Don’t have a heart attack but your implanted defibrillator can be hacked over the air (by someone who really wants you dead)

US govt sounds alarm over wireless comms, caveats apply

Medical gear maker Medtronic is once again at the center of a hacker panic storm. This time, a number of its heart defibrillators, implanted in patients' chests, can, in certain circumstances, be wirelessly hijacked and reprogrammed, perhaps to lethal effect.…

‘Sharing of user data is routine, yet far from transparent’ is not what you want to hear about medical apps. But 2019 is gonna 2019

Study finds Android software slinging deets all over the place

Folks using healthcare-related Android apps: after you've handed over your private details to that software, do you know where it is sending your data? If you don't, nobody should blame you. It turns out it can be a complicated and obfuscated affair.…

Microsoft Says the FCC ‘Overstates’ Broadband Availability In the US

An anonymous reader quotes a report from Motherboard: Microsoft this week was the latest to highlight the U.S. government's terrible broadband mapping in a filing with the FCC, first spotted by journalist Wendy Davis. In it, Microsoft accuses the FCC of over-stating actual broadband availability and urges the agency to do better. "The Commission's broadband availability data, which underpins FCC Form 477 and the Commission's annual Section 706 report, appears to overstate the extent to which broadband is actually available throughout the nation," Microsoft said in the filing. "For example, in some areas the Commission's broadband availability data suggests that ISPs have reported significant broadband availability (25 Mbps down/3 Mbps up) while Microsoft's usage data indicates that only a small percentage of consumers actually access the Internet at broadband speeds in those areas," Microsoft said. Similar criticism has long plagued the agency. The FCC's broadband data is received via the form 477 data collected from ISPs. But ISPs have a vested interest in over-stating broadband availability to obscure the sector's competition problems, and the FCC historically hasn't worked very hard to independently verify whether this data is truly accurate. The FCC's methodology has long been criticized as well. As it currently stands, the agency declares an entire ZIP code as "served" with broadband if just one home in an entire census block has it. In its filing, Microsoft "suggested that the Commission's ongoing effort to more accurately measure broadband could be improved by drawing on the FCC's subscription data, along with other broadband data sets from third-parties such as Microsoft, to complement survey data submitted under the current rules."

Read more of this story at Slashdot.

Mitigating the Insider Threat at Scale

Mohan Koo of Dtex Systems on the Roles of People and Analytics
Enterprises are getting wiser to understanding the insider threat. But mitigating it? That remains a challenge - especially at a large scale. Mohan Koo of Dtex Systems talks about how to blend human and data analytics to address the challenge.

Bromium: Application Isolation in the Spotlight

  • Two major announcements bring application isolation into the spotlight
  • Microsoft and HP elevate the importance of isolation in the endpoint security stack
  • Isolate risky browser activity, but don’t forget files are risky too

This week, two major announcements came out highlighting the need for application isolation in the endpoint security stack – HP DaaS Proactive Security and Microsoft Windows Defender Application Guard extensions for Chrome and Firefox. The spotlight on application isolation is an excellent way to raise awareness for this technology, and I applaud HP and Microsoft for going all out with isolation as a way to boost endpoint security. Here is a closer look at what both announcements are highlighting.

Windows Defender Application Guard (WDAG)

Microsoft Windows Defender Application Guard (WDAG) was announced over a year ago, introducing client virtualization on Windows. The initial release was designed to redirect untrusted (or not explicitly trusted) Edge browser activity into a VM. The end-user would surf the web using Edge, and if they typed in a URL or were redirected to a site that was untrusted, the website would open in a separate instance of Edge running isolated inside a VM. The end-user would thus have two instances of Edge running, with the protected instance marked by a red background.

Everyone was excited when WDAG came out, as browsers continue to be a major attack vector, and we even wrote a blog post supporting Microsoft entering the isolation market. As any security specialist will tell you, the safest way to stop malware is to keep end-users from opening emails or surfing the web altogether. True as that is, it is clearly not practical, and isolation is the technology that can change the game. Unfortunately for Microsoft, it was not practical to expect users to abandon Chrome and Firefox for Edge. You win some and you lose some, and Microsoft did not win the browser market. But they also didn’t lose sight of the importance of isolating potentially risky browser activity, which brings us to their announcement this week.

Microsoft releases Windows Defender Application Guard for Chrome and Firefox

Microsoft WDAG now allows users to surf the web using their browser of choice. When a user types in or is redirected to an untrusted site, the Chrome or Firefox extension hands the site off to Edge, which is running inside a VM. WDAG is still about client virtualization aiming to isolate risky websites into a separate VM on the user’s PC, but now the user is not required to use Microsoft Edge as their default browser. Most of the end-user’s browsing takes place in their default browser; only when they encounter an untrusted site do they access it in an isolated instance of Edge. Welcome back to browser isolation, Microsoft, and thank you for validating the application isolation market!

The second announcement this week that validates application isolation was from HP.

HP DaaS Proactive Security

HP and Bromium have enjoyed a productive relationship for over two years, since HP launched HP Sure Click, which uses Bromium Secure isolation technology for hardware-enforced browser isolation. Our relationship continues to grow and evolve, and this week HP announced the next step – including Bromium Secure isolation for browsing and files in HP DaaS Proactive Security, powered by HP Sure Click Advanced. This announcement further validates that major players in the hardware and software market are recognizing the need to move the responsibility for endpoint security away from the end-user. Microsoft and HP are choosing to rely on application isolation as the way to prevent malware from invading Windows endpoints and spreading onto corporate networks.

Isolate Only Browsers?

While we applaud Microsoft’s decision to use isolation for surfing the web and for links that arrive in emails, there’s an obvious gap in their coverage. What about emails with attachments? And what about files that users download from the Internet? Browsers are indeed a major attack vector, but files are just as much of one. If you don’t think files are a threat, you might want to visit some of our latest Threat Intelligence posts below.

What do you think of this week’s announcements? Share your thoughts and questions in the comments section. Happy reading!

The post Application Isolation in the Spotlight appeared first on Bromium.

Trump Gives Netanyahu Part of Syria to Boost Israeli Leader’s Flagging Reelection Campaign

With a tweet posted on Thursday, President Donald Trump dismissed five decades of international consensus on the status of the Golan Heights, Syrian territory seized by Israel in 1967 during a preemptive war, declaring that the United States would recognize Israel’s annexation of the region.

Offered without explanation, the move looked to many Israeli, Palestinian and American observers like a transparent attempt to boost the reelection prospects of Trump’s embattled ally, Prime Minister Benjamin Netanyahu, who faces corruption charges and could be defeated at the polls next month.

In reply to Trump’s tweet, Mohamed ElBaradei, the former head of the International Atomic Energy Agency, suggested that the American president “might want to consult with your international lawyers.” Trump’s declaration, ElBaradei noted, flies in the face of a United Nations Security Council resolution adopted unanimously in 1967, which called for the “Withdrawal of Israel armed forces from territories occupied” in that summer’s conflict — including the Golan, as well as the West Bank, East Jerusalem and Gaza — and emphasized, “the inadmissibility of the acquisition of territory by war.”

It was not lost on some analysts that U.S. recognition of Israel’s right to annex territory it seized by force would also seem to pave the way for Trump to recognize Russia’s annexation of Crimea.

Calling Trump’s declaration, “a brazen violation of international law,” which “doesn’t change protections occupied Syrians of Golan have,” Omar Shakir, the Israel and Palestine director of Human Rights watch, observed that “moves like this only isolate the U.S. further from international consensus and make its voice even more irrelevant.”

Standing alongside Secretary of State Mike Pompeo, who was in Israel for the announcement, a beaming Netanyahu described Trump’s gift to his reelection campaign as “a miracle of Purim,” the Jewish holiday celebrated this week.

“He did it again,” the Israeli prime minister said of an American president who seems determined to make every wish of Israel’s far-right nationalist leader come true. “First, he recognized Jerusalem as Israel’s capital and moved the U.S. Embassy here,” Netanyahu said, “then he got out of the disastrous Iran treaty and reimposed sanctions, but now he did something of equal historic importance — he recognized Israel’s sovereignty over the Golan Heights.”

By accepting Israel’s 1981 annexation of the Golan Heights, after withdrawing from the Iran nuclear deal and moving the U.S. Embassy, Trump also checked off another item on the pro-Israel wishlist of one of his biggest donors, the American casino magnate Sheldon Adelson, who spent more than $20 million to support his 2016 presidential campaign, and is also Netanyahu’s most important backer.

As the Israeli-American journalist Mairav Zonszein noted, Jason Greenblatt, the Trump administration’s peace envoy for the region seemed only mildly less excited by the news than Israel’s prime minister.

The American envoy — who is working with the president’s son-in-law, Jared Kushner, on a peace plan that seems to begin with total surrender to every Israeli demand — effusively thanked Trump for a “bold, courageous, and historic decision” by a president “who understands Israel and its security needs.”

“Thieves,” was the concise description of the move from Ali Abunimah, the Palestinian-American activist and writer whose book, “One Country: A Bold Proposal to End the Israeli-Palestinian Impasse,” calls for a one-state solution to the conflict, with equal rights for Israelis and Palestinians. “But it’s good that the U.S. makes explicit its bias and removes once and for all the pretense that it was ever an ‘honest broker,’” he added.

Since Trump has now declared his support for Israel’s previously unrecognized annexations of both East Jerusalem and the Golan Heights, speculation naturally turned to what might come next: the annexation of most or all of the occupied West Bank. When Israeli citizens go to the polls on April 9th, more than half a million Israelis who live in Jewish-only settlements in the West Bank will cast ballots. Millions of their Palestinian neighbors, who continue to live under military rule 52 years after the Six-Day War, remain disenfranchised, with every aspect of their lives controlled by an Israeli government they have no say in choosing.

“When Israel annexes the West Bank,” Lara Friedman, the president of the Foundation for Middle East Peace in Washington observed on Twitter, “Trump can just copy-paste this same text, change ‘Golan’ to ‘Judea & Samaria,’ and presto — with one final tweet, the Israeli-Palestinian conflict will be resolved!”

Trump’s decision to cede the Golan to Israel, following his move of the U.S. Embassy to Jerusalem, “pretty much tells us where the Kushner peace plan is going,” Paul Danahar, a former BBC Middle East bureau chief, tweeted. “It will likely recognise all of Israel’s ‘facts on the ground’ across most of the disputed regions. The weakness of the Palestinian Authority will be exploited and when it refuses to accept what’s on offer, the administration will throw its hands in the air, blame Palestinian intransigence and begin to formally recognise Israel’s claims on parts of the occupied West Bank.”

“There is almost an unseemly haste from Saudi Arabia and Israel to refashion the region as they want it while they have what has proved to be the most pliable US administration in modern history where the Middle East is concerned,” Danahar concluded.

Yousef Munayyer, the executive director of the U.S. Campaign for Palestinian Rights, made the same point in a slightly less nuanced way.

The post Trump Gives Netanyahu Part of Syria to Boost Israeli Leader’s Flagging Reelection Campaign appeared first on The Intercept.

Grandson of Legendary John Deere Inventor Calls Out Company On Right To Repair

chicksdaddy writes: The grandson of Theo Brown, a legendary engineer and inventor for John Deere who patented, among other things, the manure spreader, is calling out the company his grandfather served for decades for its opposition to right to repair legislation being considered in Illinois. In an opinion piece published by The Security Ledger entitled "My Grandfather's John Deere would support Our Right to Repair," Willie Cade notes that his grandfather, Theophilus Brown, is credited with 158 patents, some 70% of them for Deere & Co., including the manure spreader in 1915. His grandfather used to travel the country to meet with Deere customers and see his creations at work in the field. His hope, Cade said, was to help the company's customers be more efficient and improve their lives with his inventions. In contrast, Cade said the John Deere of the 21st Century engages in a very different kind of business model: imposing needless costs on their customers. An example of this kind of rent seeking is using software locks and other barriers to repair -- such as refusing to sell replacement parts -- in order to force customers to use authorized John Deere technicians to do repairs at considerably higher cost and hassle. "It undermines what my grandfather was all about," he writes. Cade, who founded the Electronics Reuse Conference, is supporting right to repair legislation that is being considered in Illinois and opposed by John Deere and the industry groups it backs. "Farmers who can't repair farm equipment and a wide spectrum of Americans who can't repair their smartphones are pushing back in states across the country."


Facebook passwords stored in plain text, hundreds of millions users affected

New problems for Facebook, which has admitted to storing the passwords of hundreds of millions of users in plain text.

Facebook revealed that it had stored the passwords of hundreds of millions of users in plain text, including passwords of Facebook Lite, Facebook, and Instagram users.

“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” reads the announcement published by Facebook.

“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable.”

The disconcerting discovery was made in January by Facebook IT staff as part of a routine security review. The passwords were stored in plain text on internal data storage systems, which means they were accessible only to employees.

Facebook quickly fixed the issue and plans to notify the affected users.
Facebook estimated that hundreds of millions of people using Facebook Lite, tens of millions of other Facebook users, and tens of thousands of Instagram users are impacted.

“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” continues Facebook.

“In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them.”

According to the security journalist Brian Krebs, who is investigating the incident, hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees. Krebs dates some cases back to 2012, though he did not find any indication that employees abused access to this data.

Krebs believes that the passwords of between 200 million and 600 million Facebook users may have been stored in plain text, and that over 20,000 Facebook employees may have been able to search those passwords.

Krebs cited a senior Facebook employee, who is familiar with the investigation and who spoke on condition of anonymity, who revealed that the company is currently investigating a series of incidents regarding employees who built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.

According to Krebs, citing his source, access logs showed that some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

Even though no passwords were exposed outside the company, Facebook suggests the following steps to secure users’ accounts:

  • You can change your password in your settings on Facebook and Instagram. Avoid reusing passwords across different services.
  • Pick strong and complex passwords for all your accounts. Password manager apps can help.
  • Consider enabling a security key or two-factor authentication to protect your Facebook account using codes from a third party authentication app. When you log in with your password, we will ask for a security code or to tap your security key to verify that it is you.

Pierluigi Paganini

(SecurityAffairs – Facebook passwords, privacy)

The post Facebook passwords stored in plain text, hundreds of millions users affected appeared first on Security Affairs.

ZOLL Medical Device Data Breach Caused By Third Party

Medical device company ZOLL has announced a data breach of patient information involving a third-party provider, stating: 

On January 24, 2019, ZOLL learned of a data security incident that impacted the personal and medical information of some patients. As a precaution, ZOLL is providing this notice to make potentially affected patients aware of the incident and provide information on actions ZOLL has taken in response, resources available to impacted patients, and steps they can take to protect themselves. ZOLL’s email is archived by a third-party service provider to comply with record retention and maintenance requirements, policies, and procedures. Some personal information was included in the email communications stored by the third-party service provider.  

Matan Or-El, CEO at Panorays:

“This latest data breach illustrates the importance of monitoring the cybersecurity posture of third parties that do business with healthcare providers. These providers hold some of our most sensitive and confidential data: personal and demographic information, financial statements, health details and insurance policies. Attackers can use this information for identity theft, insurance fraud, financial gain, or even blackmail. 

Often the best way for hackers to reach this information is through third parties, who have access to healthcare organizations’ data but lack adequate security to guard it. 

For this reason, assessing and continuously monitoring healthcare organizations’ third-party security is critical.” 


The post ZOLL Medical Device Data Breach Caused By Third Party appeared first on Information Security Buzz.

CVE-2018-20031

A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down.

CVE-2019-3871

A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. Insufficient validation of data coming from the user when building an HTTP request from a DNS query in the HTTP Connector of the Remote backend allows a remote user to cause a denial of service by making the server connect to an invalid endpoint, or possibly information disclosure by making the server connect to an internal endpoint and somehow extracting meaningful information about the response.

CVE-2018-20034

A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down.

CVE-2019-3858

An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises an SSH server may be able to cause a Denial of Service or read data in the client memory.

CVE-2018-20032

A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down.

CVE-2019-3855

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.

CVE-2019-8351

Heimdal Thor Agent 2.5.17x before 2.5.173 does not verify X.509 certificates from TLS servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate.

Historic, Widespread Flooding Will Continue Through May, NOAA Says

The U.S. is likely to see "historic, widespread flooding" through May, according to the National Oceanic and Atmospheric Association's spring outlook. From a report: "This is shaping up to be a potentially unprecedented flood season, with more than 200 million people at risk for flooding in their communities," said Ed Clark, director of NOAA's National Water Center in Tuscaloosa, Alabama. NOAA's outlook calls for nearly two-thirds of the lower 48 states to face an elevated risk of flooding through May, with the potential for major to moderate flooding in 25 states across the Great Plains, Midwest and down through the Mississippi River valley. "The flooding this year could be worse than what we have seen in previous years ... even worse than the historic floods we saw in 1993 and 2011," said Mary Erickson, deputy director of the National Weather Service. The warning comes amid record flooding triggered by a sudden warm-up and heavy rains earlier this month brought on by the "bomb cyclone." Combined with rapid snowmelt, the factors in recent weeks have put many places in the Great Plains and Midwest underwater.


Fedora 28: xen Security Update

xen: various flaws (#1685577)

  • grant table transfer issues on large hosts [XSA-284]
  • race with pass-through device hotplug [XSA-285]
  • x86: steal_page violates page_struct access discipline [XSA-287]
  • x86: Inconsistent PV IOMMU discipline [XSA-288]
  • missing preemption in x86 PV page table unvalidation [XSA-290]
  • x86/PV: page type reference counting issue with failed IOMMU update

Cable Lobby Seeks Better Reputation By Dropping ‘Cable’ From Its Name

An anonymous reader quotes a report from Ars Technica: Cable lobbyists don't want to be called cable lobbyists anymore. The nation's top two cable industry lobby groups have both dropped the word "cable" from their names. But the lobby groups' core mission -- the fight against regulation of cable networks -- remains unchanged. The National Cable & Telecommunications Association (NCTA) got things started in 2016 when it renamed itself NCTA-The Internet & Television Association, keeping the initialism but dropping the words it stood for. The group was also known as the National Cable Television Association between 1968 and 2001. The American Cable Association (ACA) is the nation's other major cable lobby. While NCTA represents the biggest companies like Comcast and Charter, the ACA represents small and mid-size cable operators. Today, the ACA announced that it is now called America's Communications Association or "ACA Connects," though the ACA's website still uses the americancable.org domain name. "The new name reflects a leading position for the association in the fast-growing telecommunications industry, where technology is rapidly changing how information is provided to and used by consumers," the cable lobby said. "It's all about the communications and connections our members provide," said cable lobbyist Matthew Polka, who is CEO of the ACA. The "ACA Connects" moniker "explains what our association and members really do," Polka continued. "We connect, communicate, build relationships and work together with all, and that will never change."


CVE-2019-7537

An issue was discovered in Donfig 0.3.0. There is a vulnerability in the collect_yaml method in config_obj.py. It can execute arbitrary Python commands, resulting in command execution.

CVE-2015-6458

Moxa SoftCMS 1.3 and prior is susceptible to a buffer overflow condition that may crash or allow remote code execution. Moxa released SoftCMS version 1.4 on June 1, 2015, to address the vulnerability.

CVE-2015-6457

Moxa SoftCMS 1.3 and prior is susceptible to a buffer overflow condition that may crash or allow remote code execution. Moxa released SoftCMS version 1.4 on June 1, 2015, to address the vulnerability.

5 Characteristics of an Effective Incident Response Team: Lessons From the Front Line

How you respond to a data breach matters.

In today’s world, most companies have documented policies and technologies that can help prepare them for grappling with a cyber intruder, but in many cases those tactics are insufficient — focusing more on answering questions about the incident itself and less about an integrated response that protects reputation, the business and, most importantly, clients.

A breach can be damaging, and the inability to respond effectively can add even more self-inflicted damage. The good news is, while you can’t control whether or not you’re a target of a breach, you can control how — and how well — you respond.

Leading organizations that analyze business trends have taken note of the importance of an integrated response. Earlier this week, Forrester released “The Forrester Wave™: Cybersecurity Incident Response Services, Q1 2019.” This report encourages customers to look for providers that can ensure timely preparation and breach response. Some characteristics highlighted in the report include vendors that have cyber range capabilities to train employees in the event of an attack and provide thorough deliverables that help beyond the postmortem of the incident.

Forrester evaluated 15 incident response (IR) service providers and weighed them across 11 criteria. These vendors were identified, evaluated, researched, analyzed and scored. The Forrester Wave report shows how each provider measures up and helps security and risk professionals make the right choice. Forrester noted that IBM “is a strong choice for training and incident preparation services” and that it “attaches X-Force threat intelligence analysts to its IR teams to ensure full situational awareness across the investigation.”

The IBM X-Force Incident Response and Intelligence Services (IRIS) team was created in 2016 and launched alongside the X-Force Command Cyber Range in Cambridge, Massachusetts. We knew that pairing a strong IR team with an immersive range experience that tests skills to survive the inevitable would greatly increase the success our clients experience in the event of a breach.

5 Characteristics of an Elite IR Team

As leaders of the X-Force IRIS team, we’ve been on the front line of hundreds of security breaches and built a team of elite practitioners that help clients recover quickly and effectively in the wake of an attack. Here are the top five characteristics of a world-class response team, based on our experience.

1. It Starts With People

One of the things we often say is, “IR is a team sport.” And with any team, it’s important to make sure each player has a unique set of skills that, when combined with the rest, compose a formidable force against your opponent.

The right team with the right skills means you solve problems faster, build more creative solutions to challenges, and have diverse insight and perspective on situations that allows you to view the problem from a variety of angles. That’s important, because often the attackers have assembled teams of skilled individuals that represent different experiences and perspectives themselves, so constructing an internal team in a similar manner enables you to quickly identify tactics and anticipate the next move.

2. Great Technology, Dynamic Analysis

When you’re technology agnostic, you can go beyond the tools available in your backyard and better ensure you’re getting the right capabilities to achieve your objective. We’ve learned that when we’re not tied to a specific technology or limited to one analytical methodology, we can rapidly evolve our approach to swiftly detect an attacker’s ever-shifting activity.

3. Embedded Threat Intelligence Capabilities

For every case we open, we embed an intelligence analyst who stays involved from start to finish. They bring a consistent intel perspective to each case, augmenting their own skills by leveraging unique insights from the larger intelligence team. Their combined insight gives us exceptional views into an adversary’s actions, tools and methodologies. Understanding these aspects allows faster, more accurate mitigation actions.

4. Comprehensive Remediation

There are two important focus areas for remediation: tactical and strategic. The tactical emphasizes removing an attacker and their access from the victim environment, and the strategic centers on ensuring that same type of attack is not successful again. They both matter, because getting an intruder out quickly and making sure you’re not vulnerable to the same kind of exploitation keeps you safer.

But there’s an element that goes beyond the tactical and the strategic: rebuilding an environment that’s been destroyed as the result of an attack. Rebuilding an environment requires a set of precision skills and, often, a great deal of human resources to ensure it’s done quickly, accurately, and in a way that enables you to continue to operate while rebuilding and recovery take place.

We built the X-Force IRIS team with a set of practitioners that, together, represent thousands of hours of experience rebuilding devastated environments from the ground up. That means when a client has been ravaged by an attack, it can rely on us to not only help it remediate, but keep its business running while we rebuild anew.

5. Train Like You Fight, Fight Like You Train

Even the best IR plan is insufficient if you don’t practice it. We encourage clients to run battle drills on their IR plans (and even put our own to the test). While tabletop exercises can be informative, by far the best way to train for a cyber breach is through an immersive, instructor-led range experience.

We combine our IR expertise with the X-Force Command Cyber Range. Here, we immerse clients in a highly gamified scenario that tests not only their IR plan, but also their human abilities to respond and adapt in a crisis. This helps uncover gaps in existing processes and silos in an organization and develop ways to respond to a breach in an integrated fashion that can’t be replicated in any other way.

Competitive Collaboration

Leaders named in the Forrester Wave™ — such as FireEye, CrowdStrike and Deloitte — are proving that effective incident response is worth the investment. And as competitors, we have the opportunity to share information and create a more robust collective defense for our clients when possible. We are enthusiastic about opportunities like this that allow us to share and build knowledge, because when cybersecurity is implemented correctly, it enables transformation and business growth regardless of the competitive landscape.

The X-Force IRIS team’s investigative and analytical methodology will continue to adapt to meet future IR challenges. By combining cutting-edge methodology with new technologies across disjointed security layers, we envision that our clients will get the context they need to eliminate the noise and identify the most critical threats so they can get back to what matters most: their core business.


The post 5 Characteristics of an Effective Incident Response Team: Lessons From the Front Line appeared first on Security Intelligence.

Press Release: Guardian Digital Leverages the Power of Open Source to Combat Evolving Email Security Threats

Cloud-based email security solution utilizes the open source methodology for securing business email, recognized by many as the best approach to the problem of maintaining security in the relentlessly dynamic environment of the Internet.

Windows Incident Response: A Minimal LNK

Yeah, so I've written about LNK files before, but I wanted to take it a step further and explore just how much of the specification is required for a functioning LNK file. 

Step 1
I used VBS to create a "bare-bones" LNK to run calc.exe.  I like to have something visual when testing this sort of thing.

The resulting LNK file is 890 bytes in size, and here's what the metadata for the file looks like:

guid          {00021401-0000-0000-c000-000000000046}
mtime         Wed Apr 11 23:34:36 2018 Z
atime         Wed Apr 11 23:34:36 2018 Z
ctime         Wed Apr 11 23:34:36 2018 Z
basepath      C:\Windows\System32\calc.exe
shitemidlist  My Computer/C:\/Windows/System32/calc.exe
**Shell Items Details (times in UTC)**
  C:2018-04-11 21:04:34  M:2018-10-11 21:39:08  A:2018-10-11 21:39:08 Windows (9)
  C:2018-04-11 21:04:34  M:2018-12-20 22:46:22  A:2018-12-20 22:46:22 System32 (9)
  C:2018-04-11 23:34:38  M:2018-04-11 23:34:38  A:2018-04-11 23:34:38 calc.exe (9)
vol_sn        22D3-06AE
vol_type      Fixed Disk
hotkey        0x14
showcmd       0x4

***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasLinkInfo|HasRelativePath

***PropertyStoreDataBlock***
GUID/ID pairs:
{446d16b1-8dad-4870-a748-402ea43d788c}/104
{46588ae2-4cbc-4338-bbfc-139326986dce}/4       SID: S-1-5-21-3855314428-4085452759-4066589348-1000

***KnownFolderDataBlock***
GUID  : {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}
Folder: CSIDL_SYSTEM

***TrackerDataBlock***
Machine ID             : enzo
New Droid ID Time      : Tue Sep 18 10:39:24 2018 UTC
New Droid ID Seq Num   : 7175
New Droid Node ID      : 5c:26:0a:24:29:6f
Birth Droid ID Time    : Tue Sep 18 10:39:24 2018 UTC
Birth Droid ID Seq Num : 7175
Birth Droid Node ID    : 5c:26:0a:24:29:6f

Okay, that is a LOT of stuff that's created in an LNK file, based on the following .vbs script:

' Create a shortcut to calc.exe through the WScript.Shell COM object;
' Windows fills in all the metadata shown above on its own.
set w = CreateObject("Wscript.shell")
set l = w.CreateShortcut("\foo2.lnk")
l.TargetPath = "c:\windows\system32\calc.exe"
l.Save

Step 2
Write code that creates a bare-bones LNK file header.  By "bare-bones", I mean one with the time stamps and any extraneous metadata zeroed out.

Step 3
Write code that goes to the LNK file created in step 1 and strips out just the LinkTargetIDList, or "shell item ID list".  Zero out all of the time stamps in the shell items, and just for giggles, change the version value within the shell items.  Append this LinkTargetIDList to the header created in step 2.

The resulting LNK file appears below:

[Image: hex dump of the resulting LNK file]
The LNK file is 389 bytes in size, and functions perfectly well, no matter where I put it within the file system.  I double-click it, it launches the Calculator, as expected. 

However, this is what the metadata now looks like:

guid          {00021401-0000-0000-c000-000000000046}
shitemidlist  My Computer/C:\/Windows/System32 /calc.exe
**Shell Items Details (times in UTC)**
  C:0                   M:0                   A:0                  Windows (10)
  C:0                   M:0                   A:0                  System32  (10)
  C:0                   M:0                   A:0                  calc.exe  (10)
hotkey        0x0
showcmd       0x1

***LinkFlags***
HasLinkTargetIDList|IsUnicode

The result of this process is a functioning LNK file with minimal metadata.  No disk or volume info, no SID, no MAC address, none of the things we'd look for when analyzing a weaponized LNK file. 
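A triage check for exactly this kind of stripped LNK, added here as an example (it is not the post's own code): it parses the ShellLinkHeader, walks the LinkTargetIDList and ExtraData section per MS-SHLLINK, and reports which of the artifacts listed above (header times, LinkInfo, TrackerDataBlock, shell item times) are absent or zeroed. The sample bytes are constructed inline; the "My Computer" CLSID, block signatures and flag values are from the specification, the filler timestamps are arbitrary.

```python
"""Triage check for "minimal" LNK files: parses the ShellLinkHeader, walks the
LinkTargetIDList and ExtraData section (layout per MS-SHLLINK) and reports which
artifacts an analyst normally relies on are missing or zeroed. Sample bytes are constructed."""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
FLAG_NAMES = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
BLOCK_NAMES = {0xA0000003: "TrackerDataBlock", 0xA0000009: "PropertyStoreDataBlock",
               0xA000000B: "KnownFolderDataBlock", 0xA0000005: "SpecialFolderDataBlock"}


def describe_item(item):
    """Return (kind, name, fat_mtime) for one ItemID; only file entries carry a name."""
    kind = item[2]
    if (kind & 0x70) == 0x30 and len(item) > 14:  # file entry: 0x31 directory, 0x32 file
        fat_mtime = struct.unpack_from("<I", item, 8)[0]  # DOS date/time; 0 when stripped
        name = item[14:].split(b"\x00", 1)[0].decode("latin-1")
        return ("file_entry", name, fat_mtime)
    return ("root" if kind == 0x1F else "other", None, None)


def parse_lnk(data):
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLinkHeader")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags, _attr, ctime, atime, wtime, _size, _icon, showcmd, hotkey = struct.unpack_from(
        "<IIQQQIIIH", data, 20)
    info = {"flags": [n for b, n in FLAG_NAMES.items() if flags & b],
            "header_times": (ctime, atime, wtime), "showcmd": showcmd, "hotkey": hotkey,
            "shell_items": [], "extra_blocks": []}
    pos = HEADER_SIZE
    if flags & 0x01:  # LinkTargetIDList: IDListSize, ItemIDs, TerminalID (0x0000)
        end = pos + 2 + struct.unpack_from("<H", data, pos)[0]
        pos += 2
        while pos < end:
            item_size = struct.unpack_from("<H", data, pos)[0]
            if item_size == 0:
                break
            info["shell_items"].append(describe_item(data[pos:pos + item_size]))
            pos += item_size
        pos = end
    if flags & 0x02:  # LinkInfo: its first dword is the whole structure's size
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # StringData: CountCharacters + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2 + count * (2 if flags & 0x80 else 1)
    while pos + 8 <= len(data):  # ExtraData: BlockSize, BlockSignature ... TerminalBlock
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        info["extra_blocks"].append(BLOCK_NAMES.get(sig, "0x%08X" % sig))
        pos += size
    return info


def triage(info):
    """List the artifacts an analyst would expect that this LNK does not carry."""
    findings = []
    if all(t == 0 for t in info["header_times"]):
        findings.append("header timestamps zeroed")
    if "HasLinkInfo" not in info["flags"]:
        findings.append("no LinkInfo (no volume serial / drive type)")
    if "TrackerDataBlock" not in info["extra_blocks"]:
        findings.append("no TrackerDataBlock (no machine ID / MAC address)")
    entries = [i for i in info["shell_items"] if i[0] == "file_entry"]
    if entries and all(i[2] == 0 for i in entries):
        findings.append("shell item timestamps zeroed")
    return findings


def _item_id(kind, payload):
    body = bytes([kind]) + payload
    return struct.pack("<H", len(body) + 2) + body  # ItemIDSize counts itself


def build_sample_lnk(stripped=True):
    """Constructed sample. stripped=True mimics the post's 389-byte file (header
    times, FAT times, LinkInfo and TrackerDataBlock all gone); stripped=False
    carries filler values in those places so the checker sees a 'normal' file."""
    ftime, fat = (0, 0) if stripped else (0x01D3D1E0F9E0C000, 0x4E8BA5A1)
    flags = 0x81 if stripped else 0x83  # HasLinkTargetIDList|IsUnicode (|HasLinkInfo)
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0, ftime, ftime, ftime, 0, 0, 1, 0, 0, 0, 0)
    items = [_item_id(0x1F, b"\x50" + bytes.fromhex("e04fd020ea3a6910a2d808002b30309d"))]
    for kind, name in ((0x31, b"Windows"), (0x31, b"System32"), (0x32, b"calc.exe")):
        # unknown(1) filesize(4) FAT date/time(4) attributes(2) primary name
        items.append(_item_id(kind, b"\x00" + struct.pack("<IIH", 0, fat, 0x10) + name + b"\x00"))
    idlist = b"".join(items) + b"\x00\x00"
    body = header + struct.pack("<H", len(idlist)) + idlist
    if not stripped:
        body += struct.pack("<I", 28) + bytes(24)  # skeletal 28-byte LinkInfo header
        body += struct.pack("<II", 0x60, 0xA0000003) + bytes(0x58)  # empty TrackerDataBlock
    return body + bytes(4)  # TerminalBlock
```

Run `triage(parse_lnk(open(path, "rb").read()))` over a real shortcut to get the same list of findings; an LNK that trips all four checks is worth a closer look even before the target path is considered.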



Windows Incident Response

PewCrypt Ransomware Locks Users’ Files and Won’t Offer a Decryption Key Until – and Unless – PewDiePie’s YouTube Channel Beats T-Series To Hit 100M Subscribers

The battle between PewDiePie, currently the most subscribed channel on YouTube, and T-Series, an Indian music label, continues to have strange repercussions. In recent months, as T-Series closes in on the gap to beat PewDiePie for the crown of the most subscribers on YouTube, alleged supporters of PewDiePie, in an unusual show of love, have hacked Chromecasts and printers to persuade victims to subscribe to PewDiePie's channel. Now ZDNet reports about a second strain of ransomware that is linked to PewDiePie. From the report: A second one appeared in January, and this was actually a fully functional ransomware strain. Called PewCrypt, this ransomware was coded in Java, and it encrypted users' files in the "proper" way, with a method of recovering files at a later date. The catch -- you couldn't buy a decryption key, but instead, victims had to wait until PewDiePie gained over 100 million followers before being allowed to decrypt any of the encrypted files. At the time of writing, PewDiePie had around 90 million fans, meaning any victim would be in for a long wait before they could regain access to any of their files. Making matters worse, if T-Series got to 100 million subscribers before PewDiePie, then PewCrypt would delete the user's encryption key for good, leaving users without a way to recover their data. While the ransomware was put together as a joke, sadly, it did infect a few users, ZDNet has learned. Its author eventually realized the world of trouble he'd get into if any of those victims filed complaints with authorities, and released the ransomware's source code on GitHub, along with a command-line-based decryption tool.


VERISIGN TO REVEAL LATEST ENHANCEMENTS TO NAMESTUDIO API AT CLOUDFEST

Verisign is pleased to share the newest enhancements to NameStudio API, a smart domain name suggestion solution. The NameStudio API Service is designed to help domain name registrars, web-hosting companies, web builders and other businesses that offer domain name search services deliver relevant domain name suggestions to their customers.

The latest NameStudio API enhancements include:

  • Expanding the language support from 10 to 13 (now includes Dutch, Hindi and Vietnamese) allowing users to reach more customers around the world;
  • Significant advancements to the German, French, Italian, Portuguese and Mandarin language capabilities; and
  • Enhanced ability to detect and offer domain name suggestions based on personal names and provide relevant domain name suggestions based on the end-user’s location (when provided).

These are just some of many great updates to the NameStudio API Service.

LEARN MORE FROM THE EXPERTS

Experience these new NameStudio API enhancements at CloudFest in Europa-Park, Germany, where Verisign will be present at Booth F05. You will be able to speak to one of Verisign’s product experts about integrating the NameStudio API into your domain name search platform. When you visit our booth, you can also get a preview of our service – the NameStudio Web Component Beta – which combines a mobile-friendly user interface with the power of the NameStudio API Service into a single solution to help you easily create a custom search experience that can help drive domain name registrations.

About the NameStudio API Service:

The NameStudio API is an innovative domain name suggestion service that swiftly returns relevant domain name suggestions, and can be easily implemented with any platform. The service delivers relevant domain name suggestions based on popular keywords, geo-location data, and semantic relevance. Machine learning algorithms help ensure the service continuously improves the domain name suggestions. The NameStudio API provides domain name suggestions in over 1,500 top-level domains (TLDs)*, and can be customized to meet unique business needs.

To see a demo of the NameStudio API Service or request an API key, please visit www.NameStudioAPI.com.

*NameStudio API provides second-level domain name suggestions in Verisign-operated TLDs and other TLDs. Availability checks are currently offered in Verisign-operated TLDs and several other TLDs. Availability checks in non-Verisign-operated TLDs are subject to change.


The post VERISIGN TO REVEAL LATEST ENHANCEMENTS TO NAMESTUDIO API AT CLOUDFEST appeared first on Verisign Blog.

Comcast Unveils $5-a-Month Streaming Service Xfinity Flex

Comcast announced a $5-a-month streaming video service Thursday called Xfinity Flex, an offering that aggregates on-demand video from your subscriptions like Netflix, Amazon Prime Video and HBO, as well as offering free ad-supported shows to watch and options to rent and buy programming. From a report: It essentially replicates some of the features of a cable service but delivers over the internet rather than... well, cable. But it won't have live channels or DVR, and it won't let you watch a live-TV streaming service like YouTube TV or Sling TV, keeping Flex squarely in the realm of on-demand viewing that's less threatening to Comcast's traditional -- and lucrative -- cable TV packages. Instead, Flex will have built-in ways to upgrade to live TV from Comcast. Xfinity Flex comes with a 4K and HDR-ready wireless set-top box with an X1 voice remote, Engadget adds. It's scheduled to launch March 26th, and will be available to customers who have Comcast internet.


SecurityWeek RSS Feed: Threat Hunting Tips to Improve Security Operations

From Ferdinand Magellan to Lewis and Clark to Neil Armstrong – humans have an innate desire to understand the unknown. In security operations, we see this phenomenon every day in several forms, one of which is threat hunting. Threat hunting is not triggered by an event, but by the unknown. It is the practice of proactively and iteratively searching for abnormal indications within networks and systems.

SecurityWeek RSS Feed

CVE-2019-5490

Certain versions between 2.x to 5.x (refer to advisory) of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution. Any platform listed in the advisory Impact section may be affected and should be upgraded to a fixed version of Service Processor firmware IMMEDIATELY.

CVE-2015-6461

Remote file inclusion allows an attacker to craft a specific URL referencing the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, or BMXP342030H PLC web server, which, when launched, will result in the browser redirecting to a remote file via a Java script loaded with the web page.

CVE-2015-6462

Reflected Cross-Site Scripting (nonpersistent) allows an attacker to craft a specific URL, which contains Java script that will be executed on the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, or BMXP342030H PLC client browser.

CVE-2018-13798

A vulnerability has been identified in SICAM A8000 CP-8000 (All versions < V14), SICAM A8000 CP-802X (All versions < V14), SICAM A8000 CP-8050 (All versions < V2.00). Specially crafted network packets sent to port 80/TCP or 443/TCP could allow an unauthenticated remote attacker to cause a Denial-of-Service condition of the web server. The security vulnerability could be exploited by an attacker with network access to the affected systems on port 80/TCP or 443/TCP. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise availability of the web server. A system reboot is required to recover the web service of the device. At the time of advisory update, exploit code for this security vulnerability is public.

Use Threat Intelligence to Reduce Third-Party Risk, Says Analytics Expert Thomas H. Davenport

Everything is connected to everything else.

In the internet era, this is no longer just a New Age adage — it’s the bare truth of how business is conducted in just about every industry. And working closer together in digital spaces and sharing data more openly can certainly make the job easier for everyone. The problem is, that includes threat actors.

That’s what Thomas H. Davenport, a world-renowned thought leader and author in analytics, information and knowledge management, process management, and enterprise systems, says in his new report on third-party risk. Titled “Rating Companies on Third-Party Cyber Risk,” the report examines how threat intelligence provided by Recorded Future answers many of the difficult questions security practitioners face today, when the threat landscape has vastly grown.

“Digital ties among organizations are pervasive now,” he says. “Many data breaches, hacks, and attacks, including some of the most prominent ones, are facilitated by external digital relationships in which hackers get access to a company’s network through software or connections from a third party.”

“Companies need to know if the third-party organizations with which they do business are vulnerable to these threats,” Davenport goes on. “They also need to know if their own digital environment is secure, and how desirable a partner they are from a third-party-risk standpoint.”

The Problem With Traditional Risk Metrics

There are a few ways to measure third-party risk — “typically, numeric indicators of the level of risk in a particular company that other firms can use in deciding whether and how to do business with them,” Davenport explains. Many of these scoring systems are beginning to trend toward being more transparent about the factors that go into their scores, and that’s certainly a good thing. But there are still many problems with them.

One issue is that the assessments they offer are usually static. Something like a financial audit or an evaluation of what security certifications an organization has provides only a snapshot of a moment in time. When cybersecurity threats change daily, these assessments will inevitably become out of date — sometimes before they’re even published.

Another problem is a lack of context. Because many of these assessments don’t say anything about the actual threats that are out there — in a way, many only measure the thickness of the castle walls, not the bore of the cannons on its doorstep — they also don’t provide a lot of guidance about what to do with the information they provide. If a partner receives a high risk score, does that mean you should stop doing business with them? Not necessarily. And many systems of scoring are still not transparent about what factors go into generating their scores.

Threat intelligence, by contrast, offers a way to assess third-party risk and get that context in real time, Davenport says, and provides a much-needed supplement to traditional risk scoring methods.

3 Things to Look for in Threat Intelligence

In the report, Davenport defines some of the key criteria to look for in a threat intelligence solution.

1. The need for machine learning and automation when dealing with massive amounts of data.

“Given the scope and scale of cybersecurity-related content — literally billions of facts — there is no alternative today to using automation and AI for rigorous threat intelligence,” Davenport says.

Developing the risk scores in Recorded Future’s Third-Party Risk module takes “a considerable amount of automation and artificial intelligence,” according to Davenport. “Recorded Future is constantly collecting and analyzing content from the open web, the dark web, technical and news sources, and discussion forums. Each piece of content is analyzed, classified, and indexed using a variety of machine learning models and natural language processing capabilities. After the underlying data has been analyzed and indexed, a score based on the data can be created with a straightforward mathematical formula.”

2. The value of real-time updates to risk scores and reporting.

The problem of static assessments quickly becoming outdated also applies to threat intelligence, of course. Weekly or monthly intelligence reports provide good overviews but can’t be acted on if they come too late.

Recorded Future’s risk scores update more frequently and draw on a large pool of data, making them much more reliable for both immediate risk assessments and wider-reaching security decisions, Davenport explains:

3. The importance of transparency when providing risk assessments.

What’s the point of a risk assessment if you don’t do anything about it? The problem of information without context leaves us like the Cassandra of Greek legend — after the god Apollo gave her the gift of prophecy but she scorned his romantic advances, he cursed her so that nobody would ever believe her warnings about the future.

Transparency in risk reporting helps avoid this outcome by helping security professionals see why something might represent a real risk for themselves. Recorded Future’s risk score is “based on an algorithm that synthesizes recent threat intelligence events, which Recorded Future routinely gathers and reports to its customers,” Davenport explains:

Responding to High Third-Party Risk Scores

So what do you do when faced with high risk scores? “If your partner’s risk score is high, it would be an overreaction to stop doing business with that firm,” Davenport says. “Remember that virtually every company faces some cyber events these days; it is how they respond to them that matters.”

Instead, he explains, it should be “the rationale for further investigation and perhaps a dialogue with the company.” And on your end of things, you can look more closely at whether the risk rules that were triggered will impact your organization’s network.

The point is to be empowered to make smart security decisions, not knee-jerk ones — and this is only possible with up-to-the-minute context and evidence.

Get the Full Report on Third-Party Risk

Thomas H. Davenport is the President’s Distinguished Professor of Information Technology and Management at Babson College, a Fellow of the MIT Center for Digital Business, and an independent senior advisor to Deloitte Analytics.

He’s authored or co-authored 15 books and counting, most recently including “The AI Advantage: How to Put the Artificial Intelligence Revolution to Work,” as well as “Competing on Analytics: The New Science of Winning” and “Only Humans Need Apply: Winners and Losers in the Age of Smart Machines.”

To read his full report about third-party risk, download your complimentary copy today.

The post Use Threat Intelligence to Reduce Third-Party Risk, Says Analytics Expert Thomas H. Davenport appeared first on Recorded Future.


Infosecurity – Latest News: UK Police Federation Hit by Ransomware

UK Police Federation Hit by Ransomware

The UK’s Police Federation of England and Wales (PFEW) was the victim of a malware attack, according to two different tweets posted by the National Cyber Security Centre (NCSC) UK and the PFEW.

According to the Police Federation, the attack on the PFEW, which represents 119,000 police officers across the 43 forces in England and Wales, was first noticed on March 9. Upon learning of the ransomware attack through a system alert, PFEW responded quickly and was able to isolate the malware before it spread to additional branches, the announcement said.

Though the full extent of the damage remains undisclosed, the FAQs section of the announcement noted that “a number of databases and systems were affected. Back up data has been deleted and has been encrypted and became inaccessible. Email services were disabled and files were inaccessible.”

The investigation remains ongoing, but the PFEW tweeted, “All indications are that the malware did not spread any further than the systems based at our Surrey headquarters, with none of the 43 branches being directly affected.”

The initial announcement suggests that the attack was not targeted, though ransomware generally is not a targeted campaign, according to Matt Walmsley, EMEA director at Vectra. Walmsley added that ransomware is more opportunistic in nature, and its actions create a lot of noise, making it comparatively easier to spot than more stealthy targeted or advanced attacks.

“Whether they had a regulatory or legal need to inform the ICO isn’t clear – particularly if there has been no data breach. The launch of a criminal investigation may help salve anger and frustration but is unlikely to result in accurate attribution, never mind a conviction, even if they’ve called in their friends from the National Computer Crime Unit. However, their transparent reporting, even if it’s a number of days after the instance, should be commended for its candor. Defenses are imperfect, always,” Walmsley said.

The PFEW reported that it is continuing to work with experts to restore systems and minimize damage, which is the goal in the aftermath of a successful ransomware attack, according to Tim Erlin, VP of product management and strategy at Tripwire.

“Every organization should have a plan in place for a successful ransomware attack. While prevention is preferred, the reality is that no security control is perfect. The key to responding to a ransomware attack is to detect quickly, limit the spread and restore systems back to a trusted state. Functional backups are key to recovery, but so is a clear understanding of how systems are configured. Finally, restoring from backups is only useful if you can close the attack vector that allowed the ransomware to gain a foothold in the first place.”



Infosecurity - Latest News

Windows, Netflix Users Hit By Targeted Phishing Campaigns

In response to reports from Windows Defender Security Intel that AmEx and NetFlix customers are being hit with well-crafted phishing campaigns to get their credit card information, an expert with Centripetal Networks offers thoughts. 

Colin Little, Senior Threat Analyst at Centripetal Networks: 

Phishing emails are one of the highest-risk intrusion methods to date. They are easy to craft, easy to deploy; they are aimed at our broadest, weakest attack surface: The endpoint, and its user. They are designed to make us afraid that if we don’t click on that link or open that attachment something bad will happen. Cyber criminals have been extremely successful at both designing the lure and monetizing their success, despite their re-use of techniques and themes such as threatening our Netflix accounts or suggesting something may be amiss with our credit or identity. Some contemporary security and awareness tips to keep in mind:   

First, there are many places in the phishing kill chain for our own security intelligence, tools and TTPs to keep these malicious emails away from our user. These tools are a strong Enterprise mitigation. 

Also, a security awareness program that trains users how and why to identify phishing emails is both essential and fundamental. If our users are the broadest attack surface, their preparation for this attack is our best defense.

And if you or your users are just not sure if an email is legitimate or not, address the potential issue in a separate dialogue.  Start a new email chain (such as to the Netflix help desk, in this example) using an address you obtain from the site.  Address the inquiry in a different medium, such as calling the vendor's support line.  Or, the recipient can open the applicable app (if one’s available) on their smartphone and check their credit or account status.


The post Windows, Netflix Users Hit By Targeted Phishing Campaigns appeared first on Information Security Buzz.

SciLinux: Important: ghostscript on SL7.x x86_64

* ghostscript: superexec operator is available (700585) (CVE-2019-3835)
* ghostscript: forceput in DefineResource is still accessible (700576) (CVE-2019-3838)

Bug Fix(es):

* ghostscript: Regression: double comment chars '%%' in gs_init.ps leading to missing metadata

SL7 x86_64
ghostscript-9.07-31.el7_6.10.i686.rpm
ghostscript-9.07-31.el7_6.10.x86_64.rpm
ghostscript-cups-9.07-31 [More...]

Infosecurity – Latest News: Cyber Expert Hosts ‘Savvy Cyber Kids’ Talk in MA

Cyber Expert Hosts 'Savvy Cyber Kids' Talk in MA

Middle schoolers in Massachusetts welcomed the opportunity to learn about cybersecurity with a visit from Ben Halpert, founder of the Atlanta, Georgia–based nonprofit Savvy Cyber Kids Inc.

According to the Center for Digital Education, Halpert visited with more than 200 seventh graders at different schools, including the Consentino School in Haverhill, Massachusetts, earlier this week. During his presentation students learned what really happens when they take a picture on their phones.

“Those images are, and mostly without their knowledge, uploaded to 'the cloud,' which he explained are centers that store massive amounts of digital data,” wrote Mike LaBella of The Eagle-Tribune.

Halpert, who currently serves as VP of risk and corporate security for Ionic Security, founded Savvy Cyber Kids in 2007 and has been touring schools around the country for more than a decade.

“My positions over the years in cybersecurity and risk management have exposed me to the threats that not only organizations face but also those that impact the world's children,” Halpert said.

“I decided to take my expertise and founded the nonprofit Savvy Cyber Kids in 2007 to create and deliver cybersecurity and cyber-ethics materials and content to students of all ages (3–18) to make sure students today have a better understanding of the impact of their actions when using technology. I have had the pleasure of conducting workshops with students from preschool to elementary and middle school and through high school since 2002 (before I started the nonprofit).”

Commenting on his recent experience with the students in the Haverhill School District sessions, where he talked about online privacy and images, as well as appropriate online behaviors and bullying, Halpert said, “I had great student participation that showed their thoughtfulness, inquisitiveness and desire to learn more about what is really happening with all the technology they use in their daily lives.”



Infosecurity - Latest News

CVE-2019-9904

An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c in libcgraph.a, related to agfstsubg in lib\cgraph\subg.c.

CVE-2019-9903

PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict marking, leading to stack consumption in the function Dict::find() located at Dict.cc, which can (for example) be triggered by passing a crafted pdf file to the pdfunite binary.

CVE-2019-8997

An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary local files from the application server or make requests on the network by entering maliciously crafted XML in an existing field.
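A defensive illustration of the advisory's point, added here and not BlackBerry's or AtHoc's code: when a form field accepts XML, the cheapest guard against XXE-style file reads and outbound requests is to refuse any document that declares a DTD or entity before it ever reaches the parser, since entities can only be declared inside a DTD. The sample documents, the placeholder file URL and the element names are constructed for the example.

```python
"""Added example (not from the BlackBerry AtHoc advisory): reject DTD and
entity declarations in untrusted XML before parsing it."""
import re
import xml.etree.ElementTree as ET

# The XML spec spells these keywords in upper case; matching case-insensitively
# is a deliberately conservative guard against parsers that are lenient.
_DTD_MARKERS = re.compile(rb"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing documents that carry a DTD.

    Internal, external and parameter entities all live in the DTD, so refusing
    the DTD outright removes the entity-expansion surface (XXE file reads,
    out-of-band requests, exponential-expansion denial of service) without a
    third-party library and independently of the parser's own defaults.
    """
    if _DTD_MARKERS.search(data):
        raise ValueError("DTD or entity declaration refused in untrusted XML")
    return ET.fromstring(data)


# Constructed sample inputs (not taken from the advisory).
BENIGN = b"<alert><title>Fire drill</title><level>info</level></alert>"
XXE_SHAPED = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE alert [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<alert><title>&ext;</title></alert>"
)


def demo() -> dict:
    """Return what the guard did with each constructed sample."""
    result = {"benign_title": parse_untrusted_xml(BENIGN).findtext("title")}
    try:
        parse_untrusted_xml(XXE_SHAPED)
        result["xxe_shaped"] = "parsed"
    except ValueError:
        result["xxe_shaped"] = "refused"
    return result


if __name__ == "__main__":
    print(demo())
```

Python's `xml.etree` does not fetch external entities on its own, but making the policy explicit keeps it portable to other parsers and also stops internal-entity expansion bombs, which a "no external fetch" default does nothing about.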

Headquarters of Police Federation Suffered Ransomware Infection

The Police Federation of England and Wales (PFEW) suffered a ransomware infection in which crypto-malware affected several systems at its headquarters. According to a statement posted about the security incident, the law enforcement association’s security systems sent out an alert at 19:00 local time on 9 March. PFEW’s security teams looked into the alert and […]

The post Headquarters of Police Federation Suffered Ransomware Infection appeared first on The State of Security.

US Companies Are Moving Tech Jobs To Canada Rather Than Deal With Trump’s Immigration Policies, Report Says

US companies are going to keep hiring foreign tech workers, even as the Trump administration makes doing so more difficult. For a number of US companies that means expanding their operations in Canada, where hiring foreign nationals is much easier. From a report: Demand for international workers remained high this year, according to a new Envoy Global survey of more than 400 US hiring professionals, who represent big and small US companies and have all had experience hiring foreign employees. Some 80 percent of employers expect their foreign worker headcount to either increase or stay the same in 2019, according to Envoy, which helps US companies navigate immigration laws. That tracks with US government immigration data, which shows a growing number of applicants for high-skilled tech visas, known as H-1Bs, despite stricter policies toward immigration. H-1B recipients are all backed by US companies that say they are in need of specialized labor that isn't readily available in the US -- which, in practice, includes a lot of tech workers. Major US tech companies, including Google, Facebook, and Amazon, have all been advocating for quicker and more generous high-skilled immigration policies. To do so they've increased lobbying spending on immigration.

Read more of this story at Slashdot.

Infosecurity – Latest News: Facebook Left Millions of Passwords Unhashed

During a routine security review in January 2019, Facebook discovered that some user passwords had been stored in plain text on its internal data storage systems, an issue that raised concerns given that the company’s login system is supposed to mask passwords, according to the Facebook newsroom.

The security flaw has reportedly been fixed, and Facebook said it will be notifying everyone whose passwords were unencrypted, which it said could be hundreds of millions of Facebook users in addition to tens of thousands of Instagram users.

The social media platform did emphasize in its news release that “these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”

According to Facebook's security policy, user passwords are supposed to be hashed and salted at the time an account is created, which makes them unreadable. However, “access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords,” an unidentified Facebook source told KrebsonSecurity.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source told Krebs. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

Unfortunately for Facebook, each new headline seems to chip away at what is left of public trust, according to Terence Jackson, chief information security officer (CISO) at Thycotic.

“Another day, another Facebook breach of trust,” Jackson said. “As a CISO, the first question that comes to mind is, was this a flaw in the system or an accepted risk? Assuming they are following an SSDLC, this should have definitely been a core protection built into the system.

“Because there is no evidence that anyone external to Facebook had access to the unencrypted passwords is not reassuring. As a Facebook user, I question why would an internal employee need access to my unencrypted password. Ultimately it’s still up to the consumer to govern data shared with services like these. This won’t likely be the last of Facebook’s trust failures.”



Infosecurity - Latest News

0day Vulnerability in Easy WP SMTP Affects Thousands of Sites

The Easy WP SMTP plugin authors have released a new update, fixing a very critical 0day vulnerability. When leveraged, this vulnerability gives unauthenticated attackers the power to modify any options of an affected site — ultimately leading to a complete site compromise.

The vulnerability, found only in version 1.3.9, has been seen exploited in the wild and impacts thousands of sites.

Technical Details

The bug being exploited takes advantage of a misunderstanding of the admin_init hook’s execution context.

Continue reading 0day Vulnerability in Easy WP SMTP Affects Thousands of Sites at Sucuri Blog.

SecurityWeek RSS Feed: Global Security Spend Set to Grow to $133.8 Billion by 2022: IDC

Global spending on security-related hardware, software and services will grow at a compound annual growth rate (CAGR) of 9.2% between 2018 and 2022, to a total of $133.8 billion in 2022. The figures come from the latest Worldwide Semiannual Security Spending Guide compiled by IDC.




SecurityWeek RSS Feed

CVE-2017-16255

An exploitable buffer overflow vulnerability exists in the PubNub message handler of the Insteon Hub 2245-222, firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can send an authenticated HTTP request. At 0x9d014e84 the value for the cmd1 key is copied using strcpy to the buffer at $sp+0x280. This buffer is 16 bytes large.

CVE-2018-3968

An exploitable vulnerability exists in the verified boot protection of the Das U-Boot from version 2013.07-rc1 to 2014.07-rc2. The affected versions lack proper FIT signature enforcement, which allows an attacker to bypass U-Boot's verified boot and execute an unsigned kernel, embedded in a legacy image format. To trigger this vulnerability, a local attacker needs to be able to supply the image to boot.

CVE-2017-16254

An exploitable buffer overflow vulnerability exists in the PubNub message handler of the Insteon Hub 2245-222, firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can send an authenticated HTTP request. At 0x9d014e4c the value for the flg key is copied using strcpy to the buffer at $sp+0x270. This buffer is 16 bytes large; sending anything longer will cause a buffer overflow.

CVE-2017-16253

An exploitable buffer overflow vulnerability exists in the PubNub message handler of the Insteon Hub 2245-222, firmware version 1012, for the cc channel. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can send an authenticated HTTP request. At 0x9d014dd8 the value for the id key is copied using strcpy to the buffer at $sp+0x290. This buffer is 32 bytes large; sending anything longer will cause a buffer overflow.

Microsoft Ships Antivirus For macOS as Windows Defender Becomes Microsoft Defender

Microsoft is bringing its Windows Defender anti-malware application to macOS -- and more platforms in the future -- as it expands the reach of its Defender Advanced Threat Protection (ATP) platform. From a report: To reflect the new cross-platform nature, the suite is also being renamed to Microsoft Defender ATP, with the individual clients being labelled "for Mac" or "for Windows." macOS malware is still something of a rarity, but it's not completely unheard of. Ransomware for the platform was found in 2016, and in-the-wild outbreaks of other malicious software continue to be found. Apple has integrated some malware protection into macOS, but we've heard from developers on the platform that Mac users aren't always very good at keeping their systems on the latest point release. Further reading: Microsoft launches previews of Windows Virtual Desktop and Defender ATP for Mac.

Read more of this story at Slashdot.