Microsoft bringing EMET back as a built-in part of Windows 10

June 27, 2017 – 4:37 PM

The Windows 10 Fall Creators Update will include EMET-like capabilities managed through a new feature called Windows Defender Exploit Guard.

Microsoft’s EMET, the Enhanced Mitigation Experience Toolkit, was a useful tool for hardening Windows systems. It used a range of techniques—some built in to Windows, some part of EMET itself—to make exploitable security flaws harder to exploit reliably. The idea is that even when coding bugs occur, turning those bugs into actual security issues should be made as difficult as possible.

With Windows 10, however, EMET’s development was essentially cancelled. Although Microsoft made sure the program ran on Windows 10, the company said that EMET was superfluous on its latest operating system. Some protections formerly provided by EMET had been built into the core operating system itself, and Windows 10 offered additional protections far beyond the scope of what EMET could do.

But as more mitigation capabilities have been put into Windows, the need for a system for managing and controlling them has not gone away. Some of the mitigations introduce application compatibility issues—a few even require applications to be deliberately written with the mitigation in mind—which means that Windows does not simply turn on every mitigation for every application. It’s here that Exploit Guard comes in.

Exploit Guard will be able to control the operating system-wide mitigation capabilities, as well as more individual, tailored protections. For example, with Exploit Guard, certain kinds of macros in Office documents can be blocked, and access to websites known to host lots of malware can be prevented.

Source:
https://arstechnica.com/information-technology/2017/06/microsoft-bringing-emet-back-as-a-built-in-part-of-windows-10/

Linux Systems in the Hackers’ Cross Hairs

June 27, 2017 – 4:02 PM

Security experts have warned IT teams to improve protection for Linux servers and IoT devices after observing an increase in threats targeting these systems.

WatchGuard Technologies’ latest quarterly Internet Security Report is based on analysis of over 26,500 active UTM (unified threat management) appliances around the world.

It revealed that overall malware detection dropped by 52% from Q4 2016 to the first three months of this year as seasonal campaigns ceased.

However, despite that fall in detected malware volumes, Linux malware comprised more than a third (36%) of the top threats observed by WatchGuard during the period.

Among the top 10 threats detected by the firm were “Linux/Exploit”, “Linux/Downloader” and “Linux/Flooder”, the latter related to generic DDoS tools.

“Linux/Exploit” is a generic detection rule used by WatchGuard to catch Linux trojans that typically infect a device and then scan nearby networks for other hosts running Telnet or SSH services, attempting to log in with default credentials or by brute force. This was the MO of the infamous Mirai malware.
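As an added, defender-side illustration (not from the WatchGuard report or the article): a small Python check that looks for the pattern described above, many failed SSH logins from one source followed by a successful password login, in sshd log lines. The log lines and the list of commonly guessed account names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt (not real data) modelling a scan-and-brute-force
# source (198.51.100.23) next to an ordinary user logging in with a key.
SAMPLE_AUTH_LOG = """\
Jun 27 04:01:11 iot-gw sshd[2101]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jun 27 04:01:12 iot-gw sshd[2101]: Failed password for root from 198.51.100.23 port 40124 ssh2
Jun 27 04:01:13 iot-gw sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2
Jun 27 04:01:14 iot-gw sshd[2104]: Failed password for invalid user pi from 198.51.100.23 port 40131 ssh2
Jun 27 04:01:15 iot-gw sshd[2105]: Accepted password for root from 198.51.100.23 port 40140 ssh2
Jun 27 04:05:40 iot-gw sshd[2201]: Failed password for alice from 192.0.2.7 port 51000 ssh2
Jun 27 04:05:50 iot-gw sshd[2202]: Accepted publickey for alice from 192.0.2.7 port 51002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")

# Constructed list of account names commonly shipped as defaults on embedded devices.
DEFAULT_ACCOUNTS = {"root", "admin", "pi", "user", "guest", "support"}


def analyse_auth_log(text, threshold=3):
    """Return, per source address with >= threshold failures, how many logins
    failed, which usernames were tried, which of those look like default
    accounts, and whether a *password* login then succeeded from that source."""
    failures = defaultdict(list)        # source address -> usernames that failed
    accepted_after = defaultdict(list)  # source address -> (auth method, user)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)].append(m.group(1))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            if len(failures[src]) >= threshold:  # success only counts after a burst of failures
                accepted_after[src].append((method, user))
    findings = {}
    for src, users in failures.items():
        if len(users) >= threshold:
            findings[src] = {
                "failures": len(users),
                "users": sorted(set(users)),
                "default_account_guesses": sorted(set(users) & DEFAULT_ACCOUNTS),
                "compromise_suspected": any(m == "password" for m, _ in accepted_after[src]),
            }
    return findings


if __name__ == "__main__":
    for src, info in analyse_auth_log(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

On a real host the same function can be fed the contents of /var/log/auth.log or the output of journalctl -u ssh; a source that reaches the threshold and then logs in with a password is the case worth triaging first.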

Jonathon Whitley, director at WatchGuard Technologies, argued that IoT devices are not designed with security in mind and frequently run on unsupported legacy operating systems.

“Consequently it is essential that they are protected by robust IPS and AV to ensure any vulnerabilities are addressed before the IoT device is accessed,” he told Infosecurity.

“We recommend that these devices be protected with strong firewall policies ensuring that access privileges are only granted where essential. Access can be further controlled by enabling application control, which will allow users to, for example, stop any access via a TOR Network, a common tool used by hackers. Visibility of traffic is critical to allow users to view who and how these devices have been accessed, allowing you to shape and tighten your policies.”

Source:
https://www.infosecurity-magazine.com/news/linux-systems-in-the-cross-hairs/

‘Petya’ Ransomware Outbreak Goes Global

June 27, 2017 – 4:00 PM

A new strain of ransomware dubbed “Petya” is worming its way around the world with alarming speed. The malware is spreading using a vulnerability in Microsoft Windows that the software giant patched in March 2017 — the same bug that was exploited by the recent and prolific WannaCry ransomware strain.

According to multiple news reports, Ukraine appears to be among the hardest hit by Petya. The country’s government, national bank and largest power companies all warned today that they were dealing with fallout from Petya infections.

Danish transport and energy firm Maersk said in a statement on its Web site that “We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack.” In addition, Russian energy giant Rosneft said on Twitter that it was facing a “powerful hacker attack.” However, neither company referenced ransomware or Petya.

Security firm Symantec confirmed that Petya uses the “Eternal Blue” exploit, a digital weapon that was believed to have been developed by the U.S. National Security Agency and in April 2017 leaked online by a hacker group calling itself the Shadow Brokers.

Source:
https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/

Google Will Stop Reading Your Email to Target Ads

June 23, 2017 – 6:16 PM

One of Google’s most controversial practices over the years has been the automated scanning of email contents. Google used that data to target ads inside Gmail, which it places at the top of the list in your social and promotions tabs. Google now says it will end the practice of targeting ads based on email text, but the decision was not made by the Gmail or advertising teams. It comes from Google’s cloud unit, which is responsible for selling G Suite business subscriptions.

G Suite, or Apps for Work as it used to be known, costs $5 or $10 per month for each user, but larger customers can contact Google for enterprise pricing. G Suite includes additional storage beyond the free 15GB that everyone gets, more security tools, and support for the usual list of Google cloud services like Gmail and Drive.

It’s interesting that Google Cloud was able to effect a change in the way Gmail ads are handled. Diane Greene, Google’s SVP of cloud, says this change was made to offer a more consistent experience across paid and free versions of Gmail. G Suite has doubled its paying users in the last year, so Google seems happy to let Greene make some big calls.

While the free version of Gmail has done automated email scanning for advertising purposes since its inception, that has never been the case in G Suite. If you pay Google for Gmail and other tools, you don’t get those ads in the first place. This change is supposed to put everyone’s mind at ease, even business customers that aren’t affected.

Source:
https://www.extremetech.com/g00/internet/251481-google-will-stop-reading-email-target-ads

Advanced CIA firmware has been infecting Wi-Fi routers for years

June 15, 2017 – 6:27 PM

Home routers from 10 manufacturers, including Linksys, D-Link, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That’s according to secret documents posted Thursday by WikiLeaks.

CherryBlossom, as the implant is code-named, can be especially effective against targets using some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even when they use a strong administrative password. An exploit code-named Tomato can extract their passwords as long as a default feature known as Universal Plug and Play (UPnP) remains on. Routers that are protected by a default or easily guessed administrative password are, of course, trivial to infect. In all, the documents say CherryBlossom runs on 25 router models, although it’s likely modifications would allow the implant to run on at least 100 more.

The 175-page CherryBlossom user guide describes a Linux-based operating system that can run on a broad range of routers. Once installed, CherryBlossom turns the device into a “FlyTrap” that beacons to a CIA-controlled server known as a “CherryTree.” The beacon includes device status and security information, which the CherryTree logs to a database. In response, the CherryTree sends the infected device a “Mission” consisting of specific tasks tailored to the target. CIA operators can use a “CherryWeb” browser-based user interface to view FlyTrap status and security information, plan new missions, view mission-related data, and perform system administration tasks.

Missions can target connected users based on IPs, e-mail addresses, MAC addresses, chat user names, and VoIP numbers. Mission tasks can include copying all or only some of the traffic; copying e-mail addresses, chat user names, and VoIP numbers; invoking a feature known as “Windex,” which redirects a user’s browser to a page that attempts to perform a drive-by malware attack; establishing a virtual private network connection that gives access to the local area network; and proxying all network connections.

Source:
https://arstechnica.com/security/2017/06/advanced-cia-firmware-turns-home-routers-into-covert-listening-posts/