There is little question that the perpetrators of cyberthreats spend little time thinking inside the box — that’s how they stay ahead of their victims. It’s time for some out-of-the-box thinking of our own to get serious about fighting back. It’s time for the democratization of cybersecurity data.

Here is the challenge to users, organizations and security vendors alike: First, we should aggressively democratize the threat data we all have and share it securely yet freely with each other. Second, we should pivot a full 180 degrees from the accepted practice of automatically classifying, by default, all cyberthreat data. Instead, we should declassify threat data by default. Hence, the democratization of cybersecurity data.

Thinking Outside the Box

Cybercrime information sharing is nothing new. Unfortunately, the wrong people have been doing the sharing, and they have elevated the practice to a commercial art form. Cooperating and collaborating on the Dark Web, the most sophisticated cybercriminals build and peddle attack software to each other. They even have seller ratings and rankings for their malware, with the most effective earning five stars. They offer gold, silver and bronze levels of service — even money-back guarantees if the malicious efforts fail.

With thieves as organized and sophisticated as they are, it is small wonder that estimates of their annual take in illegal profits total $455 billion. These aren’t amateurs. The United Nations estimated that highly organized, well-funded criminal gangs account for 80 percent of breaches today.

For these and so many other good reasons, the time is now for businesses, governments and other organizations to elevate cyberthreat information sharing to entirely new levels. The public sector has initiated steps in this direction. Last year the U.S. passed the Cyber Information Security Act (CISA). Its goal is to help organizations share cyberthreat information and actual attack data anonymously and without fear of liability.

Democratization of Cybersecurity Data Dents Cybercrime

There are massive collections of cybercrime data largely kept under lock and key in individual organizations. Security vendors, including IBM, typically have the largest repositories.

Why has it been kept secret? Both security vendors and businesses tend to hold onto this data for its perceived competitive value. It is valuable to some extent, but the potential gains of sharing that much threat data and information can be an even more formidable competitive weapon. After all, it isn’t possessing the data that yields an advantage; it’s what each organization or vendor does with it.

This kind of sharing is not new in our business. The whole open source movement that gave us Linux, OpenStack, Hadoop, Spark and so much more resulted from aggressive information sharing. It can be the same with cyberthreat data. Large-scale sharing of threat data will signal a new high water mark in fighting cybercrime.

We are walking the walk at IBM, recognizing that we were as much a part of the problem as any other business or organization. That is why IBM published all of its actionable, third-party global threat data — all 700 terabytes of it. This includes real-time indicators of live attacks.

We believe the free consumption and sharing of real-time threat data from our repository can put a sizable dent in cybercrime efforts. Think of what else we can accomplish with the democratization of cybersecurity data.

Information Sharing at the Speed of Business

As mentioned earlier, sharing is only one part of the out-of-the-box thinking we need to adopt. We have to share this information as soon as possible, not weeks or months after a major breach.

The default action today is to immediately classify such information, rendering it unshareable until it is eventually declassified. Instead, put a timeline on classification of new threat data — maybe 48 or 72 hours, no more. If no valid, justifiable case is made for continued classification within that period, release it to be shared among other organizations. The aforementioned CISA spells out methods for doing this securely so the information doesn’t fall into the wrong hands.

We must abandon the Cold War mentality that leads us to classify all information and share nothing. We are all engaged in a very hot war with cybercriminals. Speed matters when it comes to using relevant data to stop active attacks and thwart future threats. Information sharing at the speed of business can be a formidable weapon — we just need to unleash it.


Security Intelligence

Fuzzing as a service, from Microsoft

Ignite Microsoft's conviction that "fuzzing in the cloud will revolutionize security testing," voiced in a research paper six years ago, has taken form with the debut of Project Springfield: an Azure-based service for identifying software flaws by automatically subjecting the code to bad input.

Introduced at the Ignite conference in Atlanta, Georgia, on Monday, Project Springfield offers developers the ability to conduct continuous testing of binary files on virtual machines running atop Microsoft Azure, in order to identify and eliminate bugs.

Allison Linn, self-described writer and storyteller for Microsoft, says that Microsoft's research team thinks about Project Springfield as a "million-dollar bug detector" (not to be confused with the Million Dollar Homepage) because some software bugs cost that much to fix if left too long. Your costs may vary.

A 2002 study released by the US National Institute of Standards and Technology estimated that software bugs cost the US economy between $22.2 billion and $59.5 billion annually (more like $79 billion today). Catching bugs before software gets released presumably can bring repair costs down, if that's your goal.

Microsoft insists a third of the "million dollar" security bugs in Windows 7 were found using its "whitebox fuzzing" technology, referred to internally as SAGE (scalable, automated, guided execution). SAGE is one of the components of Project Springfield.

Like other announcements echoing around Silicon Valley these days, artificial intelligence comes into play. Microsoft says its system employs AI to ask questions and make better decisions about conditions that might cause code to crash.

Microsoft's whitebox fuzzing algorithm symbolically executes code from a starting input and develops subsequent input data based on constraints from the conditional statements it encounters along the way. The technology is distinct from blackbox fuzzing, which involves the sending of malformed input data without ensuring all the target paths have been explored. Blackbox fuzzing thus has the potential to miss a critical test condition by chance.
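To make the whitebox-versus-blackbox distinction concrete, here is an added Python toy written for this page; it is not Microsoft's SAGE or Project Springfield code. The target program, its four-byte "magic" input and the trivial equality solver are constructed assumptions: a real whitebox fuzzer instruments a binary and hands its path constraints to an SMT solver, while the loop structure (run, collect constraints, negate the diverging branch, solve, rerun) is the idea the paragraph describes.

```python
"""Toy contrast of blackbox and whitebox (SAGE-style) fuzzing.

Constructed example for illustration only; it is not Microsoft's SAGE or
Project Springfield code. The target, its "magic" input and the trivial
equality solver are all assumptions made to keep the demo self-contained.
"""
import random

MAGIC = b"bad!"  # constructed: the only input prefix that reaches the bug


class Crash(Exception):
    """Raised when the target reaches its buggy path."""


def target(data, trace=None):
    """Constructed target: crashes only if the input starts with MAGIC.

    Each byte comparison is a conditional branch. When a trace list is
    supplied, the function records (input_index, compared_value, taken)
    for every branch it evaluates; this stands in for the instrumented,
    symbolic execution that a whitebox fuzzer performs on a real binary.
    """
    for i, want in enumerate(MAGIC):
        have = data[i] if i < len(data) else 0
        taken = have == want
        if trace is not None:
            trace.append((i, want, taken))
        if not taken:
            return "ok"          # early exit on the first mismatch
    raise Crash("reached the buggy path")


def blackbox_fuzz(max_iters, seed=0):
    """Blackbox fuzzing: random bytes, no knowledge of the target's branches.

    Returns the iteration that crashed the target, or None. With four
    independent byte checks the odds per attempt are 1 in 2**32, so a
    bounded run almost never finds the bug.
    """
    rng = random.Random(seed)
    for n in range(1, max_iters + 1):
        candidate = bytes(rng.randrange(256) for _ in range(len(MAGIC)))
        try:
            target(candidate)
        except Crash:
            return n
    return None


def whitebox_fuzz(seed_input=b"\x00" * 4, max_iters=100):
    """Whitebox fuzzing, simplified: run a concrete input, collect the path
    constraints it passed through, negate the first branch that was not
    taken, solve for an input satisfying the negated constraint, and loop.

    Here every constraint is a byte equality, so "solving" it is a direct
    assignment; SAGE hands real path constraints to an SMT solver.
    Returns (iterations_used, crashing_input) or (None, last_input).
    """
    data = bytearray(seed_input)
    for n in range(1, max_iters + 1):
        trace = []
        try:
            target(bytes(data), trace)
        except Crash:
            return n, bytes(data)
        for idx, want, taken in trace:
            if not taken:
                data[idx] = want   # flip the diverging branch: data[idx] == want
                break
    return None, bytes(data)


if __name__ == "__main__":
    print("blackbox crash at iteration:", blackbox_fuzz(10_000))
    print("whitebox crash at iteration, input:", whitebox_fuzz())
```

The whitebox loop reaches the crash in five runs (one per branch plus the crashing run), whereas ten thousand random blackbox inputs almost certainly miss it, which is the "miss a critical test condition by chance" problem the paragraph mentions.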

Fuzzing lends itself to cloud computing because fuzzing software can run different tests in parallel using large amounts of available infrastructure. But Microsoft researchers Patrice Godefroid and David Molnar, in their 2010 research paper, argue that such computational elasticity matters less than the benefits of shared cloud infrastructure.

"Hosting security testing in the cloud simplifies the process of gathering information from each enrolled application, rolling out updates, and driving improvements in future development," they wrote.

It also, it is claimed, simplifies billing. ®


The Register - Security

A high-profile project has been launched with the aim of strengthening UK enterprises' cyber-barricades.

The Cyber Highway was launched in London on Tuesday by Lord David Blunkett. The resource offers a “user-friendly online portal for large enterprises that want to strengthen the cyber defence of their supply chain.”

Corporations will, essentially, be able to monitor in real-time the progress their suppliers are making en route to Cyber Essentials certification.

Cyber Essentials is a UK government scheme that launched in June 2014 and is designed to help organisations protect themselves against hacking and malware infections. It’s largely about baseline security controls.

So basically, Cyber Highway ensures that your suppliers are following the Cyber Essentials requirements of good security – which is crucial as more and more Whitehall departments insist on suppliers being Cyber Essentials certified.

Lord Blunkett – a former Home Secretary and chairman of Cyber Essentials Direct, the outfit behind The Cyber Highway – said: “The UK Government has made significant progress. Government departments now require suppliers bidding for particular contracts to be Cyber Essentials certified, and next month sees the launch of the National Cyber Security Centre. These are all steps in the right direction but we can and must go further, especially to assist many more companies to become certified.”

Small organisations account for 92 per cent of cyber attacks, often because of limited resources. The issue of vulnerabilities in third-party suppliers leading to compromises of the companies they serve has been around for years, and gained much greater prominence after a mega-breach at US retailer Target was traced back to its refrigeration, heating and air conditioning subcontractor.

Cyber Essentials Direct chief exec John Lyons said: “We have spent the last eighteen months designing a practical and helpful approach to help de-risk and secure otherwise vulnerable supply chains from cyber attack.”

All about the baseline

Javvad Malik, security advocate at security tools firm AlienVault, said that Cyber Essentials was helpful in improving baseline security standards.

“There definitely have been benefits from cyber essentials,” Malik explained. “Many small businesses that were not even aware of security needs or requirements have, by way of Cyber Security Essentials, been able to establish a baseline. The better-equipped and aware of security needs companies are, the better the chance they can spot, prevent, and respond to a cyber attack. However, we may not see a visible reduction in the amount of data breaches immediately. The process needs time to distil through organisations. During this time, it is likely that attackers will change their tactics – but overall the security bar will be raised.

“The most important thing enterprises should be doing is [to] know what their assets are, where they are located, and be aware of when [they are] attacked, compromised, or stolen,” Malik added.

Gubi Singh, COO at pen testing and managed threat detection firm Redscan, noted that many businesses, particularly small- and medium-sized ones, are “still complacent” about the risks posed by cyber threats.

“Obtaining accreditation like Cyber Essentials demonstrates to customers, partners and investors that a company takes protection of data seriously, and many businesses are now waking up to the competitive advantages of having effective security controls in place,” Singh said.

“Compliance is not a tick box exercise, however. With the threat landscape evolving on a daily basis, defences and processes need to be continually reviewed to keep pace with the latest attacks,” he added.

Firms that gain Cyber Essentials certification through The Cyber Highway will have access to AIG’s CyberEdge range of cyber liability insurance cover at reduced rates.

Cyber Highway said it was in talks with 300 companies representing supply chain businesses in the retail and technology sectors about getting onto its platform. The organisations have also signed up an unnamed High Street bank as a customer. Government suppliers are another potential source of customers.

Malcolm Carrie, industry programme director of the Defence Cyber Protection Partnership, said, “Cyber Essentials is the ground level for the Defence supply chain – the Defence Cyber Protection Partnership has layered further controls on top of it to address higher-risk scenarios. Smoothing the path to obtaining Cyber Essentials certification is welcome.”

Overseas governments are also in talks with Cyber Essentials Direct about implementing the Cyber Essentials programme in their own countries. For example, CyberNB (Cyber New Brunswick), Canada’s first provincial body to develop a comprehensive cyber security strategy, is weighing up the benefits of The Cyber Highway. ®


Black Hat Dan Kaminsky, the savior of DNS and chief scientist for White Ops, has used the opening keynote of Black Hat 2016 to outline three technologies he has been working on that could make working online a lot safer – if they are adopted.

First, and most importantly, Kaminsky has been developing a micro-sandboxing system that spins up small virtual machines (VMs) to carry out sensitive tasks, limiting their ability to infect other parts of the system.

Dubbed Autoclave, it limits the ability of the code running in the VM to communicate, and monitors what's going on inside to make sure there are no unexplained requests. The name comes from the heated chambers used to sterilize surgical equipment.

Container technology is perfect for this, Kaminsky told The Register before the show, since it has great application compatibility. He cited Docker as a great example of what could be used, but other container systems could also spin up VMs in milliseconds to cut down the processor lag that might turn off some users.

The downside is that, at the moment, none of the major cloud vendors are going to support this kind of rapid spinning up and down of VMs. Amazon and Google won't support the Autoclave as it stands at the moment, and Azure can only do so in limited circumstances – but Kaminsky said that if enough people demand it, they could.

Kaminsky is expecting this to be a long fight, similar to the one about medical germ theory, which he references in the name of the system. Hopefully he won't end up like Ignaz Semmelweis, who provided the first empirical proof of germ theory but was shunned by the medical community and ended up a crazed alcoholic.

The second piece of technology is IronFrame, the theory for which Kaminsky outlined at last year's DEFCON. IronFrame can be built into a "magic browser," he said, which would allow web designers to build webpages that allow functions in a known safe state.

If a new software build isn't finalized then it can be embedded in the browser and run as a separate file, while suppressing extraneous functions. It would also allow direct contact with third-party web functions without having to leave a target page. As Kaminsky is an advisor to the World Wide Web Consortium, it's possible that IronFrame could be put into future browser specifications, but that's a ways down the line. In the meantime, Kaminsky said, it would allow web designers to have better control of what's on their web pages and would let users try out new features without imperiling their systems.

Kaminsky's third idea is, he acknowledged, a bit out there – which is why he didn't talk about it at Black Hat. The technology, dubbed Astatica, aims to apply machine learning techniques to software training for fleshy humans.

"It wasn't until I tried to learn machine learning that I understood how so many people have problems with security," he said. "We are terrible at teaching people how to make things secure. We're not paying enough attention to what they need."

Astatica uses CSV files to process information and suggest new ways of learning about security issues. The system is still in its early stages, but Kaminsky says it could be a major breakthrough in teaching people about security.

None of these technologies is going to fix the internet instantly; it's a long-term process, he said. Ideally this is something government should be devoted to fixing long term (as in five to ten years of research). Business won't do it, he said, because it only thinks about the next quarter's results.

But action is desperately needed, he opined, because for the first time people are actually losing confidence in the internet. He cited the pathetic security of Internet of Things devices, which has left people assuming technology is unsafe, and this could provide a stimulus for change.

"We have the opportunity, we've got the interest, we've got the – I hate to say it – fear," Kaminsky said. "Not all fear is FUD – things are actually getting compromised – so let's figure out why this is hard, and let's go fix it." ®


Another month means another double bundle of security vulnerability patches for Android.

Google is sticking to the twin-release pattern it used last month: the first batch addresses flaws in Android's system-level software that everyone should install, and the second squashes bugs in hardware drivers and kernel-level code that not everyone needs.

The first patch set closes holes in Android 4.4.4 to the current build. Owners of Nexus gear will get these patches over-the-air very soon; everyone else will have to wait for their gadget makers and cellphone networks to issue them.

These holes include programming blunders in Mediaserver that can be exploited by a specially crafted MMS or an in-browser media file to potentially execute malicious code on a device. Getting a bad text or visiting an evil webpage could be enough to slip spyware onto your device, provided it is able to defeat ASLR and other defense mechanisms.

Mediaserver has other bugs, including four elevation-of-privileges holes allowing installed apps to gain more control of a device than they should, and code cockups that can crash a handheld.

The remaining patches address information leakages in the Wi-Fi, camera, SurfaceFlinger and Mediaserver code, and OpenSSL, all of which can be abused by installed apps to "access sensitive data without permission." The full list is here:

| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in Mediaserver | CVE-2016-3819, CVE-2016-3820, CVE-2016-3821 | Critical | Yes |
| Remote code execution vulnerability in libjhead | CVE-2016-3822 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3823, CVE-2016-3824, CVE-2016-3825, CVE-2016-3826 | High | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2016-3827, CVE-2016-3828, CVE-2016-3829, CVE-2016-3830 | High | Yes |
| Denial of service vulnerability in system clock | CVE-2016-3831 | High | Yes |
| Elevation of privilege vulnerability in framework APIs | CVE-2016-3832 | Moderate | Yes |
| Elevation of privilege vulnerability in Shell | CVE-2016-3833 | Moderate | Yes |
| Information disclosure vulnerability in OpenSSL | CVE-2016-2842 | Moderate | Yes |
| Information disclosure vulnerability in camera APIs | CVE-2016-3834 | Moderate | Yes |
| Information disclosure vulnerability in Mediaserver | CVE-2016-3835 | Moderate | Yes |
| Information disclosure vulnerability in SurfaceFlinger | CVE-2016-3836 | Moderate | Yes |
| Information disclosure vulnerability in Wi-Fi | CVE-2016-3837 | Moderate | Yes |
| Denial of service vulnerability in system UI | CVE-2016-3838 | Moderate | Yes |
| Denial of service vulnerability in Bluetooth | CVE-2016-3839 | Moderate | Yes |

The second patch bundle contains fixes for driver-level code, and whether or not you need each of them depends on your hardware: if you have a chipset that introduces one of these vulnerabilities, you'll need to install a fix.

Nexus owners will get these automatically as necessary; other phone and tablet manufacturers may roll them out as and when they feel ready. That could be never in some cases.

The bundle predominantly fixes problems with Qualcomm's driver software – Qualy being a dominant phone system-on-chip designer whose Snapdragon SoCs are used all over the place. These Qualcomm bugs are definitely ones to watch, as these kinds of low-level flaws were used to blow apart Android's full-disk encryption system last month.

The patches include fixes for Qualcomm's bootloader, and Qualcomm drivers for cameras, networking, sound, and video hardware. A malicious app on a Qualcomm-powered phone or tablet could exploit these to gain kernel-level access – completely hijacking the device, in other words. An app could use these holes to root a Nexus 5, 5X, 6, 6P and 7 so badly it would need a complete factory reset to undo the damage.

The batch also fixes other bugs that malicious applications on Qualcomm-powered devices could exploit to access "sensitive data without explicit user permission." The full list is below:

| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in Qualcomm Wi‑Fi driver | CVE-2014-9902 | Critical | Yes |
| Remote code execution vulnerability in Conscrypt | CVE-2016-3840 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm components | CVE-2014-9863, CVE-2014-9864, CVE-2014-9865, CVE-2014-9866, CVE-2014-9867, CVE-2014-9868, CVE-2014-9869, CVE-2014-9870, CVE-2014-9871, CVE-2014-9872, CVE-2014-9873, CVE-2014-9874, CVE-2014-9875, CVE-2014-9876, CVE-2014-9877, CVE-2014-9878, CVE-2014-9879, CVE-2014-9880, CVE-2014-9881, CVE-2014-9882, CVE-2014-9883, CVE-2014-9884, CVE-2014-9885, CVE-2014-9886, CVE-2014-9887, CVE-2014-9888, CVE-2014-9889, CVE-2014-9890, CVE-2014-9891, CVE-2015-8937, CVE-2015-8938, CVE-2015-8939, CVE-2015-8940, CVE-2015-8941, CVE-2015-8942, CVE-2015-8943 | Critical | Yes |
| Elevation of privilege vulnerability in kernel networking component | CVE-2015-2686, CVE-2016-3841 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm GPU driver | CVE-2016-2504, CVE-2016-3842 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm performance component | CVE-2016-3843 | Critical | Yes |
| Elevation of privilege vulnerability in kernel | CVE-2016-3857 | Critical | Yes |
| Elevation of privilege vulnerability in kernel memory system | CVE-2015-1593, CVE-2016-3672 | High | Yes |
| Elevation of privilege vulnerability in kernel sound component | CVE-2016-2544, CVE-2016-2546, CVE-2014-9904 | High | Yes |
| Elevation of privilege vulnerability in kernel file system | CVE-2012-6701 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3844 | High | Yes |
| Elevation of privilege vulnerability in kernel video driver | CVE-2016-3845 | High | Yes |
| Elevation of privilege vulnerability in Serial Peripheral Interface driver | CVE-2016-3846 | High | Yes |
| Elevation of privilege vulnerability in NVIDIA media driver | CVE-2016-3847, CVE-2016-3848 | High | Yes |
| Elevation of privilege vulnerability in ION driver | CVE-2016-3849 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm bootloader | CVE-2016-3850 | High | Yes |
| Elevation of privilege vulnerability in kernel performance subsystem | CVE-2016-3843 | High | Yes |
| Elevation of privilege vulnerability in LG Electronics bootloader | CVE-2016-3851 | High | Yes |
| Information disclosure vulnerability in Qualcomm components | CVE-2014-9892, CVE-2014-9893, CVE-2014-9894, CVE-2014-9895, CVE-2014-9896, CVE-2014-9897, CVE-2014-9898, CVE-2014-9899, CVE-2014-9900, CVE-2015-8944 | High | Yes |
| Information disclosure vulnerability in kernel scheduler | CVE-2014-9903 | High | Yes |
| Information disclosure vulnerability in MediaTek Wi-Fi driver | CVE-2016-3852 | High | Yes |
| Information disclosure vulnerability in USB driver | CVE-2016-4482 | High | Yes |
| Denial of service vulnerability in Qualcomm components | CVE-2014-9901 | High | Yes |
| Elevation of privilege vulnerability in Google Play services | CVE-2016-3853 | Moderate | Yes |
| Elevation of privilege vulnerability in Framework APIs | CVE-2016-2497 | Moderate | Yes |
| Information disclosure vulnerability in kernel networking component | CVE-2016-4578 | Moderate | Yes |
| Information disclosure vulnerability in kernel sound component | CVE-2016-4569, CVE-2016-4578 | Moderate | Yes |
| Vulnerabilities in Qualcomm components | CVE-2016-3854, CVE-2016-3855, CVE-2016-3856 | High | No |

Based on past experience, Nexus users are going to get both sets of patches within the next seven days. Other Android users may have to wait an awful lot longer. ®
