Daily Archives: September 5, 2018

You: The First, Last and Best Data Protection and Privacy Defense – Part 2

As part of this two-part series, let’s now look at another exhibit demonstrating how people act as the first, last and best data and privacy defense. Exhibit B: Potentially Unwanted Leaks If you have some technical literacy, you may have heard of potentially unwanted programs (“PUPs”). It’s all that glop and gloop – malware, […]

The post You: The First, Last and Best Data Protection and Privacy Defense – Part 2 appeared first on The State of Security.

Before Senate, Facebook and Twitter Defend Efforts to Stop Fake News

Facebook and Twitter executives defended recent efforts to stop the use of their platforms by Russia, Iran and other countries to influence U.S. elections. In testimony before the U.S. Senate, Facebook COO Sheryl Sandberg and Twitter Chief Executive Jack Dorsey on Wednesday defended their employers’ recent efforts to thwart influence...


Snake Oilers 7 part 2: Assetnote.io launch, InQuest and Aiculus

On this edition of Snake Oilers we hear from three companies, and for one of them, it’s actually their product launch!

Assetnote is a cloud asset discovery and security scanning platform spun out of the bug bounty community. If you’re a CSO with any large public attack surface you’ll really want to hear about that one. This platform finds things you didn’t even know your company had online in cloud environments and then scans them for real, actual RCEs. The user interface is awesome, too.

Then we’re going to hear from Pedram Amini of InQuest – they make a box that reassembles files from network packets captured off the wire or funnelled in through ICAP and then rips them to bits looking for badness. They call it deep file inspection and it’s a great way to supplement client side detection, at scale. You can even pass these reassembled files on to multi-AV or cloud services and use this platform to do spot threat hunting. It’s very powerful stuff, and honestly that’s an interview that got me thinking in a new way about detection concepts.

And then finally we’re joined by Omaru Maruatona of Aiculus. Omaru has a PhD in applying machine learning to bank fraud, which he obtained while working for one of the big four banks here in Australia. After that he moved on to PwC as a penetration tester, and now he’s running Aiculus. Aiculus has developed an API proxy that uses machine learning to detect funky calls. If you’re not satisfied that your API gateway has you completely covered then yeah, you’ll want to listen to that one.

Cisco Enterprise NFV Infrastructure Software Information Disclosure Vulnerability

A vulnerability in the REST API of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to read any file on an affected system.

The vulnerability is due to insufficient authorization and parameter validation checks. An attacker could exploit this vulnerability by sending a malicious API request with the authentication credentials of a low-privileged user. A successful exploit could allow the attacker to read any file on the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-infodis


Security Impact Rating: Medium
CVE: CVE-2018-0460

Cisco Integrated Management Controller Command Injection Vulnerability

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject and execute arbitrary commands with root privileges on an affected device.

The vulnerability is due to insufficient validation of command input by the affected software. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to inject and execute arbitrary, system-level commands with root privileges on an affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-cimc-injection


Security Impact Rating: High
CVE: CVE-2018-0430,CVE-2018-0431

Cisco SD-WAN Solution Command Injection Vulnerability

A vulnerability in the command-line interface (CLI) in the Cisco SD-WAN Solution could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges.

The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI utility.

The attacker must be authenticated to access the CLI utility. A successful exploit could allow the attacker to execute commands with root privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-sd-wan-injection


Security Impact Rating: High
CVE: CVE-2018-0433

Cisco Cloud Services Platform 2100 Command Injection Vulnerability

A vulnerability in the web-based management interface of Cisco Cloud Services Platform 2100 could allow an authenticated, remote attacker to perform command injection.

The vulnerability is due to insufficient input validation of command input. An attacker could exploit this vulnerability by sending customized commands to the web-based management interface.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-csp2100-injection


Security Impact Rating: Medium
CVE: CVE-2018-0454

Cisco SD-WAN Solution Certificate Validation Vulnerability

A vulnerability in the Zero Touch Provisioning feature of the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data by using an invalid certificate.

The vulnerability is due to insufficient certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-sd-wan-validation


Security Impact Rating: High
CVE: CVE-2018-0434

Cisco Email Security Appliance URL Filtering Bypass Vulnerability

A vulnerability in the anti-spam protection mechanisms of Cisco AsyncOS Software for the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass certain content filters on an affected device.

The vulnerability is due to incomplete input and validation checking mechanisms for certain Sender Policy Framework (SPF) messages that are sent to an affected device. An attacker could exploit this vulnerability by sending a customized SPF packet to an affected device. If successful, an exploit could allow the attacker to bypass the URL filters that are configured for the affected device, which could allow malicious URLs to pass through the device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-esa-url-bypass


Security Impact Rating: Medium
CVE: CVE-2018-0447

Cisco Tetration Analytics Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.

The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a customized link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-vulns


Security Impact Rating: Medium
CVE: CVE-2018-0451

Cisco Tetration Analytics Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a customized link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-xss


Security Impact Rating: Medium
CVE: CVE-2018-0452

Cisco Umbrella API Unauthorized Access Vulnerability

A vulnerability in the Cisco Umbrella API could allow an authenticated, remote attacker to view and modify data across their organization and other organizations.

The vulnerability is due to insufficient authentication configurations for the API interface of Cisco Umbrella. An attacker could exploit this vulnerability to view and potentially modify data for their organization or other organizations. A successful exploit could allow the attacker to read or modify data across multiple organizations.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-api


Security Impact Rating: Critical
CVE: CVE-2018-0435

Cisco Prime Collaboration Assurance Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a customized link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-pca-xss


Security Impact Rating: Medium
CVE: CVE-2018-0458

Cisco Webex Teams Information Disclosure and Modification Vulnerability

A vulnerability in Cisco Webex Teams, formerly Cisco Spark, could allow an authenticated, remote attacker to view and modify data for an organization other than their own organization.

The vulnerability exists because the affected software performs insufficient checks for associations between user accounts and organization accounts. An attacker who has administrator or compliance officer privileges for one organization account could exploit this vulnerability by using those privileges to view and modify data for another organization account.

No customer data was impacted by this vulnerability.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-id-mod


Security Impact Rating: High
CVE: CVE-2018-0436
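
The Umbrella API and Webex Teams advisories above describe the same authorization defect: the caller is authenticated, but the organization named in the request is never checked against the organization the credential was issued for. The Python below is an added illustration of that pattern and of the two-layer fix (reject mismatched tenants, and key every lookup by the caller's tenant rather than by request input). It is not Cisco code and is not derived from either advisory; the principals, record store and organization names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Principal:
    """What the API learns from a verified credential: who, and for which tenant."""
    user: str
    org_id: str      # tenant the token was issued for
    role: str        # "admin", "compliance" or "viewer"

class Forbidden(Exception):
    pass

# Constructed tenant data: two organizations whose records must stay separate.
RECORDS = {
    "org-A": {"pol-1": {"name": "Block gambling", "action": "deny"}},
    "org-B": {"pol-9": {"name": "Allow partner CDN", "action": "allow"}},
}

def read_record_vulnerable(caller: Principal, org_id: str, record_id: str) -> dict:
    """Authenticated, but the org_id comes straight from the request path and is
    trusted. Any valid user of org-A can name org-B and read its record."""
    return dict(RECORDS[org_id][record_id])

def read_record_hardened(caller: Principal, org_id: str, record_id: str) -> dict:
    # 1. The tenant named in the request must be the tenant the credential belongs to.
    if org_id != caller.org_id:
        raise Forbidden(f"{caller.user} ({caller.org_id}) may not access {org_id}")
    # 2. Key the lookup by the caller's tenant, never by request input, so a future
    #    regression in the check above still cannot reach another tenant's data.
    try:
        return dict(RECORDS[caller.org_id][record_id])
    except KeyError:
        # Same error whether the record is absent or belongs to someone else, so the
        # message never confirms what exists in other tenants.
        raise Forbidden("no such record in your organization") from None

def update_record_hardened(caller: Principal, org_id: str, record_id: str, changes: dict) -> dict:
    """Writes need the tenant check and a role check (compliance officers read only)."""
    if caller.role != "admin":
        raise Forbidden(f"role {caller.role!r} may not modify records")
    current = read_record_hardened(caller, org_id, record_id)   # tenant check happens here
    updated = {**current, **changes}
    RECORDS[caller.org_id][record_id] = updated
    return updated

def denied(fn: Callable, *args) -> bool:
    """Ask 'would this call be refused?' without try/except noise at the call site."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The second layer matters in practice: authorization checks get refactored away, but a data-access function that literally cannot express "another tenant's record" survives that.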

Cisco RV110W, RV130W, and RV215W Routers Management Interface Information Disclosure Vulnerability

A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to gain access to sensitive information.

The vulnerability is due to improper access control to files within the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device. A successful exploit could allow the attacker to gain access to sensitive configuration information, including user authentication credentials.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-rv-routers-disclosure


Security Impact Rating: High
CVE: CVE-2018-0425

Cisco Webex Meetings Client for Windows Privilege Escalation Vulnerability

A vulnerability in the folder permissions of Cisco Webex Meetings client for Windows could allow an authenticated, local attacker to modify locally stored files and execute code on a targeted device with the privilege level of the user.

The vulnerability is due to folder permissions that grant a user the permission to read, write, and execute files in the Webex folders. An attacker could exploit this vulnerability to write malicious files to the Webex client directory, affecting all other users of the targeted device. A successful exploit could allow a user to execute commands with elevated privileges.

Attacks on single-user systems are less likely to occur, as the attack must be carried out by the user on the user's own system. Multiuser systems have a higher risk of exploitation because folder permissions have an impact on all users of the device. For an attacker to exploit this vulnerability successfully, a second user must execute the locally installed malicious file to allow remote code execution to occur.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe


Security Impact Rating: High
CVE: CVE-2018-0422

Cisco RV110W, RV130W, and RV215W Routers Management Interface Buffer Overflow Vulnerability

A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to cause a denial of service condition or to execute arbitrary code.

The vulnerability is due to improper boundary restrictions on user-supplied input in the Guest user feature of the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device, triggering a buffer overflow condition. A successful exploit could allow the attacker to cause the device to stop responding, resulting in a denial of service condition, or could allow the attacker to execute arbitrary code.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-rv-routers-overflow


Security Impact Rating: Critical
CVE: CVE-2018-0423

Cisco Webex Player WRF Files Denial of Service Vulnerability

A vulnerability in the Cisco Webex Player for Webex Recording Format (WRF) files could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

An attacker could exploit this vulnerability by sending a user a link or email attachment with a malicious WRF file and persuading the user to open the file in the Cisco Webex Player. A successful exploit could cause the affected player to crash, resulting in a DoS condition.

For more information about this vulnerability, see the Details section of this security advisory.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-player-dos


Security Impact Rating: Medium
CVE: CVE-2018-0457

Cisco SD-WAN Solution Privilege Escalation Vulnerability

A vulnerability in the error reporting feature of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected device.

The vulnerability is due to a failure to properly validate certain parameters included within the error reporting application configuration. An attacker could exploit this vulnerability by sending a crafted command to the error reporting feature. A successful exploit could allow the attacker to gain root-level privileges and take full control of the device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-sd-wan-escalation


Security Impact Rating: High
CVE: CVE-2018-0432

Cisco Secure Access Control Server XML External Entity Injection Vulnerability

A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system.

The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-acsxxe


Security Impact Rating: Medium
CVE: CVE-2018-0414
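
An XXE of the shape the ACS advisory describes: an administrator imports an XML file, and the parser resolves an external entity that the file itself declares. The following Python is an added example, not Cisco code; the import format (`<users>` containing `<user name="...">`), the handler names and both sample documents are constructed, since the advisory does not describe the real file format. It uses only the standard-library expat parser and refuses DTDs and entities before any are resolved, which is the same approach the `defusedxml` package packages up.

```python
import xml.parsers.expat as expat

class UnsafeXML(ValueError):
    """Raised when an import file tries to declare a DTD or use entities."""

# Constructed samples. The SYSTEM identifier is the textbook XXE target.
MALICIOUS_IMPORT = b"""<?xml version="1.0"?>
<!DOCTYPE users [
  <!ENTITY secret SYSTEM "file:///etc/passwd">
]>
<users><user name="&secret;"/></users>"""

BENIGN_IMPORT = b"""<?xml version="1.0"?>
<users><user name="alice"/><user name="bob"/></users>"""

def parse_import_file(data: bytes) -> list:
    """Parse an uploaded user-import document with DTD and entity processing refused.
    Returns the user names it contains; raises UnsafeXML before any entity is resolved."""
    parser = expat.ParserCreate()
    names = []

    # Policy: import files never need a DTD, so reject any DOCTYPE outright ...
    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {doctype_name!r} is not allowed in import files")

    # ... and, as defence in depth, refuse entity declarations and external references
    # even if the DOCTYPE policy above were ever relaxed.
    def reject_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXML(f"entity declaration {name!r} rejected")

    def reject_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity {system_id!r} rejected")

    def on_start(tag, attrs):
        if tag == "user" and "name" in attrs:
            names.append(attrs["name"])

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(data, True)   # an exception raised in a handler aborts the parse and propagates
    return names

def is_safe_import(data: bytes) -> bool:
    try:
        parse_import_file(data)
    except UnsafeXML:
        return False
    return True
```

Rejecting the DOCTYPE is the right default for any format you control: it also shuts the door on entity-expansion denial of service ("billion laughs"), which needs no external reference at all.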

Cisco Prime Access Registrar Denial of Service Vulnerability

A vulnerability in TCP connection management in Cisco Prime Access Registrar could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition when the application unexpectedly restarts.

The vulnerability is due to incorrect handling of incoming TCP SYN packets to specific listening ports. The improper handling of the TCP SYN packets could cause a system file descriptor to be allocated and not freed. An attacker could exploit this vulnerability by sending a crafted stream of TCP SYN packets to the application. A successful exploit could allow the attacker to cause the application to eventually restart if a file descriptor cannot be obtained.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-cpar-dos


Security Impact Rating: High
CVE: CVE-2018-0421

Cisco Data Center Network Manager Privilege Escalation to Underlying Operating System Vulnerability

A vulnerability in the web interface of Cisco Data Center Network Manager could allow an authenticated application administrator to execute commands on the underlying operating system with root-level privileges.

The vulnerability is due to incomplete input validation of user input within an HTTP request. An attacker could exploit this vulnerability by authenticating to the application and then sending a crafted HTTP request to the targeted application. A successful exploit could allow the authenticated attacker to issue commands on the underlying operating system as the root user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-cdcnm-escalation


Security Impact Rating: High
CVE: CVE-2018-0440

Cisco Meeting Server Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.

The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a customized link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-meeting-csrf


Security Impact Rating: Medium
CVE: CVE-2018-0439

Multiple Vulnerabilities in Cisco Packaged Contact Center Enterprise

Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface or conduct a cross-site request forgery (CSRF) attack.

For more information about these vulnerabilities, see the Details section of this security advisory.

There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-pcce


Security Impact Rating: Medium
CVE: CVE-2018-0444,CVE-2018-0445
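
The Tetration Analytics, Meeting Server and Packaged Contact Center Enterprise advisories above all cite "insufficient CSRF protections": a state-changing request is accepted as long as the browser sends a valid session cookie, which it does automatically for a form the attacker's page submits. The Python below is an added example of that handler and its hardened form (a session-bound HMAC token plus an Origin check), not Cisco code and not derived from the advisories; the session id, origins, form fields and request dictionaries are constructed to stand in for real HTTP requests.

```python
import hashlib
import hmac
import secrets

# Constructed state for the example: one logged-in admin session, a per-deployment key,
# and the origin the management UI is served from (hypothetical names).
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-7f3a": "admin"}
ALLOWED_ORIGIN = "https://mgmt.example"
AUDIT = []   # every change that was actually applied, for inspection

def issue_csrf_token(session_id: str) -> str:
    """token = nonce '.' HMAC(secret, session_id ':' nonce). Bound to the session, so a
    token minted for one session is useless alongside another session's cookie."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison

def handle_change_vulnerable(request: dict) -> int:
    """Anti-pattern: a valid session cookie is the only check. The browser attaches that
    cookie to a cross-site form post automatically, so the attacker's page acts as the admin."""
    if request["cookies"].get("session") not in SESSIONS:
        return 401
    AUDIT.append(("vulnerable", request["form"]["action"]))
    return 200

def handle_change_hardened(request: dict) -> int:
    session = request["cookies"].get("session")
    if session not in SESSIONS:
        return 401
    # Origin is set by the browser on cross-site POSTs and cannot be forged from a page;
    # when present it must match. Absence is tolerated only because the token check follows.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403
    if not verify_csrf_token(session, request["form"].get("csrf_token", "")):
        return 403
    AUDIT.append(("hardened", request["form"]["action"]))
    return 200

def forged_request(with_origin: bool = True) -> dict:
    """What arrives when the admin's browser visits the attacker's page: the cookie is
    attached automatically, but the attacker cannot read or mint the session-bound token."""
    headers = {"Origin": "https://attacker.example"} if with_origin else {}
    return {"cookies": {"session": "sess-7f3a"}, "headers": headers,
            "form": {"action": "add-admin-user"}}

def legitimate_request(session_id: str) -> dict:
    """A form the UI itself rendered: it carries the token issued for this session."""
    return {"cookies": {"session": session_id}, "headers": {"Origin": ALLOWED_ORIGIN},
            "form": {"action": "add-admin-user", "csrf_token": issue_csrf_token(session_id)}}
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a cheap extra layer, but it is not a substitute for the token: older clients ignore it, and some cross-site navigations still carry Lax cookies.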

Cisco RV110W, RV130W, and RV215W Routers Management Interface Directory Traversal Vulnerability

A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to gain access to sensitive information.

The vulnerability is due to improper validation of directory traversal character sequences within the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to the targeted device. A successful exploit could allow the attacker to gain access to arbitrary files on the affected device, resulting in the disclosure of sensitive information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-rv-routers-traversal


Security Impact Rating: High
CVE: CVE-2018-0426
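
The directory traversal above ("improper validation of directory traversal character sequences") is the classic failure of joining a request path onto a document root and letting the filesystem resolve the `..` segments. The Python below is an added example, not Cisco code and not the RV-router firmware's logic; the document root is hypothetical and the example never touches the disk, it only computes the path the server would open. The hardened version decodes once, rejects NUL, normalises, and then checks containment on the normalised result, which also catches absolute inputs and encoded `..` sequences.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/device/static"   # hypothetical document root of the management UI

def resolve_vulnerable(user_path: str) -> str:
    """Anti-pattern: decode, join, and hand the result to open(). The filesystem resolves
    the '..' segments, which walks straight out of the document root."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(user_path)))

def resolve_hardened(user_path: str) -> Optional[str]:
    """Returns the on-disk path to serve, or None if the request must be refused."""
    decoded = unquote(user_path)            # decode exactly once; "%252e" stays a literal "%2e"
    if "\x00" in decoded:
        return None                          # a NUL byte would truncate the path inside a C open()
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    # Containment check on the *normalised* result: it must be the root itself or lie below
    # it. This also catches absolute inputs, because join() discards WEB_ROOT for those.
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate
```

On a real device, follow this lexical check with `os.path.realpath` on the candidate and repeat the containment test, so a symlink inside the root cannot point outside it; that step is omitted here because the example never touches the filesystem.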

Cisco RV110W, RV130W, and RV215W Routers Management Interface Command Injection Vulnerability

A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an authenticated, remote attacker to execute arbitrary commands.

The vulnerability is due to improper validation of user-supplied input to scripts by the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the root user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-rv-routers-injection


Security Impact Rating: High
CVE: CVE-2018-0424
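
Five advisories on this page (Integrated Management Controller, SD-WAN CLI, Cloud Services Platform 2100, Data Center Network Manager, and the RV routers above) describe one defect class: a request parameter reaches a shell. The Python below is an added example of that bug and of the two fixes in order of strength, an argv list that bypasses the shell entirely, and type validation of the parameter before it is used. It is not Cisco code and not derived from any of the advisories; `echo` stands in for the real diagnostic binary (ping, traceroute, and so on) so the example runs anywhere with `/bin/sh`, and the hostile input is constructed.

```python
import ipaddress
import subprocess

# Constructed attacker input: a valid-looking address followed by a second command.
MARKER = "INJECTED"
HOSTILE_TARGET = f"192.0.2.10; echo {MARKER}"
BENIGN_TARGET = "192.0.2.10"

def run_vulnerable(target: str) -> str:
    """Anti-pattern: user input interpolated into a command line that a shell parses."""
    cmd = f"echo probing {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def run_argv(target: str) -> str:
    """Better: an argv list and no shell. Metacharacters become literal text in one argument."""
    return subprocess.run(["echo", "probing", target], capture_output=True, text=True).stdout

def run_hardened(target: str) -> str:
    """Best: validate against the expected type first, then use argv.
    ipaddress.ip_address() raises ValueError for anything that is not an IP literal."""
    addr = ipaddress.ip_address(target)
    return run_argv(str(addr))

def injection_succeeded(output: str) -> bool:
    """The marker on a line of its own means a second command ran."""
    return MARKER in output.splitlines()

def hardened_rejects(target: str) -> bool:
    try:
        run_hardened(target)
    except ValueError:
        return True
    return False
```

The argv form alone already defeats the payload, but validation is what keeps the parameter from doing anything surprising inside the tool itself (an address-shaped string can still be an option if it starts with `-`, which is why the hardened path also parses it into an address object before use).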

Cisco Enterprise NFV Infrastructure Software Denial of Service Vulnerability

A vulnerability in the user management functionality of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to perform a denial of service (DoS) attack against an affected system.

The vulnerability is due to insufficient validation of user-provided input. An attacker could exploit this vulnerability by logging in with a highly privileged user account and performing a sequence of specific user management operations that interfere with the underlying operating system. A successful exploit could allow the attacker to permanently degrade the functionality of the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-dos1


Security Impact Rating: Medium
CVE: CVE-2018-0462

Cisco Data Center Network Manager Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Data Center Network Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the management interface on an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a customized link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-dcnm-xss


Security Impact Rating: Medium
CVE: CVE-2018-0450
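
The four reflected XSS advisories on this page (Tetration Analytics, Prime Collaboration Assurance, Packaged Contact Center Enterprise, and Data Center Network Manager above) share the description "insufficient validation of user-supplied input by the web-based management interface". The usual root cause is output, not input: a request parameter is written into the page without escaping for the context it lands in. The Python below is an added example, not Cisco code and not any product's template; it renders one hypothetical search-results fragment in which the same parameter reaches an element body, a quoted attribute and an `href`, and shows the per-context handling that a hardened version needs. The payloads are constructed.

```python
import html
import re
from urllib.parse import urlsplit

def esc(value: str) -> str:
    """HTML-escape for element text and for double-quoted attribute values
    (quote=True escapes both quote characters as well as < > &)."""
    return html.escape(value, quote=True)

def safe_href(url: str) -> str:
    """Escaping is not enough for href: 'javascript:' is harmless to html.escape and
    still runs. Allow only http(s) and relative URLs. Browsers strip tab/CR/LF inside
    URLs, so remove them before inspecting the scheme or the check can be bypassed."""
    cleaned = re.sub(r"[\t\r\n]", "", url).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme not in ("", "http", "https"):
        return "#"
    return esc(cleaned)

def render_vulnerable(query: str, back_url: str) -> str:
    """Anti-pattern: request parameters concatenated straight into markup."""
    return (f"<p>Results for {query}</p>"
            f'<input name="q" value="{query}">'
            f'<a href="{back_url}">Back</a>')

def render_hardened(query: str, back_url: str) -> str:
    return (f"<p>Results for {esc(query)}</p>"
            f'<input name="q" value="{esc(query)}">'
            f'<a href="{safe_href(back_url)}">Back</a>')
```

A real template engine should be doing `esc` automatically; what it will not do for you is the URL-scheme check, or escaping for a JavaScript or CSS context, which need their own encoders.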

Can Your SOC Use More Visibility?

The Security Operations Center (SOC) is an intricate ecosystem of personnel, network equipment, cybersecurity appliances, and traffic and flow data, all working to manage the workflow generated by threat alerts. To minimize exposure, a SOC is designed to provide a “defense-in-depth” posture. This comprehensive approach to cybersecurity involves antivirus and endpoint tools, log management, a Next Generation Firewall (NGFW), website defenses, and other complementary security technologies. However, SOCs have several critical limitations.

The first limitation is “paralysis of analysis.” Each layer of defense adds a level of complexity. For example, a miscreant attempting to access the network may simultaneously trigger alerts for known malware, a rules-based violation from a SIEM, and an extrusion attempt by an end user over a restricted port caught by the NGFW. Redundant alerts are often mixed in with benign alerts from non-security events.

A perimeter defense only activates on an alert or an ongoing breach. Step back and think about this for a second. When a SOC analyst begins a forensic investigation, the analyst only knows that something is wrong. Their first move should be to look up known-bad malware hashes, or perhaps IP addresses, fully qualified domain names, DNS records, and registered owners, to learn about an attack’s origins, what sites an end user has visited, and where malware was acquired. Historically, SOC teams have had no advanced triage of the external threat environment, and they often must develop strategies on the fly.

Another problem is that traditional SOC strategies assume that threats can always be detected by signature. In 2018, the malefactor is pride-less. Often, an adversary can mount a damaging social media attack against a company’s brand or against individuals—the proverbial “fake news.”

The network is changing to expedite business use cases. From a security perspective, this brings about new challenges. Contractors may need access to a network, and integration partners often share intellectual property on the network to facilitate better operations or integrate to build a deeper security posture. However, contractors and business partners may bring their own sets of vulnerabilities to the host network.

External threat feeds can add to the aggravation. Like flow data, network performance indicators, and the investigation of alerts, external threat feed data is yet another source of information that needs to be normalized and contextualized inside the SOC.

Fundamentally, IDC believes there needs to be an approach that can complement defense-in-depth. With LookingGlass ScoutPrime, we see a platform that:

  • Produces a single risk score called the Threat Indicator Confidence (TIC) score that calculates the potential impact of malware, the topography of connections to the network, and the reliability of the source.
  • Provides a platform that scans the entire Internet which is a greater capability than collecting and normalizing multiple threat feeds.
  • Monitors deceptive proxy activities to spot when adversaries are using APIs, fuzzes, and anagrams of keywords to make a website look authentic.
  • Combines human insight with machine-readable threat intelligence to normalize data in real time. LookingGlass has over 500 algorithms designed to prioritize threat feed data and weed out redundancies.

Defense-in-depth is still effective, and cybersecurity is often the execution of many things done well. However, the next security wave may be to think outside the SOC.

The post Can Your SOC Use More Visibility? appeared first on LookingGlass Cyber Solutions Inc.

Mozilla Releases Security Updates for Firefox

Original release date: September 05, 2018

Mozilla has released security updates to address multiple vulnerabilities in Firefox and Firefox ESR. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review the Mozilla Security Advisories for Firefox 62 and Firefox ESR 60.2 and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


Cisco Releases Security Updates

Original release date: September 05, 2018

Cisco has released updates to address multiple vulnerabilities affecting Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.  

NCCIC encourages users and administrators to review the Cisco Security Advisories and Alerts website and apply the necessary updates.




Get caught up on your July and August Windows/Office patches

With the arrival of “Fourth Week” patches on the last working day of August, and having had a few days to vet them, it looks as if we’re ready to release the cracklin’ Kraken.

The steaming pile of Windows Intel microcode patches

Microsoft continues to unleash microcode patches for Meltdown and Spectre (versions 1, 2, 3, 3a, 4, n for n >=4). You won’t get stung by any of them, unless you specifically go looking for trouble.


Stop Impersonations of Your CEO by Checking the Writing Style

If one of your employees receives an email that looks like it’s from the CEO asking to send sensitive data or to make a wire transfer, could that employee spot it as a fake based on how it is written? He or she may be so concerned with pleasing the CEO that they may urgently respond without a second thought. What if artificial intelligence could recognize that the writing style of suspect email doesn’t match the style of your CEO to spot fraud? It can.

Writing Style DNA technology is now available to prevent Business Email Compromise Attacks (BEC) which according to the FBI has cost organizations $12.5 billion with some companies losing as much as $56 million dollars.


Unique Writing Style

Some of us write long sentences with a variety of words while others are more direct with short words and small paragraphs. If we look at the email of three Enron executives (based on a dataset of 500,000 emails released publicly during the Federal Energy Regulatory Commission’s investigation) we can see the differences in how they write. Looking at the emails from Jeffrey Skilling, Sally Beck, and David Delainey, we can compare writing style elements such as sentence length, word length, repeated words, paragraph length, pronoun usage, and adjective usage.

Graph of writing style elements of 3 Enron executives

We see that the three executives' styles vary across the 16 elements in the chart above. As humans, we can perhaps come up with 50 or maybe 100 different writing style elements to measure. A computer AI, though, can see many more differences between users' writing. The AI powering Writing Style DNA can examine an email for 7000 writing style elements in less than a quarter of a second.

If we know what an executive’s writing style looks like, then the AI can compare the expected style to the writing in an email suspected of impersonating that executive. 

Training an AI model of a User’s Writing Style

Based on previous Business Email Compromise attacks, we see that the CEO and Director are most likely to be impersonated and can define these individuals as “high-profile users” within the admin console for Trend Micro Cloud App Security or ScanMail for Exchange.


Titles of impersonated senders in 1H 2018 Business Email Compromise attempts 

To create a well-defined model of a high-profile user's writing style, the AI examines 300-500 previously sent emails. Executives' email is highly sensitive, so to protect privacy the AI extracts only metadata describing the writing style, not the actual text.

Your executives' style of writing isn't static but rather evolves over time, just as this infographic shows JK Rowling's style changing over the course of writing the Harry Potter books. As such, the AI model for a high-profile user can be regularly updated at a selected interval.

Process Flow

When an external email arrives from a name similar to a high-profile user's, the writing style of the email content is examined after the other anti-fraud checks. The volume of BEC attacks is small to start with (compared to other types of phishing), and other AI-based technologies catch most attacks, which leaves only a small number of the stealthiest attacks for writing style examination. For these attacks, if the style doesn't match, the recipient is warned not to act on the email unless he/she verifies the sender's identity using a phone number or email address from the company directory. Optionally, the impersonated executive can also be warned of the fraud attempt made in their name.
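The stylometric check described under "Unique Writing Style", "Training an AI model" and "Process Flow" can be illustrated with a small profile-and-compare routine. This is an added example, not Trend Micro's Writing Style DNA code: the five features, the std-floor, the z-score cap, the threshold of 1.5 and the sample emails are all constructed for illustration, and as in the post the profile keeps only style metadata, never the email text.

```python
"""Stylometric impersonation check modelled on the style elements the post
lists (sentence length, word length, repeated words, paragraph length,
pronoun usage). Added example; feature set, floors, threshold and sample
emails are constructed assumptions, not the product's actual model."""
import re
from statistics import mean, pstdev

PRONOUNS = {"i", "me", "my", "we", "us", "our", "you", "your", "he", "she",
            "it", "they", "them", "their"}
WORD_RE = re.compile(r"[A-Za-z0-9']+")
SENT_RE = re.compile(r"[.!?]+")
PARA_RE = re.compile(r"\n\s*\n")


def extract_features(text):
    """Return style metadata only; the email body itself is not retained."""
    words = [w.lower() for w in WORD_RE.findall(text)]
    sentences = [s for s in SENT_RE.split(text) if s.strip()]
    paragraphs = [p for p in PARA_RE.split(text) if p.strip()]
    n_w = len(words)
    n_s, n_p = max(len(sentences), 1), max(len(paragraphs), 1)
    if n_w == 0:
        raise ValueError("no words in text")
    return {
        "avg_sentence_len": n_w / n_s,
        "avg_word_len": sum(len(w) for w in words) / n_w,
        "repeat_ratio": 1 - len(set(words)) / n_w,
        "avg_paragraph_len": n_s / n_p,
        "pronoun_ratio": sum(w in PRONOUNS for w in words) / n_w,
    }


def build_profile(emails):
    """Per-feature (mean, std) over a user's previously sent emails."""
    rows = [extract_features(e) for e in emails]
    profile = {}
    for name in rows[0]:
        vals = [r[name] for r in rows]
        mu, sd = mean(vals), pstdev(vals)
        # Floor the std so a feature that never varied during training does
        # not turn a tiny deviation into an enormous z-score (constructed floor).
        profile[name] = (mu, max(sd, 0.1 * abs(mu), 0.05))
    return profile


def style_distance(profile, text, cap=5.0):
    """Mean absolute z-score across features, each clipped at `cap` so one
    wildly different feature cannot dominate the verdict on its own."""
    feats = extract_features(text)
    zs = [min(abs(feats[n] - mu) / sd, cap) for n, (mu, sd) in profile.items()]
    return sum(zs) / len(zs)


def flag_impersonation(profile, text, threshold=1.5):
    """True when the text's style is too far from the profiled user's."""
    return style_distance(profile, text) > threshold


# Constructed training set: a terse executive's previously sent emails.
EXEC_EMAILS = [
    "Bob, approve the Q3 numbers today. Thanks.",
    "Need the board deck by Friday. Keep it short.",
    "Good work on the launch. Call me tomorrow. Thanks.",
    "Push the vendor meeting to Monday. I am out.",
    "Send me the hiring plan. One page max.",
    "Ship it. We fix bugs later.",
]
# Constructed held-out genuine email and a constructed BEC-style lure.
GENUINE_EMAIL = "Ann, cancel my Tuesday travel. Send the notes instead."
SUSPECT_EMAIL = (
    "Dear Bob, I am currently in a confidential meeting and cannot be reached "
    "by phone, however I urgently need you to process a wire transfer of 48500 "
    "dollars to the account details attached before the close of business "
    "today. This is time sensitive and strictly confidential, so please do not "
    "discuss it with anyone else in the organisation and confirm to me by "
    "email as soon as it has been completed. Thank you for your prompt "
    "attention to this matter."
)

if __name__ == "__main__":
    profile = build_profile(EXEC_EMAILS)
    for label, msg in (("genuine", GENUINE_EMAIL), ("suspect", SUSPECT_EMAIL)):
        d = style_distance(profile, msg)
        verdict = "WARN recipient" if flag_impersonation(profile, msg) else "pass"
        print(f"{label}: distance={d:.2f} -> {verdict}")
```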

Internal and Beta Results

Internally, Trend Micro has been testing this since January of 2018. Writing style models are in place for our executive team and some other high-profile users. During this time, Writing Style DNA detected 15 additional BEC attacks which were attempting to impersonate our CEO, Eva Chen. This works out to an average of 1 additional attack detected every other week. To date, there have been no false positives.

Sample BEC attempt detected with Writing Style DNA

We have also had more than 60 beta customers try the technology over the past few months. Many initially found their executives were using their personal email accounts occasionally to email others at the organization and these personal accounts can be whitelisted by the admin. Writing Style DNA detected 15 additional BEC attacks at 7 organizations. 

Available now and included with your license

Writing Style DNA is now available with Cloud App Security for Office 365 and ScanMail for Microsoft Exchange at no additional charge.

The Cloud App Security service has been updated already to include this functionality and ScanMail customers can upgrade to SMEX 12.5 SP1 to start using this technology. ScanMail customers can learn more about upgrading to v12.5 SP1 at this webinar September 6.

The post Stop Impersonations of Your CEO by Checking the Writing Style appeared first on .

SQLMAP – Automatic SQL Injection Tool 1.2.9

sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.

Problems with Automatic DNS Registration and Autodiscovery

Original release date: September 05, 2018

The CERT Coordination Center (CERT/CC) has released information on problems associated with small office/home office routers using automatic Domain Name System (DNS) registration and autodiscovery. An attacker could exploit these problems to obtain sensitive information.

NCCIC encourages users and administrators to review CERT/CC's VU#598349 for further information and mitigation recommendations.




Red Hat Security Advisory 2018-2561-01

Red Hat Security Advisory 2018-2561-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Issues addressed include code execution and traversal vulnerabilities.

Why Security Configuration Management (SCM) Matters

In the Godfather Part II, Michael Corleone says, “There are many things my father taught me here in this room. He taught me: keep your friends close, but your enemies closer.” This lesson Vito Corleone taught his son Michael is just as applicable to IT security configuration management (SCM). Faster breach detection Today’s cyber threat […]… Read More

The post Why Security Configuration Management (SCM) Matters appeared first on The State of Security.

ThreatConnect achieves ISO 27001:2013 certification

Continuing our commitment to protect our customers' data

What is ISO 27001?
ISO 27001 is an internationally recognized standard defining requirements for a systematic approach to managing sensitive information, also known as an information security management system (ISMS).

But what's an ISMS?
Think of an ISMS as the blueprint for how we identify, assess, and act on or manage risk. Through our ISMS, we employ functionally verifiable processes to protect your data and our services.

So why does ThreatConnect follow ISO 27001?
ISO 27001 is the gold standard for risk management. It's both specific and comprehensive. When implementing a security program, it's important to select effective and appropriate security controls. A security program needs to be adaptable and extensible to address changing technologies, industries, and threats. It also needs to be verifiable. The ISO 27001 standard defines a well-understood process that trusted auditors use to examine a submitted ISMS and certify that it conforms to the gold standard.

What does it mean to be certified?
Certification provides verifiable third-party proof of compliance with the standard and guarantees that we have accomplished the following objectives:

  • formally adopted a risk management approach;
  • assessed our information security risks according to this approach;
  • selected an appropriate set of security controls to mitigate these risks;
  • implemented appropriate methodologies and processes to continually monitor and improve the system and its controls;
  • performed an internal audit of the ISMS;
  • received favorable audit results of the ISMS against the ISO 27001:2013 standard by an ISO-accredited third party.

Certification itself doesn't change our ISMS or security practices. It doesn't mean we protect your data any differently than before. It does mean, however, that you can be confident in our security practices. We've not only let an internationally recognized third party examine them, but we've also committed to keep those practices improving on an ongoing basis.

What does it mean for our customers?
ThreatConnect has always been committed to securing customer data. While we didn't have to submit our ISMS for certification, we chose to do so to provide our customers with additional confidence in our commitment to them. Because we follow the ISO 27001:2013 standard, we understand the risks to the data they entrust us with, as well as to our services, and have implemented controls to manage those risks.

Trust is earned, and we understand this. It's ThreatConnect's commitment to continue to show that your trust in us is well founded. For more information about ThreatConnect or our security program, please connect with us.

(Configuration, management, support, and delivery activities related to cloud systems supported by Amazon RDS)

The post ThreatConnect achieves ISO 27001:2013 certification appeared first on ThreatConnect | Enterprise Threat Intelligence Platform.

Practical application of artificial intelligence that can transform cybersecurity

As I write this blog post, I'm sitting by the beach on my computer in a sunny destination while my family plays in the water. We're on vacation, but we all have our own definition of fun. For me it's writing blogs on the beach, really! The headspace is outstanding for uninterrupted thinking time and focus. However, my employer may not find my vacation destination to be the safest place to access certain applications and data. They want me to strongly authenticate, and they want to understand the health of the systems and devices I am using, as well as the network and geolocation. But thanks to the power of machine learning and conditional access I am able to write this blog when and where I want. My employer is able to enforce all-encompassing security measures to ensure my device, location, and network are safe and confirm it's really me trying to sign in.

The ability for my organization to reason over all of the data, including location, device health, sign-in, and app health, is just one example of the way artificial intelligence (AI) is helping us evolve the tools we use to fight cybercrime. In this post I'll focus on two practical use cases for deploying AI in the cybercrime battlefield. In the first example, I explain how layering AI onto on-premises Security Information and Event Management (SIEM) solutions can give you better insights and predictive capabilities. The second use case is the one I just hinted at, which is how we can take AI even further to protect user access. By the end I hope I've proven to you that there is tremendous opportunity to use AI, particularly machine learning, to improve the efficacy of cybersecurity, the detection of hackers, and even prevent attacks before they occur.

If you are skeptical, I understand. I often tell a story about how for many years at the annual RSA Conference, vendors and customers rallied around themes such as “the year of the smart card,” “the year of biometrics,” “the year of machine learning,” and “the year of blockchain.” Some of these technologies never lived up to their promise, and many are still nascent and immature in their application, architecture, and use cases. But I think there are practical applications of AI that will meet our expectations, especially when it comes to cybersecurity. If one reflects on broad based attacks like WannaCry and NotPetya and critical vulnerabilities like Spectre and Meltdown, it only stands to reason that the attack surface is rapidly growing, the bad actors are becoming more sophisticated, and the need for tool evolution is compelling. AI is the path to that evolution. As an industry, we need to be cautious in how we position and explain machine learning and AI, avoiding confusion, conflating capabilities, and overpromising results. There is definitely a place for both, and they are highly complementary. AI has the power to deliver on some of the legacy promise of machine learning, but only if it is trained, architected, and implemented properly.

Like all technologies, there is a risk that AI will be misused or poorly used. For the purpose of this blog, I ask you to make the assumption that the tech is being used ethically, the engines are properly trained in a non-biased manner, and the user understands the full capability of the technology they are deploying. Am I asking you to suspend reality? No, I am simply asking you to imagine the potential if we fully harness AI to further improve our cybersecurity defenses and recognize the threat of bad actors who will also embrace AI now and in the future. Please also read The Future Computed: Artificial Intelligence and its role in society by Brad Smith and Harry Shum for a broader vision on AI and its role in society.

Using AI to gain powerful insights

There are several use cases where AI is interesting for cybersecurity applications, but let's first start with what is possibly the most obvious use case: making sense of signal and intelligence. Collective sigh, readers, before continuing. I understand the consternation related to legacy SIEM solutions, and your visceral response. SIEM solutions were purpose-built to collect logs and data from a wide range of sources, largely for compliance, and they do this particularly well. They also enable users to effectively produce reporting specific to a use case. They do not, however, work well in detecting real-time attacks and allowing an organization to automate and/or orchestrate defenses that will minimize damage to the organization.

Take a moment to think about how powerful it would be to apply the machine learning algorithms that exist today to the data and logs that SIEM collects. AI could reason over the data at global scale in near real-time using the cloud and produce attack scenarios, which you could then tie to a security operations tool that automates the response and defenses based on the outcome of the AI reasoning. With a large volume of globally sourced data, you could use AI to look at anomalies in the behavior patterns of humans, devices, data, and applications at scale and make accurate predictions of the threats to your enterprise, allowing you to deploy defenses well in advance of a specific attack. AI, when trained and deployed properly, has the ability to allow your enterprise to be this effective. You can continue to gain value from the on-premise SIEM infrastructure you built and use the data you gathered for historical context. The cloud provides a true value in this use case in its ability to analyze the data at a global scale. And finally, AI will become predictive as it learns what is normal and what isn't normal. You can then automate responses via tooling that will allow your admins to focus only on the highest value tasks. AI will reduce the workload of security administrators in the short term, reducing duplication and increasing efficacy of signal.

Intelligently secure conditional access

My ability to write this blog from the beach is evidence that today's systems for conditional access are good and getting better. The ability to provide access control based on the authentication of the user, device, data, application, and known geo-location provides us a certain level of confidence. The tools that exist can potentially maintain state, have the potential to be quite granular, and are powered by global cloud networks. They often use machine learning to detect anomalous behavior, but today's tooling suffers from a dependence on legacy architecture, technical debt, dependence on the integration of disparate authentication systems, and hybrid systems. The tooling is often built for just one environment, one use case, or one system of record. In most large, complex enterprises, security admins don't have the luxury of using the most up-to-date tools for a single environment or use case. Their environments are complex, the attack surface is large, and their users are often unaware of sophisticated security risks. I encounter this in my own home when I explain to family members the inherent risks of free, public Wi-Fi, as an example.

AI for conditional access use cases is not only practical, it's necessary. We have long lived with an employee base that is working from a large variety of personal and company-issued devices and working from a wide range of locations including corporate owned office space, shared work facilities, coffee houses, hotel rooms, conference facilities, and other global locations. There is also still a gap in the security industry related to the percentage of the population that owns and successfully deploys Multi-Factor Authentication (MFA) tooling. Biometrics has actually made MFA more ubiquitous by reducing the friction and expense of purchasing and deploying authentication systems, but organizations are still not investing in MFA across 100 percent of their enterprises. Cybersecurity, like many fields, operates on a risk model. High risk applications and users equal higher security profiles and tools. Now, imagine if we can reduce the risk while also reducing the friction of rolling out tools? AI is dependent on data and good architects and developers to truly live up to its promise, but it is systems agnostic. The data you supply from your mainframe is not ranked higher in priority than the data you supply from the cloud, unless you create a scenario where you desire specific data types to be higher priority or ordinal in ranking.

Conditional access, powered by AI reasoning over the behavior of the user, device, data, application, network, location, and so on, has the ability to create much safer data access for companies and reduce the overall risk. Imagine a dynamic, real-time, global environment where, regardless of where your users choose to work, you can determine their precise level of access and change their level of access in real-time without human intervention. Did something change that causes concern, and would you like your user to reauthenticate? Do you want to block access to some or all systems? Do you want to block access to certain data sets or require some level of encryption? The AI engine, linked with automated tooling, will give you this ability and provide the logging and reporting needed to support the automated actions or human intervention. Your ability to integrate with current tooling to enforce the actions will be the highest bar to full usage in your environment.

There are no silver bullets when it comes to technology and, particularly, cybersecurity. I have talked about two use cases where I believe AI can improve cybersecurity, but there are others as well, such as AI's ability to allow more robust device-related IoT detection, sophisticated malware detection, and improvements in vulnerability management. The bad actors will continue to innovate and create weapons that can be deployed for large scale attacks. The attack surface is growing with the proliferation of IoT devices on corporate networks and control systems. As an industry, we have a moral responsibility and imperative to continue improving processes, training, and technology to meet new and yet to be developed threats. Artificial intelligence is one weapon in our tool bag. It must be used prudently. And when used effectively, it can truly be a change agent for the industry. Check out my blog, Application fuzzing in the era of Machine Learning and AI, where I wrote about application fuzzing and AI.

Check back in a month when I will blog about how we can use AI to improve device-related IoT detection. In the meantime, I invite you to follow me at @ajohnsocyber.

The post Practical application of artificial intelligence that can transform cybersecurity appeared first on Microsoft Secure.

Bitfi withdraws ‘unhackable’ claim

Bitfi, a cryptocurrency wallet backed by anti-virus software entrepreneur and POTUS candidate John McAfee, has issued a statement saying it will no longer describe its service as “unhackable”.

The announcement followed the release of evidence by a group of security researchers showing the wallet being compromised.

While this was not even the first time the $120 hardware wallet was hacked, it was enough for Bitfi to strike the “unhackable” claim from its website.

At the end of July, McAfee had announced a bounty programme: following certain rules, a hacker had to get access to Bitfi's wallet and in return receive a bounty, which McAfee raised from $100 000 to $250 000. Eventually, a few hackers, including a fifteen-year-old, rooted the device, which is apparently a cheap Android phone. That bounty, which many in the security community deemed a sham, specified that a hack counted only if someone got the coins off the “cut-down Android phone” wallet. Bitfi and John McAfee in particular have continuously denied that the hack occurred, with McAfee openly challenging the word's definition and refusing to pay researchers who did hack the device, claiming the attacks didn't meet the bounty conditions. It wasn't horribly surprising that Bitfi won the Pwnie Award for “Lamest Vendor Response.”

Bitfi's terms stated that the Bitcoin inside must actually be removed from the wallet, which was controversial among the cybersecurity community, since weaknesses are often demonstrated without being exploited to that extent. Security researchers had argued that the terms of the bug bounty programme were too specific.

The newest hack of Bitfi, a cold boot attack, was pulled off by 15-year-old Saleem Rashid, who previously turned Bitfi into a Doom gaming console. Rashid is part of a team of security researchers going by “THCMKACGASSCO.”

Despite Bitfi having been hammered and exploited many times, Bitfi finally backed off its “unhackable” claim shortly after Rashid posted video proof of the hack on Twitter.

Now the company is even labelling their actions as “counterproductive” and has allegedly hired an experienced Security Manager to fix multiple “vulnerabilities.”

4 Ways Machine Learning Produces Actionable Threat Intelligence

Key Takeaways

  • Threat intelligence needs to be timely and relevant to be actionable. Unfortunately, producing threat intelligence is a process that does not scale up well for human analysts in the current era of big data.
  • A new white paper from research firm IDC found that organizations appreciated threat intelligence produced by Recorded Future because its automation, powered by machine learning, creates timely and relevant intelligence at scale.
  • Recorded Future uses machine learning in four ways: structuring data into ontologies and events, structuring text across multiple languages with natural language processing, prioritizing events and alerts, and creating predictive models.

A big challenge in collecting and analyzing intelligence has always been scalability. Good, actionable intelligence takes expertise to develop. Let’s say you’re a government trying to gather information on a foreign power. You’ll need experts who speak the language, know the culture well enough to blend in, have the right skill sets, and are sympathetic to your goals. Finding enough experts who meet those criteria will be difficult — and even then, it still might not be enough to get regular, actionable intelligence.

You don’t have to be a national government to share these problems — anybody trying to figure out what hackers and other threat actors are up to on dark web forums will face the same information-gathering challenges. And these challenges are only getting worse; yearly ESG research has charted a growing trend of staffing shortages in the cybersecurity industry, with 51 percent of organizations surveyed saying they had a problematic staffing shortage in 2018, up from 23 percent in 2014.

One possible solution to this problem of scale and expertise is the application of machine learning techniques to evaluate large sets of data. And it’s great that machine learning can be used to process a much larger amount of data than any group of human analysts could do on their own. But more data can just get in the way, too, giving analysts more to sort through further down the line and raising the chances of false positives.

Automating Threat Intelligence Saves Time and Money

That’s why analysts at IDC asked Recorded Future’s customers whether their cybersecurity teams had actually seen time and money savings when they started using threat intelligence. Was all of that extra data actually helping them stay safe and work smarter? And if so, how?

The organizations interviewed by IDC made particular note of the machine learning processes that drove the creation of relevant and timely threat intelligence provided by Recorded Future — intelligence that helps Recorded Future users identify threats 10 times faster on average and find 22 percent more security threats before they have an impact, for example.

4 Ways to Use Machine Learning

More data doesn’t equal better results — sometimes, it just means more work. What we’re all looking for is more good data, leading to threat intelligence that you can actually follow through on.

Data processing takes place at a scale today that requires automation to be comprehensive. Not only that, but data processing should also include the combination of data points from many different types of sources — including open, dark web, and technical sources — to form the most robust picture possible.

It’s worth looking a little closer at how Recorded Future’s machine learning processes work under the hood to understand why. We use machine learning techniques in four ways:

1. Structuring data into ontologies and events.

Ontology has to do with how we split concepts up and how we group them together. In data science, ontologies represent categories of entities based on their names, properties, and relationships to each other, making them easier to sort into hierarchies of sets. For example, Boston, London, and Gothenburg are all distinct entities that will also fall under the broader “city” entity.

If ontologies represent a way to sort physically distinct concepts, then events sort concepts over time. Recorded Future events are language independent — something like “John visited Paris,” “John took a trip to Paris,” “Джон прилетел в Париж,” and “John a visité Paris” are all recognized as the same event.

Ontologies and events enable powerful searches over categories, letting analysts focus on the bigger picture rather than having to manually sort through data themselves.

2. Structuring text in multiple languages through natural language processing.

With natural language processing, ontologies and events are able to go beyond bare keywords, turning unstructured text from sources across different languages into a structured database.

The machine learning driving this process can separate advertising from primary content, classify text into categories like prose, data logs, or code, and disambiguate between entities with the same name (like “Apple” the company, and “apple” the fruit) by using contextual clues in the surrounding text.

This way, the system can parse text from millions of documents daily across seven different languages — a task that would require an impractically large and skilled team of human analysts to do. It’s features like this that explain why the organizations interviewed by IDC found that their IT security teams worked 32 percent more efficiently with Recorded Future.

3. Classifying events and entities, helping human analysts prioritize alerts.

Machine learning and statistical methodology are used to further sort entities and events by importance — for example, by assigning risk scores to malicious entities.

Risk scores are calculated through two systems: one driven by rules based on human intuition and experience, and the other driven by machine learning trained on an already vetted dataset.

Classifiers like risk scores provide both a judgment (“this event is critical”) and context explaining the score (“because multiple sources confirm that this IP address is malicious”). Automating how risks are classified saves analysts time sorting through false positives and deciding what to prioritize.

The context and sourcing provided by the explanation behind these risk scores help IT security staff spend 34 percent less time compiling reports, according to IDC’s research.

4. Forecasting events and entity properties through predictive models.

Machine learning can also generate models that predict the future, oftentimes much more accurately than any human analysts, by drawing on the deep pools of data previously mined and categorized.

This is a particularly strong “law of large numbers” application of machine learning, and the big challenge is to make sure that the predictions are based on the right assumptions.

Threat Intelligence Improvements in 3 Ways

This strong focus on applying machine learning techniques to solving problems that are not humanly scalable is one of the reasons that organizations interviewed by IDC consistently found that the threat intelligence produced by Recorded Future was relevant and timely.

As noted in the white paper, “instead of spending significant time investigating potential threats and remediating them, organizations can be more proactive in their approach to security threats and concerns.”

Organizations saw their threat intelligence compilation and threat investigation procedures becoming more efficient with Recorded Future in three key ways:

  • Their existing security solutions were improved. Recorded Future’s API integrates easily into existing SIEMs, incident response functions, and ticketing platforms, enriching already existing data with contextualized intelligence.
  • They were able to make more informed decisions faster. Detailed information on threat actors, vulnerabilities, and more is displayed as easy-to-read Intelligence Cards, which also include details like Risk Scores and indicators of compromise.
  • The information they accessed became more relevant and actionable. Customized updates about the products and services used by each organization are accompanied by high-level reports on big stories in the cybersecurity world.

To look more closely at IDC’s findings, download your free copy of the new white paper, “Organizations React to Security Threats More Efficiently and Cost Effectively With Recorded Future.”

The post 4 Ways Machine Learning Produces Actionable Threat Intelligence appeared first on Recorded Future.

SonarSnoop attack can steal your smartphone’s unlock patterns

Smartphone unlock patterns can be hacked using SonarSnoop attack

Researchers from Lancaster University and Linköping University have come up with a new attack technique that uses a smartphone's speaker and microphone to steal unlock patterns from Android devices, ZDNet reports.

Dubbed "SonarSnoop", this method turns a smartphone's speaker and microphone into a sonar and uses sound waves to track a user's finger position across the screen. In other words, the attack technique relies on the basic echo principle of sonar systems.


For those unaware, sonar (Sound Navigation and Ranging) uses sound propagation, typically aboard submarines, to detect objects on or under the surface of the water, such as other vessels.

The study has been published in the research paper titled "SonarSnoop: Active Acoustic Side-Channel Attacks", which details the testing of SonarSnoop on a Samsung Galaxy S4 running Android 5.0.1.

How does the SonarSnoop attack work?

SonarSnoop takes FingerIO as its primary source of inspiration and is effectively a malicious version of it. The attack uses a malicious app on the device that emits sound waves from the phone's speakers at frequencies of 18 kHz to 20 kHz, which are inaudible to the human ear.

These sound waves bounce off nearby objects, in this case the user's fingers, and the malicious app uses the device's microphone to pick up the echoes. Taking into account the positions of the speakers and microphones, a machine learning (ML) algorithm in the malicious application is then used to determine the possible unlock patterns.

“The received signals are represented by a so-called echo profile matrix which visualizes this shift and allows us to observe movement. Combining observed movement from multiple microphones allows us to estimate strokes and inflections,” the researchers explained.

Results of SonarSnoop attack

With the help of SonarSnoop, the researchers were able to reduce the number of possible unlock patterns by more than 70%, thanks to the ML algorithms built into the attack. The research team used 12 unlock patterns with 15 unique strokes in their experiment.

SonarSnoop currently cannot unlock devices with 100% accuracy, as the method is still at the experimental stage. However, the accuracy is expected to improve as the ML algorithm becomes more efficient over time, further reducing the number of candidate unlock patterns.

The researchers also point out that although their experiment focuses on smartphones, SonarSnoop "is applicable to many other kinds of computing devices and physical environments where microphones and speakers are available."


The post SonarSnoop attack can steal your smartphone’s unlock patterns appeared first on TechWorm.

When spyware goes mainstream

Stealware.

Surveillanceware.

Stalkerware.

These are terms used interchangeably to identify a file-based threat that has been around since 1996: spyware. More than two decades later, consumer or commercial spyware has gone mainstream, and the surprising number of software products designed, openly marketed, and used for spying on people is proof of that.

Forget the government, nation-states, private agencies, and law enforcement. Normal, ordinary citizens can now wield powerful surveillance software and use it against any target they wish—all thanks to “legitimate” companies like mSpy, Retina-X, FlexiSpy, Family Orbit, TheTruthSpy, and others. While the spyware they market can be placed in the hands of employers who want to keep tabs on employees in the workplace, or in the hands of parents who want to look after their kids, it can also be placed in the hands of stalkers, abusive partners, or someone who just wants to get a leg up in the divorce proceedings.

Spyware: spotting the signs

Spyware is usually stealthy by nature—but that doesn't mean its activities, or the effects of its presence on a desktop machine, laptop, or mobile device, go unnoticed. Below is a rundown of common symptoms that may indicate your computing devices have spyware installed:

Desktop or laptop:

  • Computer or device sluggishness
  • Crashing (when it usually doesn’t)
  • Multiple, unexpected pop-ups
  • Changes in certain browser settings
  • Unusual redirections to sites you haven’t seen or visited
  • Difficulty logging in to secure websites
  • New browser toolbars, widgets, or apps
  • The appearance of random error messages
  • Certain browser hotkeys stop working

Mobile phone or tablet:

  • Battery runs out quicker than normal
  • The device feels warm even when not in use and not charging
  • Increased data usage/Internet activity
  • Clicking, static, echo-y, or distant voices can be heard when on a call
  • Takes a while to shut down
  • Unexplained phone charges, phone calls, and messages
  • Autocorrect features stop working correctly
  • Longer response time
  • For iPhones: Presence of the Cydia app (although there are products now that don’t require a jailbroken iPhone)
  • For iPhones: Request for Apple ID credentials


Spying is caring?

While many of us wrinkle our noses in disgust at spyware, some well-intentioned individuals see the good in planting and using such software in the devices of their loved ones. As mentioned earlier, parents (for example) want to stay in touch with their kids who are out and about. Sometimes just knowing where they are when Mom or Dad checks up on them—of course, they aren’t going to pick up the phone—can help them go about their day a little easier.

If you are already considering or using commercial spyware to “keep an eye” on your kids, we suggest you ask yourself the following questions:

Will I be/Am I breaking any laws?

You are if the following qualifications are true:

The states of Iowa and Washington criminalize some forms of spyware.

Even spyware developers have the Software Principles Yielding Better Levels of Consumer Knowledge (or the SPY BLOCK Act), the Securely Protect Yourself Against Cyber Trespass (or the SPY ACT), and the Internet Spyware Prevention Act (or The I-SPY Act) to contend with.

Have I already looked for better alternatives?

Almost every “legitimate” spy software in the market wears the slogan “completely undetectable,” or a variant of it. As we always say, if it sounds too good to be true, it probably is. Not only is spyware often detectable (see symptoms above), it’s also intruding on privacy. Instead of installing spyware, look for alternative apps that can help you monitor your loved one’s locations without snooping on their other stuff like messages and calls. If you’re an iPhone user, take advantage of Find My Friends. For Android users, you can use Trusted Contacts.

Do I know how these companies treat my target’s information?

“Carelessly” is probably the first word that comes to mind. Just look at the number of breaches suffered by spyware companies in the last 18 months. Not only that, hackers who claim to target these companies consistently state that the data they siphoned from spyware targets was not encrypted at all.

How would I feel if I were in their shoes?

Monitoring a loved one isn’t inherently wrong in and of itself, but doing so without their consent is, even if it’s well-intentioned. This is why it’s so essential for all individuals involved to ask for and give consent when it comes to installing monitoring apps on devices. This doesn’t just apply to the parent-child dynamic.

Of course, many parents of pre-teens feel and believe that consent is optional, so they exercise their tough love on the young ones for a little while longer for their own protection and safety. As long as monitoring doesn't (and it shouldn't) replace healthy communication between parent or carer and child, this is fine. Parents of teens, on the other hand, may have to reassess their monitoring practices. Perhaps it's time they sit down with the kids and talk to them about it.

Spying on someone without them knowing sucks. And when they do find out, even if you mean well, the damage caused by the invasion of privacy and breach of trust could be rather hard to undo.

Whether you think it’s beneficial or not to use spyware doesn’t change the fact that it’s still classified as malware, and malware—regardless of the law—isn’t something that should typically be found installed on computing devices of average users.

Stay safe, everyone!

The post When spyware goes mainstream appeared first on Malwarebytes Labs.

Malicious MDM: Let’s Hide This App

This blog post is authored by Warren Mercer and Paul Rascagneres with contributions from Nick Biasini

Summary

Since our initial discovery of a malicious mobile device management (MDM) platform that was loading fake applications onto smartphones, we have gained greater insight into the attacker's methods. We now know how the attacker took advantage of a common MDM feature and used an iOS profile to hide and disable the legitimate versions of the apps to force the use of the malicious stand-ins.

Cisco Talos previously published two articles (here and here) on the subject. In the aforementioned campaigns, the attackers enrolled iOS devices into the MDM and used it to control the victims' devices, deploying malicious apps disguised as the messaging services WhatsApp, Telegram and Imo, as well as the web browser Safari.

After additional research, we now know that the attacker deployed the malicious apps only after pushing a profile to the enrolled devices that abused the age rating restriction functionality built into iOS. The age ratings for WhatsApp and Telegram are 12-plus and 17-plus, respectively. After the age rating limit was set to 9-plus, the installed legitimate applications disappeared from the device:

The app still exists on the device; however, the user will not be able to interact with it, even if the user searches for the app using the search function on the iOS device. It simply does not open.

All mobile device users should be aware of these attack methods so as to prevent attackers from gaining control of their phones through an MDM. In the text and videos below, we will walk through the process of checking your phone for an unauthorized MDM and any changes in the age settings.

More details on the profile setup

In the iOS ecosystem, you can configure devices using profiles. A profile is an XML file that can be distributed to iOS devices. For example, the MDM enrollment mechanism is performed using a profile. Profiles can be easily created using the official Apple tool Apple Configurator 2. Thanks to these profiles, we can restrict app usage:

As you can see in the screenshot, the app restriction is limited to supervised devices. In our investigation, the enrolled iPhones were not in supervised mode, but the legitimate WhatsApp application disappeared to force the user to only have access to the malicious one. How?

The attackers used the age rating to forbid the use of apps rated above 9-plus:

Here is a capture of the XML content of the profile hosted on the malicious MDM:

<key>ratingApps</key>
<integer>200</integer>
<key>ratingMovies</key>
<integer>1000</integer>
<key>ratingRegion</key>
<string>us</string>
<key>ratingTVShows</key>
<integer>1000</integer>

In this context, the 200 equates to the "age 9-plus" rating.

Once this profile is installed on the iOS device, the applications restricted by the age rating stay installed, but can no longer be used or accessed, and the icon disappears from the device springboard. Using the app store, you can see that the application is still installed, but the user cannot launch it. You can control the restriction settings on your device:
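As an added example (not Talos code), the Python audit below parses a constructed .mobileconfig plist that mirrors the four keys quoted above, flags any restrictions payload whose ratingApps is lowered below 1000 ("All"), and lists which of the apps named in this post (WhatsApp at 12-plus, Telegram at 17-plus) would vanish from the springboard at that level. The 200 = 9-plus mapping comes from the post; the other ratingApps levels and the com.apple.applicationaccess payload type are assumed from Apple's configuration profile reference.

```python
"""Audit an iOS configuration profile for the age-rating restriction trick.

Added example, not Talos code. SAMPLE_PROFILE is constructed to mirror the
ratingApps/ratingMovies/ratingRegion/ratingTVShows keys quoted in the post.
"""
import plistlib

# ratingApps levels. 200 == "9-plus" is stated in the post; the remaining
# values are assumed from Apple's configuration profile reference.
RATING_APPS_LEVELS = {
    1000: "All", 600: "17+", 300: "12+", 200: "9+", 100: "4+",
    0: "Don't allow apps",
}
# App Store age ratings named in the post, expressed as ratingApps levels.
APP_RATINGS = {"WhatsApp": 300, "Telegram": 600}  # 12-plus and 17-plus

# Constructed profile: a Configuration payload wrapping one restrictions payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>example.constructed.restrictions</string>
      <key>ratingApps</key><integer>200</integer>
      <key>ratingMovies</key><integer>1000</integer>
      <key>ratingRegion</key><string>us</string>
      <key>ratingTVShows</key><integer>1000</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def restriction_payloads(profile_bytes):
    """Return every com.apple.applicationaccess payload found in the profile."""
    plist = plistlib.loads(profile_bytes)
    return [p for p in plist.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.applicationaccess"]


def audit_app_rating(profile_bytes):
    """One finding per payload that lowers ratingApps below 1000 ("All").

    Each finding is (payload identifier, ratingApps value, human-readable label).
    """
    findings = []
    for payload in restriction_payloads(profile_bytes):
        value = payload.get("ratingApps")
        if value is None or value >= 1000:
            continue
        label = RATING_APPS_LEVELS.get(value, f"unknown({value})")
        findings.append((payload.get("PayloadIdentifier", "?"), value, label))
    return findings


def hidden_apps(rating_apps_value, app_ratings=APP_RATINGS):
    """Apps rated above the allowed level stay installed but vanish from the
    springboard, which is the behaviour the post describes."""
    return sorted(app for app, level in app_ratings.items()
                  if level > rating_apps_value)


if __name__ == "__main__":
    for pid, value, label in audit_app_rating(SAMPLE_PROFILE):
        print(f"{pid}: ratingApps={value} ({label}); "
              f"hidden apps: {hidden_apps(value)}")
```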

We can see that the restrictions are displayed as "disabled" — that's why the text is in grey. But, it is enabled.

If the profile is installed manually via Apple Configurator, or by opening the profile XML from Safari, a new entry will appear in the Settings > General > Profile menu. If the MDM deploys the profile, it does not appear (the MDM enrollment profile will be present).

How to check iPhone profiles

In the videos below, we are going to show you how an attacker can obtain access to your phone by enrolling you in a malicious MDM platform. You'll notice there is a fair amount of user interaction involved. However, if the attacker can correctly socially engineer a user via a phone call, or if they have physical access to the device, enrollment can be quick and effective.

The first video shows the enrollment process from an end user's perspective. We have carried out this test on an iPhone X running the latest 11.4.1 iOS from Apple. The lab phone used is not jailbroken or tampered with in any way. It's an iPhone X fresh out of the box updated to the latest iOS.

As you can see in the video, the user has accepted a couple of INSTALL/TRUST prompts to allow the phone to be enrolled. Once we had successfully enrolled the phone in the malicious MDM, we could push profiles and applications to the device. To this end, we pushed a profile that had age restrictions in place, as detailed earlier in the blog, which meant that our legitimate WhatsApp application disappeared; then, using our MDM access, we pushed a new malicious version of WhatsApp to the phone.

It's important to note here that no malware, vulnerability or zero-day is used to enroll the phone in the MDM. It is a legitimate method of device administration that is used within enterprises throughout the world. The attacker has merely leveraged this process.

Talos recommends the following methods to check if your phone has additional profiles or is enrolled in an MDM platform:

1. Users can view restrictions set by MDM profiles in Settings > General > Profiles & Device Management > [MDM configuration] > Restrictions

2. Users can also check which applications an MDM profile installed on their device in Settings > General > Profiles & Device Management > [MDM configuration] > Apps.

Note: If you do not have any PROFILE & DEVICE MANAGEMENT menu option available, this means the phone is currently not enrolled in an MDM, nor are there any additional profiles trusted on the phone.

Conclusion

When most consumers think about malware on their mobile devices, they usually think that they need to download a patch to fix a bug or vulnerability. However, this technique is not a vulnerability. Rather, it's an existing, legitimate feature used by this threat actor to hide the victim's legitimate applications while deploying a malicious version. This technique is completely opaque once the user enrolls in the MDM.

An MDM can silently deploy a profile. Therefore, we strongly recommend that iPhone profiles are audited and suspicious profiles are deleted. Additionally, you can check the restrictions menu on your phone to verify whether an age rating is configured on it.

Linus Torvalds: Changes in hardware change Linux development

In Linux version 4.19, Linux's developers had to deal with a hardware security bug, an issue that was particularly frustrating because it was someone else's bug. But Linux creator Linus Torvalds hopes that such incidents will be less common in the future.

In the Linux development process, there is a two-week merge window for new code, then developers spend six to seven weeks looking for bugs. Usually, this process is not a big deal, Torvalds says. Most often, by the middle of the second week, bug-fixing ensues.

But version 4.19's hardware security issue arose in the middle of the merge window period. The good news, says Torvalds: bugs lately have become more and more esoteric, impacting fewer and fewer cases. "I'm hoping we're getting to the dregs of hardware security bugs and going forward, we'll have much fewer of them."

How Does a Spy Cell Phone Software Work? Protect Your Phone

Recent years have seen a powerful boost in modern inventions in the world of tracking and surveillance. Now, with the use of mobile technologies, it has become possible to keep an eye on someone's device remotely.

The rise of spyware is directly linked to the way modern technologies have changed our lives over the past few years. Whereas a smartphone was once only a way to stay in touch with family, it is now an integral part of our everyday life.

Many people live their lives on their devices, storing information and recording everything they do. For this reason, cell phones became the main target for spying apps.

Spyware for cell phones makes this task easier and available to everyone. Even without access to the target device, an operator can still check what the owner is up to, gaining insights into the information stored on the phone.

What is Cell Phone Spyware?

Spyware is malicious software (or malware) that secretly intercepts and shares sensitive information without a user's consent. It can be installed as a hidden component of other software or through fraudulent ads, websites, instant messengers, links, file-sharing connections, etc.

In most cases, such malware is difficult to detect, as it runs quietly in the background, capturing user information and device activity.

This includes browsing history, keystrokes, authentication credentials, screenshots, emails, credit card numbers, passwords, and other personal information.

How Spyware Gets onto a Cell Phone

Spyware can infect your device in the same ways any other type of malware does: for instance, by means of a Trojan, an exploit, or worm-like viruses. Here is a list of the most common techniques used to infect a computer or cell phone:

  • Security vulnerabilities: You may infect your computer by following suspicious links or opening attachments, as they may contain viruses and spyware. It is also possible to infect your device with spyware just by visiting a malicious website or clicking a fraudulent pop-up.
  • Deceptive marketing: Quite often, spyware authors present their malicious programs as a must-have tool that will improve device performance and provide a range of benefits.
  • Software bundles: Everyone likes free applications. But very often they are only a host program that hides malicious add-ons, plugins or extensions. The worst part is that even if you uninstall the host app, the spyware will still be on your device.
  • Misc: In addition to their primary malicious intent, Trojans, worms and other viruses also distribute spyware.

What Harm Can Spyware Do?

Spyware tracks all your activities, including web browsing and your movements, which directly exposes your information.

Spyware for cell phones is a particular concern. These programs are aimed at gathering device information for nefarious purposes: for instance, identity theft, corporate espionage, spying through the camera, or recording someone's surroundings.

Spyware for cell phones is a kind of malware that is likely to become more prevalent in the future as mobile devices become more like computers.

What Can Spyware for Cell Phones Do?

Whatever app you choose, all major spyware manufacturers offer a similar set of features:

  • Text messages: all text messages, both sent and received, are available for tracking. Some companies even allow monitoring of deleted messages.
  • Web history: Internet browsing history, bookmarks, and cookies are also visible for checking.
  • GPS: the current GPS location, as well as recent movements, are available for tracking.
  • Downloads: photos, videos, calendar entries, contacts, and other data are also available for monitoring.
  • Email: sent and received emails can be viewed, including metadata such as sender, recipient, date and time.

All of these are considered basic features provided by every spyware manufacturer. But some of them offer advanced features for an extra cost. The advanced features include:

  • Call recording: all incoming or outgoing voice calls on the target phone can be recorded, downloaded and played back later.
  • Instant messengers: WhatsApp, Facebook Messenger, Viber, Snapchat and other platforms can be monitored.
  • Phone surroundings: the target device's surroundings can be recorded by activating the microphone.
  • Remote controls: this feature allows full control over the target device, including locking and unlocking it. If needed, it is even possible to wipe all the data from the target device.
  • Installed apps: all installed apps can be tracked, and unwanted ones restricted.
  • Alerts: using this feature it is possible to set up a list of trigger words and be informed when they appear on the target device. The same can be done with phone numbers.

Facts About Spyware for Cell Phones

  • Spyware for cell phones can be installed from suspicious websites, over Bluetooth, via MMS or through a PC connection. The method depends on what the target device supports.
  • Spyware for cell phones that claims to be installable remotely via Bluetooth still needs to be paired with the target device first.
  • Remote installation of spyware for cell phones is possible, but it requires tricking the person into downloading and installing it on their device.
  • The easiest way to trick a target into installing spyware on a cell phone is to send a bogus MMS with a hazardous link. Messages with fake links can easily trick the owner into downloading the spyware.
  • Spyware for phones can spy on the following activities: calls, texts, installed apps, browsing history, GPS location, multimedia, and any other information.
  • Some individuals claim that it is possible to extract voice from a target phone without installing anything, spying on the phone with only its phone number. This is absolutely impossible.
  • Spyware for cell phones can be used as a bug to record the target device's surroundings and play the recording back later.

There is a great number of spyware products for cell phones available on the market these days. We hope that in this article we've shed some light on spyware's functionality and capabilities.

The post How Does a Spy Cell Phone Software Work? Protect Your Phone appeared first on TechWorm.

NIST Issues Guidance for Medical IoT Device Security

As the popularity of medical IoT devices grows, so do security vulnerabilities. There are more connected devices than there are humans on Earth. Organizations have been as quick to embrace the Internet of Things as consumers have, and the healthcare industry is no exception. Medical IoT devices have exploded in popularity and grown in complexity.… Read More

The post NIST Issues Guidance for Medical IoT Device Security appeared first on .

Hacking smart buildings

You're settling into your cubicle with a hot cup of coffee when the haunting begins. The HVAC blows cold on your neck. That's weird, you think. You take a sip of your coffee but choke when the moaning starts. The pipes never sound like that. The lights flicker, go out. A hush, then panic sets in across the office.