Daily Archives: May 2, 2018

Cyber Security Roundup for April 2018

The fallout from the Facebook privacy scandal rumbled on throughout April and culminated with the closure of the company at the centre of the scandal, Cambridge Analytica.
Ikea was forced to shut down its freelance labour marketplace app and website 'TaskRabbit' following a 'security incident'. Ikea advised users of TaskRabbit to change their credentials if they had used them on other sites, suggesting a significant database compromise.

TSB bosses came under fire after a botched upgrade to their online banking system, which meant the Spanish-owned bank had to shut down their online banking facility, preventing usage by over 5 million TSB customers. Cybercriminals were quick to take advantage of TSB's woes.

Great Western Railway reset the passwords of more than a million customer accounts following a breach by hackers, US SunTrust reported an ex-employee stole 1.5 million bank client records, an NHS website was defaced by hackers, and US Saks, Lord & Taylor had 5 million payment cards stolen after a staff member was successfully phished by a hacker.

The UK National Cyber Security Centre (NCSC) blacklisted China's state-owned firm ZTE, warning UK telecom providers that usage of ZTE's equipment could pose a national security risk. Interestingly, BT formed a research and development partnership with ZTE in 2011 and had distributed ZTE modems. The NCSC, along with the United States government, released statements accusing Russia of large-scale cyber-campaigns aimed at compromising vast numbers of Western-based network devices.

IBM released the 2018 X-Force Report, a comprehensive report which stated for the second year in a row that the financial services sector was the most targeted by cybercriminals, typically by sophisticated malware such as Zeus, TrickBot and Gootkit. NTT Security released their 2018 Global Threat Intelligence Report, which unsurprisingly confirmed that ransomware attacks had increased 350% last year.

A concerning report by the EEF said UK manufacturer IT systems are often outdated and highly vulnerable to cyber threats, with nearly half of all UK manufacturers having already been the victim of cybercrime. An Electropages blog questioned whether the boom in public cloud service adoption opens the door to cybercriminals.

Finally, it was yet another frantic month of security updates, with critical patches released by Microsoft, Adobe, Apple, Intel, Juniper, Cisco, and Drupal.


[VIDEO] Top 5 Tips on Application Security Policies

Policies are a critical part of your application security program; you need them to frame your program, set goals, measure success, and report on progress. But they can also stall your program if they work against, and not with, developer processes and priorities. With the shift to DevOps, and developers working in a faster and more incremental way, it might be a good time to ensure your policy isn’t holding them back. Is your application security policy DevOps-ready? Pejman Pourmousa, VP of Program Management at Veracode, recently recorded a quick “chalkboard” video where he outlines our top 5 tips on application security policies. Listen to Pejman as he walks you through:

Tip No. 1: Work with current development processes, not against them. With the rapid change in the ways software is developed and released, most of the security policies that were deployed a few years back are no longer acceptable to the development community. Many application security policies were built when we did not have fast, automated security tools that could be plugged into the SDLC. Now more than ever, with teams moving to DevOps and CI/CD, it is important to revisit and build new policies that work with, and not against, the developer goal of “getting good code out quickly.”

Tip No. 2: Don’t set the bar too high. If your development team is new to security, enacting a stringent policy right out of the gate will create pushback and frustration.

Tip No. 3: Not all apps are created equal … Treating all apps equally will leave your developers spinning their wheels to address vulnerabilities that would never lead to exposure of sensitive information. A one-page temporary marketing site doesn’t require the same attention as an application that contains valuable IP. Tweak policies based on the criticality of applications.

Tip No. 4 … nor are all vulnerabilities. Similarly, adjust your policies to ensure your team isn’t wasting time on flaws that are not actually vulnerabilities. Consider whether a flaw is truly an exploitable vulnerability or whether it has compensating controls.

Tip No. 5: Don’t neglect open source components. In today’s development environment, if your policy is only addressing your internally developed code, it’s missing a significant portion of your threat surface. Ensure your policy covers your code, plus any components your developers are adding to your environment. One option is to build developers a library of safe components.

Watch Pejman’s short video to get all the details on these five tips, and set yourself up for AppSec success.

New Firefox Quantum-compatible VirusTotal Browser Extension

In November 2017 Mozilla released a new and improved version of their browser. This version is called Firefox Quantum. Following that step forward, VirusTotal is releasing a major revamp of its browser extension! You may install it at:

Historically VirusTotal had a very simple but popular Firefox extension called VTZilla. It allowed users to send files to scan by adding an option in the Download window and to submit URLs via an input box. We had not updated it since 2012.



At the end of 2017 Firefox decided to discontinue support for old extensions and encourage everyone to update their extensions to the new WebExtensions APIs, a common set of APIs designed to be the new standard in browser extensions. As a result our existing VTZilla v1.0 extension no longer worked. At VirusTotal we decided to face this as an opportunity instead of an inconvenience and we started working on a new and improved version of VTZilla.

VTZilla 2.0 has been designed with various goals in mind. We wanted this new version to be easy to use, transparent to users and as customizable as possible. The first thing users will see when installing the extension is the VirusTotal icon. If you click on it you will see the different configuration options:


This will allow users to customize how files and URLs are sent to VirusTotal and what level of contribution to the security community they want.

Users can then navigate as usual. When the extension detects a download it will show a bubble where you can see the upload progress and the links to file or URL reports.


These reports will help users to determine if the file or URL in use is safe, allowing them to complement their risk assessment of the resource. This is a great improvement with respect to the former v1.0 version of VTZilla, where we would only scan the pertinent URL tied to the file download. You would then have to jump to the file report via the URL report, and this would only be possible if VirusTotal servers had been able to download the pertinent file, leaving room for cloaking and other deception mechanisms.

VTZilla also has functionality to send any other URL or hash to VirusTotal. With a right button click users have access to other VirusTotal functionality:


This is the basis for all future functionality. Feel free to send us any feedback and suggestions. We will be working to improve and add functionality to the extension. Thanks to WebExtensions we will also be able to make this extension compatible with other browsers that support the WebExtensions standard.

Soon after this major revamp we will be announcing new VTZilla features whereby users may further help the security industry in its fight against malware. Even non-techies will be able to contribute, the same way that random individuals can contribute to search for extraterrestrial life with SETI@home or help cure diseases with BOINC. Stay tuned and help give good the advantage.