encrypt drives in order to prevent data theft or exposure. So any data that was encrypted using Intel PTT technology could be decrypted, such as bank account information, passwords and other log-in credentials, and any confidential files relating to intellectual property. Attackers can also write malware to run on Intel CSME with all consequences (stealing private information, completely blocking access to the computer and encrypting information, extorting money and so on),” Ermolov explained.

This chipset key can also be abused to forge a device’s Enhanced Privacy ID (EPID) attestation. EPID is used for the remote attestation of trusted systems. It enables the identification of individual computers and it has been used to protect digital content, secure financial transactions, and to provide IoT attestation.

While Intel claims that physical access is required to obtain the key, Positive Technologies says a remote attacker may also be able to achieve this task if they have access to the targeted PC.

Once the key has been obtained, Ermolov says, “the attacker, being at any place and at any time, can pretend to be the victim’s computer and, for example, perform financial operations on his behalf. Access to the victim’s computer is no longer needed.”

Positive Technologies has found a way to recover an encrypted chipset key, but in order to decrypt it they need a hardware key, which is strongly protected and they have yet to obtain it. However, the company believes it’s only a matter of time and pointed out that the same hardware key is used for an entire chipset model. Ermolov estimates that the hardware key will be obtained by the middle of 2020.

This means that, for the time being, the EPID remote certification scheme cannot be hacked, but Ermolov says an attacker can already achieve arbitrary code execution with elevated privileges on the CSME.

Positive Technologies has compared the vulnerability to an unpatchable iOS bootrom exploit released last year.

Intel has described the vulnerability as an insufficient access control issue that impacts CSME, as well as the Trusted Execution Engine Interface (TXE) and Server Platform Services (SPS).

Positive Technologies says Intel has been trying to address the issue by blocking potential exploitation vectors. The cybersecurity firm claims Intel has only patched one vector, but its experts believe there are multiple other ways to exploit the flaw.

Intel updated its initial advisory last month to credit Positive Technologies. The tech giant has reiterated its previously provided security guidance for CVE-2019-0090, advising users to prevent physical access to their devices, to install updates as soon as they become available, and to ensure that they can detect and prevent intrusions and exploitation.

Hackers Scanning for Apache Tomcat Servers Vulnerable to Ghostcat Attacks

Hackers have started scanning the web in search of Apache Tomcat servers affected by a recently disclosed vulnerability tracked as CVE-2020-1938 and dubbed Ghostcat.

Threat intelligence service Bad Packets reported on March 1 that it had started seeing mass scanning activity targeting the vulnerability and urged organizations to patch their installations as soon as possible.

Bad Packets told SecurityWeek on Wednesday that the scanning activity it has detected is designed to enumerate vulnerable servers by checking for the path “/WEB-INF/web.xml”.

Proof-of-concept (PoC) exploits have been released by various researchers and several of them reference this path.

“Outside of known security researchers, we’ve detected hundreds of unique scans originating from hosts in China checking for the vulnerability,” Bad Packets said.

The Ghostcat vulnerability has existed for more than a decade and it affects versions 6, 7, 8 and 9 of Apache Tomcat. The flaw was reported by Chinese cybersecurity firm Chaitin Tech to the Apache Software Foundation on January 3. Patches were made available last month with the release of versions 9.0.31, 8.5.51 and 7.0.100.

The security hole is related to the Apache JServ Protocol (AJP), which is designed to improve performance by proxying inbound requests from a web server through to an application server.

A remote, unauthenticated attacker can exploit it to access configuration and source code files. If the server allows users to upload files, the flaw can also be exploited for arbitrary code execution.

Ghostcat affects the default configuration of Tomcat and many servers are vulnerable to attacks directly from the internet. ONYPHE reported in late February that a scan had identified over 170,000 potentially vulnerable devices.
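The fixed releases named above and the AJP connector the flaw lives in lend themselves to a quick exposure check. The script below is an added example, not code from SecurityWeek, Bad Packets or the Apache Tomcat project. It encodes the fixed versions the article lists (9.0.31, 8.5.51, 7.0.100; Tomcat 6 is treated as having no fix) and inspects a Tomcat `server.xml` for an AJP connector that listens beyond loopback or carries no shared secret. The two `server.xml` samples are constructed for the demo; the connector attributes it checks (`protocol`, `address`, `secret`) are the standard Tomcat connector attributes, which is an assumption the reader should confirm against their own Tomcat version's documentation.

```python
"""Ghostcat (CVE-2020-1938) exposure check for Apache Tomcat.

Added example, not the article's or the Tomcat project's code. Flags a Tomcat
version that predates the fixed release for its branch, and flags AJP
connectors in server.xml that are reachable from other hosts or lack a secret.
"""
import xml.etree.ElementTree as ET

# Minimum fixed release per branch, per the article. Tomcat 6 has no fix.
FIXED_VERSIONS = {
    "9.0": (9, 0, 31),
    "8.5": (8, 5, 51),
    "7.0": (7, 0, 100),
}

# Addresses on which an AJP connector is reachable only from the local host.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def parse_version(text):
    """Turn '8.5.50' into (8, 5, 50); raise ValueError on anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected Tomcat version string: {text!r}")
    return parts


def version_is_vulnerable(text):
    """True if the version predates the fix for its branch, or the branch has
    no listed fix (Tomcat 6, 8.0) and so should be treated as unpatched."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixed is None:
        return True
    return (major, minor, patch) < fixed


def exposed_ajp_connectors(server_xml):
    """Return findings for every enabled AJP connector in server.xml that is
    bound to a non-loopback address or has no 'secret' attribute.

    Connectors that are commented out in the XML are not parsed, which is the
    desired behaviour: a commented-out connector is disabled.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address not in LOOPBACK_ADDRESSES:
            findings.append(
                f"AJP connector on port {port} listens on "
                f"{address or 'all interfaces'}"
            )
        if not conn.get("secret"):
            findings.append(f"AJP connector on port {port} has no 'secret'")
    return findings


# Constructed sample: the pre-fix default, AJP on all interfaces, no secret.
SAMPLE_DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: AJP bound to loopback with a shared secret (placeholder).
SAMPLE_HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secret="REPLACE-WITH-A-RANDOM-SECRET" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def assess(version, server_xml):
    """Combine both checks into one report dict for a host."""
    return {
        "version": version,
        "version_vulnerable": version_is_vulnerable(version),
        "connector_findings": exposed_ajp_connectors(server_xml),
    }


if __name__ == "__main__":
    for label, ver, xml in (
        ("default", "8.5.50", SAMPLE_DEFAULT_SERVER_XML),
        ("hardened", "8.5.51", SAMPLE_HARDENED_SERVER_XML),
    ):
        print(label, assess(ver, xml))
```

Run it against a real host by substituting the installed version string (from `version.sh` or the Tomcat banner) and the contents of `conf/server.xml`. Both checks should pass before a server is considered out of scope for the scanning the article describes: a patched version with an AJP connector still open to the network is a configuration worth tightening regardless.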

Source: Hackers Scanning for Apache Tomcat Servers Vulnerable to Ghostcat Attacks

T-Mobile Notifying Customers of Data Breach

Wireless carrier T-Mobile is sending notifications to its customers to inform them of a data breach that resulted in some of their personal information being compromised.

The incident, the company says, was a sophisticated, malicious attack that targeted its email vendor. As part of the assault, unknown adversaries gained unauthorized access to the email accounts of some T-Mobile employees.

Because some of these accounts contained account information for T-Mobile customers and employees, the attack essentially resulted in that data being accessed by a third party.

Customer data that appears to have been compromised in the incident includes names and addresses, phone numbers, account numbers, rate plans and features, and billing information.

According to the wireless carrier, no financial information (such as credit card details) or Social Security numbers were affected by this data breach.

“An investigation was immediately commenced, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was affected. We immediately reported this matter to federal law enforcement and are actively cooperating in their investigation,” the notification reads.

The company also says it has no evidence that the exposed information “has been used to commit fraud or otherwise misused,” but encourages users to update the PIN or passcode on their T-Mobile account.

Some of the affected individuals, the carrier says, might not receive a notification, either because of outdated contact information or because that person is no longer a T-Mobile customer. The company encourages those who believe they might have been affected to contact Customer Care for additional information and assistance.

T-Mobile says the attack was identified and shut down by its cyber-security team recently, but does not provide a specific timeframe for when that happened, nor does it reveal details on how many of its customers might have been impacted.

SecurityWeek has contacted T-Mobile via email for additional clarifications on the incident and will update the article as soon as a reply arrives.

Source: T-Mobile Notifying Customers of Data Breach

Alleged Member of ‘Dark Overlord’ Hacker Group Extradited From UK to US

A UK national suspected of being a member of the notorious hacker group called The Dark Overlord has been extradited to the United States, the U.S. Department of Justice announced on Wednesday.

Nathan Wyatt, 39, has been charged by U.S. authorities on six counts of aggravated identity theft, threatening to damage a protected computer, and conspiracy.

The Dark Overlord hacked into the systems of many companies in the United Kingdom and the United States. The cybercriminals stole information from the targeted organizations and used that information to convince them to pay a ransom.

According to the indictment made public by the Justice Department, Wyatt used phone and email accounts to send threatening messages to The Dark Overlord victims in an effort to get them to pay up.

Victims included companies in the film, healthcare, finance, legal and various other industries. U.S. prosecutors have focused on the attacks targeting one accounting and four healthcare companies.

The indictment references Wyatt’s alleged activities from February 2016 until June 2017. Wyatt has been in jail in the United Kingdom since 2017 after pleading guilty to separate charges related to blackmail, possession of a fake passport, and using stolen payment card data.

“Today’s extradition shows that the hackers hiding behind The Dark Overlord moniker will be held accountable for their alleged extortion of American companies,” said Brian A. Benczkowski, assistant attorney general for the Criminal Division of the Department of Justice. “We are thankful for the close cooperation of our partners in the United Kingdom in ensuring that the defendant will face justice in U.S. court.”

In May 2018, police in Serbia claimed to have arrested another alleged member of The Dark Overlord, but Motherboard reported at the time that the group had continued to operate.


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Source: Alleged Member of ‘Dark Overlord’ Hacker Group Extradited From UK to US

Bill to Protect U.S. Energy Grid From Cyberattacks Passes With NDAA

Legislation that aims to protect the U.S. energy grid from cyberattacks passed the House this week after being added to the 2020 National Defense Authorization Act (NDAA).

The 2020 NDAA passed the House by a vote of 377 to 48 and President Donald Trump is expected to sign it soon.

The annual military bill includes the Securing Energy Infrastructure Act, which establishes a two-year pilot program within Energy Department national laboratories with the goal of identifying vulnerabilities and isolating critical grid systems.

The Securing Energy Infrastructure Act was introduced by Sen. Angus King and Sen. Jim Risch, and a companion bill has been introduced in the House of Representatives by Rep. Dutch Ruppersberger and Rep. John Carter.

The bill proposes solutions such as the use of analog backup systems, which could prevent cyberattacks from causing too much damage.

“This approach seeks to thwart even the most sophisticated cyber-adversaries who, if they are intent on accessing the grid, would have to actually physically touch the equipment, thereby making cyber-attacks much more difficult,” according to a press release from Sen. Angus’ office.

The bill also requires the creation of a working group that would analyze the solutions proposed by national laboratories and develop a national strategy for protecting the energy grid.

“The energy grid powers our financial transactions, communications networks, healthcare services and most of our daily life, so if this critical infrastructure is compromised by a hacker, these building blocks of American life are at risk,” said Senator King. “Protecting our energy grid is commonsense, bipartisan, and vital to national security, and I’m happy this year’s NDAA will enshrine this needed provision into law.”

The cyber and physical security of North America’s energy grid was tested recently as part of a major exercise called GridEx V. More than 6,500 participants representing more than 425 government and energy sector organizations in the United States, Canada and Mexico took part in the two-day exercise.

Earlier this year, a power utility in the U.S. reported interruptions to electrical system operations as a result of a denial-of-service (DoS) attack that involved the exploitation of a known vulnerability in Cisco firewalls.



Source: Bill to Protect U.S. Energy Grid From Cyberattacks Passes With NDAA