Daily Archives: May 11, 2018

Almost 9,000 letters from prisoners, addressed to recipients such as Temer and the STF, expose the horrors of incarceration

“We have a doctor in the unit, […] we get there with a problem in the heart, the head, the chest, or any other part of the body, and the only diagnosis he gives is ‘anxiety problem’, and he prescribes clonazepam, that is, sleeping medication,” reports a prisoner from Minas Gerais in a letter sent to the Supremo Tribunal Federal (Supreme Federal Court). The letter is one of 8,818 written over the course of 2016 and analyzed by the Cartas do Cárcere (Letters from Prison) project, which maps the demands and narratives of prisoners in Brazil.

“Generally, the analyses produced about the prison system are made by people who are outside the bars. With the letters written by the prisoners, we have the opportunity to understand the effects of this political decision to keep prison in the terms it has today, through those who live that reality,” explains Thula Pires, the project's coordinator. Cartas do Cárcere was commissioned by the Ouvidoria Nacional de Serviços Penais (National Ombudsman for Penal Services) and is carried out in partnership with the United Nations Development Programme (UNDP) and PUC-Rio.

All Brazilians may address any public institution, including those who are imprisoned; this is guaranteed by the right of petition in the Federal Constitution. The Lei de Execução Penal (Penal Execution Law) also provides that people deprived of liberty have guaranteed contact with the outside world.

However, those living in prison have difficulty sending such correspondence. One prisoner reports, in one of the letters to which The Intercept Brasil had access, that he went without breakfast for a week in order to obtain paper and a pen from another inmate. He traded food for the right to write.

“I write, on behalf of all the inmates serving sentences in the maximum-security penitentiary, to ask Your Excellency for help, or even rescue, because the situation here is critical.”

Of the country's more than 1,418 prison units, 610 had letters analyzed. There is also correspondence that is censored and receives an inspection stamp from the prison administration, which we were unable to read.

Of the nearly 9,000 letters that got past the filters, a large share demand rights such as access to legal assistance, health care, education and work. Another share asks for sentence remission and regime regression, legal rights that have been neglected in a country of pretrial detainees. Of the total, 48% of the letters are addressed to the Ombudsman, 28% to the STF and 11% to the Presidency of the Republic.

“These are not letters asking for forgiveness or claiming innocence. They are letters seeking to enforce the Penal Execution Law. If justice was applied to secure the conviction, let it be applied in all its dimensions. If the prisoner has the right to regime progression for the time served, he wants sentence remission,” says Thula.

The writings are rich and reveal, from inside the system, the situation of one of the largest prison complexes in the world. They report abuse of authority, physical and psychological violence, and lack of access to health care, education and medical assistance. In 8% of the letters there are references to illnesses developed in the prison unit. The most common are HIV, hepatitis C, tuberculosis and depression.

Over the next 40 days, the Cartas do Cárcere page will publish prisoners' letters. With this mapping, the Ombudsman will now seek to create strategies to raise public awareness and public policies that can confront the situation. The release of the material can be followed on the project's social media accounts. “We do not want to mediate these voices, because one of the ways we silence these people is by mediating,” says Thula Pires. They want to put the microphone (or the pen) in the hands of the convicted.

Read below, in full, one of these letters, sent to the then president of the Supremo Tribunal Federal, Ricardo Lewandowski. The transcription follows.

Most Excellent President of the Supremo Tribunal Federal, Mr. Ricardo Lewandowski,

I write, on behalf of all the inmates serving sentences in the maximum-security penitentiary of […], to ask Your Excellency for help, or even rescue, because the situation here is critical. I want to make clear to you that we are not asking for comforts or privileges; we are only asking for our rights. Rights that are guaranteed to us by law, but that in the 21st century are being usurped, because we are thrown in here like animals.

And when we demand our rights, what we hear from the administration is that our rights are only our duties. I believe you do not think that way, because once we have erred and are serving our sentence, it is not for anyone to judge us, for we have already been judged and convicted. And with that we lost only our right to come and go; our physical and moral integrity and our rights as human beings and citizens we did not lose.

I will describe some of our problems to you. The lack of respect for our families, medical negligence and failure to render aid, from which we had five deaths in the unit due to failure to render aid in 2015 alone. We have no dentists in the unit and no medication, so we suffer day and night with toothache. We have no psychologist or psychiatrist in the unit, so when an inmate shows some psychological problem, because of the unit's operations and the lack of these professionals, he ends up committing suicide. Not to mention the physical and verbal assaults.

The food is precarious. It has happened, and keeps happening, that we find stones and pieces of iron in the food. And when we go to complain, what we hear is this: if you want it, that's what there is.

We live in unsuitable conditions, as we have no windows in the cell, that is, no opening at the back for the air to circulate. And here in the north the heat is supernatural. We have no drinking water, because the water supplied to us is pure limestone. This has been causing various kidney and stomach problems among us. If you ask the health department to analyze the water, you can be sure it will come out unfit for consumption. And if you measure the temperature of the cells, you can be sure it will be above normal. And besides that there is the excess of execution being committed in this district, as we have several inmates entitled to the semi-open regime who remain in the closed one.

Another problem is the RDD, which is for inmates under security measures, but there are several who arrive by transfer and, instead of spending 15 days in observation, are spending 30, 60, 90 and even 120 days without being under any security measure. Another problem is the abuses concerning serious disciplinary offenses, which are applied to us without our knowledge, because here they do not let us take part in the disciplinary council to try to explain ourselves. When we find out, only the punishment and the offense arrive. How can we be condemned without even taking part in the judgment?

Another problem: we have a doctor in the unit who comes in the morning, sees five prisoners and leaves, because he also works at […]. But the care he offers is like this: we get there with a problem in the heart, the head, the chest, or any part of the body, and the only diagnosis he gives is anxiety problem, prescribes clonazepam, that is, sleeping medication, and leaves. If the Health Department does an analysis in the unit, it will find that the capacity is for 332 prisoners, but more than 80% end up taking it, because otherwise they go mad, since many here are already losing even the will to live. Because, owing to the distance and their financial situation, they have already been abandoned by their wives and families, because the neglect is very great, and compared with other units we have both in the state and in the country, with almost ten times as many prisoners as here, it should not be this way. And another thing: here one is designated to stay for one year and then return closer to one's family, so that we can be closer to our children and have the support of our families. But that does not happen either, as there are prisoners here for more than 4 years.

I know you are well versed in the law, but I will cite the rights the law grants us.

Law 7210/84 guarantees us, and it is the full responsibility of the prison system to provide:

Family proximity – none

Dentist – none

Doctor – none

Psychologist – none

Psychiatrist – none

Social worker

Being called by name

Our physical and moral integrity – precarious

Adequate food – terrible quality

ETC

Sometimes, Your Excellency, so as not to end up drinking our own urine and eating our own feces and taking our own lives, several riots happen, with tragic results. But that is not because we are monsters; it happens out of desperation and neglect toward the inmates.

I will make a crude comparison, just so you understand:

Take a dog that was mistreated and put in a cage. Treat it with respect and dignity, and you can be sure it will become a docile animal, ready to live anywhere.

But if you throw it in the cage and only mistreat and humiliate it, you can be sure it will come out 10 times worse than it went in.

In other words, that is exactly what is happening to us here in the […] penitentiary. That is why we come to ask for your help, as we have already notified the execution court, the Public Prosecutor's Office, the Internal Affairs office, the Secretariat and the Ombudsman, but received no attention.

Nothing more for now, thank you very much.

I also ask you to look into the situation of article [number not identifiable], since the law is made to benefit the defendant. But this [number not identifiable] only does harm. And nobody leaves prison anymore; we are even deprived of appealing our sentences, because when it comes back, it is unified under [number not identifiable] and everything starts again.

P.S.: I ask for attention to health care, as it is really precarious.

Given all this, I ask you, if possible, to request that the competent bodies come to the unit and hear all this in person and see with their own eyes the facts described.

The post "Almost 9,000 letters from prisoners, addressed to recipients such as Temer and the STF, expose the horrors of incarceration" appeared first on The Intercept.

CVE-2018-11004 (sdcms)

An issue was discovered in SDcms v1.5. Cross-site request forgery (CSRF) vulnerability in /WWW//app/admin/controller/admincontroller.php allows remote attackers to add administrator accounts via m=admin&c=admin&a=add.

CVE-2018-11003 (yxcms)

An issue was discovered in YXcms 1.4.7. Cross-site request forgery (CSRF) vulnerability in protected/apps/admin/controller/adminController.php allows remote attackers to delete administrator accounts via index.php?r=admin/admin/admindel.
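Both CVE-2018-11004 (SDcms) and CVE-2018-11003 (YXcms) describe the same defect: an administrative state-changing request (add or delete an administrator) is accepted on the strength of the victim's session cookie alone, so a page on another origin can trigger it. The standard fix is a per-session anti-forgery token that the browser cannot obtain cross-origin. The block below is an added example, not code from SDcms or YXcms: it issues an HMAC-bound, expiring token and shows a hypothetical `handle_admin_add` handler that refuses the request unless the token validates for the caller's session. The session identifiers and secret are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed server-side secret so the example runs stand-alone; a real
# deployment loads this from configuration and never hardcodes it.
SERVER_SECRET = os.urandom(32)


def make_csrf_token(session_id, secret=SERVER_SECRET, ttl=3600, now=None):
    """Issue a token bound to the caller's session, valid for `ttl` seconds.

    Layout: "<expiry>:<nonce>:<hmac-sha256(session_id:expiry:nonce)>".
    Binding the MAC to the session id means a token stolen from one user's
    page (or minted in an attacker's own session) is useless for another.
    """
    now = int(time.time()) if now is None else int(now)
    expiry = now + ttl
    nonce = secrets.token_hex(8)
    msg = f"{session_id}:{expiry}:{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{expiry}:{nonce}:{mac}"


def verify_csrf_token(token, session_id, secret=SERVER_SECRET, now=None):
    """True only if the token is well-formed, unexpired and MACs for this session."""
    now = int(time.time()) if now is None else int(now)
    try:
        expiry_s, nonce, mac = token.split(":")
        expiry = int(expiry_s)
    except (ValueError, AttributeError):
        return False
    if expiry < now:
        return False
    msg = f"{session_id}:{expiry}:{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(mac, expected)


def handle_admin_add(form, session_id):
    """Hypothetical handler for an 'add administrator' POST.

    `form` is the parsed request body; `session_id` comes from the
    authenticated session cookie. Returns (status, message).
    """
    if not verify_csrf_token(form.get("csrf_token", ""), session_id):
        return (403, "CSRF token missing or invalid")
    return (200, f"administrator {form['username']!r} created")


if __name__ == "__main__":
    tok = make_csrf_token("sess-A")
    print(handle_admin_add({"username": "ops"}, "sess-A"))                      # 403
    print(handle_admin_add({"username": "ops", "csrf_token": tok}, "sess-A"))   # 200
    print(handle_admin_add({"username": "ops", "csrf_token": tok}, "sess-B"))   # 403
```

The token is rendered into the legitimate admin form and echoed back in the POST body; because it never travels in a cookie, a cross-site page cannot read or forge it. A `SameSite` attribute on the session cookie is a complementary, not a replacement, control.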

CVE-2018-10996

The weblogin_log function in /htdocs/cgibin on D-Link DIR-629-B1 devices allows attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a session.cgi?ACTION=logout request involving a long REMOTE_ADDR environment variable.

NBlog May 12 – plummeting toward the deadline


With less than a fortnight now remaining, are you all set for the GDPR deadline with everything on your privacy projects either completed or well in hand?

If not, now is your last chance to refocus on priorities and squeeze the last ounce of effort from all involved.

The usual approach for many managers and team leaders facing just such a situation is to crack the whip. Maybe you have already done that. Maybe you are being thrashed, and feel obliged to do the same.

Hey, listen. Stop a moment and think. That's not the only way.

Assuming things have been run reasonably effectively to this point, everyone is well aware of the impending deadline. The increasing tension will be plain to all. People will have been slaving away, playing their part and (in most cases) doing their level best to hit the goal ... so piling on the pressure now may be counterproductive. When people are close to their breaking points, there's a chance they'll snap rather than bend, especially if they've learnt that bending gets them nothing but sore backs and yet more grief. The team and team leader need to trust each other, and that's achieved by experience, not by demand.

What else would help move things along in the right direction? There are almost always other options, other avenues to try besides whip-cracking. Has it occurred to you to ask the team? Seriously, find out what their main pain points are, and do something positive about them, now, before it's too late.

A significant part of management's role is to facilitate things, enabling the workers to work and give of their best. This includes reducing or removing barriers, tackling issues and, well, teamworking. OK so the deadline is fixed. What about everything else? Look harder for slack in the system, opportunities to cut corners safely and sprint for the finish. Ask for creative suggestions and explore the options as a team. It's not just about 'sharing the solution': given some slack, people will often surprise us with novel responses.

By the way, once the line is crossed and the crowd cheers, what's in store for your little athletes? Maybe not a medal, but will there be anything at all to thank them for their supreme efforts and celebrate a job well done?

Aside from you, who is most anxious right now? Who has the biggest stake in the success (or failure!) of this effort? What are their main concerns? And can you persuade them to help out, if only to turn up at or before the medal ceremony in order to congratulate the team on a job well done?

Thinking still further forward, what does the current situation teach us? Deadlines are a fact of life, hence we have plenty of chances to try different approaches and learn what works best. Aside from that, right now a substantial number of organizations and teams around the globe are plummeting towards May 25th. What can we learn from others' experiences?

Speaking personally, I'll certainly be reading all I can about how organizations, teams and individuals have faced up to the GDPR challenge, both out of my general interest in management and perhaps to pick up new motivational techniques worth including in my toolbox or, for that matter, the ones to avoid like the plague. 

This motivational stuff is highly relevant to making security awareness and training more or less effective - obvious, if you think about it, which hopefully now you are.

New Facebook-Spread Malware mines for cryptocurrency and steals social media credentials




A new malware campaign discovered on social media, spreading via Facebook, is stealing users' social media credentials and downloading cryptomining code onto victims' systems.

The malware, known as Nigelthorn, was discovered by Radware researchers only in May but has been active since March 2018, and it has already infected more than 100,000 users globally.

The campaign targets social media sites generally, but its main victims are Facebook users. The malware abuses a legitimate Google Chrome extension called "Nigelify" to bypass Google's validation checks.


According to the researchers, "the malware redirects victims to a fake YouTube page and asks the user to install a Chrome extension to play the video. Once the user clicks on “Add Extension,” the malicious extension is installed, and the machine is now part of the botnet."


“This is done to trick users and retrieve access to their Facebook account. Over 75 percent of the infections cover the Philippines, Venezuela, and Ecuador. The remaining 25 percent are distributed over 97 other countries,” said researchers.

A Google spokesperson told Threatpost that "we removed the malicious extensions from Chrome Web Store and the browsers of the small percentage of affected users within hours of being alerted."

CVE-2018-10992 (lilypond)

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523.
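The root cause named in CVE-2018-10992 is the choice of the Guile `system` procedure (one command string, re-split by a shell) over `system*` (an argv vector, one argument per element): with the string form, a URL supplied by a remote document can contribute extra words, and a word starting with `-` is parsed by the launched browser as an option. The Python block below is an added illustration, not LilyPond's code: it contrasts the two invocation styles and adds the validation step that the advisory says was missing. The browser name and URLs are constructed placeholders, and `open_url` is a hypothetical launcher that the tests never execute.

```python
import shlex
import subprocess
from urllib.parse import urlsplit


class UnsafeArgumentError(ValueError):
    pass


def shell_style_argv(browser, url):
    """The flawed pattern, for comparison only: the command is built as one
    string and handed to a shell, which re-splits it into words. A URL
    containing whitespace therefore becomes several arguments."""
    return shlex.split(f"{browser} {url}")


def validate_url(url):
    """Accept only absolute http(s) URLs with a host.

    Anything that could be read as an option (leading '-') or that is not a
    URL at all is rejected before it reaches the child process.
    """
    if not isinstance(url, str) or url.startswith("-"):
        raise UnsafeArgumentError(f"refusing option-like argument: {url!r}")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise UnsafeArgumentError(f"not an absolute http(s) URL: {url!r}")
    return url


def browser_argv(browser, url):
    """argv-style invocation (the system*-style pattern): the URL is exactly
    one element of the vector, however many spaces it contains, so it can
    never be split into additional words or options by a shell."""
    return [browser, validate_url(url)]


def open_url(browser, url):
    """Hypothetical launcher: runs the argv directly, with no shell."""
    return subprocess.run(browser_argv(browser, url), check=False).returncode


if __name__ == "__main__":
    odd = "http://example.test/doc?q=a b"
    print(shell_style_argv("browser", odd))   # three words: the URL was split
    print(browser_argv("browser", odd))       # two elements: URL kept whole
    try:
        browser_argv("browser", "--example-option=x")
    except UnsafeArgumentError as e:
        print("rejected:", e)
```

The validation is belt and braces: with the argv form alone, an option-like string is still delivered as a single argument, so checking that the value is a real URL is what closes the hole the advisory describes.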

Mothers separated from their children for reporting the children's abusers want an end to the law that punished them

On the lawn of the National Congress, a gigantic heart marked the passage of 23 mothers through Brasília. They came from various parts of Brazil last Thursday to deliver copies of their court cases to the CPI dos Maus Tratos Infantis (Parliamentary Inquiry Committee on Child Mistreatment). All were separated from their own children after reporting, in court, suspicions of physical or sexual abuse of the children, committed, in most cases, by ex-husbands. In the rulings, they lost custody of the children, who ended up precisely with the men they had accused of being the abusers.

“You can show my face, my name. Write it. I haven't seen my son in two years, what could get worse? I've already lost my job, my house is going to auction, my son lives with the abuser,” says Marta, showing some of the evidence she included in the case file in which she reported her ex-husband, to whom she was married for almost ten years and who is the father of her youngest son. They are audio recordings of a child's voice speaking openly about sexual games the father played with the son, and a child's drawings showing, with disconcerting clarity, an adult male erection.

Marta reported her ex-husband on suspicion of “sexual games and play.” To her astonishment, the situation was reversed in the proceedings: she was the one accused of abusing her son in order to incriminate the father. “I was not interviewed by the psychologist who issued the report attesting to my supposed ‘psychopathy’,” she says.

Luísa had a forensic report confirming bodily injury to her two children used against her. She reported her ex-husband but ended up charged under the Lei da Alienação Parental (Parental Alienation Law). The legislation, passed without the involvement of the Conselho Federal de Psicologia (Federal Psychology Council), seeks to ensure the child's right to contact with both parents. The problem is that, in cases of suspected abuse that do not result in a criminal conviction, the law prevails, and may even separate the child from the person who reported the abuse.

For a year and four months, she has only been able to see the children under supervision. “The court officer even called the judge, saying he could not carry out the search-and-seizure warrant because the children were panicking. Even so, my children were taken,” she says. They meet weekly at the Supervised Visitation Center of the São Paulo Court of Justice. According to what she told me, the signs of the father's violence against the children continue. “My children don't tell me anything; they're afraid. But they've already arrived with bruises, a broken tooth. When I asked about the black eye, he said he was reading the Bible and the book fell on his face.”

An affectionate, well-preserved relationship with the father can also be taken as a sign that the suspicion of abuse was fabricated by the mother to hinder contact, depending on the expert's perception. That was the case in Luana's proceedings; she was separated from her son after reporting suspected sexual abuse of the boy, then 3 years old. “I'm lucky. I'll spend Mother's Day with my son, even under watch,” she says. She is entitled to spend the weekend with her son, with chaperones designated by the father, but cannot take part in his school life and other routine activities. The costs of the case, she says, already exceed 200,000.

Luana showed me a photocopy of the child's school diary. The mother's name is crossed out and replaced by that of another relative. “For the courts, it's acceptable for my name to be crossed out of my son's diary. Apparently, ‘parental alienation’ applies only to women,” she says.

Supporters of the Parental Alienation Law deny any gender bias in the legislation, but admit the law can be misused. For the president of the Instituto Brasileiro de Direito da Família, Rodrigo da Cunha, “the main effect of the law is pedagogical, inhibiting acts of parental alienation.” In practice, the situation forces women to coexist in silent harmony with abusers, under penalty of being separated from their children.

The mothers dispute Cunha, recalling that the bill's justification contained only material produced and distributed by associations of separated fathers, ignoring all the existing scientific literature on the subject in Brazil. “Parental alienation syndrome,” the psychiatric disorder described by the American expert Richard Gardner and on which the law is based, is not even a diagnosis accepted by the World Health Organization or by the main bodies in the fields of health, psychiatry or psychology.

After leaving the Congress lawn that Thursday, the mothers took part in a closed hearing of the CPI dos Maus Tratos Infantis, chaired by Senator Magno Malta of the Partido da República, who promises to introduce a bill to amend or repeal the Parental Alienation Law. After delivering the case files to the committee, they made the rounds of the Ministry of Human Rights and the Superior Tribunal de Justiça denouncing the law's text. “We've already lost our children, but we won't give up on them. Our only hope is to change the law,” says Luana.

The mothers' names have been changed to protect their identities and those of the children, and to preserve the accused's right to a full defense.

The post "Mothers separated from their children for reporting the children's abusers want an end to the law that punished them" appeared first on The Intercept.

CVE-2018-5304 (r420_rfid_reader_firmware)

An issue was discovered on the Impinj Speedway Connect R420 RFID Reader before 2.2.2. The affected web interface is vulnerable to ClickJacking or UI Redressing: it is possible to access the web application in an iframe, and clicking on the iframe will redirect to a third-party application or perform other malicious actions.

CVE-2018-10832 (modbuspal)

ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based, which are vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal, will return the contents of any local files to a remote attacker.

CVE-2018-6617

Easy Hosting Control Panel (EHCP) v0.37.12.b, when using a local MySQL server, allows attackers to change passwords of arbitrary database users by leveraging failure to ask for the current password.

CVE-2018-5303

An issue was discovered on the Impinj Speedway Connect R420 RFID Reader before 2.2.2. The license key parameter of the web application is vulnerable to Cross Site Scripting; this vulnerability allows an attacker to send malicious code to another user.

CVE-2018-1257 (openshift, spring_framework)

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.

CVE-2018-1261 (spring_integration_zip)

Spring-integration-zip versions prior to 1.0.1 exposes an arbitrary file write vulnerability, which can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.
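The defect in CVE-2018-1261 is that an entry name taken from the archive is joined to the extraction directory without checking where the joined path actually resolves, so a name built from `..` components lands outside the target folder. The Python block below is an added example, not spring-integration-zip's code: it validates every entry name before writing anything (so a hostile entry late in the archive cannot leave a half-extracted tree behind), resolves the joined path and requires it to remain inside the destination, and exercises the check with two constructed in-memory archives, one benign and one carrying a traversal entry.

```python
import io
import os
import tempfile
import zipfile


class UnsafeArchiveError(ValueError):
    pass


def is_within(base, target):
    """True if `target` resolves to a location inside `base`, with '..'
    components and symlinks resolved on both sides."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def check_entries(zf, dest):
    """Reject absolute names, backslash separators and any entry whose
    joined path escapes `dest`. Runs before a single byte is written."""
    for info in zf.infolist():
        name = info.filename
        if not name or os.path.isabs(name) or "\\" in name:
            raise UnsafeArchiveError(f"absolute or non-portable entry name: {name!r}")
        if not is_within(dest, os.path.join(dest, name)):
            raise UnsafeArchiveError(f"entry {name!r} escapes {dest!r}")


def safe_extract(archive_bytes, dest):
    """Extract a zip held in memory into `dest`; returns the entry names written."""
    extracted = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        check_entries(zf, dest)
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted


def build_archive(entries):
    """Constructed in-memory zip from a {name: bytes} mapping (test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Returns (benign entries extracted, hostile verdict, whether a file leaked)."""
    benign = build_archive({"config/app.properties": b"mode=safe\n", "README": b"ok\n"})
    # The traversal entry would land one level above the extraction directory.
    hostile = build_archive({"README": b"ok\n", "../escaped.txt": b"must never be written\n"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.mkdir(dest)
        benign_result = sorted(safe_extract(benign, dest))
        try:
            safe_extract(hostile, dest)
            hostile_result = "extracted"
        except UnsafeArchiveError:
            hostile_result = "rejected"
        leaked = os.path.exists(os.path.join(tmp, "escaped.txt"))
    return benign_result, hostile_result, leaked


if __name__ == "__main__":
    print(demo())   # (['README', 'config/app.properties'], 'rejected', False)
```

The same `is_within` check applies to the other formats the advisory lists (tar, cpio, 7z and so on); only the reader differs. Comparing resolved paths rather than string prefixes matters because `dest + "2"` starts with `dest` but is not inside it.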

CVE-2018-1259 (spring_data_commons, spring_data_rest, xmlbeam)

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
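CVE-2018-10832 (ModbusPal's .xmpp/.xmpa project files) and CVE-2018-1259 (Spring Data Commons binding request payloads through XMLBeam) share one root cause: the XML parser is allowed to expand external entity references, so a document supplied by the attacker can pull a local file's contents into the parsed result. The defensive pattern is to refuse the DTD machinery outright for documents that never legitimately need it. The block below is an added example, not code from ModbusPal, Spring or XMLBeam: it drives Python's expat parser with handlers that abort on any DOCTYPE, entity declaration or external reference, and exercises the loader with a constructed, simplified stand-in for a project file (the element names are invented, not ModbusPal's real schema).

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    pass


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source, refusing DOCTYPE/DTD, entity
    declarations and external entity references before any is resolved.

    Returns [(element_name, attributes)] in document order. Raising inside
    a handler aborts the parse; expat re-raises the exception from Parse().
    """
    parser = expat.ParserCreate()
    elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE", before any internal subset is read.
        raise UnsafeXmlError(f"DOCTYPE {name!r} not allowed (system id {sysid!r})")

    def on_entity_decl(name, *rest):
        raise UnsafeXmlError(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity reference to {sysid!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: elements.append((name, dict(attrs)))

    if isinstance(data, str):
        data = data.encode("utf-8")
    parser.Parse(data, True)
    return elements


# Constructed sample documents (simplified stand-ins, not the real file format).
SAFE_PROJECT = b"""<?xml version="1.0"?>
<project>
  <slave id="1" name="pump-1"/>
</project>"""

HOSTILE_PROJECT = b"""<?xml version="1.0"?>
<!DOCTYPE project [
  <!ENTITY leak SYSTEM "file:///path/to/local/file">
]>
<project>
  <slave id="1" name="&leak;"/>
</project>"""


def load_project(data):
    """Wrapper an application would call when opening or importing a file."""
    try:
        return ("ok", parse_untrusted_xml(data))
    except UnsafeXmlError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(load_project(SAFE_PROJECT))
    print(load_project(HOSTILE_PROJECT))
```

Rejecting at the DOCTYPE is the same approach libraries such as defusedxml take; it also stops entity-expansion denial of service, which disabling external resolution alone would not.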

CVE-2018-1260 (spring_security_oauth)

Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.

CVE-2018-1278 (pivotal_application_service)

Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org.

CVE-2018-1280

Pivotal Greenplum Command Center versions 2.x prior to 2.5.1 contains a blind SQL injection vulnerability. An unauthenticated user can perform a SQL injection in the command center which results in disclosure of database contents.

CVE-2018-1258

Spring Security in combination with Spring Framework versions prior to 5.0.6 contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

Syn/Ack Unique Proactive Protection Technique

McAfee’s Advanced Threat Research team has performed analysis on samples of Syn/Ack ransomware implementing Process Doppelgänging.  For those who are concerned about the potential impact of this ransomware but are currently unable to implement McAfee product protections, we have found a simple but interesting alternative method.  Prior to encryption and ransom, the malware first checks if one of several hardcoded keyboards or languages is installed on the target machine.  If found, the malicious code will terminate, effectively resulting in an extremely simple “patch” of sorts. We have tested the following steps to be effective on several versions of Windows 7 and theoretically on Windows 10 – preventing the malware from encryption and ransom.  These steps can be taken proactively.  Due to limited scope of testing at this time, this technique may not work on all systems, release versions, and configurations.

Windows 7 – Adding Keyboard Layout:

Control Panel > Clock, Language, and Region > Region and Language > Keyboards and Languages

Click the “Change Keyboards” tab

In the Installed Services section click “add”

Select Keyboard – For example: Russian (Russia) > Keyboard > Russian

Click “Ok”

Click “Apply”

Click “Ok”

Here is the list of keyboard layouts you can add – any will suffice:

  • Armenian
  • Azeri (Cyrillic, Azerbaijan)
  • Belarusian
  • Georgian
  • Kazakh
  • Ukrainian
  • Uzbek (Cyrillic, Uzbekistan)
  • Uzbek (Latin, Uzbekistan)
  • Russian
  • Tajik

Windows 10 – Adding Language Support:

Control Panel > Language > Add a language

  • Armenian
  • Azeri (Cyrillic, Azerbaijan)
  • Belarusian
  • Georgian
  • Kazakh
  • Ukrainian
  • Uzbek (Cyrillic, Uzbekistan)
  • Uzbek (Latin, Uzbekistan)
  • Russian
  • Tajik

That’s all it takes!  Please note – this should not be considered a fully effective or long-term strategy.  It is highly likely the malware will change based on this finding; thus, we recommend the McAfee product protections referenced above for best effect.
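Once the layout has been added by the steps above, an administrator will want to confirm the change took, ideally across many machines rather than by opening Control Panel on each. The Python script below is an added example, not McAfee's tooling: on Windows it reads the current user's preloaded keyboard layouts from `HKCU\Keyboard Layout\Preload` and reports whether any of the ten listed layouts is present. The mapping from layout to Windows language identifier (the low 16 bits of a keyboard layout ID) is assumed from the standard LCID table, and reading `Preload` is an assumption about where the setting is recorded; the post does not say which API the malware itself queries, so treat a "PRESENT" result as confirmation of the configuration step, not as a guarantee. The parsing and matching are pure functions, so they can be tested off Windows with constructed values.

```python
import sys

# Windows language identifiers for the layouts listed in the post
# (assumed from the standard LCID table; a KLID's low 16 bits carry this id).
LISTED_LANGUAGE_IDS = {
    0x042B: "Armenian",
    0x082C: "Azeri (Cyrillic, Azerbaijan)",
    0x0423: "Belarusian",
    0x0437: "Georgian",
    0x043F: "Kazakh",
    0x0422: "Ukrainian",
    0x0843: "Uzbek (Cyrillic, Uzbekistan)",
    0x0443: "Uzbek (Latin, Uzbekistan)",
    0x0419: "Russian",
    0x0428: "Tajik",
}

HEX_DIGITS = set("0123456789abcdefABCDEF")


def language_id(klid):
    """A keyboard layout ID is 8 hex digits; the low 4 identify the language,
    even for substitute layouts written as e.g. 'd0010419'."""
    klid = str(klid).strip()
    if len(klid) != 8 or any(c not in HEX_DIGITS for c in klid):
        raise ValueError(f"not a keyboard layout id: {klid!r}")
    return int(klid[-4:], 16)


def matching_layouts(klids):
    """Names of listed layouts found among the given KLIDs, in order, no repeats."""
    found = []
    for klid in klids:
        try:
            lang = language_id(klid)
        except ValueError:
            continue  # ignore malformed registry data rather than fail the check
        name = LISTED_LANGUAGE_IDS.get(lang)
        if name and name not in found:
            found.append(name)
    return found


def read_preload_klids():
    """Windows only: values '1', '2', ... under HKCU\\Keyboard Layout\\Preload
    hold the current user's preloaded layout IDs (assumed location)."""
    import winreg  # only importable on Windows
    klids = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Keyboard Layout\Preload") as key:
        index = 0
        while True:
            try:
                _name, value, _type = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            klids.append(str(value))
            index += 1
    return klids


def assessment(klids):
    """One-line verdict suitable for fleet-wide collection."""
    hits = matching_layouts(klids)
    if hits:
        return "PRESENT: " + ", ".join(hits)
    return "ABSENT: none of the listed layouts is preloaded for this user"


if __name__ == "__main__":
    if sys.platform == "win32":
        print(assessment(read_preload_klids()))
    else:
        # Constructed sample off Windows: US English plus a substitute Russian layout.
        print(assessment(["00000409", "d0010419"]))   # PRESENT: Russian
```

Because `Preload` is per user, run the check in the context of every account that logs on to the machine, and re-run it after the next feature update, when layout lists are sometimes rewritten.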

The post Syn/Ack Unique Proactive Protection Technique appeared first on McAfee Blogs.

Threat Roundup for May 04 – 11



Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 4 and May 11. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

  • Win.Dropper.Zbot-6533101-0
    Dropper
    Zeus (AKA Zbot) is a trojan horse malware package used to carry out many malicious and criminal tasks. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
  • Win.Dropper.Khalesi-6535750-0
    Dropper
    A Trojan is a program that gains privileged access to the operating system while appearing to perform a desirable function, but instead drops a malicious payload, often a backdoor allowing unauthorized access to the system. Trojans may steal information or infect the host systems. They are commonly distributed via spam, drive-by downloads or embedded into games or internet-driven applications.
  • Win.Dropper.Gandcrab-6530134-0
    Dropper
    Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB" or ".CRAB". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.

Threats

Win.Dropper.Zbot-6533101-0

Indicators of Compromise

Registry Keys
Mutexes
IP Addresses
  • 185[.]24[.]234[.]54
Domain Names
  • N/A
Files and or directories created
  • %LocalAppData%\Temp\tmp60e9fbcd.bat
  • %AppData%\Neku
  • %AppData%\Neku\amto.exe
  • %AppData%\Leolo
  • %AppData%\Leolo\peogh.vus
File Hashes

Coverage

Screenshots of Detection: AMP and ThreatGrid (screenshots not reproduced here)

Win.Dropper.Khalesi-6535750-0

Indicators of Compromise

Registry Keys
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Mutexes
  • N/A
IP Addresses
  • 204[.]11[.]56[.]48
  • 74[.]220[.]215[.]63
  • 184[.]168[.]221[.]42
  • 198[.]54[.]117[.]217
  • 187[.]84[.]225[.]36
Domain Names
  • www[.]backpackerdesi[.]info
  • backpackerdesi[.]info
  • www[.]lovelouevents[.]com
  • parkingpage[.]namecheap[.]com
  • www[.]riopumpen[.]com
  • riopumpen[.]com
  • www[.]shungavietnam[.]com
  • lovelouevents[.]com
  • www[.]tourniquetleash[.]com
Files and or directories created
  • %LocalAppData%\Temp\~DF84B5AD10771E60C5.TMP
File Hashes

Coverage

Screenshots of Detection: AMP and ThreatGrid (screenshots not reproduced here)

Win.Dropper.Gandcrab-6530134-0

Indicators of Compromise

Registry Keys
Mutexes
  • \BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=359814f23c28b0e4
IP Addresses
  • 66[.]171[.]248[.]178
Domain Names
  • zonealarm[.]bit
  • ns2[.]corp-servers[.]ru
  • 1[.]0[.]168[.]192[.]in-addr[.]arpa
  • ipv4bot[.]whatismyipaddress[.]com
  • ns1[.]corp-servers[.]ru
  • ransomware[.]bit
Files and or directories created
  • %LocalAppData%\CrashDumps
  • %AppData%\Microsoft\jczhdq.exe
  • %LocalAppData%\CrashDumps\82128b025ada18df07ae8ea6b24f3cb3a22ff91d8795a697cf03ca28f0601eb3.exe.2772.dmp
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\7TZAD419.htm
  • %LocalAppData%\Microsoft\Windows\WER\ReportQueue\AppCrash_82128b025ada18df_4525121b7779449a024bea365e36f36721b3e46_9a496044\Report.wer
  • %LocalAppData%\Microsoft\Windows\WER\ReportQueue\AppCrash_82128b025ada18df_4525121b7779449a024bea365e36f36721b3e46_9a496044
  • %WinDir%\SysWOW64\rsaenh.dll
File Hashes

Coverage

Screenshots of Detection: AMP and ThreatGrid (screenshots not reproduced here)


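A small hunt over the indicators listed above, as an added example that is not part of the Talos roundup: it refangs the `[.]` notation Talos uses, matches a subset of the domains and addresses (the reverse-lookup, name-server and parking-page entries are left out) against constructed DNS/proxy log lines, and tests for the dropped file paths under the current user's profile. The log lines are constructed for the demonstration; only the indicators themselves come from the roundup.

```powershell
# Added example (not from the Talos roundup). Indicators below are copied from the
# three IoC sets above; the sample log lines are constructed for this demo.
$DefangedDomains = @(
    'www[.]backpackerdesi[.]info', 'backpackerdesi[.]info', 'www[.]lovelouevents[.]com',
    'www[.]riopumpen[.]com', 'riopumpen[.]com', 'www[.]shungavietnam[.]com',
    'lovelouevents[.]com', 'www[.]tourniquetleash[.]com',
    'zonealarm[.]bit', 'ransomware[.]bit', 'ipv4bot[.]whatismyipaddress[.]com'
)
$DefangedIPs = @('185[.]24[.]234[.]54', '204[.]11[.]56[.]48', '66[.]171[.]248[.]178')
$DroppedFiles = @(
    '%LocalAppData%\Temp\tmp60e9fbcd.bat', '%AppData%\Neku\amto.exe',
    '%AppData%\Leolo\peogh.vus', '%AppData%\Microsoft\jczhdq.exe',
    '%LocalAppData%\Temp\~DF84B5AD10771E60C5.TMP'
)

function ConvertFrom-Defanged {
    # Turn "example[.]com" back into "example.com" so it can be compared with live data.
    param([Parameter(Mandatory)][string]$Indicator)
    return $Indicator -replace '\[\.\]', '.'
}

function Find-NetworkIocHits {
    # Scan text log lines (DNS/proxy/firewall) for whole-token matches of the refanged
    # hosts and addresses. The look-around guards stop "notriopumpen.com" from matching.
    param([string[]]$LogLines)
    $refanged = $DefangedDomains + $DefangedIPs | ForEach-Object { ConvertFrom-Defanged $_ }
    $alternation = ($refanged | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = '(?<![\w.-])(' + $alternation + ')(?![\w.-])'
    foreach ($line in $LogLines) {
        $m = [regex]::Match($line, $pattern, 'IgnoreCase')
        if ($m.Success) { [pscustomobject]@{ Indicator = $m.Value; Line = $line } }
    }
}

function Find-DroppedFileHits {
    # Expand the %Var% placeholders for the current user and report files that exist.
    foreach ($p in $DroppedFiles) {
        $full = [Environment]::ExpandEnvironmentVariables($p)
        if (Test-Path -LiteralPath $full) { [pscustomobject]@{ Indicator = $p; Path = $full } }
    }
}

# Constructed sample: one clean query, one Khalesi domain, one Zbot address, one near-miss.
$sampleLog = @(
    '2018-05-10T10:01:02Z client=10.0.0.5 query=www.microsoft.com type=A',
    '2018-05-10T10:01:09Z client=10.0.0.5 query=www.riopumpen.com type=A',
    '2018-05-10T10:02:11Z client=10.0.0.7 connect=185.24.234.54:80',
    '2018-05-10T10:03:40Z client=10.0.0.9 query=notriopumpen.com type=A'
)
Find-NetworkIocHits -LogLines $sampleLog | Format-Table -AutoSize   # two hits expected
Find-DroppedFileHits | Format-Table -AutoSize
```

Feed real DNS or proxy exports into Find-NetworkIocHits with Get-Content, and run Find-DroppedFileHits in each user context, since the %AppData% paths are per-profile.
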
U.S. Moves Forward With Multibillion-Dollar “Smart Bomb” Sale to Saudi Arabia and UAE Despite Civilian Deaths in Yemen

Last month, warplanes belonging to the Saudi-led coalition fighting in Yemen repeatedly bombed a wedding party in the northern part of the country, killing more than 20 people, including the bride, and injuring dozens of others. In the days that followed, local media published a photograph of a bomb fragment with a serial number tying it to the U.S.-based weapons manufacturer Raytheon.

Now the State Department is taking preliminary steps toward a massive, multibillion-dollar sale of similar weapons to Saudi Arabia and the United Arab Emirates, three congressional aides, a State Department official, and two other people familiar with the sales told The Intercept.

The State Department has yet to announce the exact details and dollar value of the package, but it is said to include tens of thousands of precision-guided munitions from Raytheon, the same company that was involved in producing the weapons used in last month’s strike.

Reuters reported in November that Saudi Arabia had agreed to buy $7 billion in precision-guided weapons from U.S.-based companies Raytheon and Boeing. Raytheon was “courting lawmakers and the State Department to allow it to sell 60,000 precision-guided munitions to both Saudi Arabia and the United Arab Emirates,” according to the New York Times.

The State Department has briefed staff on the House and Senate Foreign Relations committees about the sale, but has yet to release details of the package to members of the committees, according to three aides who were not authorized to speak on the record. Once the chair and ranking member of the committees give the nod, the State Department can formally notify Congress about the sale, which could happen as early as next week.

Under the Arms Export Control Act, the State Department reviews potential arms sales to make sure they align with U.S. foreign policy goals and decides whether to issue export licenses. It then notifies Congress about sufficiently large sales, giving Congress a 30-day window to review and potentially block them.

The sale in question is a direct commercial transaction between Raytheon and the Gulf countries, which does not require the government to publicly announce the sale at the time of congressional notification. That means it will be up to senators to decide how many of the details to make public.

The sale is likely to face stiff opposition in the Senate, where members have grown increasingly frustrated with the U.S. role in the devastating conflict in Yemen. Last June, the Senate almost rejected a similar sale of precision-guided weapons, but ultimately approved it by a narrow margin.

A State Department spokesperson and a Raytheon spokesperson did not respond to requests for comment.

Since March 2015, Saudi Arabia and the UAE have led a military intervention in Yemen aimed at restoring the former Saudi-backed president, Abdu Rabbu Mansour Hadi. Hadi was deposed after an Iran-linked rebel group commonly known as the Houthis overran the capital in 2014.

Rights groups have documented violations by all sides, but critics have singled out the Saudi blockade as the largest driving force behind the humanitarian crisis. The coalition’s blockade has left 18 million people – roughly two-thirds of the country’s population – in need of humanitarian assistance. The crisis has been exacerbated by coalition airstrikes, which have targeted food sources, water infrastructure, markets, and even schools and hospitals.

The munitions in the forthcoming sale are precisely the kind that rights groups have documented in these bombings. The U.S. has been a silent partner to the intervention since the beginning, refueling planes, providing weapons, and targeting intelligence.

Kristine Beckerle, a Yemen researcher for Human Rights Watch, said that her organization has documented a number of strikes in which coalition planes used U.S.-produced, precision-guided munitions to strike civilian targets.

“The Trump administration has consistently prioritized selling Saudi Arabia weapons over calling the coalition out for war crimes, despite U.S. arms being used repeatedly in unlawful attacks — including the type of weapon at issue in this sale,” said Beckerle. “Congress should see this as a chance to finally make clear that some members of the U.S. government are no longer willing to reward Saudi abuses with more arms, nor risk U.S. complicity, as the coalition continues to bomb weddings and homes to kill and maim Yemeni civilians.”



President Donald Trump shakes hands with Saudi Crown Prince Mohammed bin Salman in the Oval Office of the White House on March 20, 2018. The Trump administration is signing off on selling more than $1.3 billion in artillery to Saudi Arabia.

Photo: Evan Vucci/AP

A spokesperson for the coalition told Reuters that it would investigate reports of civilian deaths in the wedding bombing, but human rights advocates have routinely criticized the standards of such investigations.

The coalition has used these weapons against civilians so many times that in December 2016, a month before Trump was inaugurated, Barack Obama held up a sale of precision-guided weapons over “systemic, endemic” problems with their targeting. That sale went forward after Trump was inaugurated.

Top photo: Yemenis inspect the damage after deadly airstrikes in and near the presidential compound, in Sanaa, Yemen on May 7, 2018. Airstrikes by the Saudi-led coalition fighting Yemen’s Shiite rebels targeted the presidency building in the heart of the Yemeni capital, leaving at least six people dead and some 30 wounded, according to health officials.

The post U.S. Moves Forward With Multibillion-Dollar “Smart Bomb” Sale to Saudi Arabia and UAE Despite Civilian Deaths in Yemen appeared first on The Intercept.

CVE-2009-5150 (computrace_agent)

Absolute Computrace Agent V80.845 and V80.866 does not have a digital signature for the configuration block, which allows attackers to set up communication with a web site other than the intended search.namequery.com site by modifying data within a disk's inter-partition space. This allows a privileged local user to execute arbitrary code even after that user loses access and all disk partitions are reformatted.

CVE-2009-5151 (computrace_agent)

The stub component of Absolute Computrace Agent V70.785 executes code from a disk's inter-partition space without requiring a digital signature for that code, which allows attackers to execute code on the BIOS. This allows a privileged local user to achieve persistent control of BIOS behavior, independent of later disk changes.

CVE-2009-5152 (computrace_agent)

Absolute Computrace Agent, as distributed on certain Dell Inspiron systems through 2009, has a race condition with the Dell Client Configuration Utility (DCCU), which allows privileged local users to change Computrace Agent's activation/deactivation status to the factory default via a crafted TaskResult.xml file.

ThreatConnect and the Rise of the Security Developer

Taking Your Team & Career to the Next Level with ThreatConnect's GitHub Repositories

When I walk the show floors at RSA or Black Hat, I'm always struck by the number of new products that pop up every year. The "hot topic" varies - this year it was AI - but new booths springing up from the expo center carpet like magic is a constant. It can be a bit overwhelming: like showing up at a bar with an outrageously huge beer selection. But it can also be exciting, like (responsibly) trying all of those beers.

[Image caption: Yep, this is what Black Hat is like. In so, so many ways.]

We get it. There's finally a hot new EDR or UEBA tool that does everything that you want, but you're nervous: will it work in your environment? Can your existing tools talk to it? Will your team understand how to use it? At ThreatConnect, our vision is to ensure that your answer is consistently "yes": if you're excited about new software, you should be able to integrate it into your team, your processes, and your tech stack. We've written at length about our platform strategy, but that "yes" is what it really comes down to.

The Rise of the Security Developer

One trend that makes this strategy possible is the rise of the Security Developer: security analysts who are dangerous enough with Python to take advantage of all of these new tools. If you're able to get that new EDR or UEBA or AMA or vulnerability scanner to work with your existing SIEM, ticketing system, whatever... you'll be a hero. Honing your skills with Python (or another security-friendly scripting language) and becoming familiar with APIs are big parts of becoming a Security Developer. To really take advantage of those skills, though, you need a "partner in crime": an extensible security platform that can bring all those APIs and exciting tools into a central location where all of your data and teammates can take advantage of them. Like ThreatConnect.

To enable new and mature Security Developers, we've created robust SDKs that can help you write apps, build automations, and more. A great place to get started is in our documentation.

[Image caption: Dogs are the best.]

No One is an Island

Our Security Developer customers make extensive use of these tools in their own ThreatConnect environments: integrating systems, automating common tasks, and flexing their developer muscles. But part of growing as a Security Developer is collaborating with other Security Developers.

We provide an exclusive Slack workspace¹ for our customers to exchange best practices about threat intelligence, security, and ThreatConnect. One day, something exciting happened: customers started sharing ThreatConnect software they'd built on Slack. This was amazing! Security Developers were collaborating!

Of course, while we love Slack, it's not the best tool for sharing software.

_______________________

¹ If you're a current customer and are interested in joining our Slack community, please contact your
customer success manager.

Announcing: ThreatConnect GitHub Repositories

To more effectively enable our Security Developer users, we're excited to announce the launch of four GitHub repositories (repos) that they can use to share and collaborate. Our hope is that these repos not only help our users share successes and get more value out of ThreatConnect, but also help them hone their skills and make themselves and their teams more effective defenders.
Let's go over the four repositories:

Spaces Repository

Available here: https://GitHub.com/ThreatConnect-Inc/threatconnect-spaces

"Spaces" are applications that run in the ThreatConnect UI. Using Spaces, you can extend the abilities of ThreatConnect in a way that benefits other analysts. Enrich indicators in VirusTotal or DomainTools, visualize relationships between intelligence, do some quick static analysis: these are all tools that users have built using Spaces, and they run right inside ThreatConnect.

Jobs Repository

Available here: https://GitHub.com/ThreatConnect-Inc/threatconnect-jobs

"Jobs" are apps that run in the background: collecting data from external feeds, enriching indicators in bulk, deploying indicators to a SIEM based on rules, etc.

Tools Repository

Available here: https://GitHub.com/ThreatConnect-Inc/threatconnect-tools

Unlike the other repos, this one is intended for software that doesn't run in ThreatConnect but is designed to enable developers in other ways: a tool that makes it easier to develop other ThreatConnect apps, a Chrome extension, etc.

Playbooks Repository

Available here: https://github.com/ThreatConnect-Inc/threatconnect-playbooks

Playbooks are custom, intelligence-driven automated or partially automated processes that users can build in ThreatConnect. The Playbooks Repository allows users to collaborate on a variety of Playbooks resources: one of these is obviously Playbooks themselves, but the two most important are Components and Apps.

Integrations between security products today are more and more commonplace, but they are largely point solutions. It's nearly impossible for them on their own to incorporate logic based on what your team is doing or what all other products across your security technology stack are seeing. Furthermore, these integrations often lack some desired functionality that is unique to your needs. That's part of why your role as a Security Developer is so valuable: you can tune integrations to your needs and automate the processes that make them and your teams work together. What makes your job easier isn't a silver bullet, it's having the right building blocks. Components and Playbook Apps are those building blocks.

Playbook Components

Components allow users to utilize any Playbook App: HTTP Client for REST API calls, Email and Slack apps for notification, JSON Path for JSON queries, and the Regex App for data extractions as just a few examples. These Components give users quite a bit of power and can be turned into reusable components in any Playbook (it's like writing a Python function). For example, we've been able to build enrichment Components that call an API with authorization, extract data using JSON Path, and expose them as variables for other apps in a Playbook. Components can be reused in multiple Playbooks and look just like apps. It's a good way to create basic integrations with Playbooks that can then be integrated into other processes.

Playbook Apps

For when you need to build or modify an app, we provide an SDK and app framework so you can build any Playbook App in Python or Java. While you need to be comfortable in Python (or Java), it gives you full control over the functionality. Your apps behave just like any other app in Playbooks, with inputs and outputs.
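An added example of the Component pattern described above (HTTP Client with an auth header, a JSON Path extraction, a Regex filter, declared output variables), written as plain Python rather than with ThreatConnect's Playbook SDK, which the post does not show. The API host, endpoint, key and response are constructed, and `offline_fetch` stands in for the network call so the component can be exercised without credentials.

```python
"""Playbook-style enrichment component: HTTP Client -> JSON Path -> Regex -> outputs.

Added example in plain Python, not ThreatConnect's SDK. The API host, endpoint,
key and response are constructed; offline_fetch() stands in for the network so
the component can be exercised without credentials.
"""
import json
import re
import urllib.request
from urllib.error import URLError

# Constructed reputation-API response (the shape is illustrative, not a real vendor's).
FAKE_API = {
    "https://api.example/v1/domains/evil.example": {
        "data": {"attributes": {"stats": {"malicious": 12, "harmless": 55},
                                "tags": ["phishing", "T1566", "c2", "T1071"]}}
    }
}

def offline_fetch(req):
    """Stand-in for urlopen(): answers from FAKE_API, 404s anything else."""
    if req.full_url not in FAKE_API:
        raise URLError("404 not found")
    return FAKE_API[req.full_url]

def http_client(url, api_key, fetch=None):
    """HTTP Client step. The key goes in a header, not the URL, so it never
    lands in proxy or server access logs; the real call always has a timeout."""
    req = urllib.request.Request(url, headers={"x-apikey": api_key,
                                               "Accept": "application/json"})
    if fetch is not None:
        return fetch(req)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def json_path(doc, path):
    """JSON Path step (subset): dotted keys, integer indexes, '*' fans out over a list.
    Returns a list of matches, so a missing field is [] rather than an exception."""
    nodes = [doc]
    for part in path.split("."):
        nxt = []
        for node in nodes:
            if part == "*" and isinstance(node, list):
                nxt.extend(node)
            elif isinstance(node, dict) and part in node:
                nxt.append(node[part])
            elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
                nxt.append(node[int(part)])
        nodes = nxt
    return nodes

def regex_extract(values, pattern):
    """Regex step: keep only the strings that fully match `pattern`."""
    rx = re.compile(pattern)
    return [v for v in values if isinstance(v, str) and rx.fullmatch(v)]

def enrich_domain(indicator, api_key, threshold=5, fetch=None):
    """The component: fixed output variable names that downstream apps can branch on."""
    out = {"enrich.status": "error", "enrich.malicious": None,
           "enrich.techniques": [], "enrich.verdict": "unknown"}
    try:
        doc = http_client(f"https://api.example/v1/domains/{indicator}", api_key, fetch)
    except (URLError, ValueError):      # network/HTTP failure or a non-JSON body
        return out                      # status 'error' lets the Playbook retry or open a ticket
    hits = json_path(doc, "data.attributes.stats.malicious")
    malicious = hits[0] if hits and isinstance(hits[0], int) else 0   # untrusted input: check the type
    techniques = regex_extract(json_path(doc, "data.attributes.tags.*"), r"T\d{4}")
    out.update({"enrich.status": "ok", "enrich.malicious": malicious,
                "enrich.techniques": techniques,
                "enrich.verdict": "malicious" if malicious >= threshold else "clean"})
    return out

if __name__ == "__main__":
    print(json.dumps(enrich_domain("evil.example", "constructed-key", fetch=offline_fetch), indent=2))
```

Three choices carry over to a real Component: the API key travels in a header rather than the query string, every network call is bounded by a timeout, and the response is treated as untrusted (types are checked before a number is compared against a threshold). The `enrich.status` output exists so that a failed lookup can be routed to a retry or a ticket instead of being mistaken for a clean verdict.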

Ready to Start or Learn More?

The next time you're at a show like RSA and are overwhelmed by all the new tools you know your CISO is going to buy, just remind yourself: I have ThreatConnect. I have the support of the entire ThreatConnect Security Developer community. I can make this work.

If you're ready to start contributing or leveraging what others are doing, go ahead and check out the GitHub repos now! If you'd like to learn more about them, please contact support@threatconnect.com. For product feedback, please contact me directly at dcole@threatconnect.com.

The post ThreatConnect and the Rise of the Security Developer appeared first on ThreatConnect | Enterprise Threat Intelligence Platform.

Google Makes it Mandatory for OEMs to Roll Out Android Security Updates Regularly

Security of Android devices has been a nightmare since its inception, and the biggest reason is that users don't receive the latest security patch updates regularly. Precisely, it's your device manufacturer (the Android OEM) who takes time to roll out security patches for your device and has sometimes even been caught lying about security updates, telling customers that their

Google Maps vulnerability abused by hackers to redirect users to malicious sites


 

Google Maps users have a new problem, and cybercriminals are waiting to take advantage of it. Security researchers have recently been discussing a weakness in the Maps link-sharing service that malicious actors can reach.

Researchers say attackers have no mechanism of their own for sending Google Maps users to a different website. What they can cash in on is an open redirect: the sharing link takes a destination URL as a parameter and forwards users to it without checking where it points.

According to the researchers, the attackers rely on URL shorteners to hide the final destination. The victim sees what looks like a legitimate Google Maps link and is redirected through it to the phishing page.

That is the gist of what the researchers say. For now there is no mechanism in place to counter these links, and because the URL feature in question is not an official, documented Google Maps product, telling a fraudulent link from a genuine one is just as hard.

A recent blog post argued that the redirect code should only send users to URLs that match a known pattern or an allow-list of links. It's simple: if the URL in the link parameter isn't a Google Maps URL, there is no reason to allow the redirect.

Until an effective countermeasure is in place, the experts conclude, Google Maps users have to stay alert and vigilant, because the cybercriminals will keep striking around the clock.
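The allow-list check the blog post asks for, as an added example in Python (not Google's code; the host names are constructed): the weak prefix test that many redirect handlers ship with, beside a check on the parsed URL, together with the inputs that slip past the first and not the second.

```python
"""Open-redirect check: a naive prefix test beside an allow-list on the parsed URL.

Added example, not Google's code. ALLOWED_HOSTS and the fallback are constructed.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"maps.google.com", "www.google.com"}   # constructed allow-list

def redirect_allowed_naive(target):
    """The check that looks right and isn't: a string prefix test.
    Passes https://maps.google.com.evil.example/ and https://maps.google.com@evil.example/."""
    return target.startswith("https://maps.google.com")

def redirect_allowed(target, allowed_hosts=ALLOWED_HOSTS):
    """Parse first, then compare the host exactly against the allow-list."""
    if "\\" in target:               # browsers treat backslashes as slashes; URL parsers do not
        return False
    parts = urlsplit(target)
    if parts.scheme != "https":      # also rejects javascript:, data: and scheme-relative //host
        return False
    if parts.username is not None or parts.password is not None:
        return False                 # user@host tricks: the real host is after the '@'
    host = parts.hostname            # lower-cased, port stripped, userinfo removed
    return host is not None and host in allowed_hosts

def choose_redirect(target, fallback="https://maps.google.com/"):
    """What a ?link= handler should do: follow the target only if it passes, else go home."""
    return target if redirect_allowed(target) else fallback

if __name__ == "__main__":
    for candidate in ["https://maps.google.com/maps?q=Reston",
                      "https://maps.google.com.evil.example/",
                      "https://maps.google.com@evil.example/",
                      "//evil.example/", "javascript:alert(1)"]:
        print(f"{candidate:45} naive={redirect_allowed_naive(candidate)!s:5} "
              f"parsed={redirect_allowed(candidate)}")
```

The host comparison is exact rather than a suffix match, and the scheme is pinned to `https`, so a downgrade to `http://maps.google.com/` is refused as well. A handler that needs to allow paths rather than whole hosts should compare `parts.path` against a fixed set too; it should never rebuild the URL from the pieces it checked and then redirect to the original string.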

Failure to Comply With Data Protection Regulations Can Cost Firms Nearly $15 Million

The average cost for organizations that fail to comply with data protection regulations is $14.82 million, a recent research study warned. These costs stem from a variety of issues, including disruption to business, legal settlement costs, and fees or penalties imposed by regulators.

The results of the report underscore the importance of preparing for upcoming privacy regulations such as the European Union (EU)’s General Data Protection Regulation (GDPR), which will take effect on May 25.

The Rising Cost of Complying With Data Protection Regulations

The effort required to comply with data privacy regulations is significant. The report estimated that audits, the development of incident response plans, staff certification and other compliance-related activities could add up to an average cost of $5.47 million, a 43 percent increase from 2011.

This jump reflects the increasing complexity of security risks and data privacy issues, the authors suggested. In addition, the average cost of establishing incident response strategies to achieve compliance increased by 64 percent between 2011 and 2017, while investment in technology went up by 36 percent.

The study, conducted by the Ponemon Institute on behalf of Globalscape, also noted that the cost of compliance varies from sector to sector, depending on the sensitivity of the data organizations must protect. For example, the average cost of complying with data protection regulations in the financial services industry is $30.9 million, versus just $7.7 million for media companies. Smaller organizations also tend to pay more for compliance, since larger firms are more likely to have in-house expertise and sophisticated data protection technologies.

Reducing the Cost of Compliance

The report revealed that the cost of noncompliance is 2.71 times higher than the cost of aligning with data protection regulations. The authors outlined several steps organizations can take to reduce expenses related to compliance. Centralizing the governance of compliance activities, for example, can save firms more than $3 million. Conducting compliance audits, meanwhile, can save up to $2.86 million.

The post Failure to Comply With Data Protection Regulations Can Cost Firms Nearly $15 Million appeared first on Security Intelligence.

IDG Contributor Network: Why enhanced authentication methods should play a bigger role in your security plan

Compromised credentials give the bad guys access to your data. Attackers use a legitimate username and password to initially obtain access and then escalate privileges in order to access increasingly valuable data. Relying on old-school authentication methods gives the bad guys a helping hand.

There seems to be no end to the news of large-scale data breaches. And, while the majority of these incidents highlight the loss of customer data, there is also a risk to both internal corporate data and employee data. Employee data loss doesn’t just impact the employee; it can also cause measurable harm to the employer. In 2017, UK-based Morrisons Supermarkets was found liable by a court after a former senior auditor for the retailer posted the payroll data of nearly 100,000 staff online. Thousands of the staff will now be allowed to lodge compensation claims. There’s no shortage to the data that needs protecting.

To read this article in full, please click here

IDG Contributor Network: The rise of the NIST cybersecurity framework

The National Institute of Standards and Technology (NIST), the technical standards agency, has recently released the widely-referenced Cybersecurity Framework (version 1.1), incorporating input from industry and other stakeholders.

The Framework now includes: (i) a new section on correlating cybersecurity risk management metrics to organizational objectives; (ii) expanded guidance for mitigating supply chain cyber risk, underscored by a new Supply Chain Risk Management Category in the Framework Core; (iii) a treatment of vulnerability disclosure; (iv) refined language on authentication, identification and authorization; and (v) treatment of the risks inherent in the Internet of Things (IoT) in addition to critical infrastructure. NIST removed a superfluous section on Federal Alignment, which detailed requirements for federal information systems.

To read this article in full, please click here

Do security ratings protect you from a data breach? You need LookingGlass 24×7 monitoring.

There’s a lot of talk about “continuous monitoring” in the marketplace. At LookingGlass, we are clear that it is NOT a database or look-up service. Our Third Party Risk Monitoring solution is the only managed service in the marketplace that offers 7x24x365 monitoring for real-time notifications of compromises and data breaches, all human-vetted to reduce false positives. Want to know more? Contact LookingGlass now for an exclusive offer.

 


Source: https://thecyberwire.com/issues/issues2018/May/CyberWire_2018_05_08.html

The post Do security ratings protect you from a data breach? You need LookingGlass 24×7 monitoring. appeared first on LookingGlass Cyber Solutions Inc..

Reston-Based LookingGlass Acquires Threat Intelligence From Goldman Sachs

Reston, Va. – LookingGlass Cyber Solutions, a Reston-based provider of unified threat protection services designed to help clients guard against sophisticated cyber attacks, said on Monday it has acquired Sentinel, creator of a threat intelligence platform developed by investment banking and securities firm Goldman Sachs. Financial terms of the deal were not disclosed. Goldman Sachs also has made an unspecified investment in the company as part of the deal. Rana Yared, managing director in the principal strategic investments group at Goldman Sachs, will join the company’s board of directors. LookingGlass, which for years has counted Goldman Sachs as a client, said it plans to further develop and commercialize the platform, while expanding it to the broader financial services industry. “The financial services industry has traditionally led other sectors in building or buying cybersecurity tools to safeguard the corporate and customer information within their networks,” said CEO Chris Coleman. “As we worked with Goldman Sachs in discussing threats and intelligence-powered security operations, it quickly became apparent that acquiring Sentinel was a natural way to meaningfully advance the state of technology and help protect the wider financial services industry as well as other sectors facing greater cyber risk stakes.”


Source: https://secure.campaigner.com/csb/Public/show/e06u-oy311–fj0i3-7fgwbof3

The post Reston-Based LookingGlass Acquires Threat Intelligence From Goldman Sachs appeared first on LookingGlass Cyber Solutions Inc..

Experts Say Keep Amazon’s Alexa Away From Your Kids

What’s the best way to keep adults from questioning the use of a deeply problematic product? Get them started when they’re too young to question anything. Amazon has a new addition to its line of voice-commanded artificial intelligence Alexa assistants, marketed for use by children as young as 5 years old, who can barely grasp a box of juice, let alone digital privacy. Now, a coalition of children’s privacy and psychology advocates are warning parents away from Amazon’s latest, cutest device, saying it could normalize surveillance and harm children’s mental development.

The Echo Dot for kids is functionally identical to the Echo Dot for adults, except that it’s brightly colored and inexplicably costs $30 more than the grown-up version. Cosmetics aside, Echo Dot is still an AI-powered microphone that listens constantly for an activation keyword, relays a user’s voice to remote servers where it is analyzed and processed opaquely, and then responds to an increasingly long list of commands; on its packaging, Amazon highlights commands like “tell me a story” and “start SpongeBob.” Dot for kids will not only perpetually listen to and entertain your children, but attempt to teach them manners in your stead: “Alexa even provides positive feedback when kids ask questions and remember to say ‘please,'” says Amazon.

But a group of experts says Amazon’s little Play-Doh-colored pucks have no place near children. A statement released today by the Campaign for a Commercial Free Childhood, or CCFC, which previously led a prominent campaign against a version of Facebook Messenger aimed at kids, claims that Dot for kids and its ability to streamline a kid’s interaction with brands “pose significant threats to children’s wellbeing and privacy.” The CCFC statement is joined by critical letters from Sen. Edward Markey and Rep. Joe Barton. According to the CCFC’s Executive Director Josh Golin, “Amazon wants kids to be dependent on its data-gathering device from the moment they wake up until they go to bed at night. … AI devices raise a host of privacy concerns and interfere with the face-to-face interactions and self-driven play that children need to thrive.” Jeff Chester, executive director of the Center for Digital Democracy, which co-signed the statement, added his concerns:

Commercially-produced voice-recognition technologies, such as Amazon Echo, are primarily designed to promote products and brands. Amazon is acting irresponsibly by urging parents to unleash an AI-driven Alexa product into their children’s lives, without first ensuring that it will not harm their cognitive and emotional development. Echo Dot Kids is designed to encourage children to give up their personal information so it can drive even more revenues for the E-Commerce colossus.

In particular, Amazon’s relatively cheap devices, including Kindle and Echo, are more or less openly a play at getting consumers locked into the Amazon Prime ecosystem of services, serving as a firehose of Amazon-licensed content and, of course, an easy way to buy goods from the megastore.

Amazon provided counter-statements to both the CCFC statement and the congressional letter, stating that the company “will be working directly with the Senator’s office to address each question,” and that “Amazon takes privacy and security seriously.” Amazon also touted the “communal nature” of Dot for Kids:

Technology– in general – isn’t a replacement for parenting or social connection. One of the great things about Alexa and Echo is the communal nature of the device – parents and kids can join in the learning and fun together. We believe one of the core benefits of FreeTime and FreeTime Unlimited is that the services provide parents the tools they need to help manage the interactions between their child and Alexa as they see fit. For example, parents can review and listen to all their children’s voice recordings in the Alexa app, they can also review FreeTime Unlimited activity via the Parent Dashboard, and set bedtime limits or pause the device whenever they’d like.

The CCFC statement includes critical statements from a variety of experts in a variety of fields, including Massachusetts Institute of Technology professor Sherry Turkle, developmental pediatrician Jenny Radesky, and Kade Crockford of the American Civil Liberties Union of Massachusetts, who stressed that “children cannot consent to the type of surveillance a device like this will perform on them. They are too young to understand what it means to provide Amazon and potentially numerous other entities with their sensitive information, or to understand what it means to interact with artificial intelligence.”

George Loewenstein, a professor of economics and psychology at Carnegie Mellon University and director of its Center for Behavioral Decision Research, who is not affiliated with the anti-Echo campaign, told The Intercept that he’s worried about the effects the device could have on not just children, but the parents who buy Dot for kids:

For the children, if Alexa is very interactive, it may serve as a substitute for real friendships with other children, which are so important for socialization. And Alexa is never going to argue with a child, or want to play a different game, so it risks raising a generation of poorly socialized, bossy, children used to ordering their playmates around. And, Alexa will just instantly answer any question they have, so they won’t ever incubate their curiosity or learn how to navigate the world to obtain answers to their questions. For adults, it will be a temptation to not arrange playdates or spend time reading to their children or listening to music with them. Why read a book to a child when Alexa can do it for you? It may also pose new temptations to parents to monitor their children in ways that aren’t good for parent or child.

As a bonus, Dot for kids advertises its ability to function as a sort of intercom between parents and children, offering the chance to cut down on face time: “You can use compatible Echo devices or the Alexa app to let kids know dinner is ready, ask for help with a chore, or remind them to go to sleep—all without raising your voice.”

It’s easy for those with a brain more developed than a 5-year-old’s to feel disturbed — or at least creeped out — by the thought of an always-on microphone in your home. But the fact that these devices sell so well for Amazon (as well as Google and Apple, which continue to develop new listening device assistants at a rapid pace) shows how easy it is for consumers to adjust to a new normal, in which audio access to the home by a technology firm is worth a litany of small conveniences. But presumably, adult users who can remember a time when none of this existed will be able to continue to adjust their tolerance for increased home surveillance as it grows in sophistication. For a child literally raised in part by a robot voice, what could be the big deal? It’s just the friendly box that taught me to say please and played SpongeBob on demand, after all.

Update: May 11, 2018, 4:11 p.m.
This story has been updated with statements from Amazon. The company also noted that the $30 price premium on Dot for Kids is “because the Echo Dot Kids Edition comes with one year of the FreeTime Unlimited family plan ($6.99 per month regularly), premium Alexa skills and over 300 Audible kids titles included, a case, and a 2 year worry free guarantee.”

The post Experts Say Keep Amazon’s Alexa Away From Your Kids appeared first on The Intercept.

Firefox 60 world’s first browser to go for password-free logins


Mozilla has released its new browser, Firefox 60, which supports password-free logins to websites using Web Authentication API.

The browser ships with Web Authentication, or WebAuthn, enabled by default. With the WebAuthn API, users can log into websites with an authenticator such as a YubiKey security key, a fingerprint reader, or the facial-recognition feature on a smartphone, rather than with a password.

For now, WebAuthn in Firefox supports security keys such as Yubico's, but in future it will also support mobile authentication using notifications from supporting websites.

“This resolves significant security problems related to phishing, data breaches, and attacks against SMS texts or other second-factor authentication methods while at the same time significantly increasing ease of use (since users don't have to manage dozens of increasingly complicated passwords),” Mozilla wrote.

Some are saying that this will replace passwords entirely, but for now it is being used as an extra layer of protection for users. In support of the same, Dropbox this week introduced WebAuthn login support as well.

“Your credentials could be stored on a device like your phone, laptop, or security key, and services could use WebAuthn to sign in to your account after you scan your fingerprint or input a PIN on the device,” wrote Dropbox programmer Brad Girardeau in a blogpost. “There are still many security and usability factors to consider in these scenarios before replacing passwords entirely, and we believe that enabling WebAuthn for two-step verification strikes the right balance for most users right now.”

WebAuthn is also expected to be seen in Chrome 67 and Microsoft Edge.
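To make concrete why a WebAuthn login resists phishing in the way Mozilla describes, here is the relying-party side of the `navigator.credentials.get()` ceremony as an added example (not Firefox, Mozilla or Dropbox code). It assumes the default ES256 algorithm and carries a minimal pure-Python P-256 ECDSA so it runs without third-party libraries; the private key, challenge, origins and `simulate_browser_and_key()` are constructed stand-ins for what a browser and a security key produce.

```python
"""Relying-party side of a WebAuthn login: what a site checks before trusting an assertion.

Added example, not Mozilla's or Dropbox's code. The ES256 (P-256 ECDSA) below is a minimal
pure-Python implementation for illustration only; the key, challenge, origins and
simulate_browser_and_key() are constructed stand-ins for a browser plus security key.
"""
import base64
import hashlib
import json
import secrets

# NIST P-256 (a = -3): field prime, group order, base point.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):
    """Affine point addition/doubling; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def ecdsa_sign(d, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s: return r, s

def ecdsa_verify(q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_assertion(rp_id, origin, challenge, pubkey, stored_count,
                     client_data_json, auth_data, signature):
    """The RP checks of WebAuthn section 7.2, in order. Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != origin:           # written by the browser, not by the page
        return False, "origin mismatch (phishing site?)"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    rp_hash, flags = auth_data[:32], auth_data[32]
    count = int.from_bytes(auth_data[33:37], "big")
    if rp_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not flags & 0x01:
        return False, "user presence not asserted"
    if (count or stored_count) and count <= stored_count:
        return False, "signature counter did not increase (cloned authenticator?)"
    if not ecdsa_verify(pubkey, auth_data + hashlib.sha256(client_data_json).digest(), signature):
        return False, "bad signature"
    return True, "ok"

def simulate_browser_and_key(priv, rp_id, origin, challenge, count):
    """Constructed stand-in for navigator.credentials.get() plus the security key."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin, "crossOrigin": False}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + count.to_bytes(4, "big")  # UP|UV
    return client_data, auth_data, ecdsa_sign(priv, auth_data + hashlib.sha256(client_data).digest())

PRIV = 0xc9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721  # constructed test key
PUB = _mul(PRIV, G)                                                         # what the RP stored

def demo():
    challenge = secrets.token_bytes(32)                    # fresh per login attempt
    legit = simulate_browser_and_key(PRIV, "example.com", "https://example.com", challenge, 8)
    phish = simulate_browser_and_key(PRIV, "examp1e.com", "https://examp1e.com", challenge, 9)
    return (verify_assertion("example.com", "https://example.com", challenge, PUB, 7, *legit),
            verify_assertion("example.com", "https://example.com", challenge, PUB, 7, *phish))
```

The two checks that defeat phishing are the `origin` field, which the browser writes into `clientDataJSON` so a look-alike site cannot claim `https://example.com`, and `rpIdHash`, which the key computes over the rpId the browser enforces. The challenge comparison stops replay, and the signature counter is the spec's hint that a key has been cloned. A production relying party should use a vetted library for the signature and for parsing the stored COSE public key; the curve arithmetic here is only to keep the example self-contained.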

FTC Issues Warning Letters for Potential COPPA Violations

On April 27, 2018, the Federal Trade Commission issued two warning letters to foreign marketers of geolocation tracking devices for violations of the U.S. Children’s Online Privacy Protection Act (“COPPA”). The first letter was directed to a Chinese company, Gator Group, Ltd., that sold the “Kids GPS Gator Watch” (marketed as a child’s first cellphone); the second was sent to a Swedish company, Tinitell, Inc., marketing a child-based app that works with a mobile phone worn like a watch. Both products collect a child’s precise geolocation data, and the Gator Watch includes geofencing “safe zones.”  

Importantly, in commenting on its ability to reach foreign companies that target U.S. children, the FTC stated that “[t]he COPPA Rule applies to foreign-based websites and online services that are involved in commerce in the United States. This would include, among others, foreign-based sites or services that are directed to children in the United States, or that knowingly collect personal information from children in the United States.”

In both letters, the FTC warned that it had specifically reviewed the foreign operators’ online services and had identified potential COPPA violations (i.e., a failure to provide direct notice or obtain parental consent prior to collecting geolocation data). The FTC stated that it expected the companies to come into compliance with COPPA, including in the case of Tinitell, which had stopped marketing the watch in an effort to adhere to COPPA’s ongoing obligation to keep children’s data secure.

Two more evolving threats: JavaScript in Excel and payment processing in Outlook

Once upon a time – dating back to the first “Concept” macro virus in Word – the Office folks were wary of new features that had possible security implications. But in the past few weeks, we’ve been introduced to two new features that have “Kick Me” written all over them.

First, JavaScript in Excel. I mean, what could possibly go wrong?

Last December, Microsoft published a Dev Center article that talked about using the new Excel JavaScript API to create add-ins for Excel 2016.

To read this article in full, please click here

Imperva Python SDK – We’re All Consenting SecOps Here

Managing your WAF can be a complicated task. Custom policies, signatures, application profiles, gateway plugins… there’s a good reason ours is considered the best in the world.

Back when security teams were in charge of just a handful of WAF stacks and a few dozen applications, things were relatively manageable. Today, however, with the shift to cloud and microservices, organizations have to deal with securing thousands of web endpoints that change on a daily basis.

I recently met with an Imperva AWS customer with a strict rehydration policy – every 60 days they tear down their entire environment and bring it up from scratch. Everything not source controlled and automated has to go, including their security products and configurations. This poses a unique challenge to security professionals, but we’ve got a solution.

We recently launched the Imperva GitHub, where our global community (we get around) can access tools, code repositories and other neat resources that’ll aid collaboration and streamline development.

To that effect, we developed imperva-sdk, an open source project hosted on our GitHub. ‘Impervians’ around the world can now contribute to the SDK and more projects that are on their way. This new collaboration between Imperva professionals and experienced Imperva customers will bring greater knowledge-sharing and faster deliveries.

Securing thousands of web endpoints doesn’t sound so scary anymore.

For a long time now Imperva SecureSphere has provided automated deployment support and extended management REST API coverage. Still, administrators had to work hard writing their own wrappers and integrations for the granular APIs.

In this blog post I’ll be introducing imperva-sdk – A Python SDK for Imperva SecureSphere Open API. We’ll see how the SDK can be used to automate your SecureSphere management operations, migrate different environments, source control your configuration, and generally switch to a more SecOps mindset.

imperva-sdk is easy to use: changes to the Python objects are propagated immediately to SecureSphere.

The SDK objects are hierarchical and aware of the different connections between resource types.

Standard Python documentation for the SDK is available, including module references and examples to get you started:

Figure 3: imperva-sdk documentation

imperva-sdk objects can be converted to dictionaries and saved as JSON. This allows you to use Python capabilities for advanced automation:

Figure 4: Create a new custom policy from JSON

One of the strongest features imperva-sdk has to offer is the ability to export the entire configuration of your SecureSphere management server to JSON (Note: only APIs that are implemented in the SDK are exported and imported). This gives you the ability to copy configurations between management servers, source control your WAF configuration, and easily incorporate your WAF settings in your CI/CD process.

In the next example we migrate the configuration from a staging management server to production, and in the process replace any reference to “staging” to “v1”:

Figure 5: Copy configuration between management servers
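As an added example of that staging-to-production step (not imperva-sdk's own code, and the export layout below is a constructed guess rather than SecureSphere's real format), the following rewrites `staging` to `v1` only in allow-listed name fields, logs every substitution for review, and flags strings outside the allow-list that still mention staging, such as a policy match clause or a rule regex, so those get a human decision instead of a silent rewrite.

```python
"""Environment-aware config migration: rewrite only allow-listed string fields, log each change,
and surface every other place the old environment name still appears.

Added example, not imperva-sdk's code. STAGING_EXPORT is a constructed JSON layout that
only resembles a management-server export; the real format may differ.
"""
import json

STAGING_EXPORT = {
    "sites": [{
        "name": "staging-site",
        "server_groups": [{
            "name": "staging-web", "servers": ["10.0.1.10"],
            "services": [{"name": "https",
                          "applications": [{"name": "staging-shop"}]}],
        }],
    }],
    "policies": [{
        "name": "block-staging-probes",
        "match": 'Host == "staging.shop.example" and URL contains "/admin"',
        "rules": [{"id": 1, "regex": r"staging[0-9]+\.internal"}],
    }],
}

# Fields where a blind environment-name substitution is safe. Everything else is policy
# logic and must be reviewed by hand: rewriting a regex or a match clause changes what
# the WAF detects, silently.
NAME_FIELDS = {
    "sites.*.name",
    "sites.*.server_groups.*.name",
    "sites.*.server_groups.*.services.*.name",
    "sites.*.server_groups.*.services.*.applications.*.name",
    "policies.*.name",
}

def rewrite_strings(config, fn):
    """Return a rebuilt copy of `config` where every string leaf is replaced by fn(path, value).
    Paths are dotted, with '*' for list positions. Also returns [(path, before, after)] for
    the leaves fn changed, which doubles as the review log."""
    changes = []
    def walk(node, path):
        if isinstance(node, dict):
            return {k: walk(v, f"{path}.{k}" if path else k) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, f"{path}.*") for v in node]
        if isinstance(node, str):
            new = fn(path, node)
            if new != node:
                changes.append((path, node, new))
            return new
        return node
    return walk(config, ""), changes

def migrate(config, old, new, paths):
    """Apply old -> new only to string values whose path is allow-listed."""
    return rewrite_strings(config, lambda p, v: v.replace(old, new) if p in paths else v)

def migrate_staging_to_v1(config):
    return migrate(config, "staging", "v1", NAME_FIELDS)

def leftover_references(config, token, paths):
    """Strings outside the allow-list that still mention `token`: each needs a decision."""
    seen = []
    def note(path, value):
        if token in value and path not in paths:
            seen.append((path, value))
        return value
    rewrite_strings(config, note)
    return seen

if __name__ == "__main__":
    production, log = migrate_staging_to_v1(STAGING_EXPORT)
    for path, before, after in log:
        print(f"CHANGED  {path}: {before!r} -> {after!r}")
    for path, value in leftover_references(STAGING_EXPORT, "staging", NAME_FIELDS):
        print(f"REVIEW   {path}: {value!r}")
    print(json.dumps(production, indent=2))
```

The change log is what goes into the pull request alongside the new JSON, so the reviewer sees exactly which values moved rather than a diff of the whole export. One more caveat for the source-control step the post recommends: strip gateway and management credentials out of the exported file before committing it, and supply them at run time (the Jenkins or Lambda wrapper is the right place).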

The ability to control the entire configuration from JSON frees users from the need to know Python. We have imperva-sdk wrappers for Jenkins and AWS Lambda, allowing end-users to simply provide management credentials and a JSON configuration file without writing a line of code:

Figure 6: imperva-sdk Jenkins job

The launch of the Imperva GitHub and imperva-sdk allows us even more flexibility and responsiveness when it comes to mitigating threats and extends those benefits to our larger community.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 7, 2018

This week marked National Teacher Appreciation Week here in the United States. I was happy to see that many other countries celebrate educators in all the other months of the year. All of us have at least one teacher, instructor or professor who really made a difference in our lives. There are two for me, and while they may not remember me out of the thousands they taught over the years, I definitely remember them. The first one helped me realize that I could write, and had me focus my frustration through poetry and essays as a 10-year-old moving from a city of almost two million (at the time) to a small town with 3,000 people trying to fit in. The second one validated my love for writing and journalism in college, encouraged me to ask the tough questions (don’t forget the five Ws and the H!) and reminded me to never bury the lead. He never forgave me for “going to the dark side” – that was his definition for marketing – but told me that as long as I’m still writing in some capacity, he was happy.

It’s only fitting that during National Teacher Appreciation Week the University of Texas at San Antonio announced its plans to open a new cybersecurity center for government agencies and businesses seeking future cybersecurity workers and research. The space may potentially host a startup incubator, a computing center for research, a data visualization lab and other research and training facilities. With a predicted 3.5 million unfilled cybersecurity positions by the year 2021, according to the Cybersecurity Jobs Report 2018-2021, we need all the help we can get to stay ahead of sophisticated cyber threats. You can learn more about the new center here.

TippingPoint Operating System (TOS) v5.0.3

Late last week, we released TOS v5.0.3 build 4867 for the TippingPoint TX-Series devices (8200TX/8400TX). For a complete list of enhancements and changes, customers can refer to the product Release Notes located on the Threat Management Center (TMC) website. Customers with any concerns or questions can contact the Trend Micro TippingPoint Technical Assistance Center (TAC).

Microsoft Security Updates

This week’s Digital Vaccine® (DV) package includes coverage for Microsoft updates released on or before May 8, 2018. It was another busy month for Microsoft with 68 security patches covering Internet Explorer (IE), Edge, ChakraCore, Hyper-V Server, Windows, Visual Studio, Microsoft Office and Office Services and Web Apps, and the Azure IoT SDK. Of these 68 CVEs, 21 are listed as Critical, 45 are rated Important, and two are listed as Low in severity. Eleven of these CVEs came through the ZDI program. The following table maps Digital Vaccine filters to the Microsoft updates. You can get more detailed information on this month’s security updates from Dustin Childs’ May 2018 Security Update Review from the Zero Day Initiative:

CVE #            Digital Vaccine Filter #   Status
CVE-2018-0765    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0824    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0854    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0905    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0943    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0945    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0946    31487                      -
CVE-2018-0951    31488                      -
CVE-2018-0953    31489                      -
CVE-2018-0954    31490                      -
CVE-2018-0955    31563                      -
CVE-2018-0958    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0959    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0961    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1021    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1022    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1025    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1039    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8112    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8114    31491                      -
CVE-2018-8119    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8120    31562                      -
CVE-2018-8122    31492                      -
CVE-2018-8123    31552                      -
CVE-2018-8124    31558                      -
CVE-2018-8126    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8127    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8128    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8129    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8130    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8132    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8133    31494                      -
CVE-2018-8134    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8136    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8137    31617                      -
CVE-2018-8139    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8145    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8147    31554                      -
CVE-2018-8148    31555                      -
CVE-2018-8149    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8150    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8151    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8152    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8153    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8154    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8155    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8156    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8157    31556                      -
CVE-2018-8158    31557                      -
CVE-2018-8159    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8160    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8161    31573                      -
CVE-2018-8162    31559                      -
CVE-2018-8163    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8164    31561                      -
CVE-2018-8165    31571                      -
CVE-2018-8166    31572                      -
CVE-2018-8167    31560                      -
CVE-2018-8168    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8170    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8173    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8174    31493                      -
CVE-2018-8177    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8178    -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8179    31498                      -
CVE-2018-8897    -                          Vendor Deemed Reproducibility or Exploitation Unlikely

Zero-Day Filters

There are two new zero-day filters covering one vendor in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website. You can also follow the Zero Day Initiative on Twitter @thezdi and on their blog.

Trend Micro (2)

  • 31495: ZDI-CAN-5550 Zero Day Initiative Vulnerability (Trend Micro Encryption for Email Gateway)
  • 31496: ZDI-CAN-5551 Zero Day Initiative Vulnerability (Trend Micro Encryption for Email Gateway)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

The post TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 7, 2018 appeared first on .

Russian Fake News Ecosystem Targets Syrian Human Rights Workers

Kremlin-linked news sites like RT and Sputnik figure prominently in an online disinformation campaign portraying Syrian humanitarian workers (“White Helmets”) as terrorists and crisis actors, according to an analysis by researchers at the University of Washington and Harvard. An online “echosystem” of propaganda websites...

Nicola Esposito: “The key to resilience is having a mature strategy and a good partner”

Our first cybersecurity summit, the Panda Security Summit (#PASS2018), is approaching fast and will feature talks from key figures in the sector, such as Nicola Esposito, Director of Deloitte’s CyberSOC EMEA Center. In his lecture, “Keys for a more attentive, safer and resilient organization in the face of advanced cyberthreats”, Esposito will explain how Deloitte’s Cyber Risk practice helps organizations strengthen their risk and security management programs. Ahead of the summit, we asked him about resilience in the corporate cybersecurity environment.

What are the most significant advanced threats facing companies today?

Advanced threats combine numerous tools, techniques and targeting methods. Malware is currently one of the major threats due to its capacity to spread rapidly across an organization and even around the world.

Which aspect of resilience would you say is most important for the security of companies?  

You can’t single out one aspect. All of them (prevention, detection, containment, response and continuous improvement) have to be taken into account to adopt a serious approach to IT security. In line with this approach, and in order to offer its customers an end-to-end solution, Deloitte has developed its Common Storefront based on the four areas of Strategy, Security, Vigilance and Resilience.

How can the creation of an integrated and connected ecosystem contribute to improving corporate security infrastructure?

The creation of this ecosystem can help make companies more secure and become part of a chain of security. This is one of the reasons why Deloitte promotes the Threat Intelligence network, so as to share indicators of compromise (IoCs) and increase the detection capacity of customers. Such networks allow these IoCs to be shared practically in real time, and consequently reduce the time of exposure to the corresponding malware.

What risks do non-resilient companies face?

Non-resilient companies are probably not taking cybersecurity risks seriously. This is the biggest challenge. Once a company’s management recognizes the threat, it needs a trusted partner to set up a robust security program. So the second challenge is to find a partner able to guide you along a potentially complicated path.

What are the keys to creating resilient companies?

The key to resilience is having a mature strategy and a good partner. With a mature strategy you can address risks in the proper way, starting with business risks and not focusing on them directly from the technological perspective. This strategy should include the values mentioned earlier: Security, Vigilance and Resilience. It is also important to have partners with a global vision, who understand the scope of current threats, and have end-to-end capabilities to understand business risks, advise customers accordingly, and implement and operate the technologies to make their business resilient.

What is the risk of ignoring resilience?

The greatest risk is the likelihood of being hit by a cyberattack and the inability to recover from it. It is not just that critical systems are compromised, there is also the potential damage to brand reputation, which in some cases may take years to restore. There are also risks associated with regulatory compliance, which are related to the security controls implemented in every company.

To what aspect of cyber-resilience should we pay most attention?

The aspect of resilience that is often ignored, or not adequately considered, is detection. Mainly because detection means having visibility, and to have this, you have to understand where and how to pay due attention to all the other sections that comprise cyber-resilience.

At Panda we know that detection and response to attacks are essential to business cybersecurity. That’s why tools such as Panda Adaptive Defense guarantee protection of aspects that can sometimes be overlooked. Nicola Esposito will be speaking on cyber-resilience at the Panda Security Summit on May 18 in Madrid. Don’t miss it!

The post Nicola Esposito: “The key to resilience is having a mature strategy and a good partner” appeared first on Panda Security Mediacenter.

McAfee Protects Against Doppelgänging Technique

That adversaries adopt new techniques is nothing new. What is striking is the speed at which they fold new techniques for bypassing endpoint security and evading sandboxes into their tooling, often faster than the InfoSec industry can implement and test effective countermeasures. For example, in December 2017 a tool was released to hide PowerShell in a graphic file; within 7 days of the release, McAfee Advanced Threat Research saw the technique used by a nation-state actor. Going from announcement to inclusion, testing and production use within 7 days is impressive.

This week, security researchers at Kaspersky Lab reported that the so-called Process Doppelgänging technique is being used by the “SynAck” ransomware. (https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/)

So What is the Process Doppelgänging Technique in a Nutshell?

The technique lets a malware writer run malicious code under the cover of a legitimate executable by abusing the transaction features of the NTFS filesystem (the Windows Transactional NTFS API, TxF): the payload is written over a legitimate file inside a transaction, an image section is created from the transacted file, and the transaction is rolled back, so the file on disk never changes while the process created from that section runs the payload.

McAfee Detects and Protects

Since the technique was first published in December 2017, McAfee Labs has been investigating it and how we might protect our customers. Unlike adversaries, who can ship mistakes in code and implementation, we cannot: we have to test thoroughly to ensure that when we release our solution it detects correctly and does not disrupt or break other software.

McAfee’s Product Security Incident Response Team (PSIRT), working in coordination with McAfee’s product teams [1], delivered protection against Process Doppelgänging in two of McAfee’s product suites (see below for detail). McAfee’s protection has tested effective against enSilo’s original proof of concept (PoC) and other examples, including recent malware that uses the technique.

McAfee’s protection prevents execution of a file if changes to it are contained within a Windows NTFS transaction. As far as McAfee knows, there is no legitimate use of the Transactional API in this way.

Details of products that include protection against Process Doppelgänging follow:

  • ENS 10.5.4, released April 24, 2018
  • VSE 8.8 patch 11, released April 24, 2018
  • ENS 10.6, Public Beta available March 9, 2018. Release is targeted around June 1, 2018

WSS 16.0.12 will include the same protection.  Release of WSS is targeted for the end of May, or the beginning of June, 2018.

What Is Protected 

Windows 7 & 8 -> McAfee protection is effective

Win 10 RS3 -> McAfee protection is effective

Win 10 RS4 -> Microsoft has implemented the same protection as McAfee

enSilo has documented that attempts to use the technique on Windows 10 builds before RS3 result in a Windows crash, a “Blue Screen of Death” (BSOD). McAfee’s testing confirms enSilo’s results.

Users may not see a detection alert with some versions of McAfee products under some versions of Windows. McAfee testing indicates that all versions of product under every Windows version listed above are protected.


[1] McAfee thanks McAfee Software Engineer Alnoor Allidina for the diligence and insight that led to the Process Doppelgänging protection.

The post McAfee Protects Against Doppelgänging Technique appeared first on McAfee Blogs.

Where did the tech support scam blacklist go?

For about five years, we’ve maintained a blacklist of recognized tech support scammers, along with websites and phone numbers they might use to contact victims. The blacklist was part of our Tech support scams: help and resource page, which tells readers how scams work, what tricks to look out for, how to get help after you’ve been scammed, and who to contact to report the scam.

The blacklist was started long before the scale of tech support scamming was understood, and very quickly became unwieldy, hard to search, and, in many cases, outdated. Given the ease with which scammers can stand up low cost infrastructure and switch VOIP numbers on the fly, we decided that a static blacklist is not the best way to share information with other researchers and interested users.

What we’re doing instead

On the Malwarebytes forums, we now have a “Report a Scam” section. (You must be logged in to view it.) After logging in, post any scam number you encounter, along with the URL of the company, if you have it. Posting in the forums makes it much more likely that a researcher will see it and block the scam ASAP.

What if you haven’t been scammed, but still want to help?  How do you find scammers to report?

Digging up fake tech support

Loading a typo squat for a large, popular website can be a good starting point to find a browser locker (which leads to a tech support scam). But varying user agents and locations can deliver actual malware instead of a locker, so use this method at your own risk.

It’s a bit safer to start with social media, where scammers spam links for their fake companies. Searching Twitter for “Malwarebytes Support” yields a few tweets like the following:

More competent scammers will make use of link shortening services so as to not expose their infrastructure to potential takedown requests. We chose an amateur example for simplicity. (Twitter declined to take down the account when we asked.)

Clicking through yields a convincing scam site:

Now that we’ve got a scam URL and phone number, we can stop there and make a report. Or we can take a look at the website metadata and see if the scammer decided to set up a few alternate sites.

Throwing the latest IP into PassiveTotal’s query tool yields a whopping 1,029 domains, including historical hits that are no longer active. Most look to be part of an SEO operation, which makes sense because tech support scammers generally hire third-party SEO services to get their sites in front of victims.

Moving to Hurricane Electric’s free pDNS tool, which carries no historical data, yields the following:

Right away we can see two probable candidates for additional scams. Sifting through pDNS can often improve your scam hunting results, as well as help attribute multiple scams to the same threat actor group. Be sure to actually load the sites to confirm scamming, as legitimate tech companies overseas can sometimes exhibit design cues and domain names similar to fake tech support.
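The pDNS pivot described above (seed domain, resolve to its IPs, list co-hosted names, separate SEO noise from likely scam sites, compare a current-only source with a historical one), as an added example that is not part of the original post. The records, hostnames, addresses and keyword lists are all constructed for illustration; a real hunt would feed it the output of a pDNS tool and still end with a manual visit to each candidate.

```python
from typing import Dict, List, Set, Tuple

# Constructed passive-DNS records (domain, ip, first_seen, last_seen) in the shape a
# pDNS tool returns. Every name and address here is invented for illustration.
PDNS_RECORDS: List[Tuple[str, str, str, str]] = [
    ("malwarebytes-support-help.example", "203.0.113.10", "2018-04-20", "2018-05-10"),
    ("norton-tech-help.example",          "203.0.113.10", "2018-05-01", "2018-05-10"),
    ("quickbooks-customer-care.example",  "203.0.113.10", "2018-05-03", "2018-05-10"),
    ("best-seo-backlinks.example",        "203.0.113.10", "2017-09-01", "2018-05-10"),
    ("cheap-link-directory.example",      "203.0.113.10", "2017-08-15", "2018-01-02"),
    ("old-virus-support.example",         "203.0.113.10", "2016-05-01", "2017-02-01"),
    ("malwarebytes-support-help.example", "198.51.100.7", "2018-03-01", "2018-04-19"),
    ("printer-helpdesk-online.example",   "198.51.100.7", "2018-03-15", "2018-05-10"),
]

# Tokens that tend to appear in fake tech-support hostnames, and tokens that mark the
# SEO operations which share hosting with them (hypothetical lists; tune per hunt).
SCAM_TOKENS = ("support", "help", "tech", "customer-care", "helpdesk")
NOISE_TOKENS = ("seo", "backlink", "directory")


def resolutions_for(records, domain: str) -> List[str]:
    """Every IP the seed domain has resolved to, most recently seen first."""
    seen = [(ip, last) for d, ip, _first, last in records if d == domain]
    return [ip for ip, _ in sorted(seen, key=lambda t: t[1], reverse=True)]


def cohosted(records, ip: str, as_of: str, include_history: bool = False) -> Set[str]:
    """Domains that share ip. With include_history=False only records active on
    as_of are returned, like a pDNS source without historical data; with True the
    full history comes back, like the larger PassiveTotal result set. Dates are
    ISO strings, so plain string comparison orders them correctly."""
    out: Set[str] = set()
    for d, rip, first, last in records:
        if rip == ip and (include_history or first <= as_of <= last):
            out.add(d)
    return out


def classify(domain: str) -> str:
    """Cheap triage of a co-hosted name; a 'candidate' still needs a manual visit."""
    if any(tok in domain for tok in NOISE_TOKENS):
        return "seo-noise"
    if any(tok in domain for tok in SCAM_TOKENS):
        return "candidate"
    return "unknown"


def hunt(records, seed: str, as_of: str, include_history: bool = False) -> Dict[str, List[str]]:
    """Pivot from one confirmed scam domain to the co-hosted candidates on each IP
    it has used, dropping the seed itself and the SEO noise."""
    result: Dict[str, List[str]] = {}
    for ip in resolutions_for(records, seed):
        candidates = sorted(
            d for d in cohosted(records, ip, as_of, include_history)
            if d != seed and classify(d) == "candidate"
        )
        if candidates:
            result[ip] = candidates
    return result


if __name__ == "__main__":
    seed = "malwarebytes-support-help.example"
    for ip, names in hunt(PDNS_RECORDS, seed, "2018-05-10").items():
        print(ip, "->", ", ".join(names))
```

Running it with include_history=True surfaces a long-expired co-hosted name as well, which is useful for attribution (same actor, same hosting) but not for reporting a live scam; the current-only view is what you want for takedown reports.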

Scam hunting is fun and fairly straightforward. But we can’t be everywhere, and tech support scammers excel at setting up infrastructure with bargain hosting companies quickly. So why not help us get better, and report a scam in our forums? Happy hunting—and stay safe.

The post Where did the tech support scam blacklist go? appeared first on Malwarebytes Labs.

CVE-2018-7248 (manageengine_servicedesk_plus)

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint returns the user's logon domain if the account exists, or 'null' if it does not.
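The bug class above (an unauthenticated endpoint whose reply differs for existing and non-existing accounts) beside a hardened form, plus a simple detector for the enumeration bursts such an oracle invites, as an added example that is not ServiceDesk Plus code. The account directory, the `/api/validate` path and the log format are all hypothetical and constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the domain accounts the endpoint checks (not real data).
DIRECTORY: Dict[str, str] = {"jsmith": "CORP", "mlee": "CORP", "svc-backup": "LAB"}


def lookup_vulnerable(username: str) -> Optional[str]:
    """The behaviour the advisory describes: no authentication, and the reply
    (a domain name versus null) reveals whether the account exists."""
    return DIRECTORY.get(username)


def lookup_hardened(username: str, authenticated: bool) -> Dict[str, str]:
    """Hypothetical fix: anonymous callers get one identical answer whatever the
    username, so the endpoint no longer works as an existence oracle; the domain
    is only returned to an authenticated session."""
    if not authenticated:
        return {"status": "unauthorized"}
    return {"status": "ok", "domain": DIRECTORY.get(username, "")}


# Detection side. Hypothetical access-log line: "<iso-time> <ip> GET <path>?user=<name> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) GET /api/validate\?user=(\S+) (\d{3})$")


def build_constructed_log() -> List[str]:
    """Constructed access-log lines: one source walks a 25-name wordlist in under a
    minute, another makes two ordinary lookups fifteen minutes apart."""
    base = datetime(2018, 5, 11, 10, 0, 0)
    lines: List[str] = []
    for i in range(25):
        stamp = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{stamp} 203.0.113.5 GET /api/validate?user=user{i:03d} 200")
    quiet = "198.51.100.9"
    for offset, name in ((5, "jsmith"), (900, "mlee")):
        stamp = (base + timedelta(seconds=offset)).isoformat()
        lines.append(f"{stamp} {quiet} GET /api/validate?user={name} 200")
    return lines


def detect_enumeration(lines: List[str], threshold: int = 10,
                       window: timedelta = timedelta(seconds=60)) -> Set[str]:
    """Flag source IPs that query the endpoint for at least `threshold` distinct
    usernames inside any interval of length `window`."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp, ip, user, _status = m.groups()
        events[ip].append((datetime.fromisoformat(stamp), user))
    flagged: Set[str] = set()
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            names = {u for t, u in evs[i:] if t - start <= window}
            if len(names) >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("jsmith"), lookup_vulnerable("nobody"))
    print("hardened, anonymous:", lookup_hardened("jsmith", False), lookup_hardened("nobody", False))
    print("enumeration sources:", detect_enumeration(build_constructed_log()))
```

The detector deliberately counts distinct usernames rather than requests, so a user who retries the same name is not flagged while a wordlist walk is.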

CVE-2018-10580

The "Latest Posts on Profile" plugin 1.1 for MyBB is vulnerable to cross-site scripting (XSS) because the section it adds to a user profile displays that user's most recent posts without sanitizing the tsubject (thread subject) field.

This Week in Security News: Exposure and Susceptibility

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, a new report revealed that the Equifax breach had a larger impact than previously thought. In addition, The Senate Intelligence Committee released an interim report declaring that the Department of Homeland Security had an “inadequate” response to the Russian hack of the 2016 election.

Read on to learn more.

The Role of Sales & Channel in GDPR Compliance

Sales people and channel partners are integral parts of our business, and we have considered them key parts of our journey to GDPR compliance.

Equifax Breach Exposed Millions of Driver’s Licenses, Phone Numbers, Emails

A new investigation revealed that millions of driver’s license numbers, phone numbers and email addresses in connection with names, dates of birth and Social Security numbers were exposed.

Get Ready for the GDPR: Fix Susceptible Email Systems

Email is a particularly weak link for companies because of its role as a communication tool, and the fact that it is still the number one threat vector for cybercriminal exploits.

Senate Intelligence Committee Releases Interim Report on Election Security

The Senate Intelligence Committee determined that the Department of Homeland Security mounted an “inadequate” response to the Russian government-affiliated campaign in 2016.

1.13M Records Exposed by 110 Healthcare Data Breaches in Q1 2018

According to the Protenus Breach Barometer, around 1.13 million patient records were compromised in 110 healthcare data breaches in the first quarter of 2018.

Canada to Impose Own Data Breach Notification Regulations

These regulations enshrine mandatory data breach notification in Canadian law in the form of an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000.

Twitter Fixes Bug, Advises Users to Reset Passwords

After advising users to change their account passwords on May 3, Twitter recently revealed that it fixed the bug that stored passwords unmasked in an internal log and that there’s no indication of a breach.  

Exposed Video Streams: How Hackers Abuse Surveillance Cameras

Hackers are gaining access to cameras and recording videos, selling camera access to other parties, or even using cameras to snoop around shops and scoop credit card information from customers. 

What do you think of Canada’s new data breach notification regulations? Share your thoughts in the comments below or follow me on Twitter to continue the conversation; @JonLClay.

The post This Week in Security News: Exposure and Susceptibility appeared first on .

The smarter the student, the stronger the password – study

A consulting director at Asia Pacific College (APC) in the Philippines decided to match student GPAs against the strength of their passwords. The findings suggest there is some degree of correlation between smarts and good password hygiene.

JV Roig, who is also a software developer in addition to dispensing his consulting expertise, compared the password hashes from APC’s 1,252 students to the database of leaked passwords maintained by the handy Have I Been Pwned? site created by security researcher Troy Hunt. The database holds a whopping 320 million exposed password hashes resulting from various data breaches over the years. The weakest passwords, and implicitly the most common ones, are found there.

Of the 1,252 students, 215 had a match in the database. Roig then looked at the students’ grade point average (GPA) and found that the lower the student’s GPA, the weaker the password and the greater the chance of it being found in Hunt’s database.

“If we only take into account students with a GPA of at least 3.5, only 12.82 per cent of them use compromised passwords, which compares favorably to the population average of 17.17 per cent,” Roig wrote. “Looking at students with a minimum GPA of 3.0 results in 15.29 per cent compromised passwords, which is significantly closer to the population average.”
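The two steps the study combines, checking a roster of password hashes against Pwned Passwords and computing the compromised rate above a GPA threshold, as an added example that is not Roig’s code. The leaked-password list and the student roster are constructed stand-ins; the range index plays the role of the Pwned Passwords k-anonymity range API offline, so the check runs without a network connection and only the first five hex characters of each SHA-1 would ever leave the client.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed stand-ins: a handful of leaked passwords (the breach corpus) and a
# student roster with GPAs. A real roster holds only hashes; the plaintext here
# exists solely so the example can build those hashes itself.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"]
STUDENTS: List[Tuple[float, str]] = [
    (3.8, "password"), (3.7, "Tr0ub4dor&3-9x"), (3.6, "z8#Kp!q2Lm"),
    (3.2, "qwerty"), (3.1, "correct horse battery"),
    (2.9, "123456"), (2.5, "letmein"), (2.4, "Qw!7rL#p"),
    (1.2, "iloveyou"),
]


def sha1_hex(password: str) -> str:
    """Pwned Passwords is keyed by upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: Iterable[str]) -> Dict[str, Set[str]]:
    """Stand-in for the server side of the range API: maps each 5-character hash
    prefix to the set of 35-character suffixes seen in breaches."""
    index: Dict[str, Set[str]] = {}
    for pw in leaked:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def local_range_lookup(prefix: str) -> Set[str]:
    """Plays the role of GET /range/{prefix}; offline here."""
    return RANGE_INDEX.get(prefix, set())


def is_pwned_hash(sha1_hash: str, range_lookup: Callable[[str], Set[str]]) -> bool:
    """k-anonymity check: only the first 5 hex characters go to the lookup, and
    the remaining 35 are compared locally against the returned range."""
    h = sha1_hash.upper()
    return h[5:] in range_lookup(h[:5])


def is_pwned(password: str, range_lookup: Callable[[str], Set[str]] = local_range_lookup) -> bool:
    return is_pwned_hash(sha1_hex(password), range_lookup)


def compromised_rate(students: List[Tuple[float, str]], min_gpa: float,
                     range_lookup: Callable[[str], Set[str]] = local_range_lookup) -> Tuple[int, int, float]:
    """(hits, cohort size, percentage) for students at or above min_gpa, the
    comparison Roig reports for GPA thresholds of 3.5 and 3.0."""
    cohort = [(gpa, sha1_hex(pw)) for gpa, pw in students if gpa >= min_gpa]
    hits = sum(1 for _, h in cohort if is_pwned_hash(h, range_lookup))
    pct = 100.0 * hits / len(cohort) if cohort else 0.0
    return hits, len(cohort), round(pct, 2)


if __name__ == "__main__":
    for threshold in (3.5, 3.0, 0.0):
        hits, n, pct = compromised_rate(STUDENTS, threshold)
        print(f"GPA >= {threshold}: {hits}/{n} compromised ({pct}%)")
```

Swapping `local_range_lookup` for a function that fetches the real range for a prefix turns this into a live check without changing anything else, which is the point of the k-anonymity design.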

Roig thus determined that students with a higher GPA knew better than to use a weak password, versus students with a low GPA. However, he admitted the disparities were small, and the sample group not very large either.

“This shouldn’t be taken as the end-all or be-all of whether smarter people have better passwords, but merely one interesting data point in what could be an interesting series of further experiments,” he said.

It’s also worth noting that the single student who had a lower than 1.5 GPA also happened to use an unsafe password.

Security Flaws & Fixes – W/E – 051118

Adobe's Flash Player, Other Products Receive Security Updates (05/09/2018)
Adobe has updated Connect, Flash Player, and Creative Cloud to mitigate risks from known vulnerabilities.
Google's Monthly Security Batch of Fixes Includes Meltdown Mitigations (05/10/2018)
Google released its May Android Security Bulletin, which contains additional mitigations for the Meltdown vulnerability that affects microprocessors from Intel and other vendors. The bulletin is divided into two parts. The first level plugs seven "high severity" bugs in various components including the Android runtime and Framework. The second level addresses vulnerabilities in Nvidia and Qualcomm components.

Hardware Debug Exception Documentation Could Cause Unexpected Behavior (05/09/2018)
A US-CERT advisory warns that some operating systems and hypervisors do not expect or properly handle an Intel architecture hardware debug exception when it is deferred by a MOV to SS or POP to SS instruction. The root cause appears to be developers' interpretation of the existing Intel documentation for those instructions; the issue is tracked as CVE-2018-8897. A local, authenticated attacker may be able to read sensitive data in memory or control low-level operating system functions. Apple, Ubuntu, VMware and other vendors are affected.

iOS 11.4 Feature to Lock Unused Device After One Week (05/08/2018)
Security analysts at Elcomsoft say they have discovered a feature being readied for Apple's upcoming iOS 11.4 release that will disable data over the Lightning port if the device has not been unlocked for seven days. The new USB Restricted Mode will still allow charging after the seven-day period but will prevent the phone or tablet from establishing a data connection. According to Elcomsoft's report, "Even the `Trust this computer?' prompt will not be displayed once the device is connected to the computer, and any existing lockdown records (iTunes pairing records) will not be honoured until the user unlocks the device with a passcode." The security company suggests that USB Restricted Mode is "aimed squarely at law enforcement," although an ancillary target is vendors such as Cellebrite and Grayshift, whose business model revolves around helping law enforcement agencies unlock protected iPhones.

Lenovo's System x Servers, ThinkPads Patched Following Bug Discoveries (05/10/2018)
Lenovo has released patches for its ThinkPad and System x server lines to fix a pair of vulnerabilities. The servers are affected by a bug in the Secure Boot process, while the ThinkPad line is vulnerable to arbitrary code execution.

LG Patches Bugs Affecting Its Smartphones (05/09/2018)
Check Point Software discovered two vulnerabilities in the default keyboard (termed by LG as `LGEIME') shipped on all mainstream LG smartphone models. The vulnerabilities were tested and proven exploitable on some of LG's flagship devices, including the LG G4, LG G5, and LG G6. Chained together, they could be used to remotely execute code with elevated privileges on LG devices by manipulating the keyboard's update process, turning the keyboard into a keylogger and compromising users' privacy and authentication details. The first vulnerability was the use of an insecure connection for a sensitive process (the keyboard update), and the second was a validation flaw in how LG's file system handles the downloaded files. Both bugs were disclosed to LG and have since been patched.

Logitech Fixes Security Bugs in Harmony Hub IoT Device (05/07/2018)
FireEye's Mandiant team discovered vulnerabilities in the Logitech Harmony Hub Internet of Things device that could be exploited, resulting in root access to the device via Secure Shell. The Harmony Hub is a home control system designed to connect to and control a variety of devices in the user's home. Exploitation of these vulnerabilities from the local network could allow an attacker to control the devices linked to the Hub as well as use the Hub as an execution space to attack other devices on the local network. Logitech worked with Mandiant and addressed the vulnerabilities in firmware version 4.15.96, which was released in April.

Microsoft Products Receive Updates, Zero-Day Bugs Get Squashed (05/09/2018)
Microsoft has fixed over 60 security issues in its product lines with the release of its monthly batch of security updates. Users are advised to apply the updates immediately; they cover Internet Explorer, Microsoft Edge, Windows, Office, .NET Framework, and other products. A zero-day remote code execution bug in the VBScript engine that affects all supported versions of Windows (CVE-2018-8174) was patched, and Kaspersky Lab, which reported it, has released further details in an advisory. A second zero-day, an elevation of privilege in Win32k (CVE-2018-8120), affects Windows 7, Server 2008, and Server 2008 R2.

Mozilla Releases Firefox 60 and Updated Version of Firefox ESR (05/09/2018)
Mozilla has released Firefox 60 and Firefox ESR 52.8. Both updates include security fixes for vulnerabilities present in previous versions.

New Report Discusses IP Camera Security Issues, Ways to Improve Protection (05/09/2018)
Trend Micro has published research on security issues in IP surveillance cameras, which are used around homes and by businesses to protect their premises. Because many cameras still have their default passwords, the devices can be taken over by individuals with minimal technical expertise, and attackers can go a step further by using penetration-testing tools and purpose-built software to brute-force camera logins. The report discusses step-by-step guides available on underground forums that teach miscreants how to access cameras, and offers recommendations for vendors and device manufacturers on how to ship these cameras with better security.

Philips Advises on Bugs Found in Brilliance CT Scanners (05/07/2018)
Brilliance CT Scanners from Philips are vulnerable to several critical issues, which could result, among other things, in an attacker gaining access to patient health information and allow for the execution of software. At this time, Philips has said that there haven't been any reports of vulnerability exploitation. The vendor posted an advisory with further information, including guidance and mitigation methods. The ICS-CERT has also issued an advisory regarding these issues.

Security Issues Found in Products from Silex Technology, GE Healthcare (05/08/2018)
An alert posted by the ICS-CERT warns of security bugs in Silex Technology's SX-500 and SD-320AN, and in GE Healthcare's MobileLink. Successful exploitation of these vulnerabilities could allow modification of system settings and remote code execution. Further details can be found in the advisory.

Siemens Advises on Multiple Vulnerabilities in Siveillance VMS and SINAMICS (05/10/2018)
Siemens released three advisories to address vulnerabilities in its products. The first advisory patches two vulnerabilities that could result in a denial-of-service condition in the vendor's medium voltage SINAMICS products. The second advisory contains an update for the Siveillance VMS Video app for both Android and iOS and remedies an improper certificate validation bug. Another advisory addresses a .NET vulnerability in Siveillance VMS.

Siemens Warns about Vulnerabilities in Multiple Products (05/08/2018)
Siemens has released multiple advisories to address vulnerabilities within its products. Five advisories were posted on May 3 and provide insight into, among other things, bugs in Medium Voltage SINAMICS products; an improper certificate validation issue in Siveillance VMS Video Mobile App for Android and iOS; and a denial-of-service condition in the vendor's industrial products.

Twitter Tells Users to Reset Passwords After Discovering Bug (05/07/2018)
In response to a bug it discovered, Twitter is advising users to change their passwords. The social media platform said that passwords had been written in plaintext to an internal log, but that there was no indication of a breach or misuse. Twitter hashes passwords with bcrypt, but the bug caused the plaintext to be written to the log before the hashing step completed. The Federal Trade Commission (FTC) posted an advisory regarding the Twitter issue.
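The failure mode above (a request handler that logs its input before the password is hashed) next to the usual fix (redact sensitive fields before anything is logged), as an added example that is not Twitter’s code. The sensitive-key list, the in-memory log sink and the request are constructed for illustration, and standard-library PBKDF2 stands in for bcrypt so the block runs without third-party packages.

```python
import hashlib
import hmac
import os
from typing import Any, Dict, List, Optional

# Keys whose values must never reach a log. Hypothetical list; extend per application.
SENSITIVE_KEYS = {"password", "passwd", "new_password", "old_password", "token", "secret"}


def redact(obj: Any) -> Any:
    """Recursively replace the values of sensitive keys so a request can be logged safely."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 from the standard library, standing in for bcrypt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def change_password_vulnerable(request: Dict[str, Any], log: List[str]) -> str:
    """The bug class: the whole request is logged before the hashing step, so the
    plaintext password lands in the internal log."""
    log.append(f"password_change {request}")
    return hash_password(request["new_password"])


def change_password_fixed(request: Dict[str, Any], log: List[str]) -> str:
    """Redact first, then log; the plaintext never leaves the handler."""
    log.append(f"password_change {redact(request)}")
    return hash_password(request["new_password"])


def log_contains(log: List[str], needle: str) -> bool:
    """Audit helper: does any line in the log sink contain the given plaintext?"""
    return any(needle in line for line in log)


if __name__ == "__main__":
    sink: List[str] = []  # constructed in-memory stand-in for the internal log
    req = {"user": "alice", "new_password": "hunter2", "client": {"token": "abc"}}
    change_password_vulnerable(req, sink)
    change_password_fixed(req, sink)
    for line in sink:
        print(line)
```

The audit helper is the check worth automating: run the real handlers against a capturing log sink in a test and assert the plaintext never appears, so a later change to request logging cannot quietly reintroduce the bug.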

Vulnerabilities in Lantech IDS 2102 Remain Unpatched (05/07/2018)
Lantech's IDS 2102 versions 2.0 and prior are affected by improper input validation and stack-based overflow vulnerabilities. A third-party researcher reported the bugs to the vendor, but Lantech has not been responsive, so he then notified the ICS-CERT, which posted an advisory.

Zero-Day in Internet Explorer's VBScript Engine Exploited Through Patched Microsoft Word (05/09/2018)
Researchers at Kaspersky Lab have analyzed a zero-day exploit that reaches Internet Explorer's VBScript engine through a fully patched Microsoft Word: the malicious document loads IE's rendering engine, which then runs the exploit. Running the sample in a sandbox, the researchers found a use-after-free caused by incorrect object lifetime handling in the VBScript Class_Terminate method. Microsoft confirmed the vulnerability (CVE-2018-8174) and patched it in its May 8 release of security fixes.

Malware Watch – W/E – 051118

Maikspy Malware Steals Info from Windows, Android Users (05/08/2018)
Both Android and Windows users can be victimized and have their data stolen by the Maikspy malware, which masquerades as an adult game. The latest variant appears to be promoting a game called Virtual Girlfriend and can steal contacts, phone numbers, accounts, and more from the user. Trend Micro has analyzed Maikspy.

Symantec Spots Hidden Malware in Android Apps on Google Play (05/09/2018)
Symantec has identified 38 malicious applications in Google Play disguised as games and education apps. These malicious apps hide their existence on victims' devices by removing their icons from the home screen and redirect victims to install another app from Play that displays advertisements and has minimal additional functionality. The malicious apps also load several blog URLs in the background without the user's knowledge. The malware has been detected as Android.Reputation.1. The same malware has been found in Play apps even after Google removed them for being malicious. In a separate report, Symantec noted that the apps are pulled from Play but then reappear with a slightly different name under a new publisher.

Updated SynAck Trojan Uses Doppelgänging Method to Avoid Detection (05/07/2018)
A new variant of the SynAck ransomware Trojan is using the Doppelgänging technique to bypass antivirus security by hiding in legitimate processes. The developers behind SynAck have integrated other evasion techniques in an effort to obfuscate all malware code prior to sample compilation and it exits if signs suggest it is being launched in a sandbox. This is the first time the Doppelgänging technique has been seen in ransomware in the wild, the researchers at Kaspersky Lab said.

CyberCrime – W/E – 051118

Android-Based ZooPark Threat Campaign Found Spying on Middle Eastern Nations (05/07/2018)
Kaspersky Lab has uncovered ZooPark, a sophisticated cyber espionage campaign that has been targeting Android device users based in Middle Eastern countries for several years. Using legitimate Web sites as sources of infection, the campaign appears to be a nation-state backed operation aimed at political organizations, activists, and other targets based in the region. Some of the malicious ZooPark apps are being distributed from news and political Web sites popular in specific parts of the Middle East and are disguised as legitimate apps with names that are recognizable in the targeted countries.

Cybercriminals Take Advantage of Telegram's Security Features to Stay Hidden (05/09/2018)
Researchers at Check Point Software have discovered that cyber thieves are using the Telegram mobile messaging app to hide their malicious activities in the criminal underground. Telegram's hosted chat groups, or "channels," are used to broadcast encrypted messages to an unlimited number of subscribers which remain private to outsiders. Check Point has uncovered such clandestine channels as "Dark Jobs," "Dark Work," and "Black Market," all of which discuss illicit activities.

FBI Report: Cybercrime Resulted in Losses of $1.4 Billion in 2017 (05/08/2018)
The FBI released the Internet Crime Complaint Center (IC3) 2017 Internet Crime Report, which highlights trending Internet scams. The report's data represents a total of 301,580 complaints with reported losses in excess of $1.4 billion USD. The top three crime types reported by victims in 2017 were non-payment/non-delivery, personal data breach, and phishing.

Hide and Seek Botnet Returns with Persistence Tactics (05/10/2018)
Bitdefender has identified a new variant of the Hide and Seek botnet that is using a custom peer-to-peer protocol and is able to survive a reboot to remain persistent on the affected system. The new version includes code that abuses two vulnerabilities to allow the malware to compromise more IPTV camera models. Research has shown that the botnet has 10 different binaries compiled for various platforms, including x86, x64, ARM, and more.

Patched Drupalgeddon Bug Abused in Cryptocurrency Mining Campaign (05/10/2018)
A cryptojacking campaign has been taking advantage of over 400 Web sites, including the San Diego Zoo, that have not been patched against the Drupalgeddon 2.0 vulnerability. All of the affected sites are running outdated versions of the Drupal content management system for which a patch is available. Security researcher Troy Mursch discovered the infected sites, many of which belong to governments and universities from around the world. Lenovo, UCLA, and at least one US federal government agency are known to be infected with the Coinhive JavaScript software that is used by hackers to mine Monero cryptocurrency.

Surface Pro (2017) owners hitting Win10 1803 update blue screens. Now we know why.

As Win10 version 1803 rattles through the unpaid beta-testing phase, it’s snagged another victim — Intel’s aging SSD6 solid-state drives. Both Microsoft and Intel now admit that running Win10 version 1803 on Intel 600p or Pro 6000p is a recipe for disaster.

Some Surface Pro (2017) models ship with “bad” Intel SSD Pro 6000p drives. Customers are complaining about freezes with Win10 version 1803 — and the Microsoft support folks don’t have a clue what’s causing the problem. Now we know.

Here’s how the drama unfolded.

Win10 version 1803 has been in beta testing for centuries, in internet time. The “final” version, build 17134.1, entered the Windows Insider Fast ring almost a month ago, on April 16. In a jumble of mixed-up build numbers, Win10 version 1803 has been officially pushed since April 30. Why did it take so long to figure out that the 600p and Pro 6000p cause problems?

CVE-2016-8627 (jboss_enterprise_application_platform, keycloak)

admin-cli before versions 3.0.0.alpha25 and 2.2.1.cr2 is vulnerable through an EAP feature for downloading server log files: the logs are available via GET requests, which makes them vulnerable to cross-origin attacks. An attacker could trigger the user's browser to request the log files, consuming enough resources that normal server functioning could be impaired.

CVE-2017-6015 (factorytalk_activation)

Without quotation marks, any whitespace in the file path for Rockwell Automation FactoryTalk Activation version 4.00.02 remains ambiguous, which may allow an attacker to link to or run a malicious executable. This may allow an authorized, but not privileged local user to execute arbitrary code with elevated privileges on the system. CVSS v3 base score: 8.8, CVSS vector string: (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Rockwell Automation has released a new version of FactoryTalk Activation, Version 4.01, which addresses the identified vulnerability. Rockwell Automation recommends upgrading to the latest version of FactoryTalk Activation, Version 4.01 or later.
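The unquoted-path ambiguity described above can be audited offline. The following is an added example, not Rockwell Automation's code: it applies the documented Windows CreateProcess rule for an unquoted command line to a service ImagePath value, lists the directories whose write ACLs must be reviewed, and produces the quoted form that removes the ambiguity. The vendor name and path in it are constructed placeholders.

```python
"""Audit helper for the unquoted-path weakness described in CVE-2017-6015.

Added example; not Rockwell Automation's code. Windows resolves an unquoted
command line whose path contains whitespace by trying each whitespace-delimited
prefix in turn (appending ".exe" when the prefix has no extension) until a
file is found. A user-writable directory anywhere along that chain lets a
planted file run in place of the intended service binary, so the audit lists
those directories for ACL review. Paths below are constructed placeholders.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Tuple

_QUOTED = re.compile(r'^\s*"([^"]+)"(.*)$', re.S)


@dataclass
class PathAudit:
    image_path: str
    quoted: bool
    ambiguous: bool                                       # unquoted and more than one candidate
    candidates: List[str] = field(default_factory=list)   # files Windows would try, in order
    review_dirs: List[str] = field(default_factory=list)  # dirs that must not be user-writable


def _split_unquoted(cmd: str) -> Tuple[str, List[str]]:
    """Return (executable, args) for an unquoted command line.

    Assumption: the executable ends at the first whitespace-delimited prefix
    whose extension is .exe; everything after it is treated as arguments.
    """
    tokens = re.split(r"\s+", cmd.strip())
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if ntpath.splitext(prefix)[1].lower() == ".exe":
            return prefix, tokens[i:]
    return " ".join(tokens), []


def candidate_executables(unquoted_cmd: str) -> List[str]:
    """Files CreateProcess would try, in order, for an unquoted command line."""
    exe, _ = _split_unquoted(unquoted_cmd)
    tokens = exe.split(" ")
    out = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:   # no extension -> ".exe" is appended
            prefix += ".exe"
        out.append(prefix)
    return out


def audit_image_path(cmd: str) -> PathAudit:
    """Classify one ImagePath value and list the directories to review."""
    m = _QUOTED.match(cmd)
    if m:                                    # quoted: exactly one interpretation
        return PathAudit(cmd, quoted=True, ambiguous=False, candidates=[m.group(1)])
    cands = candidate_executables(cmd)
    dirs: List[str] = []
    for c in cands[:-1]:                     # every candidate before the real binary
        d = ntpath.dirname(c)
        if d not in dirs:
            dirs.append(d)
    return PathAudit(cmd, quoted=False, ambiguous=len(cands) > 1,
                     candidates=cands, review_dirs=dirs)


def fix_image_path(cmd: str) -> str:
    """Return the command line with the executable path quoted (the usual remediation)."""
    if _QUOTED.match(cmd):
        return cmd
    exe, args = _split_unquoted(cmd)
    return f'"{exe}"' + (" " + " ".join(args) if args else "")


if __name__ == "__main__":
    # Constructed sample; real values live under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
    sample = r"C:\Program Files\Example Vendor\Activation Service\bin\actsvc.exe -run"
    report = audit_image_path(sample)
    print("ambiguous:", report.ambiguous)
    for c in report.candidates:
        print("  would try:", c)
    print("review ACLs on:", report.review_dirs)
    print("fixed:", fix_image_path(sample))
```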

Breaking Bad Behavior: Can AI Combat Insider Threats?

Cyberattacks are on the rise as ransomware continues to plague companies across all industries and malicious actors look to nab bitcoin payouts and steal personal data. The first quarter of 2018 also saw a spike in both distributed denial-of-service (DDoS) attack volume and duration.

But despite the prevalence of these external threats, a February 2018 report found over one in four attacks start inside corporate networks. These insider threats can be devastating, especially if employees have privileged accounts. Plus, threats may go undetected for months if companies aren’t looking inward.

Enterprises need a new way to break bad behavior that takes the guesswork out of identifying accidental (or acrimonious) employee incidents. With that in mind, artificial intelligence (AI) may offer the next iteration of insider attack security.

Cyberattacks: Insider Threats by the Numbers

According to the report, the number of insider attacks varies significantly by sector. In manufacturing, just 13 percent of threats stem from insiders. In the public sector, 34 percent of all incidents start with authorized users. Health care tops the insider threats list with 56 percent of incidents tied to human error or intentional misuse.

In 17 percent of insider breaches, mistakes — rather than malice — were the underlying cause. Employees might send emails to the wrong recipient, improperly delete classified information or misconfigure privacy settings. While intention matters when it comes to discipline and long-term staffing decisions, it has no bearing on the impact of a data breach. Employees who mistakenly click on malicious links or open infected email attachments can subject organizations to the same types of IT disasters that stem from targeted outsider attacks.

The worst-case scenario when it comes to insider threats, according to ITWeb, is a hybrid attack that includes both internal and external actors. Described as a “toxic cocktail,” it’s incredibly difficult to detect and mitigate this type of incident.

IT Security: Need for Speed

The Department of Energy saw a 23 percent boost in cybersecurity spending in 2018, while the Nuclear Regulatory Commission received a 33 percent increase, according to GCN. But no matter how much money organizations invest in cybersecurity, humans remain the weak link in the chain. GCN suggests moving IT security “from human to machine speed” to both detect and resolve potential issues.

Insider threats also took center stage at the 2018 RSA Conference. Juniper Networks’ CEO, Rami Rahim, spoke about the “unfair advantage” criminals enjoy because of the internet since it eliminates the typical constraints of time, distance and identity.

So, it’s no surprise industry experts like Randy Trzeciak of the CERT Insider Threat Center see a role for AI in defending corporate networks against insider threats. Trzeciak noted in a 2018 RSA Conference interview with BankInfoSecurity that “insiders who defraud organizations exhibit consistent potential risk indicators.”

AI offers a way to detect these potential risk patterns more quickly without the inherent bias of human observers — which is critical given the nature of insider attacks. Since these attacks stem from authorized access, organizations may not realize they’ve been breached until the damage is done.

Teaching AI Technology

AI assisting security professionals makes sense in theory, but what does this look like in practice? According to VentureBeat, training is an essential part of the equation. For cybersecurity controls, this means teaching AI to recognize typical patterns of insider threat behavior effectively. These might include regular file transfers off corporate networks onto physical media or private email accounts — or strange account activity that doesn’t coincide with regular work shifts. Individually, these signs could be outliers. But when detected in concert by AI tools, they’re a cause for concern.
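As an added illustration of the "in concert" point (not IBM's or any vendor's tooling), the following rule set evaluates the indicators just listed, transfers to removable media or private e-mail and activity outside a user's shift, over a constructed log, and alerts only when two or more distinct indicators coincide for one user. The log format, shift table and user names are assumptions.

```python
"""Correlate the insider-threat indicators named in the text over a sample log.

Added example, not IBM's or any vendor's tooling. Each event is checked for
three indicators: activity outside the user's shift, a copy to removable
media, and a send to a private e-mail domain. One indicator alone is only an
outlier; an alert needs at least `min_indicators` distinct ones per user.
The log lines, shift table and names below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, Set, Tuple

# Constructed endpoint/DLP-style log: timestamp,user,event,destination,bytes
LOG = """\
2018-05-09T10:12:00,alice,file_copy,usb:SanDisk,2048
2018-05-09T14:30:00,bob,file_copy,share:fs01-projects,10485760
2018-05-09T23:41:00,bob,logon,workstation:WS-017,0
2018-05-09T23:55:00,bob,file_copy,usb:Kingston,734003200
2018-05-10T00:10:00,bob,email_send,gmail.com,52428800
2018-05-10T02:05:00,carol,logon,vpn,0
"""

# Constructed shift table: user -> (shift start, shift end); carol works nights.
SHIFTS: Dict[str, Tuple[time, time]] = {
    "alice": (time(9, 0), time(18, 0)),
    "bob": (time(9, 0), time(18, 0)),
    "carol": (time(22, 0), time(6, 0)),
}

PRIVATE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}


def in_shift(ts: datetime, shift: Tuple[time, time]) -> bool:
    """True if the timestamp falls inside the shift; handles shifts that wrap midnight."""
    start, end = shift
    t = ts.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def indicators_for(line: str) -> Tuple[str, Set[str]]:
    """Return (user, indicators) raised by a single log line."""
    ts_s, user, event, dest, _nbytes = line.split(",")
    ts = datetime.fromisoformat(ts_s)
    found: Set[str] = set()
    if not in_shift(ts, SHIFTS[user]):
        found.add("off_shift_activity")
    if event == "file_copy" and dest.startswith("usb:"):
        found.add("removable_media_transfer")
    if event == "email_send" and dest in PRIVATE_MAIL:
        found.add("private_email_transfer")
    return user, found


def correlate(log: str, min_indicators: int = 2) -> Dict[str, Set[str]]:
    """Return {user: indicators} for users whose distinct indicators reach the threshold."""
    per_user: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        if line.strip():
            user, found = indicators_for(line)
            per_user[user] |= found
    return {u: s for u, s in per_user.items() if len(s) >= min_indicators}


if __name__ == "__main__":
    for user, inds in correlate(LOG).items():
        print(f"ALERT {user}: {sorted(inds)}")
```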

Also concerning is the double-edged nature of intelligence tools. As noted by Health IT Security, AI could be used to both bolster and undermine health data security. There’s also an emerging category of adversarial AI tools designed to automatically infiltrate networks and custom-design attack vectors that can compromise security.

The philosophy of AI development also matters. As shown by recent experiments that released AI-enabled bots into the world of social media, artificial intelligence tools can learn the wrong lessons just as easily as the right ones.

What does this mean for AI as insider defense?

Applied Learning

Insider threats are now a top priority for organizations. Despite good intentions, employees may unwittingly expose critical systems to malware, ransomware or other emerging threats. Given the sheer number of mobile- and cloud-based endpoints, it’s impossible for human security experts to keep pace with both internal and external threats, especially when inside actors may go undetected.

AI offers a way to detect common patterns of compromise and network abuse, restrict access as applicable and report actions taken to IT professionals. The next step toward breaking bad behavior is to implement AI and train it to recognize key patterns, disregard signal noise and accelerate security from human to machine speed.

Learn more about adversarial AI and the IBM Adversarial Robustness Toolbox (ART)

The post Breaking Bad Behavior: Can AI Combat Insider Threats? appeared first on Security Intelligence.

Aided by Palantir, the LAPD Uses Predictive Policing to Monitor Specific People and Neighborhoods

Police stops in Los Angeles are highly concentrated within just a small portion of the population, and the Los Angeles Police Department has been using targeted predictive policing technology that may exacerbate that focused scrutiny. That’s according to a report put out this week by the research and activist organization Stop LAPD Spying Coalition, which draws from the testimony of city residents and newly released police documents to paint a picture of a “racist feedback loop” in which a “disproportionate amount of police resources are allocated to historically hyper-policed communities.”

Survey results included in the report suggest that very few people in Los Angeles bear the brunt of most police interactions: Two percent of residents who responded to the survey reported being stopped by police between 11 and 30 times a week or more, while 76 percent of respondents reported never being stopped at all. The 300 survey respondents were distributed across geography, race, age, and gender. In focus groups, people who lived in areas heavily targeted by police described a state of constant surveillance. Asking “how often do I see police in my area is like asking me how many times do I see a bird in the day,” said one resident.

What’s more, the LAPD has been using technology from the data-mining firm Palantir that may amplify that concentration, as part of a predictive policing program that targets and surveils specific individuals within select neighborhoods based off their recent history with the criminal justice system.

Officers and analysts who work on Operation LASER, or Los Angeles Strategic Extraction and Restoration, are tasked with maintaining an ongoing list of community residents to monitor, by creating “Chronic Offender Bulletins” for so-called persons of interest. Each of the 16 department divisions that currently use the program is required to maintain a minimum of a dozen of these “bulletins,” which are intended to help officers “identify the most active violent chronic offenders” in a given geographical area.

That identification process has two stages: an initial screening phase, in which a “crime intelligence analyst” subjectively decides whether the police records, like arrest reports and field interview cards, associated with an individual are “relevant” enough to move them to a “workup” phase. The “workup” involves software provided by Palantir that pulls data on criminal history and affiliations, and from license plate readers and social media networks, and uses it to create a “chronic offender score” for the individual.

Once someone is deemed a sufficient threat based off their score, officers send them letters and are encouraged to knock on their doors to let them know they’re being monitored. Officers are also instructed to look out for opportunities to stop or arrest them (if they have a warrant out). An October 2017 version of a checklist that instructs analysts and officers on how to deal with chronic offenders was among the documents that Stop LAPD Spying obtained through a California Public Records Act request. (Stop LAPD Spying first provided the documents to In Justice Today, which reported on them Tuesday.)

“If they don’t get stopped, they stop being on the list,” said Dennis Kato, an LAPD deputy chief, in an interview with The Intercept. In other words, the only way for someone to get off a chronic offenders list for an area is to not have any interactions with the police — a sort of Catch-22 since the program is intended to flag individuals for increased police attention. And if someone is removed from the list, they aren’t notified. “I don’t think it’s an ideal system,” Kato said. By early 2019, he says, the entire city of Los Angeles will be using the LASER program.

The report also highlights another predictive policing program currently in use by the LAPD, called PredPol. Both Operation LASER and PredPol are sponsored by the federal Bureau of Justice Assistance’s SMART Policing Initiative, which aims to use “evidence-based, data-driven” policing strategies to try and pre-empt and prevent crime.

PredPol software, marketed by a private company, relies on a machine-learning algorithm much like the ones used by corporate giants such as Facebook and Amazon for advertising purposes. It is a mathematical model that takes three inputs: where a crime was committed, when it was committed, and what type of crime it was. The model is used to calculate “hot spots” throughout a given metropolitan area, 150-square-meter areas where, theoretically, certain types of crimes are more likely to be committed on a given day, which patrol officers use to plan out their daily routes. Studies have already shown that PredPol technology reinforces racially biased policing patterns and practices, but the technology remains in use by the LAPD and at least 50 other law enforcement agencies around the country, according to a PredPol spokesperson.

The Stop LAPD Spying Coalition received October 2017 documents on Operation LASER after filing a lawsuit against the police department in February of this year, but is still waiting on more documents related to the program, including its funding and data sources, according to Hamid Khan, one of the coalition’s co-founders.

Both programs draw on scientific disciplines: PredPol is adapted from models that predict earthquake aftershocks, while the documents obtained by the coalition indicate that the LAPD uses a series of medical analogies to describe the functions and goals of Operation LASER — from the very title of the program, to describing the amount of visible police presence in an area as a “dosage,” to calling repeat offenders “chronic.” The BJA, the federal bureau which sponsors the local program, admits as much: Operation LASER “is analogous to laser surgery, where a trained medical doctor uses modern technology to remove tumors or improve eyesight,” according to a BJA report.

The Stop LAPD Spying Coalition criticizes the scientific assumptions that underlie predictive policing for “pathologizing” individuals and entire neighborhoods, and says that the programs “enable the continuation of decades of discriminatory and racist policing under the apparent neutrality of objective data.”

Unlike PredPol hot spots, so-called LASER zones are based off geographical data and determined in part based on observations that analysts make about a neighborhood and its residents. According to an LAPD document, the analysts ask questions like, “What they were doing? Talking to neighbors? Walking? Driving down the streets slowly? Playing chess in the park? Or, are they dealing drugs on the street corner or just hanging out?”

The coalition’s community-based focus group results indicate that residents, while not always aware of the details of police surveillance in their communities, nonetheless have a sense that it is occurring. “I feel like they already know who you are by the time they stop you or give you a citation,” one resident said. “They already know your name and who you are hanging out with.”

Update: May 11, 2018, 1:35 p.m.
This article has been updated to note that In Justice Today first reported on the documents obtained by the Stop LAPD Spying Coalition.

Top photo: LAPD officers search for robbery suspects near Beverly Drive and Juanita Avenue in the early morning hours of May 5, 2018.

The post Aided by Palantir, the LAPD Uses Predictive Policing to Monitor Specific People and Neighborhoods appeared first on The Intercept.

Connect the Dots: IoT Security Risks in an Increasingly Connected World

Nowadays, there is a lot of noise about the Internet of Things (IoT), as the technology has finally emerged into mainstream public view. IoT technology includes everything from wearable devices equipped with sensors that collect biometric data and smart home systems that enable users to control their lights and thermostats to connected toothbrushes designed to help improve brushing habits. These devices typically come with built-in electronics, software, sensors and actuators. They are also assigned unique IP addresses, which enable them to communicate and exchange data with other machines.

IoT devices make our lives easier. Smart home technology, for example, can help users improve energy efficiency by enabling them to turn on (and off) lights and appliances with the tap of a touchscreen. Some connected devices, such as smart medical equipment and alarm systems, can even help save lives.

However, there are also serious security risks associated with this technology. As the IoT ecosystem expands, so does the attack surface for cybercriminals to exploit. In other words, the more we rely on connected technology in our day-to-day lives, the more vulnerable we are to the cyberthreats that are increasingly tailored to exploit vulnerabilities and design flaws in IoT devices.

This presents a daunting challenge for cybersecurity professionals. They must not only protect their own devices, but they must also defend against threats targeting external machines that might connect to their networks.

Avoiding IoT Security Pitfalls

Potential consequences of an IoT data breach include loss of sensitive personal or enterprise information, which can lead to significant financial and reputational damage, massive distributed denial-of-service (DDoS) attacks designed to take down major websites and more. These incidents often stem from misconfigurations, default or easy-to-guess passwords and inherent vulnerabilities in the devices themselves.

Although many experts are calling for regulatory bodies to implement industrywide standards to hold IoT device manufacturers and developers accountable for these pervasive flaws, progress has been slow on that front. In the meantime, IT professionals and device owners must take security into their own hands by following basic IoT best practices.

The most important rule of thumb for IoT devices manufacturers is to test security during each phase of the development process. It is much easier (and less costly) to nip security issues in the bud during the prerelease stages than to waste resources fixing bugs after devices have infiltrated the market. Once developed, devices should undergo rigorous application security testing, security architecture review and network vulnerability assessment.

When devices ship to end users, they should not come with default passwords. Instead, they should require users to establish strong, unique credentials during the installation process. Since IoT devices collect so much personal data, including biometric information, credit card details and locational data, it’s important to embed encryption capabilities according to the least privilege principle.

Protecting Data Privacy

For organizations deploying IoT technology, it’s crucial to establish an incident response team to remediate vulnerabilities and disclose data breaches to the public. All devices should be capable of receiving remote updates to minimize the potential for threat actors to exploit outlying weaknesses to steal data. In addition, security leaders must invest in reliable data protection and storage solutions to protect users’ privacy and sensitive enterprise assets.

This is especially critical given the increasing need to align with data privacy laws, many of which impose steep fines for noncompliance. Because some regulations afford users the right to demand the erasure of their personal information, this capability must be built into all IoT devices that collect user data. Organizations must also establish policies to define how data is collected, consumed and retained in the IT environment.

To ensure the ongoing integrity of IoT deployments, security teams should conduct regular gap analyses to monitor the data generated by connected devices. This analysis should include both flow- and packet-based anomaly detection.

Awareness Is the Key to IoT Security

As with any technology, an organization’s IoT deployment is only as secure as the human beings who operate it. Awareness training and ongoing education throughout all levels of the enterprise, therefore, are critical. This applies to both device manufacturers and the companies that invest in their technology.

The IoT has the potential to boost efficiency and productivity in both domestic and enterprise settings. However, the exposure of IoT data, or the illegal takeover of devices themselves, can cause immeasurable damage to a business's bottom line and reputation. The keys to unlocking the benefits and avoiding the pitfalls of this technology include embedding security into apps and devices throughout the development life cycle, investing in robust data protection solutions and prioritizing security education throughout the organization.

Listen to the podcast series: Five Indisputable Facts about IoT Security

The post Connect the Dots: IoT Security Risks in an Increasingly Connected World appeared first on Security Intelligence.

IDG Contributor Network: Zero Trust: Why ‘cyber insurance’ offers no GDPR compliance

Unacceptable practice

Virtually every business is struggling to get to grips with the challenges of the new EU General Data Protection Regulation (GDPR). But the current feeding frenzy, from IT vendors to ‘GDPR data experts’ and, now, insurance companies is, quite frankly, unconscionable.

Offering an insurance policy to ‘transfer the risk’ of cyber security breach is nonsense; and emphasizing the new regulatory reporting demands associated with GDPR is a classic piece of misdirection. Wrapping it up with threats about the number of businesses that fail after a security incident is little more than profiteering.

The fact is that no insurer will insure any company against GDPR breach – the costs, from punitive fines to business loss, are simply too high. Secondly, no insurer will cover any organization that fails to protect its data or assets. Leave the door unlocked and the home owner is not covered in the event of burglary – the same applies to poorly secured data. So just what is ‘cyber security insurance’ actually providing?

Airline Ticket Fraud

New research: "Leaving on a jet plane: the trade in fraudulently obtained airline tickets":

Abstract: Every day, hundreds of people fly on airline tickets that have been obtained fraudulently. This crime script analysis provides an overview of the trade in these tickets, drawing on interviews with industry and law enforcement, and an analysis of an online blackmarket. Tickets are purchased by complicit travellers or resellers from the online blackmarket. Victim travellers obtain tickets from fake travel agencies or malicious insiders. Compromised credit cards used to be the main method to purchase tickets illegitimately. However, as fraud detection systems improved, offenders displaced to other methods, including compromised loyalty point accounts, phishing, and compromised business accounts. In addition to complicit and victim travellers, fraudulently obtained tickets are used for transporting mules, and for trafficking and smuggling. This research details current prevention approaches, and identifies additional interventions, aimed at the act, the actor, and the marketplace.

Phishing Site Encrypted With AES Designed to Steal Users’ Apple IDs

Scammers designed a phishing website and encrypted it with the Advanced Encryption Standard (AES) in their attempts to steal unsuspecting users’ Apple IDs. Researchers at Trend Micro came across the phishing campaign on 30 April. It all began when they received an email designed to look like it came from Apple. The email warned recipients […]

The post Phishing Site Encrypted With AES Designed to Steal Users’ Apple IDs appeared first on The State of Security.

Business Is Booming for the U.K.’s Spy Tech Industry

Driving into Cheltenham from the west, it is hard to miss the offices of Government Communications Headquarters, or GCHQ, the United Kingdom’s surveillance agency. The large, doughnut-shaped building sits behind high perimeter fencing with barbed wire and many levels of security. The facility – used to eavesdrop on global emails and phone calls – is located on the edge of the sleepy Gloucestershire town, which feels like an incongruous location for one of the world’s most aggressive spy agencies.

Cheltenham has a population of just 117,000 people, and GCHQ’s presence has turned the area into one of Europe’s central hubs for companies working in the fields of cybersecurity and surveillance. GCHQ says it employs almost 6,000 people in Cheltenham and at some smaller bases around the U.K., although the agency has in recent years secretly expanded its workforce, reportedly employing thousands more staff.

People in the area are now talking of a cyber “corridor” that stretches for 50 miles from Malvern, just north of Cheltenham, all the way to Bristol, where the Ministry of Defence has its equipment and support headquarters at Abbey Wood. Many quaint English towns, known for their farming and country pubs, have seen an influx of companies dealing in cybersecurity and electronic spying. Even office space on former farms is being used for this burgeoning industry.

Chris Dunning-Walton, the founder of a nonprofit called Cyber Cheltenham, or Cynam, organizes quarterly events in the town attended by politicians and entrepreneurs. “Historically, there has been a need for the companies that are working here to be very off the radar with their relationships with GCHQ and to some extent, that does exist,” says Dunning-Walton. But since Edward Snowden leaked information in 2013 about GCHQ’s sweeping surveillance activities, the agency has been forced to come out of the shadows and embrace greater transparency. One consequence of this, according to Dunning-Walton, is that GCHQ is now more open to partnering with private companies, which has helped fuel the cyber industry around the Cheltenham area.

Northrop Grumman, the world’s fifth-largest arms manufacturer, has located its European cyber and intelligence operations in Cheltenham, where it has two offices in the center of the town. In the nearby city of Gloucester, a 20-minute drive west of Cheltenham, Raytheon, the world’s third-largest arms company, in 2015 opened a Cyber Innovation Centre that it says is focused on “big data, analytics and network defense.” BAE Systems Applied Intelligence, the cyber arm of the world’s fourth-largest arms company, also has offices in Gloucester, where it says it “delivers information intelligence solutions to government and commercial customers.”

Many of these companies are secretive about the work they do – especially when it concerns surveillance technology – and refuse to speak to the media. But L3 TRL Technology – which is based in Tewkesbury at the northern tip of this new cyber corridor – does grant an interview via email.

L3 says it provides “electronic warfare” equipment that can jam communication signals and gather intelligence. A spokesperson for the company says it plays “a crucial role in counter terrorism and the protection of military forces with our electronic warfare solutions.” He declines to provide any information about any of the company’s customers. But a video posted on YouTube by a Middle Eastern news agency reveals one potential client: It documents a recent meeting between L3’s parent company and Mohammed bin Zayed, the crown prince of Abu Dhabi and deputy commander of the UAE military.

According to government records, the U.K. has sold weapons and other equipment worth £7.3 billion ($9.9 billion) to the UAE in the past decade, including components for telecommunications eavesdropping technology and “intrusion software,” which is used to hack into targeted phones and computers.

Another Cheltenham-based company is CommsAudit, whose flagship product is a surveillance system called Spectra Black, a portable device that can monitor cellphone calls and other wireless communications. CommsAudit did not respond to a request for comment and does not publicly disclose the identities of its customers. The company was, however, showcasing its products at the 2017 DSEI arms fair in London, which was attended by government delegations from across the world.

Latching onto this wave of innovation, last year the British government pledged £22 million ($30 million) in funding for a new cyber business park on a patch of land close to GCHQ’s headquarters. “It will act as a ‘honeypot’ for cyber security and high tech supply chain businesses,” the promotional literature said, creating 7,000 jobs, while boosting the number of private companies in the area that can then potentially become GCHQ’s suppliers. There is a lot of largesse to go around. GCHQ takes the majority share of the roughly £2.8 billion ($3.8 billion) budget for Britain’s intelligence services and has twice the number of personnel of MI5 and MI6 combined.

David Woodfine, a former head of the Ministry of Defence’s Security Operations Centre, worked inside GCHQ’s Cheltenham headquarters for two years. He left in September 2013 to found Cyber Security Associates, a Gloucestershire-based company providing cyber consultancy services to the public and private sector.

Woodfine says toward the end of his tenure at GCHQ, there was a realization that the agency needed to partner more with private industry. “From a GCHQ perspective, I think their whole attitude has changed from quite a hard approach – ‘we’ll keep everything in-house’ – to ‘actually, we need to open up.’ They changed their recruiting, their apprenticeship schemes, so they are attracting more young talent into their organization.”

The National Cyber Security Centre – which opened in 2016 under the remit of GCHQ – is currently piloting new “Cyber Schools Hubs” in Gloucestershire. The idea is to send staff into local schools to “encourage a diverse range of students into taking up computer science,” in effect grooming the next generation of cyber-competent spies.

GCHQ offers meager salaries compared to the private sector, but the agency can offer prospective employees the chance to work with technologies that they could not use anywhere else – because if they did, they would be breaking the law. “That’s a good way of retaining people on public sector pay,” says Woodfine. “So you can argue that they don’t join for the money, they join for the ability to learn and to test their techniques and their abilities.”

A GCHQ employee can work with the agency for a few years, learn about its tools and methods, and then take that knowledge with them to a job in the more lucrative private sector, where there are plenty of opportunities for surveillance innovation. According to the London-based advocacy group Privacy International, the U.K. has 104 companies producing surveillance equipment for export to foreign governments and corporations. Only the United States – with 122 companies – has more.


A view of the 24-hour operations room at Government Communication Headquarters in Cheltenham on Nov. 17, 2015.

Photo: Ben Birchall/AFP/Getty Images

Since 2013, sales of surveillance and hacking technology have been controlled under the Wassenaar Arrangement, which was signed by 42 countries, including the U.S. and most of Europe. The arrangement is intended to prevent authoritarian regimes from obtaining arms and sophisticated spy tools that could be used to commit human rights violations. However, it is not legally binding. And the U.K. has continued to sell eavesdropping equipment to a number of countries with questionable human rights records, such as Honduras, Bahrain, Saudi Arabia, China, and Qatar.

Inside the bustling Victoria train station in central London, Digital Barriers, which bills itself as the world’s premier video analytics company, has its offices. Video analytics sounds like an arcane branch of the high-tech industry, but in terms of surveillance technology, it is a field that has rapidly advanced in recent years. Zak Doffman, chief executive at Digital Barriers, founded the company in 2010 after recognizing that in the area of video intelligence there was a gap in the international market. Digital Barriers’s technology is designed to analyze video – and identify people’s faces – in real time, at the point where the cameras are placed, rather than having to rely on retrospective analysis.

In its London offices, the company demonstrates to this reporter how even with a scarf wrapped around a person’s face, its software can successfully identify them within a few seconds using a standard surveillance camera. Facial-recognition technology is notoriously inaccurate and can produce false positives, but Digital Barriers claims its software can pick out obscured and blurred faces in crowds and match them with photographs that are held on databases or published on the internet. It is, the company says, most useful for counterterrorism operations. But in the wrong hands, wired up to a nationwide camera network, the technology could potentially be used to trace the movements of millions of people in real time. “We built the business primarily in the public sector working for government agencies,” says Doffman. “We are now working increasingly in the private sector with the commercial customers.”

Digital Barriers’s website boasts that it has clients in more than 50 countries. Doffman won’t reveal the names of his customers, and when questioned about the export licensing process, he says the company’s products are exempt. “It’s not export control per se,” he says, “so there’s no formal restrictions on the technology.” What would he do if countries with authoritarian governments wanted to buy the system? Doffman says only that Digital Barriers has a “moral code on this stuff.”

People within this industry want the technology to remain uncontrolled; they argue that countries with authoritarian governments don’t want this type of video surveillance anyway. “Countries where you have a lot of corruption, the last thing they want is facial recognition,” says one industry source, because of elite factionalism. But that seems scant reassurance for dissidents living in dictatorships that can now freely access this technology at the right price.

Support for this article was provided by the Pulitzer Center on Crisis Reporting.

Top photo: An aerial view of the Government Communications Headquarters, also known as GCHQ, in Cheltenham, Gloucestershire, on July 1, 2014.

The post Business Is Booming for the U.K.’s Spy Tech Industry appeared first on The Intercept.

7 Chrome Extensions Spreading Through Facebook Caught Stealing Passwords

Luring users on social media to visit lookalike versions of popular websites that pop up a legitimate-looking Chrome extension installation window is one of the most common modus operandi of cybercriminals for spreading malware. Security researchers are again warning users of a new malware campaign that has been active since at least March this year and has already infected more than 100,000 users

5 top trends in endpoint security for 2018

Endpoint security is in many ways the direct descendant of the first forms of computer protection in the earliest days of IT. But it's a rapidly developing category, as organizations look to coordinate control of the PCs, servers and phones on their networks to keep out malware and intruders. Let's look at what this year has in store for the industry, as multiple vendors scramble for your attention and money.

What is endpoint security?

Endpoint security is a security approach that focuses on locking down endpoints – individual computers, phones, tablets and other network-enabled devices – in order to keep networks safe. That might sound like a fancy name for putting a firewall and antivirus software on your PC, and indeed in the early days of the category there was some suspicion that it was a marketing buzzphrase to make antivirus offerings sound cutting edge.


Is Trump Trying to Start a War With Iran?


When Israeli Prime Minister Benjamin Netanyahu gave a presentation purporting to reveal new intelligence on Iran’s nuclear program last week, many suspected he had an audience of one in mind: Donald Trump. And on Tuesday, the president cited the Israeli intel as one of the key justifications for his decision to withdraw from the Iran nuclear deal. Does this move us one step closer to war with Iran? Has John Bolton taken the helm of U.S. foreign policy? On this week’s Deconstructed podcast, Tommy Vietor, who served as spokesperson for the U.S. National Security Council under President Obama, breaks down Trump’s latest and scariest political gambit.

Tommy Vietor: I mean, there’s just no case I can understand that explains why he did this on the merits. So that to me leads to the second option for why he did it, which is that he hates Obama.

[Musical interlude.]

Mehdi Hasan: Welcome to Deconstructed. I’m Mehdi Hasan and I’ll be trying this week to understand why Donald Trump made this mad decision on Tuesday:

President Donald J. Trump: I am announcing today that the United States will withdraw from the Iran nuclear deal.

MH: So what happens now? My guest this week is the host of Pod Save the World and co-founder of the Crooked Media podcasting empire, Tommy Vietor, who also served as National Security Council spokesman under President Obama, who, of course, is the one who negotiated the nuclear deal that Trump trashed.

TV: To sort of throw that strategy out the window without anything to replace it does feel like a partisan, dogmatic, stupid thing to do from the neo-cons in the White House now.

MH: Before I get to that interview, this week, I want to try to do something different. Recently, I was watching Israeli Prime Minister Benjamin Netanyahu do an entire PowerPoint presentation on the Iran deal, and on why the Iranians are supposedly lying and cheating, which was basically designed for Donald Trump to watch and lap up: the president of the United States was Bibi’s audience of one.

Now, I know it’s too late, Trump’s made his decision, but I want to try and do the same as Bibi. I want to try and speak directly to the president of the United States today — because obviously he’s a Deconstructed listener — and explain to him as simply as possible why his announcement on Tuesday was so monumentally disastrous and self-destructive. So, here we go.

[Musical interlude.]

MH: Mr. President, if you’re listening, I want to talk to you about your decision to breach the Iran deal, because I think you’ve been kind of misled by some of the people around you. Especially the guy with the moustache!

And I know you must be busy, with golf games to play and porn stars to pay off. So I am going to keep this as simple and to the point as possible.

Mr. President, the Iran nuclear deal, the JCPOA, was working. And it wasn’t just working; it was in the national security interest of the United States. Don’t take my word for it: listen to your own defense secretary, retired General James Mattis, who you love, by the way.

DJT: Secretary Mattis, who is doing a great job, thank you. [Audience applauds.]

MH: Mattis said he backed the deal, on the basis of reading it three times.

General James Mattis: I’ve read it now three times, all 156 pages or whatever it is, the verification, what is in there is actually pretty robust as far as our intrusive ability to get in.

MH: It’s robust and intrusive, he said! Your own guy! Yet you declared in the White House on Tuesday:

DJT: We cannot prevent an Iranian nuclear bomb under the decaying and rotten structure of the current agreement. The Iran deal is defective at its core.

MH: Well, hold on, how many times did you read it before you decided to tear the whole deal up?

OK, that’s unfair, you’re a busy man. You’re the president. I mean, “Fox & Friends” doesn’t watch itself. And I know, the deal document doesn’t have any colorful pictures in it, it’s hard to follow, I get it. I do.

But it wasn’t just Defense Secretary Mattis who wanted you to stay in the deal, as you know. There’s General Joseph Dunford, too, America’s top general, the chairman of the joint chiefs of staff; General John Hyten, head of U.S. Strategic Command; General Joseph Votel, head of US Central Command, CentCom. They all said to you, to Congress, that Iran was complying with the terms of the deal, that the deal had prevented Iran from building nuclear weapons. And yet, you just ignored them! Said the exact opposite of what they said!

Look, Mr. President: I know right now you want to be awarded the Nobel Peace Prize for ending the war on the Korean peninsula. You really want one, don’t you?

[Audience chants, “Nobel! Nobel! Nobel!”]

DJT: That’s very nice. Thank you. Nobel! [He laughs.]

MH: But do you really think the North Korean government is going to do a nuclear deal with you if you’ve violated the nuclear deal that was done with Iran? Why would they trust you to stick to any agreement? I mean, we all know you’re a prolific liar whose word has no value, but by violating the Iran deal this week, by announcing you’re pulling out, you sent a message to the world that the U.S. government as a whole cannot be trusted either to stick to any kind of deals or agreements.

Again, don’t listen to me, just listen to General Dunford:

General Joseph Dunford: Sir, it makes sense to me that our holding up agreements that we have signed, unless there’s a material breach, would have an impact on others’ willingness to sign agreements.

MH: Now, I know you said on Tuesday that Iran can’t be trusted. And look, no one’s saying the Iranian government isn’t guilty of a lot of bad shit — especially in Syria — but the fact is that at least eight different reports from the IAEA, the U.N. agency charged with stopping the spread of nukes, eight different reports say Iran hasn’t been cheating; Iran was sticking to the terms of the nuclear deal when you decided to violate it.

I know, I know, you’ll say, “But don’t the Israelis say Iran’s been cheating?” “Don’t the Israelis claim to have a smoking gun?” You called it.

DJT: Definitive proof that this Iranian promise was a lie.

MH: You’ve been listening to Bibi, haven’t you?

Prime Minister Benjamin Netanyahu: Iran lied big time. The nuclear deal gives Iran a clear path to an atomic arsenal. This is a terrible deal. It should never have been concluded. And in a few days’ time, president Trump will make his decision on what to do with the nuclear deal. I’m sure he’ll do the right thing.

MH: Now Prime Minister Netanyahu has a flair for the dramatic, he has the gift of the gab, he’s a friend of yours, he’s got a record of dishonesty not dissimilar to yours, and, let’s be honest, that scary presentation of his was only for you, Mr. President: you were his audience of one.

But Netanyahu doesn’t actually speak for the Israeli security establishment, who actually support the Iran deal. Yeah, I know, it’s hard to believe. You’ve never heard their names mentioned on Fox or Breitbart, have you? People like General Gadi Eisenkot, head of Israel’s military; Efraim Halevy, former chief of Israel’s spy agency Mossad; Ehud Barak, Israel’s former prime minister, defense minister and most decorated soldier, who says abandoning the nuclear deal is a “mistake.”

Even Bibi’s own former national security adviser, Uzi Arad, says Netanyahu offered “no smoking gun.”

Interviewer: No smoking gun for you, huh?

Uzi Arad: None. At no point was there an indication of any piece of information that they violated the various clauses of the agreement.

MH: Mr. President, I know and you know that the reason you really hate the Iran deal is because it was signed by the black dude. I get it. You want to reverse anything and everything Barack Hussein Obama ever put his Kenyan-Muslim name to. But remember this wasn’t a deal signed only between Obama and Iran. Your allies, Mr. President, the Germans, the Brits, the French, signed that deal; the JCPOA, they still plan on staying in that deal. Listen to what your friend, the President of France, Emmanuel Macron, said in front of Congress last week.

President Emmanuel Macron: That’s why France will not leave the JCPOA. Because we signed it.

MH: So I know you want to scrap it because of Obama, but it’s not just Obama who supports the Iran deal. It’s also your European allies, your own defense secretary and top generals, Israel’s top general and almost all of the top nuclear non-proliferation experts out there.

So Mr. President, I have some bad news because you listened to Benjamin Netanyahu, and to John Bolton and to the Saudis, about an agreement that you clearly haven’t read, with a country you probably can’t find on a map, you’re now much, much less likely than you already were, to win the Nobel Peace Prize. Sorry!

The North Koreans are going to be much more suspicious. You’ve pissed off your allies in Europe. And you’ve put the United States on the path to yet another potentially disastrous war in the Middle East, the kind of Middle East war you yourself slammed on the campaign trail.

DJT: Look at the mess we have. We’ve destabilized the Middle East, and it’s a mess.

MH: So well done! In your pretty transparent attempt to undo the Obama presidency, you may have screwed your own. And, of course, screwed the rest of us, too, the entire world. Good job, Mr. President.

Anyways, I’m done. You can go back to working on your swing.

[Musical interlude.]

MH: My guest today served as press spokesman for President Obama’s National Security Council and has since become a social media and podcasting star. Tommy Vietor is the co-founder of Crooked Media, co-host of Pod Save America and host of Pod Save the World. He’s also a supporter of the Iran deal, and as angry as I am to see it shredded by Donald Trump this week.

[Musical interlude.]

MH: Tommy Vietor, thanks for joining me on Deconstructed.

TV: Hey, thanks for having me.

MH: Tommy, when you heard Donald Trump say this in the Diplomatic Room, of all rooms, of the White House on Tuesday afternoon —

DJT: The United States will withdraw from the Iran nuclear deal.

MH: — what was your instant response, your gut response to that announcement?

TV: Enormous frustration at a couple things. One, he clearly just didn’t have any handle on the substance of the deal. Two, I mean, he was purposely offering disinformation. He said, once again, the White House said that Iran had violated the terms of the agreement that was put into place with the P5+1, the United States, Europeans, Russia, China, and Iran, that limited their nuclear program. That is simply not true.

MH: Just on the substance of the deal and what it means now, the substance of this decision: the Obama administration was often criticized. You were part of the administration, not in 2015, I think you were there until 2013.

TV: Right.

MH: But it was criticized back in 2015 when the deal was actually being signed, it was obviously hammered out in the previous years. It was criticized for saying that the choice was between the deal and war. Given America is now out of the deal as of Tuesday of this week, are we now on a path to war with Iran?

TV: It feels like we are certainly on a path to greater tension and conflict. You have hardliners in Parliament burning the American flag. I obviously, you know, I see that image, I think it’s abhorrent, but it shows you, I think, which side of the political spectrum is likely to be ascendant in the wake of this decision.

MH: You mentioned hardliners in Tehran, and obviously there are hardliners in Tehran, especially the ones who, as you say, you know, burn flags, encourage the burning of U.S. flags. I’m always wondering where the Iranians get all these U.S. flags at such short notice, so quickly. [Mehdi laughs.]

TV: Kinko’s.

MH: A roaring business in Iran. But there are undoubtedly hardliners in Tehran. Here’s the thing though, now America has its own set of hardliners, pretty brazen hardliners. Otherwise, how else do you describe Trump, Pompeo, Bolton, Stephen Miller on Iran and other issues, other than as hardliners? But we only ever seem to call the Iranians hardliners.

TV: Yeah, I mean, I think we, the United States, like, you know, I’ve never been to Iran. I imagine that 99.9 percent of the people commenting on the news on a daily basis or that work in the White House haven’t been to Iran. We have a pretty facile understanding of the people, the culture, their politics. But what we were trying to do with the deal is take the nuclear issue off the table, and hopefully empower some of the more moderate voices like Rouhani and others in their system. And to sort of throw that strategy out the window without anything to replace it does feel like a partisan, dogmatic, stupid thing to do from the, you know, neo-cons in the White House now.

And you know how big John Bolton is smiling. I mean, this has been his ambition for a long time.

MH: Oh yeah, he’s been chuckling on Fox News and elsewhere, all week long since Tuesday.

Laura Ingraham: Are you having fun in this job?

John Bolton: I’m having a great time.

LI: This is kind of like your dream job.

JB: It’s even more fun than being a Fox News commentator. [John laughs.]

MH: What’s baffling to me is that the Iran deal, and I wrote about this this week, the Iran deal is one of those issues where even the military in places like the United States, in places like Israel, are actually almost 100 percent behind it: U.S. generals, U.S. spy chiefs serving and retired, Israeli generals, ex-Mossad spies, and they’ve all lined up and said Iran wasn’t violating the deal, the deal is working, it’s preventing Tehran from building nukes. And yet, despite the military, the top guys in uniforms, coming out and saying, “We back it, too, for security reasons,” you still have Trump able to just scrap it, just like that, Thanos-style with a click of his finger, getting rid of the deal in a single afternoon despite, you know, the military, foreign policy, intelligence and diplomatic establishment all backing it.

TV: You’re right, you’re right. It doesn’t make any sense. I don’t understand why those voices aren’t given more credibility or taken more seriously. Especially, you know, when Netanyahu did his sort of dog and pony show.

MH: The PowerPoint presentation.

TV: Yeah, the PowerPoint presentation, which I should stipulate, like, was an incredibly impressive intelligence success by the Mossad, by the Israeli government, to go in there and get those documents and pull them out. What I took issue with in that presentation was there was no evidence that Iran had resumed its nuclear program since signing the deal, but I believe that the timing and the way it was talked about and the way there was coordination with the Trump administration made it seem like an effort to suggest that that had taken place, rather than that these were historical documents.

But, you know, you had former national security advisors and Mossad officials, et cetera, saying, “This is old news.” And yet, that didn’t seem to matter.

MH: Let alone, a national security adviser, former one, went on TV and said there’s no smoking gun in this.

And interestingly, you mention kind of the collaboration between the Netanyahu administration and the Trump administration, if not between their intelligence agencies, and when you tweeted about Netanyahu’s very melodramatic presentation about Iran’s lies, et cetera, and secrets, you tweeted, and I quote, “After years of bashing U.S. intelligence agencies for getting Iraq WMD wrong, Trump is now cooking up intel with the Israelis to push us closer to a conflict with Iran.” And some people lost their minds.

You were attacked by Tablet magazine for pushing a “vile conspiracy theory,” that apparently, you were partly “blaming the Jews.” How do you respond to kind of batshit criticism like that?

TV: So, if I’m being totally honest, and I try to be self-critical, maybe the words “cooking up” were not the best words, because it led people to interpret me as saying that they fabricated evidence. That’s not at all what I meant. What I meant was they presented old news in such a way as to make it seem like it reflected on the current state of Iran’s nuclear program. And, I feel like, that was borne out by the fact that the Trump administration put out a statement that said Iran has resumed its nuclear program. Trump, yesterday, in a statement said the same and referenced, speaking in the current tense, Netanyahu’s government. So, you know, that seems like a pretty unassailable point.

You know, the notion that any criticism of Netanyahu or of Israel is somehow anti-Semitic, I think that’s, you know, that’s a ridiculous charge. I actually think throwing around an accusation like that makes it harder to call out real vile anti-Semitism, of which there is far too much in this day and age. It’s rising in places like Europe. It’s something we need to focus on and stamp out completely. But, you know, you shouldn’t attack, you know, someone for using an imprecise word in a tweet. Give me a break.

MH: And the Trump folks obviously have been building up to this decision for nearly eighteen months now, since the inauguration, since before the inauguration. Trump himself spent time on the campaign trail viciously attacking the deal.

TV: Yeah.

DJT: My number one priority is to dismantle the disastrous deal with Iran.

DJT: One of the worst deals ever negotiated.

DJT: They are laughing at us back in Iran.

DJT: One of the dumbest deals in world history.

DJT: And it’s a bad deal.

MH: But thanks to The Observer newspaper in the U.K., we now learn that they weren’t just kind of rhetorically attacking the deal, and Obama and the administration you were part of. We now know that they may have been laying the groundwork for this deal pull-out by going after prominent former Obama administration officials who defend the deal in the media, on social media.

The Observer newspaper in the U.K. reported last weekend that an Israeli private intelligence firm, Black Cube, was reportedly hired by people with ties to the Trump administration to dig up dirt on President Obama’s deputy national security adviser Ben Rhodes and Vice President Joe Biden’s national security adviser Colin Kahl, as a way of trying to discredit the deal.

Isn’t this, Tommy, even by the low, low standards of the Trump political era, a bonkers story? I mean Nixonian doesn’t do it justice.

TV: Nixonian does not do it justice. I think anyone who ever served in government anywhere should be shocked and chilled to the core by the idea that they could, you know, work and do public service and then leave the government and have a White House-associated spy company start to go after them. Not to go after policy arguments, like personal stuff about them, to contact their families, to reach out to their spouses, to photograph their homes. I mean, this is some serious, dark, messed up stuff. And I am shocked by the collective yawn that seems to have come in response from Washington D.C. I’m shocked that members of Congress aren’t issuing statements and calling for investigations. I think Democrats in Congress and the Senate, on the Intelligence Committee, on the Oversight Committee, are falling on their faces and doing nothing in response to this. It needs to be fully investigated and this needs to be outlawed, prevented from ever happening again. We need to get to the bottom of what the hell happened here.

MH: And Trump is very proud of what’s going on in North Korea, what might happen in North Korea. He announced at the end of his Iran deal statement on Tuesday that, you know, he’ll be heading there very soon, Pompeo was on his way there.

What I love was in that same statement, he talks about how he’s cancelling the Iran deal because he wants to stand up to Iran’s nuclear blackmail, and then moments later he proudly reminds everyone that he’s heading to the Korean Peninsula to meet with a nuclear armed Kim Jong-un. How is that not giving in to nuclear blackmail?

TV: It’s so frustrating. There’s no consistency. I mean, it’s hard because tearing up the Iran deal, it’s clear the only motivation that’s leading him to do this is that Obama did it and he hates Obama, and antipathy to Obama drives everything that he does.

You know, I support negotiations with North Korea. I pray that we can come to some sort of peaceful diplomatic solution to solve that problem, but the fact that that consistency isn’t more glaring to the entire world, to the press, to everybody else is frustrating.

MH: You mentioned Trump undoing the deal because of Obama. So what I’m wondering is: how much do you think Trump undoing the deal is about him wanting to undo Obama’s achievements, and how much of that desire to undo Obama’s achievements is to do with the fact that Obama is a black dude and he thinks he wasn’t born here?

TV: I think that, I mean the fact that literally no one can articulate a national security benefit that comes from doing the Iran deal is, I think, telling. Certainly the birther movement that Trump was the chief supporter of was a racist movement. I think he probably also hates Obama because Obama mocked him and, you know, that’s everything for Trump. I mean he’s an ego-driven maniac. So that’s where we are.

MH: What a lovely combination, of racism and egomania. Tommy, I spent most of Obama’s two terms, like a lot of people on the left, slamming various aspects of his foreign policy decisions. I didn’t like his drone strikes in Pakistan and Yemen. I didn’t like him killing U.S. citizens without trial. I didn’t like the way he armed dodgy Syrian rebel groups. I didn’t like the fact he was complicit in Israel’s Gaza war, Saudis’ Yemen war. But towards the end of his presidency, I admit I softened on Obama’s foreign policy — you had the Paris climate change agreement, you had the reopening with Cuba and, of course, the Iran nuclear deal. In less than 18 months, though, Donald Trump has undone, scrapped, all of those three things — Paris, Cuba, Iran.

TV: Yeah.

MH: And basically, I’m forced to become a massive Obama defender. I get criticized by left-wingers that say, “Well, what about Obama —?” These were the good things that Obama did that Trump is now destroying.

How much damage do you think Trump has done to Obama’s foreign policy legacy in less than 18 months?

TV: Enormous damage, enormous damage. I mean, I think he’s done enormous damage to that record of accomplishments. I think he’s done enormous damage to U.S. security.

But Obama was criticized from the left on a whole host of issues, in part because I think folks on the left understood that Obama cared what they thought and would actually engage on the merits of those conversations. Like, for example, on drones: Over time, there was a pretty significant evolution in terms of talking about restraining, moving drone usage over to the Department of Defense, right? All those restrictions that Obama talked about, even if people think they were totally insufficient, which is a fair —

MH: They’re all gone now. Yeah.

TV: They’re all gone now.

MH: There was a recent report about how civilian casualties are massively up on drones.

I remember interviewing Ben Rhodes for my Al Jazeera show back in 2015, in the White House, and I kind of really grilled him hard on the failures in Syria, on drones, on all these issues. And he said to me afterwards, he said, “You’ll miss us when we’re gone.” And I kind of laughed. And unfortunately, it’s true! As someone who spent eight years criticizing a lot of what Obama did in international affairs, when you look at the Trump administration now, and there were so many people on the left unfortunately who thought Trump would be less hawkish or more isolationist than Hillary Clinton, you look at what he’s doing now, you can’t help but miss a lot of what Obama did, and I was a critic of Obama. It’s just such a bizarre situation if Trump is that bad, that he’s kind of turned everything on its head, all these old positions, and that’s what he’s thrown out.

TV: It’s hard to know what to think or what to feel. I mean, you know, look, Obama, he was certainly not perfect. I don’t think anyone who worked on Syria policy can look at the situation on the ground and tell you today that that was anything but a failure. It is something that all of us will think about, will re-litigate in our own heads for as long as we live.

But it was also an impossibly difficult problem, and the conversation that usually emerged around it was about military action or no military action. It was about the red line or no red line, arming people or not. It was not about, you know, a broader set of diplomatic or humanitarian responses that helped people who are suffering about allowing refugees into the country, et cetera, and like Trump is just, you know, turned off all those humanitarian policies.

MH: So let me ask you this, I know we’re talking about Iran, but before we finish, the other big story of this week is the Gina Haspel confirmation hearings, the CIA director choice by Donald Trump, who is implicated in all sorts of torture, waterboarding, abuse in her CIA career.

A lot of people, and I would argue, justifiably are pointing the finger at the Administration, you were part of them, saying, you are partly to blame for this appointment. You did not prosecute people like Gina Haspel. Obama wanted to look forwards, not back. That is why Trump is able to bring back the torturers, promote the torturers. Because the Obama administration dropped the ball on this, didn’t want to prosecute these people, when they should’ve been prosecuted.

TV: Yeah, I mean, so, you know, the challenge here is that the Bush DOJ, a whole bunch of career people, non-political appointees evaluated that program and deemed it lawful. And then years later, the Obama DOJ, Eric Holder’s folks, career officials appointed a career prosecutor to investigate them and ended up clearing them, and said that none of their actions broke the law.

Now, if you want to say to me, “It’s really hard to investigate your own people and make a judgment that makes me feel confident in what was rendered,” that’s fine. But I think the CIA’s perspective was, the OLC, the Bush administration, Cheney’s office handed us these legal judgments.

MH: Yeah, “I was only following orders” has never been a defense. Listen —

TV: I’m not defending that. I’m not defending that. I think it’s fucking unconscionable to waterboard someone to the point where they die and you have to bring them back to life.

MH: But just to be clear, you worked for Obama for many years, you’re still a supporter, you said he’s not perfect. I think many people would go further than that in their criticisms. But let’s just agree on one thing — surely it was a mistake for him to come into office in 2009 and say, we’re going to look forward on this issue of torture, not backwards.

TV: So, I don’t know what I think about it. But let me just sort of tell you from his perspective, which is you are sitting on this enormous set of, you’re balancing these two things, which is accountability for this horrific program, this stain on our history and our legacy, which he has ended, but you also are dealing with a whole host of threats going forward in a CIA workforce that is demoralized and beaten down because of Iraq, because of EITs, because of torture and you’re trying to figure out how to keep that building functioning to gather intelligence to keep people safe.

Do I think it would have been a better idea to send some of these people to jail? I honestly don’t know. Like, would the world be safer, better off, if Gina Haspel was prosecuted? I don’t know. But I do know —

MH: Well she wouldn’t be up for the CIA job if she had been.

TV: But here’s what I’d say is: She should be voted down. I don’t think any Democrat should vote for her. I don’t understand why of all the human beings on the planet who could take this job, you name someone who ran a black site. That’s crazy to me. It’s unconscionable. It’s stupid.

MH: What do you think Barack Obama is thinking this week? I saw him post on Facebook in defense of the JCPOA, the Iran deal, a few days ago. But really, his two biggest signature achievements as president were health care at home, Iran deal abroad and Trump has taken an axe to both of them. Do you still talk to him? Is he depressed? Angry? Does he plan to say or do anything about it publicly?

TV: You know, what’s funny about him is after Trump was elected and everybody was despondent and like weeping at their desks, he was the person who was able to step back and say, “Guys, you know, progress is two steps forward, one step back.” I mean, I know that sounds like happy talk and spin, but he is someone who is uniquely able to sort of see the long game in all these things.

I haven’t talked to him in a year or so, so, you know, I don’t know how he feels after the Iran deal was torched. I imagine watching seven years of work go down the tubes must piss him off enormously.

MH: And here’s a last question for you Tommy, as someone who presents a podcast about foreign affairs, international policy, it’s a question that often kind of troubles me, frustrates me as someone who writes about foreign policy: it seems to be easier to get people, especially people in the quote-unquote #resistance mobilized to defend health care or push for a higher minimum wage or come out against corporate tax cuts, but foreign policy is often seen, especially in the United States, as some sort of distant, elite, less important issue than the bread and butter issues at home.

How do you get progressives as worked up about something like the scrapping of the Iran deal, which could go on to cost American lives in the not-too-distant future if we go to war, how do you get them as worked up about that as they are over Medicare for all or debt-free tuition?

TV: This is a great question. You know, the way I think about it is, I think people sometimes feel like these issues are too complicated and that smarter people than them should focus on them and figure them out. The reason I started my show, Pod Save the World, is because I think the opposite is true, is that if you are not intimidated by the acronyms and by the faraway places, you can actually engage on these issues and learn and be a part of these conversations and vote accordingly.

I, though, I remain continually frustrated every day that when I do a show on genocide in Burma, against the Rohingya, a Muslim minority population that is being driven out en masse, hundreds and hundreds of thousands of people slaughtered, you see the numbers go way down and you get fewer listeners. I have not cracked the code on getting people to care, to mobilize and to focus on these issues. Then I see a whole bunch of kids in Parkland, you know, get a million-some-odd people at a rally in Washington D.C., and I think, you know what? Maybe the answer is talking to that generation and engaging them as much as we can because those kids seem like they can do anything.

MH: Yeah, and if they don’t come out, the problem is it’s left to the geniuses in Washington D.C., who bring back people like John Bolton to decide foreign policy.

There’s that famous William F. Buckley quote, the conservative journalist said, “I’d rather entrust the government of the United States to the first 400 people listed in the Boston telephone directory than to the faculty of Harvard.” And I often feel that way about foreign policy. U.S. foreign policy would be much better off with 400 people from the phone book than from some of the people in this town, sadly. And we’re seeing the effects of that this week.

Tommy, thanks so much for taking time out to come on the show and being on Deconstructed.

TV: Thank you for having me. I appreciate it. It was great to be here. Good to talk to you, and hope to do it again.

MH: Good to talk to you, too. Thanks.

TV: Alright. Bye.

[Musical interlude.]

MH: That’s our show.

Deconstructed is a production of First Look Media and The Intercept, and is distributed by Panoply. Our producer is Zach Young. Dina Sayedahmed is our production assistant. Leital Molad is our executive producer. Our theme music was composed by Bart Warshaw. Betsy Reed is The Intercept’s editor in chief.

I’m Mehdi Hasan. You can follow me on Twitter @mehdirhasan. If you haven’t already, please do subscribe to the show, so you can hear it every Friday. Go to theintercept.com/deconstructed to subscribe from your podcast platform of choice, iPhone, Android, whatever. If you’re subscribed already, please do leave us a rating or review — it helps people find the show. And if you want to give us feedback, email us at Podcasts@theintercept.com. Thanks so much!

See you next week.

The post Is Trump Trying to Start a War With Iran? appeared first on The Intercept.

West Virginia Republican Said Teachers Won’t “Have Any Significant Effect” On Elections. Then They Voted Him Out.

Following the longest teacher strike in West Virginia’s history, the state’s educators won a 5 percent pay raise. The much-needed hike lifted spirits and helped spark walkouts around the country, but the larger political implications of the increase in teacher activism are still unclear.

Are lawmakers who opposed the teacher movement going to pay a political price? Will politicians who stood with them be rewarded?

Republican state Sen. Robert Karnes thought he knew the answer to that. He’s a longtime political foe of the state’s unions — he once referred to union members who were assembled in the legislative gallery as “free riders” as he advocated for right-to-work legislation. During the teacher strike, he had complained that they were holding kids “hostage.”

In late March, he told a local newspaper that he couldn’t imagine there would be much political fallout from the strikes.

“I can’t say that it will have zero effect, but I don’t think it’ll have any significant effect because, more often than not, they probably weren’t voting on the Republican side of the aisle anyways,” he said of the state’s teachers.

On Tuesday, they did just that. And Karnes lost re-election.

Labor activists, it turns out, know how to get involved on the Republican side of the aisle, too. Karnes was facing a primary challenge from fellow Republican Delegate Bill Hamilton, who beat him, with all the votes counted, 5,787 to 3,749. It was a blowout.

Hamilton is a moderate Republican who opposes right-to-work and was sympathetic to the teacher strikes, breaking with those in his party who wanted to offer only a smaller raise.

Unions responded by heavily investing in his campaign; he raised over $10,000 of his $53,850 haul from organized labor.

Karnes poked fun at this support base with tweets sent out just hours before he was officially defeated:

The win followed a surprising strategy because, as Karnes assumed, organized labor is traditionally aligned with Democrats and participates in Democratic primaries far more often than GOP primaries.

Edwina Howard-Jack, a high school English teacher and Indivisible activist in Upshur County, the area that Karnes represents, told The Intercept that some labor activists were concerned that after the strike wound down, teachers would be less active in politics. But Karnes’s defeat proved to her that they are still a potent force.

“I think that teachers showed their political power in the primary,” she told The Intercept. “Teachers showed up and they were voting in their 55 united, 55 strong shirts. … Once the results started rolling in, it was phenomenal. Teachers were really empowered to say, if we stick together we can make a difference.”

“I heard one teacher today say … after yesterday they may want to think twice about arming teachers,” she joked. She told The Intercept that a number of teachers chose a nonpartisan affiliation so they could vote in the Republican primary on Tuesday; under West Virginia’s rules, you either have to belong to the party or be an unaffiliated voter in order to vote in the primary.

Howard-Jack described Hamilton as a more accommodating Republican who has listened to teachers.

“Bill Hamilton, he’s more bipartisan. He will listen to our concerns. He’s more personalized with us when we were trying to pass the medical marijuana bill last year. For instance, I called his office to talk to him to find out his position to see if I could convince him to support it. He spoke to me in person; he assured me that, yes, he was willing to support it and that he was doing all he could to make that happen,” she said. “So there are issues where he’s willing to cross party lines, and that’s really appealing to people here. Because teachers were really trying to be more issue-oriented, and teachers were looking for [someone who], No.1, had integrity, someone they could trust, someone who was part of the community.”

Top photo: In Charleston, W.Va., school teachers react to news that West Virginia Gov. Jim Justice and Senate Republicans reached a tentative deal to end a strike by giving them 5 percent raises on March 6, 2018.

The post West Virginia Republican Said Teachers Won’t “Have Any Significant Effect” On Elections. Then They Voted Him Out. appeared first on The Intercept.

10 competitors Cisco just can’t kill off


Creating a short list of key Cisco competitors is no easy task, as the company now competes in multiple markets. In this case we tried to pick companies that have been around a while, or firms that have developed key technologies that directly impacted the networking giant. Cisco is now pushing heavily into software and security, a move that will open it up to myriad new competitors as well. Take a look.
