Introducing the Cloudflare Onion Service

  • When: a cold San Francisco summer afternoon
  • Where: Room 305, Cloudflare
  • Who: 2 from Cloudflare + 9 from Tor Project


What could go wrong?

Bit of Background

Two years ago this week Cloudflare introduced Opportunistic Encryption, a feature that provided additional security and performance benefits to websites that had not yet moved to HTTPS. Indeed, back in the old days some websites only used HTTP — weird, right? “Opportunistic” here meant that the server advertised support for HTTP/2 via an HTTP Alternative Service header in the hopes that any browser that recognized the protocol could take advantage of those benefits in subsequent requests to that domain.

Around the same time, CEO Matthew Prince wrote about the importance and challenges of privacy on the Internet and tasked us to find a solution that provides convenience, security, and anonymity.

From neutralizing fingerprinting vectors and everyday browser trackers that Privacy Badger feeds on, all the way to mitigating correlation attacks that only big actors are capable of, guaranteeing privacy is a complicated challenge. Fortunately, the Tor Project addresses this extensive adversary model in Tor Browser.

However, the Internet is full of bad actors, and distinguishing legitimate traffic from malicious traffic, which is one of Cloudflare’s core features, becomes much more difficult when the traffic is anonymous. In particular, many features that make Tor a great tool for privacy also make it a tool for hiding the source of malicious traffic. That is why many resort to using CAPTCHA challenges to make it less expensive to be a bot on the Tor network. There is, however, collateral damage associated with using CAPTCHA challenges to stop bots: human eyes also have to deal with them.


One way to minimize this is using privacy-preserving cryptographic signatures, aka blinded tokens, such as those that power Privacy Pass.

The other way is to use onions.


Here Come the Onions

Today’s edition of the Crypto Week introduces an “opportunistic” solution to this problem, so that under suitable conditions, anyone using Tor Browser 8.0 will benefit from improved security and performance when visiting Cloudflare websites without having to face a CAPTCHA. At the same time, this feature enables more fine-grained rate-limiting to prevent malicious traffic, and since the mechanics of the idea described here are not specific to Cloudflare, anyone can reuse these methods on their own website.

Before we continue, if you need a refresher on what Tor is or why we are talking about onions, check out the Tor Project website or our own blog post on the DNS resolver onion from June.

As Matthew mentioned in his blog post, one way to sift through Tor traffic is to use the onion service protocol. Onion services are Tor nodes that advertise their public key, encoded as an address with .onion TLD, and use “rendezvous points” to establish connections entirely within the Tor network:


While onion services are designed to provide anonymity for content providers, media organizations use them to allow whistleblowers to communicate securely with them and Facebook uses one to tell Tor users from bots.

The technical reason why this works is that from an onion service’s point of view each individual Tor connection, or circuit, has a unique but ephemeral number associated to it, while from a normal server’s point of view all Tor requests made via one exit node share the same IP address. Using this circuit number, onion services can distinguish individual circuits and terminate those that seem to behave maliciously. To clarify, this does not mean that onion services can identify or track Tor users.

While bad actors can still establish a fresh circuit by repeating the rendezvous protocol, doing so involves a cryptographic key exchange that costs time and computation. Think of this like a cryptographic dial-up sequence. Spammers can dial our onion service over and over, but every time they have to repeat the key exchange.

Alternatively, finishing the rendezvous protocol can be thought of as a small proof of work required in order to use the Cloudflare Onion Service. This increases the cost of using our onion service for performing denial of service attacks.

Problem solved, right?

Not quite. As discussed when we introduced the hidden resolver, the problem of ensuring that a seemingly random .onion address is correct is a barrier to usable security. In that case, our solution was to purchase an Extended Validation (EV) certificate, which costs considerably more. Needless to say, this limits who can buy an HTTPS certificate for their onion service to a privileged few.


Some people disagree. In particular, the new generation of onion services resolves the weakness that Matthew pointed to as a possible reason why the CA/B Forum only permits EV certificates for onion services. This could mean that getting Domain Validation (DV) certificates for onion services could be possible soon. We certainly hope that’s the case.

Still, DV certificates lack the organization name (e.g. “Cloudflare, Inc.”) that appears in the address bar, and cryptographically relevant numbers are nearly impossible to remember or distinguish for humans. This brings us back to the problem of usable security, so we came up with a different idea.

Onion addresses are like IP addresses, not domain names

Forget for a moment that we’re discussing anonymity. When you type “cloudflare.com” in a browser and press enter, your device first resolves that domain name into an IP address, then your browser asks the server for a certificate valid for “cloudflare.com” and attempts to establish an encrypted connection with the host. As long as the certificate is trusted by a certificate authority, there’s no reason to mind the IP address.

Roughly speaking, the idea here is to simply switch the IP address in the scenario above with an .onion address. As long as the certificate is valid, the .onion address itself need not be manually entered by a user or even be memorable. Indeed, the fact that the certificate was valid indicates that the .onion address was correct.

In particular, in the same way that a single IP address can serve millions of domains, a single .onion address should be able to serve any number of domains.

Except, DNS doesn’t work this way.

How does it work then?

Just as with Opportunistic Encryption, we can point users to the Cloudflare Onion Service using HTTP Alternative Services, a mechanism that allows servers to tell clients that the service they are accessing is available at another network location or over another protocol. For instance, when the Tor Browser makes a request to “cloudflare.com,” Cloudflare adds an Alternative Service header to indicate that the site is available to access over HTTP/2 via our onion services.


In the same sense that Cloudflare owns the IP addresses that serve our customers’ websites, we run 10 .onion addresses. Think of them as 10 Cloudflare points of presence (or PoPs) within the Tor network. The exact header looks something like this, except with all 10 .onion addresses included, each starting with the prefix “cflare”:

alt-svc: h2="cflare2nge4h4yqr3574crrd7k66lil3torzbisz6uciyuzqc2h2ykyd.onion:443"; ma=86400; persist=1

This simply indicates that “cloudflare.com” can be authoritatively accessed using HTTP/2 (“h2”) via the onion service “cflare2n[…].onion”, over virtual port 443. The field “ma” (max-age) indicates how long in seconds the client should remember the existence of the alternative service, and “persist” indicates whether the alternative service cache should be kept when the network is interrupted.

Once the browser receives this header, it attempts to make a new Tor circuit to the onion service advertised in the alt-svc header and confirm that the server listening on virtual port 443 can present a valid certificate for “cloudflare.com” — that is, the original hostname, not the .onion address.
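To make the client side of this concrete, here is an added example (not Cloudflare’s or Tor Browser’s code) that parses an Alt-Svc header following the RFC 7838 grammar, keeps only the h2 .onion alternatives a Tor Browser would follow, and checks that a certificate’s names cover the original hostname rather than the .onion address. The header value is the one quoted above; the multi-entry header and certificate names in the test are constructed.

```python
"""Parse Alt-Svc headers and select usable .onion alternatives.

Added example, not code from the post. Grammar (RFC 7838):
    Alt-Svc = clear / 1#alt-value
    alt-value = protocol-id "=" <"> alt-authority <"> *( OWS ";" OWS parameter )
"""
import re
from dataclasses import dataclass
from typing import List

# One alt-value: protocol-id, quoted authority, then optional ";k=v" parameters.
_ALT_VALUE = re.compile(r'\s*([^=;,\s]+)="([^"]*)"\s*((?:;[^;,]*)*)')


@dataclass
class AltService:
    protocol: str          # ALPN id, e.g. "h2"
    host: str              # "" means "same host as the origin"
    port: int
    max_age: int = 86400   # RFC 7838 default when "ma" is absent
    persist: bool = False  # "persist=1": keep across network changes


def parse_alt_svc(value: str) -> List[AltService]:
    """Return every advertised alternative, in header order."""
    if value.strip().lower() == "clear":
        return []            # "clear" invalidates all cached alternatives
    services = []
    for m in _ALT_VALUE.finditer(value):
        proto, authority, params = m.groups()
        # authority is [host]:port; the host may be empty or a bracketed IPv6 literal
        host, _, port = authority.rpartition(":")
        svc = AltService(proto, host.strip("[]"), int(port))
        for p in params.split(";"):
            if "=" not in p:
                continue
            k, v = (s.strip() for s in p.split("=", 1))
            if k == "ma":
                svc.max_age = int(v)
            elif k == "persist":
                svc.persist = v == "1"
        services.append(svc)
    return services


def onion_candidates(value: str) -> List[AltService]:
    """Alternatives a Tor Browser 8.0 could use: HTTP/2 on a .onion authority."""
    return [s for s in parse_alt_svc(value)
            if s.protocol == "h2" and s.host.lower().endswith(".onion")]


def cert_covers_origin(origin_host: str, cert_names: List[str]) -> bool:
    """True if the presented names cover the ORIGIN hostname (never the .onion).

    Implements the usual DNS name match: exact match, or a single-label
    wildcard "*.example" matching exactly one leading label.
    """
    origin = origin_host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == origin:
            return True
        if name.startswith("*.") and "." in origin:
            if origin.split(".", 1)[1] == name[2:]:
                return True
    return False
```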

The onion service then relays the Client Hello packet to a local server which can serve a certificate for “cloudflare.com.” This way the Tor daemon itself can be very minimal. Here is a sample configuration file:

SocksPort 0
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
HiddenServiceVersion 3
HiddenServicePort 443
SafeLogging 1
Log notice stdout

Be careful with using the configuration above, as it enables a non-anonymous setting for onion services that do not require anonymity for themselves. To clarify, this does not sacrifice privacy or anonymity of Tor users, just the server. Plus, it improves latency of the circuits.


If the certificate is signed by a trusted certificate authority, for any subsequent requests to “cloudflare.com” the browser will connect using HTTP/2 via the onion service, sidestepping the need for going through an exit node.

Here are the steps summarized one more time:

  • A new Tor circuit is established;
  • The browser sends a Client Hello to the onion service with SNI=cloudflare.com;
  • The onion service relays the packet to a local server;
  • The server replies with Server Hello for SNI=cloudflare.com;
  • The onion service relays the packet to the browser;
  • The browser verifies that the certificate is valid.
To reiterate, the certificate presented by the onion service only needs to be valid for the original hostname, meaning that the onion address need not be mentioned anywhere on the certificate. This is a huge benefit, because it allows you to, for instance, present a free Let’s Encrypt certificate for your .org domain rather than an expensive EV certificate.

Convenience, ✓

Distinguishing the Circuits

Remember that while one exit node can serve many different clients, from Cloudflare’s point of view all of that traffic comes from one IP address. This pooling helps cover the malicious traffic among legitimate traffic, but isn’t essential to the security or privacy of Tor. In fact, it can potentially hurt users by exposing their traffic to bad exit nodes.

Remember that Tor circuits to onion services carry a circuit number which we can use to rate-limit the circuit. Now, the question is how to inform a server such as nginx of this number with minimal effort. As it turns out, with only a small tweak in the Tor binary, we can insert a Proxy Protocol header at the beginning of each packet that is forwarded to the server. This protocol is designed to help TCP proxies pass on parameters that can be lost in translation, such as source and destination IP addresses, and is already supported by nginx, Apache, Caddy, etc.

Luckily for us, the IPv6 space is so vast that we can encode the Tor circuit number as an IP address in an unused range and use the Proxy Protocol to send it to the server. Here is an example of the header that our Tor daemon would insert in the connection:

PROXY TCP6 2405:8100:8000:dead:beef::ABCD ::1 43981 443\r\n

In this case, 0xABCD encodes the circuit number in the last 32 bits of the source IP address. The local Cloudflare server can then transparently use that IP to assign reputation, show CAPTCHAs, or block requests when needed.

Note that even though requests relayed by an onion service don’t carry an IP address, you will see an IP address like the one above with country code “T1” in your logs. This IP only specifies the circuit number seen by the onion service, not the actual user IP address. In fact, 2405:8100:8000::/48 is an unused subnet owned by Cloudflare that we are taking off the public IP list for this purpose.
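The server side of this scheme, as an added example that is not Cloudflare’s or Tor’s code: it parses the PROXY protocol v1 line shown above, recovers the circuit number from the low 32 bits of a source address inside 2405:8100:8000::/48, treats any other source as an ordinary client IP to be handled by IP reputation, and applies a per-circuit sliding-window limit. The limit values and the “challenge” action are an assumed illustrative policy, not Cloudflare’s actual rule.

```python
"""Decode the PROXY v1 line prepended by the patched Tor daemon and rate-limit
per Tor circuit. Added example; the /48 range and sample line come from the post.
"""
import ipaddress
from collections import defaultdict, deque
from typing import Dict, Optional, Tuple

# Range the post says Cloudflare reserved for encoding circuit numbers.
CIRCUIT_NET = ipaddress.ip_network("2405:8100:8000::/48")


def parse_proxy_v1(line: bytes) -> Tuple[str, str, str, int, int]:
    """Parse 'PROXY TCP6 <src> <dst> <sport> <dport>\\r\\n' into its fields."""
    # v1 lines are ASCII, CRLF-terminated and never longer than 107 bytes.
    if not line.endswith(b"\r\n") or len(line) > 107:
        raise ValueError("PROXY v1 line must end in CRLF and be <= 107 bytes")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY line: %r" % line)
    family, src, dst, sport, dport = parts[1:]
    # Reject malformed addresses here instead of letting them reach the logs.
    ipaddress.ip_address(src)
    ipaddress.ip_address(dst)
    return family, src, dst, int(sport), int(dport)


def circuit_id(src: str) -> Optional[int]:
    """Circuit number = low 32 bits of src, only when src is in the circuit range.

    Any other source is a real client address (e.g. a Tor exit node or a direct
    visitor) and must go through ordinary IP reputation instead.
    """
    addr = ipaddress.ip_address(src)
    if addr.version != 6 or addr not in CIRCUIT_NET:
        return None
    return int(addr) & 0xFFFFFFFF


def encode_circuit(circ: int) -> str:
    """Source address the onion side would emit for circuit number `circ`."""
    if not 0 <= circ <= 0xFFFFFFFF:
        raise ValueError("circuit number does not fit in 32 bits")
    return str(ipaddress.IPv6Address(int(CIRCUIT_NET.network_address) | circ))


class CircuitRateLimiter:
    """Sliding-window request budget keyed on the circuit number (assumed policy)."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window = window_s
        self._hits: Dict[int, deque] = defaultdict(deque)

    def allow(self, circ: int, now: float) -> bool:
        q = self._hits[circ]
        while q and now - q[0] >= self.window:
            q.popleft()      # forget hits that fell out of the window
        if len(q) >= self.limit:
            return False     # this circuit is over budget: challenge it
        q.append(now)
        return True


def decide(line: bytes, limiter: CircuitRateLimiter, now: float) -> str:
    """Map one relayed connection to 'allow', 'challenge' or 'ip' (use IP reputation)."""
    _, src, _, _, _ = parse_proxy_v1(line)
    circ = circuit_id(src)
    if circ is None:
        return "ip"          # not an onion circuit: normal IP-based handling
    return "allow" if limiter.allow(circ, now) else "challenge"
```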

This enables customers to continue detecting bots using IP reputation while sparing humans the trouble of clicking on CAPTCHA street signs over and over again.

Security, ✓

Why should I trust Cloudflare?

You don’t need to. The Cloudflare Onion Service presents the exact same certificate that we would have used for direct requests to our servers, so you could audit this service using Nimbus, our certificate transparency log, to reveal any potential cheating.

Additionally, since Tor Browser 8.0 makes a new circuit for each hostname when connecting via an .onion alternative service, the circuit number cannot be used to link connections to two different sites together.

Note that all of this works without running any entry, relay, or exit nodes. Therefore the only requests that we see as a result of this feature are the requests that were headed for us anyway. In particular, since no new traffic is introduced, Cloudflare does not gain any more information about what people do on the internet.

Anonymity, ✓

Is it faster?

Tor isn’t known for being fast. One reason for that is the physical cost of having packets bounce around in a decentralized network. Connections made through the Cloudflare Onion Service don’t add to this cost because the number of hops is no more than usual.

Another reason is the bandwidth costs of exit node operators. This is an area where we hope this service can offer relief, since it shifts traffic from exit nodes to our own servers, reducing exit node operation costs along with it.

BONUS: Performance, ✓

How do I enable it?

Onion Routing is now available to all Cloudflare customers, enabled by default for Free and Pro plans. The option is available in the Crypto tab of the Cloudflare dashboard:


Browser support

We recommend using Tor Browser 8.0, which is the first stable release based on Firefox 60 ESR, and supports .onion Alt-Svc headers as well as HTTP/2. The new Tor Browser for Android (alpha) also supports this feature.

We’ve got BIG NEWS. We gave Tor Browser a UX overhaul.

Tor Browser 8.0 has a new user onboarding experience, an updated landing page, additional language support, and new behaviors for bridge fetching, displaying a circuit, and visiting .onion sites. https://t.co/fpCpSTXT2L pic.twitter.com/xbj9lKTApP

— The Tor Project (@torproject) September 5, 2018

Any last words?

Similar to Opportunistic Encryption, Opportunistic Onions do not fully protect against attackers who can simply remove the alternative service header. Therefore it is important to use HTTPS Everywhere to secure the first request. Once a Tor circuit is established, subsequent requests should stay in the Tor network from source to destination.

As we maintain and improve this service we will share what we learn. In the meanwhile, feel free to try out this idea on Caddy and reach out to us with any comments or suggestions that you might have.

Acknowledgments

Patrick McManus of Mozilla for enabling support for .onion alternative services in Firefox; Arthur Edelstein of the Tor Project for reviewing and enabling HTTP/2 and HTTP Alternative Services in Tor Browser 8.0; Alexander Færøy of the Tor Project for adding support for Proxy Protocol in onion services; the entire Tor Project team for their invaluable assistance and discussions; and last, but not least, many folks at Cloudflare who helped with this project.

Addresses used by the Cloudflare Onion Service

cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion
cflarenuttlfuyn7imozr4atzvfbiw3ezgbdjdldmdx7srterayaozid.onion
cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion
cflareusni3s7vwhq2f7gc4opsik7aa4t2ajedhzr42ez6uajaywh3qd.onion
cflareki4v3lh674hq55k3n7xd4ibkwx3pnw67rr3gkpsonjmxbktxyd.onion
cflarejlah424meosswvaeqzb54rtdetr4xva6mq2bm2hfcx5isaglid.onion
cflaresuje2rb7w2u3w43pn4luxdi6o7oatv6r2zrfb5xvsugj35d2qd.onion
cflareer7qekzp3zeyqvcfktxfrmncse4ilc7trbf6bp6yzdabxuload.onion
cflareub6dtu7nvs3kqmoigcjdwap2azrkx5zohb2yk7gqjkwoyotwqd.onion
cflare2nge4h4yqr3574crrd7k66lil3torzbisz6uciyuzqc2h2ykyd.onion


Source:: CloudFlare

Newegg confirms credit card information was taken in a sophisticated attack

Online retailer Newegg on Wednesday confirmed that credit card information from customers had been stolen using a sophisticated attack.

“Yesterday we learned one of our servers had been injected with malware which was identified and removed from our site,” the company said in a statement on Twitter. “We’re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted. Please check your email.”

This makes Newegg the latest company to get hit by the black hat hacker groups collectively called Magecart. Security researchers at RiskIQ said the attack worked by injecting malicious JavaScript onto Newegg’s page to skim credit card information and send it to a domain registered as Neweggstats.com. RiskIQ said a very similar “Magecart assault” was also used against British Airways and Ticketmaster earlier this year.


Source:: IT news – Security

IBM unveils real-time, cloud-based bias detection for A.I. systems

Cognitive services giant IBM has announced a new artificial intelligence (AI) ‘Trust and Transparency’ service, which it claims gives businesses greater transparency into AI decision-making and bias.

The new Watson-based cloud service is designed to not only ‘open the black box’ of complex AI systems, but also to reinforce organisations’ trust in their own AI-based decisions – and data – by showing their workings.

In this way, IBM also seeks to reinforce its status as a trusted provider and service arbiter, even of others’ technologies.

IBM’s new Trust and Transparency capabilities on the IBM Cloud work with models built from a wide variety of machine learning and AI frameworks, including Watson itself, Google’s Tensorflow, Apache Spark MLlib, AWS SageMaker, and Microsoft’s Azure Machine Learning.

The cloud service can be programmed to monitor the unique “decision factors” of any business workflow, enabling it to be customised to the specific needs of the organisation, says IBM.

Importantly, it also exposes and explains the decision-making process and detects bias in AI models at runtime – as decisions are being made – capturing potentially unfair outcomes as they occur. It can recommend data to add to the model to help mitigate any bias it has detected.

In addition, IBM Research will release into the open source community an AI bias detection and mitigation toolkit, proposing a suite of tools and new education protocols to encourage global collaboration in addressing bias in AI.

“IBM led the industry in establishing trust and transparency principles for the development of new AI technologies,” said Beth Smith, general manager of Watson AI at IBM. “It’s time to translate principles into practice. We are giving new transparency and control to the businesses who use AI and face the most potential risk from any flawed decision-making.”

Tackling bias is of strategic importance to IBM as it seeks to be a trusted provider of AI and data services. In June, the company announced that it would make public two datasets to be used as tools for the technology industry and AI research community.

The first will be made up of one million annotated images, harvested from photography platform Flickr. The dataset will rely on Flickr’s geo-tags to balance the source material and reduce sample selection bias.

According to IBM, the current largest facial attribute dataset is made up of just 200,000 images.

IBM is also releasing an annotated dataset of up to 36,000 images that are equally distributed across skin tones, genders, and ages. The company hopes that it will help algorithm designers to identify and address bias in their facial analysis systems.

In a blog post outlining the steps the company will be taking this year, IBM Fellows Aleksandra Mojsilovic and John Smith highlighted the importance of training development teams – which tend to be dominated by young white men – to recognise how bias occurs and becomes problematic.


Internet of Business says

The question for most organisations is not whether an AI or machine learning system is biased by deliberate design, but whether the training data has introduced unconscious, cultural, or historic bias into the system, effectively casting prejudices or assumptions of any kind into code.

Another challenge is confirmation bias, in which organisations either use or design systems to prove what they already believe, weighting the data towards pre-defined conclusions.

A valuable system, then, which is as much a gain for IBM as it is for its customers.

The developments come on the back of recent research by IBM’s Institute for Business Value, which reveals that while 82 percent of enterprises are considering AI deployments, 60 percent fear liability issues and 63 percent lack the in-house talent to manage the technology with confidence.


Source:: Internet of Business

Alibaba sets up dedicated chip unit for A.I., IoT, smart cars

NEWSBYTE Chinese ecommerce and technology giant Alibaba has announced that it is to set up a dedicated chip subsidiary.

It aims to launch its first self-developed AI inference chip, which could be used for autonomous driving, smart city applications, and logistics, in the second half of 2019, the company said yesterday.

The new subsidiary will make customised AI chips and embedded processors to support Alibaba’s push into cloud computing and the Internet of Things (IoT).

The company’s aggressive drive to develop its own semiconductors comes as Beijing looks to propel China’s high-tech industries into leadership positions in AI, robotics, and autonomous transport, especially in areas such as healthcare.

A recent report from PwC highlighted the dominance of the services sector in China over the next 20 years, which will lead the adoption of Industry 4.0 technologies. According to that report, China will gain 96 million new jobs by 2037, despite the disruption caused by robotics and AI to the existing job market.

In April, Alibaba bought Chinese chipmaker Hangzhou C-SKY Microsystems to help bolster its ambitions.

Source: Reuters.

Internet of Business says

Alibaba co-founder and chairman Jack Ma – China’s richest man – said in April that China needs to control its “core technology” to avoid over-reliance on US imports.

A number of companies, such as Facebook and Apple, are adopting the same approach internally, to avoid being hostage to the fortunes and development cycles of chipmakers such as Intel.

As the trade war between the US and China escalates – and heads towards all Chinese exports being hit by US trade tariffs – Ma’s comments seem increasingly prescient.

On 19 September, he recanted his promise to bring one million new jobs to the US, blaming the trade dispute. He said, “The promise was made on the premise of friendly US-China partnerships and rational trade relations. That premise no longer exists today, so our promise cannot be fulfilled.”


Source:: Internet of Business

Threats posed by using RATs in ICS

While conducting audits, penetration tests and incident investigations, we have often come across legitimate remote administration tools (RAT) for PCs installed on operational technology (OT) networks of industrial enterprises. In a number of incidents that we have investigated, threat actors had used RATs to attack industrial organizations. In some cases, the attackers had stealthily installed RATs on victim organizations’ computers, while in other cases, they had been able to use the RATs that were installed in the organization at the time of the attacks. These observations prompted us to analyze the scope of the threat, including the incidence of RATs on industrial networks and the reasons for using them.

Methodology

The statistical data presented in this paper was collected using the Kaspersky Security Network (KSN) from ICS computers protected by Kaspersky Lab products that Kaspersky Lab ICS CERT categorizes as part of the industrial infrastructure at organizations. This group includes Windows computers that perform one or several of the following functions:

• supervisory control and data acquisition (SCADA) servers;
• data storage servers (Historian);
• data gateways (OPC);
• stationary workstations of engineers and operators;
• mobile workstations of engineers and operators;
• Human Machine Interface (HMI).

As part of our research, we considered and analyzed all popular RATs for Windows, with the exception of Remote Desktop, which is part of the Windows operating system. Our research into this RAT is ongoing and will be presented in the next paper of the series.

The use of RATs in ICS

According to KSN data, in the first half of 2018, legitimate RATs (programs categorized as not-a-virus: RemoteAdmin) were installed and used on one ICS computer in three.

[Chart: Percentage of ICS computers that have RATs legitimately installed on them]

The statistics support our observations: RATs are indeed often used on OT networks of industrial enterprises. We believe this could be due to attempts to reduce costs associated with maintaining ICS and minimize the response time in the event of a malfunction.

As we were able to find out, remote access to computers on the OT network is not restricted to administrators and engineers inside the enterprise network’s perimeter. It can also be made available via the internet to users outside the enterprise network perimeter. Such users can include representatives of third-party enterprises – employees of system integrators or ICS vendors, who use RATs for diagnostics, maintenance and to address any ICS malfunctions. As our industrial network security audits have shown, such access is often poorly supervised by the enterprise’s responsible employees, while remote users connecting to the OT network often have excessive rights, such as local administrator privileges, which is obviously a serious issue in terms of ensuring the information security of industrial automation systems.

From interviews with engineers and operators of various industrial systems that we have audited, and based on an analysis of ICS user documentation, we have determined that RATs are most commonly used on industrial networks according to the following scenarios:

• To control/monitor HMI from an operator workstation (including displaying information on a large screen);
• To control/maintain HMI from an engineering workstation;
• To control SCADA from an operator workstation;
• To provide SCADA maintenance from an engineering workstation or a computer of a contractor/vendor (from an external network);
• To connect multiple operators to one operator workstation (thin client-like architecture used to save money on licenses for the software used on operator workstations);
• To connect to a computer on the office network from the OT network via HMI and perform various tasks on that computer (access email, access the internet, work with office documents, etc.).

Some of the scenarios listed above indicate that the use of RATs on the OT network can be explained by operational requirements, which means that giving up the use of RATs would unavoidably entail modifications to work processes. At the same time, it is important to realize that an attack on a poorly protected RAT could easily cause disruptions to the industrial process, and any decisions on using RATs on the OT network should be made with this in mind. Tight controls on the use of RATs on the OT network would help to reduce the attack surface and the risk of infection for systems administered remotely.

[Chart: TOP 20 countries by percentage of ICS computers on which RATs were used at least once during the first half of 2018 (relative to all ICS computers in each country)]

Scenarios of RAT installation on ICS computers

According to our research, there are three most common scenarios of RAT installation on ICS computers:

• Installation of ICS software distribution packages that include RATs (using separate distribution packages or ICS software installers). RATs included in ICS software distribution packages make up 18.6% of all RATs we have identified on ICS computers protected by Kaspersky Lab products.

[Chart: Percentage of RATs bundled with ICS products relative to all RATs found on ICS computers]

• Deliberate installation of RATs by personnel or suppliers – network administrators, engineers, operators, or integrator companies. We do not undertake to judge whether these installations are legitimate. Based on our experience of industrial network audits and incident investigation, we can state that many such installations do not comply with the organization’s information security policy and some are installed without the knowledge of the respective enterprises’ responsible employees.
• Stealthy installation of RATs by malware. An example of this is a recent attack that we have investigated (see below).

RAT-related threats to ICS

Threats associated with the use of RATs on industrial networks are not always obvious, nor are the reasons for which RATs are used.

Most of the RATs we have identified on industrial systems have the following characteristics that significantly reduce the security level of the host system:

• Elevated privileges – the server part of a RAT is often executed as a service with system privileges, i.e., NT SYSTEM;
• No support for restricting local access to the system / client activity;
• Single-factor authentication;
• No logging of client activity;
• Vulnerabilities (our report on zero-day vulnerabilities identified in popular RAT systems that are used, among other applications, in products by many ICS vendors, will be published by the end of the year);
• The use of relay servers (for reverse connections) that enable RATs to bypass NAT and firewall restrictions on the network perimeter.

The most critical RAT-related problem is the use of elevated privileges and the absence of any means to limit these privileges (or to restrict a remote user’s local access). In practice, this means that if attackers (or malware) gain access to a remote user’s computer, steal authentication data (login/password), hijack an active remote administration session or successfully attack a vulnerability in the RAT’s server part, they will gain unrestricted control of the ICS system. By using relay servers for reverse connections, attackers can also connect to these RATs from anywhere in the world.

There are also other issues that affect RATs built into ICS software distribution packages:

• RAT components and distribution packages are rarely updated (even if new versions of ICS distribution packages are released). This makes them more likely to contain vulnerabilities;
• In the vast majority of cases, the default password is used – it is either hardcoded into the RAT by the ICS software vendor or specified in the documentation as “recommended”.

RATs are legitimate software tools that are often used on industrial networks, which means it can be extremely difficult to distinguish attacks involving RATs from legitimate activity. In addition, since the information security service and other employees responsible for ICS security are often unaware that a RAT is installed, the configuration of RATs is in most cases not analyzed when auditing the security of an industrial network. This makes it particularly important to control by whom, when and for what purposes RATs are used on the industrial network and to ensure that it is completely impossible to use RATs without the knowledge of employees responsible for the OT network’s information security.

    Attacks of threat actors involving RATs

    Everything written above applies to potential threats associated with the use of RATs.

    Based on our analysis of KSN statistics, we were able to identify a number of attacks and malware infection attempts involving RATs installed on ICS computers. In most cases, the attacks followed one of the following scenarios (listed in descending order of incidence):

  • A brute force network attack from the local network or the internet designed to crack logins/passwords;
  • An attacker or malware using a RAT to download and execute malware using stolen or cracked authentication credentials;
  • A remote user (probably a legitimate user deceived by attackers) using a RAT to download a Trojan to an ICS computer and then executing it; the Trojan can be disguised as an office document, non-industrial software (a game, multimedia software, etc.), a crack/keygen for office, application or industrial software, etc.;
  • A network attack from the local network or the internet on the server part of the RAT using exploits.

    Brute force network attacks (designed to crack logins/passwords) are the most common: mounting them requires no special knowledge or skills, and the software used in such attacks is publicly available.

    It cannot be determined based on available data who connects to a RAT’s server part installed on an ICS computer – a legitimate user, an attacker or malware – or why. Consequently, we can only guess whether this activity represents a targeted attack, sabotage attempts or a client’s error.

    Network attacks from the internet were most probably conducted by threat actors using malware, penetration testing tools or botnets.

    Network attacks from the local network could indicate the presence of attackers (possibly including an insider) on the network. Another possibility is that there is a compromised computer on the local network that is either infected with malware or is used by the attacker as a point of presence (if the authentication credentials were compromised earlier).
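The following Python script is an added example, not code from the Kaspersky Lab ICS CERT report. It runs the detection a defender would want for the first two scenarios above over authentication log lines: it flags a source that exceeds a failure threshold within a sliding window (brute force), a successful logon from that same source afterwards (the credentials should then be treated as compromised), and any successful remote session outside an approved maintenance window, which is the "enabled only upon request and for limited periods" control turned into a check. The log lines, their generic format, the thresholds and the maintenance window are all constructed assumptions for the example; no real RAT writes this format.

```python
"""Brute-force and out-of-window session detection over RAT authentication logs.

Added example (not the report's code). The log format below is constructed and
generic; map your RAT's or Windows Security log's fields onto it.
"""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta, timezone
import re

# Constructed sample: one line per authentication attempt against the RAT's
# server part on an ICS host. Assumed format: ISO timestamp, event name, key=value pairs.
SAMPLE_LOG = """\
2018-02-13T03:12:07Z rat-auth src=203.0.113.45 user=engineer result=FAIL
2018-02-13T03:12:09Z rat-auth src=203.0.113.45 user=engineer result=FAIL
2018-02-13T03:12:10Z rat-auth src=203.0.113.45 user=admin result=FAIL
2018-02-13T03:12:12Z rat-auth src=203.0.113.45 user=admin result=FAIL
2018-02-13T03:12:14Z rat-auth src=203.0.113.45 user=operator result=FAIL
2018-02-13T03:12:15Z rat-auth src=203.0.113.45 user=operator result=FAIL
2018-02-13T03:14:40Z rat-auth src=203.0.113.45 user=operator result=OK
2018-02-13T10:05:00Z rat-auth src=192.168.10.20 user=integrator result=OK
2018-02-13T10:06:30Z rat-auth src=192.168.10.21 user=engineer result=FAIL
2018-02-13T10:07:00Z rat-auth src=192.168.10.21 user=engineer result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) rat-auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed policy: how many failures per source within the window count as brute
# force, and the approved maintenance window (UTC) in which remote sessions are expected.
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
MAINTENANCE_WINDOW = (time(9, 0), time(17, 0))


def parse_line(line):
    """Parse one constructed log line into a dict with an aware UTC timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]}


def analyse(log_text):
    """Return a list of (severity, timestamp, source, message) alerts, in log order."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside the window
    brute_forcing = set()                 # sources that crossed the threshold

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ts, src = ev["ts"], ev["src"]

        if ev["result"] == "FAIL":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > BRUTE_FORCE_WINDOW:  # slide the window forward
                q.popleft()
            if len(q) >= BRUTE_FORCE_THRESHOLD and src not in brute_forcing:
                brute_forcing.add(src)
                alerts.append(("HIGH", ts, src,
                               f"{len(q)} failed logons within {BRUTE_FORCE_WINDOW}: brute force"))
            continue

        # Successful logon: success after brute force means the password was
        # probably guessed; a session outside the window was not requested.
        if src in brute_forcing:
            alerts.append(("CRITICAL", ts, src,
                           f"successful logon as {ev['user']} after brute force: "
                           "treat the credentials as compromised"))
        start, end = MAINTENANCE_WINDOW
        if not (start <= ts.time() < end):
            alerts.append(("MEDIUM", ts, src,
                           f"remote session as {ev['user']} outside the maintenance window"))
    return alerts


if __name__ == "__main__":
    for sev, ts, src, msg in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} [{sev}] {src}: {msg}")
```

On the constructed sample the script raises one HIGH alert at the fifth failure from 203.0.113.45, a CRITICAL alert when that source then logs in successfully, and a MEDIUM alert because that session starts at 03:14 UTC. The single failure followed by success from 192.168.10.21 inside working hours raises nothing, which is the point of the threshold: legitimate users mistype passwords, attackers do not stop at one.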

    Attacks on industrial enterprises using RMS and TeamViewer

    In the first half of 2018, Kaspersky Lab ICS CERT identified a new wave of phishing emails disguised as legitimate commercial offers. Although the attacks targeted primarily industrial companies within the territory of Russia, the same tactics and tools can be used in attacks on industrial companies in any country of the world.

    The malware used in these attacks installs legitimate remote administration software on the system — TeamViewer or Remote Manipulator System/Remote Utilities (RMS). In both cases, a system DLL is replaced with a malicious library to inject malicious code into a legitimate program’s process. This provides the attackers with remote control of the infected systems. Various techniques are used to mask the infection and the activity of the software installed on the system.

    If necessary, the attackers download an additional malware pack to the system, which is specifically tailored to the attack on each individual victim. This set of malware may contain spyware, additional remote administration tools that extend the threat actor’s control of infected systems, malware to exploit vulnerabilities in the operating system and application software, as well as the Mimikatz utility, which makes it possible to obtain account data for Windows accounts.

    According to available data, the attackers’ main goal is to steal money from victim organizations’ accounts, but possible attack scenarios are not limited to the theft of funds. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious surveillance of the victim companies’ employees, and record audio and video using devices connected to infected machines. Clearly, on top of the financial losses, these attacks result in leaks of victim organizations’ sensitive data.

    Multiple attacks on an auto manufacturer

    A characteristic example of attacks based on the second scenario was provided by attacks on the industrial network of a motor vehicle manufacturing and service company, in particular, on computers designed to diagnose the engines and onboard systems of trucks and heavy-duty vehicles. Multiple attempts to conduct such attacks were blocked by Kaspersky Lab products.

    A RAT was installed and intermittently used on at least one of the computers in the company’s industrial network. Starting in late 2017, numerous attempts to launch various malicious programs using the RAT were blocked on the computer. Infection attempts were made regularly over a period of several months – 2-3 times a week, at different times of the day. Based in part on other indirect indicators, we believe that RAT authentication data was compromised and used by attackers (or malware) to attack the enterprise’s computers over the internet.

    After gaining access to the potential victim’s infrastructure via the RAT, the attackers kept trying to choose a malicious packer that would enable them to evade antivirus protection.

    The blocked programs included modifications of the malware detected by Kaspersky Lab products as Net-Worm.Win32.Agent.pm. When launched, this worm immediately begins to spread across the local network using exploits for the SMB vulnerabilities fixed by MS17-010 – the same exploits that the Shadow Brokers published in the spring of 2017 and that were used in attacks by the infamous WannaCry and ExPetr cryptors.

    The Nymaim Trojan family was also blocked. Members of this family are often used to download modifications of bot agents from the Necurs family, which in turn have often been used to infect computers with ransomware from the Locky family.

    Conclusion

    Remote administration tools are widely used on industrial networks for ICS monitoring, control and maintenance. The ability to manipulate the ICS remotely significantly reduces maintenance costs, but at the same time, uncontrolled remote access, the inability to provide 100% verification of the remote client’s legitimacy, and the vulnerabilities in RAT code and configuration significantly increase the attack surface. At the same time, RATs, along with other legitimate tools, are increasingly used by attackers to mask malicious activity and make attribution more difficult.

    To reduce the risk of cyberattacks involving RATs, we recommend the following high-priority measures:

    • Audit the use of application and system remote administration tools on the industrial network, such as VNC, RDP, TeamViewer, and RMS / Remote Utilities. Remove all remote administration tools that are not required by the industrial process.
    • Conduct an audit and disable remote administration tools which came with ICS software (refer to the relevant software documentation for detailed instructions), provided that they are not required by the industrial process.
    • Closely monitor and log events for each remote control session required by the industrial process; remote access should be disabled by default and enabled only upon request and only for limited periods of time.
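The audit in the first two recommendations is easiest to start from the host itself. The following Python script is an added example, not code from the report: it correlates the output of the standard Windows commands `netstat -ano` and `tasklist /svc` by PID, identifies remote administration tools from a signature table, and flags each tool that is not on the approved list, that listens on every interface, or that holds an outbound connection to a relay server (the reverse-connection case that bypasses the perimeter firewall). The command output below is constructed, and the signature table (image names, service names, default ports) and the approved list are assumptions for the example; a site should replace them with its own inventory.

```python
"""Audit of remote administration tools on a Windows ICS host.

Added example (not the report's code). Feed it the real output of
`netstat -ano` and `tasklist /svc`; the samples here are constructed.
"""
import re

# Constructed `netstat -ano` output: Proto, Local Address, Foreign Address, State, PID.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2344
  TCP    0.0.0.0:5650           0.0.0.0:0              LISTENING       2980
  TCP    192.168.10.5:49812     198.51.100.10:5938     ESTABLISHED     3120
  UDP    0.0.0.0:5353           *:*                                    1588
"""

# Constructed `tasklist /svc` output: Image Name, PID, Services.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1012 TermService
winvnc.exe                    2344 uvnc_service
rutserv.exe                   2980 RManService
TeamViewer_Service.exe        3120 TeamViewer
svchost.exe                   1588 Dnscache
"""

NETSTAT_RE = re.compile(r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
                        r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")
TASKLIST_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")

# Assumed signature table: (image, service or None for any, label, default
# listening ports, relay ports used for reverse connections). Ports are the
# tools' documented defaults; a site may run them elsewhere.
RAT_SIGNATURES = [
    ("svchost.exe", "TermService", "RDP", {3389}, set()),
    ("winvnc.exe", None, "VNC", {5900}, set()),
    ("rutserv.exe", None, "RMS / Remote Utilities", {5650}, set()),
    ("TeamViewer_Service.exe", None, "TeamViewer", {5938}, {5938}),
]
APPROVED = {"RDP"}  # assumed: only RDP is required by the industrial process here


def parse_netstat(text):
    """Connection dicts; the header has no TCP/UDP prefix and is skipped."""
    return [{"proto": m["proto"], "local": m["local"], "foreign": m["foreign"],
             "state": m["state"] or "", "pid": int(m["pid"])}
            for m in map(NETSTAT_RE.match, text.splitlines()) if m]


def parse_tasklist(text):
    """{pid: {image, services}}; header and ruler lines have no numeric PID."""
    procs = {}
    for m in map(TASKLIST_RE.match, text.splitlines()):
        if m:
            svc = m["services"].strip()
            procs[int(m["pid"])] = {"image": m["image"].strip(),
                                    "services": [] if svc == "N/A" else [s.strip() for s in svc.split(",")]}
    return procs


def port_of(addr):
    """Port of 'host:port' (also '[::]:port'); None for '*:*'."""
    port = addr.rpartition(":")[2]
    return int(port) if port.isdigit() else None


def identify(proc):
    for image, service, label, listen_ports, relay_ports in RAT_SIGNATURES:
        if proc["image"].lower() == image.lower() and (service is None or service in proc["services"]):
            return label, listen_ports, relay_ports
    return None


def audit(netstat_text, tasklist_text, approved=APPROVED):
    """Return (tool label, finding) pairs for every remote administration tool seen."""
    procs = parse_tasklist(tasklist_text)
    findings, reported = [], set()
    for c in parse_netstat(netstat_text):
        sig = identify(procs.get(c["pid"], {"image": "", "services": []}))
        if sig is None:
            continue
        label, listen_ports, relay_ports = sig
        if label not in approved and label not in reported:
            findings.append((label, "not on the approved list: remove or disable it"))
        reported.add(label)
        host, port = c["local"].rpartition(":")[0], port_of(c["local"])
        if c["state"] == "LISTENING":
            if host in ("0.0.0.0", "[::]"):
                findings.append((label, f"listens on all interfaces (port {port}): "
                                        "bind it to the management network or firewall it"))
            if port not in listen_ports:
                findings.append((label, f"listens on non-default port {port}: verify the configuration"))
        elif c["state"] == "ESTABLISHED" and port_of(c["foreign"]) in relay_ports:
            findings.append((label, f"outbound reverse connection to relay {c['foreign']}: "
                                    "reachable from the internet regardless of perimeter NAT/firewall"))
    return findings


if __name__ == "__main__":
    for label, finding in audit(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{label}: {finding}")
```

On the constructed host the audit reports seven findings: VNC and RMS are both unapproved and listening on every interface, TeamViewer is unapproved and has an established reverse connection to a relay, and even the approved RDP service is flagged for listening on all interfaces. Matching svchost.exe on its hosted service name rather than on the image alone is what keeps the Dnscache instance out of the results; a tool inventory that keys only on image names will either miss RDP or flag every svchost.exe.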

    Source:: Securelist

    Panasonic Adopts Inmarsat’s In-Flight Satellite Broadband Platform


    Panasonic (Panasonic Avionics Corporation) has today signed a new deal with UK satellite operator Inmarsat, which will see the company deploying the “high-speed broadband” GX Aviation (Global Xpress) platform to deliver faster in-flight WiFi connectivity to the airlines (passengers) they serve. The Global Xpress network, which promises “consistent performance [and] no drop-outs between satellite beams“, […]

    Source:: ISPreview

    Retail IoT: Amazon to open 3,000 checkout-free stores

    Amazon is reportedly considering a plan to open as many as 3,000 new Amazon Go cashier-less convenience stores worldwide.

    The concept could see the retail and Web services giant move aggressively into bricks and mortar shopping, by disrupting the market for healthy ‘food on the run’ in city centres and transport hubs, suggests Bloomberg.

    If the report is accurate, this would not only pitch Amazon against the metro-style convenience stores of brands such as Sainsbury’s, Tesco, and M&S in the UK, for example, but also cafe-style outlets, such as Pret a Manger.

    Until now, it has been unclear if Amazon plans to open more real-world shops, use its cashier-less technology in the Whole Foods supermarket chain that it owns, or sell it to other retailers via Amazon Web Services (AWS).

    Does ‘no checkout’ check out?

    Either way, checkout-free shopping is set to transform shopping over the next few years. Retailers are exploring a range of options, from self-scanning items via smartphone, to more complex, connected solutions that use sensors and cameras to track shoppers’ movements and decisions in store.

    For example, Amazon’s system detects products that have been moved, places them in a virtual cart, and knows once customers have left the premises. However, the risk in any such system is the potential for losses, dishonesty, and theft.

    In either case, shoppers are billed via their smartphone and connected payment choices, regardless of whether they’ve scanned the items themselves or the store has logged their choices for them.

    Amazon unveiled its first Amazon Go cashier-less store in Seattle in 2016 and has since opened additional sites in the city, along with Chicago. Last week, it announced plans to open a branch in New York. At present, the company is using those outlets to roadtest two subtly different models: a checkout-free convenience store, and a cashier-less takeaway food outlet.

    But Amazon is far from alone in examining the options. Walmart, the world’s biggest retailer, is also exploring next-generation technologies, according to a number of recent patent filings.

    In August, San Francisco start-up Zippin launched what it called its “next-generation checkout-free technology”.

    In order to have the ‘frictionless’ experience that Zippin and others believe urban customers want, users first have to download an app and input details of their preferred payment method. The app contains their store ‘key’ – in the form of a QR code – which they use to gain entry to the shop.

    Overhead cameras follow customers’ movements around the store, while smart-shelf sensors identify which products are picked up – or put back – and when. Items are added to a virtual cart as well as the real-world one.

    On leaving the store, shoppers receive a receipt for all the purchased goods, but the system is also designed to optimise supply chain and logistics processes.

    Last month, the company opened a concept branch in San Francisco’s Soma district, where it is showcasing the technology. Like Amazon, Zippin’s prime focus is convenience stores, along with fast-food restaurants.

    Meanwhile on the high street…

    Also in August, UK supermarket chain Sainsbury’s announced that it is trialling its own approach to checkout-free shopping in one of its London stores.

    The retailer’s SmartShop app allows customers at its Clapham North tube station Local branch to use their smartphones to scan items as they pick them up, then pay for their goods using Apple Pay, by scanning a QR code at the exit.

    SmartShop is already supported by 68 Sainsbury’s supermarkets. However, they currently require shoppers to pay at a designated till point; the Clapham trial takes the technology one step further.

    In August, Sainsbury’s revealed that there are over 100,000 SmartShop transactions and 3,000 to 4,000 new registrations every week, highlighting the enthusiasm for the app among customers for whom frictionless retail is an increasingly attractive concept.

    Earlier this year, the Co-op also announced smartphone-based checkouts, using an app built on Mastercard’s ‘Masterpass’ secure mobile payments technology.

    With the affordability and popularity of recent entrants, such as Lidl and Aldi, eating into the market share of the UK’s supermarket giants, high street names are having to find new ways to differentiate themselves.

    But the real home of cashier-free convenience stores is China, where mobile wallets and apps such as WeChat are already a widely used way of paying for goods and services.

    There, a number of start-ups, such as BingBox, are opening cashier-free stores countrywide. However, the technology used in many tends to be less sophisticated than Amazon’s and Zippin’s, being based less on cameras, sensors, and AI, and more on RFID tags and self-scanning by customers.

    But one company plans to change all that. Chinese e-commerce giant Alibaba is blazing a trail that other retailers may follow. In 2016, its chairman Jack Ma coined the phrase ‘New Retail’ to describe a shopping experience that seamlessly blends online and offline elements.

    In April this year, the company opened a grab-and-go convenience store of its own, Futuremart, at its Hangzhou HQ. The shop operates along much the same lines as Amazon Go and Zippin. And last year, it launched Tao Cafe, a cashier-free coffee shop, open to users of its Taobao e-commerce site.

    But can Amazon win in the West?

    Internet of Business says

    Making shopping more convenient is a sound strategy to pursue, given the fast-paced lifestyles that many city-dwellers pursue, and the ‘need it now’ mentality encouraged by one-click online shopping.

    However, Amazon faces the opposite challenge to the likes of Sainsbury’s and the Co-op in the UK, and Walmart, Target, and Kroger in the US. It needs to spend a vast amount of money to move into the one sector it was set up to undermine: bricks and mortar retail. Talk about squaring the circle.

    Indeed, by moving en masse into main street – aka offline – one could infer that the main problem Amazon has been solving all along has been checkout queues. But can it – and should it – really do that?

    According to Bloomberg, the hardware costs alone of the original Amazon Go convenience store were over $1 million. While those costs wouldn’t necessarily be replicated in each new launch, multiplying that figure by 3,000 creates a notional technology outlay alone of $3 billion, and that’s before the property, regulatory, and other costs associated with thousands of new city centre properties are even considered.

    Then Amazon has to build a logistics, distribution, and delivery network to service thousands of real-world locations. A tough challenge, but Amazon is one of only two trillion-dollar companies in the world, the other being Apple.

    But that’s in terms of market capitalisation, not revenues: the value of its stock could plummet, taking Jeff Bezos’ unrivalled fortune with it (unlikely though that may seem today). In terms of real-world revenues, Walmart is far larger – larger, in fact, than any other company in the world.

    In bricks and mortar retail, on the other hand, companies such as Sainsbury’s, Tesco, Aldi, and Walmart – and even those in other retail sectors, such as Walgreens and Boots – already have the physical stores and the networks to service them. But they lack the technology infrastructure to transform their businesses overnight to a cashier-less model – should they even wish to do so.

    So as ever, this is a clash of cultures and business models: technology and market capitalisation (bits) versus bricks and hard revenues. Place your bets please. As Amazon CEO Jeff Bezos said last week, “If we offer a me-too product, it’s not going to work.”

    Yet the other challenge facing Amazon is much bigger but, at the same time, subtler. And it takes the form of a question: What is this company, and who does it really serve?

    The vast and ever-growing diversity of its business may be deeply impressive, but it also reveals a company that is fast losing focus. Most companies can say who they serve and why – if they can’t, they tend to go out of business.

    At present, the only thing we can say with confidence is that Amazon wants to sell everything to everyone by any and every means necessary. But is that a good idea?

    Plus: Antitrust regulators move in

    In related news, EU antitrust regulators are investigating Amazon’s third-party merchant data.

    Competition commissioner Margrethe Vestager says Amazon hosts yet competes with the merchants and uses their data to help its own sales. The regulators have sent questionnaires to merchants to better understand the issue but have yet to open a formal case against the company.


    Source:: Internet of Business

    Renault unveils autonomous concierge concept for last mile delivery


    French automotive giant Renault has unveiled the EZ-PRO, an autonomous delivery concept that could provide a modular, last-mile option for logistics operators.

    Renault launched the futuristic concept at the Hannover Motor Show this week, highlighting the company’s confidence in this potentially lucrative market.

    The ‘last mile problem’ is a critical challenge for cities, as the boom in online and mobile commerce has caused an influx of petrol- and diesel-powered vans into crowded centres and suburbs, ramping up pollution.

    Companies are exploring a range of solutions, from autonomous electric vehicles to electric bikes and scooters, together with the longer-term promise of drones that can operate beyond visible line of sight (BVLOS).

    The EZ-PRO promises to tackle a number of the challenges faced by both logistics companies and city planners. For starters, the manufacturer’s proposed ‘robo-pods’ could help delivery businesses manage pollution and urban congestion. They also include features designed to meet the expectations of demanding customers.


    An autonomous future with people at its heart?

    Renault’s EZ-PRO is an electric transport platform capable of tapping into smart city infrastructure to better organise deliveries. It consists of an autonomous leader pod and a train of driverless robo-pods. The robo-pods can be customised to suit their freight type.

    The leader pod has been designed to carry a human concierge, who would be on hand to supervise deliveries and focus on “value-added tasks, such as the itinerary planning and the driverless robo-pods, or ensuring efficient and customised service, such as in-person, premium delivery of groceries or fragile objects”, said Renault.

    In the company’s vision, a convoy of EZ-PRO pods would depart from a single hub, managed by the same logistics operator, but ferrying goods for different clients. The same electric, autonomous platform could make a series of deliveries for multiple online stores concurrently to maximise productivity and cut costs.

    To keep customers happy, recipients would be able to select a convenient delivery time and location. The end user could also choose between receiving their parcel from the concierge, or accessing self-service lockers in the driverless pods.

    “Renault EZ-PRO shows our vision of last-mile delivery integrated with the ecosystem of smart cities of tomorrow and the needs of professionals,” said Ashwani Gupta, senior VP of the Renault-Nissan-Mitsubishi LCV Business. “This concept is a solution that would unlock countless opportunities for our various partners.”


    Laurens van den Acker, senior VP of corporate design at the Renault Group, believes the EZ-PRO concept finds the middle ground between an efficient solution and customer-friendly technology.

    “With EZ-PRO, we continue our exploratory work around urban shared mobility of the future,” he said. “Focused on delivery solutions, this autonomous, connected, and electric concept represents the ideal tool, being both a creator of opportunity for professionals, and a facilitator of services for all its users, direct or indirect.

    “It is based on Renault’s expertise in commercial vehicles and on the brand’s DNA, which places people at the heart of its solutions.”

    Internet of Business says

    Whether the system will end up as anything more than a shiny concept illustration remains to be seen. But as with all concept vehicles, it reveals the thinking behind the design and a possible direction of travel for both its maker and the industry.

    While the announcement is short on detail, it does emphasise that Renault is keen to move into logistics and be at the forefront of the driverless revolution. This comes as no surprise following the unveiling of the company’s plans for an electric, autonomous ride-sharing service back in March: the EZ-GO.

    Clearly this is a brand with potential. But is it really so ‘EZ’? As is sometimes the case with concept vehicles, Renault’s solution seems over-engineered and unnecessarily complex, particularly for crowded streets and difficult-to-access addresses.

    This demonstrates that the last-mile challenge is tough to meet, especially in old cities that were never designed for 21st Century lifestyles. Indeed, few were designed at all.


    Source:: Internet of Business