Daily Archives: May 3, 2018

Springfield, Mass., Unveils Real-Time Crime Analysis Center

Police will soon be able to access surveillance cameras with views from around Springfield, Mass., including the new MGM Springfield casino, Union Station and city schools. Analysts at the Springfield Police Department’s Real-Time Analysis Center will be able to use information gleaned from those cameras to provide situational awareness and information to officers in the field.

Chicago Bill for Drone Surveillance of Large-Scale Events Sparks Privacy Debate

Chicago lawmakers are attempting to amend the Freedom from Drone Surveillance Act to permit law enforcement to fly surveillance drones over “large scale events” in Chicago. The bill references festivals and concerts, but ACLU Illinois says the amendment could empower police to fly drones over political protests and rallies.

San Francisco Seeks to Grow Outdoor Security Camera Program

In San Francisco, the Union Square Business Improvement District launched an outdoor security camera program in 2012, starting with six privately-owned cameras, and it has since raised more than $3 million in grant money and outfitted 40 property owners with cameras, extending the network to around 350 cameras that share footage with police.

Female and Male Cybersecurity Pros Have More in Common Than Not

Female and male cybersecurity professionals share the same workplace values, priorities and aspirations. Both place about the same level of importance on matters such as salary and working close to home – and both apply roughly the same skills to their work and view protecting people and data as their primary function, according to recent (ISC)² research.

CVE-2018-10561 (gpon_router_firmware)

An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.

CVE-2018-10562 (gpon_router_firmware)

An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.

Dell EMC Unity Family OS Command Injection

Dell EMC Unity Operating Environment (OE) versions prior to 4.3.0.1522077968 are affected by multiple OS command injection vulnerabilities. A remote application admin user could potentially exploit the vulnerabilities to execute arbitrary OS commands as system root on the system where Dell EMC Unity is installed.

Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability

A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted packet to an affected device on TCP port 4786.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Smart Install client functionality is enabled by default on switches that are running Cisco IOS Software releases that have not been updated to address Cisco bug ID CSCvd36820.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi

This advisory is part of the March 28, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 20 Cisco Security Advisories that describe 22 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2018-0156

Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability

A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.

The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts:
  • Triggering a reload of the device
  • Allowing the attacker to execute arbitrary code on the device
  • Causing an indefinite loop on the affected device that triggers a watchdog crash

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Smart Install client functionality is enabled by default on switches that are running Cisco IOS Software releases that have not been updated to address Cisco bug ID CSCvd36820.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

This advisory is part of the March 28, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 20 Cisco Security Advisories that describe 22 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.


Security Impact Rating: Critical
CVE: CVE-2018-0171

CVE-2018-10722 (cylanceprotect)

In Cylance CylancePROTECT before 1470, an unprivileged local user can obtain SYSTEM privileges because users have Modify access to the %PROGRAMFILES%\Cylance\Desktop\log folder, the CyUpdate process grants users Modify access to new files created in this folder, and a new file can be a symlink chain to a pathname of an arbitrary DLL that CyUpdate uses.

Risky Biz Soap Box: Root9b on agentless threat hunting

In this edition of Soap Box we’re chatting with Root9b. They’ve just launched an updated version of their ORION platform. And I guess the way you’d describe Root9b is as a threat hunt product maker and managed threat hunt provider. And their approach is a bit different – their software is agentless. They basically authenticate to a machine, inject various payloads into memory, and use that to pull back all sorts of telemetry from machines.

They say this means it’s much less likely that attackers will see them, and they offer this as a product, ORION, or they offer it as a service. They say their managed services customers come to them because they're pretty unhappy with their MDR and MSSP providers and want better signalling.

So I was joined by John Harbaugh, COO of Root9b, and Mike Morris, CTO. Both of these guys were US Air Force cyberdudes before jumping out to the private sector. The company actually started off doing training before developing their platform ORION.

John and Mike joined me by Skype for this podcast. Enjoy!

It’s World (Terrible) Password (Advice) Day!

Frequently change your one random password – that's the ticket

It's World Password Day! And you know what that means: all the effort you've put into trying to persuade people to rethink how they do passwords turns to mush because some company sees a PR opportunity and floods social media with terrible advice.…

CVE-2018-8003 (ambari)

Apache Ambari, versions 1.4.0 to 2.6.1, is susceptible to a directory traversal attack allowing an unauthenticated user to craft an HTTP request which provides read-only access to any file on the filesystem of the host the Ambari Server runs on that is accessible by the user the Ambari Server is running as. Direct network access to the Ambari Server is required to issue this request, and those Ambari Servers that are protected behind a firewall, or in a restricted network zone are at less risk of being affected by this issue.

Bug Alert! All 330 Million Twitter Users Need to Change Their Passwords Immediately

Tweet, tweet! No, that’s not a bird you’re hearing outside your window, that’s Twitter kindly reminding you to change your password immediately. And that goes for every single user, as it was discovered just today, on World Password Day no less, that all 330 million Twitter users need to change their passwords to their accounts after a bug exposed them in plain text.

So, how did this exactly happen? According to Twitter, this vulnerability came about due to an issue within the hashing process that masks passwords. This process is supposed to mask these passwords by replacing them with a random string of characters that get stored on Twitter’s system. However, an error occurred during this process that caused these passwords to be saved in plain text to an internal log.

This news first came to light via a company blog, as Twitter confirmed that “we found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.” So far, Twitter has not revealed how many users’ passwords may have been potentially compromised or how long the bug was exposing passwords before the issue was discovered – which is precisely why the company has advised every user to change their password just in case. But, beyond changing their passwords, what other security steps can Twitter users take to ensure they stay protected from this bug? Start by following these tips:

  • Make your next password strong. When changing your password, make sure the next one you create is a strong password that is hard for cybercriminals to crack. Include numbers, lowercase and uppercase letters, and symbols. The more complex your password is, the more difficult it will be to crack. Finally, avoid common and easy-to-crack passwords like “12345” or “password.”
  • Use unique passwords for every account. Was your Twitter password the same one used for other accounts? If that’s the case, you need to also change those passwords immediately. It’s a good security rule of thumb – always use different passwords for your online accounts so you avoid having all of your accounts become vulnerable if you are hacked. It might seem difficult to keep so many passwords, but it will help you keep your online accounts secure.
  • Use a password manager. Take your security to another level with a password manager. A password manager can help you create strong passwords, remove the hassle of remembering numerous passwords and log you into your favorite websites automatically.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Bug Alert! All 330 Million Twitter Users Need to Change Their Passwords Immediately appeared first on McAfee Blogs.

Cisco Wireless LAN Controller 802.11 Management Frame Denial of Service Vulnerability

A vulnerability in the 802.11 frame validation functionality of the Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition.

The vulnerability is due to incomplete input validation of certain 802.11 management information element frames that an affected device receives from wireless clients. An attacker could exploit this vulnerability by sending a malformed 802.11 management frame to an affected device. A successful exploit could allow the attacker to cause the affected device to reload unexpectedly, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-wlc-mfdos


Security Impact Rating: High
CVE: CVE-2018-0235

On The Road – Enterprise Security Weekly #89

This week, Paul and John interview Adam Gordon, Edutainer at ITPro.TV! In the news, we have updates from Cisco, IBM, LogRhythm, ServiceNow, and more! In our final segment, we are joined by Security Weekly's own Jeff Man, who will give us an RSA Vendor Wrap-Up! All that and more, on this episode of Enterprise Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/ES_Episode89

Visit https://www.securityweekly.com/esw for all the latest episodes!

Introducing ThreatConnect’s Intel Report Cards

Providing insight into how certain feeds are performing within ThreatConnect

As part of our latest release, we've introduced a new feature to help users better understand the intelligence they're pumping into their systems. Intelligence can be a fickle thing; indicators are by their very nature ephemeral and part of our job is to better curate them. We find patterns not only in the intelligence itself, but in the sources of intelligence. As analysts, we frequently find ourselves asking a simple question: "Who's telling me this, and how much do I care?" We sought to tackle this problem on a few fronts in ThreatConnect in the form of Report Cards, giving you insight into how certain feeds are performing across the ThreatConnect ecosystem.

First and foremost, we wanted to leverage any insights gleaned from our vast user base. We have users spanning dozens of industries across a global footprint. If a customer in Europe is seeing a lot of false positives come from a set of indicators, we want the rest of ThreatConnect users to learn from that. This is where ThreatConnect's CAL™ (Collective Analytics Layer) comes in. All participating instances of CAL are sending some anonymized, aggregated telemetry back. This gives us centralized insight which we can distribute to our customers. This telemetry includes automated tallies, such as how often an indicator is being observed in networks, as well as human-curated data such as how often False Positives are being reported.

Feed selection interface, driven by CAL's insights (27 March 2018)

By combining and standardizing these metrics, CAL can start to paint a picture of various intelligence feeds. CAL knows which feeds are reporting on which indicators, and can overlay this information at scale with the above telemetry. This has an impact at the strategic level, when deciding which feeds to enable in your instance. We're all familiar with the "garbage in, garbage out" problem: simply turning on every feed may not be productive for your environment and team. High-volume feeds that yield a lot of false positives, report on indicators outside of your areas of interest, or are simply repeated elsewhere may not be worth your time. Now system administrators can make an informed decision on which feeds they would like to enable in their instance, and with a single button click can get months of historical data. These feeds are curated by the ThreatConnect Research team, which does its best to prune and automatically deprecate older data to keep the feeds relevant.

ThreatConnect's Intelligence Report Card helps you better understand a candidate feed (27 March 2018)

The Report Card view goes into more depth on a particular feed. For each feed CAL knows about, it will give you a bullet chart containing the feed's performance on a few key dimensions, as determined by the ThreatConnect analytics team. In short, a bullet chart identifies ranges of performance (red, yellow, and green here) to give you a quick representation of the groupings we've identified for a particular metric. A vertical red line indicates what we consider to be a successful "target" number for that metric, and the gray line indicates the selected feed's actual performance on that metric. We've identified a few key metrics that we think will help our users make decisions:

  • Reliability Rating is a measure of false positive reports on indicators reported by this feed. It's more than just a count of how many votes have been tallied by users. We also consider things like how egregious a false positive is, since alerting on something like google.com in your SIEM is a much more grave offense in our book. We give this a letter grade, from A-F, to help you identify how likely this feed is to waste your time.
  • Unique Indicators is a simple percentage of how many indicators contained within this feed aren't found anywhere else. If a feed's indicators are often found elsewhere, then some organizations may prefer not to duplicate data by adding them again. There may be reasons for this, as we see below with ThreatAssess. Nonetheless, this metric is a good way to help you understand how much novelty does this feed add?
  • First Reported measures the percentage of indicators which, when identified in other feeds, were found in this feed first. Even if a feed's indicators are often found elsewhere, this feed may have value if it's reporting those indicators significantly earlier. This metric helps you understand how timely a feed is relative to other feeds.
  • Scoring Disposition is a measure of the score that CAL assigns to indicators, on a 0-1000 scale. This score can be factored into the ThreatAssess score (alongside your tailored, local analysis). The Scoring Disposition is not an average of those scores, but a weighted selection based on the indicators we know our users care about. This metric helps answer how bad are the things in this feed according to CAL?

The Report Card also contains a few other key fields, namely the Daily Indicators graph and the Common Classifiers box. The Daily Indicators chart shows you the indicator volume coming from a source over time, to help you understand the ebbs and flows of a particular feed. The Common Classifiers box shows which Classifiers are most common on indicators in the selected feed. Combined, these can give you an idea of how many indicators am I signing up for, and what flavors are they?

All of these insights are designed to help you make better decisions throughout your security lifecycle. Ultimately, the decision to add a feed should be a calculated one. When an analyst sees that an indicator was found in a particular feed, they may choose to use that information based on the Reliability Rating of that feed. You can leverage these insights as trust levels via ThreatAssess, allowing you to make such choices for every indicator in your instance.

We'll continue to improve our feed offering and expand upon our Report Cards as we hear more feedback from you, so please feel free to Tweet us @ThreatConnect.

The post Introducing ThreatConnect's Intel Report Cards appeared first on ThreatConnect | Enterprise Threat Intelligence Platform.

89% of top travel websites fail to protect your security

Researchers have put big-name travel and booking sites to the test to see how their security practices fare against other online services. If the results are anything to go by, we should all take extra precautions to secure our personal data when booking a flight and a hotel room, or renting a car.

Analyzing the data for its first Travel Website Password Power Rankings report, password manager developer Dashlane found that 89% of booking sites leave users’ accounts dangerously exposed to bad actors due to unsafe password practices.

The company tested each website on five critical criteria, and ranked each site’s performance on a five-star scoring system. The results were not good, as the chart above shows.

Notably, 96% of travel sites tested did not provide 2FA (two-factor authentication), where the system asks users to validate their identity on a second platform, such as their phone, or service, such as their email.

Most big-name booking and travel agencies, including Booking.com, Hertz, American Airlines and InterContinental Group, scored poorly in areas like two-factor authentication (2FA), and in assessing password strength when accounts are created.

And cruise company Norwegian Cruise Line flunked on all points of security best practices, receiving zero stars. At the other end of the spectrum lay hospitality service Airbnb, with 5 out of 5 stars.

“When compared to results of Dashlane’s 2017 rankings of leading consumer websites, and the more recent 2018 rankings comparing the cryptocurrency exchanges, travel sites performed especially poorly,” reads the report. “In the consumer rankings, which examined sites such as Apple, Facebook, and PayPal, only 36% received a failing score. That is in extremely stark contrast to the 89% of sites that failed Dashlane’s 2018 travel examination.”

Users are encouraged to employ a unique password for every online account they create. That password should be at least eight characters long with a mix of uppercase and lowercase letters, numbers and special symbols.

But if other studies are any indication, convenience usually wins. That, perhaps, is at least part of the reason almost every big-name travel agency avoids turning their service into a cyber-security hassle.

GDPR: Seeing Beyond Compliance to 3 Business Benefits

Cybersecurity breaches make headline news, seemingly on a daily basis. Private data for millions of consumers is compromised at greater frequency. Organizations scramble to remediate damages and restructure their cyber defense tactics. To address this new normal and further protect personal information from data breaches, the European Union will formally implement the General Data Protection Regulation (GDPR) on May 25, 2018.

CVE-2018-10166 (eap_controller)

The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. This is fixed in version 2.6.1_Windows.

CVE-2018-10164 (eap_controller)

Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUpload functionality. This is fixed in version 2.6.1_Windows.

CVE-2018-10167 (eap_controller)

The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows.

CVE-2018-10165 (eap_controller)

Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user creation functionality. This is fixed in version 2.6.1_Windows.

CVE-2018-10168 (eap_controller)

TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows do not control privileges for usage of the Web API, allowing a low-privilege user to make any request as an Administrator. This is fixed in version 2.6.1_Windows.

5 Common Pitfalls in IT Security & How to Overcome Them

Whenever there’s a data breach, it’s easy to get caught up in the root cause analysis – a misconfigured device, an unpatched application, an employee falling for a phishing attack, you name it. But really, the root causes of most breaches are not these moment-in-time errors. Instead, they are almost always shortsighted decisions made well before the breach ever occurs.

Cybersecurity pervasiveness subsumes all security concerns

Given the increased digitization of society and explosion of devices generating data (including retail, social media, search, mobile, and the internet of things), it seems like it might have been inevitable that cybersecurity pervasiveness would eventually touch every aspect of life. But, it feels more like everything has been subsumed by infosec.

All information in our lives is now digital — health records, location data, search habits, not to mention all of the info we willingly share on social media — and all of that data has value to us. However, it also has value to companies that can use it to build more popular products and serve ads and it has value to malicious actors too.

The conflict between the interests of these three groups means cybersecurity pervasiveness is present in every facet of life. Users want control of their data in order to have a semblance of privacy. Corporations want to gather and keep as much data as possible, just in case trends can be found in it to increase the bottom line. And, malicious actors want to use that data for financial gain — selling PII, credit info or intellectual property on the dark web, holding systems for ransom, etc. — or political gain.

None of these cybersecurity pervasiveness trends are necessarily new for those in the infosec community, but issues like identity theft or stolen credit card numbers haven’t always registered with the general public or mass media as cybersecurity problems because they tended to be considered in individual terms — a few people here and there had those sorts of issues but it couldn’t be too widespread, right?

Now, there are commercials on major TV networks pitching “free dark web scans” to let you know whether your data is being sold on the black market. (Spoiler alert: your data has almost certainly been compromised, it’s more a matter of whether you’re unlucky enough to have your ID chosen from the pile by malicious actors or not. And, a dark web scan won’t make the awful process of getting a new social security number any better.)

Data breaches are so common and so far-reaching that everyone has either been directly affected or is no more than about two degrees of separation from someone who has been. Remember: the Yahoo breach alone affected 3 billion accounts and the latest stats say there are currently only about 4.1 billion people who have internet access. The Equifax breach affected 148 million U.S. records and the U.S. has an estimated population of 325 million.

Everyone has been affected in one way or another. Everything we do can be tracked including our location, our search and purchase history, our communications and more.

But, cybersecurity pervasiveness no longer affects only financial issues and the general public has seen in stark reality how digital platforms and the idea of truth itself can be manipulated by threat actors for political gain.

Cyberattacks have become shows of nation-state power in a type of new Cold War, at least until cyberattacks impact industrial systems and cause real world harm.

Just as threat actors can find the flaws in software, there are flaws in human psychology that can be exploited as part of traditional phishing schemes or fake news campaigns designed to sway public opinion or even manipulate elections.

For all of the issues that arise from financially-motivated threat actors, the security fixes range from relatively simple to implement — encryption, data protection, data management, stronger privacy controls, and so on — to far more complex issues like replacing the woefully outmatched social security number as a primary form of ID.

However, the politically-minded attacks are far more difficult to mitigate, because you can’t patch human psychology. Better critical reading skills are hard to build across people who might not believe there’s even an issue that needs fixing. Pulling people out of echo chambers will be difficult.

Social networks need to completely change their platforms to be better at enforcing abuse policies and to devalue constant sharing of links. And the media also needs to stop prioritizing conflict and inflammatory headlines over real news. All of this means prioritizing the public good over profits, a notoriously difficult proposition under the almighty hand of capitalism.

None of these are easy to do and some may be downright impossible. But, like it or not, the infosec community has been brought to the table and can have a major voice in how these issues get fixed. Are we ready for the challenge?

The post Cybersecurity pervasiveness subsumes all security concerns appeared first on Security Bytes.

How Risk-Based Cybersecurity Programs Differ Between Community & Global Banks

In today’s complex digital world, cybersecurity threats are high and rising. The Identity Resource Center’s 2017 Annual Data Breach Year-End Review reports publicly-disclosed data breaches were up 45 percent from 2016. And the 2018 Thales Global Data Threat Report notes that 71 percent of U.S. enterprises have suffered at least one data breach “over the past several years,” with 46 percent reporting a breach “in the past year,” up from 24 percent in the prior survey. As cyber threat volume and sophistication increase, financial institutions of all sizes are challenged to maintain and prove cyber safety and soundness.

A Puzzling Backdoor Upload

After a successful compromise, backdoors are frequently left behind and function as a point of re-entry into the website environment. These malicious pieces of code are a valuable tool for attackers and allow them to bypass any existing access controls into the web server environment.

To demonstrate just how common this malware is, in 2017 we identified that 71% of all compromises seen by Sucuri had a PHP-based backdoor hidden within the site.

Continue reading A Puzzling Backdoor Upload at Sucuri Blog.

Internet Shortcut used in Necurs malspam campaign

The Necurs botnet continues to be one of the most prolific malicious spam distributors, with regular waves of carefully-crafted attachments that are used to download malware.

The majority of malspam campaigns that we track are targeting Microsoft Office with documents containing either macros or exploits. We also see a number of other types of malicious attachments that are zipped scripts (.VBS, .JS, etc)—essentially downloaders for the final payload.

In a new technique recently uncovered, Necurs is changing things up a little bit by avoiding the aforementioned formats and using a different file type instead, crafting malicious .URL files (Internet Shortcut).

This attack relies on the file:// protocol to load and execute a remote script from a Samba (SMB) share. This is noteworthy because typically the attachment itself is the downloader; here the .url shortcut adds one extra step before that stage, fetching the script from the remote share first.

By not placing the malicious script directly within the attachment, attackers are also preventing the automated collection and sandbox analysis that usually takes place within spam traps.

An obfuscated view of the WSF script can be seen in the screenshot below:

The final payload is eventually downloaded from a remote server:

This is an interesting attack designed to bypass traditional security measures and administrative policies that may block the well-known Office macros.

Malwarebytes users are already protected against this technique.

Malware authors are constantly looking for new evasion techniques as long as they generate good success rates. Social engineering attacks have relied upon the same lures for some time, but every now and again we see a slight variation in a technique that was perhaps known, but not yet leveraged by criminals.

The post Internet Shortcut used in Necurs malspam campaign appeared first on Malwarebytes Labs.

CVE-2018-10717 (ngiflib)

The DecodeGifImg function in ngiflib.c in MiniUPnP ngiflib 0.4 does not consider the bounds of the pixels data structure, which allows remote attackers to cause a denial of service (WritePixels heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted GIF file, a different vulnerability than CVE-2018-10677.

Yahoo! Fined 35 Million USD For Late Disclosure Of Hack

Ah, Yahoo! in trouble again. This time Yahoo! has been fined 35 million USD by the SEC for delaying disclosure of its massive hack by two years; we reported on the incident in 2016 when it became public in Massive Yahoo Hack – 500 Million Accounts Compromised.

Yahoo! has been having a rocky time for quite a few years now and just recently has sold Flickr to SmugMug for an undisclosed amount, I hope that at least helps pay off some of the fine.

Read the rest of Yahoo! Fined 35 Million USD For Late Disclosure Of Hack now! Only available at Darknet.

CVE-2018-10713 (dsl-3782_firmware)

An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as a 'read' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'read <node_name>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code.

Securing the Connected Industrial World with Trend Micro

At Trend Micro we’ve made it our business over the past 30 years to anticipate where technology is taking the world. That’s why our message has evolved over that time from Peace of Mind Computing to Your Internet Firewall and most recently Securing Your Journey to the Cloud. Well, we know that things are evolving again, as the Internet of Things drives an evolution in IT infrastructure, user behavior and cyber-threats. That’s why it was great to take our new message Securing the Connected World to an audience of Industry 4.0 experts at Hannover Messe last week.

Hannover Messe bills itself as “the world’s leading Trade Fair for industrial Technology”; read more about it here.

If we want this next industrial revolution to be a success, we need to bake cybersecurity in from the start, and that’s going to require a whole new way of doing things.

The insecure connected world

Trend Micro has managed to stay relevant over the past three decades because in many ways our formula for success hasn’t changed. We anticipate shifts in IT infrastructure, embrace changes in user behavior and adapt protection for the new threats we encounter. Driving this change is the Internet of Things. According to some analysts there are as many as 12.8 billion connected things in the world today. To put that in perspective, that’s nearly twice the population of the planet – a staggering number. And it’s growing all the time: Arm predicts it will reach one trillion by 2035.

IoT technology is already permeating every corner of the industrial world to make companies more cost effective, productive and agile. It’s no surprise the market for IIoT is set to be worth $934bn by 2025. But as organizations invest more and more heavily in IIoT technologies and processes, they threaten to expose themselves to greater cyber-risk. Ransomware is actively targeting network infrastructure and industrial equipment, while IoT endpoints could be hijacked to remotely control or sabotage industrial machinery. Attacks can also compromise poorly protected IoT devices and use them to launch DDoS attacks or serve as proxies for other raids.

The threat will only get more pronounced as the bad guys use machine learning and cryptography in a bid to escape detection. So how do industrial stakeholders respond to this new cyber-threat?

A new approach

We can’t simply try to fit existing cybersecurity approaches into this new world. For one thing, the IoT is much different from traditional IT environments. We’re not just dealing with TCP/IP traffic, there are a huge number of new protocols to get to grips with. Then there’s the sheer volume of endpoints to consider, and the associated traffic. They connect not through a traditional gateway but directly, which requires a new kind of security at the network edge. Then there’s the problem of IT skills: they’re already in increasingly short supply and will need to adapt further to take account of the growing convergence of IT and OT worlds.

This is particularly apparent in manufacturing and Industry 4.0 environments. Enterprises will therefore need a new mentality and architectural approach to succeed in this brave new world. Next Generation Security Operations Centers will be a must-have: overcoming traditional challenges of alert fatigue, poor visibility, and slow response times. Trend Micro’s answer is to use AI to prioritize alerts, automate the correlation of threats across layers in an optimized fashion, and tightly orchestrate a connected response across IT and OT.

At the show

It was great to talk to so many experts from the industrial and manufacturing sectors, at Hannover Messe last week. These are the guys at the frontline when it comes to cyber-threats. Given the repercussions of a successful attack, the stakes don’t come much higher than here. That’s why we were keen to demonstrate on stand how cyber-attackers could disrupt a smart factory, causing physical damage on the production line or a ransomware outage spread from office computers.

It was also important to reach out at the show because, ultimately, the only way we’re going to stay one step ahead of the bad guys is by working closely together. That’s why Trend Micro is collaborating closely with ISPs on Virtual Network Function-based security; with industry to research and gather intelligence on new vulnerabilities; with embedded computing developers on innovative new solutions; and with enterprise customers.

Because only with effective cybersecurity can we accelerate the development of our connected world.

To find out more on these themes, please take a look at my presentation at Hannover Messe.

The post Securing the Connected Industrial World with Trend Micro appeared first on the Trend Micro blog.

Operationalizing the Cyber Daily

Recorded Future’s Cyber Daily is an email newsletter released every day with the goal of providing trending indicators and emerging threats from across the web. It is generated automatically based off trending data from the prior 24 hours.

This data has been collected and processed by our analytics and machine-learning technologies and then prioritized by number of references and riskiness. This is information that under other circumstances analysts would have to surface manually, obtain from slower report sources, and potentially not see at all. The Cyber Daily provides a daily snapshot of the threat landscape that can be leveraged as a starting point into further threat research or used at face value in your network defense posture.

The objective of this blog post is to demonstrate what kinds of workflows an analyst can conduct by pivoting from our Cyber Daily data. This is a walkthrough of how to take some of the trending threats from our Cyber Daily, operationalize them into your workflows, and gain a better understanding of those threats in order to mitigate the risks to your organization.

Discovery: Targeted Industries

The Cyber Daily contains sections of information for different use cases, from trending cyber news, to suspicious indicators, to targeted industries. The Targeted Industries section highlights the trending industries that Recorded Future has collected references to that are being targeted by threat actors, operations, or any other kind of specific attack. Below you can see that there are 262 hits targeting the software industry. This post will explore what kinds of threats are currently trending against the software industry by showcasing a workflow from the Cyber Daily email to a relevant Recorded Future Intel Card.

Intel Cards are comprehensive summaries of relevant intelligence concerning a particular topic. They are designed to provide real-time data including targeted technologies, associated threat actors, most recent references, and actionable malware indicators.

Targeted Industries portion of the Cyber Daily.

After clicking on the link to Targeted Industries: Software, you are taken to a sample query of the data in Recorded Future. This is the extent that a user can see without a Recorded Future account, allowing anyone to have a quick glance into the types of insight Recorded Future can provide.

Targeted Industries query in Recorded Future.

Once logged into Recorded Future, an analyst is able to use the Reference Actions link under the relevant reference and begin pivoting into more in-depth research. In this case, Recorded Future recommends a number of query options, such as “What malware is reported with MailChimp?” These pre-set questions let analysts leverage pre-built yet relevant queries.

What malware is reported with MailChimp?

After clicking on “What malware is reported with MailChimp?”, Recorded Future provides a timeline view of the resulting query. The timeline view displays the data in a temporal context, allowing users to see when references and events occur in relation to the query. Analysts are also capable of annotating the results to add context and analysis to individual references.

Timeline of malware reported with MailChimp, with annotation.

The timeline view allows an analyst to discover that the VAWTRAK Trojan was used in the attack against MailChimp. The ability to add annotations allows analysts to extract context out of references automatically and have them shown in the timeline view. These annotations can be edited for reporting purposes or for visually displaying key insights.

From the references in the timeline view, analysts are able to pivot into the VAWTRAK Intel Card.

VAWTRAK Intel Card.

The VAWTRAK Intel Card quickly provides a comprehensive view into what kind of threat the malware poses, how it is affecting MailChimp, and the infrastructure associated with that network. Analysts can find valuable context to properly mitigate the threat in their environment (such as command-and-control IPs and domains, associated MD5 hashes, etc.). Once inside the Intel Card, we’ve been able to quickly drill down to the relevant intelligence needed to properly assess and operationalize indicators.

VAWTRAK Intel Card context field.

Get More Out of Trending Threat Data

Recorded Future’s Cyber Daily delivers the latest trending topics based on the data that the product analyzes in real time. These include threats to specific industries and software or even suspicious indicators of compromise (IOCs). By using the trends to pivot into relevant threat intelligence, users are able to develop workflows meant to operationalize these indicators to defend their networks.

To learn more about operationalizing trending threat indicators, subscribe to the Cyber Daily or request a personalized demo of Recorded Future.

Michael Ramirez

Michael Ramirez is a federal sales engineer at Recorded Future.

The post Operationalizing the Cyber Daily appeared first on Recorded Future.

PyRoMine Malware Sets Security Industry on Fire

It’s happened once again...

Recent headlines heralded the latest in cryptomining hacks to leverage stolen NSA exploits. This time in the form of PyRoMine, a Python-based malware which uses an NSA exploit to spread to Windows machines while also disabling security software and allowing the exfiltration of unencrypted data. By also configuring the Windows Remote Management Service, the machine becomes susceptible to future attacks.

Despite all the investment in cyber protection and prevention technology, it seems that the attacker’s best tool is nothing more than a variation on a previous exploit, because most security products cannot reliably detect every variation of zero-day malware in time to prevent the ensuing damage.

Cryptomining Beats Out Ransomware

Ransomware was the threat that wreaked havoc across organizations for years and sent most IT security professionals into a panic at the mere mention of a new exploit hitting the headlines. Now, however, it seems that ransomware is taking a back seat to cryptominers, according to a recent article at DigitalTrends.com by Jon Martindale titled “Cryptojacking is the new ransomware. Is that a good thing?”:

“In our history of malware feature, we looked at how malware tends to come in waves. While the latest and most dangerous in recent memory has been ransomware, it’s been pushed far from the top spot of common attacks in recent months by the advent of cryptominers, which look to force infected systems to mine cryptocurrency directly.”

The article goes further with this quote from a Senior E-Threat analyst on the expected growth of this type of threat:

“Since cybercriminals are always financially motivated, cryptojacking is yet another method for them to generate revenue,” said Liviu Arsene, senior E-Threat analyst at BitDefender. “Currently, it’s outpacing ransomware reports by a factor of 1 to 100, and these numbers will continue to increase for as long as virtual currencies remain popular and the market demands it.”

Variations on Old Hacks

Everything old is new again, or so goes an old adage, and it seems to apply to cyber threats as well. Fortinet researchers spotted a malware dubbed ‘PyRoMine’ which uses the ETERNALROMANCE exploit to spread to vulnerable Windows machines, according to an April 24 blog post.

“This malware is a real threat as it not only uses the machine for cryptocurrency mining, but it also opens the machine for possible future attacks since it starts RDP services and disables security services," the blog said. "FortiGuardLabs is expecting that commodity malware will continue to use the NSA exploits to accelerate its ability to target vulnerable systems and to earn more profit.”

PyRoMine is not the first cryptominer to use the previously leaked NSA exploits, but it is still a threat because it starts RDP services and disables security services, leaving infected machines open to future attacks.

The odds are great that we will see other variations on this NSA exploit before the year is up. Now is clearly the time to start evaluating other technologies that take more preventative steps to protect your IT infrastructure.

About the author: Boris Vaynberg co-founded Solebit LABS Ltd. in 2014 and serves as its Chief Executive Officer. Mr. Vaynberg has more than a decade of experience in leading large-scale cyber- and network security projects in the civilian and military intelligence sectors.

Copyright 2010 Respective Author at Infosec Island

ProtonMail warns all users to beware of phishing scam

ProtonMail is sending a warning urging all users of the end-to-end encrypted email service to be on the lookout for phishing scams impersonating ProtonMail.

“Dear ProtonMail user, over the last few days we have noticed an unusually high number of phishing attempts targeting ProtonMail accounts. To help keep your account safe, we want to remind you of a few security tips,” reads the warning.

Users are told to look for the “star” that indicates the email is from the provider, to avoid clicking on links or attachments if the email looks or feels suspicious in any way, and more (the full text of the warning was shared in a tweet by Catalin Cimpanu).

The company says phishing is the most common attack vector employed by cybercrooks, and urges users to watch out for any suspicious correspondence hitting their inbox.

ProtonMail is an end-to-end encrypted email service founded in 2014 at the CERN research facility. It uses client-side encryption to protect email contents and user data before they are sent to ProtonMail servers, unlike the more common email services out there.

The service uses a combination of public-key cryptography and symmetric encryption to achieve end-to-end encryption, and offers an optional “two-password mode” that requires a login password and a separate password for the mailbox. Two-factor authentication (2FA) is also supported.

Because ProtonMail stores users’ private keys only in encrypted form, neither ProtonMail nor an attacker who compromises its servers can read user emails or reset mailbox passwords. Thus the only way (or at least one of the few ways) to get into a ProtonMail account is a phishing campaign that tricks the user into entering their credentials.
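The reason phishing is the attack that remains is easiest to see in a small model of the two-password design: the login password authenticates to the server, while the mailbox password never leaves the client and only unlocks the wrapped private key. The block below is an added example written for this page, not ProtonMail’s code, and it deliberately simplifies the real service (which uses SRP for authentication and OpenPGP for the keys): a hash of a client-derived login key stands in for SRP, and an HMAC-SHA256 encrypt-then-MAC construction built from the standard library stands in for the OpenPGP key wrapping. The user name and passwords are made up.

```python
"""A simplified model of ProtonMail-style "two-password mode": the login
password authenticates to the server, the mailbox password never leaves the
client and only unlocks the wrapped private key. Added example, not
ProtonMail's code: the real service uses SRP for login and OpenPGP for the
keys; here authentication and key wrapping are hashlib/hmac stand-ins."""
import hashlib
import hmac
import secrets

KDF_ITERS = 100_000  # PBKDF2 work factor; raise for real deployments


def derive(password: str, salt: bytes, purpose: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, domain-separated by purpose so the two passwords
    never produce related key material even if a user reuses them."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), purpose + salt, KDF_ITERS)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a PRF-based stream cipher standing in for AES
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC the private key under the mailbox-password-derived key."""
    enc_key = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes):
    """Return the private key, or None if the MAC fails (wrong mailbox password)."""
    enc_key = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Holds only what the client uploads: two salts, a hash of the login key,
    and the wrapped private key. No password and no key-encryption key."""
    def __init__(self):
        self.records = {}

    def register(self, user, login_salt, login_hash, mbox_salt, wrapped_key):
        self.records[user] = dict(login_salt=login_salt, login_hash=login_hash,
                                  mbox_salt=mbox_salt, wrapped_key=wrapped_key)

    def login(self, user, login_key: bytes) -> bool:
        rec = self.records[user]
        return hmac.compare_digest(hashlib.sha256(login_key).digest(), rec["login_hash"])


def enroll(server: Server, user: str, login_pw: str, mailbox_pw: str) -> bytes:
    """Client-side enrollment; returns the private key it generated
    (32 random bytes stand in for an OpenPGP private key)."""
    login_salt, mbox_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    private_key = secrets.token_bytes(32)
    login_key = derive(login_pw, login_salt, b"login")
    kek = derive(mailbox_pw, mbox_salt, b"mailbox")   # never sent to the server
    server.register(user, login_salt, hashlib.sha256(login_key).digest(),
                    mbox_salt, wrap(kek, private_key))
    return private_key


def open_mailbox(server: Server, user: str, login_pw: str, mailbox_pw: str):
    """What a client holding both passwords can do (and therefore what a phisher
    who captured them can do): returns the private key, or None on failure."""
    rec = server.records[user]
    if not server.login(user, derive(login_pw, rec["login_salt"], b"login")):
        return None
    return unwrap(derive(mailbox_pw, rec["mbox_salt"], b"mailbox"), rec["wrapped_key"])


if __name__ == "__main__":
    srv = Server()
    key = enroll(srv, "alice", "correct horse", "battery staple")
    print("both passwords  :", open_mailbox(srv, "alice", "correct horse", "battery staple") == key)
    print("wrong mailbox pw:", open_mailbox(srv, "alice", "correct horse", "wrong") is None)
    print("key on server?  :", any(key in v for v in srv.records["alice"].values()))
```

Two properties follow directly from the model. The server can verify a login and store the blob, but it has no key-encryption key, so a server-side “reset” of the mailbox password would only orphan the wrapped private key. And anyone who obtains both passwords, which is exactly what a phishing page collects, gets the same access as the legitimate client, which is why the provider’s advice focuses on recognising impersonation rather than on server-side controls.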

Lantech IDS 2102

This advisory includes mitigations for improper input validation and stack-based buffer overflow vulnerabilities in the Lantech IDS 2102 Ethernet device server.

What HIPAA and Other Compliance Teaches Us About the Reality of GDPR

with contributing author, William J. Malik, CISA | VP, Infrastructure Strategies

The date for General Data Protection Regulation (GDPR) compliance is just weeks away, yet many organizations, especially those outside Europe, remain unprepared. It turns out that the experiences from other privacy compliance regulations are less helpful than assumed, but the best lessons learned may be from non-privacy regulations.

GDPR Lessons from Other Privacy Compliance Aren’t Very Helpful

Because compliance is tied to regulations and laws, it is often regional. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) became law in 2000. PIPEDA is mostly about privacy, specifically obtaining consent from people and letting them know why their information is being collected. As with too many privacy laws and regulations, to date there have been no penalties for PIPEDA non-compliance other than reputational ones. Governments are eager to pass compliance regulations but often balk at enforcing penalties. This false sense of security about non-compliance will be a surprise to organizations that run afoul of GDPR expecting it to resemble the privacy regulations of many other jurisdictions: GDPR carries penalties from its first iteration. Rather than looking to other privacy regulations, financial compliance is a better example to use when convincing your organization to get serious about GDPR. The penalties in GDPR are real.

GDPR Lessons from PCI-DSS

PCI-DSS is a better comparison to GDPR: Regional compliance having a global impact and with penalties. When PCI was first introduced, many organizations assumed it wouldn’t apply to them as they were not a credit card processor. The next phase was compliance-surprise, when organizations discovered credit card holder information was present in new apps or added to existing apps that were previously not in scope for PCI. One noteworthy case saw a $13.3M fine levied.  The GDPR lesson is that even if you are not subject to compliance on day 1, monitor changes to your business to check if you do later become subject to GDPR.

GDPR Lessons from HIPAA

US companies are generally not ready for GDPR compliance. By examining the history of compliance with HIPAA, we can forecast how GDPR compliance will roll out. HIPAA is focused on privacy, so it has some lessons. Initially, HIPAA enforcement was light. GDPR applies to any organization processing the personal data of individuals in the EU. For US organizations, this obligation had previously been defined under the European Data Protection Directive. Those basic definitions remain in place. What has changed is:

  1. The Safe Harbor has been supplanted by the EU-US Privacy Shield, which requires US companies to self-certify with the Federal Trade Commission (see https://www.privacyshield.gov/Program-Overview for details).
  2. Reporting requirements are much more stringent. An organization has 72 hours after discovery to report a breach.
  3. Organizations must show that they are using best-in-class or state-of-the-art technology to protect personally identifiable information.
  4. Fines are greater. There are two tiers of fines: the first is up to a maximum of 10M Euros or 2 percent of global annual turnover (whichever is higher), and the second up to 20M Euros or 4 percent of global annual turnover (whichever is higher).
  5. Organizations must name a Data Protection Officer (DPO), who has a broad remit to investigate and report on data breaches. This individual cannot be dismissed or sanctioned by their organization for doing that job.
  6. Individuals have the right to request their information be corrected or erased, by application to the DPO.

But penalties for HIPAA non-compliance have grown steadily over the past 10 years.

Note that under the terms of the Privacy Shield, individuals and government agencies (specifically the FTC) can bring actions against organizations in US courts. The mechanisms for levying fines are already in place. Organizations that fail to prepare for GDPR will face the financial consequences of non-compliance, that is, Stage 3, in short order. Unlike HIPAA, GDPR is familiar to many multinationals. Organizations have faced penalties under the current Data Protection Directive for over a decade. The learning curve will be much shorter this time. Do not expect a multi-year gap before US-based organizations face substantial financial consequences. We expect to see fines levied within the next 18 to 24 months.

GDPR Lessons from Increasing Compliance Maturity

Not all compliance is created equal. For other privacy regulations it is common that there is no penalty for non-compliance, even for willful breaches, whereas in some geographies privacy breaches can bring significant discomfort. So there is a gradient of maturity that compliance falls into, not by category of compliance (e.g. financial, privacy) but for the specific regulation or standard. This isn’t to argue that every compliance regime needs penalties, formality and significant oversight, but there are noteworthy differences in the ‘seriousness’ or impact of compliance with each system. We foresee that organizations will mature in their compliance following this proposed maturity model:

Maturity model (level, characteristics, and likely examples as fodder for arguments):

  • Level 0: Minimal utility in compliance; can be used as an excuse for doing less than due-diligence standards. Likely examples: OWASP Top 10
  • Level 1: Guidance and checklists. Likely examples: NIST standards, ISO 27001
  • Level 2: Regulations and formal laws without penalties (“name and shame”). Likely examples: PIPEDA (current version)
  • Level 3: Significant impact of non-compliance, including fines. Likely examples: PCI-DSS, HIPAA, GDPR
  • Level 4: Embedded into the business; compliance because it makes life better. Likely examples: FIPS 140-2

We will move rapidly through stages 0 and 1 to stage 2. We already have organizations that report on breaches, investigations in progress, and fines for HIPAA. The Privacy Shield site tracks registered organizations, and will provide a platform for reporting on breaches and fines, as well.

The Bottom Line

Although GDPR deadlines are approaching rapidly, this is not wholly unfamiliar territory. Use the practices already in place for your non-privacy compliance. Yes, GDPR is a more mature model of privacy compliance than most North American organizations are used to, but the compliance already in place for other regulations and laws can be a roadmap in getting compliant quickly.

The post What HIPAA and Other Compliance Teaches Us About the Reality of GDPR appeared first on .

Get Dashlane Password Manager Premium (50% + 10% OFF)

Happy 'World Password Day'! Today is a good time for you to audit your password practices and stop using terrible passwords to protect your online accounts. Experts advise that your password must:

  • be long
  • be unpredictable
  • have at least one number
  • not have any dictionary word
  • have upper and lowercase letters

Your

CVE-2018-4849 (siveillance_vms_video)

A vulnerability has been identified in Siveillance VMS Video for Android (All versions < V12.1a (2018 R1)), Siveillance VMS Video for iOS (All versions < V12.1a (2018 R1)). Improper certificate validation could allow an attacker in a privileged network position to read data from and write data to the encrypted communication channel between the app and a server. The security vulnerability could be exploited by an attacker in a privileged network position which allows intercepting the communication channel between the affected app and a server (such as Man-in-the-Middle). Furthermore, an attacker must be able to generate a certificate that results for the validation algorithm in a checksum identical to a trusted certificate. Successful exploitation requires no user interaction. The vulnerability could allow reading data from and writing data to the encrypted communication channel between the app and a server, impacting the communication's confidentiality and integrity. At the time of advisory publication no public exploitation of this security vulnerability was known. Siemens confirms the security vulnerability and provides mitigations to resolve the security issue.

PROTECTING YOUR PRIVACY – Part 2: How to Maximize Your Privacy on Social Media and in Your Browser

As social media sites become a bigger part of users' daily lives, they must be increasingly careful about their online privacy.

In the last post we highlighted the privacy risks associated with using popular social networking sites and browsers. You might not appreciate just how much of your personal data is being accessed by advertisers and other third parties via your social media accounts and internet browsing. Similarly, your privacy settings may have changed significantly since the last time you checked them, meaning that you’re now over-sharing via your updates and posts online.

This could lead to various unintended consequences. For example, a prospective employer may cut you from a shortlist of candidates because they don’t like what they see on your Facebook page. Or an enterprising burglar might see from a Twitter post that you’re not at home and raid your property. Hackers might even harvest the information you share and use your identity to apply for new bank cards in your name.

Fortunately, there are things you can do to protect your privacy online — both within the sites themselves and by using third-party tools like Trend Micro’s Privacy Scanner. Let’s take a look.

Changing your Privacy Settings

You can manually configure your Privacy Settings on sites including Facebook, Twitter, Google+, LinkedIn, and more, as well as in your browser. However, no two sites are the same, and some are easier than others to navigate.

Facebook:

The good news is that following the Cambridge Analytica scandal, Facebook has made several changes designed to make it easier for you to manage your privacy settings. A privacy shortcuts button is now accessible from the top right of any Facebook page and will help you manage who can view your content, who can contact you, and how to stop someone from hassling you. In addition, anywhere you’re able to share your status updates, photos and other posts, there’s an “audience selector” tool which allows you to specify whether they can be seen by the Public (anyone on or off Facebook), Friends, or just you. Be aware that Facebook remembers your most recent audience setting and applies it to your next post.

The amount of data you share with apps is also increasingly important to users. Following the recent data leakage scandal, Facebook has promised to notify users if it removes any apps for breaching its terms of service; to remove an app’s access if you haven’t used it in three months; and to reduce the data an app can request without app review. If you want to manually review what information your Facebook apps can access, click the menu in the top right, click Settings, then go to Apps and Websites on the left-hand side. You can choose between Active, Expired or Removed websites/apps and remove those you no longer wish to have access to your personal data.

Twitter:

As mentioned in the previous blog, Twitter is easier to manage than Facebook, but there are some settings users may prefer to enhance their privacy. In your account, click on Settings and Privacy then Privacy and Safety and you’ll be given several options. Tweets are public by default so if you want them to be private, and only shared with approved friends, click Protect your Tweets. Similarly, there are options to remove your geolocation, not allow users to tag you in photos, or let others find you by email address/phone number. Also switch personalization off to stop sharing data with advertisers and switch off Receive Direct Messages from anyone to avoid spam direct messages.

Browser (Chrome on Windows):

As the most popular browser in the world, Google Chrome collects much of your browsing activity, uses it for advertising and shares it with other Google products. If you don’t want to sync your personal browsing history to all of your devices, including your work machine, click on the three dots in the top right-hand corner, then Settings, then Sync, and toggle off the features you don’t want. You’ll need to do the same at work or on any other machines you use.

The browser also shares information with various other Google services. If you’re not happy with that, you can toggle them off under Settings, Advanced (at the bottom of the page). Enabling Do Not Track adds a request header asking sites not to track you, but sites are free to ignore it, so don’t rely on it on its own. It’s also a good idea to keep Safe Browsing (the setting that protects you and your device from dangerous sites) switched on.

Click on “content settings” to dive into additional privacy settings. Go into Cookies and “keep local data until you quit your browser” to limit what data sites can harvest from you. Finally, consider using a password manager from a third-party expert like Trend Micro instead of storing your passwords in the browser, since it’s far more secure.

Automate Privacy Settings with Trend Micro Privacy Scanner

If you want an easier way to manage your privacy on social media and browsers, consider the Trend Micro Privacy Scanner feature, which is available within Trend Micro Security on Windows and Mac, and within Mobile Security on Android and iOS. While we can’t help you with all your social network settings, we can certainly help you with quick and easy fixes on four major platforms, as well as their linked apps, and in Windows browsers.

For Windows, the social networks covered are Facebook, Twitter, Google+, and LinkedIn, as well as Internet Explorer, Chrome, and Firefox browsers. Privacy Scanner also works on Macs the same way for the same social networking platforms. And it works on Android (for Facebook) and iOS (for Facebook and Twitter). It’s turned on by default in Trend Micro Internet, Maximum and Premium Security and can also be launched from the Trend Micro Toolbar. Either click on the Privacy icon in the Console, or in the browser, select the Trend Micro Toolbar and “Check your Online Privacy.” Here are a few scenarios:

Facebook on Windows

A Facebook sign-in page is shown by default by the Privacy Scanner. Sign in, then click See Scan Results. Click Fix All and then Fix to fix all the issues highlighted, or click the drop-down to tackle them individually. You can also view any apps here which may have privacy concerns. If you want to fix each separately, click “Who can see each app and its posts?”

Once that has been completed you will get a message saying your friends’ accounts need help. In that case you can share a link to the Privacy Scanner with them on the social network.

Chrome on Windows

To start a scan, open up your browser. In the Trend Micro toolbar, select Check your online privacy. The Trend Micro Privacy Scanner portal will appear. Click on the browser you want to check. The scanner will show you where there are privacy concerns. Click Fix All and then Fix or manually fix/edit each one.

Twitter on iOS

To scan and fix Twitter via Trend Micro Mobile Security on iOS, swipe the Safe Surfing shield to the left and tap the Social Network Privacy shield in the main Console. (Note: this UI will change in the Fall of 2018.) Tap the Twitter icon to sign in and then Login to start the scan. Tap Improve Now or the individual settings panel to change the settings. The feature works similarly on Android.

Trend Micro Password Manager

Finally, Trend Micro Password Manager has been designed to help you protect the privacy of your account passwords across PCs, Macs, Android and iOS. It’s worth considering as an alternative to storing your online credentials in the browser, which exposes them to hackers. Trend Micro Password Manager is automatically installed with Trend Micro Maximum Security, but you can also install a free or paid stand-alone edition of the product, Password Manager.

  • Generates highly secure, unique and tough-to-hack passwords for each of your online accounts
  • Securely stores and recalls these credentials so you don’t have to remember them
  • Offers an easy way to change passwords, if any do end up being leaked or stolen
  • Makes it quick and easy to manage your passwords from any location, on any device and browser

At Trend Micro we understand that protecting your privacy and security online is becoming increasingly challenging. That’s why we’ve done our best to do the hard work for you—helping you to enjoy your digital life safely and easily.

For more info or to purchase Trend Micro Security for PC and Mac, as well as Trend Micro Mobile Security for iOS and Android, go here.

To watch a video on using Trend Micro Privacy Scanner, go here.

For more info on Trend Micro Password Manager go here, or to watch videos on using Password Manager go here.

The post PROTECTING YOUR PRIVACY – Part 2: How to Maximize Your Privacy on Social Media and in Your Browser appeared first on the Trend Micro blog.

Critical Vulnerability in Docker Tool for Windows Allows RCE; Patch Available

A recent vulnerability in the Windows Host Compute Service Shim (hcsshim) library that allows users to import Docker container images in Docker for Windows could have enabled remote code execution on the Windows host.

The open source hcsshim library was developed by Microsoft as a wrapper for use with its Host Compute Service (HCS).

The vulnerability exists because the hcsshim library, as used by a container management service, does not properly validate input when a container image is imported, which can lead to the execution of malicious code on the targeted machine.

“Docker for Windows uses the Windows Host Compute Service Shim published and maintained by Microsoft,” wrote software developer Michael Hanselmann who reported the vulnerability. “Its use of Go’s filepath.Join function with unsanitized input allowed to create, remove and replace files in the host file system, leading to remote code execution. Importing a Docker container image or pulling one from a remote registry isn’t commonly expected to make modifications to the host file system outside of the Docker-internal data structures.”

Tagged as CVE-2018-8115, it has been rated critical by Microsoft, although the chances of it being exploited in the wild are seen as very low.

“To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host,” reads the advisory. “An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.”

While full technical details of the vulnerability have yet to be made available, Hanselmann did receive approval from Microsoft to release a proof-of-concept along with technical details on May 9.

The vulnerability has already been fixed with the release of hcsshim 0.6.10 and everyone using Docker for Windows is urged to get this latest version of the library.
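An added example, not hcsshim’s code nor Hanselmann’s proof-of-concept: the unchecked filepath.Join pattern the report describes, beside a containment check that rejects any entry name resolving outside the destination directory. The layer directory and entry names are constructed; the check is purely lexical and does not address symlinks already present on disk.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesBase signals an entry name that would land outside the layer directory.
var ErrEscapesBase = errors.New("entry path escapes base directory")

// unsafeJoin reproduces the pattern the report describes: a name taken from an
// untrusted image is joined onto the host directory with no further check.
// filepath.Join cleans the result, so ".." components walk out of base.
func unsafeJoin(base, name string) string {
	return filepath.Join(base, name)
}

// safeJoin performs the same join, then verifies lexically that the result is
// still under base. Absolute entry names are rejected outright rather than
// relying on how Join happens to treat them.
func safeJoin(base, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", ErrEscapesBase
	}
	base = filepath.Clean(base)
	joined := filepath.Join(base, name)
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	// Anything that has to climb out of base starts with ".." once made relative.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesBase
	}
	return joined, nil
}

func main() {
	const layerDir = "/var/lib/layer" // constructed destination directory
	for _, name := range []string{"bin/app.exe", "../../etc/passwd", "a/../../b", "/etc/passwd"} {
		p, err := safeJoin(layerDir, name)
		fmt.Printf("%-18s unsafe=%-24s safe=%q err=%v\n", name, unsafeJoin(layerDir, name), p, err)
	}
}
```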

PF-Aadhaar seeding portal hacked, information of 2.7 crore members at risk

The Employees Provident Fund Organisation (EPFO) had to shut down the portal after an alleged data breach which exposed confidential user information of about 2.7 crore members registered with the retirement fund body.

The Central Provident Fund Commissioner V P Joy raised this issue on March 23. He immediately wrote a letter to the Ministry of Electronics and Information Technology, informing them about data stolen from the Aadhaar seeding portal of EPFO.

He asked the ministry's technical team to plug vulnerabilities on the portal aadhaar.epfoservices.com, which links the Aadhaar number of employees with their provident fund accounts. This website now has been shut down.

“The web portal has been closed one-and-a-half months ago, immediately after a possible data theft was reported to us during a process of routine security check. There was some problem in the application run by CSC and it is not related to our data center that maintains the EPF accounts,” Joy said.

However, EPFO has said that its initial investigation has not found any evidence to confirm data leakage. "No confirmed data leakage has been established or observed so far. As part of the data security and protection, the EPFO has taken advance action by closing the server and host service through the CSC pending vulnerability checks," it said in a statement.

Moreover, the Unique Identification Authority of India (UIDAI) said: "the matter does not pertain to any data breach from UIDAI server as the alleged data breach took place on a website that does not belong to it."

59% of people use the same password everywhere, poll finds

Despite an increasingly dangerous threat landscape and heightened global awareness of hacking and data breaches, password hygiene leaves a lot to be desired. 91 percent of people know that password recycling poses huge security risks, yet 59 percent still use the same password everywhere.

Users’ behavior in creating and managing secret login data lags behind the rapid evolution of cyber threats, according to statistics compiled by password management experts at LogMeIn. This holds true both in people’s personal lives and at work.

The firm polled 2,000 users across the United States, Australia, France, Germany and the United Kingdom, and found that people are more aware of security best practices, but don’t necessarily apply them.

For example, the number one reason for password reuse is fear of forgetfulness.

“Not only do most respondents (59 percent) use the same password for multiple accounts, but many continue to use that password as long as possible — until required by IT to update or if impacted by a security incident. The fear of forgetfulness was the number one reason for reuse (61 percent), followed by wanting to know and be in control of all of their passwords (50 percent),” according to the report.

Businesses should pay closer attention to staffers’ password hygiene, with nearly 47 percent of respondents saying there is no difference in passwords created for personal and work accounts. 79 percent have between one and 20 online accounts for work and personal use. Only 19 percent are more careful with their work login details, and 38 percent never use the same password for work and personal accounts. Unfortunately, the other 62 percent do.

The survey even found distinct differences in the psychology of users who are diligent with their online credentials versus those who are less meticulous.

“Bad password behavior in Type A personalities stems from their need to be in control, whereas Type B personalities have a casual, laid-back attitude toward password security,” researchers found. “Respondents who identify as Type A personalities are more likely than Type B personalities to stay on top of password security: 77 percent put a lot of thought into password creation, compared to 67 percent of Type B. And Type A users consider themselves informed about password best practices (76 percent) over Type B users (68 percent).”

Lastly, 72 percent feel well informed on password best practices, but 64 percent of those also prefer a password that’s easy to remember, and they admitted they always choose convenience over security. And while 91 percent are aware of the risks of password recycling, 58 percent mostly or always use the same password or a similar variation of that password for most of their online accounts.

It’s important to give your passwords a refresh every once in a while, as you never know what data breach caused your personal data to leak onto the dark web, where bad actors can use that data for extortion, phishing scams, ransomware, or fraud.

And while a trusted AV solution limits the attack surface for cybercrooks, it’s still your duty – and your duty only – to keep your login credentials safe from prying eyes.

State Machine Testing with Echidna

Property-based testing is a powerful technique for verifying arbitrary properties of a program via execution on a large set of inputs, typically generated stochastically. Echidna is a library and executable I’ve been working on for applying property-based testing to EVM code (particularly code written in Solidity).

Echidna is a library for generating random sequences of calls against a given smart contract’s ABI and making sure that their evaluation preserves some user-defined invariants (e.g.: the balance in this wallet must never go down). If you’re from a more conventional security background, you can think of it as a fuzzer, with the caveat that it looks for user-specified logic bugs rather than crashes (as programs written for the EVM don’t “crash” in any conventional way).

The property-based testing functionality in Echidna is implemented with Hedgehog, a property-based testing library by Jacob Stanley. Think of Hedgehog as a nicer version of QuickCheck. It’s an extremely powerful library, providing automatic minimal testcase generation (“shrinking”), well-designed abstractions for things like ranges, and most importantly for this blog post, abstract state machine testing tools.

After reading a particularly excellent blog post by Tim Humphries (“State machine testing with Hedgehog,” which I’ll refer to as the “Hedgehog post” from now on) about testing a simple state machine with this functionality, I was curious if the same techniques could be extended to the EVM. Many contracts I see in the wild are just implementations of some textbook state machine, and the ability to write tests against that invariant-rich representation would be invaluable.

The rest of this blog post assumes at least a degree of familiarity with Hedgehog’s state machine testing functionality. If you’re unfamiliar with the software, I’d recommend reading Humphries’s blog post first. It’s also worth noting that the below code demonstrates advanced usage of Echidna’s API, and you can also use it to test code without writing a line of Haskell.

First, we’ll describe our state machine’s states, then its transitions, and once we’ve done that we’ll use it to actually find some bugs in contracts implementing it. If you’d like to follow along on your own, all the Haskell code is in examples/state-machine and all the Solidity code is in solidity/turnstile.

Step 0: Build the model

Fig. 1: A turnstile state machine

The state machine in the Hedgehog post is a turnstile with two states (locked and unlocked) and two actions (inserting a coin and pushing the turnstile), with “locked” as its initial state. We can copy this code verbatim.

data ModelState (v :: * -> *) = TLocked
                              | TUnlocked
                              deriving (Eq, Ord, Show)

initialState :: ModelState v
initialState = TLocked

However, in the Hedgehog post the effectful implementation of this abstract model was a mutable variable that required I/O to access. We can instead use a simple Solidity program.

contract Turnstile {
  bool private locked = true; // initial state is locked

  function coin() {
    locked = false;
  }

  function push() returns (bool) {
    if (locked) {
      return(false);
    } else {
      locked = true;
      return(true);
    }
  }
}

At this point, we have an abstract model that just describes the states, not the transitions, and some Solidity code we claim implements a state machine. In order to test it, we still have to describe this machine’s transitions and invariants.

Step 1: Write some commands

To write these tests, we need to make explicit how we can execute the implementation of our model. The examples given in the Hedgehog post work in any MonadIO, as they deal with IORefs. However, since EVM execution is deterministic, we can work instead in any MonadState VM.

The simplest command is inserting a coin. This should always result in the turnstile being unlocked.

s_coin :: (Monad n, MonadTest m, MonadState VM m) => Command n m ModelState
s_coin = Command (\_ -> Just $ pure Coin)
                 -- Regardless of initial state, we can always insert a coin
  (\Coin -> cleanUp >> execCall ("coin", []))
  -- Inserting a coin is just calling coin() in the contract
  -- We need cleanUp to chain multiple calls together
  [ Update $ \_ Coin _ -> TUnlocked
    -- Inserting a coin sets the state to unlocked
  , Ensure $ \_ s Coin _ -> s === TUnlocked
    -- After inserting a coin, the state should be unlocked
  ]

Since the push function in our implementation returns a boolean value we care about (whether or not pushing “worked”), we need a way to parse EVM output. execCall has type MonadState VM => SolCall -> m VMResult, so we need a way to check whether a given VMResult is true, false, or something else entirely. This turns out to be pretty trivial.

match :: VMResult -> Bool -> Bool
match (VMSuccess (B s)) b = s == encodeAbiValue (AbiBool b)
match _ _ = False

Now that we can check the results of pushing, we have everything we need to write the rest of the model. As before, we’ll write two Commands, modeling pushing while the turnstile is locked and unlocked, respectively. Pushing while locked should fail and leave the turnstile locked. Pushing while unlocked should succeed and result in the turnstile becoming locked.

s_push_locked :: (Monad n, MonadTest m, MonadState VM m) => Command n m ModelState
s_push_locked = Command (\s -> if s == TLocked then Just $ pure Push else Nothing)
                        -- We can only run this command when the turnstile is locked
  (\Push -> cleanUp >> execCall ("push", []))
  -- Pushing is just calling push()
  [ Require $ \s Push -> s == TLocked
    -- Before we push, the turnstile should be locked
  , Update $ \_ Push _ -> TLocked
    -- After we push, the turnstile should be locked
  , Ensure $ \before after Push b -> do before === TLocked
                                        -- As before
                                        assert (match b False)
                                        -- Pushing should fail
                                        after === TLocked
                                        -- As before
  ]

s_push_unlocked :: (Monad n, MonadTest m, MonadState VM m) => Command n m ModelState
s_push_unlocked = Command (\s -> if s == TUnlocked then Just $ pure Push else Nothing)
                          -- We can only run this command when the turnstile is unlocked
  (\Push -> cleanUp >> execCall ("push", []))
  -- Pushing is just calling push()
  [ Require $ \s Push -> s == TUnlocked
    -- Before we push, the turnstile should be unlocked
  , Update $ \_ Push _ -> TLocked
    -- After we push, the turnstile should be locked
  , Ensure $ \before after Push b -> do before === TUnlocked
                                        -- As before
                                        assert (match b True)
                                        -- Pushing should succeed
                                        after === TLocked
                                        -- As before
  ]

If you can recall the image from Step 0, you can think of the states we enumerated there as the shapes and the transitions we wrote here as the arrows. Our arrows are also equipped with some rigid invariants about the conditions that must be satisfied to make each state transition (that’s our Ensure above). We now have a language that totally describes our state machine, and we can simply describe how its statements compose to get a Property!

Step 2: Write a property

This composition is actually fairly simple: we just tell Echidna to execute our actions sequentially, and since the invariants are captured in the actions themselves, that’s all that’s required to test! The only thing we need now is the actual subject of our testing, which, since we work in any MonadState VM, is just a VM, which we can parametrize the property on.

prop_turnstile :: VM -> Property
prop_turnstile v = property $ do
  actions <- forAll $ Gen.sequential (Range.linear 1 100) initialState
    [s_coin, s_push_locked, s_push_unlocked]
  -- Generate between 1 and 100 actions, starting with a locked (model) turnstile
  evalStateT (executeSequential initialState actions) v
  -- Execute them sequentially on the given VM.

You can think of the above code as a function that takes an EVM state and returns a Hedgehog-checkable assertion that it implements our (Haskell) state machine definition.

Step 3: Test

With this property written, we’re ready to test some Solidity! Let’s spin up ghci to check this property with Echidna.

λ> (v,_,_) <- loadSolidity "solidity/turnstile/turnstile.sol" -- set up a VM with our contract loaded
λ> check $ prop_turnstile v -- check that the property we just defined holds
  ✓ passed 10000 tests.
True
λ>

It works! The Solidity we wrote implements our model of the turnstile state machine. Echidna evaluated 10,000 random call sequences without finding anything wrong.

Now, let’s find some failures. Suppose we initialize the contract with the turnstile unlocked, as below. This should be a pretty easy failure to detect, since it’s now possible to push successfully without putting a coin in first.

We can just slightly modify our initial contract as below:

contract Turnstile {
  bool private locked = false; // initial state is unlocked

  function coin() {
    locked = false;
  }

  function push() returns (bool) {
    if (locked) {
      return(false);
    } else {
      locked = true;
      return(true);
    }
  }
}

And now we can use the exact same ghci commands as before:

λ> (v,_,_) <- loadSolidity "solidity/turnstile/turnstile_badinit.sol"
λ> check $ prop_turnstile v
  ✗ failed after 1 test.

       ┏━━ examples/state-machine/StateMachine.hs ━━━
    49 ┃ s_push_locked :: (Monad n, MonadTest m, MonadState VM m) => Command n m ModelState
    50 ┃ s_push_locked = Command (\s -> if s == TLocked then Just $ pure Push else Nothing)
    51 ┃   (\Push -> cleanUp >> execCall ("push", []))
    52 ┃   [ Require $ \s Push -> s == TLocked
    53 ┃   , Update $ \_ Push _ -> TLocked
    54 ┃   , Ensure $ \before after Push b -> do before === TLocked
    55 ┃                                         assert (match b False)
       ┃                                         ^^^^^^^^^^^^^^^^^^^^^^
    56 ┃                                         after === TLocked
    57 ┃ ]

       ┏━━ examples/state-machine/StateMachine.hs ━━━
    69 ┃ prop_turnstile :: VM -> property
    70 ┃ prop_turnstile v = property $ do
    71 ┃   actions <- forAll $ Gen.sequential (Range.linear 1 100) initialState
    72 ┃   [s_coin, s_push_locked, s_push_unlocked]
       ┃   │ Var 0 = Push
    73 ┃   evalStateT (executeSequential initialState actions) v

    This failure can be reproduced by running:
    > recheck (Size 0) (Seed 3606927596287211471 (-1511786221238791673))

False
λ>

As we’d expect, our property isn’t satisfied. The first time we push it should fail, as the model thinks the turnstile is locked, but it actually succeeds. This is exactly the result we expected above!

We can try the same thing with some other buggy contracts as well. Consider the below Turnstile, which doesn’t lock after a successful push.

contract Turnstile {
  bool private locked = true; // initial state is locked

  function coin() {
    locked = false;
  }

  function push() returns (bool) {
    if (locked) {
      return(false);
    } else {
      return(true);
    }
  }
}

Let’s use those same ghci commands one more time:

λ> (v,_,_) <- loadSolidity "solidity/turnstile/turnstile_nolock.sol"
λ> check $ prop_turnstile v
  ✗ failed after 4 tests and 1 shrink.

       ┏━━ examples/state-machine/StateMachine.hs ━━━
    49 ┃ s_push_locked :: (Monad n, MonadTest m, MonadState VM m) => Command n m ModelState
    50 ┃ s_push_locked = Command (\s -> if s == TLocked then Just $ pure Push else Nothing)
    51 ┃   (\Push -> cleanUp >> execCall ("push", []))
    52 ┃   [ Require $ \s Push -> s == TLocked
    53 ┃   , Update $ \_ Push _ -> TLocked
    54 ┃   , Ensure $ \before after Push b -> do before === TLocked
    55 ┃                                         assert (match b False)
       ┃                                         ^^^^^^^^^^^^^^^^^^^^^^
    56 ┃                                         after === TLocked
    57 ┃  ]

       ┏━━ examples/state-machine/StateMachine.hs ━━━
    69 ┃ prop_turnstile :: VM -> property
    70 ┃ prop_turnstile v = property $ do
    72 ┃   [s_coin, s_push_locked, s_push_unlocked]
       ┃   │ Var 0 = Coin
       ┃   │ Var 1 = Push
       ┃   │ Var 3 = Push
    73 ┃   evalStateT (executeSequential initialState actions) v

    This failure can be reproduced by running:
    > recheck (Size 3) (Seed 133816964769084861 (-8105329698605641335))

False
λ>

When we insert a coin then push twice, the second should fail. Instead, it succeeds. Note that in all these failures, Echidna finds the minimal sequence of actions that demonstrates the failing behavior. This is because of Hedgehog’s shrinking features, which provide this behavior by default.

More broadly, we now have a tool that will accept arbitrary contracts (that implement the push/coin ABI), check whether they implement our specified state machine correctly, and return a minimal falsifying counterexample if they do not. As a Solidity developer working on a turnstile contract, I can run this on every commit and get a simple explanation of any regression that occurs.
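The property the post checks with Hedgehog, re-created as an added example in Go (this is not Echidna’s code, and it re-creates the technique rather than its Haskell API): the abstract model, a constructed in-memory stand-in for the three turnstile contracts above, seeded random Coin/Push sequences, and a simplified shrink that reduces a failing run to the same minimal counterexamples the post shows.

```go
package main

import (
	"fmt"
	"math/rand"
)

// ModelState mirrors the post's abstract model.
type ModelState int

const TLocked, TUnlocked ModelState = 0, 1

// Action is one of the two turnstile commands.
type Action string

const Coin, Push Action = "Coin", "Push"

// Turnstile is a constructed stand-in for the three Solidity variants in the post.
type Turnstile struct {
	locked        bool
	lockAfterPush bool
}

func (t *Turnstile) coin() { t.locked = false }

func (t *Turnstile) push() bool {
	if t.locked {
		return false
	}
	t.locked = t.lockAfterPush // the "nolock" variant never relocks
	return true
}

// stepModel is the abstract transition: the push result the model expects
// (meaningless for Coin) and the next model state, as in the post's Update/Ensure.
func stepModel(s ModelState, a Action) (bool, ModelState) {
	if a == Coin {
		return false, TUnlocked // s_coin: a coin always unlocks
	}
	if s == TLocked {
		return false, TLocked // s_push_locked: push must fail and stay locked
	}
	return true, TLocked // s_push_unlocked: push must succeed and relock
}

// runSequence plays the actions on a fresh implementation; false on the first Ensure violation.
func runSequence(newImpl func() *Turnstile, actions []Action) bool {
	impl, state := newImpl(), TLocked
	for _, a := range actions {
		var want bool
		want, state = stepModel(state, a)
		if a == Coin {
			impl.coin()
		} else if impl.push() != want {
			return false
		}
	}
	return true
}

// shrink deletes single actions while the sequence still fails (a simplified Hedgehog shrink).
func shrink(newImpl func() *Turnstile, actions []Action) []Action {
	for i := 0; i < len(actions); {
		cand := append(append([]Action{}, actions[:i]...), actions[i+1:]...)
		if len(cand) > 0 && !runSequence(newImpl, cand) {
			actions, i = cand, 0
			continue
		}
		i++
	}
	return actions
}

// checkTurnstile is the counterpart of prop_turnstile: random sequences of 1..maxLen
// actions from a seeded generator; returns the shrunk counterexample, or nil if all pass.
func checkTurnstile(newImpl func() *Turnstile, tests, maxLen int, seed int64) []Action {
	rng := rand.New(rand.NewSource(seed))
	for n := 0; n < tests; n++ {
		seq := make([]Action, 1+rng.Intn(maxLen))
		for i := range seq {
			seq[i] = []Action{Coin, Push}[rng.Intn(2)]
		}
		if !runSequence(newImpl, seq) {
			return shrink(newImpl, seq)
		}
	}
	return nil
}

func main() {
	for _, v := range []struct {
		name           string
		locked, relock bool
	}{{"turnstile.sol", true, true}, {"turnstile_badinit.sol", false, true}, {"turnstile_nolock.sol", true, false}} {
		mk := func() *Turnstile { return &Turnstile{locked: v.locked, lockAfterPush: v.relock} }
		fmt.Printf("%-22s counterexample: %v\n", v.name, checkTurnstile(mk, 10000, 100, 1))
	}
}
```

The correct variant yields no counterexample, the bad-init variant shrinks to [Push], and the no-lock variant to [Coin Push Push], matching the ghci runs above.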

Concluding Notes

Hopefully the above presents a motivating example for testing with Echidna. We wrote a simple description of a state machine, then tested four different contracts against it; each case yielded either a minimal proof the contract did not implement the machine or a statement of assurance that it did.

If you’d like to try implementing this kind of testing yourself on a canal lock, use this exercise we wrote for a workshop.

Permission slip: what consent means and where it really applies to GDPR

As data protection and privacy professionals, we use terms from data protection legislation daily and they roll off the tongue as if we were born knowing what the words mean. The problem is, GDPR contains words that have both a legal meaning and a different semantic meaning.

Talking with consumers and clients, I realise that we must temper our language carefully. As practitioners, we understand the legal meaning and frequently we don’t account for clients only understanding the semantic meaning.

You say consent, I say ‘consent’

The domain of GDPR where I have felt this disparity most strongly is with the legal instrument referred to in the GDPR as ‘consent’. Beyond GDPR’s ‘consent as legal basis for processing data’, many other forms of consent exist in our society. I recently gave a talk to a group of executives on GDPR and when I discussed ‘consent’ as a legal basis for processing, one individual in the audience noted how horrified he was that Ireland was reducing the age of consent from 16 to 13. Realising his confusion, I quickly reaffirmed that the ‘consent’ I was referring to was as a legal instrument for certain types of processing such as e-marketing – and no other kind.

Recent media coverage of the Ulster Rugby players trial made me realise how clear we must be with clients and others when expressing ourselves about ‘consent’. So, if you aren’t doing so already, I encourage you to explain to your clients not just the differences between consent and the other legal instruments in the GDPR, but the actual meaning of consent under GDPR.

Consent and permission ≠ the same

The second issue is that I so frequently encounter people who do not understand ‘consent’ in GDPR terms and who confuse it with ‘consent’ in its literal sense.

It is an understandable confusion, as consent in its literal sense means ‘permission for something to happen or agreement to do something’. In GDPR, consent can only be provided and revoked from processing that is undertaken using consent as the legal basis for processing. I have found that organisations (and data subjects) often discuss how they will facilitate ‘revoking consent’ from processing of information that is processed under a legal basis other than consent.

Lawful bases for processing data

Elizabeth Denham, the UK Information Commissioner, summarised this issue succinctly when she noted that headlines about consent often lack context or understanding about all the different lawful bases that organisations will have for processing personal information under the GDPR. For processing to be lawful under the GDPR, at least one lawful basis is required.

Consider the following examples: a government body processing property tax information; banks sharing data for fraud protection purposes; or insurance companies processing claims information. All these examples require a different lawful basis for processing personal information that isn’t ‘consent’. Each legal instrument has its own set of requirements. If the legal basis for processing is, for example, legitimate interest, the GDPR outlines a completely different set of requirements. In such cases, you do not need consent. This also means that the rules for ‘consent’, such as positive affirmative opt-ins, and freedom to change preferences etc. are only mandatory for consent-based processing.

With less than a month to go until GDPR, some organisations may still be grappling with the issue of ‘consent’ and the related implications for data processing under a misunderstanding of the meaning and where it applies. For our part, privacy professionals can help by being completely clear in how we communicate – while watching for signs that our intended audience understands what we mean. The regulation will be with us for a long time to come after 25 May. It is always worthwhile to ensure privacy policies apply ‘consent’ only where it’s legally necessary to do so.

The post Permission slip: what consent means and where it really applies to GDPR appeared first on BH Consulting.

What to do after a data breach: 5 steps to minimize risk

It happened again. Another major web service lost control of its database, and now you’re scrambling to stay ahead of the bad guys. As much as we hate them, data breaches are here to stay. The good news is they don’t have to elicit full-blown panic no matter how sensitive the pilfered data might be. There are usually some very simple steps you can take to minimize your exposure to the potential threat.

Here’s how.

Step 1: Determine the damage

The first thing to figure out is what the hackers took. If they got your username and password, for example, there’s little point in alerting your credit card company.

Why securing containers and microservices is a challenge

Containers are a small, fast, and easy-to-set-up way to deploy and run software across different computing environments. By holding an application’s complete runtime environment, including libraries, binaries, and configuration files, platform and infrastructure are abstracted, allowing the application to run more or less anywhere. Containers are available from all the major cloud providers as well as in on-premises data centers and hybrid clouds. Plus, they can save companies a lot of money.

Who’s who in the Zoo

ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind the operation infect Android devices using several generations of malware, with the attackers including new features in each iteration. We label them from v1-v4, with v4 being the most recent version deployed in 2017. From the technical point of view, the evolution of ZooPark has shown notable progress: from the very basic first and second versions, the commercial spyware fork in its third version and then to the complex spyware that is version 4. This last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware.

Evolution of ZooPark malware features

We have observed two main distribution vectors for ZooPark – Telegram channels and watering holes. The second one was the preferred vector: we found several news websites that had been hacked by the attackers to redirect visitors to a download site that serves malicious APKs. Some of the themes observed in the campaign include “Kurdistan referendum”, “TelegramGroups” and “Alnaharegypt news”, among others.

The target profile has evolved over the last years of the campaign, focusing on victims in Egypt, Jordan, Morocco, Lebanon and Iran.

If you would like to learn more about our intelligence reports or request more information on a specific report, contact us at: intelreports@kaspersky.com.

Read the full “Who’s who in the Zoo. Cyberespionage operation targets Android users in the Middle East.” report

Microsoft Issues Emergency Patch For Critical Flaw In Windows Containers

Just a few days prior to its monthly patch release, Microsoft released an emergency patch for a critical vulnerability in the Windows Host Compute Service Shim (hcsshim) library that could allow remote attackers to run malicious code on Windows computers. Windows Host Compute Service Shim (hcsshim) is an open source library that helps "Docker for Windows" execute Windows Server containers.

COURSE LAUNCH: Penetration Testing Professional version 5 – PTPv5

We are launching the Penetration Testing Professional training course version 5 (PTPv5), the best way to learn Professional Pentesting skills, on May 22 2018.

Penetration Testing Professional version 5

Find out why Penetration Testing Professional version 5 – PTPv5 is the best way to learn Professional Penetration Testing skills, see the complete syllabus and of course take part in an exciting live demonstration during this launch Webinar on May 22nd. Special deals and prizes are waiting for all attendees, so please invite your friends and colleagues too.


Win PTPv5 for Free

To make your start in IT security even easier, we decided to give every attendee of this live webinar the option to get a free PTSv3. This Penetration Testing Student training course covers all the prerequisites to start with the newly launching PTPv5. 2 lucky winners will also get their hands on the brand-new PTPv5 training course in the Full or Elite Edition for free. The winners will be picked from all attendees and announced during the webinar along with special deals and prizes for everyone! Register for the webinar below:

Register for the launch webinar HERE

See you on May 22 2018, 1:00pm ET.

CVE-2018-10689 (blktrace)

blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel and Android, has a buffer overflow in the dev_map_read function in btt/devmap.c because the device and devno arrays are too small, as demonstrated by an invalid free when using the btt program with a crafted file.

New Pluralsight Course: JavaScript Security Play by Play

Presently sponsored by: Netsparker - a scalable and dead accurate web application security solution. Scan thousands of web applications within just hours.

Ah JavaScript, the answer to - and cause of - all our problems on the web today! Just kidding, jQuery has solved all our JS problems now...

But seriously, JS is a major component of so much of what we build online these days and as with our other online things, the security posture of it is enormously important to understand. Recently, I teamed up with good mate and fellow Pluralsight author Aaron Powell who spends his life writing JS things. We spoke about managing auth tokens, identity persistence across sessions, service workers, CORS, third party libraries (and their vulnerabilities), client side validation considerations, anti-forgery tokens and much, much more. This is a 1 hour and 13 minute "Play by Play" so it's Aaron and I talking to the camera whilst doing demos. It's easily consumable content and we reckon it came out great!

So that's the course in a nutshell, "Play by Play: JavaScript Security" is now live!

BTW - fun fact: Aaron was responsible for introducing me to the folks at Pluralsight back in 2012 which ultimately led to many courses and my independence from corporate life and indeed, life as I know it today. Thanks mate, I owe you a beer 🍺