15.1.18

CES 2018: Why doesn’t everyone use VR already?


Last year, CES 2017 heralded the age of ubiquitous Virtual Reality or VR as the cool kids call it, but now CES 2018 has come and gone and you probably still don’t own or use a VR system. So why not?
VR has been a slow burn. The problem has been to create realism to the extent that the brain can stop nagging you that you’re not in a real environment and just adapt, and learn whatever’s being presented.
This year there are even more VR offerings than at last year’s event, with better resolution, lower latency, better and more intuitive sensors – the kind that might be useful for visualizing large sets of security threat data and discerning significant trends – so the slower-than-expected adoption of VR might be about to speed up.
Bolstering this potential is the deluge of Artificial Intelligence (AI) offerings this year, along with augmented reality implementations. So maybe we’re finally getting ready to see the promise of “VR everywhere”, helping us to do everything from training to security to the next killer app we haven’t even imagined yet.
Case in point: When sensors were just starting to come out, the headset would paint an environment to the eyes that suggested you were immersed in a virtual environment, but the next human instinct was to raise your hands to see how they reacted. Since there were no hand sensors, they wouldn’t be displayed in the environment, and the brain sort of checked back out of virtual reality.
” This is another hint to your brain that what you are experiencing in VR is not the the real world”
Also, there’s the display issue. Even if you have high-definition displays, they don’t emulate moving through a real environment. This is because you overlay a flat image onto a surface, but when you “pass by” that object, your peripheral vision doesn’t detect the other side of the image being displayed on the other side of the object. This is another hint to your brain that what you are experiencing in VR is not the the real world. Therefore the credibility of the synthesized reality is in doubt. To address this, some initiatives are underway that use special cameras to recreate scenes by capturing these missing visual elements and then make them available in the VR gear.
Then there’s latency. If you progress rapidly through an environment, the rendering process has to have very low latency to appear real. The good news is the devices this year at CES have far more computing power, faster access speed, and lower latency throughout, so even lower-priced pieces of the puzzle are available, driving the total cost of a more believable environment down to a price that makes it accessible to a wider audience.
One side effect of slower than expected uptake of VR is that virtual reality application developers have been slow to invest in creating content. In this sort of chicken-and-egg cycle, growth tends to be slow, not explosive.
“The credibility of the synthesized reality is disbelieving”
However, due to the strong strides this past year in AI cores that “know” or can infer more about your changing environment, the overall experience can seem far more real, and commoditization of that technology makes such improved VR experience increasingly affordable.  AI has come a long way in recent years, especially around integrating it into other environments through hooking APIs and such.
Speaking of APIs, much of the modular technology involved in VR is getting far better at supplying more robust (and hopefully documented) APIs that are far easier to use for developing VR. Whether you’re integrating LiDAR into your project, or servos, or any of a host of other sensors, it’s very helpful to have great APIs to tie them all together, or at least get them all to speak the same language.
On the LiDAR front alone, we saw some impressive sensors developed that have dropped precipitously in cost over the past few years, putting them in reach of various builders seeking to emulate environments in new ways.
We hope VR continues to make strides, and not just because it’s fun to enter a “realistic” virtual environment — the entire security industry, and lots of others, could benefit immensely. Consider this: every day in the world of cybersecurity we process stunning amounts of threat data and we are working on better ways to visualize threats and infer trends in that data. It is hoped that better VR could prove to be a big help to the world of cybersecurity.


12.1.18

CES 2018: The price of tech is dropping, kids can do this!



In the startup area of the Consumer Electronics Show (CES) 2018, I watch as a founder pitches a variant of Raspberry Pi in a case with a touchscreen with great graphics aimed at getting kids to engage in tech.
Teaching kids to code with a drag-n-drop interface is just one of a myriad of tech projects here that are getting cheap and easy enough for an average family to purchase for their kids.
Nowadays you can find AI embedded in devices that can just plug in to the expansion pins on a tiny computer like the Raspberry Pi and you have a non-trivial development and testing set at your fingertips, with enough horsepower to run both an operating system, and yet support direct hardware development if that’s your thing.
Whether you bolt on relays that turn things on or off in your home, or plug in a LIDAR sensor that can sense the computer’s surroundings and drive the robot that’s also controlled by the Raspberry Pi, it’s tenable to hack a system together like this for the price of a child’s fancy bicycle, and you get to learn a career in the process.
I rode next to a math professor on one of the CES busses, and we mused why more kids don’t more aggressively seek out STEM technology.
To one way of thinking, they can interact at a high level with technology, but the deeper stuff is sort of out of view, and so doesn’t feel as accessible. Yet there are free code classes where a student can watch videos and tutorials to their heart’s content and make the next generation of cool stuff.
Row after row of startup tech here has tiny modules designed to be mashed up into the next big thing if their founders have anything to say about it, and the trend continues. You can buy sensors by the drawer-full and bolt them all together, so it seems the next generation of inventors should be knocking the doors down.
“If we get enough kids on the good side of tech, it will help keep us all safe”
At ESET we invest heavily in the next generation – through projects like the annual Cyber Boot Camp and Securing Our eCity – not just because we find the technology cool, but because today’s young people will have to defend against future threats to data and digital technologies. To do that, kids first need to learn how those technologies work. Ironically, learning how to tear apart and fix a given technology is foundational for how many of those students learn.
In the end, if kids can get turned on to tech early, through an interface that’s easy to use and aimed at a low-cost and fun toolset, then that will go a long way toward making it fun. The Raspberry Pi teaching platform founder said he came from a teaching background, not a tech background as you might think; if he approaches the problems in a way that translates to kids learning, all the better. If we get enough kids on the good side of tech, it will help keep us all safe. Bear in mind: we either invest in them or defend against them. Investing is cheaper.

11.1.18

Tank-traps versus trappings in virtual currencies: A cybersecurity minefield

Virtual currencies have been the talk of the town of late — including that of the ‘online town’, judging by 2017’s top-trending search terms on Google. And, in a way, rightly so, given the genuine bumper crop of events that 2017 yielded in this burgeoning – but all too often murky and muddy – field. We saw cryptocurrency splits, bankruptcies, the launch of futures contracts by the world’s biggest derivatives exchange operator, an explosion in initial coin offerings (ICOs) along with some fraud involving ICOs, Japan’s approval of bitcoin as legal tender, regulatory rumblings from governments, crackdowns on bogus digital currencies, fake trading apps, arrests of suspected scammers, and the kidnapping of a cryptocurrency industry insider.
Importantly, 2017 witnessed a bevy of cyberattacks against providers of infrastructure that caters to virtual currencies and their users, including high-profile thefts of users’ virtual assets. Last year was also notable for a boom in surreptitious cryptocurrency mining. To be sure, this is by no means an exhaustive list of calamities to have befallen this space last year – all against the backdrop of the gravity-defying appreciation of the cryptocurrency market.
Bitcoin, the progenitor of the entire cryptocurrency boom and still the most popular virtual currency, experienced a truly heady run-up in value. Its price surge was punctuated with a crescendo midway through December, when a single bitcoin approached $20,000. Bitcoin’s value had thus risen twenty-fold from the beginning of the year, wildly outflanking the ‘meager’ more-than-doubling in its price in 2016. While the digital currency has since retreated from these lofty heights, it continues to trade at levels that has many officials and pundits concerned that bitcoin is a bubble waiting to pop. The markets continued to shower their love on bitcoin and its ilk, notwithstanding reports of various cybersecurity disasters that struck a number of cryptocurrency services and its users last year.
“Last year was also notable for a boom in surreptitious cryptocurrency mining”
With the value of digital currencies, to use a technical term, going nuts, the ‘money’ and related services are becoming ever more irresistible catnip for a slightly unsavory clowder of clued-in cats. Indeed, Europol, the European Union’s law enforcement agency, noted in its 2017 Internet Organised Crime Threat Assessment (IOCTA) that “[b]itcoin remains a key facilitator for cybercrime”, but was quick to add that “other cryptocurrencies such as Monero, Ethereum and Zcash are also gaining popularity within the digital underground”.
In addition to targeting providers of online crypto-wallets, trading and mining exchanges and other services focused on digital currencies, the attackers are also taking aim at investors and industry insiders. They commonly rely on familiar social engineering tactics for scams involving phishing, website spoofing, fake mobile apps and wallets and others, all with the ultimate aim of cyber-heists. Indeed, nearly a million bitcoin in total is reported as stolen since 2011.
High-profile incidents in 2017
Let us now review some of the notable cybersecurity incidents that occurred amid the hustle and bustle of the cryptocurrency markets in 2017. The cryptocurrency arena has resembled something of a mosh pit of late, with the craze about 2017’s smash hit continuing despite the many bruises suffered by a number of its cheerleaders, speculators, and various infrastructure providers. The ICO frenzy in particular – which yielded $4 billion to the start-ups last year alone – provided a perfect storm of conditions for cyberlarceny.
·         In February, attackers broke into a home computer belonging to an employee of South Korean exchange Bithumb, one of the world’s busiest exchanges for bitcoin and Ether. The personal details of more than 30,000 of Bithumb’s customers were compromised, acting as a springboard for scams that ultimately led to the siphoning of bitcoins worth over $1 million.
·         In July, hackers flew off with some $7.4 million worth of ether, a currency similar to bitcoin. The cyberheist was perpetrated during the ICO of an Israeli cryptocurrency trading start-up called CoinDash. Investors were tricked into sending their money in ether to a fraudulent Ethereum deposit address controlled by the hackers.
·         A further $8.4 million worth of ether was stolen in the midst of another ICO a few days later, this time organized by an Ethereum platform known as Veritaseum. The hackers stole the platform’s tokens, known as VERI, before immediately dumping the loot by exchanging it for ether, thus making a quick profit while the ICO was still under way.
·         Still in July, a coding fault in Parity, a well-known Ethereum wallet, facilitated the theft of around 150,000 Ethereum cryptocurrency tokens. It was worth more than $30 million at the time.
·         In August, a devious scheme was devised to con prospective investors out of their money at Enigma, another Ethereum platform. While the platform was preparing for an ICO, scammers fooled unsuspecting traders into sending them $500,000 in ‘crypto-money’ with a ‘pre-sale’ of tokens.
·         In November, the Hong Kong-based operator behind a digital currency known as Tether, which is pegged to the US dollar at a 1:1 ratio, announced a theft of nearly $31 million worth of its tokens from its digital coffers.
·         An apparent coding blunder in the Parity wallet was reported as having resulted in the permanent ‘freezing’ of some $280 million worth of ether in November. The bug was triggered after a user – yes, a ‘mere’ user – mistakenly deleted the code library required for access to the digital wallets.
·         In December, hackers ransacked the payment system of Slovenia-based cryptocurrency mining marketplace NiceHash, stealing some 4,700 bitcoin, worth around $64 million at the time. The company described the breach as “a highly professional attack with sophisticated social engineering”, as the attackers entered the company’s system using the login credentials of one of its engineers.
However, this rundown doesn’t paint the whole picture, as cryptocurrency services, including exchanges Bitfinex and Coinbase, were also frequent targets of distributed denial-of-service (DDoS) attacks in 2017. Malicious actors also zeroed in on the potential users of a cryptocurrency trading app known as Poloniex, targeting them with two bogus credential-stealing apps on Google Play.
“Malicious cryptocurrency miners are also known to target unpatched Windows webservers and mobile devices”
In addition, increasing numbers of internet users have been hit by covert mining of digital coins, also known as cryptojacking, a practice that picked up extra steam with the launch of an in-browser mining service by Coinhive in September. This fired up an easy way for website owners to generate revenue using a method other than adverts. The practice involves gobbling up the untapped processing power of the visiting device by running a currency mining script in the browsers of website visitors, usually without their consent or knowledge. The code, which mines a digital currency called Monero, has been detected on tens of thousands of websites, including many legitimate but compromised websites, as well as in browser extensions and plugins, and on typo-squatted domains. Malicious cryptocurrency miners are also known to target unpatched Windows webservers and mobile devices.
Speaking of cryptocurrency mining – which is actually a process whereby the ‘coins’ come into existence – a different kind of threat made the rounds on the internet in December. It was reported that the mining of bitcoins, because it requires significant computational processing power, consumes more energy than 159 individual countries. If the bitcoin network were to retain its current growth in energy use, it could reportedly use up all of the world’s energy by 2020 – an estimate disputed by some energy and IT researchers, however.
Where does this leave us?
The relaxed – or non-existent – checks and balances in the cryptocurrency arena and concerns about the use of virtual money being used as a vehicle for all manner of illicit endeavors, such as extortion, money laundering and tax dodging, have prompted authorities in a number of countries to take action. The list of nations that are planning to keep a more watchful eye on this space – or are already doing so – includes Japan, China, the United States, South Korea, Australia, Russia, and the United Kingdom and other European Union countries. At the same time, some countries are planning to dive into the uncharted waters of government-backed cryptocurrencies, which should also serve to put cybersecurity concerns on the front burner.
All told, virtual currencies – once the preoccupation of the technologically-minded – are looking to gain currency among ever broader sectors of society. The trappings come with many traps to ensnare the unwary, and even the wary. It remains to be seen how, over the long term, the morass of risks inherent in the newfangled currencies, the fundamental security-related challenges they face, and tighter regulation pan out for virtual ‘money’ and its fandom. That said, it is obvious already that – unless the myriad security concerns are addressed – more and more people invested in the superheated currency (or should we say ‘commodity’?) may face a cold and harsh reality further down the road.

10.1.18

ESET research: Appearances are deceiving with Turla’s backdoor-laced Flash Player installer



ESET researchers have found that Turla, the notorious state-sponsored cyberespionage group, has added a fresh weapon to its arsenal that is being used in new campaigns targeting embassies and consulates in the post-Soviet states. This new tool attempts to dupe victims into installing malware that is ultimately aimed at siphoning off sensitive information from Turla’s targets.
The group has long used social engineering to lure unsuspecting targets into executing faux Adobe Flash Player installers. However, it doesn’t rest on its laurels and continues to innovate, as shown by recent ESET research.
Not only does the gang now bundle its backdoors together with a legitimate Flash Player installer but, compounding things further, it ensures that URLs and the IP addresses it uses appear to correspond to Adobe’s legitimate infrastructure. In so doing, the attackers essentially misuse the Adobe brand to trick users into downloading malware. The victims are made to believe that the only thing that they are downloading is authentic software from adobe.com. Unfortunately, nothing could be further from the truth.
The campaigns, which have been leveraging the new tool since at least July 2016, bear several hallmarks associated with the group, including Mosquito, a backdoor believed to be the group’s creation, and the use of IP addresses previously linked with the group. The new malicious tool also shares similarities with other malware families spread by the group.
Attack vectors
ESET researchers have come up with several hypotheses (shown in Figure 1) for how Turla-related malware can make it onto a victim’s computer via the new method of compromise. Importantly, however, it is safe to rule out a scenario involving some sort of compromise of Adobe. Turla’s malware is not known to have tainted any legitimate Flash Player updates, nor is it associated with any known Adobe product vulnerabilities. The possibility involving a compromise of the Adobe Flash Player download website has also been practically discarded.

The possible attack vectors ESET researchers considered are:
·         A machine within the network of the victim’s organization could be hijacked so that it acts as a springboard for a local Man-in-the-Middle (MitM) attack. This would effectively involve on-the-fly redirection of the traffic of the targeted machine to a compromised machine on the local network.
·         The attackers could also compromise the network gateway of an organization, enabling them to intercept all the incoming and outgoing traffic between that organization’s intranet and the internet.
·         The traffic interception could also occur at the level of internet service providers (ISPs), a tactic that – as evidenced by recent ESET research into surveillance campaigns deploying FinFisher spyware – is not unheard of. All the known victims are located in different countries, and we identified them using at least four different ISPs.
·         The attackers could have used a Border Gateway Protocol (BGP) hijack to re-route the traffic to a server controlled by Turla, although this tactic would probably rather quickly set off alarm bells with Adobe or BGP monitoring services.
Once the fake Flash installer is downloaded and launched, one of several backdoors is dropped. It could be Mosquito, which is a piece of Win32 malware, a malicious JavaScript file communicating with a web app hosted on Google Apps Script, or an unknown file downloaded from a bogus and non-existent Adobe URL.
The stage is then set for the mission’s main goal – exfiltration of sensitive data. This information includes the unique ID of the compromised machine, the username, and the list of security products installed on the device. ‘Only’ the username and device name are exfiltrated by Turla’s backdoor Snake on macOS.
At the final part of the process, the fake installer drops – or downloads – and then runs a legitimate Flash Player application. The latter’s installer is either embedded in its fake counterpart or is downloaded from a Google Drive web address.
Mosquito and JavaScript backdoors
ESET researchers have seen in the wild, new samples of the backdoor known as Mosquito. The more recent iterations are more heavily obfuscated with what appears to be a custom crypter, to make analysis more difficult both for malware researchers and for security software’s code.
In order to establish persistence on the system, the installer tampers with the operating system’s registry. It also creates an administrative account that allows remote access.
The main backdoor CommanderDLL has the .pdb extension. It uses a custom encryption algorithm and can execute certain predefined actions. The backdoor keeps track of everything it does on the compromised machine in an encrypted log file.
Turla has been operating for a number of years and its activities have been monitored and analyzed by ESET research laboratories. Last year, the analysts released pieces covering new versions of another Turla backdoor called Carbon, watering hole campaigns misusing a Firefox browser extension and, most recently, a backdoor called Gazer.
Read ESET’s latest findings about Turla here in: Diplomats in Eastern Europe bitten by a Turla mosquito

9.1.18

MADIoT – The nightmare after XMAS (and Meltdown, and Spectre)

In the last few months of 2017, security companies made their own forecasts about incoming cyberthreats and the measures that needed to be taken to ensure a better and cybersafer 2018, often advocating the use of protective software tools made by that vendor.  Lo and behold! 2018 started with a scenario hardly anyone could have foreseen. Two serious design vulnerabilities in CPUs were exposed that make it possible, although not always that easy, to steal sensitive, private information such as passwords, photos, perhaps even cryptography certificates.
Lots has been written about these vulnerabilities already: if you are new to the subject we suggest that you read Aryeh Goretsky’s article “Meltdown and Spectre CPU Vulnerabilities: What You Need to Know.
Now, there is a much larger underlying issue. Yes, software bugs happen, hardware bugs happen. The first are usually fixed by patching the software; in most cases the latter are fixed by updating the firmware. However, that is not possible with these two vulnerabilities as they are caused by a design flaw in the hardware architecture, only fixable by replacing the actual hardware.
Luckily, with cooperation between the suppliers of modern operating systems and the hardware vendors responsible for the affected CPUs, the Operating Systems can be patched, and complemented if necessary with additional firmware updates for the hardware. Additional defensive layers preventing malicious code from exploiting the holes – or at least making it much harder – are an “easy” way to make your desktop, laptop, tablet and smartphone devices (more) secure. Sometimes this happens at the penalty of a slowdown in device performance, but there’s more to security than obscurity and sometimes you just have to suck it up and live with the performance penalty. To be secure, the only other option is either to replace the faulty hardware (in this case, there is no replacement yet) or to disconnect the device from the network, never to connect it again (nowadays not desirable or practical).
And that is exactly where the problems begin. CPUs made by AMD, ARM, Intel, and probably others, are affected by these vulnerabilities: specifically, ARM CPUs are used in a lot of IoT devices, and those are devices that everybody has, but they forget they have them once they are operating, and this leaves a giant gap for cybercriminals to exploit. According to ARM, they are already “securing” a Trillion (1,000,000,000,000) devices. Granted, not all ARM CPUs are affected, but if even 0.1% of them are, it still means a Billion (1,000,000,000) affected devices.
IoT of issues
Now I can hear already someone say “What kind of sensitive data can be stolen from my Wi-Fi-controlled light? Or my refrigerator? Or from my digital photo frame? Or from my Smart TV?” The answer is simple: lots. Think about your Wi-Fi password (which would make it possible for anyone to get onto your local network), your photos (luckily you only put the decent photos on the digital photo frame in your living room, right? Or did you configure it to connect automatically to Instagram or DropBox to fetch your newly-taken pictures?), your credentials to Netflix? Your… Eh… There is a lot of information people nowadays store on IoT devices.
Ok, to be fair, to get access to these IoT devices, your attackers need to have compromised the network already to get into them? Or they have to compromise the supply chain, or compromise apps or widgets that can run on the device, or… as you can see, there are many ways to get access to these devices.
It is not feasible, in fact not even possible, to replace all CPUs in all devices. It would be too costly, besides the success rate for unsoldering and resoldering pin-throughs in multi-layer boards will never be 100%. In the real world, people will keep their existing devices until those devices reach the end of their lifecycles. So for years to come, people will have households with vulnerable devices.
Do you know how many IoT devices you have on your local network? Probably not. Several products, including from ESET, exist that will identify all the network-aware devices in your network. If you use any of these you may be surprised  you discover some devices you have never realized are there in your household at all.
As mentioned, it would be too costly to replace all the faulty CPUs, especially in the cheaper IoT devices. On those, even updating the firmware or (patching) the operating system may not be possible. As a warning, when you are buying a new IoT device, it makes sense to check which CPU it is running on, and if that CPU is affected by these vulnerabilities. It is expected that some devices may suddenly be offered cheaply by the manufacturer, hoping to rid their inventory of old(er) faulty CPUs while manufacturing new devices with updated CPUs, when these become available. So: caveat emptor. A bargain may turn out to be a nightmare once you connect it to your network.
The bottom-line: IoT or “smart” devices are here to stay, affected or not, so be sensible with the information you store within them.


7.1.18

Meltdown and Spectre CPU Vulnerabilities: What You Need to Know

NOTE: Microsoft released Security Advisory 18002 on Wednesday, January 3, 2018 announcing mitigation for a major vulnerability to Windows in modern CPU architectures. ESET released Antivirus and Antispyware module 1533.3 the same day to all customers to ensure that use of our products would not affect compatibility with Microsoft’s patch.
Background
The first few days of 2018 have been filled with anxious discussions concerning a widespread and wide-ranging vulnerability in the architecture of processors based on Intel’s Core architecture used in PCs for many years, as well as processors from AMD.  The scope of the vulnerability is wide-ranging, affecting everything from the ARM processors commonly used in tablets and smartphones to the IBM POWER processors used in supercomputers.
At the time of this writing, not all details have been released, but reportedly the issue is that programs running in user-mode address space (the “normal” range of memory in which application software, games and the like run) on a computer can infer or “see ” some of the information stored in kernel-mode address space (the “protected” range of memory used to contain the operating system, its device drivers, and sensitive information such as passwords and cryptography certificates).
Fixes to prevent user-mode programs from “peering inside” kernel-mode memory are being introduced by operating system vendors, hypervisor vendors and even cloud computing companies, but it appears the initial round of patches will slow down operating systems to some extent.  The exact amount of slowdown is open to debate.  Intel has stated the performance penalty will “not be significant” for most users, but Linux enthusiast site Phoronix has benchmarked performance penalties from 5-30%, depending upon what the computer is doing.
History
A long Reddit thread titled Intel bug incoming has been tracking the vulnerability since information about it began to appear on January 2, 2018; Ars Technica and The Register have had excellent coverage, as well.
Processor manufacturer AMD announced that they are unaffected, according to reports on CNBC and a message to the Linux Kernel Mailing List by an AMD engineer, but reports from both Google‘s Project Zero and Microsoft state that AMD processors are affected.  Since then, AMD has released a statement for clarification.
The Microsoft article goes on to note that this is not a Windows-specific issue, and that it affects Android, Chrome OS, iOS and macOS as well.  Red Hat‘s advisory includes IBM’s POWER architecture as being vulnerable.  Hypervisor manufacturers VMware and Xen have issued their own advisories, as has Amazon Web Services.
Affected Vendors
Here is a list of affected vendors and their respective advisories and/or patch announcements:
Vendor
Advisory/Announcement
Amazon (AWS)
AMD
Android (Google)
Apple
ARM
Azure (Microsoft)
Chromium Project
Cisco
Citrix
Debian
Dell
F5 Networks
FreeBSD
Google's Project Zero
Huawei
IBM
Intel
Lenovo
Microsoft
Mozilla
NetApp
nVidia
Raspberry Pi Foundation
Red Hat
SUSE
Synology
Ubuntu
VMware
Xen
Complete article on: