Wednesday, June 10, 2020

6/10/2020 - Machine Learning to Improve Cyber Security, Have We Learned Nothing From The Terminator and The Matrix?

ZDNet - New CrossTalk attack impacts Intel's mobile, desktop, and server CPUs -

Academics from a university in the Netherlands have published details today about a new vulnerability in Intel processors.

The security bug, which they named CrossTalk, enables attacker-controlled code executing on one CPU core to leak sensitive data from other software running on a different core.

Linux kernel developers are in the midst of applying a trio of patches after a Google engineer reported that defenses implemented to stop speculative execution attacks don't work as intended.

In three posts marked urgent to the Linux kernel mailing list on Tuesday, Anthony Steinhauser points out problems with countermeasures put in place to block Spectre vulnerabilities in modem chips that perform speculative execution.

Billions of Internet of Things and Local Area Network devices that rely on the Universal Plug and Play (UPnP) protocol for discovery of and interaction with other devices are vulnerable to “CallStranger,” a bug that can be exploited to exfiltrate data, launch a denial of service attack or scan ports.

The Windows 10 operating system, the Xbox One gaming console, and various models of printers, modems, televisions and routers are among the many products affected.

Officially designated CVE-2020-12695, the bug is specifically located within UPnP’s SUBSCRIBE capability and is caused by a callback header value that can be controlled by attackers, allowing them to send large quantities of traffic to arbitrary destinations, reported the CERT/CC in a security advisory.

Boris Johnson must provide a legally-binding date to strip Huawei from Britain's 5G network or face a Commons defeat, senior Tory MPs have warned.

Conservatives are pressing for a concrete pledge by the Government within the next two months, while crucial legislation is expected to go through Parliament.

Writing in The Telegraph, Sir Iain Duncan Smith and Bob Seely said: "Parliament is feeling increasingly restless about the UK's dependency on China. More and more legislators are recognising that how we handle this issue hugely affects our constituents."

The flaw allowed GnuTLS servers to use session tickets issued during a previous secure TLS 1.3 session without accessing the function that generates secret keys, gnutls_session_ticket_key_generate(). An attacker capable of exploiting this vulnerability could bypass authentication under TLS 1.3 and could recover previous conversations under TLS 1.2.

The issue, tracked as CVE-2020-1317, affects one of the most basic mechanisms for centrally managing the settings of Windows computers and users in Active Directory environments: Group Policy. More importantly, the flaw is old and exists in all Windows versions for desktops and servers beginning with Windows Server 2008. Microsoft rates it as important and describes it as such:

"An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system."

The company's advisory has no other information aside from that, but according to researchers from CyberArk who discovered the vulnerability, it is quite serious.

One of the bugs that was of particular interest to researchers was CVE-2020-1299, a remote code execution issue that arises when trying to load Windows shortcut (LNK) files. This is the third time this year Microsoft has had to address an RCE bug in such shortcuts.

"An attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file," explained Dustin Childs of the Trend Micro Zero Day Initiative (ZDI).

"These types of files are often put on a USB drive in an attempt to bridge an air-gapped network."

This portal, called Cyber 9-Line, allows participating Guard units from their perspective states to quickly share incidents with Cyber Command. Cyber Command’s elite Cyber National Mission Force, which conducts operations aimed at disrupting specific nation state actors, is then able to provide analysis on the malware and offer feedback to the states to help redress the incident.
The future will see the rise of the cybersecurity specialist who uses data science and machine learning in the way that we have used speadsheets in the past. These specialists will be able to take data sets from logs on systems and from open source data sets, and then make predictions on the data. They will find the correlations and build new threat models. The rise of Splunk, too, seems almost endless, especially as it provides a great interface to machine learning models.
Related - Security Boulevard - Using Machine Learning for Threat Detection -
We all live by rules, some rules are defined strictly and some loosely. There is new research in social psychology about how our world is wired by rule makers & rule breakers¹, including how all of us as people and communities are wired to follow some rules ‘tightly’, and some ‘loosely’. Cybersecurity is eventually about people, and how some break rules (attackers) and others make rules (Cyber Warriors & products). The cybersecurity effort at the very heart of it is a pattern recognition problem, trying to understand patterns of attacks in various ways and classifying them into benign (rule follower), malicious (rule breaker), or potentially requiring more investigation on precise intent. So, what is the role of Machine Learning (ML) in such pattern recognition problems? As we will explore more below, machine learning is a technology built for pattern recognition on a large amount of data, especially patterns that are hard to uncover by writing signatures for, and hence ML plays quite an integral role in solving cybersecurity problems.

Automated analysis tools excel at finding certain types of vulnerabilities — from cross-site scripting flaws to SQL injection and from misconfigured security headers to remote-file inclusion — but humans continue to be necessary to evaluate the severity of such flaws, according to an analysis of 2,500 penetration tests released on June 9.

In its annual "State of Pentesting 2020" report, security-services firm Cobalt.io found that about two-thirds of its penetration testing engagements involved testing either web applications or web-based application programming interfaces (APIs), with misconfigurations topping the list of security threats discovered in 2019, followed by cross-site scripting and authentication issues. Automated security testing continues to be an efficient way to find these issues, especially as 37% of application security practitioners have to deal with weekly or daily release cadences, the report states.

The flaw, tracked as CVE-2020-3960, was reported to VMware by Cfir Cohen, a researcher from Google's cloud security team.

According to VMware, Cohen discovered that ESXi, Workstation and Fusion are affected by an out-of-bounds read vulnerability that can allow an attacker with non-admin access to a virtual machine to read privileged information from memory.

Secure internet connections depend on the server presenting a valid certificate to the client, the most common problem being that the server certificate is out of date, easily fixed by the server admin.

In order to validate the certificate, though, the client must have a trusted root certificate from the issuing authority, and this, says Helme, is a problem for devices that never get updated.

Typically root certificates have a long lifetime, such as 25 years, but nevertheless they do expire; and if one is embedded in a smart TV, fridge or security system, the consequence is that it will stop connecting while giving users little clue about what has gone wrong.

The big question is how often bad actors find such databases. If we listen to the database owners, the impression is 'not often'. Where a database owner acknowledges the issue, the usual comment is, "We have no reason to believe that any third party accessed the data."

Researchers Paul Bischoff and Bob Diachenko from Comparitech have attempted to verify this belief by establishing an Elasticsearch honeypot containing fake user data. "We wanted to find out how fast data can be compromised if left unsecured," they say in a report on the exercise.

Their data was exposed for just eleven days between May 11, 2020 and May 22, 2020. During that period, 175 unauthorized requests were made, beginning less than nine hours after deployment.
(T)he health crisis could end up giving additional public momentum to efforts to rein in the tech industry, despite — or even because of — how vital it has proven during the pandemic.

"I think what we are seeing as a result of the crisis is that more and more people are depending on these platforms, which just highlights how powerful they are," said Charlotte Slaiman, competition policy director at the advocacy group Public Knowledge. "I think people are noticing in more areas of their life, that there are very few legal protections that people and companies have for their interactions with these platforms." 
A new study from MacroPolo — a think tank run by the Paulson Institute, which promotes constructive ties between the United States and China — estimated that Chinese-educated researchers comprised nearly one-third of the authors of the papers accepted and promoted at a prestigious A.I. conference last year, more than from any other country. But it also found that most of them lived in the United States and worked for American companies and universities.
Under the withering microscope of government watchdogs, tech giants including Amazon, Facebook and Google have funded a bevy of political groups that have helped push positive polling and engaged in other fingerprint-free tactics designed to deter regulators who are seeking to break up or penalize the industry. The approach reflects the growing threats they now face from the Justice Department and the country’s top attorneys general, who have been investigating them on antitrust grounds.

 

No comments: