
Tag: Business Continuity

An unwelcome PITSTOP

Glitches at distributed denial-of-service mitigation biz Incapsula left the websites it defends offline twice on Thursday. Incapsula blamed "connectivity issues" for the global PITSTOP, aka the worldwide degradation of its services. "A rare case triggered an issue on the Incapsula service and caused two system-wide errors at 9:44 UTC and 14:50 UTC making sites inaccessible," a spokeswoman told us. "The issue was identified immediately and actions were taken to contain it and restore service.

The root cause has been identified and the Incapsula development and ops teams have corrected the issue. We apologize for the inconvenience to our customers." The data center security firm elaborated on the situation on its system status page and in a string of tweets. Affected sites included the blog of IT security industry veteran Graham Cluley. He tweeted: "Apologies to those trying to get to my site. @Incapsula_com is down for the second time today, bring my site with it."

Bootnote: PITSTOP – Partial Inability To Support Totally Optimal Performance: Not quite a full TITSUP, which is a Total Inability To Support Usual Packets.
The custom firmware that the FBI would like Apple to produce in order to unlock the San Bernardino iPhone would be the most straightforward way of accessing the device, allowing the federal agency to rapidly attempt PIN codes until it found the one that unlocked the phone. But it's probably not the only way to achieve what the FBI wants.

There may well be approaches that don't require Apple to build a custom firmware to defeat some of the iPhone's security measures. The iPhone 5c used by the San Bernardino killers encrypts its data using a key derived from a combination of an ID embedded in the iPhone's processor and the user's PIN.

Assuming that a 4-digit PIN is being used, that's a mere 10,000 different combinations to try out. However, the iPhone has two protections against attempts to try every PIN in turn.

First, it inserts delays to force you to wait ever longer between PIN attempts (up to one hour at its longest).
Second, it has an optional capability to delete its encryption keys after 10 bad PINs, permanently depriving access to any encrypted data. The FBI would like to use a custom firmware that allows attempting multiple PINs without either of these features.

This custom firmware would most likely be run using the iPhone's DFU mode.

Device Firmware Update (DFU) mode is a low-level last resort mode that can be used to recover iPhones that are unable to boot.

To use DFU mode, an iPhone must be connected via USB to a computer running iTunes. iTunes will send a firmware image to the iPhone, and the iPhone will run that image from a RAM disk.

For the FBI's purposes, this image would include the PIN-attack routines to brute-force the lock on the device. Developing this firmware should not be particularly difficult—jailbreakers have developed all manner of utilities to build custom RAM disks to run from DFU mode, so running custom code from this environment is already somewhat understood—but there is a problem.

The iPhone will not run any old RAM disk that you copy to it.
It first verifies the digital signature of the system image that is transferred. Only if the image has been properly signed by Apple will the phone run it. The FBI cannot create that signature itself. Only Apple can do so.

This means also that the FBI cannot even develop the code itself.

To test and debug the code, it must be possible to run the code, and that requires a signature.

This is why it is asking for Apple's involvement: only Apple is in a position to do this development.

Do nothing at all

The first possibility is that there's simply nothing to do.

Erasing after 10 bad PINs is optional, and it's off by default.
If the erase option isn't enabled, the FBI can simply brute force the PIN the old-fashioned way: by typing in new PINs one at a time.
It would want to reboot the phone from time to time to reset the 1 hour delay, but as tedious as the job would be, it's certainly not impossible. It would be a great deal slower on an iPhone 6 or 6s.
In those models, the running count of failed PIN attempts is preserved across reboots, so resetting the phone doesn't reset the delay period.

But on the 5c, there's no persistent record of bad PIN trials, so restarting the phone allows an attacker to short-circuit the delay.

Why it might not work

Obviously, if the phone is set to wipe itself, this technique wouldn't work, and the FBI would want to know one way or the other before starting.
It ought to be a relatively straightforward matter for Apple to tell, as the phone does have the information stored in some accessible way so that it knows what to do when a bad PIN is entered. But given the company's reluctance to assist so far, getting them to help here may be impossible.

Update: It turns out that this bug was fixed in iOS 8.1, so it probably wouldn't work after all.

Acid and laserbeams

One risky solution that has been discussed extensively already is to use lasers and acid to remove the outer layers of the iPhone's processor and read the embedded ID. Once this embedded ID is known, it's no longer necessary to try to enter the PIN directly on the phone itself.
Instead, it would be possible to simply copy the encrypted storage onto another computer and attempt all the PINs on that other computer.

The iPhone's lock-outs and wiping would be irrelevant in this scenario.

Why it might not work

The risk of this approach is not so much that it won't work, but that if even a tiny mistake is made, the hardware ID could be irreparably damaged, rendering the stored data permanently inaccessible.

Jailbreak the thing

The iPhone's built-in lockouts and wipes are unavoidable if running the iPhone's operating system... assuming that the iPhone works as it is supposed to.
It might not.

The code that the iPhone runs to enter DFU mode, load a RAM image, verify its signature, and then boot the image is small, and it should be simple and quite bullet-proof. However, it's not impossible that this code, which Apple calls SecureROM, contains bugs.
Sometimes these bugs can enable DFU mode (or the closely related recovery mode) to run an image without verifying its signature first. There are perhaps six known historic flaws in SecureROM that have enabled jailbreakers to bypass the signature check in one way or another.

These bugs are particularly appealing to jailbreakers, because SecureROM is baked into hardware, and so the bugs cannot be fixed once they are in the wild: Apple has to update the hardware to address them.

Exploitable bugs have been found in the way SecureROM loads the image, verifies the signature, and communicates over USB, and in all cases they have enabled devices to boot unsigned firmware. If a seventh exploitable SecureROM flaw could be found, this would enable jailbreakers to run their own custom firmwares on iPhones.

That would give the FBI the power to do what it needs to do: it could build the custom firmware it needs and use it to brute force attack the PIN.
Some critics of the government's demand have suggested that a government agency—probably the NSA—might already know of such a flaw, arguing that the case against Apple is not because of a genuine need to have Apple sign a custom firmware but merely to give cover for their own jailbreak.

Why it might not work

Of course, the difficulty with this approach is that it's also possible that no such flaw exists, or that even if it does exist, nobody knows what it is.

Given the desirability of this kind of flaw—it can't be fixed through any operating system update—jailbreakers have certainly looked, but thus far they've turned up empty-handed.

As such, this may all be hypothetical.

Ask Apple to sign an FBI-developed firmware

Apple doesn't want to develop a firmware to circumvent its own security measures, saying that this level of assistance goes far beyond what is required by law.

The FBI, however, can't develop its own firmware because of the digital signature requirements. But perhaps there is a middle ground.

Apple, when developing its own firmwares, does not require each test firmware to be signed.
Instead, the company has development handsets that have the signature restriction removed from SecureROM and hence can run any firmware.

These are in many ways equivalent to the development units that game console manufacturers sell to game developers; they allow the developers to load their games to test and debug them without requiring those games to be signed and validated by the console manufacturer each time. Unlike the consoles, Apple doesn't distribute these development phones.
It might not even be able to, as it may not have the necessary FCC certification.

But they nonetheless exist.
In principle, Apple could lend one of these devices to the FBI so that the FBI would then be responsible for developing the firmware.

This might require the FBI to do the work on-site at Cupertino or within a Faraday cage to avoid FCC compliance concerns, but one way or another this should be possible. Once it had a finished product, Apple could sign it.
If the company was truly concerned with how the signed firmware might be used, it might even run the firmware itself and discard it after use. This would relieve Apple of the burden of creating the firmware, and it could be argued that this weakens Apple's First Amendment argument against unlocking the phone. While source code is undoubtedly expressive and protected by the First Amendment, it seems harder to argue that a purely mechanical transformation such as stamping a file with a digital signature should be covered by the same protection.

Why it might not work

Apple may very well persist in saying no, and the courts may agree.

Stop the phone from wiping its encryption keys

The way the iPhone handles encryption keys is a little more complex than outlined above.

The encryption key derived from the PIN combined with the hardware ID isn't used to encrypt the entire disk directly.
If it were, changing the PIN would force the entire disk to be re-encrypted, which would be tiresome to say the least.
Instead, this derived key is used to encrypt a second key, and that key is used to encrypt the disk.

That way, changing the PIN only requires re-encryption of the second key.

The second key is itself stored on the iPhone's flash storage. Normal flash storage is awkward to securely erase, due to wear leveling.

Flash supports only a limited number of write cycles, so to preserve its life, flash controllers spread the writes across all the chips. Overwriting a file on a flash drive may not actually overwrite the file but instead write the new file contents to a different location on the flash drive, potentially leaving the old file's contents unaltered. This makes it a bad place to store encryption keys that you want to be able to delete.

Apple's solution to this problem is to set aside a special area of flash that is handled specially.

This area isn't part of the normal filesystem and doesn't undergo wear leveling at all.
If it's erased, it really is erased, with no possibility of recovery.
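The key hierarchy and effaceable slot described above, as an added toy model in Python (this is not Apple's code and not from the article; the hardware UID is a constructed constant, and an HMAC-SHA256 keystream with an authentication tag stands in for AES, which the standard library lacks). It shows that the PIN-derived key only wraps the disk key, that changing the PIN re-wraps that one blob without touching the bulk data, and that erasing the blob leaves the data unrecoverable even with the correct PIN.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the per-chip ID fused into the processor (hypothetical value).
HARDWARE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_kek(pin: str, hardware_uid: bytes) -> bytes:
    """Key-encryption key derived from the user's PIN and the chip's embedded ID."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), hardware_uid, 50_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for AES so the example runs offline."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; layout is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(key, nonce, len(ct)))


class Device:
    """Simulated handset: bulk data under a random disk key, the disk key wrapped
    under the PIN-derived key, and that wrapped key kept in an effaceable slot."""

    def __init__(self, pin: str, uid: bytes = HARDWARE_UID):
        self.uid = uid
        disk_key = os.urandom(32)
        self.effaceable: Optional[bytes] = wrap(derive_kek(pin, uid), disk_key)
        self.disk: bytes = b""  # ciphertext of the user's data, stays put on PIN change

    def _disk_key(self, pin: str) -> Optional[bytes]:
        """Unlock path: PIN -> KEK -> disk key. Fails closed if the slot is erased."""
        if self.effaceable is None:
            return None
        return unwrap(derive_kek(pin, self.uid), self.effaceable)

    def write(self, pin: str, data: bytes) -> bool:
        disk_key = self._disk_key(pin)
        if disk_key is None:
            return False
        self.disk = wrap(disk_key, data)
        return True

    def read(self, pin: str) -> Optional[bytes]:
        disk_key = self._disk_key(pin)
        if disk_key is None:
            return None
        return unwrap(disk_key, self.disk)

    def change_pin(self, old_pin: str, new_pin: str) -> bool:
        """Only the wrapped disk key is rewritten; the bulk ciphertext is untouched."""
        disk_key = self._disk_key(old_pin)
        if disk_key is None:
            return False
        self.effaceable = wrap(derive_kek(new_pin, self.uid), disk_key)
        return True

    def wipe(self) -> None:
        """Erase the effaceable slot; the disk ciphertext remains but is now unrecoverable."""
        self.effaceable = None
```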

This special section is called effaceable storage. When the iPhone wipes itself, whether due to bad PIN entry, a remote wipe request for a managed phone, or the built-in reset feature, this effaceable storage area is the one that gets obliterated. Apart from that special handling, however, the effaceable area should be readable and writeable just like regular flash memory. Which means that in principle a backup can be made and safely squirreled away.
If the iPhone then overwrites it after 10 bad PIN attempts, it can be restored from this backup, and that should enable a further 10 attempts.

This process could be repeated indefinitely. This video from a Shenzhen market shows a similar process in action (we came at it via 9to5Mac after seeing a tweet in February and further discussion in March). Here, a 16GB iPhone has its flash chip desoldered and put into a flash reader.

A full image of that flash is made, including the all-important effaceable area.
In this case, the chip is then replaced with a 128GB chip, and the image restored, with all its encryption and data intact.

The process for the FBI's purposes would simply use the same chip every time. By restoring every time the encryption keys get destroyed, the FBI could—slowly—perform its brute force attack.
It would probably want to install a socket of some kind rather than continuously soldering and desoldering the chip, but the process should be mechanical and straightforward, albeit desperately boring. A more exotic possibility would be to put some kind of intermediate controller between the iPhone and its flash chip that permitted read instructions but blocked all attempts to write or erase data. Hardware write blockers are already routinely used in other forensic applications to prevent modifications to SATA, SCSI, and USB disks that are being used as evidence, and there's no reason why such a thing could not be developed for the flash chips themselves.

This would allow the erase/restore process to be skipped, requiring the phone to be simply rebooted every few attempts.

Why it might not work

The working assumption is that the iPhone's processor has no non-volatile storage of its own, so it simply doesn't remember that it is supposed to have wiped its encryption keys and will offer another ten attempts if the effaceable storage area is restored; or that, even if it does remember, it doesn't care.

This is probably a reasonable assumption; the A6 processor used in the iPhone 5c doesn't appear to have any non-volatile storage of its own, and allowing restoration means that even a securely wiped phone can be straightforwardly restored from backup by connecting it to iTunes. For newer iPhones, that's less clear.

Apple implies that the A7 processor—the first to include the "Secure Enclave" function—does have some form of non-volatile storage of its own. On the A6 processor and below, the time delay between PIN attempts resets every time the phone is rebooted. On the A7 and above, it does not; the Secure Enclave somehow remembers that there has been some number of bad PIN attempts earlier on.

Apple also vaguely describes the Secure Enclave as having an "anti-replay counter" for data that is "saved to the file system." It's not impossible that this is also used to protect the effaceable storage in some way, allowing the phone to detect that it has been tampered with.

Full restoration is similarly still likely to be possible. There is also some risk to disassembling the phone, but if the process is reliable enough for Shenzhen markets, the FBI ought to be able to manage it reliably enough. This last technique in particular should be quite robust.

There's no doubt that Apple's assistance would help a great deal; creating a firmware to allow brute-forcing the PIN would be faster and lower risk than any method that requires disassembly.

But if the FBI is truly desperate to bypass the PIN lockout and potential disk wipe, there do appear to be options available to it that don't require Apple to develop the firmware.
NEWS ANALYSIS: The first known attempt to spread ransomware on Macs was quickly spotted and disabled by security researchers and by Apple, but it won't be the last.

The first try at creating ransomware for the Macintosh was a bust, according to a spokesperson at Apple who told eWEEK that the company acted to invalidate the developer certificate tied to the malware to protect users from installing it. The malware was initially found by researchers at Palo Alto Networks, who alerted Apple and Transmission, the software developer that made the Tor file transfer app that was infected to spread the malware. Macintosh users who downloaded the Transmission software can get rid of the malware, now called KeRanger, by downloading the updated version 2.9.2 of the Transmission installer, which, among other things, contains code that will find and remove the malware. Meanwhile, Apple updated XProtect so that it would recognize the KeRanger malware and prevent it from infecting more Macintosh computers. XProtect is Apple's built-in anti-malware software for the Macintosh. Of the approximately 6,500 Mac users that downloaded the infected Transmission software, most won't actually have their files encrypted by the malware nor have to pay the hackers a Bitcoin ransom to get the decryption key, because the necessary file, called General.RTF, won't execute. Unfortunately, a few Mac users will have had their files encrypted before the malware was detected and thwarted.

These users will either need to pay to decrypt them or, if they're lucky, restore their files from a backup. The vast majority of Macintosh users dodged the bullet this time, but it's not safe for them to assume that the hackers won't have better luck and better malware the next time. Then Mac users will find themselves in a situation similar to what Windows users have been dealing with for years.

The only safe approach is to assume that any software you don't personally know to be safe probably isn't. The reason that Mac users haven't had to worry about ransomware or other malware until recently isn't that the Macintosh is immune, because it's not.

The reason that Macs haven't had a problem is mainly that their market share has been so low that malware writers didn't have the economic incentive to write malware.

But that's all changed. As Apple's market share has grown, so has the temptation to create malware, and Apple's XProtect is the first approach at fighting it.

But XProtect is only a basic, signature-based security package, so it's limited in what it can do against advanced threats.

Fortunately, all of the familiar antivirus packages are also available for your Mac, including software from Symantec, McAfee, Avast, Trend Micro and many others. But ransomware isn't always picked up by antivirus software or by corporate firewalls. What happens then is that you could still end up with your data encrypted and find yourself stuck with no means of getting your work done except to pay the ransom. Unfortunately, the problem is only going to get worse. "This is the first really functional ransomware on the Mac," said Dodi Glenn, vice president of cyber-security for PC Pitstop, a security vendor.
The first known working ransomware aimed at Macs contained hints that the cybercriminals were working on a way to encrypt backups in an attempt to force payment, security researchers said today. Dubbed "KeRanger" by Palo Alto Networks, whose researcher...
With the help of security researchers, Apple over the weekend quickly blocked a cyberattack aimed at infecting Mac users with file-encrypting malware known as ransomware. The incident is believed to be the first Apple-focused attack using ransomware, which typically targets computers running Windows. Victims of ransomware are asked to pay a fee, usually in bitcoin, to get access to the decryption key to recover their files. Security company Palo Alto Networks wrote on Sunday that it found the "KeRanger" ransomware wrapped into Transmission, which is a free Mac BitTorrent client.  Transmission warned on its website that people who downloaded the 2.90 version of the client "should immediately upgrade to 2.92." It was unclear how the attackers managed to upload a tampered version of Transmission to the application's website.

But compromising legitimate applications is a commonly used method. "It’s possible that Transmission's official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred," Palo Alto wrote on its blog. The tainted Transmission version was signed with a legitimate Apple developer's certificate.
If a Mac user's security settings are set to allow downloads from identified Apple developers, the person may not see a warning from Apple's Gatekeeper that the application could be dangerous. Apple revoked the certificate after being notified on Friday, Palo Alto wrote.

The company has also updated its XProtect antivirus engine. After it is installed on a system, KeRanger waits three days before connecting to a remote command-and-control server using the Tor system.
It is coded to encrypt more than 300 types of files. The ransom is 1 bitcoin, or about $404. There are few defenses against ransomware.

Antivirus programs often do not catch it since the attackers frequently make modifications to fool security software. The best method is to ensure files are regularly backed up and that the backup system is isolated in a way to protect it from being infected as well. Disturbingly, KeRanger appears to also try to encrypt files on Apple's Time Machine, its consumer backup drive, Palo Alto wrote. Ransomware schemes have been around for more than a decade, but over the last few years have spiked. At first the attacks struck consumer computers, with the aim of extracting a few hundred dollars.

But it appears attackers are targeting companies and organizations that may pay a much larger ransom to avoid disruption. Last month, a Los Angeles hospital said it paid a $17,000 ransom after saying it was the quickest, most effective way to restore its systems.

The ransomware had affected its electronic medical records. Although Apple's share of the desktop computing market is much lower than Windows, cyberattackers have been showing increasing interest in it.

But so far, ransomware hasn't been a problem, although some researchers have created proof-of-concept file-encrypting malware for Macs. Last November, Brazilian security researcher Rafael Salema Marques published a video showing how he coded ransomware for Mac in a couple of days. He didn't release the source code. Also, OS X security expert Pedro Vilaca posted proof-of-concept code on GitHub for Mac ransomware he wrote, another experiment showing how simple it would be for attackers to target the platform.
Canary squeals when domain admin credentials are pinched

RSA 2016 Dell SecureWorks duo Joe Stewart and James Bettke have created a free honeypot loaded with fake domain credentials in a bid to help admins trap and block attackers. The researchers built the Domain Controller Enticing Password Tripwire (DCEPT) tool designed to help organisations unmask hackers and shore up defences ahead of attacks. Windows Active Directory credentials are among the most common and handy tools in an attacker's arsenal and the pair hope to foil those who access them with the tool. Network administrators often use domain administrator accounts to access network computers.
If any of those machines are compromised, attackers can swipe the credentials stored in cache using tools like Mimikatz. "With this information, the attacker gains total control of the network," the pair say. "These types of attacks can potentially terminate a company's ability to do business. "Espionage or advanced-persistent-threat-style attacks have used this technique for years to compromise networks and steal protected data." The pair say the method is as common as it is effective, and has led to fleets of computers being permanently destroyed. "Even with reliable and recent data backups, the manpower it would take to restore an entire enterprise network is daunting." Stewart and Bettke, both seasoned forensic investigators, say solutions that identify anomalies are expensive and must be trained to capture normal behaviour. The DCEPT tool launched at the RSA San Francisco conference last week will identify what credential or honeytoken was stolen and from which machine. It sports an agent that drops honeytoken passwords into memory on endpoints, a network service that generates unique honeytokens at the request of an agent, and a sniffer service that looks at network traffic for signs that credentials are being stolen. The tool can be downloaded from GitHub and is available as a Docker container.
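The honeytoken workflow described above, as an added Python model that is not the DCEPT code itself: a service issues one unique decoy domain-admin password per endpoint and records which host got it, and a checker runs over constructed authentication-attempt records (the `key=value` feed format, the decoy account name and the hostnames are all assumptions) and, whenever a planted password shows up, reports which endpoint it was harvested from and where the attempt came from.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Honeytoken:
    username: str    # decoy account that looks like a real domain admin
    password: str    # unique per endpoint, so a hit pins down the source machine
    planted_on: str  # hostname of the endpoint the agent planted it on


@dataclass(frozen=True)
class Alert:
    planted_on: str  # endpoint whose memory must have been dumped
    used_from: str   # source address that tried the decoy credential
    username: str
    timestamp: str


class HoneytokenService:
    """Issues one fresh decoy credential per endpoint and remembers the mapping."""

    def __init__(self, domain: str, decoy_user: str = "svc_backupadmin"):
        self.domain = domain
        self.decoy_user = decoy_user
        self._by_password: Dict[str, Honeytoken] = {}

    def issue(self, hostname: str) -> Honeytoken:
        # Random password per request: tokens are never reused across hosts.
        token = Honeytoken(self.domain + "\\" + self.decoy_user,
                           secrets.token_urlsafe(12), hostname)
        self._by_password[token.password] = token
        return token

    def lookup(self, password: str) -> Optional[Honeytoken]:
        return self._by_password.get(password)


def parse_auth_record(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value' auth-attempt record from the sniffer feed."""
    fields: Dict[str, str] = {}
    for part in line.split():
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def scan(service: HoneytokenService, records: List[str]) -> List[Alert]:
    """Correlate observed credential use with planted honeytokens.

    A decoy password is never used legitimately, so any appearance of one is an
    alert, and the token's planted_on field names the endpoint that was looted."""
    alerts: List[Alert] = []
    for line in records:
        fields = parse_auth_record(line)
        token = service.lookup(fields.get("pass", ""))
        if token is None:
            continue  # real password or a guess: not a honeytoken event
        alerts.append(Alert(token.planted_on, fields.get("src", "?"),
                            fields.get("user", "?"), fields.get("ts", "?")))
    return alerts


def demo() -> List[Alert]:
    """Plant two tokens, then scan a constructed feed in which only the last
    record reuses a planted decoy password."""
    svc = HoneytokenService("CORP")
    t1 = svc.issue("WKS-ACCOUNTING-07")
    t2 = svc.issue("WKS-HR-12")
    feed = [  # constructed sniffer output, not real traffic
        "ts=2016-03-07T09:12:01Z src=10.0.5.21 user=CORP\\jsmith pass=NotADecoy1!",
        "ts=2016-03-07T09:14:40Z src=10.0.9.3 user=" + t2.username + " pass=wrong-guess",
        "ts=2016-03-07T09:15:02Z src=10.0.9.3 user=" + t1.username + " pass=" + t1.password,
    ]
    return scan(svc, feed)
```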
A security research firm announced Sunday its discovery of what is believed to be the world's first ransomware that specifically goes after OS X machines. "This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom," Ryan Olson, of Palo Alto Networks, told Reuters. The KeRanger malware, which imposes a 72-hour lockout window unless the victim pays 1 bitcoin ($410 as of this writing), appears to have been first discovered via a rogue version of Transmission, a popular BitTorrent client. For some time now, ransomware has primarily targeted Windows machines—threatening total data destruction if the ransom isn't paid. Recently, even a Los Angeles hospital was infected, which resulted in the payment of a $17,000 ransom.
In June 2015, the FBI said it had been contacted by 992 victims of CryptoWall, a similar ransomware scheme, who have sustained combined losses totaling over $18 million. On Saturday evening, some Transmission users noticed the strange activity on a discussion board—users concluded that the 2.90 version of Transmission was infected with the ransomware.
It appears that somehow the Transmission website may have been compromised as it was served via HTTP rather than the primary HTTPS Transmission website. Soon after, Transmission posted this message on its website: "Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file." In a technical analysis, Palo Alto Network’s Claud Xiao and Jin Chen wrote: The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection.
If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network.

The malware then begins encrypting certain types of document and data files on the system.

After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files.

Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data. Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4.

Apple has since revoked the abused certificate and updated XProtect antivirus signatures, and the Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems. Apple did not immediately respond to Ars' request for comment. Palo Alto Networks also added: Users who have directly downloaded the Transmission installer from the official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may have been infected by KeRanger.
If the Transmission installer was downloaded earlier or downloaded from any third-party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now. This story is developing. Please check back for updates.
Under-fire web biz finds reverse gear after outcry from Fire and Kindle owners

Amazon has U-turned on its decision to remove filesystem encryption from Fire OS, which powers its Fire and Kindle slabs. We've been told that a version due out within the next month or two will return support for encrypting documents stored on the devices.

This decision to restore the feature comes just days after it emerged that Amazon had axed the encryption from the latest build of its tablet operating system: Fire OS 5. Removing the crypto sparked outcry from furious Fire and Kindle owners as well as the wider tech world.

Amazon appears to have taken notice. "We will return the option for full disk encryption with a Fire OS update coming this spring,” a spokesman for the web bazaar told El Reg on Saturday. The decision to remove the encryption was at odds with Amazon's public support [PDF] for Apple in the iPhone giant's battle with the FBI.

Apple refused to comply with an order to help unlock a killer's encrypted smartphone, and has rallied the tech industry to back it against the Feds. Amazon's decision to axe the encryption feature from Fire OS 5 was made well before the Apple-FBI legal case blew up last month.

Amazon thought disk encryption wasn't being used by enough people to continue support for it.
Soon it will let people switch the mechanism back on – and, I guess, in a way, we have the FBI to thank for that.
Company releases new advanced threat protection services, a new "security sandbox" product, and upgraded storage and disaster-recovery packages.

SAN FRANCISCO -- Dell, much more well known for PCs, storage and servers than for its security acumen, made a lot of news this past week in the data protection category.

Item 1: The Round Rock, Texas-based corporation's SecureWorks subsidiary on March 3 launched a cloud-based service that identifies threats while they are happening by identifying malicious behavior, enabling it to become aware of attacks that may otherwise go undetected because they involve little or no malware code. Dell's Advanced Endpoint Threat Detection Red Cloak is available now as a fully managed software-as-a-service platform.
It links to endpoint monitoring capabilities and lightweight sensors in the user's data center in order to scan and analyze for activity that could indicate a network breach.The service is powered by real-time threat intelligence provided by the Dell SecureWorks Counter Threat Unit (CTU).

The system is already protecting more than 4,100 Dell clients in 61 countries, the company said. Within the unit, the company's Cyber Threat Analysis Center can provide electronic notification within 15 minutes of determining that activity constitutes a security incident, Dell said.

Targeted and/or high-impact events are then forwarded to the Senior Intrusion Analyst Team, which guarantees a response within 24 hours.

New Data-Protection Packages Released

Item 2: On the storage security side, Dell unveiled a series of new data-protection packages to help organizations better protect frontline business systems, applications, and data, either on premises or in the cloud. These offerings include Dell Data Protection/Rapid Recovery, three new data deduplication appliance models, a free edition of the new Dell Data Protection/Endpoint Recovery, and Dell's Data Protection/NetVault Backup 11. Dell Data Protection/Rapid Recovery integrates proven and familiar features of AppAssure and other Dell securityware to help eliminate downtime for customer environments.

Customers can attain ZeroImpact recovery of systems, applications and data across physical, virtual and cloud environments, the company said.Another new feature, Rapid Snap for Applications, takes snapshots of entire physical or virtual environments up to every five minutes.

This gives users immediate access to data in the event of an incident and the power to restore in real time as if nothing ever happened. In addition, Rapid Snap for Virtual technology offers agentless protection of VMware VMs, Dell said.

Capture, Dell's New 'Sandbox' Security Service

Item 3: Patrick Sweeney, Vice-President of Marketing and Product Management for Dell Security, told eWEEK at the RSA Conference here about SonicWall's new Capture service, a sandboxing technology -- in the same space as FireEye, Lastline and others -- that has "differentiatable attributes to it."

"It's managed and controlled by the next-generation firewalls, and we see packets coming in; we identify everything we know to be good, everything we know to be bad, and also what we determine to be unknown," Sweeney said. "It could be zero-day, could be something benign, or whatever. We direct it to our cloud infrastructure, where we process it through in a key differentiation: three engines in parallel."

"Everybody knows that no one security engine is going to find every threat," Sweeney said. So, in addition to the SonicWall Capture and Lastline engines (Dell is part owner of Lastline, a strong emulation engine that enables users to detect advanced malware in networks), data packets in Capture are also fed into VMRay, a third-generation malware analysis technology that detects and protects systems from APTs (advanced persistent threats), targeted attacks, and 64-bit kernel rootkits, he said.

VMRay was announced this week at the RSA conference as Dell's newest security partner. All the products noted in this article are available now.

But its role in the attack remains unclear

Fresh research has shed new light on the devious and unprecedented cyber-attack against Ukraine's power grid in December 2015. A former intelligence analyst has warned that launching similar attacks is within the capabilities of criminals, or perhaps even hacktivist groups, since most of the key components are readily available online.

Zach Flom, an intelligence analyst at threat intelligence firm Recorded Future and a former US DoD computer network defense analyst, has published a study on the BlackEnergy malware, noting a spike in activity prior to the Ukraine attack that left more than 200,000 people temporarily without power on December 23.

"In 2014, shortly after being picked up by APT [advanced persistent threat] groups and becoming more modular, we see a large spike in references to the malware and its increasing usage in European countries, namely Ukraine," Flom notes.

"Whether or not the attack was nation state-sponsored, the source code for most of the components that were used is available for purchase and download on the open Web," Flom writes. "It's no longer far-fetched that a similar attack could be conducted by non-nation state-sponsored groups for criminal purposes."

BlackEnergy has evolved from a "relatively simple" distributed denial-of-service attack tool of early 2007 to a highly capable blob of malware over the last eight years, according to Flom.

The warning of potential future misuse of BlackEnergy comes days after a US government report concluded that the December 2015 power outage in Ukraine – which affected 225,000 customers – was caused by outside attackers. Representatives of the US Department of Homeland Security (DHS), Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and other US government agencies traveled to Ukraine to collaborate and gain more insight into the attack.

The Ukrainian government and the three impacted power utilities (named elsewhere as Prykarpattya, Oblenergo and Kyivoblenergo) collaborated with the investigation, which concluded that the assault involved a great deal of coordination and planning, culminating with an attempt to destroy evidence on field devices using wiper malware. The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks.

According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities.

During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections.

The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access. All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack.

The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. The whole incident has generated a great deal of interest because it's reckoned to represent the first time that hackers have successfully attacked a power grid.

For context, it's worth pointing out that outages caused by squirrels chewing through electricity cables and the like are commonplace.

A growing number of experts have come to regard the Ukraine energy utility attacks as the most significant malware-based hack attack since Stuxnet hobbled Iranian nuclear centrifuges back in 2010. BlackEnergy malware was discovered on the affected companies' computer networks; however, it is important to note that ICS-CERT investigators reckon the precise role of the potent cyber-pathogen in the attack remains as yet unclear. Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks.

The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments.
It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated.
It is important to underscore that any remote-access Trojan could have been used, and none of BlackEnergy's specific capabilities were reportedly leveraged. A mining company and a large railway operator in Ukraine were also hit by BlackEnergy, so the run of attacks was far from limited to the power distribution sector.

The possible motivations of the hackers range from an attempt to disable Ukraine economically to a test of the power of their malware against real-life targets. Russia is the obvious prime suspect in this malfeasance, and this is supported by plenty of circumstantial evidence, although nothing incontrovertible and certainly no smoking gun.

Security researchers at the SANS Institute have put together a reaction to the ICS-CERT report ahead of their own forthcoming study, which will focus on how to defend against similar attacks on industrial control systems in future. Industrial control system security expert Robert M Lee argues that ICS-CERT unnecessarily hedged its bets over whether BlackEnergy was a central vector of the attack.

"ICS-CERT is very shy in stating that BlackEnergy3 was involved in the incident," Lee writes. "I understand their hesitation, but the use of BlackEnergy3 to harvest credentials in the impacted organizations was very clear from publicly available sources. The malware, however, was not responsible for the outage. It just enabled the attackers, as the SANS team and others in the community have said all along," he added. ®

'We will not make ransom payments in such circumstances'

North Dorset District Council is working with police to identify the source of a ransomware attack this week, the latest incident in what security experts believe to be a growing problem for local authorities.

According to an email seen by The Register, the attack had infected 6,000 files on the council's servers by Tuesday. However, the council said yesterday evening the problem had been fixed.

Councillor Graham Carr-Jones, deputy leader of North Dorset District Council, said: "The 'ransomware' attack was quickly detected by our security systems and action was taken to minimise the impact on our systems. No customer data was compromised.

"The council has not made, and will not make ransom payments in such circumstances. We are currently working with other public sector agencies, including the police, to identify the source."

It follows an attack on Lincolnshire County Council last month, leading it to turn off all of its networks' computers. The council eventually got its IT back up and running after attackers demanded a £350 Bitcoin payment.

Mark James, security specialist at ESET, said that many public sector bodies are sitting targets for attackers due to the nature of the data they hold and the cost constraints of upgrading all their systems. "We hear about healthcare a lot, which is particularly serious because if those systems go offline we're not just talking about malicious software, but people's lives," said James. He added that with more sophisticated encryption, targets have little choice but to restore their systems from a backup or pay the ransom.

Eddy Willems, security specialist at G-Data, said attackers were deliberately targeting organisations which appear more likely to pay the ransom to get back online. "Some of these organisations do not have the latest backup [systems] installed," he said. "We are seeing an increase in the amount of ransomware compared with previously – there has been an evolution in what's available and it will become an even bigger problem in the next year," he added.

Willems concluded that the ransomware problem is not that difficult to stop, providing organisations have the correct security measures in place. ®

Spare us your files, guv?

Microsoft is asking its certificate authority (CA) affiliates to send it their own copies of audit data after an MS system crash resulted in the loss of audit data for about 147 roots.

The incident had the knock-on effect of generating query emails to scores of affected (temporarily disavowed) CAs. Redmond is taking its first steps towards getting on top of the situation by letting CAs know the score, in a message to the cabforum.org security forum on Wednesday, requesting help in putting matters right:

"As many of you may have just noticed, our system just generated a bunch of emails informing many of you that you are subject to removal because Microsoft does not have evidence of a qualifying audit on file. This is likely an error on our side, but we need your help. Our CRM system suffered a data loss, and it looks like it rolled back to an old backup. As a result, we lost audit data for about 147 roots. If you received a message, please don't panic. Instead, please just send Microsoft your most-recent audit data, and we will update our records. Sorry for the confusion."

As part of Microsoft's Trusted Root program's compliance requirements, Certificate Authorities must provide a courtesy copy of their audit data to the company annually. We're reliably informed that Microsoft stores these internally in a standalone tool.

An error occurred with the tool, so Microsoft contacted some CAs and requested they resubmit a copy of their latest audit data, sources confirm. Microsoft is a player in backup and the cloud, through Microsoft Azure.

Asking third parties for data on themselves in the wake of a back-up bungle is not the biggest disaster in the world, but it doesn't look good either. Redmond would certainly be well advised to review its disaster recovery plan in the wake of the snafu. ®