Sophos Security – Solutions IT – IT Support | Web design | Network security

Sophos Security

A first for BSides thanks to SophosLabs researchers

The BSides security conference has gone global since 2009, when it first began in Las Vegas as a place for talks that weren’t accepted by Black Hat or Defcon. The movement has now reached Budapest and, with help from two of our own, the first event was a success.

 

More than 400 people attended BSides Budapest (with a Twitter hashtag of #BSidesBUD2017) on March 2 to hear talks on a variety of security topics, from hacking IP cameras through the cloud to getting the most value from security logs.

Attila Marosi and Sandor Nemes from SophosLabs played key roles in organizing the event. Marosi’s statistics show how well things went:

  • Some 705 people registered and 429 showed up, which is quite robust for an event in its first year.
  • Attendees arrived from 11 countries.
  • Seventeen speakers were from 6 countries in 3 continents.

The event included one main track of talks and another track for workshops. And, of course, the capture-the-flag contests that have become a BSides staple.

At the main track there were 11 sessions – two 15-minute light talks and the rest were ordinary 30-45 minute talks,” Marosi said. “At the workshop session there were 4 topics, each one 2 hours long.”

SophosLabs threat researcher Tamás Boczán gave a talk about how online gamers are using malware-like techniques to cheat. (You can read about the presentation in this Naked Security article.)

In a post on the BSidesBUD website, the organizers made it clear that the event is here to stay:

Based on the interest and success of #BSidesBUD2017 we already started brainstorming about #BSidesBUD2018. From now on every BSidesBUD conferences will take place on the first Thursday of March, so if you do the math, you’ll get that the next one will be on 1st March, 2018. Enter the date into your calendar!

Filed under: Events Tagged: BSides Budapest, BSidesBUS, SophosLabs
Source: Sophos

Read more...

Q&A: Wikileaks, the CIA, ‘Fine Dining’ and DLL hijacks

There’s been a lot of talk in the media lately about an alleged CIA project called Fine Dining.

We’ve tried to explain what the fuss is all about by answering a series of questions about the what, the how and the why.

Q1. What’s all this from Wikileaks about “malware-laced spy apps”, including hacked anti-virus programs?

A1. A recent mass leak of CIA documents by Wikileaks, dubbed “Vault 7”, includes mention of an alleged CIA project called Fine Dining.

This project aims to provide CIA field agents who already have insider access to a target organisation with hacked versions of well-known apps that they can run as a decoy, to act as a cover for data-sniffing tools that run in the background at the same time.

Q2. Which decoy apps appear on the list?

A2. VLC Player Portable, Irfan View, Chrome Portable, Opera Portable, Firefox Portable, ClamWin Portable, Kaspersky TDSS Killer Portable, McAfee Stinger Portable, Sophos Virus Removal Tool, Thunderbird Portable, Opera Mail, Foxit Reader, Libre Office Portable, Prezi, Babel Pad, Notepad++, Skype, Iperius Backup, Sandisk Secure Access, U3 Software, 2048, LBreakout2, 7-Zip Portable and Portable Linux CMD Prompt.

Q3. Some reports say that these apps were hacked because they contained a vulnerability called “DLL hijacking” – is that true?

A3. The Fine Dining attack relies on altering each of the apps in some way in advance, and giving the modified app to the field agent, for example on a USB stick. The technique used to modify the apps involves changing or adding a DLL that each app uses so that it loads differently, thus the name “DLL hijack”.

(DLL is short for dynamic link library, a program component that is stored in a separate file from the program’s main executable. DLLs exist so that programs can share common “library code”, thus saving disk and memory space, and making updating easier.)

Because a prepared version of the app is modified in advance, it is a huge stretch to call this an application vulnerability. The DLL hijacking used in Fine Dining is down to the flexibility in how Windows decides which DLLs to choose for programs that run. Windows makes it possible even for system DLLs to be substituted automatically before a program begins to execute.

DLLs are effectively sub-programs in their own right, so, on a correctly-protected computer, installed applications should be protected from this sort of unauthorised modification anyway. However, the Fine Dining attack relies on the the field agents being able to bring in their own apps from outside and to run them at will. (To run the Sophos Virus Removal Tool, they need administrator privileges as well.)

Q4. If a field agent is already an administrator, can’t they pretty much do what they want anyway?

A4. Yes. That’s the whole point. This isn’t so much about what they’re doing but whether they fit the part while they’re doing it. (Much like fine dining, in fact: most upmarket restaurants have a dress code, so you’d do well to turn up looking smart.)

Q5. So this Fine Dining attack isn’t an exploit by which the field agents break into the target in the first place?

A5. No. It’s simply a way of modifying the behaviour of a well-known app so that it does everything it used to, such as editing files, watching movies or scanning for malware, as well as performing hidden tasks that would stand out more obviously if carried out on their own.

Q6. Surely the CIA could achieve the same result simply by creating fake or patched versions of the originals?

A6. Yes. Fake apps have been a staple of cyberattacks for years, especially to steal passwords and data, in just the same way that fake websites are a staple of today’s phishing attacks. DLL hijacking is another way of doing something similar.

Q7. So why bother with DLL hijacking?

A7. The most obvious answer is, “Why not?” Substituting the DLLs used by a decoy program is often quicker than the alternatives. These include: modifying existing program executables (EXE files); creating mock-up versions; or building what is called a “wrapper app” that runs before the legitimate program and then launches it over the top as a decoy.

Notably, the same DLL can often be used with several different apps (a favourite DLL substituted by the CIA seems to a system DLL called MSIMG32.DLL). Patches and mock-ups generally need adapting for each app.

Q8. Why Fine Dining?

A8. Most fine dining restaurants have a dress code, so it matters what you look like while you’re there. So the name is probably a metaphor for eating your fill of other people’s data but looking good while doing it.

Also, building modified software versions, such as hacked firmwares for mobile phones, is often referred to as “cooking”. Good “cooked ROMs” are sought after, although the most popular are ironically often those that remove unwanted bloatware from an official build, rather than those that add extra “secret sauce”.

Filed under: Corporate
Source: Sophos

Read more...

Anti-malware is imperfect but still necessary. Here’s why

Doctors sometimes make mistakes that harm the patient. Police often fail to protect and serve. When that happens, people rightly demand the failures be analyzed and fixed. But no one ever calls for the elimination of all doctors and police.

Why then, do some call for the end of antivirus and anti-malware when failures happen? It’s a question that has vexed us for a long time.

Researchers uncover vulnerabilities in security products on a regular basis. A recent example is Trend Micro, which faced scrutiny in January after researchers reported some 223 vulnerabilities across 11 of the vendor’s products. Tavis Ormandy, a prolific and gifted Google Project Zero researcher who most recently discovered Cloudbleed, regularly targets security products, including those produced by Sophos and such vendors as Kaspersky and Symantec.

Along the way, someone either declares it the end of antivirus, anti-malware and endpoint protection, or calls for its demise. Last year, during another disclosure of Trend Micro vulnerabilities, security experts even declared antivirus a threat to security.

Can we all do better? Absolutely. Like all technology created since the dawn of time, antivirus sometimes falls short of its mission. As an industry, we need to continue to find weaknesses and fix them as quickly as possible.

Does doing better mean we set aside antivirus and anti-malware, just as some believe vaccines should be shelved? Hardly.

To help frame the issue, I sat down with Sophos CTO Joe Levy.

Iatrogenesis happens, followed by schadenfreude
“In responding to the occasional question about the claims of harm from endpoint security products, it occurred to me how strikingly similar such a belief system is to the anti-vaxxer movement. Both mean well, but unfortunately have the potential to do more harm than those they indict. Nonetheless, those who point out problems with antivirus make valid points,” Levy said. “All software has flaws.”

Levy offers two other observations:

  1. This is a case of yelling ‘iatrogenesis (harm caused by the healer) in a crowded theater. It is particularly sensational because of the irony, and in many cases, a source of schadenfreude (pleasure derived from the misfortune of others).
  2. The attack surface of security software is often enlarged by the level of privilege needed to operate efficiently (i.e. in the kernel) and to do the kind of work that it needs to (file/network interception, process termination, system cleanup, etc.)

Just as patients sometimes develop complications after surgery, security technology sometimes fails, creating unintended harm for the user, Levy said. When that happens, detractors love to swoop in and bludgeon the offender.

Levy noted that when medical care goes wrong, we don’t see the masses calling for the end of doctors and hospitals. Sometimes police make mistakes and do harm in the line of duty. When that happens there’s public outrage, but no one calls for the end of police.

Like modern medicine and law enforcement, the security industry has a very high obligation to protect their users from harm. That means not only demonstrating effectiveness against attacks targeting operating systems and applications, but also against attacks targeting themselves. Despite this awareness, prevalent security software, like all other software with a large enough install base, is still sometimes found to be far from ironclad.

But just as we still need hospitals and police officers, we still need those security tools, Levy said. While Microsoft continues to make great strides in the security of their operating systems and applications year over year, a look at the number of Microsoft vulnerabilities per year illustrates the continuing need for additional protections. Microsoft security holes between 2009 and 2016, as catalogued on the Common Vulnerabilities and Exposures (CVE) website, are as follows:

  • 2009: 74
  • 2010: 106
  • 2011: 103
  • 2012: 83
  • 2013: 106
  • 2014: 85
  • 2015: 135
  • 2016: 155

In five of the last eight years, Microsoft released more than 100 security bulletins in a 12-month period. The number of bulletins each year haven’t fallen below 75 since 2009. Antivirus remains the first line of defense when attackers work to exploit vulnerabilities in either software or the software’s human operators.

“We take our obligation to protect very seriously, and we make continuous investments in the tools and programs to improve the security of our products, from our SDLC (secure development lifecycle), to static/dynamic/runtime security tools, to our bug bounty program, to name a few,” Levy said. “We are genuinely grateful to those security researchers who practice responsible disclosure. All of us in the security industry, whether software vendors or researchers, seek to make information systems more secure.”

He added: “We should all take a sort of Hippocratic Oath to do no harm, and that means both holding ourselves to a higher standard for building secure software, as well as putting end users before glory or sensationalism. Failure at either is a form of negligence, but calls for extermination are silly and irresponsible. The focus should not be on kicking the other when they’re down, but on making each other better.”

Filed under: Corporate Tagged: anti-malware, Antivirus, Joe Levy
Source: Sophos

Read more...

Sophos Mobile 7 is heading to Spain for a big unveiling

Sophos Mobile 7 is unveiled at Mobile World Congress 2017.

shutterstock_5804896301

Barcelona: the city of Gaudí, Miró, Picasso, a pretty decent football team, and so many more absolutely fantastic things. But, it’s more than that; every year in early spring, Barcelona is also the venue for the world’s biggest gathering of the mobile industry. Thousands upon thousands of companies descend on the city to network, exhibit their products, and make their technology announcements at Mobile World Congress. This year Sophos joins the ranks to introduce Sophos Mobile 7.

Sophos Mobile 7 is the latest version of our flagship Enterprise Mobility Management (EMM) product, for businesses that want to spend less time and effort managing and securing their mobile devices. This update adds exciting support for IoT devices, containerization management for Android enterprise (formerly “Android for Work”), strengthened security features like anti-phishing technology, and much more. It will even be available through the Sophos Central cloud-based management platform.

Save IT resources and get going quickly by deploying Sophos Mobile managed in the Sophos Central admin interface, which gives admins full EMM capabilities side-by-side with endpoint, network and server security. Get the same web-based console, the same look-and-feel, and the same simplicity across all of our security products. Whether you choose to use Sophos Mobile hosted in Sophos Central or installed on your premises, features and functionality stay the same.

We’ve also added support for Internet of Things (IoT) devices running Android Things or Windows 10 IoT. Why? With the explosion of connected devices, from lighting to cars to household equipment, the number of IoT devices will soon reach into the billions. And, we’ll bet that being able to manage and secure all your devices from one place will become increasingly important to you.

The new IoT functionality in Sophos Mobile provides core management features to organizations that are designing and deploying solutions at scale using low-cost devices. This includes tasks such as applying policies, checking the online device status, monitoring battery levels or confirming firmware versions. Sophos is one of the first security companies to provide organizations with a cost-efficient way to add management and security capabilities to their IoT projects, offering a communication and management framework that can be built into industrial and commercial IoT solutions such as POS/retail or connected classrooms.

Sophos Mobile 7 is available now for on-site installation and will be available managed in Sophos Central mid-March 2017. Head over to sophos.com/mobile for more information.

And, if you’ve got any questions about Sophos Mobile for IoT, drop us an email at [email protected].

If you do happen to be in Barcelona between 27 February and 2 March, drop by and see us at stand 5H31 in hall 5 at Mobile World Congress 2017.

screen-shot-2017-02-27-at-18-00-04

Filed under: Corporate, Enduser Tagged: Mobile World Congress, Sophos Mobile, Sophos Mobile 7
Source: Sophos

Read more...

Independent testing isn’t perfect, but it still helps make security products better

The Anti-Malware Testing Standards Organization (AMTSO) reaffirmed its support for independent product testing in the wake of disputes that surfaced at RSA Conference 2017 last week.

Two security vendors – Cylance and CrowdStrike – took issue with the practices of independent testing organizations, and it became a major discussion point among RSA attendees.

Sophos shares AMTSO’s position, which was mapped out in a press release:

Testing products in a fair and balanced way is very difficult. Product developers routinely make bold claims about the capabilities of their products. AMTSO supports the right of testers to put these claims to the test, to provide independent validation of their accuracy (or otherwise).

AMTSO said it was asked for an opinion on recent privately-commissioned anti-malware tests, and offered the following points:

  1. We reject turning off product capabilities while comparing the capabilities of products in real-world use, as we believe that this introduces bias in the results.
  2. We believe that any claims about what the results of tests show must be valid and accurate, and they must provide both data and evidence that the scenarios tested and the methodologies used do in fact match the resulting claims. In our opinion, test reports without this data and evidence should be rejected.
  3. We believe that tests that don’t give the tested product vendors an opportunity to engage and to comment on the approach or to validate their configuration are unfair.
  4. We believe that all comparative tests should follow our draft standards.
  5. We support the rights of a tester to run any test it wants to, and to test any available product without limitation, consistent with the AMTSO draft standards.

Sophos has long believed that independent testing is vital to the continued improvement of security technology. Sophos CTO Joe Levy acknowledged that while these tests are not perfect, they still have plenty of value.

“Methodologies can never be perfect, but the best testing houses will evolve them over time,” Levy said. “The worst will remain static and become increasingly irrelevant.”

There should be a partnership between the testing labs, end users and vendors, he added. Testing labs should under-promise and over-deliver, and work with vendors to configure environments correctly. End users should continuously be clear on the specific items they want to see reviewed, and vendors should make it easy for their products to be scrutinized.

For more meaningful and accurate testing, Levy suggested the following:

  • There needs to be transparency (sharing methodologies and revealing all numbers) and consistency, and all vendors should be subjected to the same tests.
  • Vendors should not try to hide from tests, and they should probably think twice before threatening litigation against testing labs, their partners, or other vendors. Such stunts make vendors look dishonest, and ultimately harms end users.
  • Testing Labs should think twice about commissioned reports and what they could do to perceptions about their objectivity.
  • End users should look at multiple testing sourcing rather than trusting just one. They should also endeavor to do their own testing where practical.

Simon Reed, VP of SophosLabs, said security product testing is hard, and third-party testing organizations need to focus on more depth and better testing than more different tests.

“Third-party testers need to acknowledge that some of their tests are focused on only parts of the malware attack chain and thus emphasize certain technologies over others,” Reed said. But in the bigger picture, he said, “Independent tests help us improve our quality. If third-party testers didn’t publish results, I would still want to be in at least half of them purely for an independent quality-control point of view.”

Reed added that third-party testers must clearly indicate in their reports which vendors assisted in the tests and which did not. Vendors included without approval should be able to make a short statement in the report on why they believe their inclusion wasn’t necessary, he said.

Filed under: Corporate Tagged: third-party testing
Source: Sophos

Read more...

RSA Conference 2017: Did our predictions come true?

It’s day 4 of RSA Conference 2017 as I write this. For me, the event ends with a flight home in a few hours. Before doing so, a review of the week is in order.

Journalists often write preview stories for RSA, and we’re no exception.

screen-shot-2017-02-17-at-18-50-52

My preview appeared on Naked Security last week, and now it’s time to see how accurate my predictions were. I wrote that some of the big topics would be attacks against Internet of Things (IoT) devices and the continuing scourge of ransomware.

Ransomware

What I predicted:

Ransomware is an old topic in information security circles. Attackers have been hijacking computers and holding files hostage for years now, typically demanding that ransom be paid in bitcoins. Some might expect that a majority of people are well aware of the threat by now and that they’re taking the appropriate precautions. It’s therefore reasonable to assume that online thieves have moved on to new tactics. Unfortunately, that’s hardly the case, said Andrew Hay, CISO of DataGravity and one of the seminar organizers. “Ransomware is one of the most prominent threats facing organizations and their end-users, partners, and customers,” he explained.

What happened:

Indeed, ransomware was a big discussion point, best illustrated by an all-day seminar on the subject on Monday. I was there and it was well attended. From 9am – 5pm, a variety of experts offered up case studies, reviews of the best technology to fight ransomware, and tips to help companies avoid falling victim in the first place.

Internet of Things

What I predicted:

IoT threats have been discussed at RSA conference for years now, but in largely theoretical terms. This past year, the theoretical turned into reality when Mirai malware was used to hijack internet-facing webcams and other devices into massive botnets that were then used to launch a coordinated assault against Dyn, one of several companies hosting the the Domain Name System (DNS). That attack crippled such major sites as Twitter, Paypal, Netflix and Reddit. For 2017, Sophos predicts a rise in threats against devices that are part of the IoT.

What happened:

My prediction that IoT attacks would be a big focus also turned out to be true. Multiple vendors played up the threat – and how they could help defend against it – on the show floor. And, Chester Wisniewski and I discussed the topic at the Sophos booth as well.

screen-shot-2017-02-17-at-19-16-31

Security luminary Bruce Schneier gave two presentations about regulating IoT devices. “Licenses, certifications, approvals and liabilities are all coming,” he said in one of his talk descriptions. “We need to think about smart regulations now, before a disaster, or stupid regulations will be foisted on us.”

To conclude

It was difficult to pinpoint an overriding theme this year. Whereas past RSA conferences were dominated by one or two issues (spyware in 2005 comes to mind), this year was more of a topic du jour. Ransomware and IoT were just two of many issues.

But I was fine with that.

I’ve found over the years that people don’t necessarily come to RSA in search of a big news event or theme. They attend because they are constantly striving to find more effective ways to better manage old problems.

Whether RSA filled those needs is in the eye of the individual.

For me, it was a great week full of networking and valuable conversation; some of which you can watch for yourself here.

Filed under: Corporate, Events Tagged: Internet of Things, ransomware, RSA Conference 2017
Source: Sophos

Read more...

Live from RSA 2017: Nation states crafting ‘meticulous’ attack code

In the latest installment of live videos beaming directly from San Fransisco Sophos security scribe Bill Brenner chats to Mark Loman, director of engineering for next-generation tech at Sophos, about how nation-state attackers meticulously craft their attack code to evade the most advanced security products.

(If you haven’t read our pre-RSA Conference Q&A with Mark, why not catch up first?)

 

Want to see more?
Check out our other videos live from RSA Conference 2017: IoT and ransomware and how machine-learning helps fight malware.

Filed under: Corporate, Events Tagged: Exploits, Mark Loman, RSA Conference 2017
Source: Sophos

Read more...

RSA Conference 2017: Security diet for modern attacks

Couldn’t get to RSA? We’ve got you covered on all the juiciest presentations.

In this Facebook Live presentation, Sophos principal research scientist Chester Wisniewski and channel SE John Shier use the food pyramid to show what they see as the proper balance of tools in the fight against online attackers.

 

If you haven’t caught our previous videos, find out about this year’s big topics – IoT and ransomware – and how machine-learning helps fight malware.

screen-shot-2017-02-13-at-17-33-08

Filed under: Corporate, Events Tagged: Chester Wisniewski, John Shier, RSA, RSA Conference 2017
Source: Sophos

Read more...

Live from RSA Conference 2017: How machine-learning helps fight malware

If you’re across the Atlantic or couldn’t get to RSA, we’re bringing RSA to you via Facebook Live.

In his presentation, Sophos product management director Russell Humphries talks about how machine learning will change the battle against malware. And, find out how we are bringing machine learning into the fold with our plans to acquire Invincea.

For those lucky enough to be at the conference, don’t forget to drop by our booth 3201 in North Expo Hall to pitch your questions, see live demos and pick up some extra special Sophos goodies.

screen-shot-2017-02-13-at-17-33-08

Filed under: Corporate, Events Tagged: Invincea, malware, RSA Conference 2017
Source: Sophos

Read more...

Hacked By MuhmadEmad

<br /> HaCkeD by MuhmadEmad<br />

HaCkeD By MuhmadEmad

Long Live to peshmarga

KurDish HaCk3rS WaS Here

[email protected]
FUCK ISIS !

Read more...