MITRE Engenuity to strengthen critical infrastructure

MITRE has launched a tech foundation to advance its mission of solving problems for a safer world by working with the private sector to strengthen critical infrastructure. The foundation provides MITRE a new pathway to work with industry, academia, and other organizations beyond its work with the federal government. MITRE Engenuity is a distinct, not-profit company with a separate board of directors and private funding. “MITRE has a history of transforming cybersecurity standards, improving aviation … More

The post MITRE Engenuity to strengthen critical infrastructure appeared first on Help Net Security.

F-Secure integrates its cyber security software into Zyxel’s residential gateways and devices

Zyxel Communications, a leading provider of secure broadband networking, Internet access and connected home products, announced it has teamed up with F-Secure to integrate the company’s award-winning cyber security software into Zyxel’s residential gateways and devices. The integration of F-Secure’s software with Zyxel’s world-class hardware enables service providers to deliver secure high-speed broadband and WiFi connectivity to their subscribers while protecting them from a growing array of cyber attacks targeting their connected home devices. Zyxel … More

The post F-Secure integrates its cyber security software into Zyxel’s residential gateways and devices appeared first on Help Net Security.

Devo and Demisto deliver increased visibility and shortened investigation and incident response times

Devo Technology, the data analytics company that unlocks the full value of machine data for the world’s most instrumented enterprises, announced a product integration with Demisto, a Palo Alto Networks company and leader in security orchestration, automation, and response (SOAR). The integration delivers increased visibility and shortened investigation and incident response times. By providing a better workflow, Devo and Demisto empower analysts and improve the effectiveness of the Security Operations Center (SOC). Together, Devo and … More

The post Devo and Demisto deliver increased visibility and shortened investigation and incident response times appeared first on Help Net Security.

Smashing Security #154: A buttock of biometrics

The UK’s Labour Party kicks off its election campaign with claims that it has suffered a sophisticated cyber-attack, Apple’s credit card is accused of being sexist, and what is Google up to with Project Nightingale?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by John Hawes.

The Chertoff Group and Dragos providing risk management for industrial organizations

The Chertoff Group and Dragos announced the formation of a unique alliance that will provide a holistic approach to cybersecurity risk management for industrial organizations seeking to protect critical infrastructure environments from today’s constantly evolving cyber threats. The Chertoff Group is combining its policy intelligence, technology expertise and vast experience communicating threats to executives with Dragos’ industrial control system (ICS) expertise and best-in-class asset identification, threat detection and response platform. This alliance between two of … More

The post The Chertoff Group and Dragos providing risk management for industrial organizations appeared first on Help Net Security.

Indegy and Owl Cyber Defense address secure sharing of OT data with IT security systems

Indegy, a leading provider of security solutions for industrial control system (ICS) and operational technology (OT) environments, and Owl Cyber Defense Solutions, the global market leader in data diode network cybersecurity solutions, announced a partnership to provide the safe unification of OT security data with IT monitoring systems. The tested and certified joint Indegy-Owl solution gives customers the confidence of knowing that their OT network is physically inaccessible from the external network while being monitored … More

The post Indegy and Owl Cyber Defense address secure sharing of OT data with IT security systems appeared first on Help Net Security.

Better Together: How Pen Testing Helps Take Vulnerability Assessments to the Next Level

While many inaccurately use vulnerability scans or vulnerability assessments as terms that are synonymous with penetration tests, others explain the differences as though you have to choose between the two. Vulnerability assessments are tools that search for and report on what known vulnerabilities are present in an organization’s IT infrastructure. Penetration tests, on the other hand, as they relate to vulnerability assessments, are conducted by testers who investigate if the vulnerability can be exploited, and the severity of that potential harm. Pen testing can make vulnerability assessments more valuable by identifying the likelihood a vulnerability can be compromised, as well as any associated risk if it is exploited. This provides vulnerability program managers a way to prioritize and manage risk more effectively.

Vulnerability Scans, CVEs, and the CVSS

There are many different vulnerability scanners to choose from—Burp Suite Professional, Nessus, and Qualys, to name a few. While there are distinct differences between them, in general, vulnerability scanners are relatively straightforward: they examine an environment, and upon completion, create a report of the vulnerabilities uncovered. These scanners often list these vulnerabilities using CVE identifiers.

The Common Vulnerabilities and Exposures (CVE) system is a reference list providing an id number, description, and instance of known vulnerabilities. The CVE system has become the standard method for classifying vulnerabilities, used by the U.S. National Vulnerability Database (NVD) and other databases around the globe. For instance, the well-known Microsoft vulnerability, BlueKeep, is known as CVE-2019-0708.

These CVEs are also given a rating using the Common Vulnerability Scoring System (CVSS) to distinguish how severe these vulnerabilities are on a scale of 0-10, calculated using six metrics: access vector, attack complexity, authentication, confidentiality, integrity, and availability. Vulnerabilities on the lowest end of the spectrum typically have a very low risk of impacting the system. On the high end of the spectrum, the risk is deemed to be much larger for a variety of reasons. The BlueKeep vulnerability, for example, is ranked at 10.0, as it allows remote code execution, permitting an attacker to gain access no matter where the device is located.

When a vulnerability scanner produces a report, with the assistance of these descriptions and scores, it should be easy to identify what vulnerabilities to focus on, right? Unfortunately, it’s not quite so simple. Scanners can uncover thousands of vulnerabilities, so there may be enough severe vulnerabilities that further prioritization is needed. Additionally, these scores do not account for the circumstances of each individual IT environment. This is where penetration tests can help.

Vulnerability Management Augmented with Penetration Tests

While vulnerability scans provide a valuable picture of what vulnerabilities are present, penetration tests can add further insight to this picture with additional context, by seeing if these vulnerabilities could be leveraged to gain access within your environment. Organizations often have compensating controls like firewalls, AV, Endpoint Detection and Response (EDR), or other data loss prevention tools in place that offset the risk of some of these vulnerabilities. Alternately, a CVE with a severe rating that can only be exploited with direct access to the machine, is not going to be an issue if physical access to it is highly controlled, like being in a server room with very limited access.

On the other hand, organizations usually don’t have compensating controls in place for all vulnerabilities. Pen testing helps determine if compensating controls are in place and working effectively.

 Pen testing can also help determine the risk associated with vulnerabilities with lower scores. On the surface, a vulnerability may not look that impactful, but if it can be leveraged, and used as a “pivot point” to reach other vulnerabilities or resources, it could have significant consequences on the organization. By supplementing your vulnerability scans with a penetration test, you can prioritize the risk associated with your vulnerabilities to better suit the needs of your organization. This allows for better remediation planning, since the focus is on what poses real risk, versus focusing on just the scores of the vulnerabilities.

Critical vulnerabilities may also have a patch developed by the vendor that will fix the issue, as well. However, a patch may not be properly implemented, or the version of the software doesn’t change with the patch, so testing is valuable in determining if it is properly deployed and present. For instance, a machine may not be rebooted right away, for a variety of reasons, so while the patch is identified as being present by a vulnerability scanner, it may not be working. A penetration test can determine the status of the patch. BlueKeep has the potential to be a particularly destructive example of this issue. Though a patch has been created and released, there are continued reports of it being exploited for cryptojacking, just as NotPetya had a patch available but still cost millions in ransomware attacks.

In addition to more insights, time can be saved with vulnerability scans and pen test tools that can be integrated to work together. Core Impact can import data from most vulnerability scanners, so you can rapidly evaluate a scan's output and provide a prioritized remediation plan of your system's weaknesses based on real-world risk. While vulnerability scans are valuable on their own, augmenting with penetration testing maximizes their effectiveness, ensuring that you remediate not just severe vulnerabilities, but vulnerabilities that are introducing significant risk into your infrastructure.


Penetration testing
Big text: 
Resource type: 
Are you ready to take your vulnerability scans to the next level?

Easily pair your assessments with Core Impact. See Core Impact's streamlined integration of vulnerability scanners for yourself with a live demo from one of our experts.

A flaw in PMx Driver can give hackers full access to a device

Eclypsium experts found a vulnerability affecting the popular PMx Driver Intel driver that can give malicious actors deep access to a device.

In August, Eclypsium researchers found multiple serious vulnerabilities in more than 40 device drivers from tens of vendors, including AMI, ASRock, ASUS, ATI, Biostar, EVGA, Getac, Gigabyte, Huawei, Insyde, Intel, MSI, NVIDIA, Phoenix Technologies, Realtek, SuperMicro and Toshiba.

The experts warn that the vulnerabilities that can be exploited by attackers to deploy persistent backdoor on vulnerable systems.

The experts pointed out that since they reported the issued to the vendor, only Intel and Huawei addressed them with patches and advisories, while Insyde and Phoenix provided patches to their OEM customers.

According to Eclypsium, Intel addressed a vulnerability in its PMx Driver (PMxDrv). The vulnerability could be exploited to have full access to the devices. The driver implements a superset of all the capabilities including read and write to physical memory, model specific registers, control registers, IDT and GDT descriptor tables, debug registers, gain I/O and PCI access.

“This level of access can provide an attacker with near-omnipotent control over a victim device. Just as importantly, this capability has been included as a staple component of many Intel ME and BIOS related toolsets going back to 1999.” reads the analysis published by Eclypsium.”Ironically, the very tool released by Intel to detect and mitigate a recent AMT vulnerability included the vulnerable driver as part of the toolset used to solve the AMT issue.”

Experts recommend users and organizations to enable Hypervisor-protected Code Integrity (HVCI) for devices that support the feature.

This option will only work with 7th generation or newer processor, new processor features such as mode-based execution control, this means it will not possible to enable HVCI on many devices.

The only universally effective possible consist of blocking or blacklisting old, known-bad drivers.

“The only universally available option possible today is to block or blacklist old, known-bad drivers. To this end, we would like to specifically commend the response of Insyde Software, a UEFI firmware vendor. Of the 19 vendors we notified early this summer, Insyde is the only vendor to date to proactively contact Microsoft and ask that the old version of the driver be blocked.” concludes the report. “Due to this request, Windows Defender will proactively quarantine the vulnerable version of the driver so it can’t cause damage to the system.”

Pierluigi Paganini

(SecurityAffairs – PMx Driver, hacking)

The post A flaw in PMx Driver can give hackers full access to a device appeared first on Security Affairs.

Multi-Party Cyber-Incidents Cost 13x More Than Single-Party Incidents

Multi-Party Cyber-Incidents Cost 13x More Than Single-Party Incidents

A new study has found that the financial losses caused by cyber-incidents affecting multiple parties are vastly more devastating than those that stem from any single-party incident. 

According to the Ripples Across the Risk Surface study, published today by Cyentia Institute, when compared to losses triggered by a single-party incident, the ripple effect costs that occur following multi-party incidents result in a total loss that is a whopping 13 times greater. 

Extreme losses, which sit above the 95th percentile, show an even larger discrepancy, with a loss of $16m for single-party incidents versus $417m for multi-party incidents.

The in-depth study, sponsored by RiskRecon, analyzed data from 813 cyber-incidents and closely examined their impact on numerous downstream organizations, described as secondary victims. A cyber-incident is defined in the study as an "event that compromises the confidentiality, integrity, or availability of an information asset."

The objective of this first-of-its-kind study was to raise market awareness of the far-reaching effects an incident such as a data breach can have as a result of the hyper-interdependencies of organizations.

Researchers plumbed historical data relating to 90,000 cyber-events from the cyber-loss database Advisen, finding that since 2008, 813 cyber-incidents had occurred in which at least three organizations were primary victims. 

As a result of these multi-party cyber-incidents, a further 5,437 downstream loss events occurred in which secondary organizations were impacted. In fact, downstream entities affected by multi-party incidents outnumbered primary victims by 850%.

In one single incident examined by researchers, 131 different organizations were affected. 

Researchers found that secondary organizations could be faced with losses equal to those experienced by primary victims. 

"Our analysis reveals little difference between losses reported by primary and secondary victim organizations of a cyber incident. This suggests that another firm’s breach could impact your organization just as much (or worse) than a breach of your own systems," wrote researchers. 

Analysis into the specific industries most severely impacted by ripple events was conducted through Cyentia Institute’s adoption of the North American Industry Classification System. Based on this data, the sectors that possess the highest concentration of personal data and information (credit bureaus, banks, collection agencies, and hotels) account for nearly 60% of all organizations generating ripple effects. 

"Most breach research doesn’t explain the downstream impact of ripple events and that these incidents no longer simply impact a single organization," said Kelly White, CEO and co-founder of RiskRecon.  

"Lacking proper third-party risk controls can contaminate the entire enterprise ecosystem where sensitive data is stored and shared."

Researchers projected that multi-party incidents will increase at an average rate of 20% per year.

IRS to Mount Epic Cyber-Safety Campaign

IRS to Mount Epic Cyber-Safety Campaign

America's Internal Revenue Service is to launch a large-scale cyber-safety campaign to coincide with the busiest shopping period of the year.

According to the website, the campaign by the IRS will begin on the Monday after Thanksgiving, commonly known to bargain hunters as Cyber Monday. 

"The campaign will emphasize to practitioners and taxpayers the potential dangers they face during the holiday shopping season and the filing season ahead," said Stephen Mankowski, national tax chair of the National Conference of CPA Practitioners.

"National Tax Security Awareness Week 2019 is slated to begin on Cyber Monday and run from December 2 through December 6," he continued. "This is the heaviest period of time when people are online and when phishing is most common."

YouTube videos will form a key part of the campaign, which will strongly urge taxpayers to only make purchases from known vendors and to regularly check their bank statements for any suspicious activity. 

Mankowski said that continued widespread ignorance of security best practices had been flagged as a concern during a recent meeting he attended with government officials in Washington, DC.

"During the recent Tax Forums, the IRS noted that a lot of people still are not aware of the basics of data security," he said. "The IRS has been making some headway, but much more is needed."

The news follows last month's efforts by the IRS to raise cybersecurity awareness within families as part of National Work and Family Month. 

On October 22, the IRS urged families and teens to stay vigilant in protecting personal information while connected to the internet. 

An IRS spokesperson wrote: "During National Work and Family Month, IRS is asking parents and families to be mindful of all the pitfalls that can be found by sharing devices at home, shopping online and through navigating various social media platforms. Often, those who are less experienced can put themselves and others at risk by leaving an unnecessary trail of personal information for fraudsters."

Cybersecurity "common-sense suggestions" shared by the IRS on their website include advice to always use a virtual private network when connecting to public Wi-Fi, a recommendation to encrypt sensitive files such as tax records stored on computers, and an admonition not to share personal information such as birthdate, address, age, and Social Security numbers online.

Researchers Describe Significant Flaw in Intel’s PMx Driver

Intel Has Fixed Vulnerability That Allows for 'Near-Omnipotent Control' of Device
Researchers at Eclypsium have revealed new details concerning a significant flaw in Intel's PMx driver, which they say could give attackers "near-omnipotent" control over devices. Intel has released an updated version of the driver, a key step in mitigating risks.

Facebook Bug Turns on iPhone Cameras

Facebook Bug Turns on iPhone Cameras

Users of the Facebook app have complained after discovering a bug that causes their iPhone cameras to activate in the background when they use the app. 

Multiple people have taken to Twitter to report that using the Facebook app on their iPhone has caused the device's rear camera to switch on and run in the background.

Eagle-eyed users noted that the problem seemed to occur as they looked at photos and watched videos that appeared on their newsfeed.

It isn't clear whether the cameras activated by the bug were recording what they observed.

The earliest incident relating to the bug was recounted on Twitter by software tester @neo_qa on November 2. 

The concerned Facebook user wrote: "Today, while watching a video on @facebook, I rotated to landscape and could see the Facebook/Instagram Story UI for a split second. When rotating back to portrait, the Story camera/UI opened entirely. A little worrying . . ."

CNET were able to replicate the bug, and other Facebook users chimed in to say that they had experienced the same issue, with one Twitter user, @selw0nk, quipping that "It's not a bug, it's a feature."

At the beginning of this week, more users of Facebook took to Twitter to report another bug that seems to be affecting the latest version of the iOS. 

This time, users said that when they navigated away from an image they had opened in the Facebook app, they could see a thin slice of the camera's viewfinder. From this, they concluded that whenever the Facebook app is opened, the camera is activated in the background.

Twitter user @JoshuaMaddux wrote on November 10: "Found a @facebook #security & #privacy issue. When the app is open it actively uses the camera. I found a bug in the app that lets you see the camera open behind your feed. Note that I had the camera pointed at the carpet."

The camera-related bugs have added fuel to the fire for people who believe that it's within the realm of possibility that Facebook might deliberately record its users as a way to gather information or target advertisements. 

After a week of silence regarding the first camera bug, Facebook's vice president of integrity Guy Rosen responded on Twitter to Maddux's November 10 tweet about the second bug. 

From his Android device, Rosen wrote: "Thanks for flagging this. This sounds like a bug, we are looking into it."

In a later tweet, Rosen said the camera bug had been created when an earlier bug was fixed.

"We recently discovered our iOS app incorrectly launched in landscape," Rosen wrote. 

"In fixing that last week in v246 we inadvertently introduced a bug where the app partially navigates to the camera screen when a photo is tapped. We have no evidence of photos/videos uploaded due to this."

Rosen later confirmed that nothing was uploaded to Facebook as a result of the camera-related bugs, because the camera was in preview mode. 

A fixed version of the app was submitted to the App Store yesterday.

Dr. Richard Gold, head of security engineering at Digital Shadows, commented: "Bugs such as these erode the already fragile trust between companies and the public, even though their origin might be completely innocuous."

Shoring Up Your Network and Security Policies: Least Privilege Models

Reading Time: ~ 3 min.

Why do so many businesses allow unfettered access to their networks? You’d be shocked by how often it happens. The truth is: your employees don’t need unrestricted access to all parts of our business. This is why the Principle of Least Privilege (POLP) is one of the most important, if overlooked, aspects of a data security plan. 

Appropriate privilege

When we say “least privilege”, what we actually mean is “appropriate privilege”, or need-to-know. Basically, this kind of approach assigns zero access by default, and then allows entry as needed. (This is pretty much the opposite of what many of us are taught about network access.) But by embracing this principle, you ensure that network access remains strictly controlled, even as people join the company, move into new roles, leave, etc. Obviously, you want employees to be able to do their jobs; but, by limiting initial access, you can minimize the risk of an internal breach.

If you haven’t already, now is the perfect time to take a look at your network access policies. After all, it’s about protecting your business and customers—not to mention your reputation.

Listen to the podcast: Episode 6 | Shoring Up Your Network Security with Strong Policies to learn more about implementing the Principle of Least Privilege and other network security best practices.

Navigating the difficult conversations around access control

It’s no surprise that employees enjoy taking liberties at the workplace. In fact, Microsoft reports that 67% of users utilize their own devices at work. Consequently, they may push back on POLP policies because it means giving up some freedom, like installing personal software on work computers, using their BYOD in an unauthorized fashion, or having unlimited usage of non-essential applications.

Ultimately, you need to prepare for hard conversations. For example, you’ll have to explain that the goal of Principle of Least Privilege is to provide a more secure workplace for everyone. It’s not a reflection on who your employees are or even their seniority; it’s about security. So, it’s essential for you, the MSP or IT leader, to initiate the dialogue around access control––often and early. And, at the end of the day, it’s your responsibility to implement POLP policies that protect your network.

Firewalls and antivirus aren’t enough 

There’s a common misconception in cybersecurity that the firewall and/or antivirus is all you need to stop all network threats. But they don’t protect against internal threats, such as phishing or data theft. This is where access policies are necessary to fill in the gaps.

Here’s a prime example: let’s say you have an employee whose job is data entry and they only need access to a few specific databases. If malware infects that employee’s computer or they click a phishing link, the attack is limited to those database entries. However, if that employee has root access privileges, the infection can quickly spread across all your systems.

Cyberattacks like phishingransomware, and botnets are all designed to circumvent firewalls. By following an appropriate privilege model, you can limit the number of people who can bypass your firewall and exploit security gaps in your network.

Tips to achieve least privilege

When it comes to implementing POLP in your business, here are some tips for getting started:

  • Conduct a privilege audit. Check all existing accounts, processes, and programs to ensure that they have only enough permissions to do the job.
  • Remove open access and start all accounts with low access. Only add specific higher-level access as needed.
  • Create separate admin accounts that limit access. 
    • Superuser accounts should be used for administration or specialized IT employees who need unlimited system access. 
    • Standard user accounts, sometimes called least privilege user accounts (LUA) or non-privileged accounts, should have a limited set of privileges and should be assigned to everyone else.
  • Implement expiring privileges and one-time-use credentials.
  • Create a guest network leveraging a VPN for employees and guests.
  • Develop and enforce access policies for BYOD or provide your own network-protected devices whenever possible.
  • Regularly review updated employee access controls, permissions, and privileges.
  • Upgrade your firewalls and ensure they are configured correctly.
  • Add other forms of network monitoring, like automated detection and response.

The post Shoring Up Your Network and Security Policies: Least Privilege Models appeared first on Webroot Blog.

Russian National Charged in Payment Card Scheme

DoJ Says Aleksey Burkov, Who Was Extradited This Week, Ran 'Cardplanet' Site
The U.S. Justice Department Tuesday unsealed an indictment charging Russian national Aleksey Burkov with running an underground site called "Cardplanet" that acted as a clearinghouse for stolen payment card data. Burkov arrived in the U.S. Tuesday after being extradited by Israel.

New ZombieLoad v2 Attack Affects Intel’s Latest Cascade Lake CPUs

Zombieload is back. This time a new variant (v2) of the data-leaking side-channel vulnerability also affects the most recent Intel CPUs, including the latest Cascade Lake, which are otherwise resistant against attacks like Meltdown, Foreshadow and other MDS variants (RIDL and Fallout). Initially discovered in May this year, ZombieLoad is one of the three novel types of microarchitectural data

SECURITY ALERT: Trickbot Launches BEC Attacks with Fake #MeToo Harassment Claims

Security researchers witnessed and reported on a Trickbot resurgence in the past few days. Apparently, now Trickbot launches BEC attacks carefully targeting important people within US-based organizations. Key people within the targeted organizations receive highly worrying emails claiming that someone at work filed a sexual harassment complaint against them.

The emails are allegedly coming from the U.S. Equal Employment Opportunity Commission (EEOC), exactly the authority which deals with such complaints. The messages are looking official enough not to arouse suspicions right away. The hackers behind this new Trickbot campaign are really choosing their victims in a smart way, from the upper tier of businesses and organizations.

Here is how Trickbot aims to wreak havoc now and how to recognize it.

How Trickbot Launches BEC Attacks and How the Emails Looks Like

Over time, Trickbot achieved notoriety with its capacity to adapt and change strategy. Either it was targeting the financial sector (in the beginning), or gaining internet worm abilities, or spoofing trusted brands like Dropbox, or learning to disable Windows Defender. The attackers behind Trickbot were always creative and knowledgeable, which is how Trickbot managed to surpass Emotet and become the biggest malware threat today.

In its newest tactic, Trickbot now sends emails claiming to be on behalf of the U.S. Equal Employment Opportunity Commission, due to an alleged complaint against the target made by a colleague. In order to find out who accused them of sexual misconduct in the workplace, the victim has to open the email attachment.

sample phishing email

The caption of the fake Trickbot BEC email, via 

The name of the attachment is something along the lines of Name_of_Victim – Harassment complaint letter (phone 111-222-3333).doc.  Within that attachment, Trickbot is hiding, ready to infect the victim’s machine and potentially breach the network of the entire organization.

There are some other signs that something is amiss in the new Trickbot campaign. If the emails are analyzed carefully, one can notice spelling mistakes and all the things that usually give fake emails away.

Sadly, this newest instance of spear-phishing found a goldmine of social emotion to exploit: fear. Nothing new on this count, since that’s how all kinds of social engineering attacks work, by exploiting common human emotions and drives.

But lately, hackers are really upping their game on this account: last week it was fake court subpoenas, today it is fake sexual harassment complaints.

How to Protect Yourself from This New Wave of Trickbot Attacks and Spear-Phishing in General

No matter how urgent and serious an email seems to be, don’t click links and don’t open attachments if it’s about something out of the ordinary. That sense of urgency and seriousness is exactly what hackers are aiming for.

Don’t click on links and attachments until you check the validity of the email through alternate means. These alternate means can include: getting in touch with the legitimate sender over phone / new email thread / social media accounts, checking with the police or your cybersecurity provider, running the email through an email security tool that protects against BEC attacks and so on.

Final Words

Personally, I am very saddened to see that Trickbot contributes to a #MeToo-like panic with these fake sexual harassment claims scare. I think that there’s this pervasive and really damaging myth, that the current campaign against sexism and harassment in the workplace can somehow make victims out of innocent men. While it’s wise to never say never, this is highly unlikely, and decent people really do not have anything to worry about.

But the way Trickbot launches BEC and phishing attacks now is capitalizing on this damaging myth and is also helping to spread it, unfortunately. My advice to anyone, regardless of the exact nature of a worrisome email you are receiving, is to not believe anything until you investigate.

Stay safe!

The post SECURITY ALERT: Trickbot Launches BEC Attacks with Fake #MeToo Harassment Claims appeared first on Heimdal Security Blog.

Orcus RAT Author Charged in Malware Scheme

In July 2016, KrebsOnSecurity published a story identifying a Toronto man as the author of the Orcus RAT, a software product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. This week, Canadian authorities criminally charged him with orchestrating an international malware scheme.

An advertisement for Orcus RAT.

The accused, 36-year-old John “Armada” Revesz, has maintained that Orcus is a legitimate “Remote Administration Tool” aimed at helping system administrators remotely manage their computers, and that he’s not responsible for how licensed customers use his product.

In my 2016 piece, however, several sources noted that Armada and his team were marketing it more like a Remote Access Trojan, providing ongoing technical support and help to customers who’d purchased Orcus but were having trouble figuring out how to infect new machines or hide their activities online.

Follow-up reporting revealed that the list of features and plugins advertised for Orcus includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

Canadian investigators don’t appear to be buying Revesz’ claims. On Monday the Royal Canadian Mounted Police (RCMP) announced it had charged Revesz with operating an international malware distribution scheme under the company name “Orcus Technologies.”

“An RCMP criminal investigation began in July 2016 after reports of a significant amount of computers were being infected with a ‘Remote Access Trojan’ type of virus,” the agency said in a statement.

The RCMP filed the charges eight months after executing a search warrant at Revesz’ home, where they seized several hard drives containing Orcus RAT customer names, financial transactions, and other information.

“The evidence obtained shows that this virus has infected computers from around the world, making thousands of victims in multiple countries,” the RCMP said.

Revesz did not respond to requests for comment.

If Revesz’s customers are feeling the heat right now, they probably should be. Several former customers of his took to Hackforums[.]net to complain about being raided by investigators who are trying to track down individuals suspected of using Orcus to infect computers with malware.

“I got raided [and] within the first 5 minutes they mention Orcus to me,” complained one customer on Hackforums[.]net, the forum where Revesz principally advertised his software. That user pointed to a March 2019 media advisory released by the Australian Federal Police, who said they’d executed search warrants there as part of an investigation into RAT technology conducted in tandem with the RCMP.

According to Revesz himself, the arrests and searches related to Orcus have since expanded to individuals in the United States and Germany.

The sale and marketing of remote administration tools is not illegal in the United States, and indeed there are plenty such tools sold by legitimate companies to help computer experts remotely administer computers.

However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.

Last year, a 21-year-old Kentucky man pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” which experts say was used by thousands of customers to gain access to tens of thousands of computers across 78 countries worldwide.

Also in 2018, 27-year-old Arkansas resident Taylor Huddleston was sentenced to three years in jail for making and selling the “NanoCore RAT,” which was being used to spy on webcams and steal passwords from systems running the software.

In many previous law enforcement investigations targeting RAT developers and sellers, investigators also have targeted customers of these products. In 2014, the U.S. Justice Department announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a cheap and powerful RAT that the U.S. government said was used to infect more than a half million computers worldwide.

It’s remarkable how many denizens of various hacking forums persist in believing that an end-user licensing agreement (EULA) or “terms of service” (TOS) disavowing any responsibility for what customers do with the product somehow absolves sellers of RAT programs of any liability when they then turn around and actively assist customers in using the tools to infect systems with malware.

New TSX Speculative Attack allows stealing sensitive data from latest Intel CPUs

ZombieLoad 2, aka TSX Asynchronous Abort, is a new flaw that affects the latest Intel CPUs that could be exploited to launch TSX Speculative attack.

ZombieLoad 2, aka TSX Asynchronous Abort, is a new vulnerability tracked as CVE-2019-11135 that affects the latest Intel CPUs that could be exploited to launch TSX Speculative attack.

The flaw affects the Transactional Synchronization Extensions (TSX) feature in Intel processors, it could be exploited by a local attacker or a malicious code to steal sensitive data from the underlying operating system kernel.

The ZombieLoad 2 attack also targets the speculative execution implemented in modern CPU to improve performance.

In the past months, security researchers devised several speculative -channel RIDL (Rogue In-Flight Data Load), Fallout, Microarchitectural Data Sampling (MDS attacks), and ZombieLoad.

Unlike Meltdown, Spectre, and Foreshadow attacks, MDS attacks target CPU’s microarchitectural data structures.

News of the day is that a new version of the ZombieLoad attack was devised by researchers, it also impacts processors in the Intel Cascade Lake CPU family that are not impacted by other attacks.

The Zombieload 2 attack only affects CPU supporting the Intel TSX instruction-set extension, a condition that is true in all Intel CPUs manufactured since 2013.

The TSX feature allows improving performance by leveraging a hardware transactional memory, any operation on this memory doen’t impact on the overall performance of the systems.

“The TSX Asynchronous Abort (TAA) vulnerability is similar to Microarchitectural Data Sampling (MDS) and affects the same buffers (store buffer, fill buffer, load port writeback data bus).” reads the security advisory published by Intel.

“Intel TSX supports atomic memory transactions that are either committed or aborted. When an Intel TSX memory transaction is aborted, either synchronously or asynchronously, all earlier memory writes inside the transaction are rolled back to the state before the transaction start. While an Intel TSX asynchronous abort (TAA) is pending, certain loads inside the transaction that are not yet completed may read data from microarchitectural structures and speculatively pass that data to dependent operations. This may cause microarchitectural side effects, which can later be measured to infer the value of the data in the microarchitectural structures.”

Experts discovered that aborting memory transactions may allow processes to compute the data found in other running processes, including operating system kernel data. An attacker could exploit the flaw to steal sensitive data, including passwords and encryption keys.

The following video shows a ZombieLoad MDS attack:

Additional technical details are available on the Zombieload website.

Pierluigi Paganini

(SecurityAffairs – TSX Speculative Attack, hacking)

The post New TSX Speculative Attack allows stealing sensitive data from latest Intel CPUs appeared first on Security Affairs.

Rainy Day Windows Command Research Results

Sally Vandeven // We have all heard people talk about how much cooler Linux is than Windows, so much easier to use, etc. Well, they are not necessarily wrong… but we have learned that Microsoft has some very interesting gems hiding in plain sight. Seriously, Microsoft seems to be making a concerted effort to add some […]

The post Rainy Day Windows Command Research Results appeared first on Black Hills Information Security.

Microsoft to honor California’s digital privacy law all through the U.S.

In the absence of a federal digital privacy law, Microsoft has decided to comply with the requirements of California’s Consumer Privacy Act (CCPA) throughout the U.S. The CCPA in short The CCPA goes into effect on January 1, 2020, and says that California residents (consumers) have the right to know what personal data is being collected about them and access it, to know whether their data is sold or disclosed (and to whom), to demand … More

The post Microsoft to honor California’s digital privacy law all through the U.S. appeared first on Help Net Security.

Adobe patch Tuesday updates addressed critical flaws in Media Encoder and Illustrator products

Adobe patch Tuesday updates addressed a total of 11 vulnerabilities affecting its Animate, Illustrator, Media Encoder and Bridge products.

Adobe patch Tuesday updates addressed a total of 11 flaws affecting its Animate, Illustrator, Media Encoder and Bridge products.

“Adobe has published security bulletins for Adobe Animate CC (APSB19-34), Adobe Illustrator CC (APSB19-36), Adobe Media Encoder (APSB19-52) and Adobe Bridge CC (APSB19-53). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.” reads the advisory published by Adobe.

The good news is that all the vulnerabilities fixed by Adobe are unlikely to be exploited, the company also confirmed that it is not aware of attacks in the wild exploiting them.

5 out of 11 vulnerabilities addressed by Adobe have been rated as critical:

Adobe Media Encoder

  • CVE-2019-8246 – Out-of-bounds Write issue that could lead to arbitrary code execution on Windows and macOS

Adobe Illustrator CC

  • CVE-2019-8247 is a memory corruption issue that could lead to arbitrary code execution on Windows and macOS.
  • CVE-2019-8248 is a memory corruption issue that could lead to arbitrary code execution on Windows and macOS

Adobe credited independent researchers from NSFOCUS, Qihoo 360 and Fortinet for reporting the vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – Adobe Patch Tuesday updates, hacking)

The post Adobe patch Tuesday updates addressed critical flaws in Media Encoder and Illustrator products appeared first on Security Affairs.

Labour Party DDoS Cyber Attacks

It was just a matter of time before cyberattacks were catapulted into the forefront of the UK 2019 General Election campaign, with two cyber-attacks on the Labour Party in the last two days.

It was reported the Labour Party was targeted by two separate Distributed Denial of Service (DDoS) attacks. Labour have not publically disclosed which of its digital systems were targetted by the DDoS attacks, but it is understood cyber attacks impacted the speed of their election and campaigning tools on Monday.

A Labour spokeswoman said: “We have ongoing security processes in place to protect our platforms, so users may be experiencing some differences. We are dealing with this quickly and efficiently.” Following reports of a second cyber-attack, a Labour Party spokesperson said: "We have ongoing security processes in place to protect our platforms, so users may be experiencing some differences. We are dealing with this quickly and efficiently."

The National Cyber Security Centre (NCSC) has warned all political parties about the high likelihood of being targeted with cyberattacks during elections for years. An NCSC spokesman said the Labour Party followed the correct procedure and notified them swiftly of Monday's cyber-attack, adding: "The attack was not successful and the incident is now closed".

Despite the apparent 'failure' of this attack, it raises important questions around the security of data ahead of the vote: Who is behind this attack? What is the intended outcome? Do political parties have the required level of security to ward off nation-state hackers?

A Labour source said the attacks came from computers in Russia and Brazil, but given it was a DDoS attack, that attack source is likely from 'zombie' controlled computers, so the countries cited as generating the network traffic on mass against the Labour Party IT systems have no bearing on who the culprit behind the attacks is. The DDoS attacks such as these can be orchestrated from any part of the world, so the culprit could be anyone from a nation-state offensive cyber team to a bored 14-year-old kid sat in a bedroom.

DDoS Cyber Attack Explained
Zombie Computers
A zombie computer is where malware with ‘command and control software” has inflected a computer, which allows the computer to be remotely controlled by a hacker over the internet to perform malicious tasks. Computer users are typically unaware their computer is infected and is being controlled. Where hackers infect and control computers on mass over the internet, it is known as a botnet.

Botnets can have tens and even hundreds of thousands of computers remotely controlled by a hacker. Such botnets are used to send spam and phishing emails, and to perform Distributed Denial of Service DDoS) attacks. A DDoS attack is where a hacker instructs computers within the botnet to send network traffic to a website or server, at the same time, to flood server(s) with so much network traffic the server or website is unable to provide a service or function.

Terry Greer-King, VP EMEA at SonicWall said, "This morning’s ‘failed’ cyber attack on the Labour Party underscores the fact that we are living in an era where political attacks are business as usual for cybercriminals. Breaching a political organisation for the purpose of compromising personal information or even blackmail tampers with the political fabric of a nation and potentially tampers with democratic processes."

Greer-King stated "Despite the apparent 'failure', today's attack once again raises important questions around the upcoming election. Any vulnerabilities within political parties will be ruthlessly exploited, hindering and possibly manipulating their information and systems. Today’s trustworthy security solutions should empower government agencies and political parties, like Labour in this instance, to consistently meet cybersecurity safeguarding requirements and procedures, and implement layered security solutions to block attackers at every step of the way."

Tom Kellermann, Head Cybersecurity Strategist at VMware Carbon Black said "The UK government should be lauded for its ability to successfully thwart an attack campaign targeting its digital platforms. It’s clear the west is under siege as a new Cold War continues to emerge in cyberspace. 

Nation-state-backed hackers have often taken advantage of divisive issues like Brexit to undermine democratically elected governments and cooperative international coalitions like NATO and the EU. It’s hard to think this attack is the last that will target the UK. In turn, the US should see these cyberattacks as a prelude for what may come in 2020.”

Attackers Using PureLocker Ransomware to Target Enterprises’ Servers

Researchers have detected a new ransomware family they’re calling “PureLocker” which attackers are using to target enterprises’ production servers. Intezer detected a sample of the ransomware masquerading as the Crypto++ C++ cryptography library. In their analysis of the sample, they noticed something unusual when they saw that alleged library contained functions related to music playback. […]… Read More

The post Attackers Using PureLocker Ransomware to Target Enterprises’ Servers appeared first on The State of Security.

NTSB Investigation of Fatal Driverless Car Accident

Autonomous systems are going to have to do much better than this.

The Uber car that hit and killed Elaine Herzberg in Tempe, Ariz., in March 2018 could not recognize all pedestrians, and was being driven by an operator likely distracted by streaming video, according to documents released by the U.S. National Transportation Safety Board (NTSB) this week.

But while the technical failures and omissions in Uber's self-driving car program are shocking, the NTSB investigation also highlights safety failures that include the vehicle operator's lapses, lax corporate governance of the project, and limited public oversight.

The details of what happened in the seconds before the collision are worth reading. They describe a cascading series of issues that led to the collision and the fatality.

As computers continue to become part of things, and affect the world in a direct physical manner, this kind of thing will become even more important.

Intel releases updates to plug TPM-FAIL flaws, foil ZombieLoad v2 attacks

Intel’s Patch Tuesday releases are rarely so salient as those pushed out this month: the semiconductor chip manufacturer has patched a slew of high-profile vulnerabilities in their chips and drivers. TPM-FAIL TPM-FAIL is a name given to vulnerabilities found in some Intel’s firmware-based TPM (fTPM) and STMicroelectronics’ TPM chipsets, discovered by Ahmad “Daniel” Moghimi and Berk Sunar from Worcester Polytechnic Institute, Thomas Eisenbarth from University of Lübeck and Nadia Heninger from University of California at … More

The post Intel releases updates to plug TPM-FAIL flaws, foil ZombieLoad v2 attacks appeared first on Help Net Security.

Airbus Launches Human-Centric Cybersecurity Accelerator

Airbus Launches Human-Centric Cybersecurity Accelerator

Airbus has announced the launch of a human-centric cybersecurity accelerator program. It will feature a dedicated team of human factor and cognitive psychology experts that will work in collaboration with the UK’s National Cyber Security Centre (NCSC) and a range of other partners to gain crucial insights into human-centric approaches for improving cybersecurity effectiveness. 

The Accelerator will offer placements for qualifying university students and establish collaboration opportunities with research teams and businesses to help make the UK one of the safest places to do business in cyberspace. 

The launch follows the opening of the Airbus Cyber Innovation Hub, located in Newport, Wales, in April 2019.

Dr Kevin Jones, chief information security officer of Airbus, said: “With increasingly sophisticated attacks being attempted every day, it simply isn’t possible to protect every user against every cyber-attack. We therefore need to think differently and identify ways for security to work with an organization’s people, to better protect against an array of threats.

“With the right tools and approach, employees can be the strongest link in an organization’s cyber-defense. Our work aims to put people-centric thinking at the heart of an organization’s security and we’re keen to hear from likeminded researchers and organizations who are interested in getting involved with our new Accelerator.”

Airbus was recently forced to take action after a possible Chinese state-sponsored hacking operation was detected targeting multiple suppliers over the past year.

Dr Ian Levy, technical director at the NCSC, said the new initiative is a welcome one and recognizes the importance of a multidisciplinary approach that puts people at the center of cybersecurity development.

“At the NCSC, we recognize the vital role employees have to play in an organization’s cyber-resilience and we are pleased to collaborate on this program.”

Mexican Petrol Giant Pemex Hit by Ransomware

Mexican Petrol Giant Pemex Hit by Ransomware

Mexico’s state-owned petroleum giant Petróleos Mexicanos (Pemex) is insisting all operations are running normally after a suspected ransomware attack, despite reports to the contrary.

The firm claimed that operation and production systems remain unaffected and supply of fuel remains guaranteed. However, it admitted that an attack on Sunday did affect around 5% of its personal computers.

Reports, though, suggest the firm has been harder hit, with Pemex billing systems taken offline, forcing staff to rely on manual processes which means payment of staff and suppliers may be disrupted.

Invoices for fuel sent from Pemex storage facilities to gas stations were being filled in manually while some employees in the petrol giant’s refining business couldn’t access emails or get online on Tuesday, with computers running slowly, sources told Bloomberg.

Although an internal memo reportedly suggested Ryuk as the culprit, security experts have seen leaked ransom notes confirming that the attackers used the DoppelPaymer variant.

A Tor payment site revealed a ransom demand of 565 Bitcoins, (£3.9m, $5m).

The same ransomware is thought to have been used in an attack against Canada’s Nunavut territory earlier this month.

Pemex is the latest in a long line of big-name organizations targeted by ransomware this year. Norwegian aluminium giant Norsk Hydro suffered major outages after being struck in March. The firm later admitted that the attack may have cost it as much as $41m after production was disrupted.

German automation giant Pilz was crippled for over a week by ransomware last month, while US mailing technology company Pitney Bowes and French media conglomerate Groupe M6 admitted suffering attacks.

Over a quarter (28%) of UK firms were hit by ransomware over the previous 12 months, according to research from Databarracks published in July.

How much did cyberattacks cost organizations in 2018?

Estimated reading time: 3 minutes

In today’s day, it has become common knowledge that cyberattacks are dangerous for an organization. However, sometimes, people within the organization can differ on the exact impact of these threats. These differences can often blindside businesses on the total value of monetary and operational losses– without cold, hard numbers to back up the effect of cyberattacks, companies can tend to underestimate cybersecurity, often preferring to prioritize their budgets to other things.

Every security expert will state that this can often be the first step to a disaster.

While there are no guarantees to cybersecurity, it’s obvious that a business which spends more time and investment in protecting its perimeters has a better chance of protection against the rampant cyber threats that exist in today’s times, rather than, say, another enterprise which hasn’t taken its cyber protection that seriously.

Seqrite is sharing numbers from different reports and surveys around the world about the impact and cost of cyberattacks so that they act as an eye-opener for stakeholders to understand clearly that cyberthreats have a deep impact on the overall business functionality.

These numbers and descriptions should illustrate the real danger enterprises face, both financially and on the reputation front if cybersecurity is not taken seriously.

Cyberattacks: The numbers

In July 2019, the Online Trust Alliance, a component of the Internet Society (an American organization committed to leading Internet standards, access and policy) dedicated for the promotion & security and privacy best practices, released its 11th Cyber Incident & Breach Trends Report, providing an overview of cyber incidents in 2018. Some of the key findings from the report were:

  • It was estimated that there were more than 2 million cyber incidents in 2018 and even this number is likely to be a rough estimate for the actual number
  • The financial impact of all these incidents was at least USD 45 billion
  • The main types of attacks were (in terms of number of incidents) cryptojacking, ransomware, breaches, supply chain attacks, Business Email Compromise (BEC)
  • Cryptojacking attacks saw a marked increase in 2018 which indicates that attackers are continuously innovating and finding new attack vectors

Large companies bore the brunt of some of the biggest cyber attacks the world saw in 2018.


Among the world’s largest and most influential hospitality chains, Starwood Hotels revealed in September 2018 that up to 500 million hotel guests’ information had been stolen in a data breach. The attackers stole a huge array of Personally Identifiable Information (PII) leaving the hospitality chain in the midst of a big crisis.

British Airways data breach

As one of the oldest and most well-known airlines of the world, there was a sense of concern when British Airways announced that 380,000 card payments on its website were compromised during a 15-day period between August 21st and September 5th.

Details like name, email address, credit card information like number, expiration date and CVV code were stolen. While it did not affect flight operations, it caused a lot of anxiety and concern for customers who had booked flights in the intervening period

Facebook-Cambridge Analytica data breach

Facebook’s troubles had emerged earlier in the year, in March, when the news erupted of the Cambridge Analytica scandal. According to investigations made by the American and the British media, Cambridge Analytica stole personal information from 50 million Facebook user profiles.

This was done by getting users to submit answers to a personality prediction application by a psychologist from the University of Cambridge Aleksandr Kogan. This application needed users to login using their Facebook account and gained access to their profiles, locations, likes and other personal data. It also gathered data on the friends of the users who downloaded the application.

This data was then sent to Cambridge Analytica – which is a violation of Facebook’s terms of service – which created psychographic profiles on 30 million of these profiles, to influence voter behaviour for its clients. This news caused a huge uproar over the world with Facebook being investigated by authorities of several countries and many angry users even starting a ‘DeleteFacebook’ hashtag on social media.

It is quite obvious that cyber attacks can have a significant impact on enterprises. To protect against them, enterprises can consider powerful & efficient security solutions like Seqrite’s Endpoint Security (EPS), mSuite and Unified Threat Management (UTM), to provide a layer of defence against advanced cyberthreats.

The post How much did cyberattacks cost organizations in 2018? appeared first on Seqrite Blog.

US Border Officers Humbled by Fourth Amendment Ruling

US Border Officers Humbled by Fourth Amendment Ruling

Privacy groups are celebrating after a federal court ruled that suspicion-free searches of travellers’ electronic devices at the US border are unconstitutional.

The original lawsuit was filed by the American Civil Liberties Union (ACLU), Electronic Frontier Foundation (EFF) and ACLU of Massachusetts, on behalf of 11 travellers whose smartphones and laptops were searched without suspicion on entry to the US.

According to the Boston court’s ruling, Customs and Border Control (CBP) and Immigration and Customs Enforcement (ICE) officers must now demonstrate suspicion of “illegal contraband” before being able to search an individual’s device.

According to EFF, searches at US ports have rocketed recently. It claimed that CBP carried out more than 33,000 last year, nearly four times the number from three years previously.

Esha Bhandari, staff attorney with the ACLU’s Speech, Privacy, and Technology Project, argued that travellers can now travel to the US without fear that the government will impinge on their privacy.  

“This ruling significantly advances Fourth Amendment protections for millions of international travellers who enter the United States every year,” she added. “By putting an end to the government’s ability to conduct suspicionless fishing expeditions, the court reaffirms that the border is not a lawless place and that we don’t lose our privacy rights when we travel.”

The EFF pointed to several cases where border guards had apparently abused their powers to search travellers coming into the US.

This includes one example where an officer rifled through privileged attorney-client communication on an individual’s electronic device, and another alleged case where a Harvard freshman was denied entry after the officer noted social media posts from his friends critical of the government.

The Comprehensive Compliance Guide (Get Assessment Templates)

Complying with cyber regulations forms a significant portion of the CISO's responsibility. Compliance is, in fact, one of the major drivers in the purchase and implementation of new security products. But regulations come in multiple different colors and shapes – some are tailored to a specific vertical, while others are industry-agnostic. Some bare explicit consequences for failing to comply

Hashtag Trending – Disney server overload; Facebook secretly turning on cameras; best companies ranked

In this episode of Hashtag Trending, we talk about Disney+’s server overload, Facebook secretly activating cameras, and Americans voting for the best brand. Thank you for tuning in, it’s Wednesday, November 13th, and I’m your host, Tom Li. Trending on Reddit, the new Disney+ streaming service was immediately overloaded on launch day. By 9 a.m.…

Microsoft Patches IE Zero-Day Bug

Microsoft Patches IE Zero-Day Bug

Microsoft released fixes for 75 vulnerabilities during this month’s patch update round, including one zero-day flaw in Internet Explorer.

The bug in question, CVE-2019-1429, exists in the way the scripting engine handles objects in memory in the browser, corrupting memory so an attacker can execute arbitrary code, according to Microsoft.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” it explained.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine."

An attacker could also take advantage of compromised websites and those that accept or host user-provided content or ads, Microsoft continued.

Another one to watch is CVE-2019-1457, a publicly disclosed vulnerability in Excel which could bypass security features.

“An attacker could embed a control in an Excel worksheet that specifies a macro should be run. Whatever is executed in the macro that was triggered by bypassing the security settings of Excel would be the real risk of this vulnerability,” explained Ivanti director of security solutions, Chris Goettl.

“This vulnerability is not currently being exploited in the wild, but since it has been publicly disclosed, threat actors have had a jump start on being able to develop an exploit to take advantage of the CVE. This puts the vulnerability at higher risk of exploitation.”

Microsoft has also issued an advisory on a flaw in some Trusted Platform Modules (TPM) chipsets from STMicroelectronics, which may require a firmware update to the TPM.

Elsewhere, Adobe issued patches for 45 critical vulnerabilities in Acrobat and Reader that should be prioritized for workstations.

Researchers Discover TPM-Fail Vulnerabilities Affecting Billions of Devices

A team of cybersecurity researchers today disclosed details of two new potentially serious CPU vulnerabilities that could allow attackers to retrieve cryptographic keys protected inside TPM chips manufactured by STMicroelectronics or firmware-based Intel TPMs. Trusted Platform Module (TPM) is a specialized hardware or firmware-based security solution that has been designed to store and protect

Russian man Aleksei Burkov extradited for running online criminal marketplace

Aleksei Burkov is a Russian accused of being involved in more than $20 million in credit-card frauds, has been extradited to the US to face criminal charges.

Aleksei Burkov (29) is a Russian man accused of running an online criminal marketplace, called Cardplanet, that helped crooks to organize more than $20 million in credit card fraud. The suspect has been extradited to the US to face criminal charges.

“According to court documents, Burkov allegedly ran a website called “Cardplanet” that sold payment card numbers (e.g., debit and credit cards) that had been stolen primarily through computer intrusions.  Many of the cards offered for sale belonged to U.S. citizens.  The stolen credit card data from more than 150,000 compromised payment cards was allegedly sold on Burkov’s site and has resulted in over $20 million in fraudulent purchases made on U.S. credit cards.” reads a press release published by the DoJ.

Burkov was also operating another invite-only cybercrime forum, to obtain membership prospective members needed three existing members to “vouch” for their good reputation in the cybercrime community. The membership also requested a sum of money, normally $5,000, as insurance. 

“Additionally, Burkov allegedly ran another online Cybercrime Forum that served as an invite-only club where elite cybercriminals could meet and post in a secure location to plan various cybercrimes, to buy and sell stolen goods and services,  such as personal identifying information and malicious software, and offer criminal services, such as money laundering and hacking services.”

In October, the Israel justice minister approved the extradition of Alexei Bourkov to the United States.

The suspect was arrested in Israel in 2015, his case made the headlines multiple times because media speculated a possible prisoner swap with Naama Issachar, an Israeli-American that was arrested in Russia on cannabis charges.

According to the media, the Naama Issachar’s family is opposing the extradition for the above reason.

Israel’s Prime Minister Benjamin Netanyahu also commented on the case and told the media that he “would appreciate” Russian President Vladimir Putin looking into Naama Issachar’s case. Of course, Russian officials also made opposition to the extradition.

Burkov initially appeared in Alexandria on Tuesday after being extradited from Israel.

According to the indictment, Cardplanet was offering its members stolen credit card data for a price that goes from $3 up to $60. Burkov was also offering a money-back guarantee for expired or blocked card numbers.

Pierluigi Paganini

(SecurityAffairs – Aleksei Burkov , malware)

The post Russian man Aleksei Burkov extradited for running online criminal marketplace appeared first on Security Affairs.

November 2019 Patch Tuesday: Actively exploited IE zero-day fixed

November 2019 Patch Tuesday comes with patches for an IE zero-day exploited by attackers in the wild and four Hyper-V escapes. Microsoft updates Microsoft has delivered fixes for 74 vulnerabilities in various products, 13 of which are deemed to be critical. The most notable ones in this batch are: CVE-2019-1429, a scripting engine memory corruption vulnerability that, according to researchers of the Google Threat Analysis Group, is being exploited in attacks in the wild to … More

The post November 2019 Patch Tuesday: Actively exploited IE zero-day fixed appeared first on Help Net Security.

Microsoft Patch Tuesday updates fix CVE-2019-1429 flaw exploited in the wild

Microsoft’s Patch Tuesday updates for November 2019 address over 70 flaws, including an Internet Explorer issue (CVE-2019-1429) that has been exploited in attacks in the wild.

Microsoft’s Patch Tuesday updates for November 2019 address 74 flaws, including an Internet Explorer vulnerability, tracked as CVE-2019-1429, that has been exploited in the wild. Microsoft doesn’t provide any information on the nature of the active attacks, it only pointed out that they are likely limited at this time.

The CVE-2019-1429 zero-day is a scripting engine memory corruption vulnerability that affects Internet Explorer 9, 10 and 11. Microsoft.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.” read the security advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The vulnerability could be exploited by an attacker to execute arbitrary code in the context of the current user by tricking the victims into visiting a specially crafted website with a vulnerable IE browser or into opening a weaponized Office document.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.” continues the advisory “The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

Microsoft addressed the flaw by modifying how the scripting engine handles objects in memory, the company has not identified any workarounds or mitigating factors for this issue.

Microsoft has credited Ivan Fratric from Google Project Zero, Clément Lecigne from Google’s Threat Analysis Group, an anonymous researcher from iDefense Labs, and Resecurity for reporting the issue.

Microsoft’s Patch Tuesday updates for November 2019 addressed security issue in Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based), ChakraCore, Office and Office Services and Web Apps, Open Source Software, Exchange Server, and Visual Studio.

Of these 74 CVEs addressed by Microsoft, 13 are rated Critical and 61 are rated Important in severity. 15 vulnerabilities were reported through the ZDI program.

According to Trend Micro’s Zero Day Initiative (ZDI), several threat groups could start exploiting the CVE-2019-1429 zero-day now that the patch has been released and that it is possible to make a reverse-engineering of the fix.

Microsoft also addressed a remote code execution vulnerability, tracked as CVE-2019-1373, in Microsoft Exchange. The vulnerability resides in the deserialization of metadata via PowerShell. An attacker could exploit this vulnerability by tricking victims into running cmdlets via PowerShell.

“While this may be an unlikely scenario, it only takes one user to compromise the server. If that user has administrative privileges, they could hand over complete control to the attacker.” reads a post published by ZDI.

Other critical vulnerabilities addressed by Microsoft impact Windows, Internet Explorer, and Hyper-V.

“Looking through the Critical-rated patches, the updates for Hyper-V stand out the most. Five separate code execution bugs receive patches this month, and each could allow a user on the guest OS to execute code on the underlying host OS,” ZDI concludes.

Pierluigi Paganini

(SecurityAffairs – CVE-2019-1429, Patch Tuesday)

The post Microsoft Patch Tuesday updates fix CVE-2019-1429 flaw exploited in the wild appeared first on Security Affairs.

Lateral phishing makes for dangerous waters, here’s how you can avoid getting caught in the net

As companies and consumers have become more aware of phishing, hackers have refined their techniques and are now launching a more advanced form of attack known as lateral phishing. This technique is highly convincing and, consequently, highly effective. Hackers are no longer phishing in the dark Millions of individuals have had their personal information exposed in recent breaches at companies like DoorDash, PCM Inc., and Nordstrom. When email addresses, dates of birth, names, and other … More

The post Lateral phishing makes for dangerous waters, here’s how you can avoid getting caught in the net appeared first on Help Net Security.

Product showcase: SpyCloud Active Directory Guardian

Fueled by rampant employee password reuse across work and personal logins, account takeover represents a major risk to the enterprise. According to the 2019 Verizon Breach Report, the use of stolen credentials has been the number one hacking tactic for three years running. When employees reuse the same credentials across multiple logins, one data breach puts all of those accounts at risk. It’s trivial for criminals to access all accounts that use those compromised credentials, … More

The post Product showcase: SpyCloud Active Directory Guardian appeared first on Help Net Security.

Researchers discover massive increase in Emotet activity

Emotet had a 730% increase in activity in September after being in a near dormant state, Nuspire discovered. Emotet, a modular banking Trojan, has added additional features to steal contents of victim’s inboxes and steal credentials for sending outbound emails. Those credentials are sent to the other bots in its botnet which are used to then transmit Emotet attack messages. When Emotet returned in September, it appeared with TrickBot and Ryuk ransomware to cause the … More

The post Researchers discover massive increase in Emotet activity appeared first on Help Net Security.

NetApp unveils its Keystone

LAS VEGAS – The keystone of an arch is the stone at the top that holds everything together, and that’s what NetApp is aiming for with its Keystone program. Unveiled at the company’s annual user conference, Insight, Keystone offers a simplified way to achieve the agility of cloud infrastructure, either on premises or through any major cloud provider or providers.

Chief executive officer George Kurian told the 4,500 attendees that the group of programs, services, and offerings lets NetApp deliver a consistent experience across public cloud and data centre, building on NetApp’s data fabric.

“NetApp Keystone enables you to simplify the business of hybrid cloud data services,” he said. “It provides flexible cloud consumption models that make it easy to buy, easy to consume, and easy to operate NetApp capability, whether it’s on premises or in the public cloud, and you get to pay for it as a metered utility with zero upfront commitment, as a subscription, or with a capital purchase.”

Keystone Subscription Services gives customers the public cloud experience on premises. To subscribe, they simply pick the performance tier (high performance, standard, or value), choose file, block, or object data services, and decide whether they want to manage the storage themselves or have NetApp do so. Subscriptions are paid monthly, quarterly, or yearly, with a one-year commitment, for committed capacity, and include the ability to burst on demand.

“We share the risk with you,” he said. “We retain the title to the assets that you deploy in your data centre, we allow you to burst, and we give you the option to deploy in your co-located data centre and managed environments.”

The third part of NetApp Keystone, Kurian said, is for customers who still want to buy capital infrastructure. It simplifies the ordering system and provides a digital product selector. Product support offering have also been enhanced, with predictable pricing.

“NetApp Keystone marks the next major evolution of the data fabric,” he said. “For five years we have led the market in innovating in data services for hybrid IT. Today we are taking the next step forward providing you with a simplified integrated cloud-like customer experience that is deployable anywhere, in the cloud or in your data centre.”

While hybrid multicloud was the magic phrase this year, NetApp didn’t neglect its legacy products, announcing a new version of ONTAP as well as new hardware, including the AFF All SAN array featuring symmetric active-active controllers for instant failover that got spontaneous applause from Kurian’s keynote audience.

Karen López, data evangelist at Infoadvisors, found the announcements interesting, but felt they were lacking in detail.

“Most of the information I got was more about their messaging and their successes from last year and in previous years,” she said. “So that tells me they are still working on this transition from being a hardware company to being a data services company, and that’s not an easy thing to do.”

“I wasn’t expecting them to say they’re fully transitioned,” she went on. “I didn’t get to see enough of the technical side of what they’re announcing to form an opinion. It sounds like a great strategy. There are other things I’d like to see them doing – I’d like every company to be doing this – I wanted to hear more about, if they’re going to be a data services company, how are they addressing the big data problems right now:  privacy and security. I’m sure they’re doing things around security, but I expected to hear more.”


Enterprise cybersecurity in the Asia-Pacific region

Almost one in five business organizations in the Asia-Pacific (APAC) region experienced more than six security breaches in the past two years, a new ESET enterprise cybersecurity survey has revealed. ESET polled over 1,835 managers and C-level executives working in organizations in a variety of industries in India, China, Hong Kong, Taiwan, Japan, Thailand and Indonesia, and also found that: 91 percent of organizations have a cybersecurity awareness program. The percentage reaches as high as … More

The post Enterprise cybersecurity in the Asia-Pacific region appeared first on Help Net Security.

The leading challenge facing cloud migration projects is security

60% of organizations misunderstand the shared responsibility model for cloud security and incorrectly believe the cloud provider is responsible for securing privileged access, according to Centrify. Securing cloud migration projects Furthermore, organizations are not employing a common security model or enforcing least privilege access to reduce risk, and the majority list security as their main challenge with cloud migrations. The cloud’s availability, accessibility, scalability, and speed of delivery make it an attractive option to deliver … More

The post The leading challenge facing cloud migration projects is security appeared first on Help Net Security.

Dark Web

The Dark Web is a network of systems connected to the Internet designed to share information securely and anonymously. These capabilities are abused by cyber criminals to enable their activities, for example selling hacking tools or purchasing stolen information such as credit card data. Be aware that your information could be floating around the Dark Web, making it easier for cyber criminals to create custom attacks targeting you..

Vulnerability Management Program Best Practices

An enterprise vulnerability management program can reach its full potential when it is built on well-established foundational goals that address the information needs of all stakeholders, when its output is tied back to the goals of the enterprise and when there is a reduction in the overall risk of the organization. Such vulnerability management technology […]… Read More

The post Vulnerability Management Program Best Practices appeared first on The State of Security.

Trend Micro enhances protection for industrial orgs

Trend Micro, a global leader in cybersecurity solutions, announced its complete smart factory security solutions, designed to provide enhanced visibility and protection for embattled industrial control system (ICS) environments. The solutions will secure across all layers of Industry 4.0, mitigating this growing area of cyber risk to keep operations running. Gartner predicts that approximately 49 billion IoT devices will be connected in 2021 and that number will continue to increase for the foreseeable future. Even … More

The post Trend Micro enhances protection for industrial orgs appeared first on Help Net Security.

Jamf unveils Jamf Protect, an enterprise endpoint protection solution built for Mac

Jamf launched Jamf Protect, an enterprise endpoint protection solution built for Mac. Jamf Protect leverages native Apple security tools and on-device analysis of macOS activity to create customized telemetry that gives enterprise security teams unparalleled visibility into their macOS fleet and the ability to respond and block identified threats. Jamf Protect is now generally available to commercial organizations in the United States. “Because of Jamf’s Apple-first and Apple-only approach, Jamf Protect is unique in how … More

The post Jamf unveils Jamf Protect, an enterprise endpoint protection solution built for Mac appeared first on Help Net Security.

Redis Labs launches RedisInsight and automated cluster recovery for Kubernetes

Redis Labs, the home of Redis and provider of Redis Enterprise, announced a new graphical user interface (GUI) tool for developers and administrators, RedisInsight, and automated cluster recovery capabilities for the company’s Kubernetes Operator toolkit, to make it even easier for organizations to deploy and operate Redis at scale. “Both RedisInsight and automated cluster recovery for Kubernetes will enable our customers to increase how and where they use Redis by simplifying how they develop and … More

The post Redis Labs launches RedisInsight and automated cluster recovery for Kubernetes appeared first on Help Net Security.

CloudVector’s API Threat Protection platform monitors and secures APIs to prevent data breaches

CloudVector, the first API Threat Protection platform to go beyond the gateway, announced the launch of its namesake solution, which discovers, monitors and secures APIs to prevent data breaches. The proliferation of APIs have encouraged threat actors to target this new attack vector, increasing the risk of major data breaches. Existing Web Application Firewall (WAF) and API Management gateways are unable to provide API Threat Protection because of inherent limitations in their architectures. According to … More

The post CloudVector’s API Threat Protection platform monitors and secures APIs to prevent data breaches appeared first on Help Net Security.

OpenText announces technology update with innovations across its entire portfolio

OpenText, a global leader in Enterprise Information Management (EIM), announced its latest technology update, with innovations across its entire portfolio. This release further improves the capture, governance, exchange and use of information to drive productivity, growth and a lasting competitive advantage. “OpenText builds the world’s most impressive and compelling EIM platform, designed to help companies gain the agility, scale and capability they need to empower their workforces and delight customers,” said Mark J. Barrenechea, OpenText … More

The post OpenText announces technology update with innovations across its entire portfolio appeared first on Help Net Security.

Bitdefender GravityZone enhanced with new endpoint defense capabilities

Bitdefender, a global cybersecurity leader protecting over 500 million systems across 150 countries, announced new endpoint defense capabilities for GravityZone, the company’s unified endpoint prevention, detection and response platform designed to help enterprises stop threats earlier in the attack chain, as well as simplify and speed up incident response. With the new release, Bitdefender GravityZone extends its lead in endpoint prevention by identifying and stopping network-based and fileless attacks, exploits and malicious behaviors, before they … More

The post Bitdefender GravityZone enhanced with new endpoint defense capabilities appeared first on Help Net Security.

Wind River and Xilinx develop new platform for automated driving apps

Wind River, a leader in delivering software for the intelligent edge, announced a collaboration with Xilinx on the development of a comprehensive automated driving platform that integrates Xilinx’s Versal adaptive compute acceleration platform (ACAP) and Wind River automotive software. The collaboration will provide carmakers with a flexible, high-performance compute platform for delivering safe and secure connected and automated driving vehicles. Using IP from both companies, the platform will provide a foundation that rapidly enables and … More

The post Wind River and Xilinx develop new platform for automated driving apps appeared first on Help Net Security.

OpenText Enfuse 2019: The Carbonite acquisition, new apps, and updates

LAS VEGAS — The topic of endpoint security was front and centre on the first day of OpenText Enfuse 2019. OpenText’s chief executive officer, Mark Barrenechea, said in his keynote that the technology world is accelerating thanks to cloud computing, but with that added innovation, endpoint security becomes all the more vital. “We look at…

Avaya expands global availability of its DaaS offering

Avaya Holdings announced that it has expanded global availability of its Device as a Service (DaaS) offering, enabling businesses to acquire Avaya’s latest smart devices with the flexibility of a monthly subscription rather than an upfront purchase. Following a successful introduction in the United States in 2018, this offering is now available to customers in Canada and a number of European countries. The Avaya DaaS offering is now available for Avaya IX IP Phones, the … More

The post Avaya expands global availability of its DaaS offering appeared first on Help Net Security.

Aqua Security acquires CloudSploit to expand into CSPM

Aqua Security, the leading platform provider for securing container-based, serverless, and cloud native applications announced its expansion into cloud security posture management (CSPM) with its acquisition of CloudSploit. CloudSploit’s SaaS-based platform allows customers to monitor their public cloud accounts within minutes, providing visibility to their entire estate of cloud resources, and reduce threats due to misconfiguration and vulnerabilities. CloudSploit automatically manages cloud security risk and benchmarks against industry standards to ensure compliance and has garnered … More

The post Aqua Security acquires CloudSploit to expand into CSPM appeared first on Help Net Security.

Privacy Analysis: Google Accesses Patient Data on Millions

Massive Research Project With Ascension Health System Raises Concerns
A newly disclosed collaboration between Google and the massive Ascension healthcare system that the partners say is designed to improve patient care is raising serious privacy concerns. That's because the project involves Ascension sharing with Google data on millions of its patients - without their permission.

Patch Tuesday, November 2019 Edition

Microsoft today released updates to plug security holes in its software, including patches to fix at least 74 weaknesses in various flavors of Windows and programs that run on top of it. The November updates include patches for a zero-day flaw in Internet Explorer that is currently being exploited in the wild, as well as a sneaky bug in certain versions of Office for Mac that bypasses security protections and was detailed publicly prior to today’s patches.

More than a dozen of the flaws tackled in this month’s release are rated “critical,” meaning they involve weaknesses that could be exploited to install malware without any action on the part of the user, except for perhaps browsing to a hacked or malicious Web site or opening a booby-trapped file attachment.

Perhaps the most concerning of those critical holes is a zero-day flaw in Internet Exploder Explorer (CVE-2019-1429) that has already seen active exploitation. Today’s updates also address two other critical vulnerabilities in the same Windows component that handles various scripting languages.

Microsoft also fixed a flaw in Microsoft Office for Mac (CVE-2019-1457) that could allow attackers to bypass security protections in some versions of the program that could let malicious macros through.

Macros are bits of computer code that can be embedded into Office files, and malicious macros are frequently used by malware purveyors to compromise Windows systems. Usually, this takes the form of a prompt urging the user to “enable macros” once they’ve opened a booby-trapped Office document delivered via email. Thus, Office has a feature called “disable all macros without notification.”

But Microsoft says all versions of Office still support an older type of macros that do not respect this setting, and can be used as a vector for pushing malware. Will Dornan of CERT/CC reports that while Office 2016 and 2019 for Mac will still prompt the user before executing these older macro types, Office for Mac 2011 fails to warn users before opening them.

Other Windows applications or components receiving patches for critical flaws today include Microsoft Exchange and Windows Media Player. In addition, Microsoft also patched nine vulnerabilities — five of them critical — in the Windows Hyper-V, an add-on to the Windows Server OS (and Windows 10 Pro) that allows users to create and run virtual machines (other “guest” operating systems) from within Windows.

Although Adobe typically issues patches for its Flash Player browser component on Patch Tuesday, this is the second month in a row that Adobe has not released any security updates for Flash. However, Adobe today did push security fixes for a variety of its creative software suites, including Animate, Illustrator, Media Encoder and Bridge. Also, I neglected to note last month that Adobe released a critical update for Acrobat/Reader that addressed at least 67 bugs, so if you’ve got either of these products installed, please be sure they’re patched and up to date.

Finally, Google recently fixed a zero-day flaw in its Chrome Web browser (CVE-2019-13720). If you use Chrome and see an upward-facing arrow to the right of the address bar, you have an update pending; fully closing and restarting the browser should install any available updates.

Now seems like a good time to remind all you Windows 7 end users that Microsoft will cease shipping security updates after January 2020 (this end-of-life also affects Windows Server 2008 and 2008 R2). While businesses and other volume-license purchasers will have the option to pay for further fixes after that point, all other Windows 7 users who want to stick with Windows will need to consider migrating to Windows 10 soon.

Standard heads-up: Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Keep in mind that while staying up-to-date on Windows patches is a good idea, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re probably not freaking out when the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches.

As ever, if you experience glitches or problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a decent chance other readers have experienced the same and may even chime in here with some helpful tips.

Mexican state-owned oil company Pemex hit by ransomware

On Sunday, the Mexican state-owned oil company Petróleos Mexicanos (Pemex) was infected with the DoppelPaymer ransomware.

On Sunday, a piece of the DoppelPaymer ransomware infected systems of the Mexican state-owned oil company Petróleos Mexicanos (Pemex) taking down part of its network.

According to the company, less than 5% of the computers in its network were infected with ransomware.

Threat actors demanded a $4.9 million (565 BTC) ransom in order to decrypt their files, they are also threatening to leak sensitive data stolen by the company.

Pemex’s internal network, like all major national and international government and financial companies and institutions, frequently receives threats and cyber attacks that have not prospered today.” reads a security notice published by the company. “Yesterday, Sunday, November 10, the State productive company received attempts at cyber attacks that were timely neutralized, affecting the operation of less than 5% of personal computer equipment. Notwithstanding the foregoing, Pemex reiterates that the production, supply and inventories of fuel are guaranteed.”

The Petróleos Mexicanos claims that it has quickly neutralized the attack, it also highlighted that operation and production systems were not impacted.  

Pemex confirmed that its infrastructure, like all major national and international government and financial organizations, is under unceasing targeted attacks, for this reason, it is continuing to improve its security measures.

The DoppelPaymer ransomware is a forked version of the BitPaymer ransomware likely developed by some members of the cybercrime gang tracked as TA505.

Pierluigi Paganini

(SecurityAffairs – ransomware, Petróleos Mexicanos (Pemex))

The post Mexican state-owned oil company Pemex hit by ransomware appeared first on Security Affairs.

Google’s Project Nightingale Health Data Practice Raises Privacy Concerns

Google is collecting the health record data of millions of U.S. citizens, raising serious concerns about patient privacy.

According to a recent story published in The Wall Street Journal, Google has partnered with Ascension, the nation’s second largest health care system for Project Nightingale. 

The partnership gives Google full, non-anonymized access to “lab results, doctor diagnoses and hospitalization records… and amounts to a complete health history, including patient names and dates of birth” for millions of patients in 21 states.

The stated intention of Project Nightingale is “ultimately improving outcomes, reducing costs, and saving lives,” according to Google Cloud president Tariq Shaukat, who also see it helping developers “design new software, underpinned by advanced artificial intelligence and machine learning, that zeros in on individual patients to suggest changes to their care.”

Google’s access to patient data raises concerns among privacy advocates, particularly because at least 150 of the company’s employees have full access to highly personal information without patient consent or notification. 

Of perhaps even greater concern is the fact that Google’s apparent data mining is legal according to federal law, specifically the Health Insurance Portability and Accountability Act of 1996, or HIPAA. According to the U.S. Department of Health and Human Services, medical providers “may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions.”

Google has recently made similar moves to expand its access to health and medical data, including its acquisition of Fitbit and that company’s data sharing partnership with the University of Chicago Medical Center. That move resulted in a class action lawsuit.

The post Google’s Project Nightingale Health Data Practice Raises Privacy Concerns appeared first on Adam Levin.

VERT Threat Alert: November 2019 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s November 2019 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-859 on Wednesday, November 13th. In-The-Wild & Disclosed CVEs CVE-2019-1429 A vulnerability in the scripting engine in Internet Explorer can lead to code execution. The attacker could corrupt memory and execute code in […]… Read More

The post VERT Threat Alert: November 2019 Patch Tuesday Analysis appeared first on The State of Security.

Facebook’s latest giant language AI hits computing wall at 500 Nvidia GPUs

Facebook AI research's latest breakthrough in natural language understanding, called XLM-R, engineers tasks such as question-answering across 100 different languages including Swahili and Urdu. It shows both that deep learning models keep getting bigger, and that they're running up against serious resource constraints in existing computing systems.

Orvis Passwords Leaked Twice on Pastebin

Orvis Passwords Leaked Twice on Pastebin

Internal passwords belonging to American retailer Orvis were twice leaked online in a double data breach. 

Credentials belonging to the luxury fishing equipment purveyor were posted on the website last month, according to investigative reporter Brian Krebs

A swathe of plaintext usernames and passwords relating to everything from firewalls and routers to database servers and even administrator accounts was exposed for several weeks. 

The leaked files from the Vermont-based retailer included credentials for security cameras, door controllers, door and alarm codes, and FTP credentials, and even showed the combination to a locked safe in the company's server room. 

Krebs was tipped off about the data breach in late October by Wisconsin-based security firm Hold Security. Company founder Alex Holden said an enormous file containing internal passwords relating to Orvis had been posted to Pastebin on October 4 and again on October 22.

Holden's finding was corroborated by, a company that aggregates information from leaked databases online. However, a spokesperson for Orvis would only acknowledge that one much shorter breach had occurred.

Orvis spokesperson Tucker Kimball told Krebs: "The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones. 

"We are leveraging our existing security tools to conduct an investigation to determine how this occurred."

Orvis is America's oldest mail-order retailer and was founded in 1856. The company has 69 retail stores and 10 outlets in the US plus a further 18 stores in the UK, and employs 1,700 people. 

How the passwords came to be on Pastebin is unknown, though potential sources could include an internal threat actor or a malicious or perhaps simply careless third party. 

Kelly White, CEO of RiskRecon, commented: "Security teams need to get into the mindset that their risk surface spans to all people, processes, and technology that touch their data, including subcontractors. Too often, organizations require less of their vendors and subcontractors than they do of their own personnel. 

"While employees are formally trained in handling of sensitive information and required to use corporate administered systems, subcontractors are not; no training in handling of sensitive data and allowed to use their own systems. When incidents like this happen, it is no surprise that existing security standards aren't met—the subcontractor likely wasn't even aware of them." 

Orvis did not reply to a request for further comment.

PortSwigger Launches Web Security Academy

PortSwigger Launches Web Security Academy

PortSwigger has launched a free interactive training platform in an attempt to address the global shortage of cybersecurity talent. 

The makers of Burp Suite cut the ribbon on the new Web Security Academy last month following a soft launch of the platform in April 2019, which a PortSwigger spokesperson said had garnered "overwhelmingly positive user feedback."

The Web Security Academy features a vast amount of high-quality reading materials and interactive labs of varying levels of difficulty. Inside the free resource, users are able to access a safe testing environment in which to experiment without incurring any kind of legal risk.

Content will be continuously updated, with new topics and material added regularly to reflect the ever-changing nature of the cyber-threat landscape. Learning materials currently available on the site include labs on clickjacking, WebSocket, HTTP request smuggling, server-side request forgery, and XXE injection.

Users of the new platform can track their progress and indulge in a little healthy competition via live leader boards. Learning is offered at a pace set by the user and without the pressure of deadlines, although the first user to finish each freshly released lab will get their name in the Hall of Fame and win some Burp Suite swag. 

After six months of being tested out and tweaked in beta, the Web Security Academy was officially launched on October 29. 

The academy is led by PortSwigger founder and CEO and author of The Web Application Hacker's Handbook, Dafydd Stuttard, along with PortSwigger's world-renowned research team.

"There has been huge demand for a third edition of The Web Application Hacker's Handbook. After much thought, I concluded that writing another paper book wasn't the right option today. Much better to produce an online edition that is interactive, actively maintained, and accessible to everyone. The Web Security Academy is exactly that," said Stuttard.

The launch of the new free training website follows news reported last week that global IT security skills shortages have now surpassed four million. 

Research conducted by recruitment firm Outsource found that since 2014, the number of organizations reporting a problematic security skills shortage has more than doubled, from 23% to 51%.

Facebook is secretly using iPhone’s camera as users scroll their feed

New problems for Facebook, it seems that the social networking giant is secretly using the camera while iPhone users are scrolling their feed.

Is this another privacy issue for Facebook? The iPhone users Joshua Maddux speculates that Facebook might be actively using your camera without your knowledge while you’re scrolling your feed.

Maddux published footage on Twitter that shows the camera on his iPhone that is active while he scrolls through his feed.

“The problem becomes evident due to a bug that shows the camera feed in a tiny sliver on the left side of your screen, when you open a photo in the app and swipe down. TNW has since been able to independently reproduce the issue.” reported The Next Web.

The expert successfully tested the issue on devices iPhone devices running iOS version 13.2.2, but the problem doesn’t affect iOS version 12,

Maddux adds he found the same issue on five iPhone devices running iOS 13.2.2, but was unable to reproduce it on iOS 12.

“I will note that iPhones running iOS 12 don’t show the camera (not to say that it’s not being used),” Maddux said.

The personnel at TNW noticed that the issue only occurs if users have granted the Facebook app access to your camera.

At the time of writing, it is still unclear if the issue is expected behavior, the issue is not working on Android devices.

A similar issue was described in October 2017 by the Austrian developer and Google engineer, Felix Krause. The expert explained that the privacy issue in Apple iPhone could be exploited by iOS app developers to silently take users’ photos and record their live video by enabling both front and back cameras.

The iPhone users will never receive any notification from the device, Krause shared technical details in a blog post.

At the time, the researcher explained that the best way to mitigate the issue was to revoke camera access.

TNW contacted Facebook for comment.

Pierluigi Paganini

(SecurityAffairs – iPhone, hacking)

The post Facebook is secretly using iPhone’s camera as users scroll their feed appeared first on Security Affairs.

Aqua Security Acquires CloudSploit

Aqua Security Acquires CloudSploit

CloudSploit has been acquired by Aqua Security for an undisclosed sum.

Aqua Security, the leading platform provider for securing container-based, serverless, and cloud native applications, announced the acquisition of security auditing and monitoring tool CloudSploit today. 

The American company said the addition of CloudSploit will enable them to expand into cloud security posture management (CSPM) and give their customers the option of continuous security monitoring.

Co-founded by Matthew Fuller and Josh Rosenthal, CloudSploit was built on open source foundations and has benefited from the contributions of cloud users and experts since its inception in 2015. 

CloudSploit’s SaaS-based platform allows customers to monitor their public cloud accounts and access an overview of their entire estate of cloud resources. It automatically manages cloud security risk and benchmarks against industry standards to ensure compliance.

CloudSploit works as an auditing tool to check the configuration state of services in users' IaaS accounts for potential misconfigurations that lead to security breaches. The platform also monitors activity in users' accounts for suspicious behavior and insider threats in real-time. 

"We are excited to add CloudSploit to Aqua’s cloud-native security portfolio," said Dror Davidoff, CEO of Aqua Security.  

"Aqua protects the world’s largest cloud native environments; with CloudSploit our customers can now continuously monitor and manage their cloud security posture across their multi-cloud infrastructures."

CloudSploit is the second open-source investment by Aqua since August, when the company announced its acquisition of Trivy Vulnerability Scanner

A spokesperson for Aqua Security said: "With the addition of CloudSploit and VM Security, Aqua’s customers can more effectively manage risk and protect against threats for their multi-cloud environments across the full application stack, from infrastructure, application workloads and code."

Aqua has also added significant new capabilities to its Cloud Native Security Platform (CSP), deepening protection of virtual machines. Aqua CSP now protects VMs for complete cloud workload protection.   

Aqua’s VM security solution delivers file integrity monitoring, machine image assurance, network discovery, and micro-segmentation to hosts for full visibility of infrastructure and application threats. Organizations can now protect their cloud native workloads from a single control panel for improved visibility and efficient remediation.   

Is Facebook Secretly Accessing Your iPhone’s Camera? Some Users Claimed

It appears that Facebook at the center of yet another issue involving privacy. Reportedly, multiple iPhone users have come forward on social media complaining that the Facebook app secretly activates their smartphone's camera in the background while they scroll through their Facebook feeds or looking at the photos on the social network. As shown in the Twitter videos below, when users click

State of Software Security v10: Top 5 Takeaways for Security Professionals

It’s the 10th anniversary of our State of Software Security (SOSS) report! This year, like every year, we dug into our data from a recent 12-month period (this year we analyzed 85,000 applications, 1.4 million scans, and nearly 10 million security findings), but we also took a look back at 10 years of software security. With a decade’s worth of analysis about software vulnerabilities and the best ways to address them, we’re in a unique position to offer insights into creating secure code. There’s a lot to unpack in our most recent SOSS, including some then vs. now comparisons, a look at the most popular vulnerabilities, and a deep dive into security debt. Here are the five takeaways we consider most noteworthy for security professionals:

Apps are insecure

Eighty-three percent of applications have at least one flaw in their initial scan. And we’ve been hovering around that number for the past decade. In addition, the types of flaws that were plaguing code a decade ago are still wreaking havoc today. The top two flaw types seen in code 10 years ago are the same top two we saw this past year: information leakage and cryptographic issues. And many of the top 10 flaws in Volume 1 remain on the top 10 list today, including CRLF injection, Cross-Site Scripting, SQL Injection, and Credentials Management.

What is going on here? We’ve said it before, and we’ll say it again: we need to do a better job helping developers create secure code. We recently partnered with to conduct a survey surrounding DevSecOps skills and found that less than one in four developers or other IT pros were required to take a single college course on security. Meantime, once developers get on the job, employers aren't advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security.

Security debt is a significant problem

In the good news department, we do see improvement in fix rates. For example, half of applications showed a net reduction in flaws over the sample time frame. Another 20 percent either had no flaws or showed no change. This means 70 percent of development teams are keeping pace or pulling ahead in the flaw-busting race! However, we also found that teams are prioritizing newly found security flaws over older flaws, leading to security debt piling up. This year’s data reveals that flaws are much more likely to be fixed soon after they’re discovered.

We’re doing a better job tackling high-severity flaws, but not the most exploitable ones

As we said above, developers are doing a better job fixing what they find, and they are prioritizing both the most recently discovered, and the most severe. On the one hand, this is good news. On the other, we found the security debt that has accumulated across organizations is comprised primarily of Cross-Site Scripting, with Injection, Authentication, and Misconfiguration flaws making up sizable portions as well. This is noteworthy because Injection is the second most prevalent flaw category in reported exploits. Bottom line: Exploitability of a flaw needs to be prioritized, and older flaws need to be addressed. An older injection flaw is just as dangerous as a newly discovered one.

When you scan more, you secure more

This year’s report also looked at the effect of both scanning cadence and frequency on security debt and fix rate. And the results were striking. Those that scanned the most, and the most regularly, had dramatically better fix rates and less security debt. In fact, those with the highest scan frequency (260+ scans per year) had 5x less security debt, and a 72 percent reduction in median time to remediation.

There are some differences in how organizations in different industries are securing software

Looking at the software security trends in your own industry gives you an idea of how your program compares, and where to focus your security efforts.

And we did find some significant differences this year in how different industries are tackling AppSec. For instance, we found that organizations in the retail sector are doing the best job at keeping security debt at bay, while those in the government and education space are doing the worst.

The infrastructure industry is fixing flaws almost 4X faster than any other industry, and 13X faster than the median time to remediation for healthcare. The financial industry has an impressive fix rate, but one of the slowest median times to remediation.

You’ll find all the SOSS X industry infosheets, which include details on which vulnerabilities are most common in each industry, on our Resources page.

Read the report

Read the full SOSS report to learn more about best practices that can help keep your software security. Check out our SOSS X page for access to the full report, additional data highlights, videos of Veracode experts discussing the results, and more.