Carphone Warehouse disclosed a sophisticated attack that may have impacted more than 2.4 million customers. Attackers covered the breach with DDoS attacks.
On Saturday Carphone Warehouse (CW) was reportedly swamped by hackers who may have accessed the personal and financial details of around 2.4 million customers, according to the mobile retailer. The data breach affects customers who used the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites. It may not stop there: customers of the iD Mobile, TalkTalk Mobile and Talk Mobile services may have been affected too.

The cybercriminals covered their attack with junk traffic as a smokescreen, while breaking into systems and stealing names, addresses, dates of birth, phone numbers and crucially bank details, sort codes and account numbers. Up to 90,000 customers may also have had their encrypted credit card details accessed.

They used DDoS attacks while carrying out the more significant data breach. This type of pre-attack serves two main purposes: to keep security response staff too busy to follow up the alerts that can provide an early warning of intrusion, and to trick them into relaxing security controls such as firewall rules. While flooding the site with junk data, the attackers left enough bandwidth available for the subsequent attack that infiltrated the network.

Smokescreen attacks, as they are being referred to, are thought to have been used previously in the 2011 assaults on Sony's PlayStation Network and against US banks since at least 2012. The high value of the losses leads security companies and their clients to withhold public information on the security details of these cases until they are solved. As a result, these types of attacks appear to be effective and are becoming more common, especially against Internet-connected businesses that house sensitive data.

Carphone Warehouse is in the process of contacting customers affected by the breach, and the end result might be millions in losses for the company.


Oracle published, then quickly deleted, a blog post criticizing third-party security consultants and the enterprise customers who use them.

Authored by Oracle chief security officer Mary Ann Davidson, the post sharply admonished enterprise customers for reverse engineering, or hiring consultants to reverse engineer, the company's proprietary software, with the aim of finding as of yet unfixed security vulnerabilities.

The missive, entitled "No, You Really Can't," was issued Monday on Davidson's corporate blog, then pulled a few hours later. The Internet Archive captured a copy of the post.

Oracle has not answered a request for comment.

The post responds to an increasing number of static analysis reports being submitted to Oracle by its customers. Static analysis is the process of inspecting the object code, or source code, of a program to find vulnerabilities.

Organizations may hire a third-party security consultant or program, from the likes of Veracode or Coverity, to scan the enterprise software they use for as-yet unearthed bugs that could be exploited to gain entry to a system.

Davidson wrote that such tests are rarely necessary, and often point to flaws that don't exist.

"Most of these tools have a close to 100 [percent] false positive rate so please do not waste our time on reporting little green men in our code," she wrote.

Customers would be better served by keeping their software patched than by foraging for fresh obscure zero-day vulnerabilities, she wrote.

She reminded her customers that such scans, which inspect the object code of the actual program, violate the terms of Oracle's licensing agreements, because they constitute reverse engineering, which is the process of disassembling a technology to understand how it operates.

Davidson also took a jab at bug bounty programs, in which companies such as Microsoft or Google offer cash rewards to researchers who dig up previously undiscovered software flaws. Such a program wouldn't be of much value to Oracle, since the company finds the majority of its bugs through internal testing.

Not surprisingly, many security firms were not happy with the blog post.

"Discouraging customers from reporting vulnerabilities or telling them they are violating license agreements by reverse engineering code, is an attempt to turn back the progress made to improve software security," wrote Chris Wysopal, Veracode chief technology officer and chief information security officer, in an e-mail statement.

An attack using the SMB file sharing protocol that for over a decade has been believed to work only within local area networks can also be executed over the Internet, two researchers showed at the Black Hat security conference.

The attack, called an SMB relay, causes a Windows computer that's part of an Active Directory domain to leak the user's credentials to an attacker when visiting a Web page, reading an email in Outlook or opening a video in Windows Media Player.

Those credentials can then be used by the attacker to authenticate as the user on any Windows servers where the user has an account, including those hosted in the cloud.

In an Active Directory network, Windows computers automatically send their credentials when they want to access different types of services like remote file shares, Microsoft Exchange email servers or SharePoint enterprise collaboration tools. This is done using the NTLM version 2 (NTLMv2) authentication protocol and the credentials that get sent are the computer and user name in plain text and a cryptographic hash derived from the user's password.

In 2001 security researchers devised an attack called SMB relay where attackers can position themselves between a Windows computer and a server to intercept credentials and then relay them back to the server in order to authenticate as the user.

It was believed that this attack worked only inside local networks. In fact, Internet Explorer has a user authentication option that is set by default to "automatic logon only in Intranet zone."

However, security researchers Jonathan Brossard and Hormazd Billimoria found that this option is ignored and the browser can be tricked to silently send the user's Active Directory credentials -- the username and password hash -- to a remote SMB server on the Internet controlled by the attackers.

They tracked the issue down to a Windows system DLL file that is used not just by Internet Explorer, but by many applications that can access URLs, including Microsoft Outlook, Windows Media Player, as well as third-party programs.

When a URL is queried by these applications, the DLL checks for the authentication setting in the registry, but then ignores it, the researchers said in their presentation at the conference in Las Vegas.

This is true for all supported versions of Windows and Internet Explorer, making it the first remote attack for the newly released Windows 10 and Microsoft Edge browser, Brossard said.

"We're aware of this matter and are looking into this further," a Microsoft representative said Thursday via email.

Once attackers have the user's credentials, there are several ways in which they can be used, according to Brossard.

In one scenario, they could use an SMB relay attack to authenticate as the victim on servers hosted outside of the user's local network by using a feature known as NTLM over HTTP, which was introduced to accommodate network expansions into cloud environments. In this way they could obtain a remote shell on the server, which could then be used to install malware or execute other exploits.

If the remote server is an Exchange one, the attackers could download the user's entire mailbox.

Another scenario involves cracking the hash and then using it to access a Remote Desktop Protocol server. This can be done using specialized hardware rigs or services that combine the power of multiple GPUs.

A password that has eight characters or less can be cracked in around two days. Cracking an entire list of stolen hashes would take the same amount of time, because all possible character combinations are tried as part of the process, he said.

Stealing Windows credentials over the Internet could also be useful for attackers who are already inside a local network, but don't have administrator privileges. They could then send an email message to the administrator that would leak his credentials when viewed in Outlook. Attackers could then use the stolen hash to execute SMB relay attacks against servers on the local network.

There are several methods to limit such attacks, but some of them have significant drawbacks.

Enabling an SMB feature called packet signing would prevent relay attacks, but not the credential leaking itself or attacks that rely on cracking the hash, Brossard said. This feature also adds a significant performance impact.

Another feature that could help is called Extended Protection for Windows Authentication, but it is hard to configure, which is why it's not usually enabled on corporate networks, the researcher said.

Microsoft recommends using a firewall to block SMB packets from leaving the local network. This would prevent credential leaks, but is not very practical in the age of employee mobility and cloud computing, according to Brossard. The researcher feels that a host-based filtering solution would be more appropriate.

The firewall integrated into Windows can be used to block SMB packets on ports 137, 138, 139 and 445 from going out on the Internet, but still allow them on the local network so it doesn't break file sharing, he said.
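As an added example (not from the article or the researchers), a PowerShell script that creates the host-based rules Brossard describes: it blocks the four NetBIOS/SMB ports for destinations in the firewall's predefined "Internet" address set, so local-subnet file sharing keeps working. It assumes the NetSecurity cmdlets shipped with Windows 8 / Server 2012 and later and an elevated prompt.

```powershell
# Added example (not from the article): block NetBIOS/SMB traffic leaving the
# host for the Internet while leaving local-subnet file sharing untouched.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later) and an
# elevated PowerShell prompt.

function Add-OutboundSmbBlockRules {
    # Block rules take precedence over allow rules in Windows Firewall, so
    # scoping the block to the predefined "Internet" address set leaves
    # LocalSubnet file sharing working without any extra allow rule.
    New-NetFirewallRule -DisplayName "Block outbound SMB (TCP 139,445) to Internet" `
        -Direction Outbound -Action Block -Protocol TCP -RemotePort 139,445 `
        -RemoteAddress Internet -Profile Any | Out-Null

    New-NetFirewallRule -DisplayName "Block outbound NetBIOS (UDP 137,138) to Internet" `
        -Direction Outbound -Action Block -Protocol UDP -RemotePort 137,138 `
        -RemoteAddress Internet -Profile Any | Out-Null
}

function Get-OutboundSmbBlockRules {
    # Lists the port filters of the rules so an administrator can confirm
    # that both the TCP and the UDP rule are present and set to Block.
    Get-NetFirewallRule -DisplayName "Block outbound*to Internet" |
        Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' } |
        Get-NetFirewallPortFilter |
        Select-Object Protocol, RemotePort
}

Add-OutboundSmbBlockRules
Get-OutboundSmbBlockRules
```

These rules cover only the SMB/NetBIOS ports; the NTLM-over-HTTP path described earlier travels over web ports and is not affected by them.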

Darkhotel -- the elite spying group discovered on luxury hotels' Wi-Fi networks last year -- is back with new targets, new defensive capabilities, and a new zero-day exploit courtesy of the Hacking Team leak.

According to a report released Monday by Kaspersky Lab, Darkhotel is not known to have been a client of the Italian Hacking Team spyware company, but took advantage of the zero-day exploit after it was leaked last month.

That's not the group's only use of zero-day exploits. According to Kaspersky, Darkhotel has been investing "significant money" in several zero-days.

Over the past year, the group has also extended its geographical reach around the world, and is targeting new victims from North and South Korea, Russia, Japan, Bangladesh, Thailand, India, Mozambique and Germany, said Kurt Baumgartner, principal security researcher at Kaspersky Lab.

"Some of the targets are diplomatic or have strategic commercial interests," he said.

This is in addition to the group's existing focus on top executives from the U.S. and Asia in the electronics, finance, pharmaceutical, automotive, chemical, and defense industries.

The group continues to make use of stolen certificates and extremely targeted and long-term phishing techniques. For example, some targets can be hit by attacks several months apart.

Its defensive techniques have also been improved, Baumgartner said.

"Darkhotel now tends to hide its code behind layers of encryption and appears to be using SSH on victim hosts," he said. "It is likely that it has slowly adapted to attacking better-defended environments. And not only are its obfuscation techniques becoming stronger, but its anti-detection technology list is growing."

The latest version of its downloader can now identify and bypass antivirus software from 27 vendors.

Baumgartner declined to comment on Darkhotel's national origins, or name individual companies that have been targeted.

He recommended that companies train employees to be aware of spearphishing techniques.

He also suggested that employees should be familiar with the right-to-left-override method of faking file names. The technique uses Unicode control characters that change the direction in which text is written; these characters are normally used for Arabic and Hebrew text, but attackers can also use them to alter how a file name is displayed, so that, say, an executable appears to have a more innocent-seeming extension like PDF or JPG.

When the user clicks on what they think is a JPG image file, the executable code runs, instead, and one of the things it does is save an actual image file and open it with MSPaint. Then, while the user is distracted by the picture, it installs malware downloader code.
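As an added example, not from the article or Kaspersky, a PowerShell check that flags file names carrying the right-to-left override character (U+202E) and shows both what Explorer displays and the extension Windows will actually execute. The sample file name is constructed for the demonstration; the directory-scan function takes any path you choose.

```powershell
# Added example (not from the article): detect file names that use the
# Unicode right-to-left override (U+202E, "RLO") to disguise an executable
# as a document or image.

$Rlo = [char]0x202E

function Test-RtloFileName {
    param([Parameter(Mandatory)][string]$Name)

    $idx = $Name.IndexOf($Rlo)
    if ($idx -lt 0) {
        # No override present: what is shown is what runs.
        return [pscustomobject]@{
            Name = $Name; Displayed = $Name
            ActualExtension = [IO.Path]::GetExtension($Name); Suspicious = $false
        }
    }

    # Everything after the override is rendered right-to-left, i.e. reversed,
    # so "photo" + RLO + "gpj.exe" is displayed as "photoexe.jpg".
    $before = $Name.Substring(0, $idx)
    $after  = $Name.Substring($idx + 1).ToCharArray()
    [array]::Reverse($after)

    [pscustomobject]@{
        Name            = $Name
        Displayed       = $before + (-join $after)
        ActualExtension = [IO.Path]::GetExtension($Name)   # what Windows executes
        Suspicious      = $true
    }
}

function Find-RtloFileNames {
    # Scan a directory tree (e.g. a mail attachment quarantine folder) and
    # report every file whose name contains the override character.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $_.Name.Contains($Rlo) } |
        ForEach-Object { Test-RtloFileName $_.Name }
}

# Constructed sample: the victim sees "holiday_photoexe.jpg", but the real
# extension is .exe.
$sample = "holiday_photo" + $Rlo + "gpj.exe"
Test-RtloFileName $sample | Format-List
```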

"Organizations should pay careful attention to unusual netflow and of course deploying anti-malware capabilities that can identify and prevent zero-day exploit activity is very helpful," he added.

Patrick Heim is the (relatively) new head of Trust & Security at Dropbox. Formerly Chief Trust Officer at Salesforce, he has served as CISO at Kaiser Permanente and McKesson Corporation. Heim has worked more than 20 years in the information security field. Heim discusses security and privacy in the arena of consumerized cloud-based tools like those that employees select for business use.

What security and privacy concerns do you still hear from those doing due diligence prior to placing their trust in the cloud?

A lot of them are just trying to figure out what to do with the cloud in general. Companies right now have really three choices, especially with respect to the consumer cloud (i.e., cloud tools like Dropbox). One of them is to kind of ignore it, which is always a horrible strategy because when they look at it, they see that their users are adopting it en masse. Strategy two is to build IT walls up higher and pretend it’s not happening. Strategy three is adoption, which is to identify what people like to use and convert it from the uncontrolled mass of consumerized applications into something security feels comfortable with, something that is compliant with the company’s rules with a degree of manageability and cost control.

Are there one or two security concerns you can name? Because if the cloud was always entirely safe in and of itself, the enterprise wouldn’t have these concerns.

If you look at the track record of cloud computing, it’s significantly better from a security perspective than the track record of keeping stuff on premise. The big challenge organizations have, when you look at some of these breaches, is they’re not able to scale up to secure the really complicated in-house infrastructures they have.

We’re [as a cloud company] able to attract some of the best and brightest talent in the world around security because we’re able to get folks that quite frankly want to solve really big problems on a massive scale. Some of these opportunities aren’t available if they’re not in a cloud company.

How do you suggest that enterprises take that third approach, which is to adopt consumerized cloud applications?

The first step is through discovery. Understand how employees use cloud computing. There are a number of tools and vendors that help with that process. With that, IT has to be willing to rethink their role. Employees should really be the scouts for innovation. They’re at the forefront of adopting new apps and cloud technology. The role of IT will shift to custodian or curator of those technologies. IT will provide integration services to make sure that there is a reasonable architecture for piecing these technologies together to add value and to provide security and governance to make sure those kinds of cloud services align with the overall risk objectives of the organization.

How can the enterprise use the cloud to boost security and minimize company overhead?

If you think about boosting security, there is this competition for talent and the lack of resources for the enterprise to do it in-house. If you look at the net risk concept, where you evaluate your security and risk posture prior to and after you invest in the cloud, and you understand what changes, one of those changes is: what do I not have to manage anymore? If you look at the complexity of the tech stack, there are security accountabilities, and the enterprise shifts the vast majority of security accountabilities on the infrastructure side to the cloud computing provider; that leaves your existing resources free to perform more value-added functions.

What are the security concerns in cloud collaboration scenarios?

When I think about collaboration especially outside of the boundaries of an individual organization, there is always the question of how do you maintain reasonable control over that information once it’s in the hands of somebody else? There is that underlying tension that the recipient of that shared information may not continue to protect it.

In response to that, there is ERM, which provides a document-level control that’s cryptographically enforced. We’re looking at ways of minimizing the usability tradeoff that can come with adding in some of these kinds of security advancements. We’re working with some vendors in this space to identify what do we have to do from an interface and API perspective to integrate this so that the impact on the end user for adopting some of these advanced encryption capabilities is absolutely minimized, meaning that when you encrypt a document using some of these technologies that you can still, for example, preview it and search for it.

How do enterprises need to power their security solutions in the current IT landscape?

When they look at security solutions, I think more and more they have to think beyond the old model of the network perimeter. When they send data to the cloud, they have to adopt a security strategy that also involves cloud security, where the cloud actually provides the security as one of its functions.

There are a number of cloud-access security brokers, and the smart ones aren’t necessarily sitting on the network and monitoring, but the smart ones are interacting, using access and APIs, and looking at the data people are placing into cloud environments, analyzing them for policy violations, and providing for archiving and backup and similar capabilities.

Security tools that companies need to focus on could be oriented to how these capabilities are going to scale across multiple cloud vendors as well as how do I get away from inserting it into our network directly and focus more on API integration with multiple cloud vendors?

Traditionally, blacklists of malicious IP addresses are assembled using honeypots and intrusion detection systems but a new approach, analyzing chatter on the dark and open Web, can find malicious addresses that would have been otherwise missed.

According to Recorded Future, an analysis of 700,000 Web sources resulted in 67,563 IP addresses associated with at least one type of malware -- and 1,521 particularly dangerous IP addresses that were associated with at least two types of malware.

Of these addresses, 91 percent of the smaller list and 98 percent of the larger list were new to security researchers, and did not show up on existing blacklists.

One major difference between the new list and traditional lists is the higher percentage of "outbound" malicious addresses.

"An inbound address is when someone is attacking your system from an external address, trying to get in," said Staffan Truvé, chief scientist and co-founder at Recorded Future. "An outbound address is when an intruder is already in your systems, and is trying to connect to the outside world to exfiltrate data."

On traditional blacklists, 99 percent of the addresses are for inbound activity, he said.

On Recorded Future's new list, half of the addresses are for outbound activity.

For example, Recorded Future identified 476 IP addresses associated with both the Dyreza and the Upatre malware families -- only 41 of which were known to existing blacklists.

Another reason why traditional detection systems might be missing these new addresses is that the bad guys are trying to stay hidden, said Recorded Future's CEO Christopher Ahlberg.

"They'll do lots of hops along the way, so by the time they hit the honey pot, it lost the connection it originated from," he said. "But we can get back to the core of the evil."

Ahlberg stressed that Recorded Future isn't suggesting that the new list replace traditional blacklists, but can be used as a source of complementary information.

"Once you figure out that these malicious infrastructures are out there, you can block them," he said. "Or you can do more research on them and figure out what the problem is."

For example, this kind of analysis could lead to the discovery of shared infrastructure between different malware groups.

Truvé said that Recorded Future will be integrating the new information into its threat intelligence platform.

"And the next step is integrating our system with SIEM systems, so you can automate it, have them block these addresses automatically," he said.

The company hasn't decided yet how it will share the new lists with the public.

"We publish a free daily email, the Recorded Future Cyber Daily, which today lists the top actors and top malware," he said. "So it's likely that we will be enriching that information with at least a subset of these addresses."

Cybercriminals are leveraging the launch of Microsoft's Windows 10 operating system to trick users into installing a piece of ransomware on their systems.

Since Microsoft announced last week that Windows 10 has become available in 190 countries as a free upgrade, the new operating system has been installed on tens of millions of computers. As with all major announcements, cybercriminals are leveraging news of the free upgrade for their own benefit.

Researchers at Cisco have spotted a spam campaign designed to distribute a piece of ransomware by promising recipients a free Windows 10 upgrade.

The fake emails carry the subject line "Windows 10 Free Update" and appear to come from a legitimate-looking sender address. The notifications might appear genuine to some regular users since they also contain a legitimate-looking disclaimer and a note that the message has been scanned for viruses and dangerous content.

However, a closer look reveals that the sender actually spoofed the originating email address, and the text of the emails contains several characters that haven't been parsed properly.

The file attached to the bogus notifications, Win10Installer.zip, is not a Windows 10 installer, but a variant of the CTB-Locker (Critroni) ransomware. Once it's unzipped and executed, the malware encrypts the victim's files and holds them for ransom.

Victims are given 96 hours to pay a certain amount of money in Bitcoin over the Tor network if they want to recover their files.

"Currently, Talos is detecting the ransomware being delivered to users at a high rate. Whether it is via spam messages or exploit kits, adversaries are dropping a huge amount of different variants of ransomware," Cisco said in a blog post. "The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user's files without having the decryption key reside on the infected system. Also, by utilizing Tor and Bitcoin they are able to remain anonymous and quickly profit from their malware campaigns with minimal risk."

CTB-Locker attracted the attention of researchers last year due to its unusual cryptographic scheme, and because it was the first file-encrypting ransomware to use Tor.

Microsoft says Windows 10 introduces some advancements in security, including features for identity, information and device protection. Furthermore, Microsoft Edge, the successor of the Internet Explorer web browser, also brings significant improvements in security.

Researchers at Trend Micro analyzed Edge last week and determined that while the new browser is more secure, it also introduces new potential attack vectors.

"Microsoft Edge represents a clear improvement compared to Internet Explorer 11. Specifically, the improved sandbox and exploit mitigation techniques make exploiting Edge more difficult than its predecessor. In addition, the dropping of unused legacy features reduces the possible attack vectors into the browser," explained Trend Micro researchers.

"Overall, we believe that Edge has reached a security parity with the Google Chrome browser, with both markedly superior to Mozilla Firefox. However, multiple attack surfaces still remain which can be used by an attacker. Given the sophistication and demands on modern browsers, this may well be inevitable," they noted.