Japan to Train Thousands on Cyber-Security Ahead of 2020 Olympics

The Japanese Government is set to spend approximately 20 billion yen to form and train a cyber security staff dedicated to tackling the 2020 Olympics:

According to local newspaper Nikkei, Japan’s Ministry of Internal Affairs and Communications has put forward a set of cyber-security proposals in relation to the Games, and intends to request around 20 billion yen (£103 million) in government funding over the four years, starting from fiscal 2016.

This funding will go towards training for local authorities, schools, SMEs and enterprises, with the ministry also overseeing drills to prepare for attacks linked to the Games, such as websites being hacked and ticket sale scams. There are also reportedly plans for red teaming exercises.

The ministry, which did not respond to our request for comment, aims to create industry-wide forums so companies can share best practices and other knowledge in the realm of cyber-security in the run-up to the Olympics.

One security expert, who played a key and senior role in securing the 2012 London Olympics, told SCMagazineUK.com that the Games are probably being used ‘as a vehicle’ to reduce the much-publicised information security skills gap.

The Nikkei report cites one study which claims that 160,000 of the 265,000 infosec personnel in the country lack the skills needed for the job.

“My reading of this is that it must be broader than just the Olympics,” said the expert, speaking anonymously and citing ambitions to reduce the skills-gap in particular.

The Japanese government needs to spend money to train people, as the country is sorely lacking in cyber security skills.

OPM Is “Incrementally” Restarting Its Security Clearance Management System E-QIP

After being hit with the largest breach in US government history, OPM is “incrementally” restarting its security clearance management system e-QIP (emphasis added):

Shut down in late June for “security enhancements,” the Office of Personnel Management’s e-QIP system was back online, OPM spokesman Sam Schumach said in a statement.

He said, however, that the system would only “incrementally” be re-opened to users so as to “resume this service in an efficient and orderly way.”

OPM was sorely criticized after it reported in April and May that computer breaches had compromised job and security clearance personal data related to more than 22 million people. The e-QIP system was shut down two weeks ago as a precaution.

Bringing e-QIP back up incrementally means that, at first, only clearance applicants who had already started submitting data to the system for their clearance applications would be invited to start using it again.

New applicants would be unable to use the system for an unspecified time period, an official said.

OPM’s statement said that it had turned off e-QIP “proactively” and that there was no evidence that a “vulnerability” discovered in the system had been “exploited” by hackers.

FISMA Reform Act Strengthens DHS Cyber Security Mission Capabilities for the .gov Domain

As a result of the recent major OPM breach which saw the compromise of data on over 20 million Americans, Congress has bipartisan support for the FISMA Reform Act, strengthening DHS cyber security mission capabilities for the .gov domain (emphasis added):

Introduced on Wednesday, the FISMA Reform Act provides an update to the 12-year-old FISMA and would give the DHS increased authority over other agencies’ networks on the .gov domain. As it stands, the DHS needs permission to come in and investigate or monitor networks, the Hill reports.

The new measure would provide DHS with legal authority to deploy tools that search for security breaches in real-time without a formal request to an agency. It would also enable DHS to conduct risk assessments of any other agency’s system and take action to secure vulnerable systems.

Earlier this year, the US Office of Management and Budget released a report that found although US government agencies spent $12.7 billion on cybersecurity in fiscal 2014 the government still faced nearly 70,000 cybersecurity events in total across departments.

Sen. Mark Warner, the lead Democrat on the bill, said that the voluntary nature of the system has “resulted in an inconsistent patchwork of security across the whole federal government.”

In a time when cybersecurity threats are changing rapidly, the federal government has been criticized for outdated programs and responding too slowly to serious data breaches, such as the OPM breach that compromised personal data belonging to 22 million people.

Five Reasons Intel Should Spin Off McAfee According to Out-of-Touch Analyst

I am not sure if this is mere clickbait or if Richard Stiennon actually believes what he wrote, but apparently he is under the impression that Intel should spin off McAfee just as they are in the midst of finally integrating the two companies. He even offers up five reasons why he feels this would be a smart move:

Here are five good reasons for Intel to reverse the blunder of 2010.

1. Symantec is coming back. Symantec too has made its mistakes. Up until Intel acquired McAfee, Symantec held the record for blunders. It acquired a data center behemoth, Veritas for $14 billion in 2004. Only recently has Symantec decided to reverse that decision.

During the last four years Symantec has been a tad rudderless. It is too bad McAfee was no longer in a position to gain market share. That opportunity was left to the other vendors in the space, Sophos, Eset, and Trend Micro, to name three. On top of that a slew of endpoint security vendors have cropped up to address the failings of traditional signature based AV. Cylance, Bit9/CarbonBlack, CounterTack (which just announced the acquisition of Mantech’s Cyber Security products, the remnants of HBGary). Even FireEye, (the company Dave Dewalt went on to lead to an IPO after handing off McAfee to Intel) has made an endpoint security play with the acquisition of Mandiant.

One of the reasons I would attribute to McAfee having only flat revenue (as opposed to plummeting) since the acquisition is that its largest competitor, Symantec, has been stalled out itself. That is about to change. After Symantec finally spins off Veritas it is coming back with a vengeance.

Seriously, Symantec is making a comeback? In what universe?

2. Brand confusion. Branding is important in the security space and Intel is attempting to re-brand McAfee to “Intel Security.” It’s a great name but does nothing for the $55 billion a year Intel brand and confuses buyers of McAfee products. Regardless of the Intel acquisition, McAfee was headed towards a branding train wreck as the weirdest character in an industry known for its oddballs, John McAfee, came out of hiding from an experimental drug retreat in Belize to make a come back, first with a truly strange YouTube video, and now on the lecture circuit. This is a golden opportunity to spin off McAfee with a clean name.

Because, you know, Intel Security is not a clean name, right?

Read the rest of the article for what seems to be a humorous look into the mind of someone who is out of touch.

Hacking Team Has Likely Created the Most Sophisticated Piece of Android Malware Ever Exposed

It seems like every morning brings fresh news about capabilities Hacking Team was leveraging in their exploit and vulnerability arsenal. Today we learn that Hacking Team has likely created the most sophisticated piece of Android malware ever exposed:

After having revealed one of the ways that the company used to deliver its spyware on Android devices (fake app hosted on Google Play), Trend Micro researchers have analyzed the code of the actual spyware: RCS Android (Remote Control System Android).

Unsurprisingly, it can do so many things and spy on so many levels that they consider it the most sophisticated Android malware ever exposed.

The spyware is delivered either via the aforementioned app, or via an SMS or email that contains a specially crafted URL that will trigger exploits for several vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean.

This will allow the attacker to gain root privilege, and allow the installation of a shell backdoor and RCS Android.

The RCS Android has two core modules: the Evidence Collector and the Event Action Trigger.

The former is responsible for the spying routines: gathering device information, capturing screenshots and photos, recording speech by using the devices’ microphone, capturing voice calls, recording location, capturing Wi-Fi and online account passwords, collecting contacts and decoding messages from IM accounts, as well as collecting SMS, MMS, and Gmail messages.

The latter is in charge of triggering malicious actions based on certain events (e.g. screen turning on, or SMS received with keywords). It can sync configuration data, upgrade modules, and download new payloads; upload the above mentioned collected data to the C&C server, and purge it from the device; execute shell commands; disable the network, root access; reset the device’s locking password; uninstall the bot.

“To avoid detection and removal of the agent app in the device memory, the RCSAndroid suite also detects emulators or sandboxes, obfuscates code using DexGuard, uses ELF string obfuscator, and adjusts the OOM (out-of-memory) value,” the researchers shared.

“Interestingly, one unused feature of the app is its ability to manipulate data in the Android package manager to add and remove permissions and components as well as hide the app icon.”

Considering that Hacking Team is not the most sophisticated group around, even though they have some very advanced tools in their arsenal, imagine all the malware out there in the wild we do not yet know about, and how complex it may be.

You don’t know what you don’t know seems somehow apropos.

Just What the World Needs: New Strain of the Bartalex Malware Drops Pony Loader Malware and the Dyre Banking Trojan

Because there is not enough complex and dangerous malware out there already, we now have a new strain of the Bartalex malware dropping Pony loader malware and the Dyre banking Trojan to increase the power and sophistication of an attack:

Primarily spread through spam, the first iterations of Bartalex were observed in late March embedded in Microsoft Word and Excel macros.

Macros have been a popular infection method for a decade-plus but as is often the case in malware, everything old eventually becomes new again. The attack vector never really went away but Word documents booby-trapped with macro malware have been enjoying a comeback of sorts as of late. Microsoft’s Malware Protection Center even sounded the alarm over an increasing number of threats using macros in January.

Brad Duncan, a security researcher at Rackspace and handler at the SANS Internet Storm Center spotted Bartalex propagating through a rigged Word document on Tuesday.

The Word document purports to come from the payroll service ADP and pertain to a rejected Automated Clearing House (ACH) payment. As Duncan notes, a quick look at the email’s header however indicates the email did not come from ADP and if a user were to open the file, assuming they have macros enabled in Microsoft Word, they’d execute any associated macros.

Current State of Critical Infrastructure Cyber Security in the United States in 2015

The annual Aspen Security Forum is taking place this week in Aspen, CO, and has discussed the current state of critical infrastructure cyber security in the United States (emphasis added):

More than 70 percent think the threat to their organizations is escalating. Almost 9 out of 10 experienced at least one attack in the last three years that caused some damage, disruption, or data loss, with a median of close to 20 attacks per year. Forty-eight percent believe it likely to extremely likely that a critical infrastructure cyber-attack will result in human fatalities in the next three years.

While they continue to look at further investment in various security areas, the vast majority think that greater cooperation and public-private partnerships with national and international agencies are important to keep pace with the escalating threat landscape.

What form would these joint activities take? Well, the top rated suggestions were joining a national or international defense council to share threat intelligence and defense strategies, taking coordinated direction on cyber defense, or even national legislation that requires cooperation with government agencies. The majority of respondents felt that their own government as well as international agencies could be valuable and respectful partners in cybersecurity, and many were open to sharing network visibility if it was deemed vital to national or global cyber defense.

However, one caution was that more than three-quarters of the security professionals supported the use of national defense forces to retaliate in response to a fatal critical infrastructure attack within the country. Given that only a third think that nation-state security services are behind the serious attacks on their organization, identifying a target for retaliation is problematic. Even if a nation-state is responsible, how do you conclusively determine the source of the attack, when it is using code borrowed or bought from organized crime in one country and servers spread across 5 other countries?

Recent Jeep Hack Highlights How Utterly Dangerous the DMCA’s Anti-Circumvention Clause Is to Security Research

The Electronic Frontier Foundation waxes on why the recent Jeep hack highlights how utterly dangerous the DMCA’s anti-circumvention clause is to security research:

One major reason that serious vulnerabilities have gone undisclosed and unfixed is that laws like Section 1201 of the Digital Millennium Copyright Act chill independent security research. That’s why we filed for an exemption to Section 1201 that would specifically protect security and safety research on vehicle software from DMCA liability. The automakers showed up in force to oppose it (including the “Auto Alliance” trade group, of which Fiat Chrysler is a member), arguing that there was no need for independent security research and that they had the legal right to shut it down – even when researchers only look at code on vehicles they own. We think Miller, Valasek, and other researchers have amply shown the need for independent vehicle security research.

We also asked for a second DMCA exemption for vehicle software, one that would allow competition in the vehicle software space (as well as repairs and customization). If that exemption is granted, an alternative software provider could enter the market to secure your vehicle and you might decide you have more faith in them than in the original manufacturer (or they might offer better functionality, or they might protect your privacy against invasive data collection by auto manufacturers). We would at least see the possibility of competition leading to better practices and spurring innovation among manufacturers.

Security Researchers Hack a Jeep From Ten Miles Away

Two security researchers performed a proof-of-concept hack on a Jeep, remotely controlling it while it was in motion on a highway, proving they could control its dashboard, steering, braking, and transmission (emphasis added):

Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country. “From an attacker’s perspective, it’s a super nice vulnerability,” Miller says.

From that entry point, Miller and Valasek’s attack pivots to an adjacent chip in the car’s head unit—the hardware for its entertainment system—silently rewriting the chip’s firmware to plant their code. That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels. Miller and Valasek say the attack on the entertainment system seems to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015. They’ve only tested their full set of physical hacks, including ones targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit. They have yet to try remotely hacking into other makes and models of cars.

Imagine how it must feel to suddenly lose complete control over your vehicle while it is traveling at over 60 mph on a highway. Reading about it is scary enough, but living through it must be far more terrifying.

There is a delicate balance between convenience and security. To do things correctly, security needs to be baked in from the beginning rather than duct taped on after the fact. Sounds like Chrysler opted for the latter route.

German Researcher Identifies Dangerous Local Privilege Escalation Vulnerability in Mac OS X

Generally speaking, Mac OS X is a much safer operating system compared to Microsoft Windows, but that does not mean it is completely immune to vulnerabilities. German researcher Stefan Esser has identified a dangerous local privilege escalation vulnerability in Mac OS X (emphasis added):

“Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x,” Esser added.

Esser has published technical details on the vulnerability and explained how it can be exploited for full privilege escalation. He has also released a proof-of-concept (PoC) exploit that provides a local root shell.

While Esser decided to take the full disclosure approach and not notify Apple before making his findings public, it appears this vulnerability was reported to the company months ago by the South Korean researcher known as “beist.”

However, Apple only fixed the flaw in the beta versions of OS X El Capitan 10.11, and not in the current OS X 10.10.4 or the beta version of OS X 10.10.5. OS X 10.11 is expected to be released in late September or early October.

Esser has pointed out that the local privilege escalation vulnerability also affects jailbroken iPhones running iOS 8.x.
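The mechanism Esser describes, a log file opened by a privileged process and never closed, so that its descriptor is inherited by every child the process spawns, is a general Unix property rather than anything OS X specific: a descriptor survives exec() unless it carries the FD_CLOEXEC flag. The C program below is an added example written for this digest; it is not Esser's PoC, not Apple's code, and does not reproduce the OS X bug. It uses /dev/null as a stand-in for the privileged log file and shows both defensive fixes a privileged program should apply: open with O_CLOEXEC so the flag is set atomically, or scrub every descriptor above stderr before spawning anything. The helper names (`open_log_leaky`, `open_log_safe`, `scrub_fds_before_exec`, `fd_visible_in_child`) are this example's own.

```c
/* Added example (not from the article or Esser's PoC): a descriptor opened
 * without FD_CLOEXEC leaks into exec'd children; O_CLOEXEC or a pre-exec
 * scrub closes the hole. /dev/null stands in for the privileged log file. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd is close-on-exec, 0 if it would leak into an exec'd child,
 * -1 if fd is not an open descriptor. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The defective pattern: open the log with no close-on-exec flag and keep
 * it open, so every child the (privileged) process spawns inherits it. */
int open_log_leaky(const char *path) {
    return open(path, O_WRONLY | O_APPEND);
}

/* Fix 1: request close-on-exec atomically at open() time. */
int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_APPEND | O_CLOEXEC);
}

/* Fix 2: before exec'ing anything, mark every descriptor above keep_upto
 * as close-on-exec. Returns the number of descriptors changed, -1 on error. */
int scrub_fds_before_exec(int keep_upto) {
    long max_fd = sysconf(_SC_OPEN_MAX);
    if (max_fd < 0) max_fd = 1024;          /* fallback value (assumption) */
    int changed = 0;
    for (int fd = keep_upto + 1; fd < max_fd; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) continue;          /* not open */
        if (flags & FD_CLOEXEC) continue;   /* already safe */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) return -1;
        changed++;
    }
    return changed;
}

/* Spawn /bin/sh and have it try to write through the given descriptor
 * number; the redirection succeeds only if the fd was inherited.
 * Returns 1 if the fd leaked into the child, 0 if not, -1 on failure. */
int fd_visible_in_child(int fd) {
    char script[64];
    snprintf(script, sizeof script, ": >&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);                         /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void) {
    int leaky = open_log_leaky("/dev/null");
    int safe = open_log_safe("/dev/null");
    printf("leaky fd %d: cloexec=%d, visible in child=%d\n",
           leaky, fd_is_cloexec(leaky), fd_visible_in_child(leaky));
    printf("safe  fd %d: cloexec=%d, visible in child=%d\n",
           safe, fd_is_cloexec(safe), fd_visible_in_child(safe));
    scrub_fds_before_exec(STDERR_FILENO);
    printf("after scrub, leaky fd visible in child=%d\n",
           fd_visible_in_child(leaky));
    close(leaky);
    close(safe);
    return 0;
}
```

The scrub loop walks the whole descriptor table by number, which is portable but slow on systems with a very high open-file limit; on such systems a production implementation would enumerate only the open descriptors instead. The more important design point is the one the vulnerability illustrates: a SUID or otherwise privileged program cannot rely on children being well-behaved, so the write-capable descriptor must be made non-inheritable before any child exists.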