Daily Archives: July 12, 2018

Hiring, Training and Retention at the Mercedes-Benz Stadium

When the Mercedes-Benz Stadium was being built, leadership at AMB Sports & Entertainment decided to aim high when it comes to the quality of experience for fans attending events and games there. One key factor to becoming an “elite” venue, says Joe Coomer, CSSP, Vice President, Security, AMB Sports & Entertainment, was the game day associates – including parking attendants, ushers, beer vendors, the popcorn guy and, of course, the security staff.

Communication: A Significant Cultural Change for Embracing DevOps

Organizations can reap huge rewards by switching to a DevOps software development model. Some enterprises don’t know how to make the change. Recognizing that fact, I’ve spent the past few weeks discussing the benefits of a DevOps model, outlining how organizations can plan their transition, identifying problems that companies commonly encounter and enumerating steps […]

The post Communication: A Significant Cultural Change for Embracing DevOps appeared first on The State of Security.

Clearing the Air

Google’s New “No Chrome Browser Injection Policy” Has No Impact on Digital Guardian’s DLP Capabilities

Cisco FXOS and NX-OS Software Cisco Fabric Services Arbitrary Code Execution Vulnerability

A vulnerability in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to read sensitive memory content, create a denial of service (DoS) condition, or execute arbitrary code as root.

The vulnerability exists because the affected software insufficiently validates Cisco Fabric Services packet headers. An attacker could exploit this vulnerability by sending a crafted Cisco Fabric Services packet to an affected device. A successful exploit could allow the attacker to cause a buffer overflow or buffer overread condition in the Cisco Fabric Services component, which could allow the attacker to read sensitive memory content, create a DoS condition, or execute arbitrary code as root.
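The advisory says only that packet headers are insufficiently validated. The Python below is an added illustration of that failure class, not Cisco's code and not the Cisco Fabric Services wire format (which the advisory does not describe): it parses a constructed four-byte header and performs the checks whose absence produces exactly the outcomes listed above, an overread when the declared length exceeds the bytes received and an overflow when it exceeds the receiving buffer. The header layout, version number, size limit and message types are all assumptions made for the example.

```python
import struct
from typing import Dict, Tuple

# Constructed, illustrative header layout for this example. It is NOT the
# Cisco Fabric Services wire format, which the advisory does not describe:
# 1-byte version, 1-byte message type, 2-byte big-endian payload length.
HEADER = struct.Struct("!BBH")
SUPPORTED_VERSION = 1
MAX_PAYLOAD = 1024            # assumed protocol maximum for this toy format
KNOWN_TYPES = {1, 2, 3}       # assumed valid message types


class MalformedPacket(ValueError):
    """Raised for any packet the parser refuses to process."""


def parse_packet(packet: bytes) -> Tuple[int, bytes]:
    """Return (message_type, payload) or raise MalformedPacket.

    Each check corresponds to a way attacker-controlled header fields drive a
    trusting parser out of bounds: short input (header overread), oversized
    declared length (copy past a fixed-size buffer), declared length beyond the
    bytes actually received (payload overread), and trailing bytes (desync).
    """
    if len(packet) < HEADER.size:
        raise MalformedPacket(f"truncated header: {len(packet)} bytes")
    version, msg_type, length = HEADER.unpack_from(packet, 0)
    if version != SUPPORTED_VERSION:
        raise MalformedPacket(f"unsupported version {version}")
    if msg_type not in KNOWN_TYPES:
        raise MalformedPacket(f"unknown message type {msg_type}")
    if length > MAX_PAYLOAD:
        raise MalformedPacket(f"declared length {length} exceeds {MAX_PAYLOAD}")
    available = len(packet) - HEADER.size
    if length != available:
        raise MalformedPacket(f"declared length {length} but {available} bytes present")
    return msg_type, packet[HEADER.size:]


def build_packet(msg_type: int, payload: bytes, version: int = SUPPORTED_VERSION) -> bytes:
    """Encode a well-formed packet in the toy format."""
    return HEADER.pack(version, msg_type, len(payload)) + payload


def triage(packets: Dict[str, bytes]) -> Dict[str, str]:
    """Run each labelled packet through the parser; map label -> 'ok' or the rejection reason."""
    results = {}
    for label, pkt in packets.items():
        try:
            parse_packet(pkt)
            results[label] = "ok"
        except MalformedPacket as exc:
            results[label] = str(exc)
    return results


# Constructed sample packets, one per failure mode the checks above guard against.
SAMPLES = {
    "benign": build_packet(1, b"hello"),
    "truncated": b"\x01\x01",
    "oversized_length": HEADER.pack(1, 1, 0xFFFF) + b"A" * 8,
    "length_past_end": HEADER.pack(1, 2, 64) + b"A" * 8,
    "trailing_bytes": HEADER.pack(1, 3, 2) + b"AB" + b"junk",
    "bad_version": build_packet(1, b"x", version=9),
}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLES).items():
        print(f"{label:18} {verdict}")
```

The "length_past_end" and "oversized_length" samples are the two halves of the advisory's "buffer overflow or buffer overread" wording: one declares more bytes than were received, the other more than any fixed receiving buffer should accept. A parser that reads the length field and copies without these comparisons is the bug; the order of the checks (size before trusting any field) is the fix.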

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.

Security Impact Rating: Critical
CVE: CVE-2018-0304

Your IoT security concerns are stupid

Lots of government people are focused on IoT security, such as this bill or this recent effort. They are usually wrong. It's a typical cybersecurity policy effort which knows the answer without paying attention to the question. Government efforts focus on vulns and patching, ignoring more important issues.

Patching has little to do with IoT security. For one thing, consumers will not patch vulns, because unlike your phone/laptop computer which is all "in your face", IoT devices, once installed, are quickly forgotten. For another thing, the average lifespan of a device on your network is at least twice the duration of support from the vendor making patches available.

Naive solutions to the manual patching problem, like forcing autoupdates from vendors, increase rather than decrease the danger. Manual patches that don't get applied cause a small, but manageable constant hacking problem. Automatic patching causes rarer, but more catastrophic events when hackers hack the vendor and push out a bad patch. People are afraid of Mirai, a comparatively minor event that led to a quick cleansing of vulnerable devices from the Internet. They should be more afraid of notPetya, the most catastrophic event yet on the Internet that was launched by subverting an automated patch of accounting software.

Vulns aren't even the problem. Mirai didn't happen because of accidental bugs, but because of conscious design decisions. Security cameras have unique requirements of being exposed to the Internet and needing a remote factory reset, leading to the worm. While notPetya did exploit a Microsoft vuln, its primary vector of spreading (after the subverted update) was via misconfigured Windows networking, not that vuln. In other words, while Mirai and notPetya are the most important events people cite supporting their vuln/patching policy, neither was really about vuln/patching.

Such technical analysis of events like Mirai and notPetya is ignored. Policymakers are only cherrypicking the superficial conclusions supporting their goals. They assiduously ignore in-depth analysis of such things because it inevitably fails to support their positions, or directly contradicts them.

IoT security is going to be solved regardless of what government does. All this policy talk is premised on things being static unless government takes action. This is wrong. Government is still waffling on its response to Mirai, but the market quickly adapted. Those off-brand, poorly engineered security cameras you buy for $19 from Amazon.com shipped directly from Shenzhen now look very different, having less Internet exposure, than the ones used in Mirai. Major Internet sites like Twitter now use multiple DNS providers so that a DDoS attack on one won't take down their services.

In addition, technology is fundamentally changing. Mirai attacked IPv4 addresses outside the firewall. The 100-billion IoT devices going on the network in the next decade will not work this way, cannot work this way, because there are only 4-billion IPv4 addresses. Instead, they'll be behind NATs or accessed via IPv6, both of which prevent Mirai-style worms from functioning. Your fridge and toaster won't connect via your home WiFi anyway, but via a 5G chip unrelated to your home.

Lastly, focusing on the vendor is a tired government cliché. Chronic internet security problems that go unsolved year after year, decade after decade, come from users failing, not vendors. Vendors quickly adapt, users don't. The most important solutions to today's IoT insecurities are to firewall and microsegment networks, something wholly within the control of users, even home users. Yet government policy makers won't consider the most important solutions, because their goal is less cybersecurity itself and more how cybersecurity can further their political interests.

The best government policy for IoT is to do nothing, or at least to focus on more relevant solutions than patching vulns. The ideas proposed above will add costs to devices while yielding insignificant benefits to security. Yes, we will have IoT security issues in the future, but they will be new and interesting ones, requiring different solutions than the ones proposed.

The Most Common Hack Is Also the Most Successful. Here’s How to Fight It.

Despite what movies might show, most hacks don’t involve frantic typing or brute-force attacks. In fact, Verizon’s “2017 Data Breach Investigations” report revealed that 90 percent of successful hacks aren’t hacks at all: They’re social engineering.

Simply put, social engineering is about manipulating people rather than computers. Modern hackers have discovered that it is easier to ask for data than it is to take it by force. These manipulators continue to trick everyone from secretaries to CEOs into giving up passwords, network access, and everything else they want. To safeguard against hacking, cloud service providers don’t need stronger firewalls; they need to learn how to protect themselves from human-to-human deception.

What Do Hackers Want?

Social engineers have different goals, but these hackers generally have one of two motivations: Some do it for personal profit; others commit intellectual property theft as state-sponsored actors.

The first group of social engineering hackers gain access to personal data (like credit card and Social Security numbers) to sell on the dark web. Last year, NBC News reported that breaches for personal gain are on the rise, especially those targeting Social Security numbers, which means hackers are getting more comfortable using this type of strategy.

But don’t discount the second group: state-sponsored hackers. Private companies might not feel as threatened by social engineers working on behalf of other governments, but they should. The Equifax breach appears to be the work of state-sponsored Chinese professionals, according to the Chicago Tribune. And, of course, the social engineering activities of hackers sponsored by Russia are well-documented. In Verizon’s report, 94 percent of the 620 breaches in the manufacturing sector last year qualified as espionage. Any company with intellectual property that can be stolen or copied should be wary of attacks from foreign agents.

How to Stop Social Engineers

Companies in every industry should fear the ramifications of a successful breach. Hackers typically target companies in financial services, government, healthcare, and retail, but they’re opportunistic above all else. If a company doesn’t protect its data well, hackers will eventually discover the weaknesses and take what they want. Usually, though, they won’t bother trying to force their way in — they let their victims do the work for them.

Social engineering takes many forms. Hackers send mass emails to businesses, leave USB drives in parking lots, send physical media in the mail, and make phone calls pretending to be other people. Even if they fail 99 percent of the time, their occasional successes provide all the incentive they need to keep going.

To protect your company against social engineering, follow these tips:

  1. Inventory data assets, and restrict access appropriately.

If you don’t know where your information is, you can’t protect it. Start your protective measures by identifying and classifying all the data you store. Don’t forget the data your users store in spreadsheets and Word documents. This isn’t just about your production databases.

Start by asking yourself the same questions a hacker might ask: What happens to customer data after you receive it? Where do you store sensitive intellectual property, and who has access to that information? If hackers want to get your financial records or product designs, who would they need to trick into giving it to them?

Classify that data by tiers ranging from highly sensitive to totally public. Customer data and intellectual property deserve the strictest security. After you complete your review, set a schedule to reassess these data flows at regular intervals to plug potential leaks before they happen.

  2. Require multifactor authentication.

According to the Verizon report, 81 percent of hacks involve weak or stolen passwords. Deloitte suffered just such a breach, one that could have been easily avoided: after hackers got the password to an administrator’s account, they logged in and stole data from an email server. If that administrator had implemented MFA, the hackers would have been stumped.

Require anyone with access to sensitive data to use MFA on all company accounts. Text messaging is the most common MFA technique, and while this method isn’t totally secure, it’s better than nothing. Soft tokens, like push notifications, are a stronger option. For administrators with the keys to the kingdom, require a hard token (like a USB drive) that guarantees that the person entering the password has the right to do so.

  3. Use communication media with end-to-end encryption.

Encrypt data both when it’s stored and as it transfers from one place to another. This end-to-end encryption ensures hackers can’t actually use any data they manage to grab.

Use end-to-end encryption on everything from customers’ credit cards to employee emails. Microsoft recently introduced end-to-end encryption into Outlook, allowing users to shield their emails from would-be attackers and prevent unintended parties from gaining access to sensitive information.

  4. Create a culture of security.

Ultimately, the most important line of defense in data protection comes down to the social engineers’ targets: employees. By now, most people know that those Nigerian princes aren’t real, but not everyone knows how to spot a well-crafted hacker persona. For example, UC Davis Health suffered a breach last year when a hacker impersonated an employee through email and proceeded to access the university’s health data.

Regularly educate employees on evolving phishing tactics. Talk to employees in different roles about how people might approach them to ask for illegitimate access. Remind workers about the importance of internal security, and help them easily report suspicious requests.

These tips will help you safeguard your organization against social engineers. However, if someone still manages to access your data, don’t try to hide it — contact local FBI agents immediately. Your data can’t be “unhacked,” but you might be able to stop the hackers before they do any more damage.

The ISBuzz Post: This Post The Most Common Hack Is Also the Most Successful. Here’s How to Fight It. appeared first on Information Security Buzz.

Choosing Convenience Or Security?

Please find the comment below, from Andy Cory, Identity Management Services lead at KCOM as part of our security experts comments series on latest cyber security news.

Andy Cory, Identity Management Services lead at KCOM:

“There has always been a conflict between security and convenience. Consumers are increasingly irritated by intrusive authentication measures, including obscure security questions and complicated passwords. They want their lives to be made constantly easier, so are happiest using apps and services that are both simple and fast to log into. However, they may fail to understand that the smoothest logins are compromising security for the sake of that convenience. All too often this ends in disaster, as we have seen with Timehop this week.

“It is time we found a balance between these tricky demands. The future of secure authentication is certainly multi-factor, but it should also aim for low friction. To improve customer experience without reducing security, authentication strategies should be both integrated and simple.

“An example of this would be an ‘adaptive’ authentication mechanism that reviews a combination of factors such as geographic location, source IP address, device fingerprint as well as a password before allowing the user access. Most of this information can be obtained from the device being used, while the consumer only has to provide their password. This gives multi-factor authentication where the user is only aware of one factor.

“If an authentication platform determines that the person trying to log in using your username and password is doing so from the device you usually use and from the location from which you usually log in, that gives a good indication that it’s really you. This means the platform doesn’t feel the need to ask you to provide the middle name of your favourite cricket player, or the colour of the first pair of socks you ever bought, before trusting that you are indeed you.”

The ISBuzz Post: This Post Choosing Convenience Or Security? appeared first on Information Security Buzz.
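The adaptive mechanism Andy Cory describes above (device, network and location checked silently, password the only factor the user sees) reduces to a scoring decision per login. The Python below is an added example of one such decision, not KCOM's product or code: the signal weights, the allow threshold, the /24 network coarsening and the sample user history are all assumptions chosen for the illustration. A wrong password is always refused; a correct password from a familiar context is allowed with no further prompt; an unfamiliar context triggers a visible second factor instead of a security question.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple


class Decision(Enum):
    DENY = "deny"          # password wrong: the visible factor failed
    ALLOW = "allow"        # password plus silent factors agree with the user's history
    STEP_UP = "step_up"    # ask for a visible second factor before granting access


@dataclass
class UserProfile:
    """Constructed per-user history learned from earlier successful logins."""
    known_devices: Set[str] = field(default_factory=set)
    known_networks: Set[str] = field(default_factory=set)    # IPv4 /24 prefixes
    known_countries: Set[str] = field(default_factory=set)


@dataclass
class LoginAttempt:
    device_fingerprint: str
    source_ip: str
    country: str           # assumed to come from a geolocation lookup of source_ip
    password_ok: bool


# Assumed weights and threshold; a real platform tunes these from its own login data.
WEIGHTS = {"new_device": 40, "new_network": 20, "new_country": 40}
ALLOW_BELOW = 30


def network_prefix(ip: str) -> str:
    """Coarsen an IPv4 address to its /24 so DHCP churn on a home line stays familiar."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def evaluate(profile: UserProfile, attempt: LoginAttempt) -> Tuple[Decision, int, List[str]]:
    """Combine the password with the silent signals and return (decision, score, signals)."""
    if not attempt.password_ok:
        return Decision.DENY, 0, ["bad_password"]
    signals = []
    if attempt.device_fingerprint not in profile.known_devices:
        signals.append("new_device")
    if network_prefix(attempt.source_ip) not in profile.known_networks:
        signals.append("new_network")
    if attempt.country not in profile.known_countries:
        signals.append("new_country")
    score = sum(WEIGHTS[s] for s in signals)
    decision = Decision.ALLOW if score < ALLOW_BELOW else Decision.STEP_UP
    return decision, score, signals


def record_success(profile: UserProfile, attempt: LoginAttempt) -> None:
    """Enrol the context only after the login fully succeeds, including any step-up factor."""
    profile.known_devices.add(attempt.device_fingerprint)
    profile.known_networks.add(network_prefix(attempt.source_ip))
    profile.known_countries.add(attempt.country)


def demo_profile() -> UserProfile:
    """Constructed example: a user who normally logs in from one laptop at home in GB."""
    return UserProfile({"fp-laptop-a1"}, {"203.0.113.0/24"}, {"GB"})


if __name__ == "__main__":
    profile = demo_profile()
    for attempt in (LoginAttempt("fp-laptop-a1", "203.0.113.7", "GB", True),
                    LoginAttempt("fp-laptop-a1", "198.51.100.9", "GB", True),
                    LoginAttempt("fp-phone-b2", "203.0.113.7", "GB", True),
                    LoginAttempt("fp-other", "192.0.2.1", "US", True)):
        print(attempt.device_fingerprint, attempt.source_ip, evaluate(profile, attempt))
```

Note that a new network alone (the same laptop from a coffee shop) stays under the threshold, which is the "user is only aware of one factor" experience the comment describes, while a new device or a new country is where the platform asks for something more. The enrolment step matters for security as much as the scoring: a device should only become "known" after the step-up factor has been satisfied, otherwise an attacker with the password enrols their own device on the first try.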

NBlog July 13 – ISO/IEC 27001 Annex A status

I've just completed an internal audit of an ISO27k ISMS for a client. By coincidence, a thread on ISO27k Forum this morning brought up an issue I encountered on the audit, and reminded me of a point that has been outstanding for several years now.

The issue concerns the formal status of ISO/IEC 27001:2013 Annex A arising from ambiguities or conflicts in the main body wording and in the annex. 

Is Annex A advisory or mandatory?  Are the controls listed in Annex A required by default, or optional, simply to be considered or taken into account?

The standard is distinctly ambiguous on this point, in fact there are direct conflicts within the wording - not good for a formal specification against which organizations are being audited and certified compliant.

Specifically, main body clause 6.1.3 Information security risk treatment clearly states as a note that "Organizations can design controls as required, or identify them from any source." ... which means they are not required to use Annex A.

So far so good .... however, the very next line of the standard requires them to "compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted". This, to me, is a badly-worded suggestion to use Annex A as a checklist. Some readers may interpret it to mean that, by default, all the Annex A controls are "necessary", but (as I understand the position) that was not the intent of SC 27.  Rather, "necessary" here refers to the organization's decision to treat some information risks by mitigating them using specific controls, or not. If the organization chooses to use certain controls, those controls are "necessary" for the organization, not mandatory for compliance with the standard.

To make matters worse still, a further note describes Annex A as "a comprehensive list of control objectives and controls", a patently false assertion. No list of control objectives and controls can possibly be totally comprehensive since that is an unbounded set. For starters, someone might invent a novel security control today, one that is not listed in the standard since it didn't exist when it was published. Also, there is a near-infinite variety of controls including variants and combinations of controls: it is literally impossible to identify them all, hence "comprehensive" is wrong.

The standard continues, further muddying the waters: "Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.  NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed."  This directly contradicts the previous use of "comprehensive".

As if that's not bad enough already, the standard's description of the Statement of Applicability yet again confuses matters.  "d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A".  So, despite the earlier indication that Annex A is merely one of several possible checklists or sources of information about information security controls, the wording here strongly implies, again, that it is a definitive, perhaps even mandatory set after all.

Finally, Annex A creates yet more problems. It is identified as "Normative", a key word in ISO-land meaning "mandatory". Oh. And then several of the controls use the key word "shall", another word reserved for mandatory requirements in ISO-speak.

What a bloody mess!

Until this is resolved by wording changes in a future release of the standard, I suggest taking the following line:
  • Identify and examine/analyse/assess/evaluate your information risks;
  • Decide how to treat them (avoid, mitigate, share and/or accept);
  • Treat them however you like: it is YOUR decision, and you should be willing to justify your decision … but I generally recommend prioritizing and treating the most significant risks first and best, working systematically down towards the trivia where the consequences of failing to treat them so efficiently and effectively are of less concern;
  • For risks you decide to mitigate with controls, choose whatever controls suit your situation.  Aside from Annex A, there are many other sources of potential controls, any of which might be more suitable and that’s fine: go right ahead and use whatever controls you believe mitigate your information risks, drawing from Annex A or advice from NIST, DHS, CSA, ISACA, a friend down the pub, this blog, whatever. It is your choice. Knock yerself out;
  • If they challenge your decisions, refer the certification auditors directly to the note under 6.1.3 b): “NOTE Organizations can design controls as required, or identify them from any source.” Stand your ground on that point and fight your corner. Despite the other ambiguities, I believe that note expresses what the majority of SC27 intended and understood. If the auditors are really stubborn, demonstrate why your controls are at least as effective or even better than those suggested in Annex A;
  • Perhaps declare the troublesome Annex A controls “Not applicable” because you prefer to use some other more appropriate control instead;
  • As a last resort, declare that the corresponding risks are acceptable, at least for now, pending updates to the standard and clearer, more useful advice;
  • Having supposedly treated the risks, check that the risk level remaining after treatment (“residual risk”) is acceptable, otherwise cycle back again, adjusting the risk treatment accordingly (e.g. additional or different controls).
If you are still uncertain about this, talk it through with your certification auditors – preferably keeping a written record of their guidance or ruling. If they are being unbelievably stubborn and unhelpful, find a different accredited certification body and/or complain about this to the accreditation body.  You are the paying customer, after all, and it’s a free market!
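The treatment cycle in the bullets above (assess, decide, treat, check the residual risk, cycle back, and record the result in a Statement of Applicability that justifies inclusions and Annex A exclusions) is straightforward to model. The Python below is an added example of that loop, not from the post and not an ISO artefact: the 1-5 likelihood/impact scale, the acceptance threshold, the "A-n" labels standing in for Annex A references, and the sample register are all constructed for the illustration. Controls from any source compete on equal terms, which is the point the post makes about the 6.1.3 note.

```python
from dataclasses import dataclass, field
from typing import Dict, List

ACCEPTABLE = 6   # assumed risk-acceptance threshold on a 1-5 x 1-5 likelihood x impact scale


@dataclass
class Control:
    ref: str                      # Annex A reference, or a label for a control from elsewhere
    source: str                   # "Annex A", "NIST", "in-house", "friend down the pub", ...
    likelihood_reduction: int = 0
    impact_reduction: int = 0

    def strength(self) -> int:
        return self.likelihood_reduction + self.impact_reduction


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    decision: str = "mitigate"    # avoid | mitigate | share | accept
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk remaining after treatment; floors at 1 because no control makes a risk negative."""
        if self.decision == "avoid":
            return 0
        l = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        i = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return l * i


def treat(risk: Risk, candidates: List[Control]) -> bool:
    """The cycle from the post: treat, check residual risk, cycle back with more controls.

    Candidates may come from any source; the strongest is tried first. Returns True
    once the residual risk is acceptable, False if the candidate pool runs out first
    (the risk then needs a different decision, or more controls).
    """
    if risk.decision != "mitigate":
        return risk.residual() <= ACCEPTABLE
    pool = sorted(candidates, key=Control.strength, reverse=True)
    while risk.residual() > ACCEPTABLE and pool:
        risk.controls.append(pool.pop(0))
    return risk.residual() <= ACCEPTABLE


def statement_of_applicability(risks: List[Risk], annex_a_refs: List[str]) -> Dict[str, dict]:
    """One row per control: applicable ones carry the risks that justify them; Annex A
    controls that no treatment selected are recorded as 'Not applicable' with a reason."""
    rows: Dict[str, dict] = {}
    for risk in risks:
        for c in risk.controls:
            row = rows.setdefault(c.ref, {"source": c.source, "status": "Applicable", "justification": []})
            row["justification"].append(f"selected to mitigate '{risk.name}'")
    for ref in annex_a_refs:
        rows.setdefault(ref, {"source": "Annex A", "status": "Not applicable",
                              "justification": ["no risk treatment relies on this control; see risk register"]})
    return rows


# Constructed register: "A-n" labels stand in for real Annex A references.
ANNEX_A = ["A-1", "A-2", "A-3"]
CANDIDATES = [
    Control("A-1", "Annex A", likelihood_reduction=2),
    Control("segmentation", "in-house", likelihood_reduction=1, impact_reduction=1),
    Control("A-2", "Annex A", impact_reduction=1),
]


def demo():
    """Treat two constructed risks and produce the resulting SoA rows."""
    risks = [Risk("unmanaged device on office network", 4, 4),
             Risk("visitor wifi outage", 2, 2, decision="accept")]
    outcomes = {r.name: treat(r, list(CANDIDATES)) for r in risks}
    return outcomes, statement_of_applicability(risks, ANNEX_A)


if __name__ == "__main__":
    outcomes, soa = demo()
    print(outcomes)
    for ref, row in soa.items():
        print(ref, row["source"], row["status"], "; ".join(row["justification"]))
```

In the sample run the in-house segmentation control ends up "Applicable" alongside one Annex A control, and the two unused Annex A references are carried as "Not applicable" with a justification, which is the shape of SoA the 6.1.3 d) wording asks for without implying that Annex A was the only source consulted.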

Here’s Why Your Static Website Needs HTTPS


It was Jan last year that I suggested HTTPS adoption had passed the "tipping point", that is, it had passed the moment of critical mass and as I said at the time, "will very shortly become the norm". Since that time, the percentage of web pages loaded over a secure connection has rocketed from 52% to 71% whilst the proportion of the world's top 1 million websites redirecting people to HTTPS has gone from 20% to about half (projected). The rapid adoption has been driven by a combination of ever more visible browser warnings (it was Chrome and Firefox's changes which prompted the aforementioned tipping point post), more easily accessible certificates via both Let's Encrypt and Cloudflare and a growing awareness of the risks that unencrypted traffic presents. Even the government has been pushing to drive adoption of HTTPS for all sites, for example in this post by the National Cyber Security Centre in the UK:

all websites should use HTTPS, even if they don't include private content, sign-in pages, or credit card details

However, there remains an undercurrent of dissent; Scott Helme recently wrote about this and dispelled many of the myths people have for not securing their traffic. I shared some thoughts on what I suspect the real objection is in the tweet thread beginning with this one just a few days ago:

In one of many robust internet debates (as is prone to happen on Twitter), the discussion turned to the value proposition of HTTPS on a static website. Is it needed? Does it do any good? What's it actually protecting? I'd been looking for an opportunity to put together some material on precisely this topic so when a discussion eventually led to just such an offer, it seemed like the perfect time to write this post:

And just to be extra, extra sure this was Jacob's intention, he did later extend the same offer to another party and also (quite rightly in my opinion) observed that permission really isn't necessary to man-in-the-middle your own traffic! So that's precisely what I've done - intercepted my own traffic passed over an insecure connection and put together a string of demos in a 24-minute video explaining why HTTPS is necessary on a static website. Here's the video, and there are references and code samples for all the demos used immediately after that:


The HTTPS Is Easy video series is 4 short videos of about 5 minutes each that make it dead simple to serve almost any site over a secure connection. Not only is the video series awesome (IMHO), the awesome community of people who've watched this have translated closed captions into 16 different languages already making HTTPS more accessible to more people than ever!

WiFi Pineapple

The Wifi Pineapple is a super-easy little device made by Hak5 that's not only easy to stand up as a wireless hotspot, but can trick devices into thinking it's a known network that they automatically connect to without any user interaction whatsoever. I've done a heap of writing on this little device and regularly use it at conferences and training events.


Everybody loves a bit of Clippy, just so long as it's in jest! I did this demo with ClippyJS and if you really want to relive the memories of days gone by, you can also embed Merlin, Rover and Links then orchestrate their behaviour via a set of actions invoked in the JS.


Who doesn't love unicorns, right?! Cornify will help you liven up those otherwise dull pages with magical beasts and rainbows. Comes complete with Cornify buttons to add to your website (or someone else's).

Harlem Shake

There's actually a bit more to this than just entertainment value, the Harlem Shake has regularly been used as a "proof" for running script on a vulnerable site. For example, check out how it's used when embedded in the TXT record of a DNS entry which is then loaded into a WHOIS service which doesn't properly output encode the results. There's also Brenno de Winter's excellent example of XSS flaws in Dutch banks, again, demonstrated via a lot of shaking. Grab the entire script and then inject as required.


I used Coinhive which offers to "Monetise Your Business With Your Users' CPU Power". Frankly, it's a pretty shady service regularly abused for malicious purposes but that was precisely what was required in this situation.

Router CSRF Exploit

This is from CVE-2018-12529 and the sample exploit was taken from the SecurityResearch101 blog. We've often seen CSRF attacks against routers result in DNS hijacking which, of course, is yet another risk that HTTPS protects against. We've known about this for years, including how the proceeds of this crime have been used to pay for Brazilian prostitutes.

DNS Hijacking

This was done with just a few lines of FiddlerScript in the OnBeforeRequest event:

if (oSession.HostnameIs("btlr.com")) {
  // answer the cleartext request for btlr.com with content fetched from scripting.com
  oSession.hostname = "scripting.com";
}

Were you using a device such as the Wifi Pineapple, you could achieve the same result using DNSspoof. The outcome is identical - traffic going to one insecure address results in traffic from a totally different address being returned.
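Every demo in this post works because the page arrives over cleartext HTTP, so the defensive check is whether a site closes that door: an `http://` request must redirect to `https://`, and the HTTPS response must carry a Strict-Transport-Security policy so later visits never start on cleartext at all. The Python below is an added example of that check, not code from the post: `parse_hsts` and `assess` run on constructed responses so it works offline, and `probe` fetches a live URL without following redirects if you want to point it at your own site. The one-year `max-age` minimum is an assumed threshold (the figure the HSTS preload list requires); the sample responses are constructed.

```python
import urllib.request
from typing import Dict, List
from urllib.error import HTTPError
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000   # assumed minimum: one year, the figure the HSTS preload list requires
REDIRECT_CODES = (301, 302, 307, 308)


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass                          # malformed max-age is treated as absent
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess(scheme: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means this leg is protected
    against the on-path rewriting and DNS-hijack demos shown in the post."""
    h = {k.lower(): v for k, v in headers.items()}
    if scheme == "http":
        if status in REDIRECT_CODES and h.get("location", "").startswith("https://"):
            return []     # browsers ignore HSTS on plain HTTP; a redirect is all this leg can do
        return ["cleartext response without a redirect to HTTPS: anything on the path "
                "(hotspot, router, ISP) can rewrite this page or answer in its place"]
    hsts = h.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header: a later http:// visit can still be intercepted"]
    findings = []
    policy = parse_hsts(hsts)
    if policy["max_age"] is None:
        findings.append("HSTS header lacks max-age, so browsers ignore it")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"HSTS max-age {policy['max_age']} is below {MIN_MAX_AGE}")
    if not policy["include_subdomains"]:
        findings.append("HSTS does not cover subdomains (includeSubDomains missing)")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface the redirect as an HTTPError instead of following it


def probe(url: str) -> List[str]:
    """Fetch one URL without following redirects and assess the response (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            status, headers = resp.status, dict(resp.headers)
    except HTTPError as err:
        status, headers = err.code, dict(err.headers)
    return assess(urlsplit(url).scheme, status, headers)


# Constructed sample responses: (scheme, status, headers).
SAMPLES = {
    "plain_http_page": ("http", 200, {"Content-Type": "text/html"}),
    "http_redirect": ("http", 301, {"Location": "https://example.com/"}),
    "https_no_hsts": ("https", 200, {"Content-Type": "text/html"}),
    "https_short_hsts": ("https", 200, {"Strict-Transport-Security": "max-age=300"}),
    "https_good": ("https", 200, {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}),
}

if __name__ == "__main__":
    for label, response in SAMPLES.items():
        print(label, assess(*response) or ["ok"])
```

To check a real site run `probe("http://example.com/")` and then `probe("https://example.com/")`; both legs need an empty result, because a redirect alone still leaves the very first cleartext request open to a hotspot that answers before the real server does.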

China's Great Cannon

This was the attack back in 2015 that sought to take down GitHub, or at least the repository greatfire.org maintains there. I showed the de-obfuscated version in the video which you can find on Pastebin. The original version and a more detailed technical writeup on the incident can be found in this piece from Netresec. Incidentally, Baidu still doesn't serve their homepage over HTTPS by default (although they can serve a valid cert if explicitly requested over HTTPS) which gives the service the unenviable title of being the world's largest website not to do so according to Alexa.


This, to me, was the most impactful demo not just because it resulted in pushing malware and phishing attacks to the target website, but because it shows just how much control an attacker can take over the browsing experience of victims on that site. Check out the BeEF project website for more background on that and if you want to implement the demo I ran, go and grab Kali Linux from VMDepot (now rolled into the Azure Marketplace) and deploy it directly into an Azure VM (I used the smallest size and it worked fine). I allowed inbound requests on port 80 as well as port 22 so I could SSH in. I then changed the port from 3000 to 80 in the config.yaml file (refer to the BeEF config documentation), included a script file from [vm ip]/hook.js in the victim site and browsed over to [vm ip]/ui/panel and logged in with "beef" and "beef". That's it!

Rick Roll

This one needs no introduction, going on half a billion views on YouTube, it's the surprise gift that keeps on giving!

Apache CouchDB Arbitrary Command Execution

CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

HP Security Bulletin MFSBGN03811 1

HP Security Bulletin MFSBGN03811 1 - An XML external entity (XXE) vulnerability in Fortify Software Security Center (SSC) allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Revision 1 of this advisory.
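Both outcomes in the bulletin, file read and SSRF, need the request to carry a DTD (inline or external) that declares an entity, so a service that never legitimately needs DTDs can refuse them outright before the XML reaches a parser, instead of depending on per-parser feature flags. The Python below is an added example of that fail-closed check, unrelated to Fortify SSC's code: the samples are constructed, the file path and URL in them are placeholders, and the UTF-16 rule is there because a byte-level scan only covers ASCII-compatible encodings.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict


class UnsafeXML(ValueError):
    """Raised when an untrusted document is refused before it reaches the XML parser."""


_COMMENT = re.compile(rb"<!--.*?-->", re.DOTALL)
_DTD_MARKUP = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
_UTF16_BOMS = (b"\xff\xfe", b"\xfe\xff")


def reject_dtd(data: bytes) -> None:
    """Refuse any document that declares a DTD or an entity.

    XXE and the DTD-driven SSRF variant both need a DOCTYPE to declare the
    entity, so an application that never needs DTDs can fail closed on their
    mere presence. Comments are removed first so a harmless mention inside one
    is not a false positive; a literal match inside CDATA is still refused,
    which errs on the safe side.
    """
    if data[:2] in _UTF16_BOMS:
        raise UnsafeXML("refusing UTF-16 input: the byte-level DTD check only covers ASCII-compatible encodings")
    match = _DTD_MARKUP.search(_COMMENT.sub(b"", data))
    if match:
        raise UnsafeXML(f"refusing document with <!{match.group(1).decode().upper()} declaration")


def parse_untrusted(data: bytes) -> ET.Element:
    """Gate, then parse. Only documents without any DTD markup reach ElementTree."""
    reject_dtd(data)
    return ET.fromstring(data)


# Constructed samples; the path and URL are placeholders, not real targets.
SAMPLES: Dict[str, bytes] = {
    "benign": b'<?xml version="1.0"?><!-- a literal <!DOCTYPE in a comment is harmless -->'
              b'<report><id>42</id></report>',
    "external_entity": b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY ext SYSTEM '
                       b'"file:///placeholder/secret.txt">]><r>&ext;</r>',
    "parameter_entity": b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % p SYSTEM '
                        b'"http://internal.invalid/">%p;]><r/>',
    "lowercase_doctype": b"<!doctype r><r/>",
    "utf16": b"\xff\xfe" + "<r/>".encode("utf-16-le"),
}


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Map each labelled sample to 'parsed' or the reason it was refused."""
    out = {}
    for label, doc in samples.items():
        try:
            parse_untrusted(doc)
            out[label] = "parsed"
        except UnsafeXML as exc:
            out[label] = str(exc)
        except ET.ParseError as exc:
            out[label] = f"parse error: {exc}"
    return out


if __name__ == "__main__":
    for label, verdict in triage(SAMPLES).items():
        print(f"{label:18} {verdict}")
```

The refusal message is also a useful detection signal: a request body containing `<!DOCTYPE` arriving at an API that never uses DTDs is worth logging and alerting on, since legitimate clients of such an API have no reason to send one.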

RSA Identity Governance And Lifecycle Bypass / XSS

RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains an authorization bypass vulnerability within the workflow architect component (ACM). A remote authenticated malicious user with non-admin privileges could potentially bypass the Java Security Policies. Once bypassed, a malicious user could potentially run arbitrary system commands at the OS level with application owner privileges on the affected system. RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser.

Ubuntu Security Notice USN-3714-1

Ubuntu Security Notice 3714-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, bypass CORS restrictions, obtain sensitive information, or execute arbitrary code. It was discovered that S/MIME and PGP decryption oracles can be built with HTML emails. An attacker could potentially exploit this to obtain sensitive information. Various other issues were also addressed.

Red Hat Security Advisory 2018-2186-01

Red Hat Security Advisory 2018-2186-01 - This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Issues addressed include a remote SQL injection vulnerability.

Red Hat Security Advisory 2018-2185-01

Red Hat Security Advisory 2018-2185-01 - This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Issues addressed include a remote SQL injection vulnerability.

Government Bodies Are At Risk Online

It’s a statement that’s true for a lot of industries, but it’s different for the government. These aren’t traditional ransomware attacks, or email phishing scams carried out by people at home trying to make easy money.

Government hacks are calculated. They’re resourceful. People that target the government are often politically motivated and looking to steal specific information. In the most extreme cases, these hackers are state-funded, giving them the time and money they need to ensure their efforts are successful. Hacking is a full-time job for them.

We only have to look at the Clinton campaign email hacking scandal where sensitive information getting into the wrong hands potentially led to a presidential campaign being derailed, and arguably compromised a US election.

It’s not just global attacks on such influential government figures that are a threat though. Local councillors and external government staff like teachers are targeted daily by hackers after private party data. These staff are often too busy to stay up to date with best practice for staying safe online, leaving them as prime targets and entry points for hacks.

Here we’re going to look at the common day-to-day threats to government online, and what you need to do to make sure your organisation is kept safe.

Information worth stealing

According to some economists, oil is no longer worth more than gold; data now leads the way. Government information has therefore become extremely precious to the right people. Where traditional online hacks might look to steal credit card information or personal details, government hackers are after more substantial data. From central through to local government, to schools, and to national elections, government information is in high demand.

This is why many hacking operations targeting governments have so much time, money and resources invested into them. Because the reward of acquiring private data is huge. Many state-funded hacking groups work on stealing government information as a full-time job – ready to pounce on opportunities with the latest technologies.

These hackers don’t attempt a breach and then move on to the next target if they fail. It’s their job to make sure they get the data. If they fail a login attempt on a website and get suspended from the account, they simply create a new identity and try again. It’s important for government bodies to make sure no-one other than authorised users can access private information. Two-factor Authentication (2FA) solutions require users to provide a password plus a one-time code to log in to a platform, meaning a stolen or replicated password alone is not enough to reach their data.

Human error

Busy government staff don’t always have the time to learn cybersecurity best practice. Government employees working in departments such as planning, finance, human resources and the administration staff that support them, have intense workloads – so it’s important they can work quickly and efficiently, without compromising their safety online.

It’s thought that as many as 95% of successful online hacks come down to human error. Mistakes are made by those who aren’t educated in online risks and can’t spot threats to their data. Sometimes it’s not a lack of knowledge, but a problem with relying solely on human performance. Even the most educated person can make mistakes that cause huge data breaches.

Government organisations need to limit the risk of human error as much as possible. If it’s a case of staff reusing static or simple passwords that can be stolen using brute force attacks, then 2FA can be a solution. Once a one-time code (OTC) has been used, successfully or unsuccessfully, it becomes invalid. The OTC can be provided to the user in a number of ways including SMS, email, mobile app, or a hardware token.
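The single-use rule described above, as an added example rather than any vendor's product code: a verifier that generates RFC 6238 time-based one-time codes and refuses a code the second time it is presented, even if the first attempt did not complete a login. The secret is the RFC 4226 test key, assumed here only so the codes can be checked by hand.

```python
import hashlib
import hmac
import struct

# Assumed secret: the RFC 4226/6238 test key, used so the generated codes are checkable.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (30-second steps)."""
    return hotp(secret, int(at // step), digits)


class OneTimeCodeVerifier:
    """Server-side check that honours the single-use rule: a code is accepted at most
    once and is consumed the moment it is presented, whether or not the rest of the
    login (password check, device check) then succeeds."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window              # tolerate +/- this many steps of clock drift
        self.consumed: set[int] = set()   # counters whose code has already been presented

    def consume(self, code: str, at: float) -> bool:
        """True only for a correct code that has not been presented before."""
        counter = int(at // self.step)
        # forget counters too old to ever be accepted again, so the set stays small
        self.consumed = {c for c in self.consumed if c >= counter - self.window}
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if c in self.consumed:
                    return False          # replay: this code was already used
                self.consumed.add(c)
                return True
        return False                      # no code in the accepted window matches


if __name__ == "__main__":
    v = OneTimeCodeVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)
    print(code, v.consume(code, 59), v.consume(code, 59))
```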

An alternative precaution is the principle of least privilege – which suggests that users should only be able to access the areas of a network that they need, rather than all staff having access to everything. Limiting what different users can access means that if someone clicks through a malware link, or their account becomes compromised, the infiltrator can’t hack into applications they are unauthorised to access.


Few government jobs involve sitting at the same desk each day. Council workers may have to log in to multiple devices daily – with agile hotdesking a large part of many people’s roles.

It’s important to secure your network when you have staff logging on from multiple devices at all times. Government staff need to be able to access their files from anywhere, but they can’t risk the same files becoming accessed by unauthorised users.

Tokenless 2FA solutions can prevent security risks by authenticating the user every time they log in from a different device. Staff can put 2FA software on their phones, and use the solution to generate a new one-time code every time they want to access the network using a different device. Securing your network with 2FA software gives staff the freedom to use a hot desk working environment without leaving private data open to hackers.

To increase flexibility for employees accessing their applications through different devices, 2FA systems should be licensed for each user. Users can have multiple tokens active under one license. This helps to improve uptake when implementing change and rolling out the deployment.

Third party access

It’s not just central government workers that can spark network access risks. Third party users like healthcare staff and social workers may need to access a local government network, and it’s more difficult to regulate the security of people logging on externally from different devices. Government IT staff don’t have the time to assess and verify every log-in attempt when staff numbers are in the thousands. Where possible, government organisations should invest in Risk-Based Authentication (RBA) solutions that let you set up automatic verification of users based on things like their location, IP address and more. This automates verification and therefore takes workload away from the IT desk without compromising network security.

Watering hole attacks

Popular sites that drive a lot of traffic from certain groups, like local government or political party staff, are often targeted by hackers. It’s called a watering hole attack because it mirrors predators waiting at a watering hole for prey to come and drink. Eventually, someone will click through a malicious link and become infected with malware, giving hackers access to their account information and potentially letting them move laterally through the network.

IT staff need to make sure their colleagues aren’t accessing compromised websites from their network. Setting up a web filtering solution is one way to stay on top of potentially harmful sites. The filter constantly updates with sites that have been flagged as compromised or dangerous, and blocks users from accessing them from their network.

Keeping the work process efficient

Staff need to focus on their primary role, and online security is often an afterthought. Time-stretched government staff need working practices to be as efficient as possible. This includes familiarisation and efficiency within their primary applications and platforms, and not having to spend extra time on additional concerns like online safety. Secure solutions should fit into current working practices seamlessly. This way, staff can work how they choose, without their working patterns leaving the network open to attacks.

Recent high-profile government cases show us the startling consequences of a successful attack. Government organisations can hold millions of people’s data, sensitive political information and more – which can be incredibly costly if they end up in the wrong hands. It’s a challenge to secure networks in an industry where staff need to access information at all times, and from multiple devices. So, our government partners need to find a solution that integrates with how they already work, and with minimal disruption.

Adrian Jones

The ISBuzz Post: This Post Government Bodies Are At Risk Online appeared first on Information Security Buzz.

PUBG streamer ‘Shroud’ banned for playing the game with a hacker

Popular Streamer ‘Shroud’ Banned For Cheating In PUBG

PUBG Corp., the developer behind the popular online battle royale game, “PlayerUnknown’s Battlegrounds” (PUBG) have been strict against those who are creating and selling hacks for the PUBG game. In the month of April, 15 suspects were arrested for developing and selling hacking/cheating programs that affect PUBG. The company is very clear that it wants to root out cheating from PUBG, as they want to create an environment for players that’s completely safe from hackers and cheaters.

And their latest action just showcased that. According to Kotaku, PUBG Corp. has issued a one-month ban to Michael ‘Shroud’ Grzesiek – the most popular streamer on Twitch for PlayerUnknown’s Battleground – for playing alongside a hacker. The ban was issued after he shared a few clips online where he is seen riding in a flying car and shooting a player hiding inside of a building using hacks.

While he was half-way through a match, Shroud found that PUBG decided to ban him for an entire month for committing two offences as said above. “It really goes to show that [developer] PUBG [Corp.]-full offense to you guys-don’t give as-, because that guy should have been banned immediately,” Shroud commented after the ban.

He also questioned as to why the original hacker had not been banned yet whom he had encountered on three separate occasions. “He ran into me twice — the first time he ran me over fine that was kind of quick, whatever. Second time, he parked his car and I killed him when he was flying his car into the house. At that point, he should already be banned. Third time, I said F*** it, let’s see how long this last. We are riding around together — he’s still not banned,” he added.

However, post the ban, Shroud apologized for his actions via a Twitch stream. “I was trying to have a good time. Obviously, I knew what the fuck I was doing. It wasn’t a great idea. It seemed like a great idea. But it wasn’t a great idea. I’m sorry to those peeps that are really upset with me, with all the, you know, flying around with the cheater and stuff. I got banned for a month.”

He also described the round as “the most enjoyable game of PUBG I’ve had in a long time.” Shroud can still play PUBG if he wishes to; it’s just that he won’t be able to use his main account to do so.

When Kotaku contacted PUBG Corp. to clarify why Shroud was banned, a representative of the company said: “We do not publicly disclose/discuss individual player penalties. We encourage all players to refer to our posted PUBG Rules of Conduct, here.”

What do you think of the 30-day ban on Shroud? Do let us know your thoughts in the comments section below.

The post PUBG streamer ‘Shroud’ banned for playing the game with a hacker appeared first on TechWorm.

Google flips switch on Chrome’s newest defensive technology

Google has switched on a defensive technology in Chrome that will make it much more difficult for Spectre-like attacks to steal information such as log-on credentials.

Called "Site Isolation," the new security technology has a decade-long history. But most recently it's been cited as a shield to guard against threats posed by Spectre, the processor vulnerability sniffed out by Google's own engineers more than a year ago. Google unveiled Site Isolation in late 2017 within Chrome 63, making it an option for enterprise IT staff members, who could customize the defense to shield workers from threats harbored on external sites. Company administrators could use Windows GPOs (Group Policy Objects) as well as command-line flags prior to wider deployment via group policies.



The r_bin_java_annotation_new function in shlr/java/class.c in radare2 2.7.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted .class file because of missing input validation in r_bin_java_line_number_table_attr_new.


The r_bin_mdmp_init_directory_entry function in mdmp.c in radare2 2.7.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted Mini Crash Dump file.


The sdb_set_internal function in sdb.c in radare2 2.7.0 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted ELF file because of missing input validation in r_bin_dwarf_parse_comp_unit in libr/bin/dwarf.c.

Clone of Careers


Digital Guardian combines more than ten years of experience delivering data-centric security with world-class tools to keep you one step ahead of the thieves trying to steal your data. Join our team.

Pwned Passwords V3 is Now Live!


Over recent weeks, I've begun planning the release of the 3rd version of Pwned Passwords. If you cast your mind back, version 1 came along in August last year and contained 320M passwords. I made all the data downloadable as SHA-1 hashes (for reasons explained in that post) and stood up a basic API to enable anyone to query it by plain text password or hash. Then in Feb, version 2 landed and brought the password count up to just over half a billion whilst also adding a count to each password indicating how many times it had been seen. Far more significantly though, it introduced the k-anonymity search model that Cloudflare worked on and that's when things really took off. Only about 6 weeks ago, I wrote about some of the awesome use cases I was seeing and shared a couple of graphs; 37 million requests in the month to May 29 then 5.5M requests in a single day towards the end of that period. These days, however, things are very different - here's the last 24 hours at the time of writing:

Only the day before I excitedly shared a new record that was more than 1 million requests lower than this graph. In short, the service is growing fast. (Incidentally, if you're wondering what this costs me to run it, I shared detailed numbers a couple of weeks ago.)

But inevitably the question arises - when will the next version land? I kept collecting plain text passwords as I processed data breaches with the thinking that I'd have a good sense of when the scale was sufficient to publish a V3. It's not a trivial task - crunching the data, updating the counts, dumping it into different formats, uploading tens of GBs (over Aussie internet...), preparing the torrents - so it was never going to happen regularly. Eventually, the catalyst came by virtue of the data I loaded 2 days ago in the 111 million Pemiblanc credential stuffing list. People wanted to see their passwords so they could better understand their exposure and I took the tried and tested stance of "I never store that information against your email address because of the risk it poses". But, of course, I do have the Pwned Passwords service which allows people to check their passwords whilst also retaining the anonymity of the secret itself.

So that's the background, let me now talk about what's in this release.

What's New?

We'll start with the raw numbers: in total, there are 517,238,891 passwords, which is 15.6M more than in V2. That's just over a 3% increase, but that number belies the sheer scale of additional data that's gone into this. In all, the new V3 data alone had 194,092,745 total passwords in it; it's just that the vast majority of them were already in the system. This speaks to the prevalence of password reuse but also to the diminishing returns when loading new data; because there are already so many passwords in there, new breaches - even sizable ones - aren't adding many new ones.

The other thing that changes with V3 is the counts on the existing passwords. For example, the worst password in V2 was "123456" which had been seen 20,760,336 times. In V3, it's still the worst password (surprise, surprise), except the count has now been upped to 22,390,492 due to it being seen in the new breach corpuses.

Functionally, there are no breaking changes to the V3 API which was obviously pretty important given the extent of the existing dependencies. The size of the responses increases slightly, of course, but only by a few percent. The average hash range size goes from 478 to 493 but it's returned via super-efficient brotli compressed responses (or gzip if the client doesn't support br) and I highly doubt anyone will see any measurable difference there.

One addition I did make to the API is to add a Last-Modified header to each response. The primary reason for this is to help consumers of the service identify whether they've received a V2 response (the Last-Modified value will be in Feb) or a V3 response. That's important because of caching at both the Cloudflare level and in the client. Let's talk about that for a moment.
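The k-anonymity lookup and the Last-Modified check described above, as an added example (not code from Troy Hunt or the Pwned Passwords project): the client hashes the password, sends only the first five hex characters, and matches the remaining 35 against the returned range. The range body below is constructed for offline use; only the 22,390,492 count for "123456" is the figure quoted in the post, and the V3 cutoff date is an assumption based on the post's "V2 responses have a February Last-Modified" remark.

```python
import hashlib
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of a /range/{prefix} response body (one "SUFFIX:COUNT" per line).
# Only the 22,390,492 count for "123456" comes from the post; the other lines are
# made up for illustration and are not real API output.
SAMPLE_RANGE_BODY = (
    "D09CA3762AF61E59520943DC26494F8941B:22390492\r\n"
    "0035C2E54C4DDA4E19E4D7E4B1E2C8A4F1B:3\r\n"
    "FFEE10A4C9B6D2E7F0C1A2B3C4D5E6F7A8B:1\r\n"
)

# Assumed cutoff for telling a cached V2 response from a V3 one: the post says V2
# responses carry a Last-Modified date in February 2018 and V3 went live in July 2018.
V3_CUTOFF = datetime(2018, 7, 1, tzinfo=timezone.utc)


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a range response into {suffix: count}, tolerating CRLF and blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def lookup(password: str, body: str) -> int:
    """How many times the password was seen in breaches; 0 if it is not in the range."""
    _, suffix = split_hash(password)
    return parse_range(body).get(suffix, 0)


def is_stale_v2(last_modified: str) -> bool:
    """True if the Last-Modified header predates the assumed V3 cutoff, i.e. the
    response most likely came from a V2 range still sitting in a cache."""
    return parsedate_to_datetime(last_modified) < V3_CUTOFF


def fetch_range(prefix: str) -> tuple[str, str]:
    """Live query of the real API (network access; not used by the offline checks).
    Returns the response body and its Last-Modified header."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-passwords-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8"), resp.headers.get("Last-Modified", "")


if __name__ == "__main__":
    prefix, _ = split_hash("123456")
    print(prefix, lookup("123456", SAMPLE_RANGE_BODY))
```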

The Cache Situation

The reason my costs are so low for running this (and incidentally, there are absolutely zero commercial angles to Pwned Passwords) is due to a combination of the efficiency of Azure Functions and Cloudflare aggressively caching the responses. Here's the cache stats from the last 24 hours:

The reason the bandwidth saving rounds to "all of it" is because Cloudflare also caches the downloadable hashes which are big. Point being that they're taking a huge amount of traffic off the back end and were it not for them, I'd be seeing 14 times more requests hitting Azure. A big part of how I make that happen is with a 31-day cache expiry header, which brings us to the following problem:

Right after I push the button on this new set of data, I'm going to invalidate the Cloudflare cache which will immediately multiply my traffic 14x. It'll reduce quickly as requests start being returned from Cloudflare cache again, but I'm kinda curious about what my Azure charts are going to look like if I'm honest! I'll take a hit on the server, but at least that's within my control and it'll get the API returning fresh V3 results.

Clients are trickier because if someone has already done a search for a hash prefix (remember, that's what is being sent with k-anonymity), they may still see V2 results after V3 has already been flushed through the Cloudflare cache. Now frankly, when there's only 3% more data I'm not too worried and time will fix that problem anyway, but I'd be remiss if I didn't highlight it here. Or, of course, you can flush the cache for api.pwnedpasswords.com or use a different browser. My original plan had been to gradually reduce the cache period but I didn't anticipate the Pemiblanc data and the reaction regarding access to passwords. I should have.

Moving on, let me touch on the quality of data itself because that's also important to understand.

Control Characters and Data Integrity

One of the biggest problems in creating this resource is the quality of the source data. Not only am I talking about the way plain text passwords are stored in the original site (and yes, that still occurs with alarming regularity), but the way they're then dumped out by whoever breached that site. Then there's the large aggregation lists like Exploit.in, Antipublic and indeed the Pemiblanc list that prompted the V3 release; all of these have passwords cobbled together from many different sources and whoever has done that doesn't always have the most hygienic of data handling practices.

The next challenge is that I need to get my import process right. When I first grabbed the passwords out of the Pemiblanc data, I used SQL bcp wrapped in a PowerShell script to enumerate through all the files in the data set and extract the passwords which resulted in 50M ones not already in Pwned Passwords. However, it was only when doing manual verification of the data in preparation for the V3 release that I realised this import process had added control characters to the data set, namely tabs and carriage returns. Once I stripped those out, the unique passwords in that data set I hadn't seen before dropped all the way down to 3.3M. Still a significant number, but clearly much less than originally thought.

I spent a big chunk of yesterday working on the data quality and I'm confident V3 is in good shape. That's not to say there aren't passwords in there that might still contain some junk - there are - but it's a tiny slice of the overall data set and frankly, that doesn't matter. If, for example, 1% of the "passwords" contain junk (and I'm sure it's only a tiny fraction of that), the worst that can happen is either a password that was in a breach isn't found in Pwned Passwords (for example, because I imported a control character) or one that wasn't in a breach returns a hit anyway (for example, because the delimiting of the source data was off and I imported a rogue semicolon). But as soon as a password starts appearing in multiple incidents (i.e. it's a bad one), the chances of it being missed go way down to near zero anyway.

And while I'm talking about data quality, in V2 I inadvertently added trailing whitespace characters to the end of every line in the downloadable files. I later realised the sqlcmd utility pads the results unless the -W switch was present so V3 has included that and makes the data a little cleaner for those downloading the whole lot.
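The two data-quality problems above (control characters inflating the "new password" count, and sqlcmd padding the download files), as an added example that is not the post's own import script: the raw lines and the "already known" set are constructed, and the numbers show how much a count of unique new passwords can shrink once stray tabs and carriage returns are removed.

```python
import hashlib
import unicodedata
from typing import Iterable, Optional

# Constructed sample of lines as a bcp/PowerShell extraction might emit them: stray
# tabs and carriage returns from the source delimiting. Not real breach data.
RAW_IMPORT = ["password", "password\t", "hunter2\r", "hunter2", "\t", "letmein "]

# Constructed stand-in for the hashes already in Pwned Passwords.
EXISTING = {hashlib.sha1(b"password").hexdigest().upper()}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def sanitize_password(raw: str) -> Optional[str]:
    """Drop ASCII/Unicode control characters (tab, CR, LF, ...) that the import added.
    Returns None when nothing but junk remains. Ordinary spaces are kept: a trailing
    space in a password is plausible, a tab or carriage return is not."""
    cleaned = "".join(ch for ch in raw if unicodedata.category(ch) != "Cc")
    return cleaned or None


def count_new(raw_lines: Iterable[str], existing: set, clean: bool = True) -> int:
    """Number of unique passwords not already in `existing`, with or without cleaning.
    Without cleaning, "password" and "password\\t" hash differently and the second
    one is wrongly counted as a new password."""
    new_hashes = set()
    for raw in raw_lines:
        pw = sanitize_password(raw) if clean else raw
        if pw is None:
            continue
        h = sha1_upper(pw)
        if h not in existing:
            new_hashes.add(h)
    return len(new_hashes)


def parse_download_line(line: str) -> tuple[str, int]:
    """Parse 'HASH:COUNT' from the downloadable file, tolerating the trailing padding
    that sqlcmd appends when run without -W (as the V2 files had)."""
    h, _, c = line.rstrip().partition(":")
    return h.upper(), int(c)


if __name__ == "__main__":
    print("raw:", count_new(RAW_IMPORT, EXISTING, clean=False),
          "cleaned:", count_new(RAW_IMPORT, EXISTING))
```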

Checking Your Passwords in 1Password

As it specifically relates to the Pemiblanc situation, clearly people want to know if a password they've been using is in that data set. The easiest possible way I know of to do this is to use the Watchtower feature within 1Password to check your entire vault:

This feature was built into 1Password 7 and is available on both the Mac and PC versions. It's a single-click to scan your entire vault of passwords and get a result like the one above.

Of course, this is predicated on being a 1Password user and if that's not you, you're pretty much down to checking them one-by-one via the Have I Been Pwned website or scripting out the checks against the API. And if you're not using a password manager at all and are worried about the Pemiblanc breach (or all the other ones), now seems like a perfect time to start using one!


So that's the V3 story and everything that's gone into making it what it is today. It's a much more incremental change than V2 was and I think that's reflective of the service now being in a pretty stable, steady state. As always, I welcome your comments below and I hope this background has been useful.

Trustwave On European Parliament Approving A Draft Cyber Security Act

Please see below for comment from Trustwave regarding a key committee of the European Parliament approving a draft Cybersecurity Act that will introduce a new security certification system for connected devices, as well as strengthen the EU’s networks security agency Enisa.

Ed Williams, Director EMEA, SpiderLabs at Trustwave:

I welcome any initiative to increase the security and assurance of ICT products; given the current climate this legislation is welcome.  Without question, this is a difficult task, ICT products can be difficult and complex, ensuring that security is baked in could, initially, be difficult but is clearly the correct thing to do – secure by design is a must in 2018 and moving forward.  I have some reservations around the certification framework, depending on the type of product, certification may be voluntary or mandatory. Personally, I would like to see mandatory security for ‘all’ products.

It also appears that assurance will be broken down into different categories, basic, substantial and high; where basic “provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service”, I’d prefer all my ICT products to have high levels of assurance, I don’t think that’s too much to ask for?  It will be interesting to see how consumers take to this, my hope is that the certification framework is agile, simple and clear and that having high assurance doesn’t come with additional costs (whatever they may be).  In 2018 we shouldn’t be paying more for secure products, we should be expecting all products to be secure.

The ISBuzz Post: This Post Trustwave On European Parliament Approving A Draft Cyber Security Act appeared first on Information Security Buzz.

Advanced Mobile Malware Campaign in India uses Malicious MDM

This blog post is authored by Warren Mercer, Paul Rascagneres and Andrew Williams.


Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices. At this time, we don't know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register. In social engineering attacks the victim is tricked into clicking accept or giving the attacker physical access to a device. This campaign is of note since the malware goes to great lengths to replace specific mobile apps for data interception. Talos has worked closely with Apple on countering this threat. Apple had already actioned 3 certificates associated with this actor when Talos reached out, and quickly moved to action the two others once Talos tied them to the threat.

An MDM is designed to deploy applications on enrolled devices. In this campaign we identified five applications that have been distributed by this system to the 13 targeted devices in India. Two of them appear to test the functionality of the device, one steals SMS message contents, and the remaining two report the location of the device and can exfiltrate various data.

The attacker used the BOptions sideloading technique to add features to legitimate apps, including the messaging apps WhatsApp and Telegram, that were then deployed by the MDM onto the 13 targeted devices in India. The purpose of the BOptions sideloading technique is to inject a dynamic library in the application. The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device, such as the phone number, serial number, location, contacts, user's photos, SMS and Telegram and WhatsApp chat messages. Such information can be used to manipulate a victim or even use it for blackmail or bribery.

Thanks to the logs located on the MDM servers and the malware's command and control (C2) server, we were able to determine that the malware has been in use since August 2015. The campaign targeted only a few select devices (13) that are all located in India. The attacker left essential data on the servers, such as emails and usernames. As part of the attacker's development and testing it appears that they compromised their device — we observed a device named "test" or "mdmdev." The log files we identified contain the phone number of the device. The number originates from India and uses the "Vodafone India" network with roaming capability disabled. With all of this information in mind, we assume with high confidence that the malware author works out of India.

MDM is becoming more popular throughout large enterprises, and users should be aware that installing additional certificates on their device to allow remote management can result in potential malicious activity. By installing a certificate outside of the Apple iOS trusted certificate chain, you may open yourself up to third-party attacks like this one. Users must be aware that accepting an MDM certificate is equivalent to allowing someone administrator access to their device, passwords, etc. This must be done with great care in order to avoid security issues and should not be something the average home user does.

The following information warns the security community and users of how this attack works. The likely use of social engineering to recruit devices serves as a reminder that users need to be wary of clicking on unsolicited links and verify identities and legitimacy of requests to access devices.

The overall workflow of the deployment method and capabilities is pictured below.

iOS MDM infrastructure

My tiny MDM

Talos identified two different MDM servers:

  • hxxp://ios-certificate-update[.]com
  • hxxp://www[.]wpitcher[.]com

Both servers above are based on the open-source project mdm-server — a small iOS MDM server. MDM allows for operating system-level control of multiple devices from a centralized location. A remote administrator can install or remove apps, install or revoke certificates, lock the device, or change password requirements, among other things. The operator is able to uninstall legitimate applications such as Telegram and WhatsApp to install the malicious versions described in the next section.

Device enrollment

Each step of the enrollment process needs some type of user interaction. That's why Talos assumes the attackers use social engineering to get victims on the MDM. The first step for enrolling a device is to install the certificate authority:

If the user clicks on "Allow," the following message is displayed:
By clicking on "Install," the signature will switch to "Verified:"
The device is ready to be enrolled:
We can control the installed profile:
The attacker is now able to control the device. A pop-up appears when the attacker pushes a new app to the user device. Here is an example with the compromised Telegram app mentioned later in the article:
This gives the attacker a significant level of control over the victim device(s). This process is used similarly to a large-scale enterprise using MDM solutions. It is likely that the user is advised that the certificate must be installed to allow enrollment. This is most likely performed via a social engineering mechanism, i.e. a fake tech support-style call.

The attacker used a domain which allowed them to try and fool the user. The use of "ios-certificate-update[.]com" may make it easier to reassure the user that this is normal. Since we believe this attack is targeting devices in India this is also something which a non-native English speaker may see as "normal." The certificate and update naming convention is also designed to trick the user.

Technical information about the MDM

The attacker left a lot of information behind, which allowed us to analyse files used by this MDM. First, the certificate used by the MDM:

Serial Number: 13905745817900070731 (0xc0fb222544ceb74b)
Issuer: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=nicholas.vukoja@mail.ru
Not Before: Sep 6 11:33:09 2017 GMT
Not After : Sep 6 11:33:09 2018 GMT
Subject: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=nicholas.vukoja@mail.ru

The certificate was issued in September 2017 and contains an email address located in Russia. Our investigation suggests that the attacker is not based out of Russia. We assume this is a false flag to point researchers toward the idea of a "classical Russian hacker." False flags are becoming more common in malware, both sophisticated and simple. It's an attempt to muddy the waters for the analysts/researchers to direct blame elsewhere.

Serial Number: 14177612590375883362 (0xc4c0ff88e475d262)
Issuer: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=Aleksi.Dushku@mail.ru
Not Before: Jan 6 04:59:56 2018 GMT
Not After : Jan 6 04:59:56 2019 GMT
Subject: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=Aleksi.Dushku@mail.ru
This second certificate again points to Russia through another mail.ru address.

Subject: C=HR, ST=Hrvatska, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=nicholas.vukoja@mail.ru

In this certificate, the attacker mentioned Hrvatska ("Croatia" in the Croatian language) with the same Russian email.

The certificates are self-signed, or signed by the Comodo certificate authority.
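A quick way to pull these facts out of certificate dumps like the ones above, as an added example that is not part of the original article: it parses the Issuer/Subject lines (including the "/emailAddress=" suffix openssl appends to the CN), flags a certificate as self-signed when issuer equals subject, and reports the validity window and the contact email's domain. The third, Comodo-issued entry is constructed here only to exercise the CA-signed branch; its serial, dates and subject are not from the article.

```python
import re
from datetime import datetime, timezone

# Sample input: the two certificate excerpts quoted in the article, plus one
# constructed CA-signed excerpt (serial, dates and subject are made up).
CERT_EXCERPTS = [
    """\
Serial Number: 13905745817900070731 (0xc0fb222544ceb74b)
Issuer: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=nicholas.vukoja@mail.ru
Not Before: Sep 6 11:33:09 2017 GMT
Not After : Sep 6 11:33:09 2018 GMT
Subject: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=nicholas.vukoja@mail.ru
""",
    """\
Serial Number: 14177612590375883362 (0xc4c0ff88e475d262)
Issuer: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=Aleksi.Dushku@mail.ru
Not Before: Jan 6 04:59:56 2018 GMT
Not After : Jan 6 04:59:56 2019 GMT
Subject: C=CR, ST=Split, L=Split, O=NA, OU=IT, CN=ios-certificate-update.com/emailAddress=Aleksi.Dushku@mail.ru
""",
    """\
Serial Number: 1 (0x1)
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Not Before: Mar 1 00:00:00 2018 GMT
Not After : Mar 1 23:59:59 2019 GMT
Subject: OU=Domain Control Validated, CN=ios-certificate-update.com
""",
]

# Publication date of the article, used as the "as of" time for validity checks.
ARTICLE_DATE = datetime(2018, 7, 12, tzinfo=timezone.utc)


def parse_dn(dn: str) -> dict:
    """Split 'C=CR, ST=Split, ..., CN=host/emailAddress=x' into a dict.

    openssl's one-line form separates RDNs with ', ', but the dumps above also
    carry '/emailAddress=' appended to the CN, so split on both separators.
    """
    fields = {}
    for part in re.split(r",\s*|/", dn.strip()):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_cert(text: str) -> dict:
    """Extract serial, issuer, subject and validity window from an openssl-style dump."""
    cert = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")   # only the first ':' separates key and value
        key, value = key.strip(), value.strip()
        if key == "Serial Number":
            cert["serial"] = int(value.split()[0])
        elif key in ("Issuer", "Subject"):
            cert[key.lower()] = parse_dn(value)
        elif key in ("Not Before", "Not After"):
            stamp = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
            cert[key.lower().replace(" ", "_")] = stamp.replace(tzinfo=timezone.utc)
    return cert


def is_self_signed(cert: dict) -> bool:
    """A self-signed certificate names itself as issuer."""
    return cert["issuer"] == cert["subject"]


def review(cert: dict, at: datetime) -> list:
    """Analyst findings for one certificate, evaluated at time `at`."""
    subject = cert["subject"]
    findings = ["self-signed (issuer == subject)" if is_self_signed(cert)
                else f"issued by {cert['issuer'].get('O', '?')}"]
    if not cert["not_before"] <= at <= cert["not_after"]:
        findings.append("outside validity window")
    email = subject.get("emailAddress", "")
    if "@" in email:
        findings.append(f"contact email domain: {email.rsplit('@', 1)[1]}")
    findings.append(f"country={subject.get('C')} locality={subject.get('L')}")
    return findings


if __name__ == "__main__":
    for text in CERT_EXCERPTS:
        cert = parse_cert(text)
        print(cert["serial"], "->", "; ".join(review(cert, ARTICLE_DATE)))
```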

Log analysis

One of the most interesting pieces of information about the MDM is found in the log file. From it, we can confirm the following points:

  • There are 13 compromised devices based on serial number
  • All the devices are located in India (based on the phone numbers and phone providers)
  • Phone models: iPhone 5.4, iPhone 7.2, iPhone 8.1, iPhone 8.2, iPhone 9.3, iPhone 9.4
  • iOS versions: 10.2.1, 10.3.1, 10.3.2, 10.3.3, 11.0, 11.0.3, 11.2.1, 11.2.5, 11.2.6

At this time, we don't know how the attacker enrolled the 13 targeted devices into the MDM. It could be through physical access to the phones, or by using social engineering, motivating the user to enroll their device.

We believe the attackers used their personal phone to test the MDM because they included devices named "Test" and "mdmdev." These two devices share the same phone number and a name that is uncommon for a personal phone.

The phone number originates from India and is registered on the "Vodafone India" network provider. When the device was registered on the MDM server, roaming was disabled. We assess with high confidence that the author is based in India.

iOS Applications

Malicious applications using BOptions sideloading


The attacker's purpose appears to be to deploy malicious apps onto the 13 compromised devices. To do so, they decided to use the BOptions sideloading technique. The technique is described here. The purpose is to inject a dynamic library into the legitimate app. The attacker used the GitHub project to create the malicious BOptionspro.dylib library held in the iOS package (.ipa file). The injected library can ask for additional permissions, execute code and steal information from the original application, among other things. Milan-based technology company HackingTeam has previously used this technique.
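One way a defender can check an app's main binary for a sideloaded library is to list its dylib load commands and compare them against the legitimate build. This is an added example, not code from the article or from the BOptions project; it assumes the injected library is referenced through an LC_LOAD_DYLIB command (the usual sideloading mechanism), and since no sample binary is on the page it constructs a minimal 64-bit Mach-O inline with a made-up path for the injected library.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O image
LC_LOAD_DYLIB = 0x0000000C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
DYLIB_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}
HEADER_SIZE = 32                  # sizeof(struct mach_header_64)


def list_dylibs(data: bytes) -> list:
    """Return the library paths named by every dylib load command.

    Only thin, little-endian 64-bit images are handled; fat (multi-arch)
    files and 32-bit slices would need their own header parsing first.
    """
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = HEADER_SIZE + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    names = []
    offset = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd in DYLIB_COMMANDS:
            # struct dylib_command: cmd, cmdsize, then struct dylib whose first
            # field is the offset (from the command start) of the NUL-terminated path
            (name_offset,) = struct.unpack_from("<I", data, offset + 8)
            raw = data[offset + name_offset: offset + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        offset += cmdsize
    return names


def unexpected_dylibs(data: bytes, baseline: set) -> list:
    """Libraries the image loads that the legitimate build (baseline) does not."""
    return [name for name in list_dylibs(data) if name not in baseline]


def _dylib_command(path: str) -> bytes:
    """Encode one LC_LOAD_DYLIB command (helper used only to build the sample)."""
    path_bytes = path.encode() + b"\0"
    # struct dylib: name offset (8-byte cmd header + 16-byte struct = 24),
    # timestamp, current_version, compatibility_version
    body = struct.pack("<IIII", 24, 2, 0x00010000, 0x00010000) + path_bytes
    size = 8 + len(body)
    size += (-size) % 8                      # load commands are 8-byte aligned
    return struct.pack("<II", LC_LOAD_DYLIB, size) + body.ljust(size - 8, b"\0")


def build_sample(paths: list) -> bytes:
    """A minimal arm64 MH_EXECUTE header followed by one LC_LOAD_DYLIB per path."""
    cmds = b"".join(_dylib_command(p) for p in paths)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,
                         len(paths), len(cmds), 0, 0)
    return header + cmds


# Constructed: what a clean build of the app links, and the same build with an
# extra library injected (the injected path is a guess, not the article's value).
CLEAN_BASELINE = {"/usr/lib/libSystem.B.dylib",
                  "/System/Library/Frameworks/UIKit.framework/UIKit"}
SIDELOADED = build_sample(sorted(CLEAN_BASELINE) +
                          ["@executable_path/Frameworks/BOptionspro.dylib"])

if __name__ == "__main__":
    print(unexpected_dylibs(SIDELOADED, CLEAN_BASELINE))
```

In practice the baseline comes from the vendor's unmodified .ipa, and the same scan should be run over every Mach-O in the bundle, not only the main executable.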

Telegram, WhatsApp & AppsSLoader

In this campaign we identified three compromised versions of apps using this trick hosted on the MDM server. AppsSLoader is seemingly harmless. The app was created to test the library injection. It simply opens a pop-up to the user confirming the execution of the dynamic library. This was most likely created to test the effectiveness of the library prior to malicious deployment.

The compromised versions of the Telegram and WhatsApp applications used in this campaign are more interesting and relevant. Both contain the same malicious code. Its purpose is to send collected data to a C2 server located at hxxp[:]//techwach[.]com.

The malicious code checks permissions and asks for additional permissions if it does not already have them:

  • Permission to access the user's contact list (PhnNumber::getContAccess)
  • Permission to access the user's photos (PhnNumber::getPAccess)

One of the most relevant features of these compromised versions of the applications is the Telegram and WhatsApp message stealing feature. Here is the overall workflow:

For Telegram:

  • Opens 'tgdata.db', an SQLite3 database used by Telegram
  • Checks for the key 'UPLOADED_CHAT' in the key store
  • Queries "select users_v29.phone_number, users_v29.uid from users_v29;"
  • Queries for "select messages_v29.from_id AS oid,users_v29.first_name, users_v29.last_name,users_v29.phone_number,messages_v29.message,messages_v29.mid,messages_v29.to_id from messages_v29 join users_v29 ON (messages_v29.from_id = users_v29.uid);"
  • Parses results, storing off counts, timestamps, and other metadata.
  • Sends by posting to hxxp[:]//techwach[.]com

Query screenshot:

For WhatsApp:

  • Opens 'ChatStorage.sqlite', the database used for WhatsApp messages
  • Parses results, storing off counts, timestamps, and other metadata.
  • Sends by posting to hxxp[:]//techwach[.]com

Additionally, the malware is designed to be able to send the contacts, location, and images from the compromised device.

Here is the list of the PHP pages available on the techwach C2 server:

  • all.php
  • dyrKztORKwVWOGo.php
  • get.php
  • hh.php
  • info.php
  • jDRucchWSoWQGpU.php
  • UfmcRxYDaVVbrBl.php

Another intriguing aspect of this malware is the way in which the malicious code achieves periodic code execution when the legitimate app bundled with it is running. One technique is to modify the app's code at runtime to execute the malicious code — this has been observed in previously analyzed iOS malware. Instead, this malware remains almost entirely independent of the app and gains execution by creating a timer that eventually executes the malicious code in a background thread. From there, it schedules tasks to be executed asynchronously in the background by leveraging the apps' background task queue. Ultimately, this means that the malicious code is invisible to the user of the app, and can be easily reused alongside any real application.


Talos identified another legitimate app executing malicious code during this campaign in India. PrayTime is used to give the user a notification when it's time to pray. The malicious code connects to the domain voguextra[.]com. The purpose is to download and display specific ads to the user. This app also leverages private frameworks to read the SMS messages on the device it is installed on and uploads these to the C2 server.


MyApp is a regular iOS app. However, the application does not do anything. It has almost no code associated with it other than standard iOS app runtime code. This could potentially be another testing app, but we're unable to determine the exact use. This app is non-malicious.

Techwach C2 server

The malicious code within Telegram and WhatsApp sent collected data to the server techwach[.]com. The server has been active since August 2015. Initially, the username used on the server was arnoldrex. Subsequently, this was changed to chernobog (referencing a Slavic deity).


This investigation shows us that this attack targeted a very limited number (13) of users using iPhone devices in India. At this time, it is unclear who the targets of the campaign were, who the perpetrator was, or what the exact purpose was. It's very likely the vector for this campaign was simply social engineering - in other words, asking the user to click "ok". This type of vector is very difficult to defend against, since users can often be tricked into acting against their best interests. This is another important reminder that users must think twice before clicking on unsolicited links or requests, and that users should verify the credentials of anyone making unsolicited calls requesting that they take action on their devices.

The attackers installed an open-source MDM and used this to deploy malicious code into secure chat applications such as Telegram and WhatsApp to surreptitiously retrieve the messages/chats, photos and user's location from the victim's phone. Over a three-year period, the attackers remained under the radar — likely due to the low number of compromised devices. All the technical details point to an actor based in the same country as the victims: India. The attacker tried to mimic Russian hackers by using mail.ru email. However, we found testing devices enrolled on the MDM with an Indian phone number and registered on an Indian provider.

Once a user has lost physical access to their phone, the attacker has a much easier playing field for malicious activity. The fact that the attacker was also able to get devices enrolled in their own malicious MDM shows that the attacker was motivated not only to obtain initial access but also to maintain persistence across the devices.


Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.


Hashes (SHA256):
  • 329e025866bc6e88184af0b633eb3334b2e8b1c0817437c03fcd922987c5cf04 AppsSLoader.ipa
  • aef046b67871076d507019cd87afdaeef602d1d2924b434ec1c165097b781242 MyApp.ipa
  • 4be31095e5f010cc71cf8961f8fe3fc3ed27f8d8788124888a1e90cb90b2bef1 PrayTime.ipa
  • 624689a1fd67891be1399811d6008524a506e7e0b262f549f5aa16a119369aef Telegram.ipa
  • e3872bb33d8a4629846539eb859340940d14fdcf5b1c002b57c7dfe2adf52f08 Wplus.ipa

MDM Domains:

  • ios-certificate-update[.]com
  • www[.]wpitcher[.]com

C2 Domains:

  • Voguextra[.]com
  • Techwach[.]com

Advertising Domain:

  • voguextra[.]com

Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Web UI Command Injection Vulnerability

A vulnerability in the web-based UI of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware could allow an authenticated, remote attacker to perform a command injection and execute commands with the privileges of the web server.

The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including arbitrary shell commands in a specific user input field.

Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

Security Impact Rating: High
CVE: CVE-2018-0341

Organisations Pay $250K For Critical Security Bugs

HackerOne has today launched its 2018 Hacker-Powered Security Report, which is an annual study of the bug bounty and vulnerability disclosure ecosystem. The study analyses over 72,000 resolved security vulnerabilities, 1,000 customer bug bounty programs and more than $31 million in bounties awarded to hackers from over 100 countries.

The full study can be found here, however key findings include:

  • Critical vulnerabilities are earning higher bounties. The average award for a critical vulnerability increased 33% to $20,000 for the top awarding programs. A total of 116 unique critical vulnerabilities earned over $10,000 each in the past year.
  • Some of the most advanced organizations offer bounty awards in the six-figure range, with Intel and Microsoft offering up to $250,000, and Google and Apple offering up to $200,000, to name just a few.
  • The highest bounty paid in 2017 was $75,000, paid by a technology company for three unique vulnerabilities that, when chained together, produced a remote code execution (RCE). The exploit chain could have allowed an attacker to steal credit card information, deploy mass ransomware campaigns, take over user accounts, attack employee accounts and access infrastructure code.
  • The total number of high or critical severity vulnerabilities increased by 22 percent in 2017. Furthermore, 24 percent of resolved vulnerabilities were classified as high to critical severity across industries.
  • Hackers in the U.S. earned 17% of all bounties awarded, with India (13%), Russia (6%), the U.K. (4%), and Germany (3%) rounding out the top 5 highest-earning countries. Hackers in Germany are on a roll, earning 157% more in 2017 versus 2016.
  • Governments are leading the way with adoption internationally. In the government sector there was a 125 percent increase year over year, with new program launches including the European Commission and the Ministry of Defense Singapore, joining the U.S. Department of Defense on HackerOne.
  • Enterprise vulnerability disclosure policy adoption is on the rise. Organizations like Goldman Sachs, Toyota, and American Express adopted VDPs, representative of a broader trend of a 54% increase year over year. The Forbes Global 2000, however, only marginally improved, as 93% still do not have a policy in place.

The ISBuzz Post: This Post Organisations Pay $250K For Critical Security Bugs appeared first on Information Security Buzz.

Cost Of Data Breaches Doubles In Just 5 Years

The number of so-called mega breaches – cases that involve more than 1m records being lost – has nearly doubled over the last five years, with 16 mega breaches occurring in 2017. Data compiled by IBM revealed that breaches on this scale can cost a business anywhere from $40m (£30m) to $340m, with more than 90 per cent of these breaches stemming from malicious and criminal attacks as opposed to glitches or human error. Tim Helming, Director of Product Management at DomainTools, commented below.

Tim Helming, Director of Product Management at DomainTools:

“This is a worrying, but expected statistic. The cost of breaches has skyrocketed in recent years due to a commercialization of the cybercrime industry, with attack kits available to purchase for non-technical actors to ply their trade. Legislative changes such as GDPR will also make the administrative costs of a breach soar even further in the next five years, without even considering the implications of reputational costs. I’m slightly doubtful that human error accounts for so little of the breach activity; failing to have a proper culture of cybersecurity awareness at an organisation is implicated in phishing, which is one of the leading vectors of breaches. The ultimate responsibility for this lies with humans.”

The ISBuzz Post: This Post Cost Of Data Breaches Doubles In Just 5 Years appeared first on Information Security Buzz.


qh_echo in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.


An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. The vulnerability allows an authenticated user to upload arbitrary files to the file system with the permissions of the web server.


An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. Weak permissions allow an authenticated user to overwrite critical files by abusing the unrestricted file upload in the WBM.


An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. The vulnerability can be exploited by authenticated and unauthenticated users by sending specially crafted requests to the web server, allowing code to be injected into the WBM. The code will be rendered and/or executed in the user's browser.


qh_core in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.


The svpn component of the F5 BIG-IP APM client prior to version 7.1.7 for Linux and Mac OS X runs as a privileged process and can allow an unprivileged user to assume super-user privileges on the local client host. A malicious local unprivileged user may gain knowledge of sensitive information, manipulate certain data, or disrupt service.


qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.

Building an Effective API Security Strategy: Easy If You Have the Right Tools

In their approach to application programming interface (API) security, organizations exposing web APIs must balance ease of access with control. Like the bank robber attacking banks because “that’s where the money is,” the use of APIs to provide access to applications and to business-critical data has naturally led to API security incidents. These have occurred particularly in the form of data breaches.

Some of the key challenges organizations currently face include:

  • An increase in attacks and data breaches involving poorly protected application programming interfaces (APIs)
  • Ineffectiveness of protecting web APIs with traditional application security solutions alone
  • New APIs are being added and consumed by organizations on an ongoing basis, meaning that API security is not a one-time exercise.
  • Modern application architecture trends — including mobile devices, microservice design patterns, and hybrid on-premises/cloud usage — complicate API security since there is rarely a single “gateway” at which protection can be enforced.

API gateways, combined with web application firewalls and other application security infrastructure where necessary, are used to implement API security. However, a purely edge-based web application security defense strategy is not fully ready for the new challenges posed by APIs. The widespread use of internal APIs, combined with mobile access and increased reliance on cloud APIs, mean that defending from the edge is insufficient. New hybrid approaches highlight the fact that organizations should take a holistic view of API security.

The best practices described in this research explain how an organization should use API security to enable its integration and digital business initiatives.


Timehop provides additional details on the recent security breach

Timehop recently announced that it suffered a data breach affecting 21 million user accounts. The company has now shared additional details about the incident.

The Timehop service aims to help people find new ways to connect with each other by analyzing past activities. Earlier this month, the company revealed that one or more malicious hackers gained unauthorized access to a database storing usernames, phone numbers, email addresses, and social media access tokens for all users.

The security breach also exposed access tokens used by Timehop to access other social networks such as Twitter, Facebook, and Instagram. The tokens have been quickly revoked and currently don’t work.

Wednesday the company provided an update on the incident adding that further info was exposed, including dates of birth, genders, and country codes.


“Earlier reports of ‘up to 21 million emails’ were correct. However we now provide the following breakdown of Personally Identifiable Information (PII) that was breached, and the combinations contained in records,” reads the update provided by the company.

Type of Personal Data Combination   # of Breached Records   # of Breached GDPR Records
---------------------------------   --------------------   --------------------------
Name, email, phone, DOB             3.3 million            174,000
Name, email address, phone          3.4 million            181,000
Name, email address, DOB            13.6 million           2.2 million
Name, phone number, DOB             3.6 million            189,000
Name and email address              18.6 million           2.9 million
Name and phone number               3.7 million            198,000
Name and DOB                        14.8 million           2.5 million
Name total                          20.4 million           3.8 million
DOB total                           15.5 million           2.6 million
Email addresses total               18.6 million           2.9 million
Gender designation total            9.2 million            2.6 million
Phone numbers total                 4.9 million            243,000

The company provided a detailed breakdown of the exposed information, with a separate count of the affected PII records covered by the newly introduced GDPR.

According to the company, hackers first breached its systems on December 19, 2017, using an employee’s credentials for the company’s cloud computing environment.

The attackers accessed the systems through an IP address in the Netherlands.

In a first phase, the hacker conducted reconnaissance; at the time, the compromised environment did not store any personal information. In early April, the company moved personal information into the compromised database, and the attackers only found it on June 22.

On July 4, the hacker exfiltrated the data and changed its password. The company noticed the activity nearly 24 hours later.

“They did not immediately suspect a security incident for two reasons that in retrospect are learning moments,” reads the technical analysis published by Timehop. “First, because it was a holiday and no engineers were in the office, he considered it likely that another engineer had been doing maintenance and changed the password. Second, password anomalies of a similar nature had been observed in a past outage. He made the decision that the event would be examined the next day, when engineers returned to the office.”

Pierluigi Paganini

(Security Affairs – Timehop, hacking)

The post Timehop provides additional details on the recent security breach appeared first on Security Affairs.

Apple insider attempts to take autonomous car secrets to China

The security checkpoint at Mineta San Jose International Airport in San Jose, California, was a bit more exciting than normal when Xiaolang Zhang passed through the TSA checkpoint on July 7. The FBI arrested Zhang at the Terminal B checkpoint for stealing information about Apple’s autonomous or self-driving car. 

Zhang, clearly not the brightest light in the chandelier, shared with his supervisor his intent to depart Apple and take a position at a Chinese startup XMotors (aka Xiaopeng Motors). Following his declaration of intent to move on to a competitor, he was immediately walked out the door; that was on April 30, 2018. Prior to that meeting, though, Zhang had downloaded the plans to a sophisticated circuit board being developed by Apple. 


Coinvault, the court case

Today, after almost 3 years of waiting, it was finally the day of the trial. In the Netherlands, where the whole case took place, the hearings are open to the public, meaning anyone who is interested can attend. And it was quite busy: besides the suspects, their lawyers, the judges and the prosecutor, there were also several members of the press, a sketch artist (to make a drawing of the suspects), several members of the Dutch police, a few victims and other people who were interested in the case.

The defence started by calling the public prosecution service “niet ontvankelijk” for one of the defendants, meaning it is not allowed to prosecute the case. The reason given was that one of the defendants was underage during some of the actions. However, all three judges also handle cases concerning underage defendants, and after a quick consultation with each other they decided to continue.

The hearing was resumed with what the two brothers were accused of:

  1. Breaking into computers;
  2. Making other people’s work inaccessible;
  3. Extortion of 1295 people.

For us it was quite interesting to understand how they came up with the number of 1295 people, because when we released our final decryption tool we had at least 14k keys. So most likely many more people were infected. In fact, we think a zero could be added to 1295 to give a more realistic view of the number of victims.

The judge then went on with what was basically a summary of the case: what happened, why they did certain things, etc. We as researchers often guess about the motives behind actions, but we can never be 100% certain until there is a confession from the criminal. One such example is the ransom amount. During the time this all took place the brothers wanted 1 bitcoin as a ransom, which was worth about 220 euro at the time. We always say that we believe ransomware criminals choose a relatively small amount to make it more attractive to pay. When the judge asked the same question they gave exactly this answer. Always good to see your theories being confirmed 🙂

Some other interesting facts were that the case file was too big to fit in a moving box, that they made around 20k euro (10k each), that they didn’t stop making ransomware because of the technical challenges, that they accepted the risk of C2 seizure and that they didn’t really see the influence their actions had on the victims. One of the judges then asked how this was possible, because they had a helpdesk that victims could e-mail in case they had problems. All their “helpdesk” replies were that the victims just had to pay. The answers they gave to the judge weren’t very convincing.

The suspects mentioned, though, that they started the helpdesk because their malware had some implementation mistakes (files were encrypted twice, for example). A consequence of this is that even today, despite the release of our decryption tool, which has all the keys, some victims were not able to recover all of their files. There was even one victim who mentioned that he simply deleted all of his files because he didn’t believe a decryption tool would become available.

Another thing that we at Kaspersky Lab kept from the public is that in our initial blogpost about Coinvault we had a screenshot with one of the suspects’ first names in the pdb path. When we worked with the police on this case they kindly asked us to remove that screenshot (which we did), so that the suspects didn’t realize they had made a mistake. During the court case they mentioned that they read the blogpost and saw the name, and were on the verge of stopping their campaign, but ultimately decided not to.

It then continued with claims by victims who paid money to get their files back. One of the victims was interested in Bitcoin and decided to pay the ransom. However, he already had some bitcoins on his computer, which were stolen by the suspects (the software supported this functionality), and now he wanted his bitcoin back :). Another victim had his own company, and the infection took place while he was on vacation. He wanted 5000 euro because the suspects ruined his vacation, and with the 5000 euro he could go on vacation again.

Now it was time for the prosecutor: twelve months of jail time, with all but three suspended. Effectively this comes down to three months – the time they already did × ⅔ = about two months of jail. The lawyers then requested (since they made a full confession, wanted to help the victims get their files back, etc.) many hours of community service. One of the reasons not to request jail time was: “Bitcryptor is not malware”. But BitCryptor was the follow-up of Coinvault, a different name for the same software. Nobody really understood the quote, except for the lawyer, since it was obviously malware and claimed some victims.

In two weeks, on the 26th of July at 13:00 CET we know the outcome.

Lessons learned? Cyber crime doesn’t pay off, and if you become a victim of cyber crime, and especially ransomware, keep your files and file a report with the police. And of course visit the Safety 101 page to see if there is a tool available to help you get your files back.

Inspire 2018: Opening doors for partner innovation, growth and differentiation

Organizations around the world are undergoing transformation fueled by cloud, artificial intelligence, mixed reality and the Internet of Things. These technologies are helping businesses and society reach new heights – retail is becoming more personal, banking is becoming more seamless, and healthcare is becoming more predictive and preventive.

At the heart of these incredible stories of transformation – and more – are Microsoft partners. The Microsoft partner ecosystem is a group of hundreds of thousands of organizations driving positive, global impact. Building everything from line-of-business apps to industry-specific solutions on Dynamics 365 to gaming experiences, these companies are a natural extension of the team at Microsoft, delivering cutting-edge technology to millions of customers.

For Microsoft partners – their success is our success. We are squarely focused on delivering a true, two-way partnership with our partner network. It is with success and partnership in mind that, on the eve of Inspire 2018, I’m thrilled to announce new programs, tools and resources to help partners innovate, grow and differentiate their businesses.

Delivering innovation through apps and services

Whether they’re building apps or services, we know partners need access to the latest technology from Microsoft and guidance on how to extend that technology to build tailor-made solutions.

Today, we are announcing exciting new innovations in Microsoft 365, including a free version of Teams, new intelligent events capabilities, the Workplace Analytics teamwork solution and more. We are also announcing new cloud, apps and data technologies including Azure Data Box Disk, Azure Virtual WAN, Azure Firewall and more. We’re so excited to see how our partners will leverage these new offerings to help customers embrace and innovate in the modern workplace and continue to help customers in their journey to the cloud.

In addition to new technologies, we’re releasing new Digital Transformation eBooks, and practice-building playbooks, expanding on the popular resources already leveraged by tens of thousands of partners looking to build and enhance their practices.

Reach more customers to sell your solutions

In our third quarter, we noted that Azure revenue grew by 93 percent, with partners driving a considerable portion of that growth. To build on this great momentum, we’re doing two new things to fuel partner growth – leaning in on our marketplaces and enhancing AppSource as the entry point for selling with Microsoft, and enhancing our go-to-market benefits for partners to help them grow their businesses.

The new marketplace capabilities, available today, include integrated partner-to-partner solutions, private offers, and expanded consulting services. Each of these new capabilities provides partners new ways to get solutions in front of a bigger base of customers and to provide them with a better buying experience. There is no greater priority for us than connecting partners with customers.

We’re also providing greater flexibility and more opportunities to unlock new benefits that help partners go to market. Starting later this year, partners with competencies will have a choice of benefits packages based on their business focus. We’re expanding core benefits to include access to services that support generating leads, improving lead velocity and increasing close rates for app or service offerings.

Focus on differentiation to attract customers

We hear from partners that specialization is key to growth. This concept has been a cornerstone of our profitability guidance to partners and many have taken that message to heart. The ask to Microsoft, from partners and customers, is to do more to help customers find the right partners with the right solutions. Today, we’re announcing new ways for partners to demonstrate their proven expertise to customers with the introduction of new advanced specializations and the new Microsoft Azure Expert MSP initiative. Partners can now demonstrate that they have the right capabilities to help with specific customer business challenges.

Last year at Inspire, we initiated a transformation at Microsoft, and a new journey with our partners that continues together. We are here for our partners, we are working hard to prepare them for the future, and we are committed to their success. We are at a unique time when the combination of technology and opportunity brings us together, and we need to rely on each other more than ever. In the world of Digital Transformation, everyone needs an ecosystem, and a partnership with Microsoft is a partnership with our ecosystem. Together, we are in a position to take advantage of the unprecedented $4.5 trillion opportunity and unleash the power of true partnership to unlock incredible growth and success – for each other, and for our customers.

The post Inspire 2018: Opening doors for partner innovation, growth and differentiation appeared first on The Official Microsoft Blog.

Dark Web Chatter Helpful in Predicting Real World Hacks, Firm Says

Some hacks are serendipitous events for skiddies who happen across a website with an easily exploitable common vulnerability. Others, especially the major breaches of major enterprises, are planned and executed with care. Such planning often leaves traces of noise across the internet. IntSights, founded in 2015, searches both the surface and deep web for this noise, and converts it into actionable intelligence. It looks for evidence of planned attacks before they actually occur.


Failed GDPR Consent Efforts

The Facebook fine announced today for the Cambridge Analytica breach would have been significantly larger under GDPR.  While the flurry of activity around the May 25 GDPR deadline may have subsided, the confusion regarding privacy, consent and what comprises actual GDPR compliance is only building.

Pravin Kothari, Founder and CEO of cloud security provider CipherCloud, offers insights and advice regarding consent and other GDPR issues.

Pravin Kothari, Founder and CEO at CipherCloud:


Lack of Compliance readiness:

“With compliance regulations in the U.S. such as HIPAA, most companies were active well ahead of the deadline to ensure compliance. With GDPR, most companies are still struggling to understand how it affects them.  At best, businesses focused on the compliance deadline of May 25 as a point of departure to begin the conversation. For a large multinational this is a dangerous and risky state of affairs. You may get called out on compliance failure. The EU is putting together plans, member by member, to proactively audit in support of GDPR compliance. Ending up on the wrong side of such an audit could constitute a business disaster given the large fines. Large multinationals will be in the bulls-eye before anyone else.”

Misleading approval for collection of personal data:

“The first issue that requires immediate action is the explicit approval for the collection of personal data. This notification is necessary for the websites of companies that collect data on European Union residents. This requires explicit approval or you cannot collect the data. Most companies have instead structured a privacy notice exclusion where you can click yes, or in some cases not click anything at all, and still proceed to use the website and have your data collected. This is ingredient number one of a recipe for compliance failure.”

The role of encryption:

“Encryption is a nice fail-safe to successfully completing the GDPR compliance journey. The breach of encrypted data does not require notification under GDPR as this data is useless to the attacker. In order to gain this safe harbor it is essential that you maintain tight control and do not share the data encryption keys, keep the data encryption keys stored in a separate location from the data, and that you encrypt the data end-to-end, not just when the data is sitting in the back-end database. Based upon anecdotal evidence, we believe that over 75% to as many as 85% of the cloud data in large multinationals which would appear to require compliance under GDPR is not properly encrypted, managed, or compliant.”

Tips for good security hygiene:

“Once you have decided to move decisively to support the GDPR compliance journey, there are other important steps to help you maintain good security hygiene. We recommend you review the number and access levels of privileged users such as administrators. Limit and restrict these privileges to the smallest possible number. All users should be observed using technologies such as user experience behavior analysis (UEBA) to understand if the behavior of a user fits expected behavior, as opposed to that of an attacker. This can identify and stop an attack quickly. UEBA monitors all user activity, time of day, attempts to bulk file download and more. Access control monitoring should also look at the time of day, IP address and geo-location of the user, device (official company issued device, user provided device, mobile device, or something else) to also ascertain if a potential user is legitimate. Digital rights management is another important technology to secure data, both online and offline, and can reduce risk substantially in the event of an active breach event. In the event that downloaded data needs to be protected from misuse, administrators have the ability to retract access to the data, even if it was downloaded and copied to another device, stolen or even lost. Finally, logging and tracking must be comprehensive in order to support any GDPR related activities or audit.”

The ISBuzz Post: This Post Failed GDPR Consent Efforts appeared first on Information Security Buzz.

Ukrainian Law Enforcement Thwart Digital Attack Against Chlorine Station

Ukrainian law enforcement personnel thwarted a digital attack that targeted equipment owned and operated by a chlorine station. According to Interfax, the Security Service of Ukraine (SBU) detected an attempt to attack the LLC Aulska chlorine station. Located in the village of Auly in the Dnipropetrovsk region, the station functions as critical infrastructure in providing chlorine […]… Read More

The post Ukrainian Law Enforcement Thwart Digital Attack Against Chlorine Station appeared first on The State of Security.

Juniper Networks Releases Security Updates

Original release date: July 12, 2018

Juniper Networks has released security updates to address vulnerabilities affecting multiple Junos OS versions. An attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review the Juniper Security Advisories website and apply the necessary updates.


Block all or nothing to prevent ICO fraud?

At Malwarebytes, we feel we have reached a point where we need to ask our customers how to proceed on the subject of ICO scams. Asking for your opinion may seem strange to some of you, but Malwarebytes comes from a community of mutual help and trust. If you were unaware of this, reading how our CEO got involved in the anti-malware business is a good way to get acquainted with the cornerstones this company was built on.

To elaborate on what we need your help with, we will need to explain a bit of the background, so bear with us.

What is an ICO?

ICO is short for Initial Coin Offering, a method of crowdfunding used for many crypto-related projects. The founders of a new venture sell tokens of their own blockchain product in exchange for established cryptocurrencies such as Bitcoin, Ether, or Monero, and use the proceeds as the capital to get the company up and running. If the company succeeds, the “coins” bought by the investors should end up worth more than what they paid for them.

That is how it should go, but what we see over and over is that the people who initiated the crowdfunding grab the investments and are never heard from again. Or we see them later, under a different name, repeating the same procedure. Some of these impostors use templates that they reuse for every fake ICO. These templates cover:

  • Creating an account at the Ethereum blockchain
  • The packet script for the blockchain
  • The sites to promote their new product
  • Advertising campaigns to get people to visit that site
  • Accounts on bitcoin-related forums to promote the ICO
  • The whitepapers explaining the goals and targets

To put this into perspective, a recent study found that only 8% of ICOs ever made it to trading on an exchange. So even if we count only 80% of them as scams, the odds of an investor losing their money are considerably higher than that figure suggests.

How to spot ICOs that might be fraudulent

There are a few questions you can ask to decide for yourself whether an ICO is worth your hard-earned money:

  • Do the people behind the ICO actually exist?
  • Does the plan they have make sense?
  • Is the earning model realistic?
  • Does the team behind the ICO answer questions about their plans?
  • How far along are they in the development of their currency? Do they have secure wallets, etc.?
  • Do they stipulate that US participants need to be accredited investors?

The problem at hand

We have been seeing a lot of ICOs that are nothing short of scams, and we would like to protect our customers against them. But if we wait until we can prove that they are a scam, it is probably too late and the crooks have already run off with the investments. So we need to be more proactive.

Are we alone in this battle? We certainly are not.

What do we ask of you?

Please let us know in the comments section below this post whether you feel we should block ICO advertisements, all ICO related sites, or leave it up to our customers to decide for themselves.

Please take note that users of our Chrome or Firefox extensions may already see some of these sites being blocked. This is because the extensions are behavior-based and may have spotted a scam for you.

If your comment does not show up immediately, you may be able to find the reason in this post: Did my comment on your blog get lost?

The post Block all or nothing to prevent ICO fraud? appeared first on Malwarebytes Labs.

PayPal tells deceased woman that her death violated its rules

PayPal forced to apologize after informing the customer that her death ‘breached its rules’

In a sheer display of lacking empathy, PayPal, the U.S.-based worldwide online payments company, sent a payment notice to a woman who had died of cancer, claiming that her death “breached its rules” and that she must pay up immediately. The deceased’s husband slammed PayPal in a Facebook post for sending the letter after his wife’s death.

Lindsay Durdle, a U.K. resident aged 37, died of breast cancer on May 31. Her husband, Howard Durdle, forwarded the death certificate, her will and his ID, as PayPal requested, in order to close Mrs. Durdle’s account. However, in spite of having informed PayPal of Mrs. Durdle’s death and submitted all the necessary documents, Mr. Durdle received a warning letter addressed to his wife from PayPal at his residence in Bucklebury, West Berkshire three weeks later, headlined: “Important: You should read this notice carefully.”

The warning letter stated that Mrs. Durdle owed the company £3,200 and went on to say: “You are in breach of condition 15.4(c) of your agreement with PayPal Credit as we have received notice that you are deceased… this breach is not capable of remedy.”

In other words, PayPal had sent a threatening letter to Mrs. Durdle stating that her death was a breach of her agreement with PayPal Credit, and warned her of further action, including termination of her agreement and legal proceedings.

“What empathy-lacking machine sent this?” Mr. Durdle asked in his post.

PayPal gave three possible explanations for this unfortunate event: a bug, a bad letter template or human error, Mr. Durdle told the BBC. PayPal issued an apology to Mr. Durdle and promised him that they would find the cause of the insensitive letter and address the problem. However, the company would not be able to share the information because it was an “internal matter”.

“We apologize unreservedly to Mr. Durdle for the understandable distress this letter has caused. As soon as we became aware of this mistake, we contacted Mr. Durdle directly to offer our support, cleared the outstanding debt and closed down his wife’s account as he requested. We are urgently reviewing our internal processes to ensure this does not happen again,” a spokesman for the online payments service said in a statement to the BBC. The company also wrote off any outstanding debt against Mrs. Durdle’s account.

Mr. Durdle, who is a member of the charity Widowed and Young, said, “I’m in a reasonable place at the moment – I’ve got quite a level head on my shoulders – and am quite capable of dealing with paperwork like this.”

He wants the letter to serve as an example to organizations of how upsetting automated letters can be and the damage they can cause the recently bereaved. His priority is to ensure that other bereaved families don’t have to go through the same treatment, not just from PayPal but from anyone.

“I’m a member of the charity Widowed and Young, and I’ve seen first-hand in there how a letter like this or something like it can completely derail somebody. If I’m going to make any fuss about this at all, it’s to make sure that PayPal, or any other organization that might do this kind of insensitive thing, recognise the damage they can cause the recently bereaved,” he added.

The post PayPal tells deceased woman that her death violated its rules appeared first on TechWorm.

When three isn’t a crowd: Man-in-the-Middle (MitM) attacks explained

Gone are the days when eavesdropping was just the stuff of spies and the town gossip. In fact, it has evolved into everyone’s favorite pastime. Thanks to the internet, it is exponentially easier now to idle by and catch juicy information than it ever was to press your ear against your neighbor’s wall.

While we can easily forgive and forget listeners within earshot when we have conversations in public, digital eavesdropping raises the privacy red flag to new heights. And it can be done quickly by taking advantage of two things: one, our penchant for connecting to Wi-Fi networks (secure or not, public or private); and two, the exploitation of that Wi-Fi network. Suffice it to say, digital eavesdropping isn’t and shouldn’t be considered a pastime, especially if you have the skills and the means to do it.

And when it comes to eavesdropping online, the term that immediately comes to mind is man-in-the-middle, essentially a scenario wherein a third person places themselves in the middle of two parties communicating with each other. A third wheel, so to speak. However, this person or entity is unseen by the two parties. In fact, they don’t even know that they are in the company of a third wheel.

While eavesdropping is generally a passive exercise (Person C takes the role of listener-observer and does not get involved while Person A and Person B chat), MitM attacks are anything but. On top of snooping, the attacker has to control the conversation, so contact with the targets is inevitable. This makes a MitM attack an active exercise, and such interference demands inventiveness, attention, patience, guile, and the willingness to be as deeply involved as needed to attain the goal.

MitM attacks can be aggressive and invasive, and they are always surreptitious.

Not to mention worrying and creepy. How can threat actors do this, and why even do it?

MitM attacks involve the unlawful tapping of a network to exploit transactions, conversations, and data transfers on the fly. Threat actors do this by taking advantage of weaknesses in a network or in any of its elements, such as software (browser, VoIP client, etc.).

Many organizations practice what are essentially MitM tactics, whether they acknowledge it or not, so they can monitor their employees’ traffic. Some do it for advertising purposes, as in the case of Superfish, adware pre-installed on Lenovo consumer laptops that installed its own root certificate so it could intercept HTTPS connections and inject ads.

Governments are also known operators of MitM attacks, using them to spy on their own citizens, to circumvent the security measures of technologies, to spy on enemy countries and steal classified information, and to steal money from financial institutions based in other countries to fund their projects.

Furthermore, we’ve seen MitM form a large part of the modus operandi of a criminal group that stole from the clients of the private European companies it targeted. The group infiltrated target networks to gain access to email accounts, monitored payment requests from these companies, and then, by impersonating the parties and inserting itself into the email conversation, instructed clients to send payments to bank accounts the group controlled.

Read: How to encrypt your email

Okay, so, we have Wi-Fi eavesdropping and email hijacking as two types of MitM attacks. Are there others?

These are just two of the most common types. Others are:

  • ARP poisoning
  • DNS spoofing
  • Port stealing
  • STP mangling

Note that not all of the types we mentioned can be carried out on all kinds of networks. ARP poisoning, for example, works only against systems on the same Ethernet LAN (the same broadcast domain) as the attacker, because ARP is never routed; it cannot be used against remote systems.

There are also different ways a threat actor can perform MitM attacks, such as sniffing, injecting, hijacking, stripping, and filtering.
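As an added example (not code from the original post), here is the detection side of the ARP poisoning mentioned above: a small watcher in the spirit of arpwatch that learns IP-to-MAC bindings from ARP replies and alerts when an address is rebound, or when one MAC starts announcing several IPs (gateway plus victim is the signature of a full-duplex MitM). The capture, the addresses and the `pinned` gateway binding are constructed for the demo and are not taken from the page.

```python
"""ARP-poisoning detector run over a constructed stream of ARP replies."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class ArpReply:
    ts: float   # capture time in seconds
    ip: str     # sender protocol address: the IP being announced
    mac: str    # sender hardware address: the MAC claiming that IP


@dataclass
class Alert:
    ts: float
    ip: str
    old_mac: str
    new_mac: str
    reason: str


class ArpWatcher:
    """Learn IP->MAC bindings from ARP replies and flag any rebinding."""

    def __init__(self, pinned: Optional[Dict[str, str]] = None):
        # Operator-pinned bindings (e.g. the gateway) are never overwritten.
        self.bindings: Dict[str, str] = {ip: m.lower() for ip, m in (pinned or {}).items()}
        self.pinned: Set[str] = set(self.bindings)
        self.ips_per_mac: Dict[str, Set[str]] = {}
        self.alerts: List[Alert] = []

    def observe(self, reply: ArpReply) -> Optional[Alert]:
        ip, mac = reply.ip, reply.mac.lower()
        self.ips_per_mac.setdefault(mac, set()).add(ip)
        known = self.bindings.get(ip)
        if known is None:            # first sighting of this IP: learn it
            self.bindings[ip] = mac
            return None
        if known == mac:             # consistent with what we already know
            return None
        reason = "pinned binding contradicted" if ip in self.pinned else "binding changed"
        alert = Alert(reply.ts, ip, known, mac, reason)
        self.alerts.append(alert)
        if ip not in self.pinned:    # follow the change (could be DHCP churn) but keep the alert
            self.bindings[ip] = mac
        return alert

    def impersonators(self) -> Dict[str, Set[str]]:
        """MACs announcing several IPs: gateway + victim is the classic MitM signature."""
        return {m: ips for m, ips in self.ips_per_mac.items() if len(ips) > 1}


# Constructed capture (not a real trace): the host at .77 poisons both ends.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "00:11:22:33:44:01"),   # real gateway answers
    ArpReply(0.5, "192.168.1.50", "00:11:22:33:44:50"),  # victim workstation
    ArpReply(1.0, "192.168.1.77", "de:ad:be:ef:00:77"),  # attacker's own, legitimate, address
    ArpReply(5.0, "192.168.1.1", "de:ad:be:ef:00:77"),   # attacker now claims the gateway IP
    ArpReply(5.1, "192.168.1.50", "de:ad:be:ef:00:77"),  # ...and the victim's: full-duplex MitM
    ArpReply(6.0, "192.168.1.1", "de:ad:be:ef:00:77"),   # re-announced to keep caches poisoned
]
GATEWAY_PIN = {"192.168.1.1": "00:11:22:33:44:01"}   # assumed known-good gateway MAC


def analyze(replies: List[ArpReply], pinned: Optional[Dict[str, str]] = None) -> ArpWatcher:
    watcher = ArpWatcher(pinned)
    for reply in replies:
        watcher.observe(reply)
    return watcher


if __name__ == "__main__":
    w = analyze(SAMPLE_REPLIES, GATEWAY_PIN)
    for a in w.alerts:
        print(f"t={a.ts:4.1f} {a.ip} {a.old_mac} -> {a.new_mac} ({a.reason})")
    print("MACs claiming several IPs:", w.impersonators())
```

Without a pinned gateway the watcher still alerts on the first rebinding, but then trusts the attacker's MAC and stays quiet on the re-announcements; pinning the gateway makes every contradicting reply an alert, which is why a static ARP entry for the gateway (or DHCP snooping and dynamic ARP inspection on the switch) is the usual hardening.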

I’ve read somewhere that MitM comes in many forms. What are they?

There is an attack called man-in-the-browser (MitB), which starts when a piece of malware arrives on the user’s system, runs whenever the browser runs, and modifies banking transactions behind the scenes while maintaining the appearance of legitimacy to the unknowing user. MitB attacks are, in short, built for financial fraud.

MitB attacks are particularly dangerous to users and tricky to spot because criminals can siphon off money even though the bank website’s security controls and encryption are in place and the user’s antivirus program is working normally.

Then there is a type used against mobile devices called man-in-the-mobile (MitMo), also known as man-in-the-phone. Like MitB, this is malware, and its specific purpose is to circumvent SMS two-factor authentication by intercepting incoming messages that carry transaction authentication numbers (TANs) and other verification codes. Android users are the main targets of MitMo malware such as the mobile components of SpyEye and ZeuS. CatchApp, an app capable of stealing encrypted chat messages from WhatsApp, is another example of software that can perform MitM attacks on mobile devices.

Still in the realm of mobile, there is the relatively new man-in-the-app, in which an attacker uses a self-signed certificate to communicate directly with a compromised app.

Then we have MitM variants for the cloud and for the Internet of Things, appropriately called man-in-the-cloud and man-in-the-IoT, respectively.

Are MitM attacks still happening?

Yes. They’re quite prevalent, actually. Some types of MitM attacks are easy to carry out, and there are readily available hacking tools a budding threat actor can use to set one up. It is even possible (if not highly likely) for insider threats within a company to conduct such attacks on the organization’s intranet.

Unfortunately, detecting most types of MitM attack is difficult. Therefore, nipping such attacks in the bud through prevention is still very important, and the preventive measures that counter this type of attack also improve a network’s security and privacy in general.

Since prevention is better than cure in this case, what are the ways to protect me from MitM attacks?

  • Avoid using public Wi-Fi networks if you can, especially if they are not password-protected. If you do use one, limit yourself to browsing, reading, and other activities that do not involve entering your credentials.
  • Like we always say, log out of secured sessions whenever you’re not using them. The majority of social networks do this automatically the moment you kill the browser or close its tab, but it still pays to log out manually from others.
  • If possible, access only websites sporting the green lock, that is, those using the HTTPS protocol. Also, if you can use apps or extensions such as HTTPS Everywhere to force the browser to visit the secured versions of the websites you visit, install them.
  • Enable multi-factor authentication on accounts where the option is available.
  • If possible, install and use a virtual private network (VPN) when conducting sensitive transactions and communications online, or if you absolutely feel the need to use a public Wi-Fi connection.
  • Look out for potential phishing emails asking you to update your passwords. Along the same lines, be wary of emails carrying attachments, which could be malware that exposes you to MitM attacks.
  • Make sure that your home router is configured securely as well. Start by changing the default router username and password to unique and strong ones.


The post When three isn’t a crowd: Man-in-the-Middle (MitM) attacks explained appeared first on Malwarebytes Labs.

Corporate Networks Vulnerable To Insider Attacks

During penetration testing performed as an internal attacker, Positive Technologies researchers were able to obtain full control of the infrastructure on every corporate network they attempted to compromise. Penetrating the network perimeter has become easier over time, the report reveals, with the difficulty of accessing the internal network assessed as “trivial” in 56% of tests in 2017, compared with just 27% in 2016. On average, Positive Technologies testers found two attack vectors (vulnerabilities) per client that would allow the internal network to be penetrated. Christopher Day, Chief Cybersecurity Officer at Cyxtera, commented below.

Christopher Day, Chief Cybersecurity Officer at  Cyxtera:

“Organizations must reduce the attack surface to effectively combat today’s cyber threats. Insiders shouldn’t have access to systems they don’t need to do their job. External threat actors shouldn’t be able to exploit a weak password and gain the keys to the digital kingdom. We recommend that organizations adopt a Zero Trust mindset and build their security controls accordingly. Also, take a fresh look at your tool set and determine whether it’s adequate to secure today’s hybrid, decentralized infrastructure. For example, the network perimeter is not only easy to penetrate, it has extended well beyond traditional premise-based boundaries. Software-defined perimeter (SDP) solutions can address the entirety of the IT environment, wherever it is, and employ fine-grained access controls to reduce the attack surface dramatically. Wi-Fi networks continue to be an area of weakness so we need to do more than merely scan them to identify possible vulnerabilities. Newer technologies can determine whether assets behind the vulnerable access point can be compromised and whether or not a mitigating control is in place.”

The ISBuzz Post: This Post Corporate Networks Vulnerable To Insider Attacks appeared first on Information Security Buzz.


An XML external entity (XXE) vulnerability in Fortify Software Security Center (SSC) versions 17.1, 17.2 and 18.1 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
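To show the mechanism behind that advisory, here is an added example (not Fortify code, and not from the advisory) using only Python’s standard-library `xml.sax`: a request body whose DTD declares an external entity pointing at a local file, parsed first by a parser that resolves external entities and then by one hardened against the whole class. The secret file, the element names and the `run_demo` helper are constructed for the demo; with an `http://` system id in place of the file path the same parser would make the outbound request for the attacker, which is the SSRF half of the advisory.

```python
"""XXE with the standard library's xml.sax, vulnerable and hardened."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class _Collector(handler.ContentHandler):
    """Gather all character data, the way a naive consumer would read <name>."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self):
        return "".join(self._parts).strip()


class _RejectDoctype:
    """Lexical handler that turns any DOCTYPE in untrusted input into a hard error."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed in untrusted XML")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def xxe_payload(path: str) -> bytes:
    """Attacker-controlled request body: the entity's SYSTEM id names a local file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<data><name>&xxe;</name></data>"
    ).encode()


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Resolves external general entities (the default before Python 3.7.1): reads local files."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)   # the dangerous switch
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_hardened(xml_bytes: bytes) -> str:
    """No external entities and no DTD at all: both the file-read and SSRF vectors are gone."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, _RejectDoctype())
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def run_demo() -> dict:
    """Write a constructed secret, fire the payload at both parsers, report what happened."""
    secret = "DB_PASSWORD=hunter2"          # constructed stand-in for a real config file
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".conf") as f:
        f.write(secret)
        path = f.name
    try:
        leaked = parse_vulnerable(xxe_payload(path))
        try:
            parse_hardened(xxe_payload(path))
            blocked = False
        except ValueError:
            blocked = True
        benign = parse_hardened(b"<data><name>alice</name></data>")
    finally:
        os.unlink(path)
    return {"secret": secret, "leaked": leaked, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    print(run_demo())
```

Disabling entity resolution alone leaves `&xxe;` silently empty, which hides the attempt; rejecting the DTD outright (what libraries such as defusedxml do) both closes the hole and gives you a log line to alert on.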


The Shein Group Ltd. "SHEIN - Fashion Shopping" app -- aka shein fashion-shopping/id878577184 -- for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.


The komoot GmbH "Komoot - Cycling & Hiking Maps" app before 9.3.2 -- aka komoot-cycling-hiking-maps/id447374873 -- for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.


"Shpock Boot Sale & Classifieds" app before 3.17.0 -- aka shpock-boot-sale-classifieds/id557153158 -- for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

The UK’s Minimum Cyber Security Standard: What You Need to Know

In June 2018, the UK Government, in collaboration with NCSC (National Cyber Security Centre), produced a new security standard that all Government “Departments,” including organisations, agencies, arm’s length bodies, and contractors must adhere to without exception. These measures will continue to increase over time in order to ‘address new threats or classes of vulnerabilities’ and […]… Read More

The post The UK’s Minimum Cyber Security Standard: What You Need to Know appeared first on The State of Security.


An integer overflow vulnerability exists in the function transfer_tokens_after_ICO of GlobeCoin (GLB), an Ethereum token smart contract. An attacker could use it to set any user's balance.


An integer overflow vulnerability exists in the function multipleTransfer of Neo Genesis Token (NGT), an Ethereum token smart contract. An attacker could use it to set any user's balance.
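The two token advisories above describe the same bug class, so one added example covers both. It is a Python model written for this page, not the GlobeCoin or Neo Genesis Token source: `u256` reproduces the silent modular wrap of unsigned arithmetic in Solidity before 0.8 (0.8 and later revert on overflow by default), the `Token` ledger and the `multiple_transfer_*` method names are assumptions about the shape of a batch transfer, and the checked variant does what SafeMath does. The attack needs no balance at all: with two recipients and an amount of 2**255 the total wraps to zero, the balance check passes, and each recipient, the attacker included, is credited 2**255.

```python
"""uint256 wrap-around in a batch token transfer, modelled in Python."""
UINT256_MAX = 2**256 - 1


def u256(x: int) -> int:
    """Wrap like pre-0.8 Solidity unsigned arithmetic: silently mod 2**256."""
    return x & UINT256_MAX


def safe_mul(a: int, b: int) -> int:
    """SafeMath-style multiply: raise (Solidity: revert) instead of wrapping."""
    c = a * b                      # Python has bignums; SafeMath checks c / a == b instead
    if c > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return c


def safe_add(a: int, b: int) -> int:
    c = a + b
    if c > UINT256_MAX:
        raise OverflowError("uint256 addition overflow")
    return c


class Token:
    """Minimal ERC20-like ledger: balances only, enough to show the bug."""

    def __init__(self, balances):
        self.balances = {who: u256(v) for who, v in balances.items()}

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def multiple_transfer_wrapping(self, sender, recipients, amount):
        """Bug shape: amount * count wraps, the balance check passes, everyone still gets amount."""
        total = u256(amount * len(recipients))       # 2**255 * 2 == 2**256 -> 0
        if self.balance_of(sender) < total:
            raise ValueError("insufficient balance")
        self.balances[sender] = u256(self.balance_of(sender) - total)
        for r in recipients:
            self.balances[r] = u256(self.balance_of(r) + amount)

    def multiple_transfer_checked(self, sender, recipients, amount):
        """Same logic with checked arithmetic: the overflowing call reverts before any state change."""
        total = safe_mul(amount, len(recipients))
        if self.balance_of(sender) < total:
            raise ValueError("insufficient balance")
        self.balances[sender] = self.balance_of(sender) - total   # cannot underflow after the check
        for r in recipients:
            self.balances[r] = safe_add(self.balance_of(r), amount)


def exploit(token: Token, attacker: str, victim: str):
    """Zero-balance attacker mints 2**255 for themselves (and the victim) via the wrapping path."""
    token.multiple_transfer_wrapping(attacker, [attacker, victim], 2**255)
    return token.balance_of(attacker), token.balance_of(victim)


if __name__ == "__main__":
    t = Token({"attacker": 0, "victim": 100})
    print("after exploit:", exploit(t, "attacker", "victim"))
    try:
        Token({"attacker": 0}).multiple_transfer_checked("attacker", ["attacker", "victim"], 2**255)
    except OverflowError as e:
        print("checked version:", e)
```

The recipient list is attacker-chosen, which is why the advisories say the attacker can set any user's balance: any address placed in `recipients` is credited the wrapped-past amount, and a second call with a different count and amount can steer the result further.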

Handling Social Media Stress – Pointers to Share with Your Teens

The lion’s share of modern day communication happens online and for that, thanks to the hundreds of apps available. Whether it is news or videos, blogging or education, social media or gaming, entertainment or social movements – a lot is happening online, all the time.

In fact, social media apps have become the new ‘hangout’ zones for virtual citizens. After all, we live in a connected world and enjoy being online. But that may not always be good for tweens and teens, as they are still too young to process all the information they are taking in. This may lead to stress.

Stress is not uncommon in our physical lives. We get stressed by our education, career, relationships and the environment. The same happens in the digital world. In the physical world, our responses to stress are primarily venting, having face-to-face spats or ignoring the issue. Not so in the digital world. In the virtual space, stress may arise from different causes and the repercussions may take on a viral form.

Why do children get stressed by social media? The common causes are:

  • Peer pressure: THE most important reason for children being online is to connect with their friends. And to keep this friendship alive and kicking, they often blindly copy the group leaders, even if they are not comfortable with what they are doing
  • FOMO (Fear of Missing Out): Teens, especially girls, have a competitive spirit when it comes to online presence and don’t want to be ‘the last to know’ so, they end up spending a lot of time online
  • Keeping up with the Joneses: The same competitive spirit leads kids to spend hours posing and selecting the perfect pics to share online or seek approval from strangers. This is risky, as negative comments online can harm self-confidence
  • Excessive sharing: When kids share a lot of their private information on social media, they leave themselves vulnerable to hacking, as well as opening themselves up to contact from inappropriate individuals online
  • Cyberbullying: Most kids have witnessed or experienced some forms of cyberbullying and often end up as either perpetrators or victims or mute spectators. In all cases, this is a disturbing occurrence
  • Lack of screen time limits: Lack of digital balance can have psychological effects and so digital usage rules are a must
  • Lack of empathy: When children are not taught to respect others and their traditions, they do not develop empathy and may end up bullying those with differing views and lifestyles
  • Exposure to inappropriate content or people: The wrong connections and information are a big source of stress
  • Online spats: Differences crop up, leading to squabbles and heated exchanges. It gets complex when this is done in a public forum and strangers join in
  • Disturbing global news: The slew of violent news often creates negative tension in the minds of youngsters, leaving them feeling confused and belligerent

Parenting plays a major role in helping children learn how to tackle social media stress.  As parents, you know your children the best. Yes, even teens.

Observe them and, if you note any change in their social media habits or general behaviour, talk to them. The earlier you start having frank one-to-one conversations, the easier it will be for you later. But before that, you may need to modify your own response to stress and learn to control your reactions. That way you will teach them a very important lesson without having to use a single word.

Help your kids fight social media stress:

  • Accept differences: People are different and will have different opinions. Accept the differences and respect their values
  • Be discerning: Life isn’t a bed of roses for anyone, so don’t let profiles fool you. Don’t judge someone by their bio and pictures
  • Practice tact: When things get bitter, the decent thing to do is to agree to disagree and walk away. If you don’t react, it doesn’t mean you are the weak one; it means you are smart enough not to get provoked. However, if the meanness gets out of hand, be the strong one and report and block the account
  • Practice digital balance: Limit screen time and have good friends in the real world who will always stand by you
  • Be aware: The world will have both good and bad and growing up means learning to understand and accept this. Maturity is being able to stay true to values. Wisdom is knowing which is bad and avoiding it

Say goodbye to stress and lead a healthier and happier life online. Apply your values from your physical life in the digital one and practice STOP. THINK. CONNECT. And don’t forget! Use McAfee Total Protection on all connected devices to protect what you value the most.

The post Handling Social Media Stress – Pointers to Share with Your Teens appeared first on McAfee Blogs.

IDG Contributor Network: Staying secure as the IoT tsunami hits

Just when we thought we were gaining control over our networks and computing environments, bam!  Here comes the Internet of Things (IoT), and it’s the wild, wild west all over again.

This new wave of device proliferation has moved more quickly than any other computing or technology phase we’ve experienced in modern times. IDC estimates that there are 13 billion connected devices in use worldwide already, and that number could reach 30 billion in the next three years. To put this into perspective, Ericsson’s most recent Mobility Report estimated that there are less than four billion active smartphone subscriptions active around the world. The IoT phenomenon is that big.


Geeky ways to celebrate Friday the 13th

You're in luck

We've cobbled together a slew of things for the geeky among you to do on July 13 -- Friday the 13th that is. And we suggest you do it up because you won’t get another chance until Sept. 13, 2019.

Don’t miss the day!

Mobile apps exist solely for the purpose of reminding you when Friday the 13th is coming up. Pocketkai’s free iOS app will remind you of the one to three Friday the 13ths coming up each year for the next 50 years. The Bogeyman’s Android app will do likewise, for the next 10 Friday the 13ths.
