Daily Archives: September 11, 2018

New Address Bar Spoofing Trick preys upon Apple’s Safari


An unpatched vulnerability in the Safari web browser lets attackers control the content displayed in the browser's address bar. This enables carefully designed phishing attacks that users with average IT literacy are unlikely to notice.
The bug, discovered by a security researcher, was later determined to be a race condition: the browser allows JavaScript to update the address bar before the web page has finished loading completely.

Fix - vendors are taking their time

Security researcher Rafay Baloch reportedly reproduced the vulnerability only in Safari and Edge. He immediately reported the risk to both vendors, but only Microsoft has responded with a patch, released on 14th August as part of its monthly security updates.
Apple received the report on 2nd June and was given the customary 90 days to fix the bug before public disclosure. That window expired more than a week ago and there is still no patch for Safari.

Intellect and vision deluded

The vulnerability is currently tracked as CVE-2018-8383 and has not yet received a severity score. Exploiting it requires tricking the victim into visiting a specially crafted web page, which is easily achievable.
"Upon requesting data from a non-existent port the address was preserved and hence, due to a race condition over a resource requested from a non-existent port combined with the delay induced by the setInterval function, managed to trigger address bar spoofing," Rafay further explains in a blog post.
The attacker delays the update of the address bar, which lets them impersonate any web page while the address bar keeps displaying the legitimate domain name to the victim, complete with the authentication indicators in all the right places.
BleepingComputer tested the bug on iOS with a proof-of-concept (PoC) page set up by the researcher. The page is designed to load content from gmail[.]com that is hosted on sh3ifu[.]com, and it all works seamlessly.
Even an expert's eye can be fooled, despite the presence of tell-tale signs: the page-loading spinner and progress bar both remain visible, signalling that loading has not finished.
However, many legitimate websites look exactly like this while lower-priority background components are still loading, so users tap into the login field without giving it a second thought.
Safari users cannot type into a field while the page status is still 'loading', and this is where the attack initially stalls. Baloch said that he and his team got past this hurdle by injecting a fake keyboard on the screen, much as banking Trojans have done for years.
According to reports, Apple is expected to release a fix in its next set of security updates.

Security Evolution Is Not Good Enough. It’s Time for a Security Revolution!

“Worldwide spending on information security products and services will reach more than $114 billion in 2018, an increase of 12.4 percent from last year, according to the latest forecast from Gartner, Inc. In 2019, the market is forecast to grow 8.7 percent to $124 billion.” That’s good, right? Well maybe-not-so-much. The current dystopian cyber-crime landscape […]… Read More

The post Security Evolution Is Not Good Enough. It’s Time for a Security Revolution! appeared first on The State of Security.

CVE-2018-16949

An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. Several data types used as RPC input variables were implemented as unbounded array types, limited only by the inherent 32-bit length field to 4 GB. An unauthenticated attacker could send, or claim to send, large input values and consume server resources waiting for those inputs, denying service to other valid connections.
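The failure mode behind CVE-2018-16949 is a decoder that trusts a peer-supplied 32-bit length word and then waits (or allocates) for that many bytes. The following added example, which is not OpenAFS code, models an XDR variable-length opaque as it appears on the wire, a toy receive buffer standing in for an Rx connection, and the same decoder with and without a length cap; the cap value and the class/function names are assumptions for illustration only.

```python
import struct

# Assumed cap for this example only; OpenAFS's post-fix limits are per-RPC
# and are not taken from the advisory text.
MAX_OPAQUE_LEN = 1 << 16


class RxStream:
    """Constructed stand-in for the receive side of one Rx connection."""

    def __init__(self, data: bytes):
        self.buf = data
        self.pos = 0

    def available(self) -> int:
        return len(self.buf) - self.pos

    def read(self, n: int) -> bytes:
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def encode_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque: u32 big-endian length, data, zero pad to 4."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def decode_opaque(stream: RxStream, max_len=None):
    """Decode one XDR opaque from the stream.

    Returns ("ok", data) when the whole array is present, or
    ("blocked", bytes_still_needed) when the server would have to keep the
    connection open waiting for more input.  With max_len=None the decoder
    trusts the peer's 32-bit length word, which is the CVE-2018-16949
    pattern; with a cap it rejects the claim before waiting on it.
    """
    if stream.available() < 4:
        return ("blocked", 4 - stream.available())
    (n,) = struct.unpack(">I", stream.read(4))
    if max_len is not None and n > max_len:
        raise ValueError(f"opaque length {n} exceeds limit {max_len}")
    padded = (n + 3) & ~3
    if stream.available() < padded:
        # A real server sits in a blocking receive here until the peer
        # delivers the rest, tying up the worker for a claim the peer never
        # has to back with actual bytes.
        return ("blocked", padded - stream.available())
    return ("ok", stream.read(padded)[:n])


# Constructed inputs: an honest array, and a header that claims ~4 GiB while
# delivering only 16 bytes.
HONEST = encode_opaque(b"hello afs")
CLAIMED_4GB = struct.pack(">I", 0xFFFFFFFF) + b"\x00" * 16


def demo():
    results = {
        "honest": decode_opaque(RxStream(HONEST)),
        "unbounded": decode_opaque(RxStream(CLAIMED_4GB)),
    }
    try:
        decode_opaque(RxStream(CLAIMED_4GB), max_len=MAX_OPAQUE_LEN)
        results["bounded"] = "accepted"
    except ValueError as exc:
        results["bounded"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>9}: {outcome}")
```

The unbounded decoder never errors on the bogus header; it simply reports that it is still waiting for roughly four billion bytes, which is exactly the state an attacker wants a server thread stuck in. Bounding the length per RPC turns that into an immediate rejection before any resource is committed.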

CVE-2018-16946

LG LNB*, LND*, LNU*, and LNV* smart network camera devices have broken access control. Attackers are able to download /updownload/t.report (aka Log & Report) files and download backup files (via download.php) without authenticating. These backup files contain user credentials and configuration information for the camera device. An attacker is able to discover the backup filename via reading the system logs or report data, or just by brute-forcing the backup filename pattern. It may be possible to authenticate to the admin account with the admin password.

CVE-2018-16947

An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. The backup tape controller (butc) process accepts incoming RPCs but does not require (or allow for) authentication of those RPCs. Handling those RPCs results in operations being performed with administrator credentials, including dumping/restoring volume contents and manipulating the backup database. For example, an unauthenticated attacker can replace any volume's content with arbitrary data.

CVE-2018-16948

An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. Several RPC server routines did not fully initialize their output variables before returning, leaking memory contents from both the stack and the heap. Because the OpenAFS cache manager functions as an Rx server for the AFSCB service, clients are also susceptible to information leakage. For example, RXAFSCB_TellMeAboutYourself leaks kernel memory and KAM_ListEntry leaks kaserver memory.

Cisco Umbrella Enterprise Roaming Client and Enterprise Roaming Module Privilege Escalation Vulnerability

A vulnerability in the Cisco Umbrella Enterprise Roaming Client (ERC) could allow an authenticated, local attacker to elevate privileges to Administrator. To exploit the vulnerability, the attacker must authenticate with valid local user credentials.

This vulnerability is due to improper implementation of file system permissions, which could allow non-administrative users to place files within restricted directories. An attacker could exploit this vulnerability by placing an executable file within the restricted directory, which when executed by the ERC client, would run with Administrator privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-priv


Security Impact Rating: High
CVE: CVE-2018-0437

Cisco Umbrella Enterprise Roaming Client Privilege Escalation Vulnerability

A vulnerability in the Cisco Umbrella Enterprise Roaming Client (ERC) could allow an authenticated, local attacker to elevate privileges to Administrator. To exploit the vulnerability, the attacker must authenticate with valid local user credentials.

This vulnerability is due to improper implementation of file system permissions, which could allow non-administrative users to place files within restricted directories. An attacker could exploit this vulnerability by placing an executable file within the restricted directory, which when executed by the ERC client, would run with Administrator privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-file-read


Security Impact Rating: High
CVE: CVE-2018-0438

SN 680: Exploits & Updates

This week we discuss Windows 7's additional three years of support life, MikroTik routers back in the news (and not in a good way), Google Chrome 69's new features, the hack of MEGA's cloud storage extension for Chrome, Week 3 of the Windows Task Scheduler 0-day, a new consequence of using '1234' as your password, Tesla makes their white hat hacking policies clear... just in time for a big new hack!, our PCs as the new malware battlefield, a dangerous OpenVPN feature is spotted, and Trend Micro, caught spying, gets kicked out of the MacOS store.

Hosts: Steve Gibson and Jason Howell

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.


Risky Business #513 — The DPRK indictment, BA gets owned, Webauthn issues and more [CORRECTED]

[**PLEASE SEE BELOW FOR A CORRECTION**]

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • The DPRK indictment and subsequent fall out
  • British Airways gets owned
  • Webauthn hits some roadblocks
  • The latest action from Washington DC
  • Trend Micro has a bad time
  • Tesla pays out for key-fob clone attack
  • Tor browser 0day hits Twitter
  • Much, much more

We’ve got a great sponsor interview for you this week – we’ll be joined by Haroon Meer of Thinkst Canary. They did something unusual over the last couple of weeks – they removed a feature in their Canary product. We’ll be talking about that, and also about the tendency for security software to be too complicated and configurable.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

CORRECTION:

The original release of this podcast included discussion of some rumours that turned out to amount to nothing. We had mentioned three data points:

  • The CISO of American Airlines, Dan Glass, departing a few weeks ago
  • Someone I know had their AA/Citi credit card re-issued, despite saying they only ever used that card to buy AA fares
  • A rumour an FBI computer crime investigator is on site at American Airlines

Well, it turns out Dan Glass is a listener, and he got in touch with us after the podcast ran to clear this up. He says the reason he left is actually because AA was offering some very attractive redundancy packages. Following AA’s merger with US Airways the combined group eventually found itself in the position of having too many executives. As many listeners will know, being a CISO is a pretty hardcore job so Dan jumped at the chance to bounce out and have some time off.

As for the FBI being on-site, Dan says that’s not unusual. They’re one of the largest airlines in the world so they’re frequently liaising with LE. As for my pal’s card getting re-issued… who knows?

The point is it looks like these rumours and data points don’t actually add up to much. This is why I rarely run rumour in the podcast and at least try to do some verification. In this case I just didn’t have time, but still, I just should have just held it over until I’d had a chance to make some basic enquiries. It was sloppy. Sorry.

In particular I’d like to apologise to the fraud teams who may have been asked to follow this up, the PR teams who’ve no doubt been fielding questions about this and also to Dan Glass. Although, it must be said Dan and I had a very nice chat and he didn’t seem upset. Thanks for being a chiller, Dan!

Again, I’m sorry. I’ll do better in the future.

Pat

Show notes

U.S. charges North Korean hacker over Sony, WannaCry incidents
US indicts North Korean agent for WannaCry, Sony attacks [Updated] | Ars Technica
Analysts expect Lazarus Group to evolve, clean up opsec
Don't Punish A North Korean Hacker Just For Following Orders
The North Korean Hacker Charges: Line-Drawing as a Necessary but not Sufficient Part of Deterrence - Lawfare
British Airways breach caused by the same group that hit Ticketmaster | ZDNet
Card-Skimming Malware Campaign Hits Dozens of Sites Daily
Worries arise about security of new WebAuthn protocol | ZDNet
A call for principle-based international agreements to govern law enforcement access to data - Microsoft on the Issues
Exclusive: Trump to target foreign meddling in U.S. elections with sanctions order - sources | Reuters
House passes deterrence bill that would call out nation-state hackers
First IoT security bill reaches governor's desk in California | ZDNet
DHS supply chain and CDM bills pass the House
Former Facebook security chief Alex Stamos: Being a CSO can be a ‘crappy job’ | TechCrunch
Alex Stamos: Pretty clear GRU's goal was to weaken a future Clinton presidency | ZDNet
'We simply haven't done enough': Facebook and Twitter execs testify on foreign influence campaigns
Trend Micro blames data collection issue on code library re-use
Apple Removes Top Security App For Stealing Data and Sending it to China
Tesla offers 'goodwill' to security researchers hacking its cars
Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob | WIRED
U.S. extradites Russian accused in hack of JPMorgan Chase
Standard to protect against BGP hijack attacks gets first official draft | ZDNet
Exploit Affecting Tor Browser Burned In A Tweet
Exploit vendor drops Tor Browser zero-day on Twitter | ZDNet
Tor launches official anonymous Android browser
US government releases post-mortem report on Equifax hack | ZDNet
GAO-18-559, DATA PROTECTION: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach
Thinkst Canary on Twitter: "This week we totally announced an un-feature. We are removing SNMP as an available service on Canaries. (Turns out its signal to noise ratio is terribad, and everyone we’ve ever caught through SNMP also tripped over other services too)… https://t.co/kiNx6GZPtj"

Security firm uses Twitter to disclose critical zero-day flaw in Tor Browser

By Waqas

Zerodium, an infosec and premium zero-day acquisition platform tweeted about the flaw in Tor browser on Monday. The infamous exploit vendor and buyer/seller of popular software vulnerabilities, Zerodium has revealed a critical flaw in Tor browser software. According to a tweet posted by Zerodium, the zero-day vulnerability is present in the NoScript browser plugin and can […]

This is a post from HackRead.com Read the original post: Security firm uses Twitter to disclose critical zero-day flaw in Tor Browser

Google Releases Security Update for Chrome

Original release date: September 11, 2018

Google has released Chrome version 69.0.3497.92 for Windows, Mac, and Linux. This version addresses vulnerabilities, one of which an attacker could exploit to take control of an affected system.

NCCIC encourages users and administrators to review the Chrome Releases page and apply the necessary update.


This product is provided subject to this Notification and this Privacy & Use policy.


CVE-2018-15898

The Subsonic Music Streamer application 4.4 for Android has Improper Certificate Validation of the Subsonic server certificate, which might allow man-in-the-middle attackers to obtain interaction data.

Taking Stock: The Internet of Things, and Machine Learning Algorithms at War

It’s in the news every day; hackers targeting banks, hospitals, or, as we’ve come to fear the most, elections.

Suffice to say then that cybersecurity has, in the last few years, gone from a relatively obscure industry – let’s qualify that: not in the sense of importance, but rather how folks have been interacting with it – to one at the forefront of global efforts to protect our data and applications.

 A decade ago, cybersecurity researchers were almost as caliginous as the hackers they were trying to defend folks against, and despite the lack of fanfare, some people still chose it as a career (*gasp).

We spoke to one of our whizz-kids, Gilad Yehudai, to find out what makes him tick and why, of all the possible fields in tech, he chose cybersecurity at a time when it might not have been the sexiest of industries.

Protecting data and applications, a different beast altogether

One of the major challenges facing the industry is the ability to attract new talent; especially when competing against companies that occupy the public sphere from the moment our alarm wakes us up to the moment we lay our phones to rest. Gilad, who has a master’s degree in mathematics and forms part of our team in Israel, offers a pretty interesting perspective,

“The world of cybersecurity is a fascinating one from my point of view, especially when trying to solve machine learning problems related to it. Cybersecurity is adversarial in nature, where hackers try to understand security mechanisms and how to bypass them. Developing algorithms in such environments is much more challenging than algorithms where the data doesn’t try to fool you.”

Never a dull moment

Additionally, our industry is one in flux, as more threats and vulnerabilities are introduced, and hackers find new ways to bypass security mechanisms. The latter was a pretty big draw for Gilad, whose experience in mathematics and serving in the Israeli Army’s cyber defense department made him a great candidate for the Imperva threat research team.

“The research group at Imperva seemed like the perfect fit, as large parts of my day to day job is to develop machine learning algorithms in the domain of cybersecurity, and the data I use is mostly attacks on web applications.”

Speaking of attacks, Gilad and the rest of our research team sure have their hands full.

“In my opinion, the Internet of Things (IoT) security is one of the biggest challenges out there. More and more devices are connected to the internet every day and these devices may be put to malicious use. Hackers may enlist these devices to their botnet in order to launch attacks like DDoS, ATO (account takeover), comment spam and much more.”

Worse still, our growing network of ‘micro-computers’ (smartphones, tablets etc.) could be manipulated and their computational power used to mine cryptocurrencies.

“Protecting these devices the same way we protect endpoint PCs will be one of the biggest challenges.”

Change brings new challenges, and opportunities

On the topic of change, the cybersecurity industry, according to Gilad, is headed increasingly towards machine learning and automation; which serves us well.

“If in the past most security mechanisms were based on hard-coded rules written by security experts, today more and more products are based on rules that are created automatically using artificial intelligent algorithms. These mechanisms can be much more dynamic and adapt better to the ever-changing world of cybersecurity.”

That said, the more the industry relies on machine learning algorithms for defense, the higher the likelihood that hackers will look to manipulate those same algorithms for their own purposes.

“Hackers may try to create adversarial examples to fool machine learning algorithms. Securing algorithms will require more effort, effort that will intensify as these algorithms are used in more sensitive processes. For example, facial recognition algorithms that authorize access to a specific location may be fooled by hackers using an adversarial example in order to gain access to an unauthorized location.”

While the cyber threat landscape continues to evolve, and the bad actors looking to nick our data and compromise our applications get increasingly creative, it’s good to know that there are experts whose sole purpose it is to ‘fight the good fight’, so to speak.

“Research is a bit like walking in the dark, you don’t know in which direction to go next, and you never know what you are going to find. Sometimes you begin to research in some direction, and in the process you find a completely other direction which you haven’t even thought about at the beginning. Research is not for everybody, but I get really excited about it.”

VERT Threat Alert: September 2018 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s September 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-796 on Wednesday, September 12th.  In-The-Wild & Disclosed CVEs CVE-2018-8440 This vulnerability was disclosed on Twitter on August 27th, and a high level analysis was published on August 28th. More recently, ESET published […]… Read More

The post VERT Threat Alert: September 2018 Patch Tuesday Analysis appeared first on The State of Security.

Microsoft Releases September 2018 Security Updates

Original release date: September 11, 2018

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review Microsoft's September 2018 Security Update Summary and Deployment Information and apply the necessary updates.




NIST Launches Privacy Framework Effort

On September 4, 2018, the Department of Commerce’s National Institute of Standards and Technology (“NIST”) announced a collaborative project to develop a voluntary privacy framework to help organizations manage privacy risk. The announcement states that the effort is motivated by innovative new technologies, such as the Internet of Things and artificial intelligence, as well as the increasing complexity of network environments and detail of user data, which make protecting individuals’ privacy more difficult. “We’ve had great success with broad adoption of the NIST Cybersecurity Framework, and we see this as providing complementary guidance for managing privacy risk,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan.

The goals for the framework stated in the announcement include providing an enterprise-level approach that helps organizations prioritize strategies for flexible and effective privacy protection solutions and bridge gaps between privacy professionals and senior executives so that organizations can respond effectively to these challenges without stifling innovation. To kick off the effort, the NIST has scheduled a public workshop on October 16, 2018, in Austin, Texas, which will occur in conjunction with the International Association of Privacy Professionals’ “Privacy. Security. Risk. 2018” conference. The Austin workshop is the first in a series planned to collect current practices, challenges and requirements in managing privacy risks in ways that go beyond common cybersecurity practices.

In parallel with the NIST’s efforts, the Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) is “developing a domestic legal and policy approach for consumer privacy.” The announcement stated that the NTIA is coordinating its efforts with the department’s International Trade Administration “to ensure consistency with international policy objectives.”

CVE-2018-11078

Dell EMC VPlex GeoSynchrony, versions prior to 6.1, contains an Insecure File Permissions vulnerability. A remote authenticated malicious user could read VPN configuration files and potentially mount a MITM attack on the VPN traffic.

CVE-2018-11070

RSA BSAFE Crypto-J versions prior to 6.2.4 and RSA BSAFE SSL-J versions prior to 6.2.4 contain a Covert Timing Channel vulnerability during PKCS #1 unpadding operations, also known as a Bleichenbacher attack. A remote attacker may be able to recover a RSA key.

CVE-2018-11069

RSA BSAFE SSL-J versions prior to 6.2.4 contain a Covert Timing Channel vulnerability during RSA decryption, also known as a Bleichenbacher attack on RSA decryption. A remote attacker may be able to recover a RSA key.
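Both BSAFE entries above (CVE-2018-11070 and CVE-2018-11069) describe the same class of bug: the time taken to reject PKCS #1 v1.5 padding depends on where the check fails, so a remote attacker who can submit chosen ciphertexts gets the yes/no "is the padding conformant" oracle that Bleichenbacher's attack needs. The added example below is illustrative code, not BSAFE's implementation: it pads a message the PKCS #1 v1.5 way, shows an early-exit unpadder whose inspected-byte count (a stand-in for execution time) varies with the input, and then a fixed-shape unpadder plus the TLS-style random fallback that removes both the timing and the error-path signal. The constant names and `m_len` handling are assumptions for this demonstration; CPython is not constant-time, so the control-flow shape is the point, not wall-clock timing.

```python
import secrets


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """Constructed EME-PKCS1-v1_5 encoder: 0x00 0x02 || PS || 0x00 || M,
    where PS is at least 8 non-zero random bytes and k is the modulus size."""
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad_leaky(em: bytes, k: int):
    """Early-exit unpadding.  Returns (message_or_None, bytes_inspected).
    The second value stands in for execution time: it depends on where the
    first check fails, so a remote attacker timing responses learns whether
    a chosen ciphertext decrypted to something starting 0x00 0x02.  That
    single bit per query is the Bleichenbacher oracle."""
    if len(em) != k:
        raise ValueError("wrong block length")
    inspected = 2
    if em[0] != 0x00 or em[1] != 0x02:
        return None, inspected
    for i in range(2, k):
        inspected += 1
        if em[i] == 0x00:
            if i - 2 < 8:
                return None, inspected
            return em[i + 1:], inspected
    return None, inspected


def unpad_fixed_time(em: bytes, k: int, m_len: int):
    """Check every byte, keep one accumulated validity bit, take no
    data-dependent exit, and always return m_len bytes.  m_len is the
    length the protocol expects (48 for a TLS premaster secret)."""
    if len(em) != k or m_len + 11 > k:   # both values are public; may branch
        raise ValueError("wrong block or message length")
    sep = k - m_len - 1                   # index where the 0x00 separator must sit
    ok = int(em[0] == 0x00) & int(em[1] == 0x02) & int(sep - 2 >= 8)
    for i in range(2, k):
        is_zero = int(em[i] == 0x00)
        in_ps = int(i < sep)
        at_sep = int(i == sep)
        ok &= 1 - (is_zero & in_ps)           # no zero byte inside PS
        ok &= 1 - ((1 - is_zero) & at_sep)    # separator must be zero
    return ok, em[k - m_len:]


def decrypt_with_fallback(em: bytes, k: int, m_len: int) -> bytes:
    """TLS-style countermeasure: on invalid padding, continue with a random
    value of the right length instead of raising, selected by mask rather
    than by branch, so failure is indistinguishable from success."""
    ok, m = unpad_fixed_time(em, k, m_len)
    fake = secrets.token_bytes(m_len)
    mask = 0xFF * ok                      # 0xFF when valid, 0x00 when not
    return bytes((a & mask) | (b & (mask ^ 0xFF)) for a, b in zip(m, fake))


if __name__ == "__main__":
    K, MSG = 64, b"0123456789abcdef"
    good = pkcs1_v15_pad(MSG, K)
    bad = b"\x00\x01" + good[2:]
    print("leaky  good:", unpad_leaky(good, K)[1], "bytes inspected")
    print("leaky  bad :", unpad_leaky(bad, K)[1], "bytes inspected")
    print("fixed  good:", unpad_fixed_time(good, K, len(MSG))[0])
    print("fixed  bad :", unpad_fixed_time(bad, K, len(MSG))[0])
```

Note the two separate leaks in the naive version: the amount of work done (timing) and the distinct outcomes (None versus a message, or distinct exceptions in real code). The fix has to close both, which is why the fallback returns a plausible value rather than an error.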

Microsoft Patch Tuesday – September 2018

Microsoft released its monthly set of security updates today for a variety of its products that address a variety of bugs. The latest Patch Tuesday covers 61 vulnerabilities, 17 of which are rated "critical," 43 that are rated "important" and one that is considered to have "moderate" severity.

The advisories cover bugs in the Internet Explorer web browser, Jet Database Engine and the Chakra scripting engine, among other products and software.

This update also includes two critical advisories, one of which covers security updates to Adobe Flash, and another that deals with a denial-of-service vulnerability in the Microsoft Windows operating system.



Critical vulnerabilities


Microsoft released coverage for 17 critical bugs. Cisco Talos believes 16 of these are of special importance and need to be addressed by users immediately.

CVE-2018-0965 is a remote code execution vulnerability in the Windows Hyper-V hypervisor. An attacker can exploit this vulnerability by running a specially crafted application on a guest system that would cause the system operating Hyper-V to execute arbitrary code. The flaw lies in the way that Hyper-V validates inputs from an authenticated user on a guest OS.

CVE-2018-8367 is a remote code execution vulnerability in the Chakra scripting engine. The engine improperly handles objects in memory in the Microsoft Edge web browser that could allow an attacker to corrupt the system's memory and execute arbitrary code with the user's credentials.

CVE-2018-8420 is a remote code execution vulnerability in Microsoft XML Core Services MSXML. An attacker could trick the user into visiting a specially crafted, malicious website designed to invoke MSXML through a web browser, allowing the attacker to eventually run code and take control of the user's system.

CVE-2018-8461 is a remote code execution vulnerability in Internet Explorer that exists when the web browser improperly accesses objects in memory. This bug could corrupt memory in a way that an attacker could execute arbitrary code with the same rights as the current user. A user would need to visit a specially crafted, malicious website to trigger this vulnerability.

CVE-2018-8475 is a remote code execution vulnerability in Windows OS, which exists due to the image-loading functionality improperly handling malformed image files. An attacker could exploit this bug by convincing a user to load a malformed image file from either a web page, email or other method.

CVE-2018-8332 is a remote code execution vulnerability in the Windows font library. There are multiple ways in which an attacker could exploit this flaw, including convincing the user to click on a malicious web page or providing the user with a specially crafted, malicious document.

CVE-2018-8391 is a remote code execution vulnerability in the Chakra scripting engine. An attacker can exploit this flaw if a user is logged on with an administrative account.

CVE-2018-8439 is a remote code execution vulnerability in the Windows Hyper-V hypervisor. The bug exists in Hyper-V's validation on a host server. An attacker can exploit this flaw by running a specially crafted application on a guest operating system that could lead to the machine running Hyper-V executing arbitrary code.

CVE-2018-8447 is a remote code execution vulnerability in Internet Explorer. An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted web page while using the Internet Explorer browser, or by taking advantage of a compromised website through advertisements or attachments that the user would have to click on.

CVE-2018-8456 and CVE-2018-8459 are remote code execution vulnerabilities that exist in the Chakra scripting engine's handling of objects in memory. This bug could corrupt memory in a way that an attacker could execute arbitrary code with the same rights as the current user.

CVE-2018-8457 is a remote code execution vulnerability that exists in the way Microsoft web browsers' scripting engines handle objects in memory. An attacker could host a specially crafted website to exploit this vulnerability, and then convince the user to visit the website while using a Microsoft web browser, or they could embed an ActiveX control that is marked "safe for initialization" in a Microsoft Office file or an application that hosts the browser's rendering engine.

CVE-2018-8464 is a remote code execution vulnerability in Microsoft Edge's PDF reader that exists in the way the reader handles objects in memory. An attacker could exploit this bug by convincing a user to click on a web page that contains a malicious PDF, or by hosting the PDF on websites that host user-provided content.

CVE-2018-8465, CVE-2018-8466 and CVE-2018-8467 are remote code execution vulnerabilities in the Chakra scripting engine that lie in the way it handles objects in memory in the Microsoft Edge web browser. An attacker can exploit these bugs by tricking the user into opening a malicious web page, or an advertisement that is hosted on a website that allows user-provided content.

The other critical vulnerability is:

Important vulnerabilities


There is also coverage for 43 important vulnerabilities, 11 of which we wish to highlight.

CVE-2018-8354 is a remote code execution vulnerability that exists in the way the scripting engine handles objects in memory in the Microsoft Edge web browser. A user would need to visit a specially crafted, malicious website in order to trigger this vulnerability.

CVE-2018-8392 and CVE-2018-8393 are buffer overflow vulnerabilities in the Microsoft Jet Database Engine. To exploit these bugs, a user must open a specially crafted Excel file while using an at-risk version of Windows. An attacker could exploit these vulnerabilities to execute code on the victim's machine at an administrator's level.

CVE-2018-8430 is a remote code execution vulnerability in Microsoft Word 2013 and 2016. An attacker can exploit this by tricking a user into opening a specially crafted, malicious PDF.

CVE-2018-8447 is an elevation of privilege vulnerability that lies in the way Windows processes calls to Advanced Local Procedure Call (ALPC). An attacker would need to log onto the system directly in order to exploit this vulnerability, and then run a specially crafted application.

CVE-2018-8331 is a remote code execution vulnerability in Microsoft Excel that exists when the software fails to correctly handle objects in memory. A user could trigger this bug by opening a specially crafted, malicious file in an email or on a web page.

CVE-2018-8315 is an information disclosure vulnerability in Microsoft's scripting engine that could expose uninitialized memory if exploited. An attacker could access this information by convincing a user to visit a malicious website and then leveraging the vulnerability to obtain privileged data from the browser process.

CVE-2018-8335 is a denial-of-service vulnerability in Microsoft Server Message Block (SMB). An attacker can send a specially crafted request to the server to trigger this vulnerability.

CVE-2018-8425 is a spoofing vulnerability in the Microsoft Edge web browser. The bug lies in the way the browser handles specific HTML content. If an attacker correctly exploits this bug, a user could be tricked into thinking they are visiting a legitimate website when they are actually on a malicious page.

CVE-2018-8440 is an elevation of privilege vulnerability that occurs when Windows incorrectly handles calls to Advanced Local Procedure Call (ALPC). An attacker needs to log onto the system directly to exploit this vulnerability, and then run a specially crafted application to take over the system. This vulnerability has been spotted in the wild as part of several pieces of malware.

The other vulnerabilities that are rated "important" are:


Coverage


In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules: 45142-45143, 47702-47703, 47717-47718, 47730-47741, 47745-47748


      Microsoft Issues Software Updates for 17 Critical Vulnerabilities

      Time to gear up your systems and software. Just a few minutes ago Microsoft released its latest monthly Patch Tuesday update for September 2018, patching a total of 61 security vulnerabilities, 17 of which are rated as critical, 43 are rated Important, and one Moderate in severity. This month's security updates patch vulnerabilities in Microsoft Windows, Edge, Internet Explorer, MS Office,

      British Airways hackers used same tools behind Ticketmaster breach

      The British Airways web hack wasn't an isolated incident. Analysts at RiskIQ have reported that the breach was likely perpetrated by Magecart, the same criminal enterprise that infiltrated Ticketmaster UK. In both cases, the culprits used similar virtual card skimming JavaScript to swipe data from payment forms. For the British Airways attack, it was just a matter of customizing the scripts and targeting the company directly instead of going through compromised third-party customers.

      Via: The Verge

      Source: RiskIQ

      New Zero-Day Vulnerability for Windows Tweeted, Immediately Exploited

      A new zero-day vulnerability that was disclosed on Twitter and GitHub two weeks ago has already been weaponized for use in the wild.

      As reported by We Live Security, the tweet posted on Aug. 27 linked to a GitHub repository containing proof-of-concept code for the exploit, which affects Windows operating systems 7 through 10, along with its source code. The tweet was subsequently deleted, but a group known as PowerPool used the link to create its own version of this zero-day attack and infect computers in Chile, Germany, India, the Philippines, Poland, Russia, the U.K., the U.S. and Ukraine.

      By leveraging a flaw in the advanced local procedure call (ALPC) process, specifically the SchRpcSetSecurity application programming interface (API) function, attackers can grant restricted users the power to view and change the contents of write-protected files. PowerPool’s developers have been using a combination of typical spear phishing emails and spamming symbolic link (.slk) files that open Microsoft Excel and then execute PowerShell scripts.

      Why Leaked Source Code Poses a Threat

      Along with the quick uptake of this threat vector as part of PowerPool’s tool set and the ever-present use of phishing emails, companies should also be aware of the risk presented by the dissemination of source code. Because the GitHub link contained both a compiled version of the exploit and its source code, threat actors can quickly modify and recompile the zero-day vulnerability to streamline its functionality, integrate it into a larger malware package and evade detection.

      Security teams should also take note of PowerPool’s use of multiple backdoors. The first-stage backdoor conducts basic reconnaissance, such as collecting proxy information and screenshotting the victim’s display, then sending this data back to the command-and-control (C&C) server. A second-stage backdoor is then installed on devices that hold more data, allowing malicious actors to execute commands, kill processes, upload and download files, and list folders. In addition, lateral movement tools — such as PowerDump and PowerSploit — are installed along with second-stage backdoors.

      How Can Companies Zero In on Zero-Day Flaws?

      Since “zero-day flaws are just vulnerabilities for which there is no patch,” according to IBM X-Force threat intelligence expert Michelle Alvarez, IT asset management (ITAM) is crucial to handling this type of exploit. While it’s impossible to predict the occurrence of zero-day threats, effective management of IT assets makes it easier to identify potential risk vectors and critical points of entry.

      Cybersecurity adviser Michael Melore, meanwhile, recommends developing “cybersecurity muscle memory” by creating and regularly testing incident response plans (IRPs) for zero-day attacks and other threats. That way, even if unexpected disclosures occur, security professionals are ready to react.

      Source: We Live Security

      The post New Zero-Day Vulnerability for Windows Tweeted, Immediately Exploited appeared first on Security Intelligence.

      British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected

      On Friday (7th September 2018), British Airways disclosed that between 21st August 2018 and 5th September 2018, 380,000 BA customers' payment card transactions were compromised by a third party through its website and mobile app. This data included the customer's full name, email address, debit\credit card 16 digit number (PAN), expiry date and card security code (i.e. CVV, CV2).

      Details of how the hack was orchestrated have now come to light. In a blog post, RiskIQ researchers claim to have found evidence that a web-based card skimmer script was injected into the BA website, very similar to the approach used by the Magecart group, who are believed to be behind a similar recent attack against the Ticketmaster website. Web-based card skimmer script attacks have been occurring since 2015.

      In this case, once the customer has entered their payment card details and submits the payment, whether on a PC or on a touchscreen device, the malicious script executes, captures their payment card data and sends it to a virtual private server (VPS) hosted in Romania. The server used the domain baways.com and had an https certificate issued by Comodo, so that it appeared legitimate within the website's HTML. The domain was registered 6 days before the breach started; this evidently went undetected by BA's security, although the registration might have been picked up by a threat intelligence service.

      Other researchers have also claimed the BA website wasn't PCI DSS compliant. Marcus Greenwood found files loaded from 7 external domains onto the BA website, and crucially said the BA payment page wasn't isolating the card payment entry within an iframe, which would prevent any third-party scripts (and XSS attacks) from being able to read the payment card form fields. The Payment Card Industry Data Security Standard (PCI DSS) is required of all organisations which accept, process, store and/or transmit debit and credit cards.
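The two weaknesses just described, third-party scripts on the payment page and card fields sitting in the merchant's own document, can both be checked statically. The audit below is an added example written for this page; it is not RiskIQ's, British Airways' or Marcus Greenwood's code. It parses a checkout page with Python's standard HTML parser and reports scripts loaded from hosts outside an allow-list, card inputs that live in the merchant document (where any script, first- or third-party, can read them), and the absence of a payment iframe served from the payment provider's origin. The host names, field names and both HTML pages are constructed for the example.

```python
"""Audit a checkout page for third-party script exposure of card fields.

Added example, not the code of any party named in the article. All host
names, input names and the two HTML documents below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input names a skimmer would harvest (constructed list)
CARD_FIELD_NAMES = {"cardnumber", "card_number", "pan", "expiry", "cvv", "cvc"}

FIRST_PARTY_HOST = "www.airline-example.com"          # placeholder merchant host
ALLOWED_SCRIPT_HOSTS = {"cdn.analytics-example.net"}  # placeholder allow-list
PAYMENT_FRAME_HOST = "pay.psp-example.com"            # placeholder PSP host


class CheckoutPageParser(HTMLParser):
    """Collect script sources, iframe sources and card inputs from one document."""

    def __init__(self):
        super().__init__()
        self.script_hosts = []   # hostname per <script src>, None when relative
        self.iframe_hosts = []   # hostname per <iframe src>
        self.card_fields = []    # card inputs that live directly in this document

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_hosts.append(urlparse(a["src"]).hostname)
        elif tag == "iframe" and a.get("src"):
            self.iframe_hosts.append(urlparse(a["src"]).hostname)
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            if name in CARD_FIELD_NAMES:
                self.card_fields.append(name)


def audit_checkout(html, first_party_host, allowed_script_hosts, payment_frame_host):
    """Return a list of findings; an empty list means the page passed every check."""
    parser = CheckoutPageParser()
    parser.feed(html)
    findings = []
    for host in parser.script_hosts:
        host = host or first_party_host  # a relative src resolves to the merchant host
        if host != first_party_host and host not in allowed_script_hosts:
            findings.append("script loaded from non-allow-listed host: " + host)
    if parser.card_fields:
        # Every script in this document can read these inputs via the DOM
        findings.append("card fields in merchant document: "
                        + ", ".join(sorted(set(parser.card_fields))))
    if payment_frame_host not in parser.iframe_hosts:
        findings.append("no payment iframe from " + payment_frame_host)
    return findings


# Constructed checkout page: card inputs in the merchant document plus an
# unexpected third-party script that could read them.
VULNERABLE_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.analytics-example.net/track.js"></script>
<script src="https://static.unknown-cdn-example.com/modernizr.js"></script>
</head><body><form id="pay">
<input name="cardnumber"><input name="expiry"><input name="cvv">
<button>Pay</button></form></body></html>"""

# Constructed hardened page: card entry delegated to an iframe on the payment
# provider's origin, so scripts in this document cannot reach the fields.
HARDENED_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.analytics-example.net/track.js"></script>
</head><body>
<iframe src="https://pay.psp-example.com/hosted-fields?merchant=demo"></iframe>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("hardened", HARDENED_PAGE)):
        print(label, audit_checkout(page, FIRST_PARTY_HOST,
                                    ALLOWED_SCRIPT_HOSTS, PAYMENT_FRAME_HOST))
```

The hardened layout relies on the browser's same-origin policy: a script running in the merchant document cannot read inputs inside a frame served from a different origin. The static audit becomes a runtime control when the same allow-list is expressed as a Content-Security-Policy `script-src` directive, and Subresource Integrity hashes on the permitted third-party scripts catch tampering with the script files themselves.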

      Here is the advice from CEO of global cybersecurity specialist SonicWall, Bill Conner:

      "Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Personal information that does not change as easily as a credit card or bank account number drive a high price on the Dark Web. This kind of Personally Identifiable Information is highly sought after by cybercriminals for monetary gain. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course."

      My view: mass credit\debit card data (cardholder data) complete with the security code has always been targeted by cyber crooks as it is very easily sellable on the dark web, as the data can only be used in cardholder-not-present transaction fraud, where the card holder is not physically present, i.e. online, app, phone. The finger can be pointed at lack of PCI DSS compliance by merchants like BA; however, I think it is about time technology was used to improve the security of all cardholder-not-present transactions, namely multi-factor authentication (MFA). While MFA on all cardholder-not-present transactions is not a silver bullet (there is no 100% security), enforced usage across all industries would certainly devalue debit\credit card data considerably.

      New Guide on How to Use the Sucuri WordPress Security Plugin

      Sucuri has always been active in the WordPress community. We’ve attended WordCamps around the world, created tools and features specifically for WordPress, and have maintained a free WordPress security plugin with over 400k installations.

      If you don’t already have it, you can download the Sucuri Security – Auditing, Malware Scanner and Security Hardening plugin directly from the official WordPress repository.

      Recently, we launched a guide on How to Use the WordPress Security Plugin.

      Continue reading New Guide on How to Use the Sucuri WordPress Security Plugin at Sucuri Blog.

      Legal AI: How Machine Learning Is Aiding — and Concerning — Law Practitioners

      Law firms tasked with analyzing mounds of data and interpreting dense legal texts can vastly improve their efficiency by training artificial intelligence (AI) tools to complete this processing for them. While AI is making headlines in a wide range of industries, legal AI may not come to mind for many. But the technology, which is already prevalent in the manufacturing, cybersecurity, retail and healthcare sectors, is quickly becoming a must-have tool in the legal industry.

      Due to the sheer volume of sensitive data belonging to both clients and firms themselves, legal organizations are in a prickly position when it comes to their responsibility to uphold data privacy. Legal professionals are still learning what the privacy threats are and how they intersect with data security regulations. For this reason, it’s critical to understand security best practices for operations involving AI.

      Before tackling the cybersecurity implications, let’s explore some reasons why the legal industry is such a compelling use case for AI.

      How Do Legal Organizations Use AI?

      If you run a law firm, imagine how much more efficient you could be if you could train your software to recognize and predict patterns that not only improve client engagement, but also streamline the workflow of your legal team. Or what if that software could learn to delegate tasks to itself?

      With some AI applications already on the market, this is only the beginning of what the technology can do. For example, contract analysis automation solutions can read contracts in seconds, highlight key information visually with easy-to-read graphs and charts, and get “smarter” with each contract reviewed. Other tools use AI to scan legal documents, case files and decisions to predict how courts will rule in tax decisions.

      In fact, the use of AI in the legal industry has been around for years, according to Sherry Askin, CEO of Omni Software Systems. Askin has deep roots in the AI field, including work with IBM’s Watson.

      “AI is all about increasing efficiency, and is being touted as the next revolution,” she said. “We’ve squeezed as much as we can from human productivity through automation. The next plateau from productivity and the next threshold is AI.”

      Why Machine Learning Is Critical

      Law is all about words, natural language and the coded version of an unstructured version, said Askin. While we know how to handle the coded versions, she explained, the challenge with legal AI is that outputs are so tightly tailored to past results described by their inputs. That’s where machine learning comes in to predict how these inputs might change.

      Askin compared machine learning to the process of intellectual development by which children soak up news words, paragraphs, long arguments, vocabulary and, most importantly, context. With deep learning, not only are you inputting data, but you’re giving the machine context and relevance.

      “The machine is no longer a vessel of information,” Askin explained. “It figures out what to do with that information and it can predict things for you.”

      Although machines can’t make decisions the same way that humans can, the more the neural processing and training they conduct, the more sophisticated their learning and deliverables can become. Some legal AI tools can process and analyze thousands of lease agreements, doing in seconds what humans would do in weeks.

      How Do Privacy Regulations Impact Legal Firms?

      For any industry, protecting privileged client data is a paramount concern. The American Bar Association, which requires practitioners to employ reasonable efforts to prevent unauthorized access to client data, has implemented periodic changes and updates to address the advances of technology. In addition, the Legal Cloud Computing Association (LCCA) issued 21 standards to assist law firms and attorneys in addressing these needs, including testing, limitations on third-party access, data retention policy, encryption, end user authentication and modifications to data.

      Askin urged legal organizations to evaluate strategies impacting security and privacy in the context of what they modify or replace.

      “I believe this is a major factor in legal because the profession has a deep legacy of expert-led art,” she said. “Traditional IT automation solutions perform best with systematized process and structured data. Unfortunately, systematization and structure are not historically compatible with the practice of law or any other professional disciplines that rely on human intelligence and dynamic reasoning.”

      How to Keep Legal AI Tools in the Right Hands

      Legal organizations are tempting targets for malicious actors because they handle troves of sensitive and confidential information. Rod Soto, director of security research for Jask, recommended several key strategies: employ defense in depth principles at the infrastructure level, train personnel in security awareness and use AI to significantly enhance security posture overall. To protect automated operations conducted by AI, Soto warned, we must understand that while these AI systems are trained to be effective, they can also be steered off course.

      “Malicious actors can and will approach AI learning models and will attempt to mistrain them, hence the importance of feedback loops and sanity checks from experienced analysts,” he said. “You cannot trust AI blindly.”

      Finally, it’s crucial for legal organizations to understand that AI does not replace a trained analyst.

      “AI is there to help the analyst in things that humans have limitations, such as processing very large amounts of alarms or going through thousands of events in a timely manner,” said Soto. “Ultimately, it is upon the trained analyst to make the call. An analyst should always exercise judgment based on his experience when using AI systems.”

      Because the pressure to transform is industrywide, profound changes are taking shape to help security experts consistently identify the weakest link in the security chain: people.

      “It’s nearly impossible to control all data and privacy risks where decentralized data and human-managed processes are prevalent,” Askin said. “The greater the number of endpoints, the higher the risk of breach. This is where the nature of AI can precipitate a reduction in security and privacy vulnerabilities, particularly where prior IT adoption or data protection practices were limited.”

      The post Legal AI: How Machine Learning Is Aiding — and Concerning — Law Practitioners appeared first on Security Intelligence.

      3 Ways Threat Intelligence Saves Time and Money

      Key Takeaways

      • A new IDC white paper found that organizations saw significant time and money savings after incorporating Recorded Future into their already existing security systems.
      • Organizations grew more efficient in three main areas: security teams had more time to react to threats, staff productivity increased, and businesses avoided costly penalties and fines resulting from security breaches.
      • Threat intelligence gave the organizations surveyed by IDC more time and context to react to threats and helped them raise their security posture across teams.

      When IT security teams already rely on a vast number of security systems — sometimes nearly two dozen — to keep their organizations secure, the thought of keeping up with yet another system, like a threat intelligence solution, might sound like a headache.

      But the reality is, organizations that know how to apply valuable insights from threat intelligence to their cybersecurity decision-making process are able to work faster and smarter.

      That’s what IDC determined in a recent survey of organizations who incorporated Recorded Future’s threat intelligence solution into their already existing security systems. Rather than threat intelligence being just an added bonus (or even a distraction), organizations of all sizes consistently found that it saved them time and money while improving their security posture.

      3 Key Results of Using Threat Intelligence

      IDC’s research uncovered significant cost savings across IT security teams — $39,638 per team member per year, to be exact. Considering that the average starting salary of an IT security analyst is roughly twice that, in cost savings alone, that’s like hiring a free third analyst for every two your organization already has.

      Those quick figures illustrate how IDC found that organizations saw their threat intelligence investment paid back after only four months on average. But in what ways, exactly, are the organizations who started using threat intelligence seeing their costs reduced?

      IDC found that the cost savings come in three main areas: security teams have more time to react to threats, staff productivity goes up, and organizations more easily avoid costly penalties and fines resulting from security breaches.

      1. Security teams have more time to react to threats.

      One statistic that demonstrates how fast cybersecurity threats move is that, on average, new vulnerabilities will either be exploited within the first two weeks of being found or not at all. That means you often have a matter of only days to react when a new vulnerability affecting the systems you use is identified.

      IDC found that organizations identified threats 10 times faster and resolved them 63 percent quicker when they started using threat intelligence.

      It’s how these statistics break down that reveals the significant difference threat intelligence makes. Before using Recorded Future, organizations identified threats only 0.4 days on average before they became impactful, and took 15.6 hours on average to resolve them.

      With Recorded Future threat intelligence, the average time that threats were identified before becoming impactful stretched to 4.1 days — 10 times faster — and the time it took security teams to resolve them was lowered to only 5.7 hours on average — 63 percent quicker.

      Productivity Impact Table

      Source: IDC, 2018

      Security teams are also able to identify 22 percent more threats before they become impactful. That’s especially consequential when a recent Cisco study showed that security teams ignore almost half of all alerts they see daily and only a third of those they do look at are legitimate. The huge slog of manually sorting through mountains of data and avoiding false positives is one reason why security analysts struggle to keep up with risks in a timely manner.

      Automating the collection and processing of threat data is a scalable solution to this problem, helping organizations more quickly and accurately assess their risk profile. “As we have grown and acquired new technologies and expanded into new areas,” one organization surveyed by IDC noted, “[threat intelligence] allows us to monitor for threats in areas where we are fairly new entrants and where we might not have the same security infrastructure as we would have in our existing business.”

      2. Staff productivity increases.

      Every team, including staff responsible for operations, investigation, report compilation, and threat resolution, saw their work made easier by incorporating threat intelligence into their already existing security systems, with 32 percent lower costs overall.

      Organizations that started using threat intelligence also reduced unplanned downtime due to security breaches or last-minute, critical updates needing to be applied.

      Handling threats before they became critical issues let security teams reduce unplanned downtime by 86 percent — not a small number when considering that the average cost for every minute of downtime is around $9,000, depending on the size of your organization.

      Unplanned Downtime Impact Chart

      Source: IDC, 2018

      3. Organizations avoid more damaging penalties and fines resulting from security breaches.

      With most organizations keeping the personally identifiable information of their customers on file — things like credit card numbers, dates of birth, and so on — data breaches represent huge risks, incurring not only expensive fines and penalties, but also less quantifiable damage, such as a tarnished reputation and loss of public trust.

      Threat intelligence helps mitigate that risk, to the order of $1,033,300 dollars per breach on average among the organizations surveyed by IDC.

      Threat Intelligence Mitigates Risk

      It’s a huge challenge trying to make sense of the vast amounts of raw data and alerts that teams face today across multiple unconnected security platforms. Making sense of it all takes a threat intelligence solution that aggregates all of that data automatically and provides additional context.

      To learn more about how threat intelligence can help your organization achieve significant time and cost savings, download your free copy of the recent IDC white paper, “Organizations React to Security Threats More Efficiently and Cost Effectively With Recorded Future.”

      The post 3 Ways Threat Intelligence Saves Time and Money appeared first on Recorded Future.

      Uber Data Breach Class Action Must Proceed to Arbitration

      On September 5, 2018, the U.S. District Court for the Central District of California held that a class action arising from a 2016 Uber Technologies Inc. (“Uber”) data breach must proceed to arbitration. The case was initially filed after a 2016 data breach that affected approximately 600,000 Uber drivers and 57 million Uber customers. Upon registration with Uber, the drivers and customers entered into a service agreement that contained an arbitration provision. Based on this provision, the defendants moved to compel arbitration. They argued that the provision’s express language delegated the threshold issue of whether the case should be arbitrated (also called an issue of “substantive arbitrability”) to an arbitrator, not to the court. The plaintiffs countered, arguing that the arbitration clause was both inapplicable to the 2016 data breach and unconscionable, and that Uber customers did not receive reasonable notice of the electronic terms agreement when they registered.

      The court rejected each of the plaintiffs’ arguments. First, citing Mohammed v. Uber Techs., Inc., 848 F.3d 1201, 1209 (9th Cir. 2016), the court held that the agreement’s language “clearly and unmistakably” delegated to the arbitrator the threshold and substantive issue of whether the 2016 breach was one that should be arbitrated. Second, whether the arbitration provision was unconscionable was similarly a question of substantive arbitrability “expressly delegated to the arbitrator.” Third, the court noted that the plaintiffs offered no evidence of confusion or lack of notice, and that many other courts had found similar electronic notice to be reasonable.

      The case has been stayed pending completion of the arbitration.

      CVE-2016-0715

      Pivotal Cloud Foundry Elastic Runtime version 1.4.0 through 1.4.5, 1.5.0 through 1.5.11 and 1.6.0 through 1.6.11 is vulnerable to a remote information disclosure. It was found that original mitigation configuration instructions provided as part of CVE-2016-0708 were incomplete and could leave PHP Buildpack, Staticfile Buildpack and potentially other custom Buildpack applications vulnerable to remote information disclosure. Affected applications use automated buildpack detection, serve files directly from the root of the application and have a buildpack that matched after the Java Buildpack in the system buildpack priority when Java Buildpack versions 2.0 through 3.4 were present.

      Adobe Issues ColdFusion Software Update for 6 Critical Vulnerabilities

      Adobe has released September 2018 security patch updates for a total of 10 vulnerabilities in Flash Player and ColdFusion, six of which are rated as critical that affected ColdFusion and could allow attackers to remotely execute arbitrary code on a vulnerable server. What's the good news this month for Adobe users? This month Adobe Acrobat and Reader applications did not receive any patch

      Tesla Hails Researchers To Hack Cars Without Fear

      Tesla Hails Researchers To Hack Its Cars Without Fear

      The security-conscious Tesla Motors has told researchers that they are welcome to hack its cars for the sake of research, without fear of voiding the warranty, being left with a non-running vehicle, or facing legal action.


      Before extending this to researchers, Tesla noted that certain requirements set out in the company’s vulnerability reporting programme must be met. To begin with, the research must be genuine and in good faith, both the vehicle and the researcher must be registered, and the tests must be approved in advance.

      Only once these prerequisites are satisfied will the company provide over-the-air (OTA) assistance to researchers to bring their cars up to date. Tesla’s standard tools, along with other suitable methods used at service centres, make it possible to reflash the car’s firmware.

      The company also cautions that requests for assistance must be kept within reasonable limits, that it will not cover the cost of towing a vehicle, and that its goodwill is not to be abused.

      Researchers and their cars will be immune from charges under the Computer Fraud and Abuse Act (CFAA).
      Provided pre-approved researchers do not touch other code or binaries, no copyright infringement claims will be brought under the Digital Millennium Copyright Act (DMCA).

      Back in 2013, researchers found a major weakness in the Megamos Crypto transponder used in the anti-theft immobilisers of keyless cars, and a court order prevented them from publishing it. Volkswagen, Bentley, Audi and Porsche all had this system installed in their cars. Volkswagen sued the researchers and held back their work until 2015, when they finally presented it at the USENIX security conference.

      Tesla, by contrast, openly acknowledges the value of any research that makes its products better. In fact, the company has stated that a researcher who reports a confirmed vulnerability will be listed in Tesla’s hall of fame.

      Adobe Releases Security Updates

      Original release date: September 11, 2018

      Adobe has released security updates to address vulnerabilities in Adobe Flash Player and ColdFusion. An attacker could exploit some of these vulnerabilities to take control of an affected system.

      NCCIC encourages users and administrators to review Adobe Security Bulletins APSB18-31 and APSB18-33 and apply the necessary updates.

      CVE-2018-16836

      Rubedo through 3.4.0 contains a Directory Traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI.
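The URI quoted in the advisory combines percent-encoded dot segments (`%2e%2e`), a literal `..` and a doubled slash, which is why a file-serving route has to decode, normalise and then check containment before it touches the filesystem. The code below is an added example written for this page, not Rubedo's code: THEME_ROOT is a placeholder directory, and the assumption that the theme route serves whatever follows `/theme/default/` relative to that directory is mine. It shows a naive resolver of the shape that escapes its root beside a resolver that rejects the advisory's path and accepts an ordinary asset path.

```python
"""Reject directory traversal in a static-file route.

Added example, not Rubedo's code. THEME_ROOT is a placeholder and the route
layout is an assumption; ADVISORY_SUFFIX is the tail of the URI cited in the
advisory, as such a route would see it.
"""
import posixpath
from urllib.parse import unquote

THEME_ROOT = "/srv/app/themes/default"         # placeholder, not Rubedo's layout
ADVISORY_SUFFIX = "img/%2e%2e/..//etc/passwd"  # from the advisory's URI


def decode_fully(path, max_rounds=3):
    """Percent-decode until the value stops changing.

    One unquote() turns %2e%2e into '..'; a second round is needed for
    double-encoded %252e. Give up rather than loop on pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise ValueError("too many encoding layers")


def naive_resolve(root, suffix):
    """Decode, join, normalise: the shape of a vulnerable handler.

    normpath() walks '..' straight past root, and join() with an absolute
    second argument discards root entirely; nothing here checks containment."""
    return posixpath.normpath(posixpath.join(root, decode_fully(suffix)))


def safe_resolve(root, suffix):
    """Return the path to serve, or None when the request escapes root."""
    try:
        decoded = decode_fully(suffix)
    except ValueError:
        return None
    if "\x00" in decoded:  # a NUL byte would truncate the name in C-based I/O
        return None
    # Force a relative interpretation: leading slashes would let join() drop root.
    relative = posixpath.normpath(decoded.lstrip("/"))
    # After lexical normalisation any surviving '..' is a climb above root.
    if relative == ".." or relative.startswith("../"):
        return None
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, relative))
    # Final containment check: the resolved string must still sit under root.
    if full != root and not full.startswith(root + "/"):
        return None
    return full


if __name__ == "__main__":
    print("naive:", naive_resolve(THEME_ROOT, ADVISORY_SUFFIX))  # climbs out of the theme dir
    print("safe :", safe_resolve(THEME_ROOT, ADVISORY_SUFFIX))   # None, request refused
    print("asset:", safe_resolve(THEME_ROOT, "img/logo.png"))
```

The check is purely lexical, so it cannot see symbolic links inside the root; on a real filesystem, follow it with `os.path.realpath` on the resolved path and repeat the prefix comparison against the real root before opening the file.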

      CVE-2018-10937

      A cross site scripting flaw exists in the tetonic-console component of OpenShift Container Platform 3.11. An attacker with the ability to create pods can use this flaw to perform actions on the K8s API as the victim.

      Twenty Years of Network Security Monitoring: From the AFCERT to Corelight

      I am really fired up to join Corelight. I’ve had to keep my involvement with the team a secret since officially starting on July 20th. Why was I so excited about this company? Let me step backwards to help explain my present situation, and forecast the future.

      Twenty years ago this month I joined the Air Force Computer Emergency Response Team (AFCERT) at then-Kelly Air Force Base, located in hot but lovely San Antonio, Texas. I was a brand new captain who thought he knew about computers and hacking based on experiences from my teenage years and more recent information operations and traditional intelligence work within the Air Intelligence Agency. I was desperate to join any part of the then-five-year-old Information Warfare Center (AFIWC) because I sensed it was the most exciting unit on “Security Hill.”

      I had misjudged my presumed level of “hacking” knowledge, but I was not mistaken about the exciting life of an AFCERT intrusion detector! I quickly learned the tenets of network security monitoring, enabled by the custom software watching and logging network traffic at every Air Force base. I soon heard there were three organizations that intruders knew to be wary of in the late 1990s: the Fort, i.e. the National Security Agency; the Air Force, thanks to our Automated Security Incident Measurement (ASIM) operation; and the University of California, Berkeley, because of a professor named Vern Paxson and his Bro network security monitoring software.

      When I wrote my first book in 2003-2004, The Tao of Network Security Monitoring, I enlisted the help of Christopher Jay Manders to write about Bro 0.8. Bro had the reputation of being very powerful but difficult to stand up. In 2007 I decided to try installing Bro myself, thanks to the introduction of the “brolite” scripts shipped with Bro 1.2.1. That made Bro easier to use, but I didn’t do much analysis with it until I attended the 2009 Bro hands-on workshop. There I met Vern, Robin Sommer, Seth Hall, Christian Kreibich, and other Bro users and developers. I was lost most of the class, saved only by my knowledge of standard Unix command line tools like sed, awk, and grep! I was able to integrate Bro traffic analysis and logs into my TCP/IP Weapons School 2.0 class, and subsequent versions, which I taught mainly to Black Hat students. By the time I wrote my last book, The Practice of Network Security Monitoring, in 2013, I was heavily relying on Bro logs to demonstrate many sorts of network activity, thanks to the high-fidelity nature of Bro data.

      In July of this year, Seth Hall emailed to ask if I might be interested in keynoting the upcoming Bro users conference in Washington, D.C., on October 10-12. I was in a bad mood due to being unhappy with the job I had at that time, and I told him I was useless as a keynote speaker. I followed up with another message shortly after, explained my depressed mindset, and asked how he liked working at Corelight. That led to interviews with the Corelight team and a job offer. The opportunity to work with people who really understood the need for network security monitoring, and were writing the world’s most powerful software to generate NSM data, was so appealing! Now that I’m on the team, I can share how I view Corelight’s contribution to the security challenges we face.

      For me, Corelight solves the problems I encountered all those years ago when I first looked at Bro. The Corelight embodiment of Bro is ready to go when you deploy it. It’s developed and maintained by the people who write the code. Furthermore, Bro is front and center, not buried behind someone else’s logo. Why buy this amazing capability from another company when you can work with those who actually conceptualize, develop, and publish the code?

It’s also not just Bro, but it’s Bro at ridiculous speeds, ingesting and making sense of complex network traffic. We regularly encounter open source Bro users who spend weeks or months struggling to get their open source deployments to run at the speeds they need, typically in the tens or hundreds of Gbps. Corelight’s offering is optimized at the hardware level to deliver the highest performance, and our team works with customers who want to push Bro to even greater levels.

      Finally, working at Corelight gives me the chance to take NSM in many exciting new directions. For years we NSM practitioners have worried about challenges to network-centric approaches, such as encryption, cloud environments, and alert fatigue. At Corelight we are working on answers for all of these, beyond the usual approaches — SSL termination, cloud gateways, and SIEM/SOAR solutions. We will have more to say about this in the future, I’m happy to say!

      What challenges do you hope Corelight can solve? Leave a comment or let me know via Twitter to @corelight_inc or @taosecurity.

      Apple Removes Several Trend Micro Apps For Collecting MacOS Users’ Data

      Apple has removed almost all popular security apps offered by well-known cyber-security vendor Trend Micro from its official Mac App Store after they were caught stealing users' sensitive data without their consent. The controversial apps in question include Dr Cleaner, Dr Cleaner Pro, Dr Antivirus, Dr Unarchiver, App Uninstall, Dr. Battery, and Duplicate Finder for Mac computers. The apps

      Busting the VDI Security Myth

      Many CISOs and security pros see Virtual Desktop Infrastructure (VDI) and other remote application solutions as security barriers. They think VDI isolates sensitive resources from the user's device, making it impossible for hackers to bust through. But that’s a dangerous myth. In reality, VDI is only a minor hurdle for cyber-criminals.

It doesn’t matter whether your business is using VDI so employees can access server-hosted desktops from thin clients or personal laptops, or giving third parties “controlled” access to corporate assets, or allowing IT admins and other privileged users to use VDI servers as “jump hosts” for managing the enterprise crown jewels. Whatever the VDI use case, corporate assets are still exposed. Here’s why:

      • Thin clients

      An employee using a thin client to connect to a remote VDI desktop running Windows is no better off security-wise than any other Windows laptop user. The remote desktop is still exposed to a variety of standard attack vectors, including email, web, external media, user-installed applications, and many others.

      • Unmanaged employee devices

      In many companies, employees are allowed to connect to corporate VDI desktops from unmanaged devices such as personal laptops. But what happens when those end-user devices are already compromised? In these scenarios, the attacker first gains control over the user’s personal laptop. He then impersonates the user and interacts with the remote VDI desktop. This doesn’t require attacker sophistication. It’s as simple as installing commoditized, off-the-shelf remote control software on the user’s personal laptop, waiting for the user to authenticate, and then controlling the VDI session in the user’s name.

      Some people think that by preventing clipboard operations between the user’s personal laptop and the remote VDI desktop, you can thwart attacks. But that doesn’t really work. Attackers can stealthily and instantly send an entire script via emulated keystrokes, and then launch the script on the remote VDI desktop. From there, the path to complete control of the VDI desktop is short. This kind of attack doesn’t require any zero-day vulnerability and can be executed by any determined attacker.

      • Third-party connections

Third-party vendors and contractors who use VDI to access your corporate resources make your business just as vulnerable as employees with unmanaged devices. As seen in the recent Target and Equifax breaches, cyber-criminals only need to infect one of the vendor’s machines. After that, they can gain control of sensitive resources via VDI. Two-factor authentication for VDI sessions doesn’t help mitigate this risk because the attacker, already present on the machine, simply waits for a successful authentication and then launches the attack.

      • Privileged users

      Some enterprises let their IT administrators connect to privileged management consoles via jump hosts or jump boxes hosted on VDI terminal servers. While jump hosts are often a healthy practice, problems begin when the device used to access the privileged host is a compromised personal device – which is often the case. The bad guys look for IT administrators and target them personally. Once they infect an IT administrator’s personal device, they can literally control the entire organization over VDI.

      The VDI Isolation Problem

      Why doesn’t VDI work for security? It all comes down to this: VDI is not an isolation solution. It does not isolate the remote sensitive resources from the device used to access them. If hackers control the end-user’s device, they control the VDI resources. 

Anything short of a full isolation approach leaves you vulnerable. That’s why local or remote access to sensitive resources should never be mixed with any corporate or personal usage that is exposed to the outside world. This guidance is being recommended more and more by security vendors like Microsoft and financial industry institutions like SWIFT, which propose using a separate instance of an operating system (OS) for accessing sensitive resources, including those residing on VDI.

      Isolation in Action

      So what would this look like in practice? A new, hypervisor-based approach entails turning end-user devices into software-defined endpoints, in which each endpoint has multiple isolated VMs. This approach fully isolates access to sensitive resources, without limiting the user’s freedom or requiring multiple laptops or desktops. 

      Everything a user does runs in one of their endpoint’s VMs, including OSes and all applications. One OS can be used for personal, unlocked usage, and the other for accessing sensitive resources, either locally or via VDI. Attackers controlling the personal VM cannot see or control the sensitive VM. They’d have to break out of the VM to be able to breach the security of the system. This provides the assured protection businesses need and the high productivity users crave.

VDI on its own provides a false sense of security that is misleading at best and devastating to the business at worst. It’s paramount that enterprises realize this risk and take appropriate isolation measures to protect their business.

      About the author: Tal is a passionate entrepreneur and veteran R&D leader with 15 years of experience in the cyber and IT domains. Tal started his official career in the Israeli Ministry of Defense, in which he pioneered multiple mission-critical cyber products. He then joined the leadership team of Wanova – a desktop virtualization startup that was later acquired by VMware. He holds multiple US patents as well as an M.Sc. degree in Computer Science from the Technion.

      Copyright 2010 Respective Author at Infosec Island

      Red Hat Security Advisory 2018-2669-01

      Red Hat Security Advisory 2018-2669-01 - Red Hat Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. This release of Red Hat Fuse 7.1 serves as a replacement for Red Hat Fuse 7.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, path sanitization, and traversal vulnerabilities.

      Ubuntu Security Notice USN-3762-2

      Ubuntu Security Notice 3762-2 - USN-3762-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was discovered that the VirtIO subsystem in the Linux kernel did not properly initialize memory in some situations. A local attacker could use this to possibly expose sensitive information. Various other issues were also addressed.

      IDG Contributor Network: Start preparing today for the future of quantum computing

As an IT security professional, you have a number of issues that demand your attention today: protecting against data breaches, securing IT infrastructures that are growing more complex and distributed, the steady stream of new devices attaching to your networks thanks to the rise of the Internet of Things, artificial intelligence, and so on. So, the as-yet-unknown arrival of quantum computing is probably not on your radar. But it should be.

      There are two main factors that will influence how you proceed. First, ask yourself what your lead time will be for changing and updating your systems. The more compliance and regulatory obligations you have, the harder that gets and the longer it takes. For example, if you’re with an international bank with complex PKI and cryptography on a large scale, well, get started now.


      Why Admin Rights Removal Is only the First Step towards Data Protection

      When it comes to protecting data, removing admin rights is one of the most effective methods at an organisation’s disposal. Doing so minimises the likelihood that a successful attack on an individual’s account will be able to affect widespread system changes or install malware. 

      But many organisations still overlook the fact that restricting user admin rights represents just one cog in the data protection machine. Risks can never be completely removed but, by complementing the removal of admin rights with additional security measures, businesses can go a long way towards reducing the impact of any attacks. 

      More security means less privilege across the board

      In 2017, our Microsoft Vulnerabilities Report showed that 80 per cent of all vulnerabilities in core applications, such as Word, Excel and PowerPoint, can be eliminated by restricting the number of individuals who hold admin rights within an organisation. 

      Although it is a strong starting point, organisations must view this as a platform to build their data security on, rather than a silver bullet to end all concerns around potential attacks. For example, a default setup of user accounts that hold the lowest possible level of privilege needed for staff to carry out their roles can bolster security by:

• Limiting the scope of an attack: Attackers will only be able to access areas of a business related to that user's role, further reducing the type and amount of information they can access.
      • Reducing the spread of malicious software: Should an account become compromised, embedded malware will only be able to disseminate across a small part of a network, again minimising an attacker’s impact. 
      • Reducing insider threat: Attacks can originate from inside an organisation through aggrieved employees. By creating an environment of least privilege, businesses can reduce these users’ access solely to the data and systems pertinent to their roles, again enhancing data protection. 
      • Increasing network stability: Unsolicited changes can be identified more quickly and easily when the scope of systems and files affected is reduced, giving organisations a timely advantage when it comes to resolving them.  

The advantages of least privilege adoption are seen most prominently when an organisation suffers a successful assault on its systems, and being prepared for that situation is invaluable. Attackers who breach a company’s outer defences will find that the level of access they are granted on the inside is significantly reduced.

      Layering your security with application control

To better defend themselves against malicious attacks, organisations should be actively introducing application control. This important additional layer of security makes certain that unauthorised applications are unable to execute in a way that compromises the security of data.

This is managed by whitelisting and blacklisting all applications, ensuring administrators have full visibility and control over their IT systems. The advantages of application control include gaining the ability to:

      • Monitor and adjust applications within a network: Provides a clear and complete picture of all active and inactive applications and systems. 
      • Prevent unauthorised execution: Only authorised applications can execute. All executions that are not approved on a whitelist are automatically prevented from doing so. 
      • Better understand data traffic: Companies operating application control can more easily monitor the flow of data within their systems, providing details on users’ access requirements and activities.
      • Improve network stability: By limiting the extent to which changes can be made, administrators can promote greater stability and better mitigate adverse changes. 
• Protect against known exploits: Exposure to vulnerabilities in unpatched operating systems and third-party applications can be reduced.

      By controlling applications in this way, businesses can reduce their vulnerability to attacks by gaining more control and visibility over the way in which their systems interconnect with applications. This provides greater visibility over the transfer of data throughout their organisation as a result.  

      Those that are committed to developing stronger safeguards against cyber threats shouldn’t rely on just one method to keep their data safe. Instead, they should proactively combine methods to bolster the security setup of their business and reduce the risk of damaging data breaches as a result. 

      About the author: Andrew has been a fundamental part of the Avecto story since its inception in 2008. As COO, Andrew is responsible for Avecto's end-to-end customer journey, leading the global consultancy divisions of pre-sales, post sales and training, as well as customer success, support and IT.


      CVE-2018-2465

SAP HANA (versions 1.0 and 2.0) Extended Application Services classic model OData parser does not sufficiently validate XML. By exploiting this, an unauthorized hacker can cause the database server to crash.

      CVE-2018-2463

The Omni Commerce Connect API (OCC) of SAP Hybris Commerce, versions 6.*, is vulnerable to server-side request forgery (SSRF) attacks. This is due to a misconfiguration of the XML parser that is used in the server-side implementation of OCC.

      CVE-2018-2459

      Users of an SAP Mobile Platform (version 3.0) Offline OData application, which uses Offline OData-supplied delta tokens (which is on by default), occasionally receive some data values of a different user.

      CVE-2018-1127

      Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user.

      CVE-2018-10893

      Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code.

      CVE-2018-2454

      SAP Enterprise Financial Services, versions 6.05, 6.06, 6.16, 6.17, 6.18, 8.0 (in business function EAFS_BCA_BUSOPR_2) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

      CVE-2018-2452

      The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability.

      CVE-2018-2455

      SAP Enterprise Financial Services, versions 6.05, 6.06, 6.16, 6.17, 6.18, 8.0 (in business function EAFS_BCA_BUSOPR_SEPA) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

      Defense is Your Best Offense: Understanding the Fundamentals of Risk-Based Security

Successful strategists in the security arena face the same kind of tactical issues as football coaches. Attackers are skillful, resourceful and motivated to succeed. Football coaches can’t deploy a “one-size-fits-all” strategy, and neither can security leaders. On a macro level, this is called “Risk-Based Security.”

      5 safe ways to get back at spammers: a guide to wasting time

      Everyone hates spam (apart from the people who send it). While many people simply report spam and delete, a few look for ways to get back at the spammers wasting their time. In fact, a common question we’re asked is, “How can we waste their time?”

      My own opinion on this is a little loaded with caution; simply striking up conversations with spammers and scammers with no prior experience is a good way to get yourself into trouble.

      Maybe you replied from your work mail, and now they’re sending missives to your boss. Perhaps you used a mail service revealing your IP address, and now they’re making empty yet terrifying-sounding threats about hacking you. How about responding to their request for ID and accidentally sending them the real thing, instead of a humorously-constructed image built from MS paint?

      There’s a lot to think about before embarking on this path, but if you still want to waste some spammer’s time (and in a much safer fashion), read on.

      The basics

      1) NO GENUINE INFORMATION EVER. Yes, I realize all caps is a bit shouty but it’s important enough information to warrant shouting. No matter what you do, or which method you use to waste a scammer’s time, revealing things about you and yours is always a bad idea.

      2) Use an anonymous email address. And don’t tie it to something you use daily. Avoid work email, personal email, email tied to anything “business critical” (websites/domain registrations, or other sensitive logins).

      Worried that a spammer won’t reply if you reply to them with your new-fangled anonymous/throwaway account instead of the one they sent it to? Don’t be. They don’t care, they’ll reply to anything. Mail, voicemail, love letter painted on the side of a cow, anything at all. One common spammer trick is to direct you to alternate email addresses to reply to because their main one is liable to be shut down at any moment anyway, so they really won’t care where your time-wasting antics come from.

      3) Don’t tell people to do dangerous things. There is a popular form of 419 scam-baiting called “Going on safari,” where the pretend victim manipulates the scammer into a long, potentially dangerous trek into parts unknown. While some of these tales are humorous in an “Oh no, you did what?” fashion, you really don’t want to get yourself involved in any situation where somebody falls off a cliff and they have a printout in their pants with your “There’s buried treasure 500 miles this way, honest” mail in them.

      Outside of that, how you waste their time is really up to you. One word answers to all of their missives tend to aggravate them in spectacular fashion, if that helps. If you’re not comfortable with the direct approach, there’s more than a few ways to keep your hands clean (so to speak) while gobbling up more of their precious time.

      Let someone else do the dirty work

      As it turns out, a little automation goes a long way. There’s a variety of tools online for you to make use of in the fight against spammers, and the best part is they won’t have any idea about your involvement.

      4) Use a chatbot app, such as Spamnesty, to automate email spam exchanges. All you must do here is strip out any personal information of your own from any email exchange, forward the spam on to the Spamnesty email address, and then sit back and giggle a lot as a chatbot pretending to be a CEO endlessly frustrates a scammer. Bonus: you can read through some of the conversations. Everyone can enjoy that.

      Re:Scam gets an honorable mention because although currently offline, it has the promise of eventually coming back to life. Another chatbot, it cycles through various personalities to get the job done and has (according to their stats) replied to more than a million emails and wasted roughly five years of their time in total, which is spectacular.

5) Use a spam blocker app with automated responses for telemarketers. Not all spam is email-based, and significant volumes continue to land on our mobile devices in the form of phone calls. If you’re really unlucky, it’s a nonstop barrage of missed calls, unknown callers, and premium rate call-back scams just waiting to get their teeth into your cash. Several apps exist that will block cold callers and add them to spam lists (which isn’t always straightforward to figure out on a vanilla phone), but there aren’t many that waste the scammers’ time with chatbots.

      Robokiller is one of the first to deploy a variety of (hopefully?) humorous chatbots to choose from, then set them loose in calls with unwanted telemarketers. As with the mail-based equivalents, wasting time is the name of the game because wasted time equals wasted money on the part of the spammer. While I don’t believe this approach is ever going to prevent phone spammers from giving up their day job, one wasted call is another person not losing a ton of money or personal information to a con artist. That can only be a good thing.

      The future of time wasting

      Burning out scammers isn’t just an occasional pastime for forum goers anymore. You can turn it into an actual occupation with a little bit of outlay and hard work. The future is YouTube scam baiting gone mainstream. Just remember before you start punking your next scammer that (depending on the method of outreach and how much of your information might be lurking in breach dumps), they could well have your real information. It’s really not pleasant to hear “We’ll have our people at your home address, watch your back.”

      If in doubt, stick to non-identifiable automation or leave things to the professionals. It’s generally a lot safer that way, and you’ll probably get to watch a humorous YouTube video in the bargain. That’s a win for everybody—except perhaps for the spammer on the receiving end.

      The post 5 safe ways to get back at spammers: a guide to wasting time appeared first on Malwarebytes Labs.

      FIN6 Hackers Update Arsenal of Techniques

      A cybercriminal group focused on stealing payment card data records has been using new tactics, techniques and procedures (TTPs) in attacks observed in 2017 and 2018, IBM X-Force security researchers report.

First detailed in April 2016, the group was initially observed in 2015, when it was compromising the point-of-sale (PoS) systems of organizations in the retail and hospitality sectors. At the time, FireEye determined that the hackers possessed valid credentials for each of the targeted companies’ networks.

In a new report detailing the group’s recent activity, IBM reveals that recently seen FIN6 attacks combine previously known TTPs with new ones, such as the abuse of IT management software for malware deployment or the use of Windows Management Instrumentation Command (WMIC) for the automation of PowerShell command and script remote execution.

      The cybercriminal group was observed deploying FrameworkPOS via an enterprise software deployment application and employing Metasploit-like behaviour, such as randomly generating service names in Windows event logs, dynamically generating file names for binaries on disk and hostnames in event logs.

      The hackers would also inject malicious Meterpreter code into legitimate Windows processes, use PowerShell commands obfuscated using base64 encoding and gzip compression, and exclude specific processes from targeting.

      Other changes in the group’s techniques include the use of a new DLL filename for the FrameworkPOS malware, the use of a .dat file as a cover filename for the malicious PowerShell script that injects FrameworkPOS, the use of specific PowerShell parameters to avoid detection, and the use of “1.txt”, “services.txt” and “.csv” files as reconnaissance output names.

      “While some of these TTPs may be side effects of tools FIN6 actors were using or specific to the environment in which the actors were operating, we believe many represent new TTPs that could become characteristic of evolved FIN6 standard operating procedures,” IBM says.

      Despite the use of new techniques, the security researchers are confident that the attacks were performed by FIN6, due to the use of TTPs already associated with the group. In fact, they reveal that 90% of the tactics had been previously associated with the hackers.

      The security researchers also warn that the hackers have demonstrated the ability “to gain systemic footholds in targeted networks, advance laterally and eventually achieve its objective of exfiltrating valuable data from the victim organization’s infrastructure.”

The group uses publicly available tools for reconnaissance and lateral movement, including FrameworkPOS, which allows it to harvest payment card data from POS endpoints’ memory. Not only are most of the group’s tools simplistic or publicly available, but their encoding mechanisms are relatively easy to decipher as well.

      “FIN6’s skill lies in its ability to bypass security controls and employ stealthy techniques, which allows the group to steal large amounts of data and sell at least some of it for a profit in dark web markets,” IBM notes.

      Related: "FIN6" Cybergang Steals Millions of Cards From PoS Systems


      CVE-2018-6976

The VMware Content Locker for iOS prior to 4.14 contains a data protection vulnerability in the SQLite database. This vulnerability relates to unencrypted filenames and associated metadata in the SQLite database for the Content Locker.

      CVE-2018-10853

A flaw was found in the way the Linux kernel KVM hypervisor before 4.18 emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check the current privilege level (CPL) while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside the guest.

      CVE-2016-7066

It was found that the improper default permissions on the /tmp/auth directory in JBoss Enterprise Application Platform before 7.1.0 can allow any local user to connect to the CLI and execute arbitrary operations.

      Fuji Electric V-Server

This advisory includes mitigations for use-after-free, untrusted pointer dereference, heap-based buffer overflow, out-of-bounds write, integer underflow, out-of-bounds read, and stack-based buffer overflow vulnerabilities in the Fuji Electric V-Server software.

      Researchers demonstrate how to unlock Tesla wireless key fobs in 2 seconds

      By Waqas

      Vulnerabilities and security flaws in vehicle security systems aren’t as surprising for us as it is that even the most renowned car manufacturers aren’t able to provide consumers with fool-proof systems. Wired reports that Tesla recently fixed a vulnerability in the security systems of its cars after a group of researchers in Belgium proved that the […]

This is a post from HackRead.com. Read the original post: Researchers demonstrate how to unlock Tesla wireless key fobs in 2 seconds

      What is a botnet? And why they aren’t going away anytime soon

      Botnets act as a force multiplier for individual attackers, cyber-criminal groups and nation-states looking to disrupt or break into their targets’ systems. By definition, they are a collection of any type of internet-connected device that an attacker has compromised. Commonly used in distributed denial of service (DDoS) attacks, botnets can also take advantage of their collective computing power to send large volumes of spam, steal credentials at scale, or spy on people and organizations.

      CVE-2016-7073

      An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 4.0.4, allowing an attacker in position of man-in-the-middle to alter the content of an AXFR because of insufficient validation of TSIG signatures. A missing check of the TSIG time and fudge values was found in AXFRRetriever, leading to a possible replay attack.

      CVE-2018-16832

      CSRF in the anti-csrf decorator in xunfeng 0.2.0 allows an attacker to modify the configuration via a Flash file because views/lib/AntiCSRF.py can overwrite the request.host value with the content of the X-Forwarded-Host HTTP header.
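The pattern this CVE describes, reconstructed as an added example (not xunfeng's own code) next to a hardened variant: the weak check derives the expected host from X-Forwarded-Host, a header any client can send, while the hardened check compares against an operator-configured allowlist. The hostnames and the two sample requests are constructed for the demonstration.

```python
from urllib.parse import urlsplit


def _origin_host(headers):
    """Hostname from the Origin header, falling back to Referer; None if neither is set."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname
    return None


def csrf_check_vulnerable(headers):
    """Defect class of CVE-2018-16832, reconstructed from the advisory text: the
    expected host is read from X-Forwarded-Host, which the client itself may send,
    so the Origin/Referer comparison can be satisfied for any origin."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return _origin_host(headers) == host.split(":")[0]


def csrf_check_hardened(headers, allowed_hosts):
    """Compare against an operator-configured allowlist instead: no request header
    can change the expected value, and a missing Origin/Referer is rejected."""
    origin = _origin_host(headers)
    return origin is not None and origin in allowed_hosts


ALLOWED_HOSTS = {"scanner.internal"}  # assumed deployment hostname (constructed)

# Constructed requests: a legitimate same-origin POST, and a cross-origin POST
# that also carries a forged X-Forwarded-Host matching its own origin.
LEGIT_REQUEST = {"Host": "scanner.internal", "Origin": "http://scanner.internal"}
FORGED_REQUEST = {
    "Host": "scanner.internal",
    "Origin": "http://attacker.example",
    "X-Forwarded-Host": "attacker.example",
}

if __name__ == "__main__":
    for label, req in (("legit", LEGIT_REQUEST), ("forged", FORGED_REQUEST)):
        print(label, "weak:", csrf_check_vulnerable(req),
              "hardened:", csrf_check_hardened(req, ALLOWED_HOSTS))
```

If a reverse proxy genuinely rewrites Host, the allowlist should hold the public hostnames the proxy presents, not whatever the upstream request carries.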

      CVE-2016-7074

An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 4.0.4, allowing an attacker in position of man-in-the-middle to alter the content of an AXFR because of insufficient validation of TSIG signatures. A check that the TSIG record is the last one was missing, leading to the possibility of parsing records that are not covered by the TSIG signature.
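The two missing checks from CVE-2016-7073 (time signed versus fudge) and CVE-2016-7074 (TSIG must be the last record) as an added, stand-alone example; this is not PowerDNS code. It parses TSIG RDATA in the RFC 2845 wire layout and applies both checks to a constructed AXFR message; MAC verification itself is left out, and the MAC bytes in the sample are a placeholder.

```python
import struct
import time

TSIG_TYPE = 250  # RR type code of TSIG (RFC 2845)


def _read_name(buf, offset):
    """Decode an uncompressed DNS name (length-prefixed labels, zero terminated)."""
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        length = buf[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in TSIG algorithm name")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


def parse_tsig_rdata(rdata):
    """Parse TSIG RDATA (RFC 2845, section 2.3) into a dict, rejecting truncation."""
    algorithm, off = _read_name(rdata, 0)
    if len(rdata) < off + 10:
        raise ValueError("truncated TSIG RDATA")
    # time signed is a 48-bit field: 16 high bits followed by 32 low bits
    time_hi, time_lo, fudge, mac_size = struct.unpack("!HIHH", rdata[off:off + 10])
    off += 10
    mac = rdata[off:off + mac_size]
    if len(mac) != mac_size or len(rdata) < off + mac_size + 6:
        raise ValueError("truncated TSIG MAC or trailer")
    off += mac_size
    original_id, error, other_len = struct.unpack("!HHH", rdata[off:off + 6])
    off += 6
    other = rdata[off:off + other_len]
    if len(other) != other_len or off + other_len != len(rdata):
        raise ValueError("bad TSIG other-data length")
    return {"algorithm": algorithm, "time_signed": (time_hi << 32) | time_lo,
            "fudge": fudge, "mac": mac, "original_id": original_id,
            "error": error, "other": other}


def build_tsig_rdata(algorithm, time_signed, fudge, mac, original_id, error=0, other=b""):
    """Encode TSIG RDATA; used here only to construct the sample record."""
    labels = algorithm.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return (name
            + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
            + mac
            + struct.pack("!HHH", original_id, error, len(other))
            + other)


def time_within_fudge(tsig, now=None):
    """Check missing in CVE-2016-7073: |now - time signed| must not exceed fudge
    (RFC 2845, section 4.5.2); otherwise a captured AXFR could be replayed later."""
    now = int(time.time()) if now is None else now
    return abs(now - tsig["time_signed"]) <= tsig["fudge"]


def tsig_is_last_record(records):
    """Check missing in CVE-2016-7074: exactly one TSIG RR, and it must be the final
    record, so every other record is covered by the MAC.
    records is a list of (owner name, RR type) tuples in wire order."""
    positions = [i for i, (_, rtype) in enumerate(records) if rtype == TSIG_TYPE]
    return len(positions) == 1 and positions[0] == len(records) - 1


def validate_axfr_tsig(records, tsig_rdata, now):
    """Apply both checks to one AXFR message; returns (accepted, reason)."""
    if not tsig_is_last_record(records):
        return False, "TSIG is not the sole, last record"
    tsig = parse_tsig_rdata(tsig_rdata)
    if not time_within_fudge(tsig, now):
        return False, "time signed outside fudge window (possible replay)"
    return True, "ok"


# Constructed sample: an AXFR message signed at 2018-09-11 00:00:00 UTC with a
# 300 s fudge. SOA (6), A (1), SOA (6), then TSIG (250) as the last record.
SIGNED_AT = 1536624000
SAMPLE_RDATA = build_tsig_rdata("hmac-sha256.", SIGNED_AT, 300, b"\x00" * 32, 0x1234)
SAMPLE_RECORDS = [("example.com.", 6), ("www.example.com.", 1),
                  ("example.com.", 6), ("example.com.", TSIG_TYPE)]

if __name__ == "__main__":
    print(validate_axfr_tsig(SAMPLE_RECORDS, SAMPLE_RDATA, SIGNED_AT + 60))
    print(validate_axfr_tsig(SAMPLE_RECORDS, SAMPLE_RDATA, SIGNED_AT + 3600))
    print(validate_axfr_tsig(SAMPLE_RECORDS + [("example.com.", 6)], SAMPLE_RDATA, SIGNED_AT))
```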

      CVE-2016-7047

      A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access.

      CVE-2016-7068

      An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 3.7.4 and 4.0.4, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the PowerDNS server by sending crafted DNS queries, which might result in a partial denial of service if the system becomes overloaded. This issue is based on the fact that the PowerDNS server parses all records present in a query regardless of whether they are needed or even legitimate. A specially crafted query containing a large number of records can be used to take advantage of that behaviour.

      CVE-2016-7069

An issue has been found in dnsdist before 1.2.0 in the way EDNS0 OPT records are handled when parsing responses from a backend. When dnsdist is configured to add EDNS Client Subnet to a query, the response may contain an EDNS0 OPT record that has to be removed before forwarding the response to the initial client. On a 32-bit system, the pointer arithmetic used when parsing the received response to remove that record might trigger undefined behavior leading to a crash.

      CVE-2016-7070

      A privilege escalation flaw was found in the Ansible Tower. When Tower before 3.0.3 deploys a PostgreSQL database, it incorrectly configures the trust level of postgres user. An attacker could use this vulnerability to gain admin level access to the database.
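The misconfiguration described is visible in the database's pg_hba.conf: a row whose METHOD is `trust` admits any client matching that row without a credential. The Python below is an added example, not Ansible Tower code; the sample file is constructed, and the audit flags every `trust` row, marks the ones reachable over the network, and rewrites them to password authentication.

```python
"""Audit a pg_hba.conf for `trust` entries. Added example, not Ansible Tower code;
the sample file contents are constructed for the demo."""
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                trust
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    awx             postgres        0.0.0.0/0               trust
host    all             all             ::1/128                 md5
"""


def parse_pg_hba(text):
    """Yield (line_no, entry) for each non-comment line.

    `local` rows have no ADDRESS column, so METHOD is the 4th field there and
    the 5th field for `host`/`hostssl`/`hostnossl` rows.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        conn_type = parts[0]
        if conn_type == "local":
            database, user, address, method = parts[1], parts[2], None, parts[3]
        else:
            database, user, address, method = parts[1], parts[2], parts[3], parts[4]
        yield line_no, {"type": conn_type, "database": database, "user": user,
                        "address": address, "method": method}


def trust_entries(text):
    """Every row that lets a matching client in with no credential at all."""
    return [(n, e) for n, e in parse_pg_hba(text) if e["method"] == "trust"]


def is_remote_trust(entry):
    """True when a `trust` rule is reachable over the network (any non-loopback address)."""
    return entry["type"] != "local" and entry["address"] not in ("127.0.0.1/32", "::1/128")


def harden(text, replacement="scram-sha-256"):
    """Rewrite `trust` rules to password authentication; other lines are left verbatim."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if fields and not raw.lstrip().startswith("#") and fields[-1] == "trust":
            raw = raw[: raw.rfind("trust")] + replacement
        out.append(raw)
    return "\n".join(out) + "\n"
```

Even the local `trust` row is worth removing: any OS user on the host becomes the database superuser. `peer` for local sockets is bound to the OS account and is the usual replacement there; the remote row should be password-authenticated and scoped to the application's address range.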

      CVE-2016-0750

      The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.
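The fix for this class of bug is an allow-list on what the unmarshaller may instantiate; Java offers ObjectInputFilter for that. Because the examples on this page are in Python, the same principle is shown below with Python's pickle, which has the identical failure mode (a `__reduce__` callable runs on load). This is an added example, not Infinispan code; the gadget deliberately calls `os.getcwd`, a harmless stand-in for `os.system`, so the demo is safe to run.

```python
"""Allow-list deserialization in Python's pickle, the analogue of the Java
serialization problem described above. Added example, not Infinispan code;
the gadget is harmless by construction (it calls os.getcwd)."""
import io
import os
import pickle


class Gadget:
    """Any object whose __reduce__ returns a callable gets that callable invoked on load."""

    def __reduce__(self):
        return (os.getcwd, ())  # stand-in for os.system; real payloads run arbitrary code


def hostile_payload():
    """Bytes an attacker would deliver where the client expects a plain value."""
    return pickle.dumps(Gadget())


BENIGN = pickle.dumps({"ttl": 60, "tags": ["a"]})   # constructed legitimate message


class RestrictedUnpickler(pickle.Unpickler):
    """Only classes on the allow-list may be resolved; everything else is refused."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data):
    """What the vulnerable client does: deserialize whatever the peer sent."""
    return pickle.loads(data)


def is_accepted(data):
    """True if the restricted loader accepts the payload, False if it refuses."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False
```

`unsafe_loads(hostile_payload())` executes the gadget during deserialization and returns whatever it produced; `safe_loads` raises before any attacker-chosen callable is resolved. The allow-list approach works because resolution of module-level names is the single choke point both pickle and Java serialization pass through.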

      GDPR lands at British Airways: How did the hackers manage to get in?

      Data Breach GDPR

A few days after British Airways suffered the worst cyberattack in its history, the airline still hasn’t revealed any technical details about the breach, beyond the official apology and the required notifications to the authorities and to the more than 380,000 customers whose data was compromised while making purchases on BA’s website.

Names, email addresses and credit card details, including numbers, expiry dates and CVV security codes, were stolen. A few hints have allowed cybersecurity experts such as Professor Alan Woodward to form an idea of how the hackers were able to sneak into BA’s website and app between August 21 and September 5. The attack resembles the one recently suffered by Ticketmaster, where a customer service chatbot was identified as the likely cause of a breach that affected over 40,000 users in the UK. In fact, information that has emerged in the last few hours suggests that the perpetrators of that attack may also be behind the British Airways hack.

      Money has wings…

      Until a few months ago, companies would shrug their shoulders when faced with attacks of this type. The greatest concern during previous cyberattacks was the potential damage to reputations. But now, with the new General Data Protection Regulation and the fines that infringing it can lead to, there is a new threat for the coffers of companies that fall victim to security breaches like this, affecting both clients’ and investors’ pockets. And BA’s case has been no exception.

The most immediate consequence? Shares in IAG, the parent company of British Airways, fell around 3% on the Ibex and on the FTSE after the attack and its scope were revealed: a drop of 456 million euros in market value on Friday, after it emerged that hackers had stolen the payment details of 380,000 customers.

British Airways’ chairman and CEO, Álex Cruz, hasn’t explained how the data was stolen, though he has denied that the attackers managed to breach the company’s encryption. “There were other methods, very sophisticated methods, that criminals used to obtain that data,” he said in an interview with the BBC.

However, Professor Woodward, in his statements, said, “You can put the strongest lock you like on the front door, but if the builders have left a ladder up to a window, where do you think the burglars will go?” Hence the controversy.

      How to avoid the fines

While it cannot be stated with complete certainty that a script attack compromised British Airways’ security, it does seem the most likely cause. Other theories go as far as an insider manipulating the website with malicious intent. What is certain is that the airline is going through a rough patch as far as its IT systems are concerned.

      This incident has been a lesson, and has also underlined the need to invest in cybersecurity in order to demonstrate that enough is being done to safeguard sensitive data. Because the only way to avoid paying economic sanctions is to keep these security breaches from happening.

      It has recently been shown that the difficulty experienced by large companies when it comes to locating the unstructured data in their systems could be a question of volume. In fact, 65% of companies collect so much data that they’re unable to categorize or analyze it.  If we take into account the nature of British Airways, the largest European airline, we can get an idea of the sheer amount of personal data managed by their systems.

These days, there are advanced cybersecurity solutions specifically designed to support the whole IT team, with the aim of avoiding situations like the one BA has gone through. One such solution is Panda Data Control.

      What will happen with those clients who decide to request to have their data permanently deleted from one of these platforms? In this case, the companies must have a highly detailed inventory of where all their data is, a perfect chart of this information, and almost notarial control in order to be able to prove the complete deletion of the data from all systems. All of this is offered by Panda Data Control, to ensure that users can exercise their right to be forgotten with total transparency and be able to certify it.

      This data protection solution, which is integrated into Panda Adaptive Defense, allows you to discover, audit and monitor unstructured personal and sensitive data on your company’s endpoints: from data at rest, to data in use and data in motion.

      It identifies the files that contain personal data (PII) and records any kind of access to it, alerting in almost real time about leaks, use, and suspicious or unauthorized traffic.

It gives total visibility of the files, users, devices and servers that access this information, so you can supervise any action carried out on the personal data you store.

      Because the most important thing when it comes to mitigating the risks related to data is to be extremely careful with how personal information is dealt with, and it is vital to know where data is stored and to know who has access to it.

      The post GDPR lands at British Airways: How did the hackers manage to get in? appeared first on Panda Security Mediacenter.

      Top 10 Trending Keywords in .Com and .Net Registrations in August

      With more than 300 million domain names registered globally, there are numerous examples of trending keywords reflected by domain name registrations. We have shown in the past that there is a correlation between domain name registrations and newsworthy and popular events, as well as anticipated trends.

      Keeping in the spirit of the zeitgeist that .com and .net domain name registration trends can represent, Verisign publishes this monthly blog post series identifying the top 10 trending .com and .net keywords registered in English during the preceding month.

      August 2018 TRENDING KEYWORDS

      Here are the top 10 trending keywords registered in August 2018. Any surprises?

      .COM            .NET
  1.  fan             hotels
  2.  grid            hard
  3.  grad            apps
  4.  email           canna
  5.  shorting        bull
  6.  bets            pink
  7.  orthodontists   guy
  8.  fabric          pocket
  9.  goose           gifts
 10.  cryptocurrency  professional


      Click here to see other domain trends blog posts, and make sure you check back the second Tuesday of each month for the latest keyword registration trends in .com and .net. Better yet, subscribe to the Verisign blog to have the posts delivered directly to your inbox.


      Note: Each list was developed by examining keyword registration growth relative to the preceding month, such that those keywords with the highest percentage of registration growth are being reported on. This method is used to eliminate commonly registered keywords, such as “online” and “shop,” to provide a true look at monthly trends. In order to be included, a keyword must experience a minimum threshold in registration growth month over month. Qualifying keywords with the highest volume of registrations are then ranked and included in the list.
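The method in the note, as an added example in Python (not Verisign's code): keywords are filtered by month-over-month growth so that perennial favourites drop out, and the survivors are ranked by this month's volume. The counts and the 25 percent threshold are constructed for the demo; how keywords with no registrations in the prior month are handled is an assumption, since the note does not say.

```python
"""Month-over-month trending-keyword ranking as described in the note. Added
example, not Verisign's code; counts and the growth threshold are constructed."""


def trending_keywords(prev, curr, min_growth=0.25, top_n=10):
    """Keywords whose registration count grew by at least `min_growth` (as a
    fraction of last month's count), ranked by this month's volume.

    Keywords absent last month are skipped rather than treated as infinite
    growth (an assumption; the note does not say how new keywords are handled).
    """
    qualifying = []
    for keyword, count in curr.items():
        base = prev.get(keyword, 0)
        if base == 0:
            continue
        growth = (count - base) / base
        if growth >= min_growth:
            qualifying.append((keyword, count, growth))
    # Highest volume first; alphabetical tie-break keeps the ranking deterministic.
    qualifying.sort(key=lambda item: (-item[1], item[0]))
    return [keyword for keyword, _, _ in qualifying[:top_n]]


# Constructed registration counts for two consecutive months.
PREV = {"online": 90000, "shop": 80000, "fan": 1200, "grid": 800, "grad": 500, "goose": 10}
CURR = {"online": 91000, "shop": 82000, "fan": 2400, "grid": 1300, "grad": 900,
        "goose": 40, "canna": 700}
```

With these figures "online" and "shop" have by far the largest counts but barely moved, so they are excluded, while "goose" qualifies on a 300 percent jump and is then ranked last by volume.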

      The post Top 10 Trending Keywords in .Com and .Net Registrations in August appeared first on Verisign Blog.

      How Can Media Companies Be More Confident in Their Cybersecurity Strategy and Policy?

      While many industries have matured their cybersecurity strategy and policy as the digital landscape has evolved, others — such as media companies — remain unsure how to advance.

      With more consumers relying on the internet for their entertainment and information consumption, media enterprises are tasked with providing a flawless user experience and continuous content delivery. But the industry is prey to a growing number of predators. As a result, a recent Akamai study titled “The State of Media Security” found that only 1 percent of media companies are “very confident” with their cybersecurity efforts.

      What Challenges Do Media Companies Face?

      The threat of a distributed denial-of-service (DDoS) attack, which could slow services or result in downtime, is only one of the many security challenges media companies face. Also of concern is the potential for malicious actors to steal content or breach systems and access customer networks.

      “It’s not surprising that media companies aren’t confident about their security levels,” said Elad Shapira, head of research at Panorays. “They are an ongoing target, whether by political activists or nation states … Then there are those hackers just trying to leverage their skills to make money from the content they steal.”

      SQL injections, Domain Name System (DNS) attacks, content pirating and DDoS attacks are among the greatest threats to the media industry. The dynamic nature of the digital ecosystem, where digital partners can change by the day, enables bad actors to optimize the reach of their malicious campaigns.

      “Media organizations in particular should be afraid of their heavily trafficked digital assets, which not only serve as touch points to prospects and customers, but also provide entry points to bad actors,” said Chris Olson, CEO of The Media Trust. “These miscreants often target third-party code providers and digital advertising partners, who tend to have weaker security measures in place.”

      In the past, security discussions at media companies focused largely on piracy, said Shane Keats, director of global industry strategy, media and entertainment at Akamai. It’s now incumbent upon media companies to recognize that security has extended far beyond digital rights management.

      Why Do Cybercriminals Target Media Companies?

      Cybercriminals rarely discriminate when it comes to their targets — which means that in the eyes of a criminal, media companies look an awful lot like retailers and banks.

      “With the rise of subscription-based monetization, media companies are now increasingly capturing personally identifiable information (PII) and payment card information (PCI) that [looks] no different from the PII and PCI captured by an e-commerce company,” said Keats. “Successfully stealing a streaming video on demand (SVOD) customer database with a million customer records yields the same ROI as one stolen from an online retailer.”

Whether protecting against credential stuffing by malicious bots or against careless contractors in the vendor landscape, media companies need to practise good security hygiene and be wary of the security practices of partners who have access to their networks. As has been the case in so many major breaches, all an attacker has to do is compromise one of those partners to get behind the firewall and steal content, customer data and executive communications.

How Can Media Companies Improve Cybersecurity Strategy and Policy?

In addition to engaging a reputable cloud security firm to help investigate the attack surfaces exposing their businesses, media companies also need to ensure that they have solutions to protect each of those points.

      “Find a firm that has enough scale to be able to see a ton of threats, both traditional and emerging, and ask the firm to help you understand how to best secure your apps and architecture beyond buzzwords,” Keats advised. “When you do this information session, get your different stakeholders in the room so that you can look at your security posture as a team. This is not the time for turf wars.”

      By taking the following steps, media companies can enhance their security strategy and feel more confident that they are protected against current and emerging threats:

      • Discover and prioritize impacts of assets. Not all assets are created equal. An online release of a video prior to its debut screening may create reputational and financial damage to a company, but the credit card details of subscribers are under regulatory control. Each company needs to consider its assets and how they impact the business.

      • Collaborate with direct and indirect third parties. Websites have an average of 140 third parties who execute anywhere from 50 to 95 percent of their code. Most website owners only know, at most, half of the third parties with whom they do business.

      • Vet third parties. Media companies should ask their third and downstream parties the hard questions about security and follow up with frequent audits of security measures. Companies should enforce their digital policies through service-level agreements (SLAs) and contract clauses.

      • Place safety measures around these assets. Safety measures should span various levels, including networks and IT to prevent a DDoS attack, as well as on applications to avoid account breaches. Consider the human element to prevent disgruntled employees from exposing sensitive and proprietary data. Media companies should continuously scan assets in real time to identify and terminate any threats.

      • Create an incident response plan. This is not just a technological approach, but a step that must involve various teams and processes. In case of an attack against the company, there should be an advanced, detailed and well-rehearsed plan to respond.

      A data breach poses a significant financial and reputational risk to media companies. To avoid becoming the next headline, businesses need to thoroughly understand not only their own risks, but also the risks that their suppliers pose.

      Once media companies understand those risks, they can take measures to continuously protect against emerging threats. Collaboration throughout the organization, as well as with extended partners, will help to enforce strong digital policies and remediate unauthorized activities within the digital ecosystem.

      The post How Can Media Companies Be More Confident in Their Cybersecurity Strategy and Policy? appeared first on Security Intelligence.

      IRS Call Scammers Sentenced in Texas

      Back in 2016 we blogged about a major set of arrests in India and the United States related to a call center scam imitating the IRS.  (See "Major Call Center Scam Revealed - 56 Indicted")

      This post is to just share an update on that case.  There have been so many arrests made and yet the fraud continues every day!  I received two IRS calls myself in the past week!

      To begin, the IRS is NEVER going to call you and threaten arrest.  If you receive such a call, the investigative agency for IRS scams is TIGTA, the Treasury Inspector General for Tax Administration. You can call their scam hotline to report at 1.800.366.4484, or share details online at the IRS Impersonation Scam Reporting form.  All of the arrests below started because someone reported their scammers.  Although the form seems to be focused on people who actually lost money, even non-loss reports can be helpful.

The biggest round of arrests came on October 27, 2016, which was the focus of that "Major Call Center Scam" blog post.  The DOJ press release was titled "Dozens of Individuals Indicted in Multimillion-Dollar Indian Call Center Scam Targeting U.S. Victims".
      Over the next several months, many of the criminals pled guilty.  All but two were from India, although several were now American citizens.  Each has now been sentenced for their crimes in a mass sentencing before Judge Hittner in Houston, Texas.  Below, we show their guilty plea date, where they were living and/or conducting their crime, and what the DOJ/TIGTA press release said about their guilty plea.  We feel that the sentences were fair, ranging from just over four years to 188 months (15 1/2 years).  

      Just wanted to share that EVENTUALLY, Justice is served.

      However, PLEASE KEEP REPORTING!  There certainly are more IRS-imitating criminals who need to go to prison!

      Bharatkumar Patel (April 13, 2017) - a resident of Midlothian, Illinois - sentenced to 50 months in prison and removal to India. 


      According to his plea, beginning in or about July 2013, Patel worked as a member of a crew of runners operating in the Chicago area and elsewhere throughout the country. Patel admitted to purchasing reloadable cards or retrieving wire transfers and using the misappropriated personal identifying information of U.S. citizens. Patel also admitted to opening personal bank accounts in order to receive scam proceeds and payments from defrauded victims as well as creating limited liability companies in his name to further the conspiracy. According to his plea, Patel opened one bank account that received more than $1.5 million in deposits over a one-year period and another bank account that received more than $450,000 in deposits over a five-month period.

      Ashvinbhai Chaudhari (April 26, 2017) - a resident of Austin, Texas. - sentenced to 87 months in prison.


      According to his plea, since in or about April 2014, Chaudhari worked as a member of a crew of runners operating in Illinois, Georgia, Nevada, Texas and elsewhere throughout the country. At the direction of both U.S. and India-based co-conspirators, often via electronic WhatsApp text communications, Chaudhari admitted to driving around the country with other runners to purchase reloadable cards registered with misappropriated personal identifying information of U.S. citizens. Once victim scam proceeds were loaded onto those cards, Chaudhari admitted that he liquidated the proceeds on the cards and transferred the funds into money orders for deposit into various bank accounts while keeping a percentage of the victim funds for himself. Chaudhari also admitted to shipping money orders purchased with victim funds to other U.S. based co-conspirators, receiving fake identification documents from an India-based co-conspirator and using those documents to receive victim scam payments via wire transfers.


      Harsh Patel (May 11, 2017) - a resident of Piscataway, New Jersey. - sentenced to 82 months in prison and deportation after his sentence.


      According to his plea, since around January 2015, Patel worked as a runner operating primarily in New Jersey, California and Illinois. At the direction of India-based co-conspirators, often via electronic WhatsApp text communications, Patel admitted to purchasing reloadable cards registered with misappropriated personal identifying information of U.S. citizens. Once victim scam proceeds were loaded onto those cards, Patel admitted that he liquidated the proceeds on the cards and transferred the funds into money orders for deposit into various bank accounts while keeping a percentage of the victim funds for himself. Patel also admitted to receiving fake identification documents from an India-based co-conspirator and other sources and using those documents to receive victim scam payments via wire transfers.


      Nilam Parikh (May 18, 2017) - a resident of Pelham, Alabama - sentenced to 48 months in prison 


      Since around December 2013, Parikh worked as a runner operating in Alabama.  In connection with her plea, Parikh admitted that, at the direction of an India-based co-conspirator, often via electronic WhatsApp text communications, Parikh purchased reloadable cards registered with misappropriated personal identifying information of U.S. citizens.  Once victim scam proceeds were loaded onto those cards, Parikh admitted that she liquidated the proceeds on the cards and transferred the funds into money orders for deposit into various bank accounts, while keeping part of the victim funds for herself as payment.  Parikh also admitted to sending and receiving scam proceeds to and from her co-conspirators via Federal Express.


Information on the next five all came from the same DOJ press release: "Five More Defendants Plead Guilty for their Roles in Multimillion Dollar India-Based Call Center Scam Targeting U.S. Victims".


      Dilipkumar A. Patel (May 26, 2017) - a resident of Corona, California - sentenced to 108 months in prison and removal to India. 


      Based on the admissions made in his May 26 guilty plea, since late 2013, Dilipkumar A. Patel operated as a runner in and around Southern California, along with other co-defendants based in the region. At the direction of India-based co-conspirators, often via electronic WhatsApp communications, Patel admitted to participating in the purchase of reloadable cards registered with the PII of U.S. citizens, and the subsequent liquidation of victim scam funds loaded to those cards by co-conspirators, while keeping a percentage of the victim funds on the cards for himself. 


      Fahad Ali (May 26, 2017) - a resident of Dyer, Indiana (from Pakistan) - sentenced to 108 months in prison 


      According to his guilty plea, also on May 26, beginning in or around 2013, Fahad Ali worked as a member of a crew of runners operating in the Chicago, Illinois area, the Southern District of Texas and elsewhere throughout the country. Ali admitted that he first served as a driver for an Illinois-based co-defendant engaging in activities in furtherance of the conspiracy. Ali later operated at the direction of that co-defendant and others, via various means of communication, including text messages, to purchase reloadable cards, and then liquidate victim scam proceeds placed on those cards by India-based co-conspirators, in exchange for recurring payments. Ali also admitted to using false identification documents to receive wire transfers from victims of the fraud.


      Hardik Patel (June 2, 2017) - a resident of Arlington Heights, Illinois - sentenced to 188 months in prison and removal to India upon completion of the sentence.

      Based on the statements in his June 2 guilty plea, beginning in August 2012, Hardik Patel owned and managed the day-to-day operations of an India-based scam call center before later leaving for the U.S. While in India, in his capacity as a manager, Hardik Patel communicated extensively via email, text, and other means with various India-based co-defendants to operate the scheme and exchange scripts used in the scheme, coordinate the processing of payments from scammed victims, obtain and exchange lead lists used by callers to target U.S. victims, and exchange spreadsheets containing the personal identifying information (PII) of U.S. persons misappropriated by the scammers to register reloadable cards used in the scheme. Hardik Patel also managed worker payroll and kept detailed records of profits and expenses for various associated scam call centers. Hardik Patel continued to communicate with India-based co-defendants about the scheme and assist with the conspiracy after he moved to the U.S. 



      Rajubhai Patel (June 2, 2017) - a resident of Willowbrook, Illinois - sentenced to 151 months in prison 


      According to his June 6 guilty plea, Rajubhai Patel operated as a runner and assisted a co-defendant in managing the activities of a crew of other runners, based primarily out of Illinois, who liquidated victim funds in various locales in the U.S. for conspirators from India-based call centers. Rajubhai Patel communicated about the liquidation of scam funds via electronic WhatsApp communications with domestic and India-based co-defendants, purchased reloadable cards registered using the misappropriated PII of U.S. citizens that were later used to receive victims’ funds, and used those cards to purchase money orders and deposit them into various bank accounts of co-defendants and others as directed. Rajubhai Patel also admitted to creating and maintaining spreadsheets that detailed deposits, payments to co-conspirators, expenses and profits from the scheme.


      Viraj Patel (June 2, 2017) - a resident of Anaheim, California - sentenced to 165 months in prison and removal to India.


      According to admissions made in his June 2 guilty plea, Viraj Patel first became involved in the conspiracy between April and September 2013, prior to entering the U.S., when he worked at and assisted with overseeing the operations of a call center in India engaging in scam activity at the behest of a co-defendant. After entering the U.S., beginning in December 2014 Viraj Patel engaged in additional activities in support of the scheme in exchange for a cut of the profits, including serving as a processor of scam victim payments and as a runner engaging in the purchase and liquidation of cards loaded with victim scam funds. Viraj Patel communicated with various India-and U.S.-based co-defendants in furtherance of the conspiracy, and also obtained and circulated lead lists to his co-conspirators containing the PII of U.S. citizens for use by the call centers in targeting victims of the various fraud schemes and to register reloadable cards used to launder the proceeds of the schemes.  


      Bhavesh Patel (July 7, 2017) - a resident of Gilbert, Arizona and Alabama - sentenced to 121 months in prison.


      According to Bhavesh Patel’s guilty plea, beginning in or around January 2014, Bhavesh Patel managed the activities of a crew of runners, directing them to liquidate victim scam funds in areas in and around south and central Arizona per the instructions of conspirators from India-based call centers. Patel communicated via telephone about the liquidation of scam funds with both domestic and India-based co-defendants, and he and his crew used reloadable cards containing funds derived from victims by scam callers to purchase money orders and deposit them into various bank accounts as directed, in return for percentage-based commissions from his India-based co-defendants. Patel also admitted to receiving and using fake identification documents, including phony driver’s licenses, to retrieve victim scam payments in the form of wire transfers, and providing those fake documents to persons he managed for the same purpose.


      Asmitaben Patel (July 7, 2017) - a resident of Willowbrook, Illinois - (previously sentenced to 24 months) 


      Based on admissions in Asmitaben Patel’s guilty plea, beginning in or around July 2013, Asmitaben Patel served as a runner liquidating victim scam funds as part of a group of conspirators operating in and around the Chicago area. At the direction of a co-defendant, Patel used stored value cards that had been loaded with victim funds to buy money orders and deposit them into various bank accounts, including the account of a lead generating business in order to pay the company for leads it provided to co-conspirators that were ultimately used to facilitate the scam.


      The next seven criminals guilty pleas were announced by the Department of Justice on November 13, 2017 in their press release:  "Last Defendant in the United States Pleads Guilty in Multimillion Dollar India-Based Call Center Scam Targeting U.S. Victims"


      Miteshkumar Patel (November 13, 2017) - a resident of Willowbrook, Illinois - sentenced to 240 months.


      Based on admissions in Miteshkumar Patel’s plea, beginning in or around 2013, Miteshkumar Patel managed a crew of a half dozen domestic runners involved in the criminal scheme, liquidating as much as approximately $25 million in victim funds for conspirators from India-based call center and organizational co-defendant HGLOBAL.  Patel communicated about the fraudulent scheme with various domestic and India-based co-defendants via email, text messaging and WhatsApp messaging.  Miteshkumar Patel and his runners purchased reloadable GPR cards that were registered using the misappropriated personal identifying information (PII) of unsuspecting victims that were later used to receive victims’ funds, and used those reloadable cards containing victims’ funds to purchase money orders and then deposit those money orders into bank accounts, as directed, while keeping a portion of the scam proceeds as profit.  Miteshkumar Patel also trained the runners he managed on how to conduct the liquidation scheme, provided them with vehicles to conduct their activities in Illinois and throughout the country, and directed a co-defendant to open bank accounts and limited liability companies for use in the conspiracy.  Miteshkumar Patel further admitted to using a gas station he owned in Racine, Wisconsin to liquidate victim funds, and possessing and using equipment at his Illinois apartment to make fraudulent identification documents used by co-defendant runners in his crew to receive wire transfers directly from scam victims and make bank deposits in furtherance of the conspiracy.


      Raman Patel (age 82) (November 13, 2017) - a resident of Gilbert, Arizona - (previously sentenced in Phoenix, Arizona to probation, in consideration of his age and his cooperation.)

      According to admissions in Raman Patel’s guilty plea, from in or around 2014, Patel served as a domestic runner in and around south-central Arizona, liquidating victim scam funds per the instructions of a co-defendant.  Patel also served as a driver for two co-defendants in furtherance of their GPR liquidation and related activities and sent bank deposit receipts related to the processing of victim payments and fraud proceeds to an India-based co-defendant via email and document scan services offered at various retail stores.

      Sunny Joshi of Sugar Land, Texas - sentenced to 151 months in prison for money laundering conspiracy, and 120 months in prison for naturalization fraud.

      Rajesh Bhatt of Sugar Land, Texas - sentenced to 145 months in prison and removal to India.


      Based on admissions in Joshi and Bhatt’s guilty pleas, beginning in or around 2012, Joshi and Bhatt worked together as runners in the Houston, Texas area along with a co-defendant.  They admitted to extensively communicating via email and text with, and operating at the direction of, India-based conspirators from organizational co-defendant CALL MANTRA call center to liquidate up to approximately $9.5 million in victim funds, including by purchasing GPR cards and using those cards, funded by co-conspirators with scam victim funds, to purchase money orders and deposit them in third party bank accounts, while keeping a percentage of the scam proceeds for themselves as profit.  Joshi has also agreed to plead guilty to one count of naturalization fraud pursuant to a federal indictment obtained against him in the Eastern District of Louisiana, based on fraudulently obtaining his U.S. citizenship.


      Jagdishkumar Chaudhari of Montgomery, Alabama - sentenced to 108 months in prison and removal to India.


      Jagdishkumar Chaudhari admitted in his plea that between April 2014 and June 2015, he worked as a member of a crew of runners operating in the Chicago area and elsewhere throughout the country, at the direction of Miteshkumar Patel and others.  In exchange for monthly cash payments, Jagdishkumar Chaudhari admitted to driving to hundreds of retail stores to purchase GPR cards to be loaded with victim funds by co-conspirators in India, purchasing money orders with GPR cards that had been funded with victim proceeds, depositing money orders purchased using victim scam proceeds at various banks, and retrieving wire transfers sent by victims of the scheme.  Jagdishkumar Chaudhari is an Indian national with no legal status in the United States, and has agreed to deportation after he serves his sentence as a condition of his guilty plea.


      Praful Patel of Fort Myers, Florida - sentenced to 60 months in prison 


      In his plea, Praful Patel admitted that between in or around June 2013 and December 2015, he was a domestic runner who liquidated funds in and around Fort Myers, Florida for conspirators from India-based call center and organizational co-defendant HGLOBAL.  Praful Patel communicated extensively via WhatsApp texts with his conspirators.  For a percentage commission on transactions he conducted, Praful Patel admitted to purchasing reloadable GPR cards that were registered using the misappropriated PII of unsuspecting victims that were later used to receive victims’ funds, using those reloadable GPR cards containing victims’ funds to purchase money orders and depositing those money orders into bank accounts as directed, and using fake identity documents to receive wire transfers from victims.


      Jerry Norris of Oakland, California - sentenced to 60 months in prison 


      According to Norris’ guilty plea, beginning in or around January 2013 continuing through December 2014, he was a runner who worked with conspirators associated with India-based call center and organizational co-defendant HGLOBAL, and was responsible for the liquidation of victim scam funds in and around California.  Norris admitted he communicated extensively via WhatsApp and email with India-based co-defendants including Sagar “Shaggy” Thakar, purchased GPR cards used in the scheme, sent lead lists to conspirators in India that were then used by callers located in the call centers to target potential victims in the telefraud scheme, received scam proceeds via wire transfers using fictitious names, and laundered scam proceeds from GPR cards via ATM withdrawals.


      Others sentenced whose guilty pleas were not mentioned above include: 


      Montu Barot - 60 months in prison and removal to India after sentence

      Rajesh Kumar - 60 months in prison 


      Nilesh Pandya - sentenced to three years probation 


      Dilipkumar R. Patel of Florida - sentenced to 52 months in prison 


      Nisarg Patel of New Jersey - sentenced to 48 months in prison and removal to India.


      Dipakkumar Patel, of Illinois, was sentenced to 51 months by Judge Eleanor Ross in Atlanta, Georgia.



      The 3 Most Powerful Types of Threat Information Sharing – and How to Stay Compliant

      By: Paul Kraus, CEO, Eastwind Networks

      When it comes to IT security, the unknowns pose the greatest threat. Luckily, many types of threats are very much on the cybersecurity radar. Institutions and organizations that pay attention and take advantage of available threat information sharing are more likely to keep their networks secure from attackers. Unfortunately, threat sharing isn’t yet common practice, and much of the available information is incomplete or inaccurate. To discover potential threats, IT security teams need to dig deeper.

      Threat information sharing – the sharing of threat intelligence – is an increasingly important method of thwarting attackers’ plans. But for many, compliance issues can seem like roadblocks to effective collaboration both pre- and post-intrusion. Openly communicating with others in information-sensitive industries presents legal obstacles, but navigating this landscape is increasingly worth the effort as the threat environment grows more complex.

      The Power of Shared Information

      Getting hacked can feel like failure, and sharing that information is an admission not high on anyone’s to-do list. But as the black hats are increasingly sharing information about hacks, vulnerabilities and zero-day threats among themselves, it only makes sense that the defenders need to share as well. Unfortunately, the paperwork and customer notification that follow a breach turn most financial institutions off from being open about any information security event. Then there are the PR troubles and the lawyers’ fees for potential lawsuits on top.

      While the negatives of sharing information about a breach may seem overwhelming, many industries do themselves no favors by holding to the old habit of silence. Once network security and breach detection are in place, the best way to counter attackers is to learn from each other’s experience. In the world of IT security, shared beats scared every time. Here are three ways to engage with threat information sharing that will pay off for security and compliance.

      Closed Communities

      Many chatrooms and other discussion boards can provide advice and feedback for security issues, but for those who have been breached a deeper layer of support is now available. A number of closed communities have developed for mutual support in dealing with the fallout of being hacked. Tightly controlled and monitored because of the legal repercussions of sharing such delicate information, these could be likened to 12-step support groups for hacking victims. Examples include the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the National Cyber-Forensics and Training Alliance (NCFTA). Corporate counsel has the final say in what is disclosed, but these groups can offer helpful advice and strategies for moving through the disclosure and compliance process.

      The Threat Information Market

      Every intrusion leaves a trace. Indicators of compromise (IoCs) such as IP addresses linked to malware, domain names associated with botnets and other out-of-the-ordinary network activity are evidence that an attack is under way or has already happened. While every network should have active breach detection in place, buying threat intel helps identify network traffic that falls outside the normal range.

      A lot of free information can be gleaned from the Internet, but the companies that monitor threats and compile salable intel are often a step ahead of any unpaid source. File and IP reputation services are good resources, as is the updated list of threats maintained by the FBI.
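      The practical use of an IoC feed is to run it against what your own network actually did. The following is an added example, not code from the article or from any vendor, showing the matching step over a handful of constructed proxy/DNS/connect log lines. The feed contents, the log format (timestamp, client, record type, value) and the hostnames are all made up for illustration; the one detail worth copying is the label-boundary check, which stops an indicator like bad-botnet.example from matching the unrelated notbad-botnet.example.

```javascript
'use strict';

// Constructed IoC feed: the shape a paid or free threat-intel source might hand you.
const IOC_FEED = {
  ips: ['203.0.113.45', '198.51.100.7'],                // TEST-NET addresses, constructed
  domains: ['bad-botnet.example', 'dropper.example.net'], // constructed domains
};

// Constructed log lines: "<timestamp> <client> <type> <value>".
// "proxy" and "dns" records carry a hostname, "connect" records carry a destination IP.
const SAMPLE_LOG = [
  '2018-09-11T08:01:02Z 10.0.0.12 proxy www.example.org',
  '2018-09-11T08:01:05Z 10.0.0.12 dns cdn.bad-botnet.example.', // subdomain of an IoC, trailing dot
  '2018-09-11T08:02:17Z 10.0.0.31 proxy notbad-botnet.example', // similar name, must NOT match
  '2018-09-11T08:03:44Z 10.0.0.31 connect 203.0.113.45',
  '2018-09-11T08:04:00Z 10.0.0.44 connect 203.0.113.450',       // not in the feed
];

// Normalise a hostname the way DNS logs tend to need: lower-case, no trailing dot.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, '');
}

// Return the IoC domain that `host` equals or is a subdomain of, else null.
// The "." + domain suffix test enforces a label boundary.
function matchesDomain(host, iocDomains) {
  const h = normalizeHost(host);
  return iocDomains.find(d => h === d || h.endsWith('.' + d)) || null;
}

// Parse one log line into a record, or null if it is malformed.
function parseLine(line) {
  const [ts, client, type, value] = line.trim().split(/\s+/);
  if (!ts || !client || !type || !value) return null;
  return { ts, client, type, value };
}

// Scan log lines against the feed; one hit object per matching line, in log order.
function scanLog(lines, feed) {
  const ipSet = new Set(feed.ips);
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    if (rec.type === 'connect') {
      if (ipSet.has(rec.value)) hits.push({ ...rec, kind: 'ip', indicator: rec.value });
    } else {
      const d = matchesDomain(rec.value, feed.domains);
      if (d) hits.push({ ...rec, kind: 'domain', indicator: d });
    }
  }
  return hits;
}

for (const h of scanLog(SAMPLE_LOG, IOC_FEED)) {
  console.log(`${h.ts} ${h.client} -> ${h.kind} IoC ${h.indicator} (saw ${h.value})`);
}
```

Run with node; the two hits printed are the DNS query for a subdomain of bad-botnet.example and the connection to 203.0.113.45. In a real deployment the feed would be refreshed on a schedule and the matching pushed into the SIEM or proxy rather than a script, but the normalisation and boundary rules are the same.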

      The Power of Shared Experience

      Many companies are finding that sharing experiences is a powerful tool against attackers. Whether a company has been breached or not, it can be helpful to engage with others doing the same job. Reading about threats is important, but hearing someone’s first-hand account of how they first noticed symptoms and then investigated, only to find someone lurking in their system, brings home the risks and solutions more powerfully than anything else.

      Like the closed communities above, these resources can present challenges from a legal aspect, but the benefits often outweigh the risks. Many companies find it worthwhile to navigate the hassle, liability and compliance issues to successfully build community and, in the end, create smarter defenses. If hindsight is 20/20, victims of hacks need only ask themselves how much they would have given to have been warned ahead of time about the risk that turned into their reality.

      The Information Age

      People generally think of the information age being all about data. For those who manage public and private networks, it also needs to be about breaking down silos and sharing information through effective relationships and community. Whether through closed, subscription-based groups or a wider threat intel sharing channel, IT security personnel need more contact than a yearly conference can provide. The integrity of their network may depend on it. After the initial damage of a breach is addressed, the power to mobilize stronger cybersecurity defenses lies in the ability to share threat information.

      The post The 3 Most Powerful Types of Threat Information Sharing – and How to Stay Compliant appeared first on IT SECURITY GURU.

      City of Stockholm Selects MobileIron Threat Defense to Detect and Mitigate Mobile Threats

      MobileIron, the secure foundation for modern work, today announced that City of Stockholm has selected MobileIron Threat Defense to detect and mitigate mobile threats. MobileIron Threat Defense will be deployed on 30,000 mobile devices used by the employees of the City of Stockholm.

      MobileIron Threat Defense provides unparalleled mobile threat protection, securing mobile devices from device, network, and app threats. Organizations can protect sensitive data by detecting and remediating known and zero-day threats on mobile devices with no need for the users to take any action to activate or deploy the app.

      “City of Stockholm employees rely on their mobile devices to increase their work efficiency,” said Constantinos Amiridis, solution architect, City of Stockholm. “With MobileIron Threat Defense, we can give our employees the peace of mind to safely use their devices without any data being compromised.”

      “City of Stockholm has always been at the forefront of technology, deploying innovative solutions that help its many departments perform with agility and efficiency,” said Simon Biddiscombe, CEO, MobileIron. “Today, through its selection of MobileIron Threat Defense, City of Stockholm has yet again shown its commitment to working with best-in-class technology to keep its workforce secure and productive.”

      The post City of Stockholm Selects MobileIron Threat Defense to Detect and Mitigate Mobile Threats appeared first on IT SECURITY GURU.

      RiskIQ implicates Magecart in breach of British Airways

      RiskIQ, the global leader in digital risk management, today revealed that its researchers traced the breach of 380,000 sets of payment information belonging to customers of British Airways to Magecart, the credit-card skimming group made infamous for its July breach of Ticketmaster.

      Because the attack was reported by British Airways to be web-based and targeting credit card data, RiskIQ researchers strongly suspected Magecart was behind it. Leveraging the company’s global web-crawling network, which maintains a map of the internet and enables security practitioners to analyse web pages and their components as they appear through time, they confirmed that assumption.

      The attack was similar to the one leveled against Ticketmaster with one key difference: instead of compromising commonly used third-party functionality to gain access to hundreds of sites at once, Magecart operatives compromised the British Airways site directly and planned their attack around the site’s unique structure and functionality. RiskIQ’s data shows that scripts supporting the functionality of the payment forms on the British Airways’ website were copied and modified to deliver payment information to an attacker-controlled server while maintaining their intended functionality to avoid detection.

      The attackers were also aware of the way the British Airways mobile app was constructed, leveraging the fact that it used much of the same functionality as the web-app and could, therefore, victimise users in the same way.  

      “This attack is a highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer,” said Yonathan Klijnsma, head researcher at RiskIQ. “This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.”

      The researchers also found evidence that Magecart operatives may have breached the British Airways site several days before the skimming began. RiskIQ web-crawling data shows that a certificate used on the attacker’s command and control server was issued on August 15, nearly a week before the reported start date of the attack on August 21.

      RiskIQ, which detects internet-scale threats, is alerted to new Magecart breaches hourly, a clear indication that the group is extremely active and a very real threat to all organisations offering online payment facilities. For a full analysis of this campaign, including a list of compromised components and IOCs, visit the report here: https://www.riskiq.com/blog/labs/magecart-british-airways-breach/

      The post RiskIQ implicates Magecart in breach of British Airways appeared first on IT SECURITY GURU.

      Cyber Security City Ranking reveals the cities best placed to attract cyber talent

      Cyber security training facility Crucial Academy has released the 2018 Cyber Security City Ranking, revealing the best cities for cyber security professionals, with Reading, Leeds and Cardiff topping the table.

      Analysing four factors, including salary, affordability, job availability and tech sector growth potential, the ranking sought to uncover which cities may be most attractive to those already working in or considering cyber security as a career path.

      Reading in Berkshire, home to a wide variety of major international tech companies, topped the ranking, performing particularly well for job availability and salary. Leeds closely followed, gaining big points for the potential growth of its tech sector, whilst Cardiff ranked in third place, scoring top points for affordability.

      With the predicted future shortfall of cyber security professionals, Crucial was keen to research the factors which may render some cities more attractive to this much needed specialist talent. A 2016 skills gap analysis from ISACA estimated a global shortage of 2 million cybersecurity professionals by 2019, according to the UK House of Lords Digital Skills Committee.

      Tom Marcus, former MI5 spy and best-selling author of Soldier Spy, and who partners with Crucial Academy, said: “Cyber security is one of the most serious issues UK business faces today. For young people leaving education, ex-military people looking to transition to civilian life or those looking for a career change, there is no career more Brexit-proof than cyber security.”

      The top 10 cities can be seen below:

      Rank  City        Salary score  Affordability score  Job availability score  Tech growth potential score  Total score
      1     Reading     8.3           7.3                  10                      8.1                          33.7
      2     Leeds       7.7           7.9                  7.5                     9.7                          32.8
      3     Cardiff     9.3           10                   4.2                     8                            31.5
      4     Edinburgh   8.5           8.2                  4.7                     9.7                          31.1
      5     Manchester  7.8           7.5                  6.6                     8.9                          30.8
      6     London      10            5.9                  5.2                     8.2                          29.3
      7     Glasgow     8.1           8.4                  4.2                     8.5                          29.2
      8     Newcastle   8.4           9.2                  3.2                     8                            28.8
      9     Brighton    7.8           6.5                  4.7                     9.7                          28.7
      10    Bristol     7.5           6.7                  4.6                     9.3                          28.1

      Neil Williams, CEO of Crucial Academy, added: “The cyber security skills gap is a growing issue across the UK. Every city in the ranking is a tech hub within its own right, however, it is fascinating to see which cities, based on these factors, may be more attractive to the much-needed talent pool of cyber security professionals.”

      Other findings from the top 10 included:

      Best cities for salaries: London followed closely by Cardiff and Edinburgh.

      Best cities for affordability: Cardiff closely followed by Newcastle and Glasgow.

      Best cities for job availability: Reading followed by Leeds and Manchester.

      Best cities for tech sector growth potential: Leeds, Edinburgh and Brighton all placed highest with the same score.

      Crucial Academy is run by a team of former Royal Marines Commandos and provides free cyber security training, accredited qualifications and careers for ex-servicemen and women looking for a path back to Civvy Street.

      For further information please visit https://academy.crucialgroup.co.uk.

      The post Cyber Security City Ranking reveals the cities best placed to attract cyber talent appeared first on IT SECURITY GURU.

      Exploit vendor Zerodium releases zero-day for old version of Tor

      Exploit vendor Zerodium, which made headlines in September last year by offering a million-dollar bounty for any zero-day exploits in the Tor browser running on Tails Linux or Windows, has itself released a zero-day exploit for the browser.

      View full story

      ORIGINAL SOURCE: IT Wire

      The post Exploit vendor Zerodium releases zero-day for old version of Tor appeared first on IT SECURITY GURU.

      ‘Web hackers held my data hostage,’ says Wiltshire police commissioner

      The revelation came as Wiltshire Police plans to this week shine a light on its digital investigations team. Angus Macpherson, who has acted as police and crime commissioner for Swindon and Wiltshire since 2012, said: “I was actually subject to a ransomware attack on my personal computer two years ago. The criminals demanded money and effectively held some of my personal data and photographs hostage.”

      View full story

      ORIGINAL SOURCE: Swindon Advertiser

      The post ‘Web hackers held my data hostage,’ says Wiltshire police commissioner appeared first on IT SECURITY GURU.

      A group of researchers showed how a Tesla Model S can be hacked and stolen in seconds using only $600 worth of equipment

      A savvy car thief could drive off with a Tesla Model S by using just a few, relatively inexpensive pieces of computing hardware and some radios — at least, the thief could have until recently, when Tesla fixed an overlooked vulnerability in its cars’ security systems.

      View full story

      ORIGINAL SOURCE: Business Insider

      The post A group of researchers showed how a Tesla Model S can be hacked and stolen in seconds using only $600 worth of equipment appeared first on IT SECURITY GURU.

      Making an Impact with Security Awareness Training: Continuous Contextual Content

      Posted under: Research and Analysis

      As we discussed in the first post of our Making an Impact with Security Awareness Training series, organizations need to architect training programs around a clear definition of success, both to determine the most appropriate content to deliver and to manage management’s expectations. The definition of success for any security initiative is measurable risk reduction, and that applies just as much to security awareness training.

      We also covered the limitations of existing training approaches – including weak generic content, and a lack of instrumentation and integration with which to determine the extent of risk reduction. To overcome these limitations we introduced the concept of Continuous, Contextual Content (3C) as the cornerstone of a training program that can actually deliver that risk reduction.

      We described 3C as:

      “It’s giving employees the necessary training, understanding they won’t retain everything. Not the first time anyway. Learning requires repetition, but why repeat training to someone that already gets it? That’s a waste of time. Thus to follow up and focus on retention, you want to deliver appropriate content to the employee when they need it. That means refreshing the employee about phishing, not at a random time, but after they’ve clicked on a phishing message.”

      Now we can dig in to understand how to move your training program toward 3C.

      Start with Users

      Any focus on risk reduction requires first identifying employees who present the most risk to the organization. Don’t overcomplicate your categorization process, or you won’t be able to keep it current. We suggest 4-6 groups categorized by their access to critical information.

      1. Senior Management: These individuals have the proverbial keys to the kingdom, so they tend to be targeted by whaling and other adversary campaigns. They also tend to resist extensive training given their other responsibilities. That said, if you cannot get senior management to lead by example and receive extensive training, you have a low likelihood of success with the program overall.
      2. Finance: This team has almost the same risk profile as senior management. They access financial reporting systems and the flow of money. Stealing money is the objective of many campaigns, so these folks need a bit more love to prepare for the inevitable attacks.
      3. HR and Customer Service: Attackers target Human Resources and Customer Service frequently as well, mostly because they provide the easiest path into the organization; attackers then continue toward their ultimate goal. Interacting with the outside world makes up a significant part of these groups’ job functions, so they need to be well-versed in email attacks and safe web browsing.
      4. Everyone else: We could define another dozen categories, but that would quickly pass the point of diminishing returns. The key for this group is to ensure that everyone has a baseline understanding of security, which they can apply when they see attacks.

      Once you have defined your categories, design a curriculum for each group. There will be a base level of knowledge for the everyone-else group. Then extend the more advanced curricula to address the most significant risks to each specific group, by building a quick threat model and focusing training to address it. For example, senior management needs a deep understanding of the whaling tactics they are likely to face.

      Keep in mind that the frequency of formal training varies by group. If the program calls for intensive training during on-boarding and semi-annual refreshers, you’ll want more frequent training for HR and Customer Service. Given how quickly attack tactics change, updating training for those groups every quarter seems reasonable to keep them current.

      Continuous

      Just as we finish saying you need to define the frequency for your different user groups, the first “C” is continuous. What gives? A security training program encompasses both formal training and ad-hoc lessons as needed. Attackers don’t seem to take days off, and the threat landscape changes almost daily. Your program needs to reflect the dynamic nature of security and implement triggers to initiate additional training.

      You stay current by analyzing threat intelligence looking for significant new attacks that warrant additional training. Ransomware provides a timely example of this need. A few years ago when the first ransomware attack hit, most employees were not prepared to defend against the attack and they certainly didn’t know what to do once the ransomware locked their devices. For these new attack vectors, you may need to put together a quick video explaining the attack and what to do in the event the employee sees it. To be clear, speed matters here so don’t worry about your training video being perfect, just get something out there to prepare your employees for an imminent attack. Soon enough your security training vendor will update existing training and will introduce new material based on emerging attacks, so make sure you pay attention to available updates within the training platform.

      Continuous training also involves evaluating not just potential attacks identified via threat intel but also changes in an employee’s risk profile. To keep on top of that profile, integrate with your other security tools: email security gateways, web security proxies and services, web/DNS security tools, DLP and other content inspection technologies, and security analytics including user behavior analytics (UBA). These integrations set the stage for contextual training.

      Contextual

      If any of the integrated security monitors or controls detects an attack on a specific user, or determines a user did something which violates policy, it provides an opportunity to deliver ad hoc training on that particular attack. The best time to train an employee and have the knowledge stick remains when they are conscious of its relevance. People have different learning styles, and their receptivity varies, but they should be much more receptive right after making a mistake, when their fresh experience puts the training in context.

      Similar to teaching a child not to touch a hot stove after they’ve burnt their hand, showing an employee how to detect a phishing message is more impactful right after they clicked on a phishing message. We’ll dig in with a detailed example in our next post.

      To wrap up our earlier frequency discussion, you have a few different options for training delivery:

      • Scheduled: As described above, you provide materials during onboarding and as part of the ongoing training program. Periodic refreshers and updated training on new attacks are likely the bare minimum to meet your compliance requirements.
      • Preemptive: In this model you deliver training when triggered by threat intel or a change in risk profile, as determined by security analytics/UBA. The emergence of a new ransomware variant is an example of a likely trigger for preemptive training.
      • Reactive: This model triggers delivery of training when an employee makes a mistake. For example, train on how to protect customer data after the DLP system blocks an outgoing email with a customer’s social security number in the body.

      Metrics

      Assuming risk reduction is the overall objective of your security awareness training program, you need a way to assess its effectiveness. How can you measure your security training program? It starts by defining a baseline of security effectiveness. We all understand that assessing security goes well beyond training, but you need to understand your current security posture before starting a new training program.

      That means tracking attacks against the organization, particularly the types of attacks most impacted by security training – including phishing, drive-by downloads, customer data leakage, etc. Obtain this information via integration with your email and web security tools and your SIEM or UBA system. If you cannot establish a baseline before the program starts, we recommend you initiate data collection immediately. It’s decidedly suboptimal, but you can trend improvement over time from the start of your program.

      As far as metrics to track, you can use these buckets to get started:

      • Micro: Here you monitor employee-specific risk, such as how many times an employee clicks on a phishing simulation and how many times you’ve had to clean up the employee’s device after malware outbreaks.
      • Macro: These indicators include benchmark data from organizations of similar size and sector. You’ll want to know how many successful attacks hit your peers. Your training vendor likely has benchmark data you can use, and we increasingly see this kind of information in training dashboards and reports to provide insight into effectiveness.
      • Organizational: Based on the micro and macro data, how does your organization stack up? Here you’ll want to make an overall assessment of the organization, based on results from tests and other risk metrics/analytics.
      • Qualitative: You’ll also want to understand what employees think of your training program. We recommend organizations perform 360° evaluations via employee surveys to gauge the effectiveness of training content, and for a sense of their general understanding of security.

      For each of these metrics/assessments, you should be able to access the data quickly and easily via both a dashboard and reports. The dashboard should clearly reflect both the micro and macro effectiveness of your efforts. Which employees need additional training because they make the same mistake over and over again? Which employees can’t seem to find the time to complete scheduled training? Is the number of bad clicks during phishing simulations trending in the right direction?

      The documentation from the program will substantiate (or not) your training efforts, which will make the difference between expanding the program or sending it to the dustbin. We’ll wrap up this series in our next post, working through a detailed example of setting up the program – and, more importantly, adapting it as you learn what works and doesn’t.

      - Mike Rothman

      LuckyMouse Group is back and using a legitimate certificate to sign Malware

      The Kaspersky Lab Global Research and Analysis Team (GReAT) has discovered several infections from a previously unknown Trojan, which is most likely related to the infamous Chinese-speaking threat actor – LuckyMouse. The most peculiar trait of this malware is its hand-picked driver, signed with a legitimate digital certificate, which has been issued by a company developing information security-related software.

      View full story

      ORIGINAL SOURCE: Engineering News

      The post LuckyMouse Group is back and using a legitimate certificate to sign Malware appeared first on IT SECURITY GURU.

      CVE-2018-1571

      IBM QRadar 7.2 and 7.3 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 143121.

      Using Hacked IoT Devices to Disrupt the Power Grid

      This is really interesting research: "BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid":

      Abstract: We demonstrate that an Internet of Things (IoT) botnet of high wattage devices -- such as air conditioners and heaters -- gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid. In particular, we reveal a new class of potential attacks on power grids called the Manipulation of demand via IoT (MadIoT) attacks that can leverage such a botnet in order to manipulate the power demand in the grid. We study five variations of the MadIoT attacks and evaluate their effectiveness via state-of-the-art simulators on real-world power grid models. These simulation results demonstrate that the MadIoT attacks can result in local power outages and in the worst cases, large-scale blackouts. Moreover, we show that these attacks can rather be used to increase the operating cost of the grid to benefit a few utilities in the electricity market. This work sheds light upon the interdependency between the vulnerability of the IoT and that of the other networks such as the power grid whose security requires attention from both the systems security and power engineering communities.

      I have been collecting examples of surprising vulnerabilities that result when we connect things to each other. This is a good example of that.

      Wired article.

      Mac app ‘Adware Doctor’ stores users’ data and sends it to China

      Apple has removed the top-rated paid anti-malware app Adware Doctor from its Mac App Store after it was found collecting users’ browsing histories and other sensitive details and sending them to China.

      According to well-known Apple security researcher Patrick Wardle, the app collected users’ web browsing history, app logs and other security data from the devices it was installed on. It collected data from Chrome, Firefox and Safari, packaged it into a zip file, and then sent it to a server in China.

      “We tore apart Adware Doctor - one of the top grossing apps in the official Mac App Store. This research (original credit: @privacyis1st) uncovered blatant violations of users' privacy and complete disregard of Apple's App Store Guidelines,” Wardle wrote in a blog. “There is rather a massive privacy issue here. Let’s face it, your browsing history provides a glimpse into almost every aspect of your life.”

      Unlike many apps, Adware Doctor does ask for permission to access users’ files.

      “Once the user has clicked ‘allow,’ since Adware Doctor requested permission to the user’s home directory, it will have carte blanche access to all the user’s files,” Wardle said.

      However, Apple took over a month to remove the app from the store. Even though Wardle informed Apple about Adware Doctor’s violation of the Mac App Store guidelines and sandbox, it remained the fourth-ranked paid app on the App Store.

      “The fact that application has been surreptitiously exfiltrating users' browsing history, possibly for years, is, to put it mildly, rather f#@&'d up! Beyond its mistreatment and blatant disrespect of user data, the fact that Adware Doctor "dances around" the Mac App Sandbox seems to clearly be another violation as well,” Wardle added.

      Trend Micro apologises after Mac apps found scooping up users’ browser history

      Trend Micro has confirmed reports that some of its Mac consumer products were silently sending users’ browser history to its servers, and apologised to customers for any “concern they might have felt.”

      But apparently it’s the users’ fault anyway for not reading the EULA.

      Beware the Homeless Homebuyer Real Estate Scam!

Security professionals are warning users who are or soon will be engaged in real estate transactions to watch out for the “homeless homebuyer” scam. On 10 September, Verdict built upon its coverage of account takeover attacks found in its threat insight magazine Verdict Encrypt to discuss this particular scam. The homeless homebuyer ruse first begins […]

      The post Beware the Homeless Homebuyer Real Estate Scam! appeared first on The State of Security.

      How to bridge the cybersecurity skills gap

      By 2021, there will be more than 3.5 million unfilled jobs in the cybersecurity sector.

The statistic, published by Cybersecurity Ventures in June 2017, highlighted the growing structural deficit of security professionals. The cybersecurity skills gap continues to grow – but just how large and severe is it? And what can businesses do to mitigate the problem?

      Bridging the cybersecurity skills gap is one of the biggest challenges organisations face today – and many are already struggling. Few organisations have the resources to deal with the growing threat posed by cyber criminals and advanced attacks. Viruses, malware and other threats are increasingly diverse and complex, and most organisations lack the staff and skill to deal with the threats appearing now, let alone the ones that will appear in the future.

      • Hire and train more talent

        Organisations need to acquire the best cybersecurity analysts and use them as mentors for talented but inexperienced cybersecurity trainees.

        The benefit is twofold. On the one hand, organisations benefit from the expertise that trained analysts can provide, and on the other, cybersecurity trainees learn from the best and can quickly get up to speed.

      Only 1 in 10 organisations have cybersecurity experts on their teams

A study conducted earlier this year by Forrester Consulting for Hiscox revealed that only 11% of the organisations reviewed actually had ‘experts’ on their security teams and were, therefore, well prepared to face cybersecurity challenges. On the other hand, nearly three-quarters of organisations (73%) fell into the novice category, suggesting they had a long way to go before they were ‘cyber ready’.

      With skilled cybersecurity professionals in short supply, it’s expected that organisations will continue to struggle to fill cybersecurity positions with the right employees.

      • Outsource endpoint security management to specialist service providers or managed detection and response teams

  Gartner estimates that, by 2020, 50% of managed security service providers (MSSPs) will offer Managed Detection and Response (MDR) services.

  For organisations unable to hire or train cybersecurity analysts quickly enough, outsourcing cybersecurity management (or elements of it) to specialist service providers or MDR teams is a viable option. This should reduce risk through 24/7 threat monitoring, detection and response capabilities, and also give organisations access to the best cybersecurity professionals.

        With such an approach, organisations can augment their existing cybersecurity network, providing an additional layer of protection, as well as use the expertise provided by MDR teams to get insight, actionable advice, threat context and coverage.

      Almost half of security alerts are not investigated

According to the Cisco 2017 Security Capabilities Benchmark Study, 44% – almost half – of security alerts are not investigated.

      The study found that, due to “various constraints”, such as resource, budget and lack of trained personnel, organisations can only investigate 56% of the security alerts they receive. Of the alerts investigated, only 46% are remediated, leaving 54% of those alerts unresolved.

      The main problem is that security alerts need to be reviewed and remediated manually. Cybersecurity systems can flag threats, yes, but those threats also need to be manually verified and prioritised by analysts. As a result, the process takes significantly longer – and with so many threats being received on a daily basis, it’s no surprise that many go unchecked.

      • Invest in more robust and accurate cybersecurity systems

  A major challenge for organisations is the remediation and prioritisation of threats. Cybersecurity systems can detect issues, but often those issues need to be resolved manually. According to our own research, more than half of the cybersecurity professionals we surveyed estimated that half of threat alerts are improperly prioritised by systems and had to be fixed manually.

        With many organisations’ security teams stretched thin and responding to an overwhelming number of threats on a daily basis, systems need to be honed and adapted as threats evolve and increase. That is the only way to truly be cyber resilient.

      Don’t make the mistake of treating cybersecurity as a “technical problem” and delegate it to the IT department. The reality is that cybersecurity is a business-wide issue. Defending an organisation from cyber-attack requires an understanding of what is at stake.

      The IT department can resolve the issue, sure, but what’s the point if poor employee practice means that they face another problem as soon as one is fixed?

      Wider business context and an appreciation of business risk, exposure and priorities is needed. Departments within organisations need to work together with the IT department, not as a separate entity.

      If you want to learn more about the cybersecurity skills gap, the threats facing modern businesses, and how best to prepare for and combat those threats, download our report by clicking the button below.

Download the PandaLabs Annual Report 2017

      The post How to bridge the cybersecurity skills gap appeared first on Panda Security Mediacenter.

      The Effectiveness of Publicly Shaming Bad Security

      Here's how it normally plays out: It all begins when a company pops up online and makes some sort of ludicrous statement related to their security posture, often as part of a discussion on a public social media platform such as Twitter. Shortly thereafter, the masses descend on said organisation and express their outrage at the stated position. Where it gets interesting (and this is the whole point of the post), is when another group of folks pop up and accuse the outraged group of doing a bit of this:

      Shaming. Or chastising, putting them in their place or taking them down a peg or two. Whatever synonym you choose, the underlying criticism is that the outraged group is wrong for expressing their outrage towards the organisation involved, especially if it's ever construed as being targeted towards whichever individual happens to be the mouthpiece of the organisation at the time. Shame, those opposed to it will say, is not the way. I disagree and I want to explain - and demonstrate - precisely why.

      Let's start with a few classic examples of the sort of behaviour I'm talking about in terms of those ludicrous statements:

See the theme? Crazy statements made by representatives of the companies involved. The last one from Betfair is a great example and the entire thread is worth a read. What it boiled down to was the account arguing with a journalist (pro tip: avoid arguing with, or being a dick to, those in a position to write publicly about you!) that no, you didn't just need a username and birth date to reset the account password. Eventually, it got to the point where Betfair advised that providing this information to someone else would be a breach of their terms. Now, keeping in mind that the username is your email address and that many among us like cake and presents and other birthday celebratory patterns, it's reasonable to say that this was a ludicrous statement. Further, I propose that this is a perfect case where shaming is not only due, but necessary. So I wrote a blog post.

      Shortly after that blog post, three things happened and the first was that it got press. The Register wrote about it. Venture Beat wrote about it. Many other discussions were held in the public forum with all concluding the same thing: this process sucked. Secondly, it got fixed. No longer was a mere email address and birthday sufficient to reset the account, you actually had to demonstrate that you controlled the email address! And finally, something else happened that convinced me of the value of shaming in this fashion:

      A couple of months later, I delivered the opening keynote at OWASP's AppSec conference in Amsterdam. After the talk, a bunch of people came up to say g'day and many other nice things. And then, after the crowd died down, a bloke came up and handed me his card - "Betfair Security". Ah shit. But the hesitation quickly passed as he proceeded to thank me for the coverage. You see, they knew this process sucked - any reasonable person with half an idea about security did - but the internal security team alone telling management this was not cool wasn't enough to drive change. Negative media coverage, however, is something management actually listens to. Exactly the same scenario played out at a very similar time when I wrote about how you really don't want bank grade security with one of the financial institutions on that list rapidly fixing their shortcomings after that blog post. A little while later at another conference, the same discussion I'd had in Amsterdam played out: "we knew our SSL config was bad, we just couldn't get the leadership support to fix it until we were publicly shamed".

      I wanted to set that context because it helps answer questions such as this one:

      What public shaming does is appeals to a different set of priorities; if, for example, I was to privately email NatWest about their lack of HTTPS then I'd likely get back a response along the lines of "we take security seriously" and my feedback would go into a queue somewhere. As it was, the feedback I was providing was clearly falling on deaf ears:

      And now we have another perfect example of precisely the sort of response that needs to be shamed so NatWest earned themselves a blog post. How this changed their priorities was to land the negative press on the desk of an executive somewhere who decided this wasn't a good look. As a result, their view on the security of this page is rather different than it was just 9 months ago:

      Now I don't know how much of this change was due to my public shaming of their security posture, maybe they were going to get their act together afterward anyway. Who knows. However, what I do know for sure is that I got this DM from someone not long after that post got media attention (reproduced with their permission):

      Hi Troy, I just want to say thanks for your blog post on the Natwest HTTPS issue you found that the BBC picked up on. I head up the SEO team at a Media agency for a different bank and was hitting my head against a wall trying to communicate this exact thing to them after they too had a non secure public site separate from their online banking. The quote the BBC must have asked from them prompted the change to happen overnight, something their WebDev team assured me would cost hundreds of thousands of pounds and at least a year to implement! I was hitting my head against the desk for 6 months before that so a virtual handshake of thanks from my behalf! Thanks!

      Let me change gear a little and tackle a common complaint about shaming in this fashion and I'll begin with this tweet:

      Notwithstanding my civic duty as an Aussie to take the piss out of the English, clearly this was a ridiculous statement for Santander to make. Third party password managers are precisely what we need to address the scourge of account takeover attacks driven by sloppy password management on behalf of individuals. Yet somehow, Santander had deliberately designed their system to block the ability to use them. Their customer service rep then echoed this position which subsequently led to the tweet above. That tweet, then led to this one:

      Andy is concerned that shaming in this fashion targets the individual behind the social media account (JM) rather than the organisation itself. I saw similar sentiments expressed after T-Mobile in Austria defended storing passwords in plain text with this absolute clanger:

      In each incident, the respective corporate Twitter accounts got a lot of pretty candid feedback. And they deserved it - here's why:

      These accounts are, by design, the public face of the respective organisations. Santander literally has the word "help" in the account name and T-Mobile's account indicates that Käthe is a member of the service team. They are absolutely, positively the coal faces of the organisation and it's perfectly reasonable to expect that feedback about their respective businesses should go to them.

      This is not to say that the feedback should be rude or abusive; it shouldn't and at least in the discussions I've been involved in, that's extremely rare to see. But to suggest that one shouldn't engage with the individuals controlling the corporate social media account in this fashion is ludicrous - that's exactly who you should be engaging with!

      A huge factor in how these discussions play out is how the organisations involved deal with shaming of the likes mentioned above. Many years ago now I wrote about how customer care people should deal with technical queries and I broke it down into 5 simple points:

      1. Never get drawn into technical debates
      2. Never allow public debate to escalate
      3. Always take potentially volatile discussions off the public timeline
      4. Make technical people available (privately)
      5. Never be dismissive

      Let me give you a perfect example of how to respond well to public shaming and we'll start with my own tweet:

      Business as usual there, just another day on the internet. But watch how Medibank then deals with that tweet:

      And in case you're wondering, yes, I did give them an e-pat on the back for that because they well and truly deserved it! The point is that shaming, when done right, leads to positive change without needing to be offensive or upsetting to the folks controlling the social accounts.

The final catalyst for finishing this blog post (I've been dropping examples into it since Xmas!) was a discussion just last week which, once again, highlighted everything said here. As per usual, it starts with a ridiculous statement on security posture:

      Shaming ensues (I mentioned my Aussie civic duty, right?!):

      Once again, the press picks it up and also once again, people get uppity about it:

And just to be clear, stating that "Non HTTPS pages are safe to use despite messages from some browsers" is not a very bright position to take whether you're on minimum wage or you're the CEO. Income doesn't factor when you make public statements as a company representative. Predictably, just as with all the previous examples, positive change followed:

      That whole incident actually turned out to be much more serious than they originally thought and once again, the issue was brought to the forefront by shaming. I've seen this play out so many times before that frankly, I've little patience for those decrying shaming in this fashion because it might hurt the feelings of the very people charged with receiving feedback from the public. If a company is going to take a position on security either in the way they choose to build their services or by what their representatives state on the public record, they can damn well be held accountable for it:

      Whether those rejecting shaming of the likes I've shared above agree with the practice or not, they can't argue with the outcome. I'm sure there'll be those that apply motherhood statements such as "the end doesn't justify the means", but that would imply that the means is detrimental in some way which it simply isn't. Keep it polite, use shaming constructively to leverage social pressure and we're all better off for it.