Daily Archives: May 10, 2018

Keep Your Mum Safe This Mother’s Day!

On my first Mother’s Day 21 years ago, I received a pair of gorgeous fluffy pink slippers. Last year – it was a sleek shiny green Fitbit! Technology has absolutely transformed our gift giving and Mother’s Day is no exception.

The rising popularity of internet connected gifts means many lucky mums will receive a glossy new device on Mother’s Day. It may be a digital home assistant, a fitness tracker or even a big new Smart TV. Whatever it is, we must understand the potential risks involved when giving or receiving an internet enabled device. Because we don’t want to put our mums (or our families) at risk.

But don’t let this change your shopping plans! Like anything in life, if you’re prepared you can minimise the risks and avoid getting caught out by cyber threats. So, here is the low-down on threats posed by some of the more popular gifts this Mother’s Day and tips on how to protect against them.

Digital Home Assistants

Regardless of which brand you might choose, a digital assistant can be a massive help for any busy mum. Whether it's reading the kids a bedtime story or a recipe while you cook, or setting timers – it’s the closest thing many mums can get to another set of hands!

However, there are risks associated with these mother’s helpers. If your home assistant is hacked, your personal information, including your bank account details or even your identity, could be put at risk. And as the device is ‘always on’, your personal assistant can listen to and record what is being said around your house – a definite privacy issue.

What to Do to Stay Safe

  • Protecting your Home Wi-Fi is an essential step to ensuring your home assistant is secure. Solutions such as McAfee’s Secure Home Platform, available soon on D-Link routers, will secure all your devices that connect to your Home Wi-Fi, including your home assistant. So, you have protection and peace of mind.
  • Always change the manufacturer’s default password when setting up the Wi-Fi and ensure you create a complex, unique one instead. A combination of lower and upper-case letters, numbers and special characters is ideal.
  • Don’t allow your home assistant to store your private information. I also advise against allowing your home assistant to store passwords, credit card data, or any of your contact information.

Fitness Trackers

A wearable fitness tracker might be at the top of your mum’s wish list this Mother’s Day. But there are some surprisingly worrying security risks surrounding the popular gift that she should be aware of.

Researchers have found it is possible to crack PINs and passwords by hacking into the motion sensors to track hand movements. Additional research shows that the encryption offered by wearable fitness tracker manufacturers is quite easily intercepted. This means all your personal data stored on the device can easily be hacked. And while info like your calorie intake and step count may not seem valuable to a hacker, information like where you worked out and how long you were away from home can paint a very valuable picture of who you are!

What to Do to Stay Safe

  • Keep your fitness tracker up-to-date. Just like with any connected device, as soon as software updates become available, download them immediately to prevent cyber criminals from hacking your device.
  • Set up your fitness tracker and any associated online accounts with an obscure user name and unique passwords, that are completely unrelated to any of your other accounts.
  • Read the Privacy Policy of the device or app you are considering buying. Make sure you are comfortable with the company’s commitment to protecting your data.
  • Consider disabling certain features of the fitness tracker if you feel that your privacy may be jeopardised.

Smart TVs

Whilst buying mum a smart TV would certainly make her feel spoilt this Mother’s Day, they can come with a more sinister side. In March 2017, news emerged that it may be possible to hack into smart TVs to spy on users. Since then, several critical vulnerabilities have been found in Vestel firmware, which is used in more than 30 popular TV brands. These vulnerabilities could be easily leveraged to spy on smart TV users through the microphones and cameras.

What to Do to Stay Safe

  • Buy smart TVs with security in mind. When purchasing a smart TV, it’s always important to do your homework and read up on any current vulnerabilities.
  • Secure your home’s internet at the source. Smart TVs, like all connected devices, must connect to a home Wi-Fi network to run. If they’re vulnerable, they could expose your network as a whole. Since it can be challenging to lock down all the IoT devices in a home, again a solution like McAfee Secure Home Platform can provide protection at the router-level.

If you are shopping online for mum, please remember to keep your guard up. Only shop from secure websites where the URL begins with ‘https://’ and a lock icon appears in the address bar. NEVER, EVER shop using unsecured Wi-Fi. It can leave you vulnerable to all sorts of nasty attacks and your private information may be hacked by a third party.

Finally, and most importantly, don’t forget to thank your wonderful mum for everything she has done for you. A handwritten card with a few lines of thanks is extremely powerful!!

Happy Mother’s Day!!

Alex xx


The post Keep Your Mum Safe This Mother’s Day! appeared first on McAfee Blogs.

Encryption Is Only as Strong as Your Password

In recent months, the encryption debate has heated up once again. Most recently, some shock waves were sent across the industry when ThreatWire reported a new tool, known as GrayKey, which could decrypt the latest versions of the iPhone. Fortunately, that tool is only available to law enforcement agencies… for now. The point to be […]… Read More

The post Encryption Is Only as Strong as Your Password appeared first on The State of Security.

NBlog May 11 – mind remapped

Yesterday I was wrestling with different ways to view and structure the topic on Post-It Notes. Today, a breakthrough!


We are not totally out of the weeds yet as the diagram is too "busy" for non-specialist audiences, but it won't be hard to simplify.  The incident management aspects need more work too.

The professionals' awareness and training seminar, plus accompanying briefing, will explain the diagram a section at a time, slide-by-slide building up the whole glorious picture.

For the management audience, a simpler version will emphasize the governance, strategic, management and business aspects.

For general staff, another simple version will emphasize their perspectives, the things they need to know - once we figure out what they are!

New law would stop Feds from demanding encryption backdoor

The Secure Data Act has returned and is lookin' for love

US lawmakers from both major political parties came together on Thursday to reintroduce a bill that, if passed, would prohibit the American government from forcing tech product makers to undermine the security of their wares.…

CVE-2018-10982 (debian_linux, xen)

An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (unexpectedly high interrupt number, array overrun, and hypervisor crash) or possibly gain hypervisor privileges by setting up an HPET timer to deliver interrupts in IO-APIC mode, aka vHPET interrupt injection.


Google Releases Security Update for Chrome

Original release date: May 10, 2018

Google has released Chrome version 66.0.3359.170 for Windows, Mac, and Linux. This version addresses vulnerabilities, one of which a remote attacker could exploit to take control of an affected system.

NCCIC encourages users and administrators to review the Chrome Releases page and apply the necessary update.


Survey Finds Most Financial Firms Unprepared for Looming GDPR Deadline

With only a few weeks until the European Union’s General Data Protection Regulation (GDPR) goes into effect, many businesses are finding themselves at risk of missing the deadline and facing hefty fines. According to a recent study conducted by Cordium and AmberGate, more than 50 percent of investment firms globally are unlikely to be ready […]… Read More

The post Survey Finds Most Financial Firms Unprepared for Looming GDPR Deadline appeared first on The State of Security.

CVE-2018-3612 (ayaplcel.86a, bios, bnkbl357.86a, ccsklm30.86a, ccsklm5v.86a, dnkbli30.86a, dnkbli5v.86a, dnkbli7v.86a, fybyt10h.86a, gkaplcpx.86a, kyskli70.86a, mkkbli5v.86a, mkkbly35.86a, mybdwi30.86a, mybdwi5v.86a, rybdwi35.86a, syskli35.86a, tybyt10h.86a)

Intel NUC kits with insufficient input validation in system firmware, potentially allows a local attacker to elevate privileges to System Management Mode (SMM).

CVE-2018-3649 (dual_band_wireless-ac_3160, dual_band_wireless-ac_3165, dual_band_wireless-ac_3168, dual_band_wireless-ac_7260, dual_band_wireless-ac_7265, dual_band_wireless-ac_8260, dual_band_wireless-ac_8265, dual_band_wireless-n_7260, dual_band_wireless-n_7265, tri-band_wireless-ac_17265, tri-band_wireless-ac_18260, tri-band_wireless-ac_18265, wireless-ac_9260, wireless-ac_9461, wireless-ac_9462, wireless-ac_9560, wireless-n_7260, wireless-n_7265)

DLL injection vulnerability in the installation executables (Autorun.exe and Setup.exe) for Intel's wireless drivers and related software in Intel Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC family of products allows a local attacker to cause escalation of privilege via remote code execution.

CVE-2018-1118 (linux_kernel)

Linux kernel vhost since version 4.8 does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.


An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions between states of a request.



Zero-day flaw exploited in targeted attacks is fixed by Microsoft

This month's Patch Tuesday bundle of updates from Microsoft included a fix for a critical vulnerability that has been actively exploited by at least one hacking gang in targeted attacks.

The post Zero-day flaw exploited in targeted attacks is fixed by Microsoft appeared first on The State of Security.

LookingGlass Acquires Goldman Sachs SIEM Threat Intelligence Platform


MSSP Alert, Dan Kobialka, May 7, 2018

LookingGlass Cyber Solutions, a threat protection solutions provider, has acquired Goldman Sachs’ Sentinel threat intelligence platform for an undisclosed sum.

Goldman Sachs also has become a strategic investor in LookingGlass, according to a prepared statement. In addition, Rana Yared, managing director of Goldman Sachs’ principal strategic investments (PSI) group, has joined LookingGlass’ board of directors.

Sentinel is Goldman Sachs’ in-house security information and event management (SIEM) platform. It facilitates the ingestion, extraction and organizational workflow of cyber threat intelligence in the financial services industry, LookingGlass said, and has enabled Goldman Sachs to amplify its security analyst team’s efforts to address a wide range of cyber threats.

The Sentinel acquisition supports LookingGlass’ vision to create a centralized cyber intelligence orchestration and workflows platform, the company indicated. LookingGlass also will continue to develop and commercialize the technology behind Sentinel.

LookingGlass will incorporate Sentinel into its Automated Data Services, threat intelligence platforms, Threat Intelligence-as-a-Service solutions and network-based threat response platforms, the company noted. Furthermore, Sentinel complements the LookingGlass ScoutPrime security management command center’s visibility and situational awareness capabilities.

What Is LookingGlass?

LookingGlass offers unified threat protection solutions to safeguard enterprises and government organizations against cyber threats. The company provides threat intelligence platforms and network-based threat response products that use machine-readable data to help organizations analyze and mitigate cyberattacks.

Also, LookingGlass delivers the Cyber Guardian Program for MSSPs, solution providers, systems integrators (SIs) and original equipment manufacturers (OEMs). The Cyber Guardian Program provides LookingGlass partners with access to the company’s threat intelligence solutions and services, joint business planning support and various tools and resources.

Meanwhile, LookingGlass recently has made several moves to accelerate its channel growth.

The company last month partnered with Tech Mahindra, an Indian MSSP and IT consulting firm. Tech Mahindra now provides LookingGlass’ Threat Intelligence-as-a-Service solutions to more than 885 customers globally.

LookingGlass in November appointed Michael Taxay as its chief risk officer and general counsel and Jeremy Haas as its chief security officer. Taxay, a former member of the FBI Cyber Division’s senior leadership team, serves as LookingGlass’ primary legal advisor. Haas, a cybersecurity expert who has held roles at the Central Intelligence Agency (CIA) and U.S. Air Force, leads LookingGlass’ internal cybersecurity strategy and supports the development of the company’s threat detection and mitigation products.


Source: https://www.msspalert.com/cybersecurity-news/lookingglass-acquires-goldman-sachs-threat-intelligence-platform/

The post LookingGlass Acquires Goldman Sachs SIEM Threat Intelligence Platform appeared first on LookingGlass Cyber Solutions Inc.

Meet Sunder, a New Way to Share Secrets

The moment a news organization is given access to highly sensitive materials—such as the Panama Papers, the NSA disclosures or the Drone Papers—the journalist and their source may be targeted by state and non-state actors, with the goal of preventing disclosures. How can whistleblowers and news organizations prepare for the worst?

The Freedom of the Press Foundation is requesting public comments and testing of a new open source tool that may help with this and similar use cases: Sunder, a desktop application for dividing access to secret information between multiple participants.

Sunder is not yet ready for high stakes use cases. It has not been audited and is alpha-quality software. We are looking for early community feedback, especially from media organizations, activists, and nonprofits.

While Sunder is a new tool that aims to make secret-sharing easy to use, the underlying cryptographic algorithm is far from novel: Shamir's Secret Sharing was developed in 1979 and has since found many applications in security tools. It divides a secret into parts, where some or all parts are needed to reconstruct the secret. This enables the conditional delegation of access to sensitive information. The secret could be social media account credentials, or the passphrase to an encrypted thumb drive, or the private key used to log into a server.

Sunder is currently available for Mac and Linux, and in source code form. See the documentation for installation and usage instructions. We also invite you to complete a short survey which will influence the future direction of this tool.

If you are interested in getting involved in development, we welcome your contributions! Please especially take a look at issues marked "easy" or "docs". Sunder is based on the open source RustySecrets library, which is also open to new contributors.

[Figure: Sunder screenshot. Sunder allows you to divide a secret into shares, a certain number of which are required to reconstruct it.]

How could Sunder be useful for journalists, activists and whistleblowers?

Until a quorum of participants agrees to combine their shares (the number is configurable, e.g., 5 out of 8), the individual parts are not sufficient to gain access, even by brute force methods. This property makes it possible to use Sunder in cases where you want to disclose a secret only if certain conditions are met.
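To make the threshold property concrete, here is an added worked example of Shamir's Secret Sharing over a prime field (it is not Sunder's or RustySecrets' code; the function names, the field prime and the 5-of-8 passphrase scenario are assumptions for illustration). It splits a passphrase into 8 shares, recovers it from any 5, and shows that 4 shares yield a value unrelated to the secret.

```python
import secrets

# Arithmetic is done modulo a large prime so that every set of points has a
# unique interpolating polynomial; 2**521 - 1 (a Mersenne prime) leaves room
# for secrets of up to 65 bytes, e.g. a drive passphrase.
PRIME = 2**521 - 1


def passphrase_to_int(passphrase: str) -> int:
    """Encode a text secret as a field element (must be < PRIME)."""
    value = int.from_bytes(passphrase.encode("utf-8"), "big")
    if value >= PRIME:
        raise ValueError("secret too long for this field")
    return value


def int_to_passphrase(value: int) -> str:
    """Inverse of passphrase_to_int (text never starts with NUL bytes,
    so no leading zero bytes are lost in the round trip)."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode("utf-8")


def _eval_poly(coeffs, x, p=PRIME):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret: int, threshold: int, n: int, p=PRIME):
    """Return n shares (x, y), any `threshold` of which reconstruct secret.

    The secret is the constant term of a random polynomial of degree
    threshold - 1; each share is one point on that polynomial.
    """
    if not 1 <= threshold <= n:
        raise ValueError("need 1 <= threshold <= n")
    if not 0 <= secret < p:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def combine_shares(shares, p=PRIME) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With fewer than `threshold` shares this still returns *a* value, but
    that value is uniformly distributed over the field: the shares carry
    no information about the secret, which is why brute force does not help.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


if __name__ == "__main__":
    # Constructed scenario: a drive passphrase split 5-of-8 across eight
    # news organisations, as in the adverse-event example in the post.
    secret = passphrase_to_int("correct horse battery staple")
    shares = split_secret(secret, threshold=5, n=8)
    print("any five shares recover it:",
          int_to_passphrase(combine_shares(shares[2:7])))
    print("four shares recover it:", combine_shares(shares[:4]) == secret)
```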

The most frequently cited example is disclosure upon an adverse event. Let's say an activist's work is threatened by powerful interests. She provides access to an encrypted hard drive that contains her research to multiple news organizations. Each receives a share of the passphrase, under the condition that they only combine the shares upon her arrest or death, and that they take precautions to protect the shares until then.

Secret sharing can also be used to protect the confidentiality of materials over a long running project. An example would be a documentary film project accumulating terabytes of footage that have to be stored safely. By "sundering" the key to an encrypted drive containing archival footage, the filmmaking team could reduce the risk of accidental or deliberate disclosure.

But most importantly, we want to hear what you think. Please give Sunder a spin by downloading one of the releases and following the documentation, and please take our survey!


As noted above, Sunder is still alpha quality software. It's very possible that this version has bugs and security issues, and we do not recommend it for high stakes use cases. Indeed, Sunder and the underlying library have not received a third party audit yet.

Furthermore, any secret sharing implementation is only as robust as the operational security around it. If you distribute or store shares in a manner that can be monitored by an adversary (e.g., online without the use of end-to-end encryption) this could compromise your security.


For inquiries, please contact us at sunder@freedom.press.


Sunder was primarily developed by Gabe Isman and Garrett Robinson. Conor Schaefer has acted as a maintainer and release manager; Lilia Kai recently also joined the project as a maintainer. RustySecrets was developed by the RustySecrets team. Conversations between Ed Snowden and Frederic Jacobs were the original impetus for the project.

Internet Explorer zero-day: browser is once again under attack

In late April, two security companies (Qihoo360 and Kaspersky) independently discovered a zero-day for Internet Explorer (CVE-2018-8174), which was used in targeted attacks for espionage purposes. This marks two years since a zero-day has been found (CVE-2016-0189 being the latest one) in the browser that won’t die, despite efforts from Microsoft to move on to the more modern Edge.

The vulnerability exists in the VBScript engine and how it handles memory objects. It also affects IE11, even though VBScript is no longer supported there, because the engine can still be loaded by using the compatibility tag for IE10.

The attack came via a Word document making use of OLE autolink objects to retrieve the exploit and shellcode from a remote server. However, it is important to note that it could very well have been executed by visiting a website instead.

One reason it was not used as a drive-by download attack may be that Internet Explorer is no longer the default browser for most people, so the exploitation would never occur. However, by tricking their victims into opening an Office document, the attackers can force Internet Explorer to load, thanks in part to the URL moniker “feature.”

Using rtfdump.py, we see the call for an HTTP connection:

python rtfdump.py -s 320 -H CVE-2018-8174.rtf

000014C0: 70 B2 86 8C 53 30 05 43 00 38 30 01 18 68 00 74 p...S0.C.80..h.t
000014D0: 00 74 00 70 00 3A 00 2F 00 2F 00 61 00 75 00 74 .t.p.:././.a.u.t
000014E0: 00 6F 00 73 00 6F 00 75 00 6E 00 64 00 63 00 68 .o.s.o.u.n.d.c.h
000014F0: 00 65 00 63 00 6B 00 65 00 72 00 73 00 2E 00 63 .e.c.k.e.r.s...c
00001500: 00 6F 00 6D 00 2F 00 73 00 32 00 2F 00 73 00 65 .o.m./.s.2./.s.e
00001510: 00 61 00 72 00 63 00 68 00 2E 00 70 00 68 00 70 .a.r.c.h...p.h.p
00001520: 00 3F 00 77 00 68 00 6F 00 3D 00 37 00 00 00 00 .?.w.h.o.=.7....
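The dump shows the URL stored as UTF-16LE inside the hex-encoded OLE object data. As an added example (not Malwarebytes' or rtfdump's code), the following triage script decodes every `\objdata` hex run in an RTF and pulls out such URLs, flagging documents that pair them with an `\objautlink` object; the sample RTF is constructed here with a placeholder domain, and the function names are assumptions.

```python
import binascii
import re

# Constructed sample, not the real malicious RTF: an OLE autolink object
# whose \objdata hex carries a UTF-16LE URL, the same encoding the
# rtfdump output above shows. The domain is a placeholder.
def _build_sample_rtf(url: str) -> str:
    payload = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"\x00" * 8
               + url.encode("utf-16-le") + b"\x00\x00")
    hexdata = binascii.hexlify(payload).decode("ascii")
    # real documents wrap the hex over many lines; do the same here
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi{\\object\\objautlink"
            "{\\*\\objclass Word.Document.8}"
            "{\\*\\objdata " + wrapped + "}}}")


SAMPLE_RTF = _build_sample_rtf("http://example.invalid/s2/search.php?who=7")
BENIGN_RTF = "{\\rtf1\\ansi Hello, world.}"

# the hex payload of every \objdata group (hex digits, possibly wrapped)
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
# http:// or https:// followed by printable characters, all UTF-16LE encoded
UTF16_URL_RE = re.compile(
    rb"[hH]\x00[tT]\x00[tT]\x00[pP]\x00(?:[sS]\x00)?:\x00/\x00/\x00"
    rb"(?:[\x21-\x7e]\x00)+")


def objdata_blobs(rtf_text: str):
    """Decode each \\objdata hex run back into the embedded OLE bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf_text):
        hexdigits = re.sub(r"\s+", "", m.group(1))
        if len(hexdigits) % 2:          # tolerate a stray trailing nibble
            hexdigits = hexdigits[:-1]
        blobs.append(binascii.unhexlify(hexdigits))
    return blobs


def utf16_urls(blob: bytes):
    """Return URLs stored as UTF-16LE inside an OLE payload."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_URL_RE.finditer(blob)]


def scan_rtf(rtf_text: str) -> dict:
    """Triage an RTF: does it carry autolinked OLE objects, and which
    remote URLs do their payloads reference?"""
    blobs = objdata_blobs(rtf_text)
    urls = [u for blob in blobs for u in utf16_urls(blob)]
    autolink = "\\objautlink" in rtf_text
    return {
        "objects": len(blobs),
        "autolink": autolink,
        "urls": urls,
        "suspicious": autolink and bool(urls),
    }


if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
    print(scan_rtf(BENIGN_RTF))
```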

This remote request will download a VBS script. A Proof of Concept adapted from the blog that was published by Kaspersky can be seen below:

The flaw behind this vulnerability relates to a reference count that is checked at the beginning of the function but not afterwards, even though it can be incremented along the way. This allows an attacker to execute malicious shellcode and eventually load the malware binary of his choice.

We tested this Use After Free (UAF) vulnerability with the publicly available PoC running Internet Explorer 11 under Windows 10. The browser crashes once it loads the VBS code, but with Malwarebytes, the attack vector is mitigated:

Microsoft has released a patch for this vulnerability, and we strongly advise applying it, as it is just a matter of time before other threat actors start leveraging this new opportunity in spam or exploit kit campaigns.

We will update this blog if we obtain more information about this vulnerability being used widely, and in particular, if a full working exploit is available.

The post Internet Explorer zero-day: browser is once again under attack appeared first on Malwarebytes Labs.

IDG Contributor Network: The 3 hidden costs of incident response

Even for well-run security organizations, justifying expenditures can be difficult.

Sometimes it takes a significant event – the proverbial learning moment – before security teams see a needed increase in budget for staff, training and tools. This happens because it’s straightforward to analyze the costs to a business stemming from a breach that causes an outage, loss of data, or even adversely impacts a stock price.

However, there are many hidden costs to cybersecurity. Sometimes these are overlooked because they are harder to quantify but illuminating these costs can go a long way to helping justify security budgets. In the process, we hope we avoid a disastrous incident and the high cost of a breach altogether.


CVE-2018-1115 (postgresql)

postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension: the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs as pg_rotate_logfile. If the adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation.


5 Questions to Ask to Determine SIEM Readiness

Are you ready for a SIEM (security information and event management) solution? It’s a question that’s top of mind for many security professionals today. A SIEM is a powerful tool that will analyze security and threat-related data from numerous sources, but your organization must have certain underlying, foundational security in place to maximize its potential.

As Splunk professional services consultants, we’ve found that security process maturity can be a significant barrier to getting the most out of a SIEM. In this post, we examine five considerations to take into account when determining your organization’s SIEM readiness.

This post is an excerpt from our new e-book, “Are You Ready for a SIEM?” You can access the full version of the e-book here.

Triage Security Alerts Rapidly

A SIEM significantly increases visibility into vulnerabilities, deviant behavior, and critical security threats. It can do this because it correlates logs that were previously held in siloed data stores (the various security point solutions throughout the enterprise). More data sources, plus correlation of that data, let security analytics eliminate blind spots and detect threats much more quickly.

This improved availability of data and data correlation ensures more rapid triage of security incidents. This enables:

  • Faster mean time to resolution for security incidents.
  • Increased volume of incidents a security team can investigate.
  • More time for proactive threat hunting activities.

Despite the clear benefits that a SIEM delivers to significantly enhance an organization’s security posture, not every organization is ready to deploy a SIEM.

Let’s examine five questions to determine if you are ready for a SIEM.

1. What problem(s) are you trying to solve?

You must understand the security use cases that you want to address prior to deploying a SIEM. Just as important, how many security use cases are you trying to address? If you are only trying to solve one problem — for instance, gaining visibility into Windows security event logs — a SIEM would be overkill. If you have many security use cases to address and already bring in a larger set of source data, a SIEM starts to make much more sense.

2. How large is your security team?

An organization with a smaller security team, or no security team in place, would be crushed by a SIEM. Managing the generation and investigation of alerts could overwhelm a smaller team. This will increase the risk that these alerts — many of which will be critical — will become “white noise” and may eventually be ignored.

On the other hand, if you have a team of security analysts (or a SOC) in place to handle events and tune the system, it makes much more sense to have a SIEM.

3. What security tools are currently in place?

A SIEM primarily aggregates and correlates data from other sources. The more security tools that an organization is using, the greater the benefit of the SIEM to provide end-to-end monitoring via the correlation of data from these various point solutions. Organizations with limited or incomplete security data sets — for instance, just firewalls, antivirus, and Active Directory (account activity) data — will not realize as many benefits from a SIEM as organizations with additional security tools (and data sources) in place such as vulnerability scanners, network intrusion detection, packet sniffers, threat intelligence sources, or password crackers. Organizations with all of these tools in place would gain tremendous value from the correlation a SIEM can provide.

4. How security focused is your company?

Risk reduction, compliance, and the creation of a more secure organization come down to culture. This is driven at the executive level and cascades down through leadership to the staff level. When your security team needs to install monitoring software on someone else’s equipment (developers’ application servers, network infrastructure, user desktops, etc.), do they get pushback? Is the request met with a lack of urgency? An uncooperative culture makes a SIEM deployment, while certainly not impossible, much more difficult. Conversely, a security-focused culture where everyone works together to meet overall organization security goals can drive the success and value of a SIEM deployment.

5. Are your security policies well defined and documented?

The foundation of IT security is the existence of proper security policies. Rules that are built into a SIEM tool and the subsequent actions taken by security professionals are driven by underlying security policy. In other words, these policies feed into security tools, including your SIEM. What are the most sensitive targets in your environment? What are the most accessible or likely targets? Your security policies should be designed to defend your business priorities. A successful SIEM takes these priorities and makes them actionable. If it is a priority to prevent unauthorized access to information, your SIEM should monitor for brute force attempts, impossible travel logins, or terminated user logins. Without a security policy in place, actionable rules can’t be built into a SIEM tool, including downstream responses.
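The three rule types named above, turned into runnable detection logic as an added example (not Aditum's, Splunk's or Recorded Future's code): a brute-force rule on failed logins per source, an impossible-travel rule on successive successful logins, and a terminated-user rule. The login events, thresholds and the terminated-user list are all constructed for illustration.

```python
import math
from datetime import datetime, timedelta

# Constructed sample login events (not real data): user, UTC timestamp,
# source IP, geolocation of the source and whether the login succeeded.
EVENTS = [
    {"user": "alice", "ts": "2018-05-10T08:00:00", "src": "203.0.113.5", "lat": 51.5, "lon": -0.12, "ok": True},
    {"user": "alice", "ts": "2018-05-10T08:40:00", "src": "198.51.100.9", "lat": 40.7, "lon": -74.0, "ok": True},
    {"user": "bob", "ts": "2018-05-10T09:00:00", "src": "192.0.2.44", "lat": 37.8, "lon": -122.4, "ok": False},
    {"user": "bob", "ts": "2018-05-10T09:00:20", "src": "192.0.2.44", "lat": 37.8, "lon": -122.4, "ok": False},
    {"user": "bob", "ts": "2018-05-10T09:00:40", "src": "192.0.2.44", "lat": 37.8, "lon": -122.4, "ok": False},
    {"user": "bob", "ts": "2018-05-10T09:01:00", "src": "192.0.2.44", "lat": 37.8, "lon": -122.4, "ok": False},
    {"user": "bob", "ts": "2018-05-10T09:01:20", "src": "192.0.2.44", "lat": 37.8, "lon": -122.4, "ok": False},
    {"user": "carol", "ts": "2018-05-10T10:00:00", "src": "203.0.113.7", "lat": 51.5, "lon": -0.12, "ok": True},
]
# Constructed HR feed: accounts that should already be disabled.
TERMINATED_USERS = {"carol"}


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on the Earth, in km."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed logins inside `window`."""
    failures = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            failures.setdefault(e["src"], []).append(_parse(e["ts"]))
    alerts = []
    for src, times in failures.items():
        # sliding window over the chronologically ordered failures
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(src)
                break
    return alerts


def impossible_travel(events, max_kmh=900.0):
    """Successful logins by one user whose implied travel speed between
    consecutive locations exceeds `max_kmh`. Returns (user, km, km/h)."""
    last = {}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            continue
        prev = last.get(e["user"])
        if prev is not None:
            hours = (_parse(e["ts"]) - _parse(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            # km > max_kmh * hours also catches two distant logins at the
            # same instant, where a division would blow up
            if km > max_kmh * hours:
                alerts.append((e["user"], km, km / hours if hours else math.inf))
        last[e["user"]] = e
    return alerts


def terminated_logins(events, terminated):
    """Successful logins by accounts that HR says were terminated."""
    return [(e["user"], e["ts"]) for e in events if e["ok"] and e["user"] in terminated]


if __name__ == "__main__":
    print("brute force:", brute_force(EVENTS))
    print("impossible travel:", impossible_travel(EVENTS))
    print("terminated user logins:", terminated_logins(EVENTS, TERMINATED_USERS))
```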

Would you like to learn more about SIEM readiness and which tools are best for your organization’s maturity level? Download your complimentary copy of “Are You Ready for a SIEM?”

Bill Ouellette and Jon Papp

Bill Ouellette is a professional services consultant at Aditum. Jon Papp is Aditum’s professional services manager.

The post 5 Questions to Ask to Determine SIEM Readiness appeared first on Recorded Future.


Bypassing Mitigations by Attacking JIT Server in Microsoft Edge

Posted by Ivan Fratric, Project Zero

With Windows 10 Creators Update, Microsoft introduced a new security mitigation in Microsoft Edge: Arbitrary Code Guard (ACG). When ACG is applied to a Microsoft Edge Content Process, it makes it impossible to allocate new executable memory within a process or modify existing executable memory. The goal of this is to make it more difficult for an attacker who already gained some capabilities in the browser’s Content Process to execute arbitrary code.

Since modern web browsers rely on Just-In-Time (JIT) compilation of JavaScript to achieve better performance and the code compilation in JIT is incompatible with ACG, a custom solution was needed to enable ACG in Microsoft Edge: The JIT engine was separated from the Edge Content Process into a separate, JIT Process.

We analyzed ACG and tried to answer the question of how useful this mitigation is going to be in preventing an attacker from exploiting Microsoft Edge. Additionally, we examined the implementation of the JIT server and uncovered multiple issues in it (that have been fixed at the time of publishing this). While the paper focuses on Microsoft Edge, we believe that any other attempt to implement out-of-process JIT would encounter similar problems. Thus we hope that this work would be useful for other vendors who might consider employing similar mitigations.

We published the result of this work in a whitepaper that can be found here. All related materials (tools, PoC code) can be found here.

The final compliance countdown: Are you ready for GDPR?

On May 25, the General Data Protection Regulation (GDPR) will replace the Data Protection Directive as the new standard on data privacy for all organizations that do business with European Union (EU) citizens.[1] When GDPR goes into effect, government agencies and organizations that control, maintain, or process information involving EU citizens will be required to comply with strict new rules regarding the protection of personal customer data.

GDPR’s broad scope and holistic interpretation of personal information leaves these agencies and organizations responsible for protecting a wide range of data types, including genetic and biometric data.[2] Leading up to the GDPR rollout, many companies will be reevaluating their current data storage and sharing methods, and determining whether they need to implement new strategies. More than ever, this regulatory transition highlights the importance of prioritizing a strong and comprehensive security stance within your organization.

According to a recent GDPR benchmarking survey, although 89 percent of organizations have (or plan to have) a formal GDPR-readiness program, only 45 percent have completed a readiness assessment.[3] Regardless of where your organization and its security protocols are in terms of GDPR-readiness, Microsoft can help. Microsoft has been working on GDPR-compliant business and engineering solutions for the better part of a year. Because of our extensive experience developing products with security built in, we've been a leading voice on privacy and GDPR-related issues with EU regulators.

We've turned these conversations and insights into a free, four-part video series. Watch the Countdown: Preparing for GDPR series today to hear from industry experts and learn more about Microsoft's commitment to helping your organization achieve GDPR compliance.

You can also read more about our point of view on this transition as the first hyper-scale cloud vendor to offer GDPR terms and conditions in the enterprise space.

Finally, you are invited to a free May 25th GDPR live webcast, Safeguarding individual privacy rights with the Microsoft Cloud. You'll learn how you can:

  • Use GDPR fundamentals to assess and manage your compliance risk.
  • Help protect your customers’ data with our built-in, intelligent security capabilities.
  • Meet your own compliance obligations by streamlining your processes.

[1] https://www.eugdpr.org

[2] https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html

[3] https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-nwe-gdpr-benchmarking-survey-november-2017.pdf

Data Breach Statistics Q1 2018: Disclosure Times Remain High as Total Numbers Fall

Data breaches are down year-over-year. As noted by Infosecurity Magazine, almost 1.4 billion records were exposed in 686 breaches reported between Jan. 1 and March 31 this year.

As eye-popping as those numbers are, they represent a big improvement from 2017, when 1,442 incidents exposed a total of 3.4 billion records. In addition, tax phishing attempts for W-2 data fell from 214 attacks last year to just 31 in 2018.

Despite the downward trends in data breach statistics, however, new research revealed that disclosure remains a trouble spot for organizations, especially in light of upcoming regulations. Despite year-to-year improvement, according to Computer Weekly, the average time between incident and disclosure is still more than five weeks.

Digging Into Data Breach Statistics

As Help Net Security reported, 2018 is off to a relatively secure start, at least in terms of data breach statistics. The recent spike in cryptocurrency value may provide an explanation: Crypto-mining malware, which leverages unused central processing unit (CPU) cycles to dig for digital currency, saw a significant boost at the beginning of this year, which could account for the shift away from traditional breach methods that may attract more attention from IT security professionals.

In general, however, the nature of data breaches has not changed significantly over the past 12 months. According to Risk Based Security’s “Q1 2018 Data Breach QuickView Report,” fraud remains the top breach type compromising the most records (1.27 billion) while unauthorized access held its spot as the most common breach cause. Skimming, inadvertent disclosure, phishing and malware rounded out the top five, just as they did in 2017.

Data Breach Disclosure Times Remain High

According to the Risk Based Security report, the average time between data breach detection and disclosure is decreasing. In 2015, it took companies 82.6 days on average to disclose a breach. By 2017, this figure was cut nearly in half to 42.7 days, and it dropped even further to 37.9 days in the first quarter of 2018, showing a trend of continuous improvement over the last four years.

The challenge is that, as noted by the Computer Weekly piece, upcoming data privacy regulations include disclosure timelines. The General Data Protection Regulation (GDPR), for example, imposes a 72-hour notification rule for data breaches. Despite the encouraging year-to-year progress in the effort to reduce breach disclosure times, organizations still have a long way to go to meet this requirement.

The Risk Based Security report noted that Q1 2018 has been “the quietest first quarter for breach activity since 2012.” While some trends, such as the move to crypto-mining malware and away from W-2 phishing, help account for these numbers, the researchers identified no underlying pattern, suggesting that these data breach statistics are likely to evolve throughout the rest of the year.

The post Data Breach Statistics Q1 2018: Disclosure Times Remain High as Total Numbers Fall appeared first on Security Intelligence.

What is PCI Compliance?

Sucuri aims at keeping the internet safe. That is why we are so keen on informing our customers of potential threats. We have posted many articles regarding ecommerce security breaches that steal credit card information, as well as the risks for ecommerce site owners.

There can be many dangers when purchasing through a website, and with so many cyber threats attacking ecommerce platforms and payment gateways, it’s more important than ever to reassure your customers by implementing and maintaining Payment Card Industry (PCI) Compliance.

Continue reading What is PCI Compliance? at Sucuri Blog.

Patch Tuesday problems, fixes — but no cause for immediate alarm

Results are starting to roll in about this month’s Patch Tuesday, and it’s quite a mixed bag. For those of you struggling with the new Windows 10 April 2018 Update, version 1803, there’s good news and bad news. The hand wringing about a new VBScript zero-day, thanks to our good old friend baked-in Internet Explorer, looks overblown for now. And if you can’t get RDP working because of “An authentication error has occurred” messages, you missed the memo.

Windows 10 version 1803

First, the good news. As I anticipated earlier this week, this month’s cumulative update for 1803 is a must-have, warts and all. The new build 17134.48 replaces the old 17134.1 (which went to those who installed 1803 directly or fell into the seeker trap) and the old 17134.5 (for those upgrading with the Windows Insider builds). As Susan Bradley explains, 17134.48 claims to fix both the Chrome and Cortana freeze, as well as a major VPN bug.

Millennials Play a Key Role in Solving the Cybersecurity Skills Shortage

Millennials and post-millennials play a key role in solving the cybersecurity skills shortage now and in the future, according to a recent survey.

While the survey participants revealed a deep understanding of technology and computing, they also showed a lack of awareness around key cybersecurity issues. The authors of the report noted that those knowledge gaps can serve as opportunities for the security industry to recruit members of this tech-savvy generation for cybersecurity careers.

A Life Molded by Technology

The survey found that millennials and post-millennials could thrive in cybersecurity because they grew up with smartphones, digital tablets and other modern technologies. Twenty-seven percent of respondents classified themselves as technology innovators while 41 percent identified as early adopters of technology.

These viewpoints shaped many of the survey participants’ future plans. For example, 23 percent of high school-age individuals said they were interested in pursuing computer science and technology in college, while 18 percent plan to study science and math and 15 percent aspire to major in engineering.

Many respondents also expressed an interest in pursuing technology-related careers. One-third reported intentions to go into video game development, 21 percent said they are interested in software development and 15 percent would like to enter the engineering field.

Millennials Lack Awareness About Cybersecurity Careers

For the study, cloud security provider ProtectWise commissioned Enterprise Strategy Group (ESG) to survey 524 millennials and post-millennials in the U.S. Their responses suggested a general lack of awareness among those age groups about IT security as a career path.

When asked whether they’d consider a career in cybersecurity, just 9 percent responded affirmatively, and 37 percent of participants said they were not interested in the security field because they did not know enough about it. Others cited a lack of technical aptitude (28 percent), requisite education (21 percent) and professional certifications (15 percent).

The report asserted that a lack of exposure was most likely to blame for this unfamiliarity with cybersecurity. Sixty-nine percent of survey participants said they’d never taken a class in cybersecurity, and 65 percent admitted that their schools never offered such a course. In addition, only 17 percent of millennials and post-millennials reported ever having met a cybersecurity professional.

Addressing the Cybersecurity Skills Shortage

James Condon, director of threat research and analysis at ProtectWise, said that millennials, particularly women, could be the key to solving the talent shortage if they knew more about security.

“The … concerns expressed by millennials and post-millennials would seemingly be addressed by providing earlier exposure to information security learning opportunities,” Condon wrote. He also pointed out that the “vast majority” of respondents did not reject the prospect of pursuing a cybersecurity career outright.

To help close the skills gap, Condon advised cybersecurity organizations to build partnerships with schools to create early learning opportunities for students, such as after-school security programs.

The post Millennials Play a Key Role in Solving the Cybersecurity Skills Shortage appeared first on Security Intelligence.

CVE-2018-10706 (social_chain)

An integer overflow in the transferMulti function of a smart contract implementation for Social Chain (SCA), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets, aka the "multiOverflow" issue.

CVE-2018-10973 (koreashow)

An integer overflow in the transferMulti function of a smart contract implementation for KoreaShow, an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets via crafted _value parameters.


In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCTL 0x00222050.


In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCTL 0x00222100.


In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCTL 0x00222104.


In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCTL 0x002220E4.

Rockwell Automation FactoryTalk Activation Manager

This advisory was posted originally to the HSIN ICS-CERT library on April 12, 2018, and is being released to the NCCIC/ICS-CERT website. This advisory contains mitigations for cross-site scripting, and improper restriction of operations within the bounds of a memory buffer vulnerabilities in Rockwell Automation’s FactoryTalk Activation Manager products.

Enhancing Office 365 Advanced Threat Protection with detonation-based heuristics and machine learning

Email, coupled with reliable social engineering techniques, continues to be one of the primary entry points for credential phishing, targeted attacks, and commodity malware like ransomware and, increasingly in the last few months, cryptocurrency miners.

Office 365 Advanced Threat Protection (ATP) uses a comprehensive and multi-layered solution to protect mailboxes, files, online storage, and applications against a wide range of threats. Machine learning technologies, powered by expert input from security researchers, automated systems, and threat intelligence, enable us to build and scale defenses that protect customers against threats in real-time.

Modern email attacks combine sophisticated social engineering techniques with malicious links or non-portable executable (PE) attachments like HTML or document files to distribute malware or steal user credentials. Attackers use non-PE file formats because these can be easily modified, obfuscated, and made polymorphic. These file types allow attackers to constantly tweak email campaigns to try slipping past security defenses. Every month, Office 365 ATP blocks more than 500,000 email messages that use malicious HTML and document files that open a website with malicious content.

Figure 1. Typical email attack chain

Detonation-based heuristics and machine learning

Attackers employ several techniques to evade file-based detection of attachments and blocking of malicious URLs. These techniques include multiple redirections, large dynamic and obfuscated scripts, HTML tag manipulation, and others.

Office 365 ATP protects customers from unknown email threats in real-time by using intelligent systems that inspect attachments and links for malicious content. These automated systems include a robust detonation platform, heuristics, and machine learning models.

Detonation in controlled environments exposes thousands of signals about a file, including behaviors like dropped and downloaded files, registry manipulation for persistence and for storing stolen information, outbound network connections, etc. The volume of detonated threats translates to millions of signals that need to be inspected. To scale protection, we employ machine learning technologies to sort through this massive amount of information and determine a verdict for analyzed files.

Machine learning models examine detonation artifacts along with various signals from the following:

  • Static code analysis
  • File structure anomaly
  • Phish brand impersonation
  • Threat intelligence
  • Anomaly-based heuristic detections from security researchers

Figure 2. Classifying unknown threats using detonation, heuristics, and machine learning

Our machine learning models are trained to find malicious content using hundreds of thousands of samples. These models use raw signals as features with small modifications to allow for grouping signals even when they occur in slightly different contexts. To further enhance detection, some models are built using three-gram models that use raw signals sorted by timestamps recorded during detonation. The three-gram models tend to be more sparse than raw signals, but they can act as mini-signatures that can then be scored. These types of models fill in some of the gaps, resulting in better coverage, with little impact to false positives.
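The three-gram idea above, as an added example that is not Microsoft's code: timestamped detonation signals are sorted, cut into three-grams, and the grams that occur only in malicious detonations become weighted mini-signatures that score a new log. The signal names, timestamps, samples and weighting are all constructed for illustration.

```python
"""Added example (not Microsoft's code): three-gram "mini-signatures" over
timestamp-sorted detonation signals. All signal names, timestamps and
samples below are constructed for illustration."""
from collections import Counter
from typing import Dict, List, Tuple

Gram = Tuple[str, str, str]

# Constructed detonation logs: "<ms since detonation start> <signal> [detail]".
# Lines are deliberately not in time order, since events from several monitors
# (process, file, registry, network) typically arrive interleaved.
MALICIOUS_SAMPLES = [
    """1200 file.write %TEMP%\\w.exe
       0100 proc.start winword.exe
       0350 macro.enable
       0400 proc.spawn powershell.exe
       0900 net.connect 203.0.113.7:80
       1500 proc.exec %TEMP%\\w.exe
       1800 reg.set HKCU\\...\\Run""",
    """0100 proc.start excel.exe
       0300 macro.enable
       0500 proc.spawn cmd.exe
       1100 file.write %APPDATA%\\svc.exe
       1300 proc.exec %APPDATA%\\svc.exe
       1400 reg.set HKCU\\...\\Run""",
]
BENIGN_SAMPLES = [
    """0100 proc.start winword.exe
       0400 file.read report.docx
       0800 net.connect 198.51.100.4:443
       0900 file.write report.docx""",
    """0100 proc.start excel.exe
       0200 macro.enable
       0600 file.read budget.xlsm
       0700 file.write budget.xlsm""",
]


def parse_log(text: str) -> List[Tuple[int, str]]:
    """Parse '<ts> <signal> [detail]' lines into (ts, signal) pairs.
    Keeping only the signal name (not the file name or host) is the small
    generalisation that lets the same behaviour match across samples."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) >= 2:
            events.append((int(parts[0]), parts[1]))
    return events


def three_grams(events: List[Tuple[int, str]]) -> List[Gram]:
    """Sort by timestamp, then slide a window of three over the signal names."""
    names = [name for _, name in sorted(events)]
    return [tuple(names[i:i + 3]) for i in range(len(names) - 2)]


def build_signatures(malicious: List[str], benign: List[str]) -> Dict[Gram, float]:
    """Mini-signatures: grams seen in malicious detonations but never in benign
    ones, weighted by the share of malicious samples they appear in. Note that
    'macro.enable' on its own is not a signature (it occurs in a benign sample);
    only its sequence context is."""
    benign_grams = {g for s in benign for g in three_grams(parse_log(s))}
    hits: Counter = Counter()
    for sample in malicious:
        for g in set(three_grams(parse_log(sample))):
            if g not in benign_grams:
                hits[g] += 1
    return {g: n / len(malicious) for g, n in hits.items()}


def score(text: str, signatures: Dict[Gram, float]) -> float:
    """Sum the weights of the mini-signatures matched by one detonation log."""
    return sum(signatures.get(g, 0.0) for g in set(three_grams(parse_log(text))))


def verdict(text: str, signatures: Dict[Gram, float], threshold: float = 1.0) -> str:
    """Constructed decision rule: one strong gram or two weak ones is enough."""
    return "malicious" if score(text, signatures) >= threshold else "benign"


if __name__ == "__main__":
    sigs = build_signatures(MALICIOUS_SAMPLES, BENIGN_SAMPLES)
    for sample in MALICIOUS_SAMPLES + BENIGN_SAMPLES:
        print(round(score(sample, sigs), 2), verdict(sample, sigs))
```

A log the model has never seen, with different file names and a different spawned interpreter, still scores on the shared sequence context, which is the point of dropping the argument from each signal.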

Machine learning can capture and expose even uncommon threat behavior by using several technologies and dynamic featurization. Features like image similarity matching, domain reputation, web content extraction, and others enable machine learning to effectively separate malicious or suspicious behavior from the benign.

Figure 3. Machine learning expands on traditional detection capabilities

Over time, as our systems automatically process and make a verdict on millions of threats, these machine learning models will continue to improve. In the succeeding sections, we'll describe some interesting malware and phishing campaigns detected recently by Office 365 ATP machine learning models.

Phishing campaigns: Online banking credentials

One of the most common types of phishing attack uses HTML and document files to steal online banking credentials. Gaining access to online bank accounts is one of the easiest ways that attackers can profit from illicit activities.

The email messages typically mimic official correspondence from banks. Phishers have become very good at crafting phishing emails. They can target global banks but also localize email content for local banks.

The HTML or document attachments are designed to look like legitimate sign-in pages or forms. Online banking credentials and other sensitive information entered into these files or websites are sent to attackers. Office 365's machine learning models detect this behavior, among other signals, to determine that such attachments are malicious and block offending email messages.

Figure 4. Sample HTML files that mimic online banking sign-in pages.

Phishing campaigns: Cloud storage accounts

Another popular example of phishing campaigns uses HTML or document attachments to steal cloud storage or email account details. The email messages imply that the recipient has received a document hosted in a cloud storage service. In order to supposedly open the said document, the recipient has to enter the cloud storage or email user name and password.

This type of phishing is very rampant because gaining access to either email or cloud storage opens a lot of opportunities for attackers to access sensitive documents or compromise the victim's other accounts.

Figure 5. Sample HTML files that pose as cloud storage sign-in pages.

Tax-themed phishing and malware attacks

Tax-themed social engineering attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules. These campaigns use various messages related to tax filing to convince users to click a link or open an attachment. The social engineering messages may say the recipient is eligible for a tax refund, confirm that a tax payment has been completed, or declare that payments are overdue, among others.

For example, one campaign intercepted by Office 365 ATP using machine learning implied that the recipient has not completed tax filing and is due for penalty. The campaign targeted taxpayers in Colombia, where tax filing ended in October. The email message aimed to alarm taxpayers by suggesting that they have not filed their taxes.

Figure 6. Tax-themed email campaign targeting taxpayers in Colombia. The subject line translates to: You have been fined for not filing your income tax returns

The attachment is a .rar file containing an HTML file. The HTML file contains the logo of Dirección de Impuestos y Aduanas Nacionales (DIAN), Colombia's tax and customs organization, and a link to download a file.

Figure 7. Social engineering document with a malicious link

The link points to a shortened URL hxxps://bit[.]ly/2IuYkcv that redirects to hxxp://dianmuiscaingreso[.]com/css/sanci%C3%B3n%20declaracion%20de%20renta.doc, which downloads a malicious document.

Figure 8: Malicious URL information

The malicious document carries downloader macro code. When it is opened, Microsoft Word issues a security warning. The document contains instructions to click "Enable content", which executes the embedded malicious VBA code.

Figure 9: Malicious document with malicious macro code

If the victim falls for this social engineering attack, the macro code downloads and executes a file from hxxp://dianmuiscaingreso.com/css/w.jpg. The downloaded executable file (despite the file name) is a file injector and password-stealing malware detected by Windows Defender AV as Trojan:Win32/Tiggre!rfn.

Because Office 365 ATP machine learning detects the malicious attachment and blocks the email, the rest of the attack chain is stopped, protecting customers at the onset.

Artificial intelligence in Office 365 ATP

As threats rapidly evolve and become increasingly complex, we continuously invest in expanding capabilities in Office 365 Advanced Threat Protection to secure mailboxes from attacks. Using artificial intelligence and machine learning, Office 365 ATP can constantly scale coverage for unknown and emerging threats in real time.

Office 365 ATP's machine learning models leverage Microsoft's wide network of threat intelligence, as well as seasoned threat experts who have a deep understanding of malware, cyberattacks, and attacker motivation, to combat a wide range of attacks.

This enhanced protection from Office 365 ATP contributes to and enriches the integrated Microsoft 365 threat protection, which provides an intelligent, integrated, and secure solution for the modern workplace. Microsoft 365 combines the benefits and security technologies of the Office 365, Windows, and Enterprise Mobility Suite (EMS) platforms.

Office 365 ATP also shares threat signals to the Microsoft Intelligent Security Graph, which uses advanced analytics to link threat intelligence and security signals across Office 365, the Windows Defender ATP stack of defenses, and other sensors. For example, when a malicious file is detected by Office 365 ATP, that threat can also be blocked on endpoints protected by Windows Defender ATP and vice versa. Connecting security data and systems allows Microsoft security technologies like Office 365 ATP to continuously improve threat protection, detection, and response.



Office 365 Threat Research


An issue was discovered in Free Lossless Image Format (FLIF) 0.3. The Plane function in image/image.hpp allows remote attackers to cause a denial of service (attempted excessive memory allocation) via a crafted file.


The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler through 0.64.0 allows remote attackers to cause a denial of service (infinite recursion) via a crafted PDF file, as demonstrated by pdftops.


An issue was discovered in Free Lossless Image Format (FLIF) 0.3. The TransformPaletteC::process function in transform/palette_C.hpp allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted file.

Parenting in the Digital World: a review

Before I became a new mum not so long ago, I did the best I could to prepare myself to take care of my little one by reading a lot of books. From learning how to discern (possible) meanings behind a baby’s various cries to finding out what you can and can’t feed your baby once they begin eating solids. It was tough, and I know it’ll get easier in some aspects and more difficult in others as the baby grows up. Truth is, I’m pretty much looking forward to giving “the Cyber Talk” to my little one. And “the Tech Talk.” And “the Privacy Talk.” Hey, we have to start them young, right?

At the moment, my nipper is too young to care about anything beyond Hey Duggee, so I can only imagine what parenting is like for those who have a child old enough to use a mobile device. Would they set their phone up to limit the child from opening its browser or tell them to not click buttons when certain pop-ups appear in the middle of a game?

To my dismay, Parenting in a Digital World paints the picture that many parents don’t do a great job dealing with kids and technology—especially when it comes to online safety.

While more and more parents are handing over phones to younger and younger kids, I’m surprised that the majority of parents don’t put filtering or any sort of control on these devices, forgetting that their kids can be exposed to potential risks and not knowing how to deal with them. Not only that, “accidentally” losing thousands of dollars to micro-transactions can and actually does happen to parents who don’t supervise their kids online.

Parenting in the Digital World: A Step-by-Step Guide to Internet Safety is a brilliant go-to guide for parents and guardians on how to create an online environment safe enough for their little ones to traverse. In its revised second edition, Clayton Cranford, the book’s author, touched on themes that include social media safety, the importance of privacy, managing an online reputation, and creating balance in a child’s technological life.

Read: Creating a better Internet starts now

Cranford is a leading and award-winning law enforcement professional based in California. For 20 years, he has been teaching about social media and child safety to kids and parents, and threat assessment investigation to law enforcement agencies everywhere in the United States. He has also handled numerous threat assessment cases across about 200 schools in his state.

If you’re the mum or dad who is busy with work or taking care of the second newborn and feeling overwhelmed with the thought of trying to learn about these technologies, Cranford wrote Parenting in the Digital World just for you. In less than 100 pages, you’ll get to know famous apps children use, ways to set up parenting controls for different OSes and gaming consoles, relevant security and privacy topics for conversations with your kids, and setting rules and expectations in the home about proper technology use.

I can name some things I love about Parenting in the Digital World. In the first half of the book, Cranford tells parents and guardians about the different types of social media, what are the problems with the platform, and when is an age-appropriate time for your kids to have profiles themselves. These sections also contain action plans that grown-ups can use to, say, make sure that the settings of their child’s social media profile are appropriately configured for privacy.

Cranford also sheds light on topics beyond security and privacy that parents can talk to their kids about, such as depression, body image, the consequences of making physical threats online, and even pornography. I was also quite intrigued by the Internet & Mobile Device Usage Contract, which parents can use to foster responsibility for the devices their children use and accountability for what they post online. It’s been a while since I’ve seen something similar, and I’ve always been interested in knowing how useful a working contract would be between parent and child.

The second half of the book contains detailed instructions and illustrations about all things parents may want to configure, from parental controls for the Xbox One to YouTube Safe Search and Apple iMessage Privacy.

While I wouldn’t say “no” to having this book in my personal library, I felt it should have covered other social media risks kids and teens might encounter, such as bad bots (spammers) and trolls, and perhaps a sub-section on how to recognize compromised or fake accounts. I also think it would be helpful for both kids and parents to be given pointers on how they can discern dodgy apps from legitimate ones.

Read: When trolls come in a three-piece suit

Parenting in the Digital World: A Step-by-Step Guide to Internet Safety is as comprehensive and relevant as it was since its first publication three years ago. Cranford was right: As much as there are new devices, software, and websites, the sad reality is there are just some things—bad things—that remain the same. Online sexual exploitation, cyberbullying, and harassment cannot be fought off if we don’t do something about it. Thankfully, parents and guardians can take action. After all, learning about Internet safety and securing a child’s online environment begins in the home, too.

The post Parenting in the Digital World: a review appeared first on Malwarebytes Labs.

5 Powerful Botnets Found Exploiting Unpatched GPON Router Flaws

Well, that did not take long. Within just 10 days of the disclosure of two critical vulnerabilities in GPON routers, at least 5 botnet families have been found exploiting the flaws to build an army of a million devices. Security researchers from China-based cybersecurity firm Qihoo 360 Netlab have spotted 5 botnet families, including Mettle, Muhstik, Mirai, Hajime, and Satori, making use of

CVE-2018-9849 (pulse_connect_secure)

Pulse Secure Pulse Connect Secure 8.1.x before 8.1R14, 8.2.x before 8.2R11, and 8.3.x before 8.3R5 do not properly process nested XML entities, which allows remote attackers to cause a denial of service (memory consumption and memory errors) via a crafted XML document.

CVE-2017-6293 (android)

In Android before the 2018-05-05 security patch level, NVIDIA Tegra X1 TZ contains a vulnerability in Widevine TA where the software writes data past the end, or before the beginning, of the intended buffer, which may lead to escalation of Privileges. This issue is rated as high. Android: A-69377364. Reference: N-CVE-2017-6293.

CVE-2017-6289 (android)

In Android before the 2018-05-05 security patch level, NVIDIA Trusted Execution Environment (TEE) contains a memory corruption (due to unusual root cause) vulnerability, which if run within the speculative execution of the TEE, may lead to local escalation of privileges. This issue is rated as critical. Android: A-72830049. Reference: N-CVE-2017-6289.

CVE-2018-6254 (android)

In Android before the 2018-05-05 security patch level, NVIDIA Media Server contains an out-of-bounds read (due to improper input validation) vulnerability which could lead to local information disclosure. This issue is rated as moderate. Android: A-64340684. Reference: N-CVE-2018-6254.

CVE-2018-7941 (1288h_v5_firmware, 2288h_v5_firmware, 2488_v5_firmware, ch121_v3_firmware, ch121_v5_firmware, ch121l_v3_firmware, ch121l_v5_firmware, ch140_v3_firmware, ch140l_v3_firmware, ch220_v3_firmware, ch222_v3_firmware, ch242_v3_firmware, ch242_v5_firmware, rh1288_v3_firmware, rh2288_v3_firmware, rh2288h_v3_firmware, xh310_v3_firmware, xh321_v3_firmware, xh321_v5_firmware, xh620_v3_firmware)

Huawei iBMC V200R002C60 have an authentication bypass vulnerability. A remote attacker with low privilege may craft specific messages to upload authentication certificate to the affected products. Due to improper validation of the upload authority, successful exploit may cause privilege elevation.

CVE-2018-6246 (android)

In Android before the 2018-05-05 security patch level, NVIDIA Widevine Trustlet contains a vulnerability in Widevine TA where the software reads data past the end, or before the beginning, of the intended buffer, which may lead to Information Disclosure. This issue is rated as moderate. Android: A-69383916. Reference: N-CVE-2018-6246.

CVE-2018-7933 (hirouter-cd20_firmware, ws5200_firmware)

Huawei home gateway products HiRouter-CD20 and WS5200 with the versions before HiRouter-CD20-10 1.9.6 and the versions before WS5200-10 1.9.6 have a path traversal vulnerability. Due to the lack of validation while these home gateway products install APK plugins, an attacker tricks a user into installing a malicious APK plugin, and plugin can overwrite arbitrary file of devices. Successful exploit may result in arbitrary code execution or privilege escalation.


The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable.


Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. This can be exploited through CSRF.




Huawei smart phones Mate 10 and Mate 10 Pro with earlier versions than and earlier versions than have an authentication bypass vulnerability. An attacker with high privilege who obtains the smart phone can bypass the activation function by some specific operations.


In Android before the 2018-05-05 security patch level, NVIDIA Tegra X1 TZ contains a vulnerability in Widevine TA where the software writes data past the end, or before the beginning, of the intended buffer, which may lead to escalation of Privileges. This issue is rated as high. Android: A-69377364. Reference: N-CVE-2017-6293.


In Android before the 2018-05-05 security patch level, NVIDIA Trusted Execution Environment (TEE) contains a memory corruption (due to unusual root cause) vulnerability, which if run within the speculative execution of the TEE, may lead to local escalation of privileges. This issue is rated as critical. Android: A-72830049. Reference: N-CVE-2017-6289.

Supply-Chain Security

Earlier this month, the Pentagon stopped selling phones made by the Chinese companies ZTE and Huawei on military bases because they might be used to spy on their users.

It's a legitimate fear, and perhaps a prudent action. But it's just one instance of the much larger issue of securing our supply chains.

All of our computerized systems are deeply international, and we have no choice but to trust the companies and governments that touch those systems. And while we can ban a few specific products, services or companies, no country can isolate itself from potential foreign interference.

In this specific case, the Pentagon is concerned that the Chinese government demanded that ZTE and Huawei add "backdoors" to their phones that could be surreptitiously turned on by government spies or cause them to fail during some future political conflict. This tampering is possible because the software in these phones is incredibly complex. It's relatively easy for programmers to hide these capabilities, and correspondingly difficult to detect them.

This isn't the first time the United States has taken action against foreign software suspected to contain hidden features that can be used against us. Last December, President Trump signed into law a bill banning software from the Russian company Kaspersky from being used within the US government. In 2012, the focus was on Chinese-made Internet routers. Then, the House Intelligence Committee concluded: "Based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems."

Nor is the United States the only country worried about these threats. In 2014, China reportedly banned antivirus products from both Kaspersky and the US company Symantec, based on similar fears. In 2017, the Indian government identified 42 smartphone apps that China subverted. Back in 1997, the Israeli company Check Point was dogged by rumors that its government added backdoors into its products; other of that country's tech companies have been suspected of the same thing. Even al-Qaeda was concerned; ten years ago, a sympathizer released the encryption software Mujahedeen Secrets, claimed to be free of Western influence and backdoors. If a country doesn't trust another country, then it can't trust that country's computer products.

But this trust isn't limited to the country where the company is based. We have to trust the country where the software is written -- and the countries where all the components are manufactured. In 2016, researchers discovered that many different models of cheap Android phones were sending information back to China. The phones might be American-made, but the software was from China. In 2016, researchers demonstrated an even more devious technique, where a backdoor could be added at the computer chip level in the factory that made the chips -- without the knowledge of, and undetectable by, the engineers who designed the chips in the first place. Pretty much every US technology company manufactures its hardware in countries such as Malaysia, Indonesia, China and Taiwan.

We also have to trust the programmers. Today's large software programs are written by teams of hundreds of programmers scattered around the globe. Backdoors, put there by we-have-no-idea-who, have been discovered in Juniper firewalls and D-Link routers, both of which are US companies. In 2003, someone almost slipped a very clever backdoor into Linux. Think of how many countries' citizens are writing software for Apple or Microsoft or Google.

We can go even farther down the rabbit hole. We have to trust the distribution systems for our hardware and software. Documents disclosed by Edward Snowden showed the National Security Agency installing backdoors into Cisco routers being shipped to the Syrian telephone company. There are fake apps in the Google Play store that eavesdrop on you. Russian hackers subverted the update mechanism of a popular brand of Ukrainian accounting software to spread the NotPetya malware.

In 2017, researchers demonstrated that a smartphone can be subverted by installing a malicious replacement screen.

I could go on. Supply-chain security is an incredibly complex problem. US-only design and manufacturing isn't an option; the tech world is far too internationally interdependent for that. We can't trust anyone, yet we have no choice but to trust everyone. Our phones, computers, software and cloud systems are touched by citizens of dozens of different countries, any one of whom could subvert them at the demand of their government. And just as Russia is penetrating the US power grid so they have that capability in the event of hostilities, many countries are almost certainly doing the same thing at the consumer level.

We don't know whether the risk of Huawei and ZTE equipment is great enough to warrant the ban. We don't know what classified intelligence the United States has, and what it implies. But we do know that this is just a minor fix for a much larger problem. It's doubtful that this ban will have any real effect. Members of the military, and everyone else, can still buy the phones. They just can't buy them on US military bases. And while the US might block the occasional merger or acquisition, or ban the occasional hardware or software product, we're largely ignoring that larger issue. Solving it borders on somewhere between incredibly expensive and realistically impossible.

Perhaps someday, global norms and international treaties will render this sort of device-level tampering off-limits. But until then, all we can do is hope that this particular arms race doesn't get too far out of control.

This essay previously appeared in the Washington Post.

Malware spam: "New documents available for download" / service@barclaysdownloads.co.uk / barclaysdownloads.com

This fake Barclays spam seems to lead to the Trickbot banking trojan.

From: Barclays [service@barclaysdownloads.co.uk]
Date: 10 May 2018, 13:16
Subject: New documents available for download
Signed by: barclaysdownloads.co.uk
Security: Standard encryption (TLS)

Barclays Bank PLC Has Sent You Important Account Documents to Sign
You can view the document in your Barclays

Microsoft offers 95 Percent Revenue Share to Windows App developers

Microsoft is set to entice more (non-game) developers by dangling a higher revenue split in front of them.

At the Build 2018 conference, Microsoft announced a new developer partnership under which all non-game developers will get 95% of the revenue earned from application sales. This step is presumably intended to attract more developers to build Windows apps.

What’s the drill?

Developers are eligible for the 95% revenue share only when the app is purchased via a deep link, i.e. from the developer's website. If the app is instead purchased through Microsoft's marketing or any other Microsoft service, such as a Store app collection, the developer's share drops to 85% of the revenue.

Since this new revenue scheme applies only to non-gaming apps, platforms like Xbox will follow the previous revenue plan, i.e. 30:70 in favor of devs. All other platforms, such as Windows 10, Windows 8.x and/or Windows Phone 8.x, Windows Mixed Reality, Windows Phone and Surface Hub, are included under the new revenue policy.

This change should help Microsoft compete with its rivals Google and Apple, which both offer a similar share to developers. Google follows an 85:15 split, applicable only if users stay subscribed for a minimum of 12 months, and 70:30 otherwise. Likewise, Apple gives developers 70:30 for the first 12 months and 85:15 thereafter. Now, with this increase to 95%, Microsoft seems to be taking a winning leap in the business!

In the end, this new revenue plan is definitely favorable for developers. In any case, they will be earning at least 15% more, as the basic revenue share is currently 70% on their self-built apps.

This new revenue share structure will go live later this year!

The post Microsoft offers 95 Percent Revenue Share to Windows App developers appeared first on TechWorm.

IBM bans all staff from using USB drives out of security concern

IBM is banning all removable storage, company-wide, in a new policy that seeks to avoid financial and reputational damage stemming from a misplaced or misused USB drive.

IBM global chief Information security officer Shamla Naidoo told staff in an internal e-mail that the company “is expanding the practise of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).”

Although some departments already had this policy in place for a while, “over the next few weeks we are implementing this policy worldwide,” Naidoo said, according to The Register.

The reason for the radical new policy is simple and well justified in a world laden with data breaches: “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimized,” the CISO clarified.

Avid readers will remember that Stuxnet was written to “hop” from terminal to terminal through USB drives moving between them as attack vectors. Some of the networks it targeted were air-gapped, meaning they had no direct access to the outside world. For those who fear such an event in their respective networks, Bitdefender’s USB Immunizer prevents malware from setting itself up on USB drives.

CVE-2017-2601 (jenkins)

Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.


Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in the dccp_write_xmit() function in net/dccp/output.c that allows a local user to cause a denial of service by a number of certain crafted system calls.


Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology Drive before 1.0.1-10253 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments.



Cross-site scripting (XSS) vulnerability in Notification Center in Synology Calendar before 2.1.1-0502 allows remote authenticated users to inject arbitrary web script or HTML via title parameter.


SQL injection vulnerability in UPnP DMA in Synology Media Server before 1.7.6-2842 and before 1.4-2654 allows remote attackers to execute arbitrary SQL commands via the ObjectID parameter.

Vulnerabilities in Logitech Harmony Hub Giving Adversaries Root Access to the Device

Researchers at FireEye's Mandiant Red Team recently identified four vulnerabilities in the Logitech Harmony Hub: improper certificate validation, an insecure update process, developer debug symbols and images left in the production firmware, and a blank root user password.
Chained together, these vulnerabilities give an attacker root access to the device, and from there control over the other smart home devices connected to it, for instance smart locks and connected surveillance cameras.

Joel Hopwood, in a report about the vulnerabilities posted on Friday, said that exploiting these vulnerabilities from the local system could allow an attacker to control the devices connected to the Hub and also use it as an execution space from which to attack other devices on the local network.

FireEye researchers reported the vulnerabilities to Logitech in January 2018. Logitech released a firmware update (4.15.96) on April 10 to address the findings, and public disclosure followed on May 4.

Researchers first found that the Harmony Hub ignores invalid SSL certificates, by using their own self-signed certificate to intercept the HTTPS traffic sent by the Harmony Hub.

 “The Harmony Hub sends its current firmware version to a Logitech server to determine if an update is available. If an update is available, the Logitech server sends a response containing a URL for the new firmware version. Despite using a self-signed certificate to intercept the HTTPS traffic sent by the Harmony Hub, we were able to observe this process – demonstrating that the Harmony Hub ignores invalid SSL certificates,” the researchers wrote.

They were also able to confirm that the root password of the IoT device was blank, which in turn played a major part in granting them complete control over the device once they had examined the Hub's SquashFS file system extracted from the firmware.

It was these two vulnerabilities, Hopwood later said, that made it quite easy for him to hijack the Harmony Hub through its update procedure.

 “Since we were able to previously observe what a real update process looked like, we could just simulate a false update to tell the Hub it has an update and tell it where to download the update from,” Hopwood told Threatpost. “Then we would download that resource onto the Hub with our own controlled web server that had a malicious update posted on it.”

Logitech's Harmony Hub is one of numerous insecure IoT devices – from smart thermostats to connected surveillance cameras. Smart hubs in particular extend the potential attack surface, since they act as a hub for the various connected devices across the home.
What's more, because the Harmony Hub, like many other IoT devices, uses a common processor architecture, malicious tools could easily be added to a compromised Harmony Hub, increasing the overall impact of a targeted attack, Hopwood added in his post on FireEye's official website.
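The update flow described above, written the way a defender would want it, as an added example (not FireEye's or Logitech's code): a verifying TLS context beside the "ignore certificates" one, and checks on the server's update response before anything is downloaded. The JSON response shape, the allow-listed host name, the current version "4.15.95" and the sample image bytes are constructed assumptions.

```python
"""Added example: hardened update-check client for a hub-style IoT device."""
import hashlib
import json
import ssl
from urllib.parse import urlparse

# Assumed allow-list of update hosts; the real server name is not on the page.
TRUSTED_UPDATE_HOSTS = {"updates.vendor.invalid"}


class UpdateRejected(ValueError):
    """Raised whenever any check on the update response or image fails."""


def insecure_context():
    """The weakness the researchers observed: certificate checks switched off,
    so any on-path host presenting a self-signed certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Verifying context: chain validation, host-name check, TLS 1.2 or newer.
    Pass cafile to pin the vendor's own CA instead of the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies(ctx):
    """True only if the context would reject a forged or self-signed server cert."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def _version_tuple(version):
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        raise UpdateRejected(f"unparseable version {version!r}")


def validate_update_response(raw, current_version):
    """Check the server's answer before downloading: well-formed JSON, HTTPS to an
    allow-listed host, a hex SHA-256 for the image, and a version newer than the
    running one (so a replayed old response cannot push a downgrade)."""
    try:
        resp = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise UpdateRejected(f"malformed response: {exc}")
    if not isinstance(resp, dict):
        raise UpdateRejected("response is not a JSON object")
    for key in ("version", "url", "sha256"):
        if not isinstance(resp.get(key), str):
            raise UpdateRejected(f"missing or non-string field {key!r}")
    url = urlparse(resp["url"])
    if url.scheme != "https" or url.hostname not in TRUSTED_UPDATE_HOSTS:
        raise UpdateRejected(f"refusing to fetch from {resp['url']!r}")
    digest = resp["sha256"].lower()
    if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
        raise UpdateRejected("sha256 field is not a 64-hex-digit digest")
    if _version_tuple(resp["version"]) <= _version_tuple(current_version):
        raise UpdateRejected("offered version is not newer than the running one")
    return {"version": resp["version"], "url": resp["url"], "sha256": digest}


def check_update(raw, current_version):
    """Non-raising wrapper: (True, validated dict) or (False, reason)."""
    try:
        return True, validate_update_response(raw, current_version)
    except UpdateRejected as exc:
        return False, str(exc)


def verify_image(image, expected_sha256):
    """Compare the downloaded image with the digest from the validated response.
    The digest is only trustworthy because the response arrived over a verified
    TLS connection; a production device should also check a vendor signature."""
    return hashlib.sha256(image).hexdigest() == expected_sha256.lower()


# Constructed sample data, not taken from a real Harmony Hub exchange.
SAMPLE_IMAGE = b"constructed firmware image bytes"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_IMAGE).hexdigest()
GOOD_RESPONSE = json.dumps({"version": "4.15.96",
                            "url": "https://updates.vendor.invalid/fw/4.15.96.bin",
                            "sha256": SAMPLE_DIGEST}).encode()
UNLISTED_RESPONSE = json.dumps({"version": "4.15.96",
                                "url": "http://other-host.invalid/fw.bin",
                                "sha256": SAMPLE_DIGEST}).encode()

if __name__ == "__main__":
    print(check_update(GOOD_RESPONSE, "4.15.95"))
    print(check_update(UNLISTED_RESPONSE, "4.15.95"))
    print(verify_image(SAMPLE_IMAGE, SAMPLE_DIGEST))
```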

What Matters Most During a Data Breach? How You React

The Ponemon Institute’s 2017 study on the cost of a data breach showed companies have a one in four chance of experiencing such a breach within a two-year period. In my experience working in the cybersecurity industry, I’ve seen the damage a breach can inflict firsthand. And unfortunately, this unsettling trend will continue for the foreseeable future.

Far too often, companies are more concerned about the incident itself: How did it come to fruition? How long will it last? Where did it start? The questions are seemingly endless. While these are valid concerns, the breach is only the beginning of the trouble.

It’s what happens after a data breach that causes most companies to falter. The extent of the damage largely depends on the organization’s preparedness level. According to the Ponemon study, one of the most effective ways to reduce the cost of a data breach is to implement a cybersecurity incident response plan (CSIRP).

GDPR Regulations Impact the Cost of a Data Breach

The General Data Protection Regulation (GDPR), which goes into effect on May 25, requires companies to notify users of a data breach within 72 hours. With significant financial penalties at stake, it is even more critical to develop and test your CSIRP before a breach occurs. When you’re dealing with your company’s brand and reputation, the worst time to find out your CSIRP is flawed is in the middle of an emergency.

A CSIRP is a road map to guide your response to a cyberattack:

  • It defines the roles and responsibilities of all respondents.
  • It determines who is authorized to make major decisions.
  • It outlines communication flows and notification procedures pertaining to GDPR.

A comprehensive CSIRP — that is regularly tested and updated — can help incident response teams save valuable time and resources in the event of a breach.

Learn more about intelligent threat prevention and incident response

Building a CSIRP to Contain the Damage of a Breach

The IBM X-Force Incident Response and Intelligence Services (IRIS) team has worked with hundreds of clients to prepare for and respond to security incidents. IRIS consultants have found that nearly 50 percent of the CSIRPs they’ve evaluated show no evidence of a formal document life cycle or a history of continual revisions.

IRIS experts are noted for investigating some of the world’s top security incidents. In helping clients respond to declared incidents, these experts have observed what works well in a CSIRP — and what doesn’t. IRIS can help clients evaluate and improve an existing CSIRP or build a custom plan from the ground up. It can also help security leaders develop custom tabletop exercises to test their strategy.

In the event of an incident, it’s critical to answer three key questions: What has happened? What data have the attackers accessed? How can the damage be quickly contained and remediated? A robust incident response plan is absolutely crucial for getting these answers — especially given the strict data privacy regulations coming into effect this year.

Take Action: Get Your GDPR Plan in Place


The post What Matters Most During a Data Breach? How You React appeared first on Security Intelligence.

Cut Through the Fog: Improve Cloud Visibility to Identify Shadow IT

Last summer, I journeyed to a friend’s lake house in the beautiful Berkshires of Massachusetts for a weekend of boating and fishing. Great Barrington is not too far from Boston, and I expected the road trip along the Massachusetts Turnpike to be clear and easy.

It was smooth sailing out of the gate, and I was making great time. (In fact, I was hoping to get there early enough to enjoy a Friday afternoon on the lake.) But when I was about 45 minutes away from the lake house, I encountered a dense fog that forced me to slow down. My visibility was limited to several hundred feet, and I could no longer see the extended road ahead of me.

The Enterprise Will Extend to the Cloud

Just as I was expecting a speedy arrival, today’s enterprises expect to migrate to the cloud quickly. They hope to take advantage of the dynamic efficiency of cloud computing platforms and software as a service (SaaS) applications.

However, the cloud brings with it a fog that obscures visibility into technology environments and SaaS applications. This fog leads to shadow IT, which impacts cloud security and makes it difficult to travel at speed while keeping your eyes on the road. Without adequate visibility into cloud environments, security teams cannot protect against cloud-based data breaches, malicious insiders, advanced persistent threats (APTs) and other cyberthreats.

When it comes to driving through fog in the real world, standard rules of the road include slowing down, turning on your headlights — and resisting the urge to flip on your high beams. Most importantly? Any good driving instructor will tell you to stay focused on the road, as driving through fog is no time for multitasking.

Unfortunately, these are not viable solutions for organizations competing in today’s markets. So, how can companies cut through the fog to improve overall cost efficiency, reduce IT investment, dynamically scale and deploy business services — and take advantage of cloud automation?

No Time to Slow Down

Slowing down is not an option for competitive organizations aiming to deliver innovative products and services to customers at speed. Both customers and employees demand continuous access and visibility into data. Latency problems and inhibited vision into platform resources can prevent companies from operating at full capacity. As a result, many organizations view security as an impediment to business growth and expansion. These organizations harbor valid concerns about the risks associated with deploying workloads in the cloud and procuring SaaS applications.

Shed Light on Shadow IT

It’s tempting to deploy five different solutions from five different vendors to cover all your cloud security bases, but this introduces unnecessary complexities because the disparate tools will be difficult to integrate and manage. That’s why it’s important for security leaders to weigh the pros and cons of each solution and select the one that best enables them to identify shadow IT, increase visibility and shed light on cloud application usage.

Enterprises cannot afford to place all of their security eggs in one basket either. Organizations that invest all their resources into narrowly focused solutions leave themselves vulnerable to the dynamic threat vectors that exist across business infrastructures. A single, isolated tool with a limited scope has very little to offer to a large organization with a growing cloud footprint. As complexity and diversity increase — and the enterprise continues to extend into the cloud — there is growing demand for a single security platform to provide complete enterprise protection.

Cut Through the Cloud Security Fog

The key to implementing an effective cloud security strategy is to integrate cloud tools with a cutting-edge security information and event management (SIEM) platform. Just as SaaS applications enable organizations to leverage cloud functionality and move at speed, the cloud allows threat actors to move just as quickly.

An effective cloud security strategy relies upon visibility tools integrated with an SIEM solution to quickly discover cloud threats, jump-start investigations with actionable intelligence and respond to incidents with automation.

With visibility comes clarity and the freedom to focus on the road. A single, scalable cloud security solution integrated with an SIEM platform enables enterprises to concentrate on driving business results instead of wasting time stuck in the fog of shadow IT.

Read the interactive white paper: New parity for your enterprise security

The post Cut Through the Fog: Improve Cloud Visibility to Identify Shadow IT appeared first on Security Intelligence.

Devs Find Fake Version of Bitcoin Wallet Stealing Users’ Seeds

Developers have found that a fake version of a popular Bitcoin Wallet comes equipped with the ability to steal users’ seeds. On 9 May, the Electrum team published a document on GitHub calling out “Electrum Pro” as “stealware” and “bitcoin-stealing malware.” According to the developers, the individuals behind Electrum Pro took control of “electrum dot […]

The post Devs Find Fake Version of Bitcoin Wallet Stealing Users’ Seeds appeared first on The State of Security.

Webstresser.org has been seized

Police take down a major cybercrime resource

A recent global raid conducted by police in the UK, US and the Netherlands has helped to take down a major cybercrime resource called WebStresser. The WebStresser website allowed anyone with a credit card to “buy” a distributed denial of service (DDoS) attack on another website of their choice.

What are DDoS attacks?

A DDoS attack uses a network of bots to flood a target website with traffic. Each bot attempts to access the website hundreds of times each minute; eventually there are too many access attempts for the website to handle and it crashes.

It can take many hours for a website to recover from a DDoS attack. Ecommerce sites could lose thousands of dollars during that time because genuine buyers cannot make purchases.

The DDoS attack technique is reliant on thousands of bots to generate the necessary traffic to overload a website. Normally hackers need to infect thousands of computers with malware to create the bot network – a process that can take days or weeks to complete, and which could cost thousands of dollars to set up.

The WebStresser difference

But when using the WebStresser service, anyone could access a network of preconfigured bots instantly. Even more concerning for website owners was the cost of using WebStresser – DDoS attacks could be bought for as little as $15.

This low entry price meant that anyone with a grudge could attack a website – even if they had no technical skills, or experience of hacking. The police believe that thousands of websites were targeted using the WebStresser service before it was taken offline.

A temporary win

Although WebStresser has gone, it is only a matter of time before a copycat service launches. Now that cybercriminals know they can make money from running a DDoS botnet, it is only a matter of time before we see similar hack-for-cash services pop-up elsewhere.

You can play your part

Home users are very unlikely to find themselves the target of a distributed denial of service attack – but that’s not to say you will never be part of one. The WebStresser service uses a network of compromised PCs just like your own as part of the attack.

Unprotected computers are infected with malware that sits dormant until required. When the DDoS attack is launched, these infected computers are then called into action, to target a specific website. Chances are that you will never even know that your computer has become part of a zombie network until an attack begins and your computer slows down.

To avoid becoming an unwitting accomplice, you must ensure that your PC is regularly updated, and that you have a comprehensive antimalware system installed. This combination will help to prevent malware from infecting your PC.

Play your part in making the web a safer place (and stop your PC slowing down too) by downloading a free Panda Dome trial today.

The post Webstresser.org has been seized appeared first on Panda Security Mediacenter.

Airbash – Fully Automated WPA PSK Handshake Capture Script

Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing. It is compatible with Bash and Android Shell (tested on Kali Linux and Cyanogenmod 10.2) and uses aircrack-ng to scan for clients that are currently connected to access points (AP).

Those clients are then deauthenticated in order to capture the handshake when attempting to reconnect to the AP. Verification of a captured handshake is done using aircrack-ng.

Read the rest of Airbash – Fully Automated WPA PSK Handshake Capture Script now! Only available at Darknet.

HP Security Bulletin MFSBGN03804 1

HP Security Bulletin MFSBGN03804 1 - Potential security vulnerabilities have been identified with Service Manager. These vulnerabilities have been identified in the OpenSSL open source library component and may be exploited to cause disruption of service and unauthorized disclosure of information. Revision 1 of this advisory.

HP Security Bulletin MFSBGN03806 1

HP Security Bulletin MFSBGN03806 1 - A potential security vulnerability has been identified in Micro Focus Network Automation and Network Operations Management (NOM) Suite. The vulnerabilities could be remotely exploited to allow SQL injection, persist cross-site scripting, and non-persistent HTML Injection. Revision 1 of this advisory.

OPC UA security analysis

This paper discusses our project that involved searching for vulnerabilities in implementations of the OPC UA protocol. In publishing this material, we hope to draw the attention of vendors that develop software for industrial automation systems and the industrial internet of things to problems associated with using such widely available technologies, which turned out to be quite common. We hope that this article will help software vendors achieve a higher level of protection from modern cyberattacks. We also discuss some of our techniques and findings that may help software vendors control the quality of their products and could prove useful for other software security researchers.

Why we chose the OPC UA protocol for our research

The IEC 62541 OPC Unified Architecture (OPC UA) standard was developed in 2006 by the OPC Foundation consortium for reliable and, which is important, secure transfer of data between various systems on an industrial network. The standard is an improved version of its predecessor – the OPC protocol, which is ubiquitous in modern industrial environments.

It is common for monitoring and control systems based on different vendors’ products to use mutually incompatible, often proprietary network communication protocols. OPC gateways/servers serve as interfaces between different industrial control systems and telemetry, monitoring and telecontrol systems, unifying control processes at industrial enterprises.

The previous version of the protocol was based on the Microsoft DCOM technology and had some significant limitations inherent to that technology. To get away from the limitations of the DCOM technology and address some other issues identified while using OPC, the OPC Foundation developed and released a new version of the protocol.

Thanks to its new properties and well-designed architecture, the OPC UA protocol is rapidly gaining popularity among automation system vendors. OPC UA gateways are installed by a growing number of industrial enterprises across the globe. The protocol is increasingly used to set up communication between components of industrial internet of things and smart city systems.

The security of technologies that are used by many automation system developers and have the potential to become ubiquitous across industrial facilities around the globe is one of the highest-priority areas of research for Kaspersky Lab ICS CERT. This was our main reason for analyzing OPC UA.

Another reason was that Kaspersky Lab is a member of the OPC Foundation consortium and we feel responsible for the security of technologies developed by the consortium. Getting ahead of the story, we can say that, following the results of our research, we received an invitation to join the OPC Foundation Security Working Group and gratefully accepted it.

OPC UA protocol

Originally, OPC UA was designed to support two transport encodings: the traditional binary format (used in previous versions of the standard) and SOAP/XML. Today, data transfer in the SOAP/XML format is considered obsolete in the IT world and is almost never used in modern products and services. Its prospects of wide use in industrial automation systems are unclear, so we focused our research on the binary format.

If packets exchanged by services running on the host are intercepted, their structure can easily be understood. There are four types of messages transmitted over the OPC UA protocol:

  • HELLO (HEL)
  • OPEN (OPN)
  • MESSAGE (MSG)
  • CLOSE (CLO)

The first message is always HELLO (HEL). It marks the start of data transfer between the client and the server. The server responds with an ACKNOWLEDGE (ACK) message. After this initial exchange, the client usually sends an OPEN (OPN) request, asking to open a secure channel with the security policy (encryption method) it proposes. The server replies with its own OPEN (OPN) message, which carries the unique ID of the secure channel and confirms the proposed security mode (which may be no encryption at all).

Now the client and the server can exchange MESSAGE (MSG) messages. Each one carries the secure channel ID, the request or response type, a timestamp, the data arrays being sent, and so on. At the end of the session a CLOSE (CLO) message is sent, after which the connection is terminated.
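The framing described above is simple enough to reproduce by hand, which is also the starting point for any network fuzzer aimed at it. The following is an added illustration in Python (chosen because the page itself relies on python-opcua later), not code from the Kaspersky Lab project or from the OPC Foundation stack. The header layout (3-byte ASCII message type, 1-byte chunk type, little-endian UInt32 total size) and the HEL/ACK bodies follow OPC UA Part 6; the endpoint URL is a constructed sample. The decoder deliberately refuses a declared length that runs past the buffer, the class of check whose absence is discussed later in the article.

```python
import struct

# OPC UA TCP message header: 3-byte ASCII type, 1-byte chunk type ('F' = final chunk),
# then a little-endian UInt32 holding the total message size including the header.
HEADER = struct.Struct("<3sBI")
HEADER_LEN = HEADER.size  # 8 bytes


def encode_string(s):
    """OPC UA String: Int32 byte length (little-endian) followed by UTF-8 bytes.
    None encodes as length -1, the wire form of a null string."""
    if s is None:
        return struct.pack("<i", -1)
    data = s.encode("utf-8")
    return struct.pack("<i", len(data)) + data


def decode_string(buf, off):
    """Inverse of encode_string; returns (value, new_offset). Refuses a declared
    length that points past the end of the buffer instead of trusting it."""
    (n,) = struct.unpack_from("<i", buf, off)
    off += 4
    if n == -1:
        return None, off
    if n < 0 or off + n > len(buf):
        raise ValueError("string length %d exceeds buffer" % n)
    return buf[off:off + n].decode("utf-8"), off + n


def frame(msg_type, body):
    """Prepend the 8-byte header to a message body."""
    return HEADER.pack(msg_type, ord("F"), HEADER_LEN + len(body)) + body


def build_hello(endpoint_url, protocol_version=0, recv_buf=65536,
                send_buf=65536, max_msg=0, max_chunks=0):
    """Client -> server HEL: five UInt32 negotiation fields plus the EndpointUrl."""
    body = struct.pack("<IIIII", protocol_version, recv_buf, send_buf,
                       max_msg, max_chunks) + encode_string(endpoint_url)
    return frame(b"HEL", body)


def build_ack(protocol_version=0, recv_buf=65536, send_buf=65536,
              max_msg=0, max_chunks=0):
    """Server -> client ACK: the same five UInt32 fields, no URL."""
    body = struct.pack("<IIIII", protocol_version, recv_buf, send_buf,
                       max_msg, max_chunks)
    return frame(b"ACK", body)


def parse_message(raw):
    """Split a captured message into (type, chunk_type, body), checking that the
    declared size matches what was actually received."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short header")
    msg_type, chunk, size = HEADER.unpack_from(raw, 0)
    if size != len(raw):
        raise ValueError("declared size %d != received %d" % (size, len(raw)))
    return msg_type.decode("ascii"), chr(chunk), raw[HEADER_LEN:]


def parse_hello(raw):
    """Decode a HEL message into a dict of its fields."""
    kind, _, body = parse_message(raw)
    if kind != "HEL":
        raise ValueError("not a HEL message: " + kind)
    fields = struct.unpack_from("<IIIII", body, 0)
    url, end = decode_string(body, 20)
    if end != len(body):
        raise ValueError("trailing bytes after EndpointUrl")
    return {"protocol_version": fields[0], "receive_buffer_size": fields[1],
            "send_buffer_size": fields[2], "max_message_size": fields[3],
            "max_chunk_count": fields[4], "endpoint_url": url}


if __name__ == "__main__":
    hel = build_hello("opc.tcp://plc.example:4840")   # constructed sample URL
    print(hel.hex())
    print(parse_hello(hel))
```

Captured HEL/ACK pairs from a real client (tcpdump, as the article does) can be fed straight into parse_hello and parse_message; the two ValueError paths are exactly the conditions a robust server-side reader must check before copying data.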

OPC UA is a standard that has numerous implementations. In our research, we only looked at the specific implementation of the protocol developed by the OPC Foundation.

The initial stage

We first became interested in analyzing the OPC UA protocol when the Kaspersky Lab ICS CERT team was conducting security audits and penetration tests at several industrial enterprises. All of these enterprises used the same industrial control system (ICS) software. With the approval of the customers, we analyzed the software for vulnerabilities as part of the testing.

It turned out that part of the network services in the system we analyzed communicated over the OPC UA protocol and most executable files used a library named “uastack.dll”.

The first thing we decided to do as part of analyzing the security of the protocol’s implementation was to develop a basic “dumb” mutation-based fuzzer.

“Dumb” fuzzing, in spite of being called “dumb”, can be very useful and can in some cases significantly improve the chances of finding vulnerabilities. Developing a “smart” fuzzer for a specific program based on its logic and algorithms is time-consuming. At the same time, a “dumb” fuzzer helps quickly identify trivial vulnerabilities that can be hard to get at in the process of manual analysis, particularly when the amount of code to be analyzed is large, as was the case in our project.

The architecture of the OPC UA Stack makes in-memory fuzzing difficult. For the functions that we want to check for vulnerabilities to work correctly, the fuzzing process must involve passing properly formed arguments to the function and initializing global variables, which are structures with a large number of fields. We decided not to fuzz-test functions directly in memory. The fuzzer that we wrote communicated with the application being analyzed over the network.

The fuzzer’s algorithm had the following structure:

  • read input data sequences
  • perform a pseudorandom transformation on them
  • send the resulting sequences to the program over the network as inputs
  • receive the server’s response
  • repeat

After developing a basic set of mutations (bit flips, byte flips, arithmetic mutations, inserting magic numbers, truncating the data sequence, using a very long data sequence), we identified the first vulnerability in uastack.dll. It was a heap corruption vulnerability, successful exploitation of which could enable an attacker to achieve remote code execution (RCE), in this case with NT AUTHORITY\SYSTEM privileges. The root cause was that the function handling data just read from a socket miscalculated the size of that data before copying it into a heap-allocated buffer.
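The loop and mutation set described above are small enough to show in full. The block below is an added example in Python, not the fuzzer Kaspersky Lab wrote and not OPC Foundation code. The seed is a constructed, valid HEL message; the target is a deliberately size-trusting stand-in (toy_server) that models the class of bug the text describes by raising ConnectionResetError when the declared MessageSize exceeds the bytes received. The exchange function is injected, so the same loop drives a real TCP socket by swapping toy_server for a send/recv wrapper.

```python
import random
import struct

# Constructed seed: a valid HEL message (8-byte header, five UInt32 fields, EndpointUrl).
_URL = b"opc.tcp://plc.example:4840"
HEL_SEED = (b"HELF" + struct.pack("<I", 8 + 20 + 4 + len(_URL))
            + struct.pack("<IIIII", 0, 65536, 65536, 0, 0)
            + struct.pack("<i", len(_URL)) + _URL)

MAGIC = [0, 1, 0x7f, 0x80, 0xff, 0x7fff, 0x8000, 0xffff,
         0x7fffffff, 0x80000000, 0xffffffff]


def bitflip(data, rng):
    i = rng.randrange(len(data))
    return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]


def byteflip(data, rng):
    i = rng.randrange(len(data))
    return data[:i] + bytes([data[i] ^ 0xff]) + data[i + 1:]


def _replace_int(data, rng, value_fn):
    """Overwrite a little-endian 1/2/4-byte integer at a random offset."""
    width = rng.choice([1, 2, 4])
    if len(data) < width:
        return data
    i = rng.randrange(len(data) - width + 1)
    old = int.from_bytes(data[i:i + width], "little")
    new = value_fn(old) % (1 << (8 * width))
    return data[:i] + new.to_bytes(width, "little") + data[i + width:]


def arith(data, rng):
    return _replace_int(data, rng, lambda v: v + rng.randint(-35, 35))


def magic(data, rng):
    return _replace_int(data, rng, lambda v: rng.choice(MAGIC))


def truncate(data, rng):
    """'Reset' the sequence: cut it off at a random point (never to zero bytes)."""
    return data[:rng.randrange(1, len(data) + 1)]


def extend(data, rng):
    """Long sequence: append a run of one repeated byte."""
    return data + bytes([rng.randrange(256)]) * rng.choice([64, 512, 4096])


MUTATORS = [bitflip, byteflip, arith, magic, truncate, extend]


def mutate(seed, rng, rounds=1):
    data = seed
    for _ in range(rounds):
        data = rng.choice(MUTATORS)(data, rng)
    return data


def fuzz(seeds, exchange, iterations, rng):
    """The loop from the text: pick a seed, transform it pseudorandomly, send it,
    look at the answer, repeat. exchange(payload) -> response bytes is injected so
    the loop can drive a socket or an in-process stand-in. A dropped connection is
    treated as a crash and the offending input is kept for triage."""
    crashes, responses = [], {}
    for _ in range(iterations):
        payload = mutate(rng.choice(seeds), rng, rounds=rng.randint(1, 4))
        try:
            resp = exchange(payload)
        except OSError as exc:           # ConnectionResetError, timeouts, ...
            crashes.append((payload, repr(exc)))
            continue
        responses[resp[:3]] = responses.get(resp[:3], 0) + 1
    return crashes, responses


def declared_size(payload):
    return struct.unpack_from("<I", payload, 4)[0]


def toy_server(payload):
    """Constructed stand-in for the target (not the real uastack.dll): it trusts the
    declared MessageSize when 'copying' the body. The process dying on the resulting
    out-of-bounds read is modelled as a ConnectionResetError."""
    if len(payload) < 8:
        return b"ERR" + b"short header"
    declared = declared_size(payload)
    if declared > len(payload):
        raise ConnectionResetError("over-read of %d bytes" % (declared - len(payload)))
    if payload[:3] != b"HEL":
        return b"ERR" + b"unexpected message type"
    return b"ACK" + payload[8:28]


def run_demo(iterations=300, seed=1234):
    return fuzz([HEL_SEED], toy_server, iterations, random.Random(seed))


if __name__ == "__main__":
    crashes, responses = run_demo()
    print("crashes:", len(crashes), "responses by type:", responses)
```

Because truncation and bit flips in the size field routinely produce a header that promises more bytes than follow, the stand-in falls over within a few dozen iterations; against a real service the same inputs are what you replay under a debugger to get the crash dump.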

Upon close inspection, it was determined that the vulnerable version of the uastack.dll library had been compiled by the product’s developers. Apparently, the vulnerability was introduced into the code in the process of modifying it. We were not able to find that vulnerability in the OPC Foundation’s version of the library.

The second vulnerability was found in a .NET application that used the UA .NET Stack. While analyzing the application's traffic in Wireshark, we noticed in the dissector that some packets had an is_xml bit field whose value was 0. In the process of analyzing the application, we found that it used the XmlDocument class, which with its default settings is vulnerable to XXE attacks in .NET versions 4.5 and earlier. This means that if we changed the is_xml bit field's value from 0 to 1 and placed a specially crafted XML document in the request body (an XXE attack), we would be able to read any file on the remote machine (arbitrary file read) with NT AUTHORITY\SYSTEM privileges and, under certain conditions, to achieve remote code execution (RCE) as well.
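The mechanism behind this finding, an XML processor that resolves an external entity's SYSTEM identifier and inlines the result, is shown below as an added Python illustration; it is not the .NET discovery server's code and not from the Kaspersky Lab report. parse_trusting models the vulnerable configuration with Python's expat module (a deliberately installed entity handler that opens whatever the SYSTEM id names; .NET's default XmlUrlResolver would also fetch URLs). parse_hardened models the fix that corresponds to DtdProcessing.Prohibit / XmlResolver = null: any DOCTYPE aborts parsing before an entity can be declared. The "secret" file is created by the example itself.

```python
import os
import tempfile
from xml.parsers import expat


def parse_trusting(xml_bytes):
    """Models the vulnerable configuration: the DTD is honoured and external general
    entities are fetched, so a SYSTEM entity pointing at a local file is inlined
    into the document text. This stand-in only opens local paths."""
    parts = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = parts.append

    def fetch_external_entity(context, base, system_id, public_id):
        with open(system_id, "rb") as f:
            data = f.read()
        # The sub-parser inherits the handlers, so the file contents flow into parts.
        parser.ExternalEntityParserCreate(context).Parse(data, True)
        return 1

    parser.ExternalEntityRefHandler = fetch_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(parts)


def parse_hardened(xml_bytes):
    """Equivalent of DtdProcessing.Prohibit / XmlResolver = null: a DOCTYPE aborts
    parsing before any entity can be declared, and no external resolver exists."""
    parts = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = parts.append

    def reject_dtd(*_):
        raise ValueError("DTD not allowed in request body")

    parser.StartDoctypeDeclHandler = reject_dtd
    parser.Parse(xml_bytes, True)
    return "".join(parts)


def xxe_payload(path):
    """Constructed attacker body: an external entity whose SYSTEM id names a file."""
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE r [<!ENTITY xxe SYSTEM "%s">]>\n'
            '<r>&xxe;</r>' % path).encode()


def demo():
    """Create a throwaway file standing in for a secret on the server, then show that
    the trusting parser leaks it while the hardened one refuses the document."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("db_password=hunter2")
    try:
        leaked = parse_trusting(xxe_payload(path))
        try:
            parse_hardened(xxe_payload(path))
            blocked = False
        except ValueError:
            blocked = True
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

Rejecting the DOCTYPE outright (rather than only disabling the resolver) also closes internal-entity expansion attacks, which is why it is the setting to reach for in a request handler that never expects a DTD.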

Judging by the metadata, although the application was part of the software package of the ICS that we were analyzing, it had been developed by the OPC Foundation consortium, not the vendor, and was an ordinary discovery server. This means that other products built on the OPC Foundation's OPC UA technology may include the same server and be vulnerable to the same XXE attack, which makes this vulnerability much more valuable from an attacker's viewpoint.

This was the first step in our research. Based on the results of that step, we decided to continue analyzing the OPC UA implementation by the OPC Foundation consortium, as well as products that use it.

OPC UA analysis

To identify vulnerabilities in the implementation of the OPC UA protocol by the OPC Foundation consortium, research must cover:

  • The OPC UA Stack (ANSI C, .NET, Java);
  • OPC Foundation applications that use the OPC UA Stack (such as the OPC UA .NET Discovery Server mentioned above);
  • Applications by other software developers that use the OPC UA Stack.

As part of our research, we set ourselves the task to find optimal methods of searching for vulnerabilities in all three categories.

Fuzzing the UA ANSI C Stack

Here, it should be mentioned that searching for vulnerabilities in the OPC UA Stack presents a particular problem. OPC Foundation developers provide libraries that are essentially a set of exported functions implementing a specification, similar to an API. In such cases, it is often hard to determine whether a potential security problem that has been discovered is in fact a vulnerability. To give a conclusive answer, one must understand how the potentially vulnerable function is used and for what purpose, i.e., a sample program that uses the library is needed. In our case, it was hard to draw conclusions about vulnerabilities in the OPC UA Stack without looking at applications that used it.

What helped us resolve this problem associated with searching for vulnerabilities was open-source code hosted in the OPC Foundation’s repository on GitHub, which includes a sample server that uses the UA ANSI C Stack. We don’t often get access to product source code in the course of analyzing ICS components. Most ICS applications are commercial products, developed mostly for Windows and released with a licensing agreement the terms of which do not include access to the source code. In our case, the availability of the source code helped find errors both in the server itself and in the library. The UA ANSI C Stack source code was helpful for doing manual analysis of the code and for fuzzing. It also helped us find out whether new functionality had been added to a specific implementation of the UA ANSI C Stack.

The UA ANSI C Stack (like virtually all other products by the OPC Foundation consortium) is positioned as a solution that is not only secure but also cross-platform. This helped us during fuzzing: we were able to build the UA ANSI C Stack together with the sample server code published by the developers in their GitHub account on a Linux system with compile-time instrumentation, and to fuzz-test that code using AFL.

To accelerate fuzzing, we replaced the networking functions – socket/sendto/recvfrom/accept/bind/select/… – with versions that read input data from a local file instead of the network. We also compiled the program with AddressSanitizer.

To put together an initial set of examples, we used the same technique as for our first “dumb” fuzzer, i.e., capturing traffic from an arbitrary client to the application using tcpdump. We also added some improvements to our fuzzer – a dictionary created specifically for OPC UA and special mutations.

It follows from the specification of the OPC UA binary encoding that it is quite difficult for AFL to mutate from, say, the binary representation of a null string (“\xff\xff\xff\xff”, i.e., a length of -1) to a string that contains 4 arbitrary bytes (for example, “\x04\x00\x00\x00AAAA”): the length prefix and the payload have to change together. Because of this, we implemented our own mutation mechanism, which worked with OPC UA internal structures, changing them based on their types.
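What "changing them based on their types" looks like in practice is shown below as an added Python example; it is not the mutation code from the Kaspersky Lab project. The HEL body layout is taken from OPC UA Part 6 and the endpoint URL is a constructed sample. Each case keeps every other field validly encoded and recomputes the frame size, so the parser actually reaches the mutated field. For String fields the generator produces the null/empty/long cases that byte-level mutation cannot reach, plus two length lies (a declared length far larger than the bytes present, and a negative length other than the null marker) that target exactly the size-calculation bugs described in this article.

```python
import struct


def enc_string(value):
    """OPC UA String: Int32 length then UTF-8 bytes; -1 is a null string."""
    if value is None:
        return struct.pack("<i", -1)
    return struct.pack("<i", len(value)) + value


def enc_uint32(value):
    return struct.pack("<I", value & 0xffffffff)


# Declarative layout of the HEL body (OPC UA Part 6); the values are a constructed sample.
HEL_LAYOUT = [("ProtocolVersion", "UInt32", 0),
              ("ReceiveBufferSize", "UInt32", 65536),
              ("SendBufferSize", "UInt32", 65536),
              ("MaxMessageSize", "UInt32", 0),
              ("MaxChunkCount", "UInt32", 0),
              ("EndpointUrl", "String", b"opc.tcp://plc.example:4840")]


def string_variants(_value):
    """Type-aware alternatives for one String field. The last two lie about the
    length: declared length larger than the payload (parser over-read) and a
    negative length other than -1 (sign confusion in size arithmetic)."""
    yield b"\xff\xff\xff\xff"                      # null string
    yield struct.pack("<i", 0)                     # empty string
    yield enc_string(b"A" * 4)                     # short valid string
    yield enc_string(b"A" * 0x10000)               # very long valid string
    yield struct.pack("<i", 0x7fffffff) + b"A" * 4  # length > bytes present
    yield struct.pack("<i", -2) + b"A" * 4          # negative, but not the null marker


def uint32_variants(value):
    """Boundary values around the field's own value and the UInt32 edges."""
    for v in (0, 1, value - 1, value + 1, 0x7fffffff, 0x80000000, 0xffffffff):
        yield enc_uint32(v)


VARIANTS = {"String": string_variants, "UInt32": uint32_variants}


def encode_field(kind, value):
    return enc_string(value) if kind == "String" else enc_uint32(value)


def body(layout):
    return b"".join(encode_field(k, v) for _, k, v in layout)


def frame(body_bytes, msg_type=b"HEL"):
    """Header with the size recomputed, so a bad header never masks the mutation."""
    return msg_type + b"F" + struct.pack("<I", 8 + len(body_bytes)) + body_bytes


def structural_cases(layout):
    """One test case per (field, variant); all other fields keep a valid encoding."""
    for idx, (name, kind, value) in enumerate(layout):
        for variant in VARIANTS[kind](value):
            parts = [encode_field(k, v) for _, k, v in layout]
            parts[idx] = variant
            yield name, frame(b"".join(parts))


def count_cases(layout=HEL_LAYOUT):
    return sum(1 for _ in structural_cases(layout))


if __name__ == "__main__":
    for name, case in structural_cases(HEL_LAYOUT):
        print(name, case[:40].hex(), "..." if len(case) > 40 else "")
```

The same table-driven approach extends to the other OPC UA encodings (NodeId, ExtensionObject, arrays with their own Int32 length prefixes) by adding a generator per type; the generator for arrays would produce the same length-lie cases as the String one.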

After building our fuzzer with all the improvements included, we got the first crash of the program within a few minutes.

An analysis of memory dumps created at the time of the crash enabled us to identify a vulnerability in the UA ANSI C Stack which, if exploited, could result at least in a DoS condition.

Fuzzing OPC Foundation applications

Since, in the previous stage, we had performed fuzzing of the UA ANSI C Stack and a sample application by the OPC Foundation, we wanted to avoid retesting the OPC UA Stack in the process of analyzing the consortium’s existing products, focusing instead on fuzzing specific components written on top of the stack. This required knowledge of the OPC UA architecture and the differences between applications that use the OPC UA Stack.

The two main functions in any application that uses the OPC UA Stack are OpcUa_Endpoint_Create and OpcUa_Endpoint_Open. The former provides the application with information on available channels of data communication between the server and the client and a list of available services. The OpcUa_Endpoint_Open function defines from which network the service will be available and which encryption modes it will provide.

A list of available services is defined using a service table, which lists data structures and provides information about each individual service. Each of these structures includes the request type supported, the response type, and two callback functions that are called during request preprocessing and post-processing (the preprocessing functions are, in most cases, stubs). We inserted converter code into the request preprocessing function. It takes mutated data as input and outputs a correctly formed structure matching the request type. This let us skip the application startup stage, the event loop, the separate thread reading from our pseudo socket, and so on, and accelerated our fuzzing from 50 exec/s to 2000 exec/s.

As a result of using our “dumb” fuzzer improved in this way, we identified 8 more vulnerabilities in OPC Foundation applications.

Analyzing third-party applications that use the OPC UA Stack

Having completed the OPC Foundation product analysis stage, we moved on to analyzing commercial products that use the OPC UA Stack. From the ICS systems we worked with during penetration testing and analyzing the security status of facilities for some of our customers, we selected several products by different vendors, including solutions by global leaders of the industry. After getting our customers’ approval, we began to analyze implementations of the OPC UA protocol in these products.

When searching for binary vulnerabilities, fuzzing is one of the most effective techniques. In the previous cases, when analyzing products on a Linux system, we used compile-time instrumentation and the AFL fuzzer. However, the commercial products using the OPC UA Stack that we analyzed are designed to run on Windows, for which there is an equivalent of AFL called WinAFL. Essentially, WinAFL is AFL ported to Windows. However, due to differences between the operating systems, the two fuzzers differ in some significant ways. Instead of Linux system calls, WinAFL uses WinAPI functions, and instead of static compile-time instrumentation it uses DynamoRIO dynamic binary instrumentation. Overall, these differences mean that the performance of WinAFL is significantly lower than that of AFL.

To work with WinAFL in the standard way, one has to write a program that will read data from a specially created file and call a function from an executable file or library. Then WinAFL will put the process into a loop using binary instrumentation and will call the function many times, getting feedback from the running program and relaunching the function with mutated data as arguments. That way, the program will not have to be relaunched every time with new input data, which is good, because creating a new process in Windows consumes significant processor time.

Unfortunately, this method of fuzzing couldn’t be used in our situation. Owing to the asynchronous architecture of the OPC UA Stack, the processing of data received and sent over the network is implemented as call-back functions. Consequently, it is impossible to identify a data-processing function for each type of request that would accept a pointer to the buffer containing the data and the size of the data as arguments, as required by the WinAFL fuzzer.

In the source code of the WinAFL fuzzer, we found comments on fuzzing networking applications left by the developer. We followed the developer’s recommendations on implementing network fuzzing with some modifications. Specifically, we included the functionality of communication with the local networking application in the code of the fuzzer. As a result of this, instead of executing a program, the fuzzer sends payload over the network to an application that is already running under DynamoRIO.

However, with all our efforts, we were only able to achieve a fuzzing rate of 5 exec/s. This is so slow that finding a vulnerability would take too long even with a coverage-guided fuzzer like AFL.

Consequently, we decided to go back to our “dumb” fuzzer and improve it.

  1. We improved the mutation mechanism, modifying the data generation algorithm based on our knowledge of the types of data transferred to the OPC UA Stack.
  2. We created a set of examples for each service supported (the python-opcua library, which includes functions for interacting with virtually all possible OPC UA services, proved very helpful in this respect).
  3. When a fuzzer with dynamic binary instrumentation is used on a multithreaded application such as ours, detecting new branches in the application’s code is quite complicated, because it is difficult to determine which input data caused a particular behavior. Since our fuzzer communicated with the application over the network and we could clearly tie each server response to the data sent (because the exchange took place within a single session), we did not need to solve this problem. Instead, we implemented an algorithm that declared a new execution path found whenever the server returned a response that had not been observed before.

As a result of the improvements described above, our “dumb” fuzzer was no longer all that “dumb”, and the number of executions per second grew from 1 or 2 to 70, which is a good figure for network fuzzing. With its help, we identified two more new vulnerabilities that we had been unable to identify using “smart” fuzzing.
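The response-based substitute for coverage feedback in point 3 above deserves a concrete shape: the response has to be normalized first, otherwise every timestamp or request handle looks like a "new path". The block below is an added Python example, not the Kaspersky Lab fuzzer. It assumes the OPC UA TCP framing (3-byte type, chunk flag, UInt32 size) and, for ERR messages, the UInt32 StatusCode that follows the header; the status-code values and request bytes are constructed samples, not taken from the article.

```python
import struct


def response_signature(resp):
    """Collapse a server response to the features that indicate which code path
    handled the request, dropping per-request noise (timestamps, handles, text).
    Assumed shape: 3-byte type, 1-byte chunk flag, UInt32 size; for ERR the body
    starts with a UInt32 StatusCode, which is the most path-revealing field."""
    if len(resp) < 8:
        return ("short", len(resp))
    kind = resp[:3]
    size_ok = struct.unpack_from("<I", resp, 4)[0] == len(resp)
    if kind == b"ERR" and len(resp) >= 12:
        status = struct.unpack_from("<I", resp, 8)[0]
        return ("ERR", size_ok, status)
    if kind == b"ACK":
        return ("ACK", size_ok, len(resp))
    # MSG/OPN carry request-specific payloads: bucket by type and coarse length only.
    return (kind.decode("ascii", "replace"), size_ok, len(resp) // 16)


class NoveltyTracker:
    """Keeps every input that produced a never-before-seen response signature; the
    network-fuzzing stand-in for AFL's new-edge feedback. Kept inputs become seeds."""

    def __init__(self):
        self.seen = set()
        self.corpus = []

    def observe(self, payload, resp):
        sig = response_signature(resp)
        if sig in self.seen:
            return False
        self.seen.add(sig)
        self.corpus.append((sig, payload))
        return True


def constructed_responses():
    """Five constructed (request, response) pairs: two ERRs with the same status but
    different Reason text, an ERR with another status, and two identical ACKs."""
    def err(status, reason):
        body = struct.pack("<I", status) + struct.pack("<i", len(reason)) + reason
        return b"ERRF" + struct.pack("<I", 8 + len(body)) + body

    ack = b"ACKF" + struct.pack("<I", 28) + struct.pack("<IIIII", 0, 65536, 65536, 0, 0)
    return [(b"req1", err(0x80830000, b"url rejected #1")),
            (b"req2", err(0x80830000, b"url rejected #2")),  # same path, different text
            (b"req3", err(0x807e0000, b"bad message type")),
            (b"req4", ack),
            (b"req5", ack)]


def run_demo():
    tracker = NoveltyTracker()
    flags = [tracker.observe(p, r) for p, r in constructed_responses()]
    return flags, len(tracker.corpus)


if __name__ == "__main__":
    print(run_demo())
```

Only three of the five exchanges count as new here; the second ERR differs from the first only in its human-readable Reason string and is correctly ignored, which is what keeps the corpus from filling up with duplicates of one error path.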


As of the end of March 2018, the results of our research included 17 zero-day vulnerabilities in the OPC Foundation’s products that had been identified and closed, as well as several vulnerabilities in the commercial applications that use these products.

We immediately reported all the vulnerabilities identified to developers of the vulnerable software products.

Throughout our research, experts from the OPC Foundation and representatives of the development teams that had developed the commercial products promptly responded to the vulnerability information we sent to them and closed the vulnerabilities without delays.

In most cases, flaws in third-party software that uses the OPC UA Stack were caused by the developers not using functions from the API implemented in the OPC Foundation’s uastack.dll library properly – for example, field values in the data structures transferred were interpreted incorrectly.

We also determined that, in some cases, product vulnerabilities were caused by modifications made to the uastack.dll library by developers of commercial software. One example is an insecure implementation of functions designed to read data from a socket, which was found in a commercial product. Notably, the original implementation of the function by the OPC Foundation did not include this error. We do not know why the commercial software developer needed to modify the data reading logic. However, it is obvious that the developer did not realize that the additional checks in the OPC Foundation’s implementation are important because the library’s security guarantees depend on them.

In the process of analyzing commercial software, we also found that developers had borrowed code from OPC UA Stack implementation examples, copying it into their applications verbatim. Apparently, they assumed that the OPC Foundation had made sure these code fragments were secure, just as it had ensured the security of the library code. Unfortunately, that assumption turned out to be wrong.

Exploitation of some of the vulnerabilities that we identified results in DoS conditions and the ability to execute code remotely. It is important to remember that, in industrial systems, denial-of-service vulnerabilities pose a more serious threat than in any other software. Denial-of-service conditions in telemetry and telecontrol systems can cause enterprises to suffer financial losses and, in some cases, even lead to the disruption and shutdown of the industrial process. In theory, this could cause harm to expensive equipment and other physical damage.


The fact that the OPC Foundation is opening the source code of its projects certainly indicates that it is open and committed to making its products more secure.

At the same time, our analysis has demonstrated that the current implementation of the OPC UA Stack is not only vulnerable but also has a range of significant fundamental problems.

First, flaws introduced by developers of commercial software that uses the OPC UA Stack indicate that the OPC UA Stack was not designed for clarity. Unfortunately, an analysis of the source code confirms this. The current implementation of the protocol has plenty of pointer calculations, insecure data structures, magic constants, parameter validation code copied between functions and other archaic features scattered throughout the code. These are features that developers of modern software tend to eliminate from their code, largely to make their products more secure. At the same time, the code is not very well documented, which makes errors more likely to be introduced in the process of using or modifying it.

Second, OPC UA developers clearly underestimate the trust software vendors have for all code provided by the OPC Foundation consortium. In our view, leaving vulnerabilities in the code of API usage examples is completely wrong, even though API usage examples are not included in the list of products certified by the OPC Foundation.

Third, we believe that there are quality assurance issues even with products certified by the OPC Foundation.

It is likely that fuzz testing techniques similar to those described in this paper are not part of the quality assurance procedures used by OPC UA developers; the statistics on the vulnerabilities we identified point to this.

The open source code does not include code for unit tests or any other automatic tests, making it more difficult to test products that use the OPC UA Stack in cases when developers of these products modify their code.

All of the above leads us to the rather disappointing conclusion that, although OPC UA developers try to make their product secure, they nevertheless neglect to use modern secure coding practices and technologies.

Based on our assessment, the current OPC UA Stack implementation not only fails to protect developers from trivial errors but also tends to provoke them, as we have seen in real-world examples. Given today’s threat landscape, this is unacceptable for products as widely used as OPC UA, and even less acceptable for products designed for industrial automation systems.

Security newsround: May 2018

We round up reporting and research from across the web about the latest security news and developments. This month: police success against cyber villains, the value of personal data, IoT security, a new ransomware strain, a new security framework and Gmail goes for 2FA.

Law’s long arm collars cyber crooks

Police forces scored three big wins against various cybercrime operations recently. In late April, authorities took down WebStresser.org, one of the world’s most popular marketplaces for launching DDoS attacks. Reuters reported that WebStresser was behind attacks on seven of Britain’s largest banks last November. The service is also alleged to have been responsible for four million attacks since 2015 against governments, police services, and businesses.

The Dutch Politie and the UK’s National Crime Agency led ‘Operation Power Off’, supported by Europol and a dozen other law enforcement agencies. They arrested alleged WebStresser administrators in four countries, seized infrastructure, and took unspecified “further measures” against some of its top users.

Before police pulled the plug, WebStresser had amassed 136,000 registered users. Threatpost aptly described WebStresser as a “criminal fantasy dream site”. It reported that there are 6.5 million DDoS attacks per year on average, earning attackers $13 million in revenue.

In separate operations, a coalition of eight countries led by Belgium took down propaganda broadcasting infrastructure of the Islamic State. Authorities targeted web assets of Amaq News Agency, an online media outlet which authorities called “the main mouthpiece of IS”. The same action also took down other IS-branded media outlets.

Completing the hat-trick, cybercrime teams from Dutch police seized the Anon-IB forum in an investigation relating to criminal offences. Vice Motherboard described Anon-IB as “possibly the most infamous site focused on revenge porn – explicit or intimate images of people shared without their consent”.

We’re always pleased to see law enforcement prevail in the fight against cybercrime. BH Consulting has been a partner of Europol for years. In 2013, our CEO Brian Honan was appointed as a special advisor on internet security to Europol’s CyberCrime Centre (EC3).

What’s your data worth?

If data is the new oil, there’s no shortage of ways that criminals can refine it for profit. As this post from Dark Reading makes clear, stolen data has many purposes that security teams need to know about. Crimes range from stolen IP to filing fraudulent tax rebates to schemes for stealing money, Steve Zurier wrote. Once hackers hold an inventory of stolen data, they package up and sell personal information such as names, addresses, phone numbers, and email addresses. They usually sell this data in bulk to maximise their profits. The more recent the records, the more value they fetch on the black market, Zurier said.

The question of what our data is worth in the digital economy is especially resonant and relevant in light of the recent Facebook/Cambridge Analytica scandal. Not to mention a certain four-letter privacy regulation. In Medium, Rik Ferguson of Trend Micro wrote a thoughtful post that considers the value of our personal information in the online economy. Data, he wrote, “unlike oil … is not burned up when used, but can be sold and resold, mined and reused”.

There’s plenty to chew on for privacy and security professionals. Rik wrote: “Our data is cataloged and combined with the traces we leave behind in the physical world, correlated and mined to reach conclusions far beyond those we might perhaps be comfortable with publicising, and then sold as a commodity or a subscription-based service to any interested party. It is an industry based on our ignorance and our nonchalance.”

Securing all the things

ENISA has developed a free interactive tool based on its baseline security recommendations for the Internet of Things. This lets anyone working on IoT projects search and identify good practices. The tool is available to download here, and this page also includes a help guide. It’s based on the agency’s original study on IoT security which it published last year. The new tool is timely, as criminals have apparently begun exploiting IoT as another way to profit from cryptocurrency mining. Trend Micro researchers identified malware that hijacks the processing power of IoT devices and smartphones to mine for cryptocurrency. As Lesley Carhart of Dragos jokingly tweeted: “Your router and your IOT thermostat should really beep like your smoke detector when it’s missing a critical security patch.”

Prepare for a summer of SamSam?

Researchers are warning of criminals taking a new approach to ransomware infections. Sophos analysed the SamSam variant and found criminals carefully choose target organisations. They then launch thousands of copies of SamSam onto that organisation’s computers all at once. Once the infection has hit, the criminals offer victims a volume discount to clean all machines. This differs from the usual spam-like scattergun approach to ransomware of sending one malware copy to multiple possible targets. “The cybercriminals behind SamSam use vulnerabilities to gain access to the victims’ network or use brute-force tactics against the weak passwords of the Remote Desktop Protocol (RDP)”, the researchers wrote. Here’s ThreatPost’s writeup of the research. Sophos’ own blog describes the findings, and here’s a link to the technical paper.

Guidelines in the NIST

The US National Institute of Standards and Technology (NIST) has released version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity. This updates the original version 1.0 which proved popular on its release in February 2014. Version 1.1’s updated guidelines cover authentication and identity, cybersecurity risk self assessment, supply chain security management, and vulnerability disclosure. NIST programme manager Matt Barrett said the framework is flexible enough to meet an individual organisation’s business or mission needs. It applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things. Later this year, NIST will release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity. NIST’s press release is here and the framework is available free in PDF at this link.

Google beefs up Gmail security

Two-factor authentication got a shot in the arm after Google added this security feature for its Gmail app last month. Also called two-step verification, this sends a prompt to a user’s phone when they access their Gmail account on another computer. Naked Security said this is more secure than sending an SMS code to the phone, which can be vulnerable to fraud. It also pointed out that ease of use will encourage more people to use it, as takeup of 2FA to date has been low. Why does this matter? Here’s how many Gmail users there are in the world: 1.2 billion, to be exact. Google has more details on its blog. If you or your users still prefer passwords, here’s our advice from last year on how to choose better ones.


The post Security newsround: May 2018 appeared first on BH Consulting.

Data breach disclosure is still taking too long, report reveals as GDPR looms

The accepted wisdom in the field of cybersecurity is that things are getting worse, and that more businesses are losing control of more data than ever before.

What a bunch of pessimists we are… The truth, however, might be rather different.

Read more in my article on the Bitdefender Business Insights blog.