IT and the Line of Business – Security vs Usability Survey

The undeniable benefits of the cloud – better functionality, scalability, availability, and innovation at lower cost – are driving a secular move to cloud services. These benefits have made the cloud an executive-level and board-level conversation at many companies. As a result, IT is looking to take advantage of these opportunities not only for systems of engagement but also for the systems of record that house the authoritative copy of sensitive data. At the same time, end users demand and expect the same level of usability and functionality in enterprise systems as they’ve come to expect with personal technology. As data leaves the company datacenter for the cloud, IT is caught between delivering technologies to support innovation and growth in the business and securing sensitive data against proliferating threats.

In this survey we plan to explore how these trends are reshaping the role of IT and its relationship to the line of business. After numerous high-profile data breaches in recent years, starting with the Target payment card theft and culminating in the Sony breach, we also seek to investigate how organizations are preparing for mega breaches. Finally, as more organizations look to migrate their systems of record to the cloud, we focus on which systems of record are being migrated first and the security challenges organizations face as sensitive data moves beyond the firewall.

You are invited to participate in the survey

IT and the Line of Business – Security vs Usability

Take the survey now

Participants will be entered to win 1 of 10 Certificate of Cloud Security Knowledge (CCSK) exam tokens and a DJI Phantom 2 quadcopter drone.

The CCSK token ($345 value) will allow the user to take the CCSK exam on https://ccsk.cloudsecurityalliance.org/ and earn their certificate. A link to the study material will be included. Respondents can only take the survey once, but feel free to invite your qualified friends and colleagues.

Thank you for your support!

[Cloud Security Alliance]

Using Cyber Risk Intelligence to Identify the Controls You Should Focus On

With so many cyber threats out there, knowing where to focus your efforts and what controls to implement is no easy task. However, with cyber risk intelligence, you can gain an immediate understanding of the trending cyber threats to your business domain, what the bad guys are after and how they are getting in. And then you can shift your defenses and implement the appropriate controls.

In a new mid-year cybercrime report by SurfWatch Labs, our data analysts looked at all of the CyberFacts, or evaluated cyber intelligence, collected from 1 January to 30 June 2015. A CyberFact consists of an actor—who conducted the attack; target—what information/systems were targeted; effect—what was the impact of the attack; and practice—what method was used, along with other key metadata and information such as the target industry sector.

A common theme we found was that cybercriminals are targeting personally identifiable information (PII). The top breach targets of the first half of 2015 (Anthem, OPM, etc.) show an important shift when compared to the second half of 2014 when point of sale (POS) breaches at Home Depot, Staples, Dairy Queen and others took up seven of the top 10 slots. In those instances, cybercriminals were going after credit card information, which is very different from the personal information of patients, employees, partners and other individuals associated with the breached organization.

The reason for the cybercrime shift to focus on PII is that this kind of information allows cybercriminals to gain a greater fraud footprint—much more beyond simply selling credit card numbers on the Dark Web. If your organization has personal data, it is time to pay close attention and implement the proper controls.

We found that 77 percent of all cyberattacks in the first half of 2015 started at user interaction points with web sites, applications, accounts and/or endpoints. While the mid-year report outlines differing avenues of approach for different industries, cybercriminals are first targeting users for entry.

Knowing the user environment is the most targeted, you will want to implement the proper controls to ensure you can answer these questions:

  • Are your users effectively trained?
  • Are you proactively monitoring the user environment?

It is certainly not an easy feat, but it’s critically important to the overall security posture of your organization.

Another key point to highlight is that since last year when POS equipment was the leading avenue of approach, retail vendors have been upgrading their equipment for chip and PIN, adding tokenization and more, which is creating a harder target for actors to penetrate. As such, cybercriminals have shifted to other “softer” targets.

You cannot just implement controls to address an exploitable surface and then think you are covered, as it is a constantly moving target. As targets begin to harden their environment, the cybercriminals will shift to softer targets to continue their business—and right now they have chosen your users or, in some cases, the users of your partners.

Adam Meyer
Chief Security Strategist at SurfWatch Labs

[ISACA Now Blog]

Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store

On Wednesday, Chinese iOS developers disclosed a new OS X and iOS malware on Sina Weibo. Alibaba researchers then posted an analysis report on the malware, giving it the name XcodeGhost. We have investigated the malware to identify how it spreads, the techniques it uses and its impact.

XcodeGhost is the first compiler malware in OS X. Its malicious code is located in a Mach-O object file that was repackaged into some versions of Xcode installers. These malicious installers were then uploaded to Baidu’s cloud file sharing service for use by Chinese iOS/OS X developers. Xcode is Apple’s official tool for developing iOS or OS X apps, and it is clear that some Chinese developers have downloaded these Trojanized packages.

XcodeGhost exploits Xcode’s default search paths for system frameworks, and has successfully infected multiple iOS apps created by infected developers. At least two iOS apps were submitted to the App Store, successfully passed Apple’s code review, and were published for public download.

This is the sixth malware that has made it through to the official App Store after LBTM, InstaStock, FindAndCall, Jekyll and FakeTor.

XcodeGhost’s primary behavior in infected iOS apps is to collect information on the devices and upload that data to command and control (C2) servers. The malware has exposed a very interesting attack vector, targeting the compilers used to create legitimate apps. This technique could also be adopted to attack enterprise iOS apps or OS X apps in much more dangerous ways.

Distributing the Malicious Xcode Build

In China (and in other places around the world), sometimes network speeds are very slow when downloading large files from Apple’s servers. As the standard Xcode installer is nearly 3GB, some Chinese developers choose to download the package from other sources or get copies from colleagues.

By searching for “Xcode 下载” (Xcode downloading) in Google, in the first page of the search results (Figure 1), we found that six months ago someone posted Xcode download links to multiple forums or websites (including Douban, SwiftMi, CocoaChina, OSChina, etc.) that Chinese iOS developers frequently visit.

Figure 1. Google search results for “Xcode downloading” in Chinese

These posts provided links to download all versions of Xcode from 6.0 to 7.0 (including beta versions). All of the links direct to Baidu Yunpan, a cloud-based file storage and sharing service.

Figure 2. Malicious Xcode shared in Baidu Yunpan

We downloaded these Xcode installers and found that all versions of Xcode between 6.1 and 6.4 were infected. When attempting to verify the installers’ code signing signature, it’s clear that some extra files were added to Xcode (Figure 3).

Figure 3. Code signing verification shows some extra files in Xcode

Those additional files are listed below.

  • Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreService
  • Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library/PrivateFrameworks/IDEBundleInjection.framework/
  • Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreService
  • Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/Library/PrivateFrameworks/IDEBundleInjection.framework/
  • Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreService
  • Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/Library/PrivateFrameworks/IDEBundleInjection.framework/

How the Attack Works

The primary malicious component in the XcodeGhost infected version is “CoreServices”. What is different from all previous OS X and iOS malware instances is that this file is neither a Mach-O executable nor a Mach-O dynamic library, but a Mach-O object file that is consumed by the LLVM linker and can’t directly execute in any way. This unusual file format causes crashes or errors when it is analyzed with format parsers such as MachOView, 010 Editor (with the Mach-O template) or jtool.

In iOS, CoreServices contains many of the fundamental system services, and almost all complex iOS apps rely on it. When such an iOS app is compiled, Xcode will search for the CoreServices framework in some pre-defined paths to link it with the developer’s code.

XcodeGhost implements malicious code in its own CoreServices object file, and copies this file to a specific location that is one of Xcode’s default framework search paths. Hence, the code in the malicious CoreServices file is linked into any iOS app compiled with the infected Xcode without the developers’ knowledge.

The malicious CoreServices file primarily implements extra code in the UIWindow and UIDevice classes. The UIWindow class “manages and coordinates the views an app displays on a device screen”. Almost every iOS app has a UIWindow instance when it’s running.

When an infected app is executed, either in an iOS Simulator or on iOS devices, malicious code will collect some system and app information using its UIDevice AppleIncReserved method. The collected information includes:

  • Current time
  • Current infected app’s name
  • The app’s bundle identifier
  • Current device’s name and type
  • Current system’s language and country
  • Current device’s UUID
  • Network type

Figure 4. Collecting system and app information

Then, XcodeGhost will encrypt the information, and upload it to a C2 server through the HTTP protocol. From different versions of XcodeGhost, we found three C2 domain names:

Figure 5. Uploading stolen information to C2 server

Note that the domain name “icloud-analysis.com” was also used by a sample of the iOS trojan KeyRaider we recently found.

Malware In the App Store

According to JoeyBlue on Sina Weibo, at least two famous apps were infected by XcodeGhost and successfully landed in the App Store. We have confirmed both.

We downloaded the NetEase Cloud Music App (com.netease.cloudmusic) from Apple’s App Store (China region). In its latest version (2.8.3), Info.plist shows that it was built with Xcode 6.4 (6E35b). In the main executable file, the malicious XcodeGhost code is present (Figure 7 and Figure 8).

Figure 6. Infected NetEase App in the Apple App Store

Figure 7. XcodeGhost Present in the Infected NetEase App

Figure 8. Decompiled XcodeGhost Functions in the NetEase App

Security Risks

Compiler malware is not a new idea. Starting with the first proof-of-concept written by Ken Thompson 31 years ago, real compiler malware has been discovered on many platforms. Compared with other iOS malware, XcodeGhost’s behaviors are not especially significant or harmful. This is why the code can pass App Store code review.

However, XcodeGhost disclosed a very easy way to Trojanize apps built with Xcode. In fact, attackers do not need to trick developers into downloading untrusted Xcode packages, but can write OS X malware that directly drops a malicious object file into the Xcode directory without any special permission.

Additionally, although Apple’s code review for App Store submissions is very strict, some applications are never reviewed by Apple. If an iOS app is used by an enterprise internally, for example, it will be distributed in-house and won’t go through the App Store. In the same way, an OS X app can also be infected, and lots of OS X apps are distributed directly over the Internet rather than through the App Store.

In these situations, Xcode compiler malware can be much more aggressive and risky.

It’s difficult for iOS users or developers to be aware of this malware (or similar attacks) because it is deeply hidden and bypasses App Store code review. Because of these characteristics, Apple developers should always use Xcode downloaded directly from Apple, and regularly check their installed Xcode’s code signing integrity to detect modification of Xcode by other OS X malware.
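As an added defensive check that is not part of the original analysis, the following POSIX shell script looks for the six extra paths listed in the “Those additional files” section inside an Xcode.app bundle, prints the SHA-256 of any file it finds so it can be compared against the appendix hashes, and, where Apple’s codesign tool is available, verifies the bundle’s signature as recommended above. The bundle path argument and the default location /Applications/Xcode.app are assumptions.

```shell
#!/bin/sh
# Added example (not from the original analysis): scan an Xcode.app bundle for the
# XcodeGhost indicators described above and verify its code signature.
# Assumptions: the bundle path is given as $1; /Applications/Xcode.app is the default.

# The six paths the infected installers added, relative to Xcode.app (from the list above).
XCODEGHOST_PATHS="
Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreService
Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library/PrivateFrameworks/IDEBundleInjection.framework
Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreService
Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/Library/PrivateFrameworks/IDEBundleInjection.framework
Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreService
Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/Library/PrivateFrameworks/IDEBundleInjection.framework
"

# SHA-256 of a file, using whichever tool the platform provides (sha256sum on Linux, shasum on OS X).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Reports every indicator path present under the bundle, with the hash of any regular file so it
# can be compared against the appendix. Returns 0 when none are present, 1 when at least one is.
xcodeghost_scan() {
    xcode_root="${1:-/Applications/Xcode.app}"
    found=0
    for rel in $XCODEGHOST_PATHS; do
        path="$xcode_root/$rel"
        if [ -f "$path" ]; then
            echo "SUSPICIOUS file: $path sha256=$(sha256_of "$path")"
            found=1
        elif [ -d "$path" ]; then
            echo "SUSPICIOUS directory: $path"
            found=1
        fi
    done
    return $found
}

# Verifies the bundle's signature with Apple's codesign, which fails when sealed files were
# modified or extra files were added. Returns 0 if intact, 1 if verification fails,
# 2 if codesign is not available on this system (e.g. when run on Linux).
xcodeghost_codesign_check() {
    xcode_root="${1:-/Applications/Xcode.app}"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not found; skipping signature verification"
        return 2
    fi
    if codesign --verify --deep --strict "$xcode_root"; then
        echo "OK: $xcode_root signature verified"
        return 0
    fi
    echo "FAIL: $xcode_root signature does not verify (modified bundle)"
    return 1
}

# Usage: source this file, then run
#   xcodeghost_scan /Applications/Xcode.app && xcodeghost_codesign_check /Applications/Xcode.app
```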

Appendix

XcodeGhost file hashes

89c912d47165a3167611cebf74249f981a4490d9cdb842eccc6771ee4a97e07c  CoreServices

b1f567afbf02b6993a1ee96bfdb9c54010a1ad732ab53e5149dda278dd06c979  CoreServices

f5a63c059e91f091d3f1e5d953d95d2f287ab6894552153f1cf8714a5a5bed2d  CoreServices

2fde065892a8f1c9f498e6d21f421dbc653888f4102f91fc0fa314689d25c055  Xcode_6.2.dmg

c741af30aef915baa605856a5f662668fba1ae94a8f52faf957b8a52c8b23614  Xcode_6.4.dmg

[Palo Alto Networks Blog]

Palo Alto Networks Recognized as U.S. Rising Star Award Winner by GTDC

Last week at the 10th Annual U.S. Rising Star Awards event, we were recognized as a U.S. Rising Star Award Winner for 2015 by the Global Technology Distribution Council (GTDC). The U.S. Rising Star Award recognizes technology companies for exceptional sales growth through U.S. distributors over the past year. This was the second year in a row that we have been recognized as a U.S. Rising Star by the GTDC.

When you consider that the GTDC members are some of the biggest and most successful distribution companies in the world, accounting for more than $135 billion in product sales globally, it makes receiving this award a huge honor.

This recognition also puts us in an elite group of U.S. Rising Star companies. We were one of only 12 award winners in 2015, one of only six repeat winners and one of only three companies competing in a new, higher revenue category (we moved from $25M-$100M in annual revenue to $100M-$500M in annual revenue).

Todd Palmer, VP of Americas Channels, and Anne Stoken, Distribution Business Manager North America at Palo Alto Networks, were both on hand to receive our 2015 U.S. Rising Star Silver Award in the Hardware Companies with revenue of $100M-$500M category.

This award highlights the vital role distribution plays in our ability to grow. We want to thank the GTDC for the recognition and we want our distributors to know we are hard at work to make sure we are a 2016 U.S. Rising Star winner.

[Palo Alto Networks Blog]

The Cybersecurity Canon: The Internet Police: How Crime Went Online, and the Cops Followed

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member Hannah Kuchler: The Internet Police: How Crime Went Online, and the Cops Followed (2014) by Nate Anderson

Executive Summary

The Internet Police is a solid primer to many of the cases that helped define law online – from fighting against child pornographers to litigating against the masses who have downloaded music illegally. Nate Anderson, deputy editor at the technology news site Ars Technica, writes clear and, at times, entertaining tales about a large variety of online crime, including the creation of the Silk Road and the colorful lives of spammers.

But the book lacks an overarching narrative that would put the cases in context and help the reader to draw conclusions about the future of online enforcement. While useful for someone with an interest in learning more about specific court cases, it is not essential reading for the cybersecurity community and so does not make the cut for the Cybersecurity Canon.

Review

The Internet Police begins in a place that law enforcement agencies find hard to reach: a platform in the middle of the North Sea.

Sealand may be only seven miles from the English coast, but it is a separate jurisdiction that specialized in hosting sites, such as online gambling portals, that were prohibited in other countries. This offshore platform illustrates the fundamental problem of policing the Internet: bytes can travel across borders in seconds, always finding somewhere happy to host them.

This is one of the three major challenges for online law enforcement that Nate Anderson sets out at the start of The Internet Police. The second is that the structure of the Internet means network intelligence is stored on people’s computers, not in a central depository easily accessed by law enforcement. The third problem is that anonymity rules online, making it hard to identify individuals with any great certainty, even when armed with an IP address.

However, Anderson quickly goes on to explain why these three challenges were not ever as difficult as the so-called “Internet police” had feared.

To help address the jurisdiction problem, he argues the police could pursue online criminals based in their own country and rely on extradition from friendly countries. The decentralized structure still has its pressure points, such as ISPs and large Internet companies, which could be pushed into disclosing information. Finally, “anonymity,” he said, “turned out to be the province of the deeply skilled” and committed to disguising their identity. With a court order, most police can obtain enough information to identify a suspect.

Anderson’s argument would be more powerful if he used more detailed data and examples to back it up. It is true that police and other agencies have become skilled in tracing online identities and the NSA revelations – which Anderson devotes his Afterword to – make it clear that government can use a few key access points to gain a treasure trove of sensitive information. But he does not detail how successful extraditions have been, or how many online criminals have made their homes in countries which are not friendly to the U.S. He also skips writing about cyberattacks and hackers completely, most of which have been able to use anonymity, foreign jurisdictions and the decentralized nature of the Internet to their advantage.

If there is any clear lesson from the examples detailed in the book, it is that you cannot fight online crime with traditional methods: you have to turn to technology. Even when a prolific spammer is located, fines can mount to hundreds of millions of dollars that will never be paid. But much of conventional spam is now filtered away from our inboxes automatically by algorithms.

The music industry spent years and vast amounts of money chasing illegal downloaders of songs, in court cases against individuals on modest incomes, which often turned public opinion against the big companies. Now, the industry just sends lists of IP addresses to the government to let tax dollars do the work.

Overall, The Internet Police lacks a behind-the-scenes insight into how cops more familiar with chasing criminals down the street made the transition to pursuing crime online. Anderson does not quote any police officers or show any deep understanding of how law enforcement had to train its staff or hire new, more tech-savvy officers to tackle new threats.

Anderson writes both about the crimes that the police are tackling and how the online tools they are using may overstep the boundaries of privacy. He touches on evergreen debates about how much data it is appropriate for the FBI to harvest, the uses and misuses of encryption, and stories of law enforcement bending the existing rules to suit their needs. These tales are interesting for those who need an understanding of how arguments that hit the headlines today have existed for decades.

But the author does not reach a strong conclusion about what police should be allowed to do online to keep the population safe – and what oversteps the mark into spying. He warns that citizens need to keep an eye on the police and their tools and make “prudential judgments.” Anderson advocates instead for “productive chaos,” writing at the end: “Life is a messy business on the Internet as it is everywhere else, and we are never going to engineer the mess out of it.”

[Palo Alto Networks Blog]
