High Assurance Security – Why Should We Care?

Written by Dr Bernard Parsons, CEO, Becrypt

Today, the cyber security requirements of government and the private sector are rapidly converging. On the one hand, traditional methods of cyber defence are failing in corporate environments, given the ever-evolving threat landscape. On the other, governments increasingly need to reduce their reliance on government-bespoke approaches to security in order to deliver the operational benefits, flexibility and cost advantages of emerging technologies – from cloud to mobile and IoT.

High Assurance products and services seek to bridge this gap, allowing organisations to undertake informed risk management, defending against more advanced targeted attacks and the highest-impact risks, while enabling effective use of commercial “off the shelf” technologies.

What is High Assurance?

Definitions vary, but a typical starting point for a High Assurance system is a claim or set of claims that are made about a system’s behaviour, and an argument or evidence that a system will function as described (HAUK definition).

The approach to achieving this may combine formal software verification methods, third-party expert evaluation, and security testing and analysis, depending on the system characteristics and market needs. Formal verification itself is a rapidly evolving field, driven in part by large platform vendors such as Amazon, who have a tremendous amount at stake regarding the correctness of their software platforms – we all do! (see provable security).

Given the complexity of most software platforms, and their often effectively infinite number of possible states, systems that seek to achieve high levels of assurance often look to integrate with hardware components that expose functionality on which to base security claims. The behaviour of hardware is typically more constrained (see for example the HardSec blog), and any existing security analysis or evaluation of it can be inherited by the software that makes use of it. This principle is driving increased availability and use of hardware-based security functionality, from TPM chips, to Intel and Arm processor security extensions, as well as dedicated and evaluated hardware security platforms.

High Assurance systems may still have vulnerabilities, including those found within hardware, but the combination of explicit claims with constrained or verified security functionality means that associated risks can be both mitigated and quantified more effectively.

What is High Assurance not?

Of course, most cyber security products today would not be categorised as High Assurance, either because exaggerated marketing claims replace evidence-based security claims, or because of the probabilistic nature of technologies such as signature-based malware detection and AI-based anomaly detection. That is not to say we should not use such technologies, but we should recognise the different type of contribution they make to informed risk management. If I want to reduce the occurrence of malware within a network, then I will run the latest anomaly detection. If I want a high degree of confidence that I have removed the risk of malware, then my controls will include something like a High Assurance gateway that provides network isolation, which in turn can increase the effectiveness of my anomaly detection software.

Why should we care?

If you have made it to this part of the article, you will probably have differing perspectives on parts of the above and areas you would improve; I would be interested in your feedback. But too many consumers of cyber security products and services do not yet adequately distinguish well-implemented security products from well-marketed ones and the rest. In fact, they often do not have the resources, time and expertise to do so. Economists refer to this market dynamic as ‘Information Asymmetry’ and point out that it is one of the key drivers of market failure (often leading to further regulation).

In some sectors and for some categories of security product or service, third-party evaluations or accreditation schemes can address Information Asymmetry, but it is unrealistic to assume these can scale to address even a minority of the market’s needs.

Within the UK, the direction of travel from government seems to be towards placing more focus, and then trust, on the vendor’s standards and practices. If part of this leads to the encouragement of more formal security claims, and a closer relationship between these and marketing claims, the industry will make a significant step forward in addressing Information Asymmetry and supporting more informed risk management.



Reluctant Apple joins FIDO

Recently, it has been revealed that Apple, which has been one of the tech companies that appeared more resistant to the FIDO Alliance, has joined the biometrics and authentication standards body. FIDO was founded by companies including Google, Yubico and Microsoft and was later joined by multiple chipmakers, financial institutions and other tech companies. Apple hasn’t actually announced that it joined the FIDO Alliance, but it has been listed as one of the 40 or so “board level members” on FIDO’s website.

Jake Moore, Cybersecurity Specialist at ESET:

“Strengthening the security of an account, whilst making it more convenient for the user, is a step in the right direction. As the private key is stored locally on the device, even if the website has suffered a data breach, the hackers would have no passwords to steal, minimising the risk of exposure online. People tend to struggle with the concept of cyber security so rendering it compulsory for them in a convenient way is the best way to add an extra layer of protection.”



RESEARCH: The Hole in the Bucket – Attackers Abuse Bitbucket to Deliver an Arsenal of Malware

The Cybereason Nocturnus Research Team is following an active campaign to deliver multiple different types of malware and infect victims all over the world. Due to the unprecedented number of malware types deployed in this attack, the attackers are able to steal a wide variety of sensitive data, mine for Monero, and ultimately deploy ransomware. All of the payloads observed in this campaign originated from a code repository platform, Bitbucket, which was abused as part of the attackers’ delivery infrastructure.

Key points:

  • Abuses resource sharing platforms: The Cybereason Nocturnus team is investigating an ongoing campaign that abuses the Bitbucket infrastructure to store and distribute a large collection of different malware. The attackers aren’t satisfied with one payload; they use several to maximise their revenue.
  • Attacks from all sides: This campaign deploys seven different types of malware for a multi-pronged assault on businesses. It is able to steal sensitive browser data, cookies, email client data, system information, and two-factor authentication software data, along with cryptocurrency from digital wallets. It is also able to take pictures using the camera, take screenshots, mine Monero, and ultimately deploy ransomware.
  • Far Reaching: This ongoing campaign has infected over 500,000 machines worldwide thus far.
  • Modular and Constantly Updating: The attackers leverage Bitbucket to easily update payloads and distribute many different types of malware at once. In order to evade detection, they have an array of user profiles and continuously update their repositories, at times as often as every hour.
  • Many kinds of malware: The attackers use the Evasive Monero Miner to steal a combination of data, mine cryptocurrency, and deploy other malware including the Vidar stealer, Amadey Bot, and IntelRapid. They also use Predator the Thief, Azorult, and the STOP ransomware over the course of their activities.
  • Devastating impact: The combination of so many different types of malware exfiltrating so many different types of data can leave organisations unworkable. This threat is able to compromise system security, violate user privacy, harm machine performance, and cause great damage to individuals and corporations by stealing and spreading sensitive information, all before infecting them with ransomware.

This highlights an ongoing trend among cybercriminals, who abuse legitimate online storage platforms like GitHub, Dropbox, Google Drive, and Bitbucket to distribute commodity malware.



New PayPal phishing campaign tricks users to send over passport details - Comment

A recently uncovered phishing campaign, targeting PayPal users, pulls out all the stops and asks victims for the complete spectrum of personal data – even going so far as to ask for social security numbers and uploaded photos of their passports. The campaign starts with a fairly run-of-the-mill phishing email, purporting to be from the online payment company’s notifications center, which warns victims that their account has been limited because it was logged into from a new browser or device. The email recipient must verify his or her identity by clicking on a button, which is a bit.ly address that then redirects the browser to an attacker-owned landing page, which asks for a complete rundown of personal data.

Full story here: https://threatpost.com/active-paypal-phishing-scam-targets-ssns-passport-photos/152755/

Commenting on the news is Javvad Malik, security awareness advocate at KnowBe4:

We are seeing the criminals becoming more and more brazen in their attacks and methods. The key is to dupe someone into clicking on a phishing link; once that has happened, the criminal can ask for whatever they wish.

This is not uncommon, as we have seen this evolution in ransomware. Whereas previously ransomware only encrypted files, now criminals look to steal data, logins and as much information as possible.

Similarly, we could be seeing the emergence of a trend where phishing attacks will look to gather more and more information.

It is why organisations need to ensure staff receive effective and timely security awareness and training so that they can spot phishing emails and report them appropriately.




Metamorfo banking Trojan has expanded its campaign to target online users’ banking services - Comment

It has been reported that the Metamorfo banking Trojan has expanded its campaign to target online users’ banking services around the world, with the aim of stealing credit card information, finances and other personal details. Like many other hacking campaigns, Metamorfo begins with phishing emails that in this case claim to contain information about an invoice and invite the user to download a .ZIP file. By downloading and running the file, the victim allows Metamorfo to execute and run on a Windows machine.

Commenting on this, Justin Fox, director of DevOps engineering at NuData Security, a Mastercard company, said “Banks and consumers are under continuous attacks by cybercriminals that will try to find any crack in defences to track and step in the middle between consumers and banks. While banks are employing various technologies to identify the true customer online, they just can’t protect them when hackers target consumers. Experts advise never to click on an attachment sent to you, but time and again cybercriminals come up with the most sophisticated method to trick the end user into clicking. From the moment a user receives the malicious email in their inbox, the clock is ticking – most users will click on links and provide their information, or open a malware infected document without thinking twice. Once they do, their credentials are immediately harvested for hackers to leverage or sell on the Dark Web. Educating end users is clearly not enough, nor is the deployment of technical countermeasures to protect end users.”



Translink report suspected IT hack to the police

As reported by the BBC, bus and train operator Translink has reported a suspected hack of its internal IT systems to the police. The firm confirmed it has reported an “incident” to the Police Service of Northern Ireland (PSNI) after experiencing difficulties with its internal IT systems. Bus and train services have not been affected, a spokesperson said.

Jake Moore, Cybersecurity Expert at ESET:

“I applaud organisations that report cyberattacks at the earliest opportunity, which in turn gives them the best chance of quicker recovery. Attacks such as ransomware are not legally required to be reported, as usually personal data isn’t compromised in this way, but holding your hands up will usually attract external expert support.

In the wake of the Travelex cyberattack, it has been proven that the reporting aspect of the situation is just as important as getting back to business as usual. Ransomware, although hugely impactful on a company, needn’t be embarrassing, and we need to steer away from the stigma of damaging the brand or being further targeted. Cyberattacks are unfortunately inevitable, but it’s the honesty from the start, including learning from what has happened, that will help put a company back on its feet with a stronger defence.”



Cisco Flaws Put Millions of Workplace Devices at Risk

As reported by Wired, researchers say that a crop of recently discovered flaws in Cisco enterprise products—like desk phones, web cameras, and network switches—could be exploited to penetrate deep into corporate networks. Because Cisco dominates the network equipment market, the bugs impact millions of devices.

All software has flaws, but embedded device issues are especially concerning given the potential for espionage and the inherent complexity of patching them. These particular vulnerabilities, found by the enterprise security firm Armis, can also break out of the “segmentation” IT managers use to silo different parts of a network, like a guest Wi-Fi, to cause widespread issues.

Jake Moore, Cybersecurity Expert at ESET:

“Cisco will always be targeted due to the huge numbers they operate on. However, the interesting aspect of this case is that these flaws could possibly be exploited by someone on the inside, which tends to be forgotten about in countless firms.

Usually automatic updates are the best way to protect against this type of threat, but so many of these devices do not allow auto updates and therefore become vulnerable very quickly even once a flaw is known. IT managers need to be aware of the risks and immediately update where possible before anyone is able to take advantage of this threat.”



NSPCC urges Facebook to stop encryption plans

As reported by the BBC, child-protection organisations say Facebook’s decision to strongly encrypt messages will give offenders a place to hide. The company is moving ahead with plans to implement the measure on Facebook Messenger and Instagram Direct. But more than 100 organisations, led by the NSPCC, have signed an open letter warning the plans will undermine efforts to catch abusers. They say Facebook has failed to address concerns about child safety.

Jake Moore, Cybersecurity Expert at ESET:

“Encryption is the backbone of the internet; without it, you lose all security. If you create a backdoor to encryption, you undermine the encryption entirely. There is an endless battle between law enforcement and the technology companies when it comes to encryption, but it is vital that we strike the correct balance.

I think Facebook are right to secure their applications, which in fact protects users. Taking away encryption allows cyber criminals to view sensitive data, which creates more problems in the long run. You could also argue that if Facebook was to allow access to its messaging platforms, many users could simply move to other more privacy-focused applications.”



Bug in Philips Smart Light Allows Hopping to Devices on the Network - Comment

It has been reported that security researchers taking a closer look at the Philips Hue smart bulbs and the bridge device that connects them discovered a vulnerability that helped them compromise more meaningful systems on the local network.

Commenting on this, Boris Cipot, senior security engineer at Synopsys, said “IoT devices, be it bulbs, door locks, home assistants, switches etc., are a common utility in many households today. This is due to their versatility of use, which also helps to make life easier and more comfortable. They can be controlled by devices like our phones and other IoT devices in the same network, so we can use our voice to turn them on and off, or in the case of the Philips Hue bulbs, change the colour or intensity of light. The communication protocol used for giving commands to the Philips Hue bulbs and receiving information from them is called ZigBee, a standardized protocol used by many other IoT devices. Unfortunately, this protocol has a vulnerability enabling an attacker to exploit these IoT devices, including the Philips Hue bulbs and the Philips Hue Bridge model 2.x.

The good news is that the vulnerability has already been patched by Philips, and the patch was released on the 13th of January. Users who have automatic updates enabled on their bridges have already got the patch applied. Those who have not enabled automatic updates, or are unsure if they have, should check their status on the Hue System in the Hue app (Settings -> Software update -> Automatic Update). It is highly advisable to turn automatic updates on, as you do not want to miss any security improvements now or in the future. Furthermore, there are other perks to having automatic updates switched on. This includes ensuring you do not miss out on quality, security or performance improvements, as well as guaranteeing that your Hue System stays compatible with new Hue products.”



The UK Government’s outline IoT law will provide a necessary first step in enhancing IoT device security

The UK Government has unveiled new regulatory proposals for the consumer Internet of Things (IoT), forcing the IoT ecosystem to take a more rigorous and conscious approach to cybersecurity. With an estimated 75 billion internet-connected devices worldwide forecast for 2025, there is no denying that IoT is becoming a more integral part of our lives; yet with this come increased security risks.

Whilst the new law outlines requirements for unique passwords, no ‘factory reset’ options, vulnerability reporting functions and minimum timeframes for security updates, Paul Farrington, CTO of EMEA at Veracode, believes that, since manufacturers are among the worst offenders when it comes to fixing flaws, the proposal should be extended to ensure they build in software security at the early stages.

Paul Farrington, CTO of EMEA at Veracode:

“The outcome of the consultation will provide a necessary first step in enhancing IoT device security. The Government has attempted to balance the needs of industry with those of users. Removing default passwords, coordinating vulnerability reporting and bringing clarity to technical support coverage is progress. These measures do fall well short of what is necessary to protect users. Research shows that manufacturing is one of the worst sectors at dealing with security bugs. 83% of software apps have at least one security issue. On average, firms take 171 days to fix a security defect. Improving ways for people to report problems is really a bare minimum. What we really need is a way for IoT device manufacturers to evidence how they are building security into the process, at the earliest stages. The toy industry has had to do something similar around safety-testing for decades. The Government will need to revisit IoT security legislation again before too long.”