A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data: NIST Publishes NISTIR 8221

Hardware/Server
Virtualization is a foundational technology in a cloud computing environment
and the hypervisor is the key software in that virtualized infrastructure.
However, hypervisors are large pieces of software with several thousand lines
of code and are therefore known to have vulnerabilities. Hence, a capability to
perform forensic analysis to detect, reconstruct and prevent attacks based on
vulnerabilities on an ongoing basis is a critical requirement in cloud
environments.

To gain a better understanding of recent hypervisor vulnerabilities and attack trends, identify forensic information needed to reveal the presence of such attacks, and develop guidance on taking proactive steps to detect and prevent those attacks, NIST has published NIST Internal Report (NISTIR) 8221, “A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data.” NISTIR 8221 outlines a methodology to enable this forensic analysis and illustrates it using two open-source hypervisors, Xen and Kernel-based Virtual Machine (KVM). The source for vulnerability data is NIST’s National Vulnerability Database (NVD).

Publication details:
https://csrc.nist.gov/publications/detail/nistir/8221/final

CSRC Update:
https://csrc.nist.gov/news/2019/nist-publishes-nistir-8221 

Draft NIST Cybersecurity White Paper on Understanding Emerging Blockchain Identity Management Systems

NIST announces the release of a Draft Cybersecurity White Paper, A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems (IDMS), which provides an overview of the standards, building blocks, and system architectures that support emerging blockchain-based identity management systems and selective disclosure mechanisms. The document also considers the full spectrum of top-down versus bottom-up governance models for both identifier and credential management and addresses some of the risks and security concerns that may arise. The terminology, concepts, and properties introduced in this work can facilitate communications amongst business owners, software developers, cybersecurity professionals within an organization, and individuals who are or will be using such systems.

A public comment period for this document is open until August 9, 2019. See the publication details link for a copy of the document and instructions for submitting comments.

Publication details:
https://csrc.nist.gov/publications/detail/white-paper/2019/07/09/a-taxonomic-approach-to-understanding-emerging-blockchain-idms/draft

CSRC update:
https://csrc.nist.gov/news/2019/draft-white-paper-emerging-blockchain-idms

NCSC Releases Advisory on Ongoing DNS Hijacking Campaign

Original release date: July 12, 2019

The United Kingdom’s National Cyber Security Centre (NCSC) has released an advisory about an ongoing Domain Name System (DNS) hijacking campaign. The advisory details risks and mitigations for organizations to defend against this campaign, in which attackers use compromised credentials to modify the records that determine where an organization’s domain names resolve, in order to redirect users, obtain sensitive information, and carry out man-in-the-middle attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review the NCSC Advisory, apply the recommended mitigations, and refer to CISA’s Alert AA19-024A – DNS Infrastructure Hijacking Campaign for more information.


The U.S. Food and Drug Administration released a warning last week recalling certain Medtronic MiniMed insulin pumps over concerns that the devices may be vulnerable to cyber attacks. The warning comes after researchers found that an attacker with adjacent access was able to communicate wirelessly with the device and alter the pump settings, either providing or restricting insulin to a patient. These insulin pumps are meant to communicate wirelessly with other medical devices such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. The models specifically impacted are the Medtronic MiniMed 508 insulin pump and the MiniMed Paradigm series, which are collectively used by approximately 4,000 patients in the U.S., according to Medtronic.

This vulnerability is described by CVE-2019-10964 and has been assigned a score of 7.1 out of 10, designating it as a high severity vulnerability. The core of the vulnerability is improper access control when associating with other devices. The researchers state that the wireless RF communication protocol does not properly implement authentication or authorization, two important factors that mediate network access. In computer security, authentication refers to the mechanism by which a device proves it is a legitimate user, and authorization refers to the resources that device is permitted to access. The researchers found that an attacker with sufficient access can inject, replay, alter, or interpret data from the vulnerable insulin pumps. Medtronic is urging patients affected by this vulnerability to talk to their healthcare provider about exchanging their insulin pump for a newer model with appropriate security measures.

While this exploit has not been seen in the wild and there are no known reports of patient harm resulting from it, there are precautions that users of wirelessly connected medical equipment can take to protect themselves: ensure that no one tampers with the medical device or the devices connected to it, refrain from sharing the device serial number, pay attention to any alarms or alerts the device raises, and immediately cancel any unintended action the device begins. While it is always important for companies to implement proper security in their devices, it matters even more when there is potential for serious harm to the end user, as in the medical field. As more of these important systems become connected, good security implementation becomes ever more important.
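The paragraph above describes a protocol that lacks authentication and authorization and therefore accepts injected, altered and replayed data. The following is an added illustration, not code from the FDA warning, the researchers or Medtronic: a toy command channel with a receiver that behaves the way the text describes beside a hardened receiver that authenticates each frame with a keyed MAC, rejects replays with a per-peer monotonic counter, and only then checks whether the sender is authorized for the requested command. The peer names, pairing key, frame layout and command set are all constructed for the example.

```python
"""Added illustration (constructed): a toy wireless command channel showing
what missing authentication and authorization look like, and how an HMAC tag
plus a per-peer monotonic counter rejects injected, altered and replayed frames."""
import hashlib
import hmac

# Constructed pre-shared pairing key. A real device would establish this in a
# protected pairing step; it is hard-coded here only so the demo is self-contained.
PAIRING_KEY = b"constructed-demo-pairing-key"
TAG_LEN = 32  # HMAC-SHA256 output length

# Constructed authorization table: which paired peer may send which command.
# A glucose meter may report readings but must never change dosing settings.
AUTHORIZED = {
    "meter-01": {"REPORT_GLUCOSE"},
    "clinician-app": {"REPORT_GLUCOSE", "SET_BASAL_RATE"},
}


def build_frame(peer_id, counter, command, value, key=PAIRING_KEY):
    """Serialise the fields and append an HMAC-SHA256 tag computed over all of them."""
    body = f"{peer_id}|{counter}|{command}|{value}".encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class UnauthenticatedPump:
    """Receiver with the weakness described in the text: it applies any
    well-formed frame without checking who sent it or whether it is fresh."""

    def __init__(self):
        self.basal_rate = 10

    def receive(self, frame):
        body = frame[:-TAG_LEN]  # the tag is never verified
        _peer, _counter, command, value = body.decode().split("|")
        if command == "SET_BASAL_RATE":
            self.basal_rate = int(value)
        return f"OK: {command} {value}"


class AuthenticatedPump:
    """Hardened receiver: authenticate the frame, check freshness, then authorize."""

    def __init__(self, key=PAIRING_KEY):
        self.key = key
        self.basal_rate = 10
        self.readings = []
        self.last_counter = {}  # highest counter accepted per peer (replay protection)

    def receive(self, frame):
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "REJECT: bad tag (injected or altered frame)"
        peer_id, counter, command, value = body.decode().split("|")
        counter = int(counter)
        if counter <= self.last_counter.get(peer_id, -1):
            return "REJECT: replayed frame"
        if command not in AUTHORIZED.get(peer_id, set()):
            return f"REJECT: {peer_id} is not authorized for {command}"
        self.last_counter[peer_id] = counter  # advance only after full acceptance
        if command == "SET_BASAL_RATE":
            self.basal_rate = int(value)
        elif command == "REPORT_GLUCOSE":
            self.readings.append(int(value))
        return f"OK: {command} {value}"


def demo():
    """Send the same constructed frames to both receivers and return the outcomes."""
    weak, hardened = UnauthenticatedPump(), AuthenticatedPump()
    legit = build_frame("clinician-app", 1, "SET_BASAL_RATE", 12)
    forged = build_frame("clinician-app", 2, "SET_BASAL_RATE", 0, key=b"attacker-guess")
    tampered = legit.replace(b"|12", b"|99", 1)  # alter the value, keep the old tag
    overreach = build_frame("meter-01", 1, "SET_BASAL_RATE", 0)  # paired but unauthorized
    return {
        "weak_accepts_forged": weak.receive(forged),
        "weak_basal_rate": weak.basal_rate,
        "hardened_legit": hardened.receive(legit),
        "hardened_replay": hardened.receive(legit),
        "hardened_forged": hardened.receive(forged),
        "hardened_tampered": hardened.receive(tampered),
        "hardened_overreach": hardened.receive(overreach),
        "hardened_basal_rate": hardened.basal_rate,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The order of checks matters: the tag is verified before anything in the frame is parsed or trusted, the counter is only advanced once a frame has passed every check, and authorization is evaluated per peer and per command rather than granting full control to anything that can pair.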

Sources
https://threatpost.com/fda-warns-ofpotentially-fatal-flaws-in-medtronicinsulin-pumps/146109/

https://www.fda.gov/news-events/Press-announcements/fda-warnspatients-and-health-care-rovidersabout-potential-cybersecurityconcerns-certain

https://www.us-cert.gov/ics/advisories/icsma-19-178-01

Smart Lock Vulnerabilities

Smart locks have been increasing in popularity for the last few years. They provide a number of conveniences that make them an enticing option for people looking to replace their current locks. Things like automatically unlocking as you approach with your hands full, or allowing a friend to unlock the door only while you’re on vacation, sound great at first. But the risks of poorly secured and designed smart locks may outweigh those conveniences.

Pen Test Partners, along with 2 additional researchers, @evstykas and @cybergibbons, recently took a look at the U-tec Ultraloq and found a number of critical vulnerabilities that would allow an unauthorized person to bypass the lock. The first vulnerability they found was that the lock’s application API leaks data about the users of the locks, including the physical location of each lock. The second vulnerability found in the API is much more interesting though. By simply changing the user ID value during the login process you can impersonate any other user and have full control of their locks. Pairing these 2 vulnerabilities together means you would first be able to find installations of these locks and then unlock them when you get there.

The researchers also spent some time looking at the Bluetooth-based proximity unlocking feature. Due to a poor encryption implementation in the app and lock, they were able to develop a brute force attack capable of unlocking the lock. This attack would allow someone to open an Ultraloq without first needing to know who owns the lock, as the first attack does. These 2 attacks alone allow complete bypass of the smart lock, but what if the attacker isn’t very technical? No problem, the lock is also easily picked. By inserting a thin pick into the body of the lock an attacker is able to shim the mechanism and open the lock with ease. The fallback physical lock mechanism was also easily picked by the researchers using only basic lockpicking techniques.

The Ultraloq isn’t the only smart lock to have showstopping vulnerabilities and probably won’t be the last. Smart home products, especially security-related ones, have been a popular target for researchers since they first hit the market. If you’re considering a smart lock, it is important to research the specific model being considered and stick to trusted manufacturers. Even so, there is no guarantee that the lock won’t have a vulnerability found at some point, so it is also important to apply firmware updates when they become available from the manufacturer. Ultraloq released a fix for their API last week but have not provided an update for the Bluetooth vulnerability yet.
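The user-ID substitution flaw described above is a textbook authorization failure: the API authenticates the caller and then trusts a client-supplied identifier instead of the identity the session already established. The following is an added illustration, not code from Ultraloq or Pen Test Partners: a minimal lock-control API in plain Python (no web framework, so it runs stand-alone) with the flawed handler beside the fixed one, which derives identity only from the server-side session, re-checks ownership on every state-changing call, and omits the location data that the leaky endpoint exposed. The accounts, locks, addresses and request shape are constructed.

```python
"""Added illustration (constructed): a lock-control API showing the user-ID
substitution flaw and the fix that binds every request to the session user."""
import hmac
import secrets

# Constructed accounts. Real services store salted password hashes, never plaintext.
USERS = {"alice": "pw-alice", "bob": "pw-bob"}
# Constructed lock registry; 'address' stands in for the location data the leaky API exposed.
LOCKS = {
    "lock-100": {"owner": "alice", "address": "1 Example St", "locked": True},
    "lock-200": {"owner": "bob", "address": "2 Sample Ave", "locked": True},
}
SESSIONS = {}  # server-side map: session token -> username


def login(username, password):
    """Return a session token bound to the authenticated user, or None on failure."""
    if not hmac.compare_digest(USERS.get(username, ""), password):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def list_locks_vulnerable(token, body):
    """Flawed handler: checks that the token is valid, then trusts the user_id
    the client placed in the request body, so any logged-in user can query any other."""
    if token not in SESSIONS:
        return {"error": "unauthenticated"}
    user = body["user_id"]  # attacker-controlled
    return {"locks": [dict(id=i, **lock) for i, lock in LOCKS.items() if lock["owner"] == user]}


def list_locks_fixed(token, body):
    """Fixed handler: identity comes only from the server-side session; any
    user_id in the body is ignored, and the response carries no address."""
    user = SESSIONS.get(token)
    if user is None:
        return {"error": "unauthenticated"}
    return {"locks": [{"id": i, "locked": lock["locked"]}
                      for i, lock in LOCKS.items() if lock["owner"] == user]}


def unlock_fixed(token, lock_id):
    """Every state-changing call re-checks ownership against the session user."""
    user = SESSIONS.get(token)
    if user is None:
        return {"error": "unauthenticated"}
    lock = LOCKS.get(lock_id)
    if lock is None or lock["owner"] != user:
        return {"error": "forbidden"}  # same answer for missing and foreign locks
    lock["locked"] = False
    return {"id": lock_id, "locked": False}


def demo():
    """Bob logs in and claims to be Alice; compare what each handler returns."""
    bob = login("bob", "pw-bob")
    spoof = {"user_id": "alice"}
    return {
        "vulnerable": list_locks_vulnerable(bob, spoof),
        "fixed": list_locks_fixed(bob, spoof),
        "unlock_foreign": unlock_fixed(bob, "lock-100"),
        "unlock_own": unlock_fixed(bob, "lock-200"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix is not a check on the `user_id` field but its removal from the trust decision altogether: once a session exists, the server already knows who is calling, and any identifier the client supplies can only be used to select among resources that user already owns.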

Sources:

https://threatpost.com/smart-lock-turns-out-to-be-not-so-smart-orsecure/146091/

https://www.pentestpartners.com/security-blog/the-not-so-ultra-lock/

Sometimes free is the juicy apple with a parasite waiting to land.

When something is free, chances are pretty high that “the user” is the product. Services that are free usually generate value for the creator or provider by sharing exposure with advertisers, or perhaps by using the data collected from the “free” product for other means such as market studies or product testing before a final product. But sometimes free is the juicy apple with a parasite waiting to land its hook inside the consumer’s gut.

Researchers from ESET and Malwarebytes Labs have found cryptominers within pirated copies of high-end music production software offered for free download and use. Named LoudMiner by ESET and, independently, Bird Miner by Malwarebytes Labs, the cryptominer hides by bundling itself inside already large files. The pirated versions of the Virtual Studio Technology (VST) programs seem to function normally, except that they are slower because of the increased processor load. This obfuscation not only hides the additional malicious installation software, but also focuses the targeting on users with high processing power: users who need to process visual and audio media. The miner runs inside a lightweight virtual machine (VM) in the background. This keeps it hidden from the user, and also lets the same payload serve Mac, Windows, and Linux users, lowering the skill threshold for the developer.

Once installed, the cryptominer hides itself by watching for Activity Monitor, pausing its work when it might be observed, and can otherwise consume up to 90% of the CPU. While the user might notice slowdowns, troubleshooting them will take more than simply looking at what is running. It can even detect which CPU is present and how many cores are available, running up to two VMs simultaneously to siphon off processing power more efficiently. The Mac version runs QEMU and the Windows version runs VirtualBox; although installing the emulators requires a trust verification, they name themselves “Oracle Corporation Network Service” to disguise their purpose and mark the folders they are installed to as hidden. The VM runs Tiny Core Linux 9.0 and mines Monero using XMRig, submitting work to a mining pool. Profits are shared with other Monero users in the mining pool, but they cannot be traced back to the attacker.

It is always inadvisable to use pirated software, but if one ends up using software from less than reputable sources, be wary of unexpected CPU consumption, trust requests, services, or launch daemons. While it can be nice to provide some value to a service that is otherwise free, it’s definitely better when you’re an aware and willing participant.
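The indicators listed in the two paragraphs above (a hypervisor running headless at high CPU, installation folders marked hidden, and a vendor-sounding service name living outside that vendor’s install location) can be turned into a simple triage over a process or launch-daemon inventory. The following is an added example, not tooling from ESET or Malwarebytes: it applies those three checks to a constructed inventory and reports only entries that match. The sample paths, names, the expected-location table and the CPU threshold are all constructed assumptions.

```python
"""Added illustration (constructed): triage a process/launch-daemon inventory
for the cryptominer indicators described in the text."""
import os

# Constructed indicator lists. Real tooling would maintain these centrally.
HYPERVISOR_BINARIES = ("qemu-system", "vboxheadless", "virtualboxvm")
# A display name that mimics a vendor, mapped to where that vendor's software normally lives.
VENDOR_LOOKALIKES = {
    "oracle corporation network service": (
        "/applications/virtualbox.app/",
        "/library/application support/virtualbox/",
    ),
}
CPU_THRESHOLD = 80.0  # sustained percent; the text reports up to 90%


def is_hidden_path(path):
    """True if any directory component is dot-prefixed (hidden from Finder and plain `ls`)."""
    return any(part.startswith(".") for part in path.split("/") if part)


def triage(inventory):
    """Return {path: [reasons]} for inventory entries matching one or more indicators.

    Each entry is a dict with 'name', 'path', 'cpu' (percent) and 'has_window'."""
    findings = {}
    for entry in inventory:
        path, reasons = entry["path"], []
        binary = os.path.basename(path).lower()
        if any(h in binary for h in HYPERVISOR_BINARIES):
            if is_hidden_path(path):
                reasons.append("hypervisor binary inside a hidden directory")
            if not entry.get("has_window", True) and entry.get("cpu", 0.0) >= CPU_THRESHOLD:
                reasons.append(f"headless VM at {entry['cpu']:.0f}% CPU")
        expected_prefixes = VENDOR_LOOKALIKES.get(entry.get("name", "").lower())
        if expected_prefixes and not path.lower().startswith(expected_prefixes):
            reasons.append("vendor-style name running from an unexpected location")
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample inventory: a legitimate desktop VM under load, a miner-like
# headless VM in a hidden folder, and a lookalike daemon outside the vendor path.
SAMPLE_INVENTORY = [
    {"name": "VirtualBoxVM",
     "path": "/Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM",
     "cpu": 92.0, "has_window": True},
    {"name": "qemu-system-x86_64",
     "path": "/Users/demo/Library/Application Support/.vst-cache/qemu-system-x86_64",
     "cpu": 88.0, "has_window": False},
    {"name": "Oracle Corporation Network Service",
     "path": "/Library/LaunchDaemons/.svc/Oracle Corporation Network Service",
     "cpu": 0.4, "has_window": False},
]


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_INVENTORY).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Because the miner pauses when Activity Monitor is open, the inventory fed to `triage` should come from a scheduled, non-interactive collector rather than from a viewer the user opens by hand; the legitimate VM in the sample is under heavy load too, and is left alone only because it has a window and runs from the expected location, which is why the checks are combined rather than applied as a bare CPU threshold.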


Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks:

NIST announces the publication of NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, which provides guidance for federal agencies and other organizations to better understand and manage the risks associated with individual IoT devices throughout the lifecycles of those devices. It also considers three high-level goals for risk mitigation: device security, data security, and individual privacy. This introductory report provides the foundation for a planned series of publications on more specific aspects of this topic.

 

Publication details:

CSRC Update:

NIST Announces the Initial Public Drafts of SP 800-171 Rev. 2 and SP 800-171B

Summary

NIST is seeking comments on Draft NIST Special Publication (SP) 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and Draft NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets.

The public comment period for both publications ends on July 19, 2019. Comments can also be submitted on a Department of Defense (DoD) cost estimate for implementing the enhanced security requirements of SP 800-171B. See the publication details links below for document files and instructions on submitting comments.

Details

Draft NIST SP 800-171 Rev. 2 provides minor editorial changes in Chapters One and Two, and in the Glossary, Acronyms, and References appendices. There are no changes to the basic and derived security requirements in Chapter Three. For ease of use, the Discussion sections, previously located in Appendix F (SP 800-171 Rev. 1), have been relocated to Chapter Three to coincide with the basic and derived security requirements.

Publication details for SP 800-171 Rev. 2:

https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/draft


Draft NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets, was developed in the spring of 2019 as a supplement to NIST SP 800-171. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.

The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT. The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide protection for such components, when the designated CUI is contained in a critical program or HVA. The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

All public comments received on Draft NIST SP 800-171B will be posted at both https://csrc.nist.gov/projects/protecting-cui/public-comments and https://www.regulations.gov/docket?D=NIST-2019-0002 (Regulations.gov docket no. NIST-2019-0002) without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or business information).

The DoD has completed a cost analysis to provide stakeholders insight into the estimated cost of implementing the enhanced security requirements in Draft NIST SP 800-171B. The cost analysis is available for review and comment at the publication details link below. Please submit any comments regarding the DoD cost analysis by July 19, 2019 to www.regulations.gov/docket?D=DOD-2019-OS-0072 (Regulations.gov docket no. DOD-2019-OS-0072).

Publication details for Draft SP 800-171B (including the document, DoD Cost Estimate, and recommended comment template):
https://csrc.nist.gov/publications/detail/sp/800-171b/draft

NOTE: A call for patent claims is included in both draft publications. For additional information, see the “Information Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL Publications”:
https://www.nist.gov/itl/information-technology-laboratory-itl-patent-policy-inclusion-patents-itl-publications.

Please send any questions to [email protected].