Daily Archives: January 9, 2019

How Cybercriminals Are Getting Initial Access into Your System

This article covers the main techniques cybercriminals use at the initial stage of attacks against enterprise networks. There are several dangerous phases of cyberattacks targeting the corporate segment. The first one encountered by businesses boils down to getting initial access into their systems. The malefactor’s goal at this point is to deposit some malicious code […]

The post How Cybercriminals Are Getting Initial Access into Your System appeared first on The State of Security.

Global DNS Hijacking Campaign: DNS Record Manipulation at Scale

Introduction

FireEye’s Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America. While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran. This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success. We have been tracking this activity for several months, mapping and understanding the innovative tactics, techniques and procedures (TTPs) deployed by the attacker. We have also worked closely with victims, security organizations, and law enforcement agencies where possible to reduce the impact of the attacks and/or prevent further compromises.

While this campaign employs some traditional tactics, it is differentiated from other Iranian activity we have seen by leveraging DNS hijacking at scale. The attacker uses this technique for their initial foothold, which can then be exploited in a variety of ways. In this blog post, we detail the three different ways we have seen DNS records manipulated to enable victim compromises. Technique 1, involving the creation of a Let's Encrypt certificate and changing the A record, was previously documented by Cisco’s Talos team. The activity described in their blog post is a subset of the activity we have observed.

Initial Research Suggests Iranian Sponsorship

Attribution analysis for this activity is ongoing. While the DNS record manipulations described in this post are noteworthy and sophisticated, they may not be exclusive to a single threat actor as the activity spans disparate timeframes, infrastructure, and service providers.

  • Multiple clusters of this activity have been active from January 2017 to January 2019.
  • There are multiple, nonoverlapping clusters of actor-controlled domains and IPs used in this activity.
  • A wide range of providers were chosen for encryption certificates and VPS hosts.

Preliminary technical evidence allows us to assess with moderate confidence that this activity is conducted by persons based in Iran and that the activity aligns with Iranian government interests.

  • FireEye Intelligence identified access from Iranian IPs to machines used to intercept, record and forward network traffic. While geolocation of an IP address is a weak indicator, these IP addresses were previously observed during the response to an intrusion attributed to Iranian cyber espionage actors.
  • The entities targeted by this group include Middle Eastern governments whose confidential information would be of interest to the Iranian government and have relatively little financial value.

Details

The following examples use victim[.]com to stand in for the victim domain, and private IP addresses to stand in for the actor-controlled IP addresses.

Technique 1 – DNS A Records

The first method exploited by the attacker is altering DNS A Records, as seen in Figure 1.


Figure 1: DNS A Record

  1. The attacker logs into PXY1, a Proxy box used to conduct non-attributed browsing and as a jumpbox to other infrastructure.
  2. The attacker logs into the DNS provider’s administration panel, utilising previously compromised credentials.
  3. The A record (e.g. mail[.]victim[.]com) is currently pointing to 192.168.100.100.
  4. The attacker changes the A record and points it to 10.20.30.40 (OP1).
  5. The attacker logs in from PXY1 to OP1.
    • A proxy is implemented to listen on all open ports, mirroring mail[.]victim[.]com.
    • A load balancer points to 192.168.100.100 [mail[.]victim[.]com] to pass through user traffic.
  6. certbot is used to create a Let’s Encrypt certificate for mail[.]victim[.]com
    • We have observed multiple Domain Control Validation providers being utilised as part of this campaign.
  7. A user now visits mail[.]victim[.]com and is directed to OP1. The Let’s Encrypt certificate allows the browsers to establish a connection without any certificate errors as Let's Encrypt Authority X3 is trusted. The connection is forwarded to the load balancer which establishes the connection with the real mail[.]victim[.]com. The user is not aware of any changes and may only notice a slight delay.
  8. The username, password and domain credentials are harvested and stored.

Technique 2 – DNS NS Records

The second method exploited by the attacker involves altering DNS NS Records, as seen in Figure 2.


Figure 2: DNS NS Record

  1. The attacker again logs into PXY1.
  2. This time, however, the attacker exploits a previously compromised registrar or ccTLD.
  3. The nameserver record ns1[.]victim[.]com is currently set to 192.168.100.200. The attacker changes the NS record and points it to ns1[.]baddomain[.]com [10.1.2.3]. That nameserver will respond with the IP 10.20.30.40 (OP1) when mail[.]victim[.]com is requested, but with the original IP 192.168.100.100 if it is www[.]victim[.]com.
  4. The attacker logs in from PXY1 to OP1.
    • A proxy is implemented to listen on all open ports, mirroring mail[.]victim[.]com.
    • A load balancer points to 192.168.100.100 [mail[.]victim[.]com] to pass through user traffic.
  5. certbot is used to create a Let’s Encrypt certificate for mail[.]victim[.]com.
    • We have observed multiple Domain Control Validation providers being utilised during this campaign.
  6. A user visits mail[.]victim[.]com and is directed to OP1. The Let’s Encrypt certificate allows browsers to establish a connection without any certificate errors as Let's Encrypt Authority X3 is trusted. The connection is forwarded to the load balancer which establishes the connection with the real mail[.]victim[.]com. The user is not aware of any changes and may only notice a slight delay.
  7. The username, password and domain credentials are harvested and stored.

Technique 3 – DNS Redirector

The attacker has also been observed using a third technique in conjunction with either Figure 1 or Figure 2 above. This involves a DNS Redirector, as seen in Figure 3.


Figure 3: DNS Operational box

The DNS Redirector is an attacker operations box which responds to DNS requests.

  1. A DNS request for mail[.]victim[.]com is sent to OP2 (based on previously altered A Record or NS Record).
  2. If the domain is part of the victim[.]com zone, OP2 responds with an attacker-controlled IP address, and the user is redirected to the attacker-controlled infrastructure.
  3. If the domain is not part of the victim[.]com zone (e.g. google[.]com), OP2 makes a DNS request to a legitimate DNS server to get the IP address, and the legitimate IP address is returned to the user.

Targets

A large number of organizations have been affected by this pattern of DNS record manipulation and fraudulent SSL certificates. They include telecoms and ISP providers, internet infrastructure providers, government and sensitive commercial entities.

Root Cause Still Under Investigation

It is difficult to identify a single intrusion vector for each record change, and it is possible that the actor, or actors, are using multiple techniques to gain an initial foothold into each of the targets described above. FireEye intelligence customers have received previous reports describing sophisticated phishing attacks used by one actor that also conducts DNS record manipulation. Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account.

Prevention Tactics

This type of attack is difficult to defend against, because valuable information can be stolen, even if an attacker is never able to get direct access to your organization’s network. Some steps to harden your organization include:

  1. Implement multi-factor authentication on your domain’s administration portal.
  2. Validate A and NS record changes.
  3. Search for SSL certificates related to your domain and revoke any malicious certificates.
  4. Validate the source IPs in OWA/Exchange logs.
  5. Conduct an internal investigation to assess if attackers gained access to your environment.
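The "validate A and NS record changes" step above is the one a defender can automate most directly, and a single check covers all three manipulations described under Techniques 1 to 3. The script below is an added example, not FireEye/Mandiant tooling or any victim's monitoring: it compares answers observed from several resolvers against a recorded baseline of the records the owner actually published, flags an A record that now points somewhere unexpected (Technique 1), an NS delegation moved outside the expected nameserver set (Technique 2), and the Technique 3 signature of a resolver that answers out-of-zone names correctly while returning off-baseline data for in-zone names. The baseline, the observed answers, the resolver labels, the control name and the notion of a "trusted" resolver path are all constructed assumptions; the page's defanged victim[.]com is written as victim.com so it parses.

```python
"""Baseline check for DNS A/NS record tampering of the kinds described above.

Added defensive example, not FireEye/Mandiant tooling. All input is constructed:
a baseline of the records victim.com is supposed to have (the page's victim[.]com
without the defanging brackets) and a batch of answers observed from two resolvers.
Resolver labels, the control name and the 'trusted' resolver are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

Baseline = Dict[str, Dict[str, Set[str]]]  # rtype -> name -> expected rdata set

# Constructed baseline: the records the owner published (see Figures 1 and 2).
BASELINE: Baseline = {
    "A": {
        "mail.victim.com": {"192.168.100.100"},
        "www.victim.com": {"192.168.100.100"},
    },
    "NS": {
        "victim.com": {"ns1.victim.com", "ns2.victim.com"},
    },
}
ZONE = "victim.com"
CONTROL_NAME = "control.example.net"  # assumed out-of-zone name used as a sanity check


@dataclass(frozen=True)
class Answer:
    resolver: str  # label of the resolver that returned this record
    name: str
    rtype: str     # "A" or "NS"
    rdata: str     # IP address for A, nameserver hostname for NS


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or a name below it (not just a suffix match)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def check_records(answers: List[Answer], baseline: Baseline) -> List[dict]:
    """Techniques 1 and 2: report any baselined name whose answer left the expected set."""
    findings = []
    for a in answers:
        expected = baseline.get(a.rtype, {}).get(a.name.lower())
        if expected is None:
            continue  # not a record we baselined; nothing to compare against
        if a.rdata.lower() not in {e.lower() for e in expected}:
            findings.append({
                "resolver": a.resolver,
                "name": a.name,
                "rtype": a.rtype,
                "observed": a.rdata,
                "expected": sorted(expected),
                "technique": "A record change" if a.rtype == "A" else "NS record change",
            })
    return findings


def check_selective_resolver(answers: List[Answer], baseline: Baseline, zone: str,
                             control_name: str, trusted: str) -> List[str]:
    """Technique 3 signature: a resolver that agrees with the trusted one on an
    out-of-zone control name but hands out off-baseline data for in-zone names."""
    by_resolver: Dict[str, List[Answer]] = {}
    for a in answers:
        by_resolver.setdefault(a.resolver, []).append(a)
    truth = {a.rdata for a in by_resolver.get(trusted, [])
             if a.name == control_name and a.rtype == "A"}
    suspicious = []
    for resolver, ans in by_resolver.items():
        if resolver == trusted:
            continue
        control = {a.rdata for a in ans if a.name == control_name and a.rtype == "A"}
        bad = check_records([a for a in ans if in_zone(a.name, zone)], baseline)
        if control and control == truth and bad:
            suspicious.append(resolver)
    return suspicious


# Constructed observations: "trusted" is a path known to reach the real authoritative
# servers; "public-1" has been steered to the attacker's DNS box (OP2 in Figure 3).
OBSERVED = [
    Answer("trusted", "mail.victim.com", "A", "192.168.100.100"),
    Answer("trusted", "www.victim.com", "A", "192.168.100.100"),
    Answer("trusted", "victim.com", "NS", "ns1.victim.com"),
    Answer("trusted", CONTROL_NAME, "A", "203.0.113.7"),
    Answer("public-1", "mail.victim.com", "A", "10.20.30.40"),    # now points at OP1
    Answer("public-1", "www.victim.com", "A", "192.168.100.100"),  # left untouched
    Answer("public-1", "victim.com", "NS", "ns1.baddomain.com"),
    Answer("public-1", CONTROL_NAME, "A", "203.0.113.7"),          # out-of-zone: correct
]

if __name__ == "__main__":
    for f in check_records(OBSERVED, BASELINE):
        print(f"[{f['technique']}] {f['name']} {f['rtype']} via {f['resolver']}: "
              f"got {f['observed']}, expected {f['expected']}")
    print("selective resolvers:", check_selective_resolver(OBSERVED, BASELINE, ZONE,
                                                           CONTROL_NAME, "trusted"))
```

Run it as-is and it reports the mail A record and the apex NS delegation as off-baseline on the public-1 path, and names public-1 as a selective resolver because it still answers the control name exactly like the trusted path. In production the observed answers would come from periodic queries through several independent resolvers and, for the NS set, from the registrar's own view of the delegation, since a hijack at the registrar or ccTLD (Technique 2) is invisible to a query that only asks the zone's current nameservers.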

Conclusion

This DNS hijacking, and the scale at which it has been exploited, showcases the continuing evolution in tactics from Iran-based actors. This is an overview of one set of TTPs that we recently observed affecting multiple entities. We are highlighting it now so that potential targets can take appropriate defensive action.

Dynamic Content Acceleration in Imperva CDN Improves Enterprise Website Performance

Today we introduced a new dynamic content acceleration network enhancement feature designed to improve response times to the origin server by up to 30%.

Clients using the Imperva content delivery network (CDN) service are now able to more fully leverage the high-quality connectivity between PoPs in the Imperva network. The enhancement translates to an even better experience for our clients’ end users and increased conversion rates for e-commerce websites and the like. It will especially allow clients who have geographically distributed end users to see a boost to their website performance, with zero code changes required on their end.

How Dynamic Content Acceleration Works

The origin PoP is selected based on the network distance (according to latency, not geographic distance) between the client’s origin server and the Imperva PoP.

Origin PoPs have dedicated, preconfigured machines called forwarders. The purpose of the forwarder is to serve as the access point to the origin server.

With this enhancement there’s no change to the traffic inspection process, as traffic will continue to be analyzed in the entry PoP (the access point for the end user’s request).

Example

Say www.example.com is located in a datacenter in New York City and is using the dynamic content acceleration service.

When a request to www.example.com reaches one of our proxy servers (e.g. Sydney) the proxy decides if the content is static or dynamic (A2).

If the content is dynamic, the proxy routes the traffic to the forwarder server in our New York City PoP (B2).

When the request reaches the forwarder in our New York City PoP, it sends the request forward to the origin server in New York City (C2).

When the origin sends a response, the forwarder receives it and sends it to the relevant proxy, which provides a faster response to the user. See our documentation for more information.

Improved Round-Trip Latency

Our improvements in round-trip latency are fueled by our cloud application security single stack architecture, PoPs strategically located to meet user demands, a broad peering footprint, and the fact that our entire network is tuned for DDoS mitigation, mandating the use of the same T1 transit providers across all our PoPs. A side effect of this IP engineering principle is a high-quality connection between PoPs.

Open connections are maintained between the PoPs, which eliminates TCP slow start, the congestion-control phase in which a new connection ramps up its sending rate gradually. Connectivity to the origin from a nearby PoP also significantly reduces the latency required for the TLS handshake.

And when a packet moves from one PoP to another, it goes through fewer providers. In most cases it goes through just one provider. As a result, there is less packet loss and better latency.

Effect on Production Environment Analysis

As an additional benefit of dynamic content acceleration, clients utilizing XRAY will be able to have more visibility into requests to their origin and understand if a request passed through an origin PoP or not. This may come in handy in cases where there are potential connectivity improvements to the origin that need to be addressed.

The Development Process

We’ve been developing and testing this feature for about a year prior to release, measuring improvements in round-trip latency, time to first byte, and open connection time to the origin.

We found it takes much less time to open a connection to the origin from the forwarder than from a faraway proxy (e.g. New York City <-> Tokyo): the forwarder can take 10 ms, while a faraway proxy can take up to 300 ms.

Cedexis Testing

We use Cedexis to test different network optimization features. In the above testing we’ve set up two different networks to be monitored via Cedexis, both with origin servers in the same AWS EU-Central-1 Region in Frankfurt, Germany.

Then we applied dynamic content acceleration to one of the platforms by setting its origin PoP to our Frankfurt PoP.

Lastly, we compared the latency of both networks as measured by eyeballs around the world.

The above results show an average latency of 308 ms vs 188 ms in the last 24 hours – a 120 ms decrease (which is also better than any other dynamic CDN vendor in Cedexis).

Performance improvement will vary based on the geographic traffic distribution of the site and the origin’s proximity to one of our PoPs. But our tests have shown an average improvement of 30% in round-trip time latency.

Considerations

It’s important to remember that dynamic content acceleration does add an additional hop, so in some cases if the origin server is not close to the origin proxy (forwarder), clients may not see an improvement in round-trip latency.

And since only a few proxy servers connect to the origin server with dynamic content acceleration, if a client implements rate limiting or load balancing keyed on the connecting IP only, the fact that all traffic reaches the origin from fewer proxies may trigger a rate threshold and result in dropped traffic.
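The rate-limiting consideration above is worth seeing concretely, because the obvious fix (key the limiter on the forwarded client address instead of the peer address) opens a spoofing hole if done carelessly. The following is an added example, not Imperva code: a small sliding-window limiter driven first by the TCP peer address, which collapses every end user behind one forwarder into a single bucket and drops most of them, and then by the end user's address taken from an X-Forwarded-For header, which is believed only when the peer is inside a known CDN address range. The header name, the 198.51.100.0/24 forwarder range, the limit and all addresses and traffic are constructed assumptions.

```python
"""IP-keyed rate limiting behind a CDN forwarder: the misfire, and the fix.

Added example, not Imperva code. It assumes the CDN passes the end user's address
in an X-Forwarded-For header and that the origin knows the CDN's address range;
the header name, the 198.51.100.0/24 range and all addresses are constructed.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List

# Constructed: the address range the CDN's proxies and forwarders connect from.
TRUSTED_FORWARDERS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Request:
    peer: str       # TCP peer address as the origin sees it
    xff: str = ""   # X-Forwarded-For header value ("" if absent)
    t: float = 0.0  # arrival time in seconds


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window` seconds."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage in the header is never a trusted hop
    return any(ip in net for net in TRUSTED_FORWARDERS)


def peer_key(req: Request) -> str:
    """Naive keying: every request arriving via the same forwarder shares one bucket."""
    return req.peer


def client_key(req: Request) -> str:
    """Key on the end user's address, but believe X-Forwarded-For only when the
    peer is a trusted forwarder; take the rightmost hop that is not one of ours."""
    if not is_trusted(req.peer):
        return req.peer  # direct connection: ignore whatever the client wrote
    for hop in reversed([h.strip() for h in req.xff.split(",") if h.strip()]):
        if not is_trusted(hop):
            return hop
    return req.peer


def simulate(key_fn: Callable[[Request], str], requests: List[Request],
             limit: int = 20, window: float = 10.0) -> int:
    """Return how many of the requests the limiter would drop."""
    lim = SlidingWindowLimiter(limit, window)
    return sum(0 if lim.allow(key_fn(r), r.t) else 1 for r in requests)


def cdn_traffic(n_clients: int = 50, per_client: int = 3) -> List[Request]:
    """Constructed: many distinct users, all arriving via one forwarder within ~5 s."""
    return [Request(peer="198.51.100.10",
                    xff=f"203.0.113.{i + 1}, 198.51.100.200",  # user, then entry proxy
                    t=i * 0.1 + k * 0.01)
            for i in range(n_clients) for k in range(per_client)]


def spoof_traffic(n: int = 30) -> List[Request]:
    """Constructed: one direct client forging X-Forwarded-For to look like n users."""
    return [Request(peer="192.0.2.9", xff=f"203.0.113.{i + 1}", t=i * 0.01)
            for i in range(n)]


if __name__ == "__main__":
    print("peer-keyed, CDN traffic dropped:      ", simulate(peer_key, cdn_traffic()))
    print("client-keyed, CDN traffic dropped:    ", simulate(client_key, cdn_traffic()))
    print("client-keyed, spoofed traffic dropped:", simulate(client_key, spoof_traffic()))
```

With 50 users sending three requests each through one forwarder against a limit of 20 per 10 seconds, the peer-keyed limiter drops 130 of 150 legitimate requests while the client-keyed one drops none; a direct client that forges the header to look like 30 different users is still keyed on its own peer address, so it is limited exactly as before. Whatever header the CDN actually uses, the trust check on the peer address is the part that must not be skipped: without it, anyone who can reach the origin directly can pick their own rate-limit bucket.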

However, in general we expect dynamic content acceleration to have a widespread, positive performance impact. And this enhancement is just one of many benefits to come as we continue to invest in our CDN service.


The post Dynamic Content Acceleration in Imperva CDN Improves Enterprise Website Performance appeared first on Blog.

Juniper Networks Releases Multiple Security Updates

Original release date: January 09, 2019

Juniper Networks has released multiple security updates to address vulnerabilities in various Juniper products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review Juniper’s Security Advisories webpage and apply the necessary updates.


Cisco Identity Services Engine Multiple Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack or a reflected cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

For more information about these vulnerabilities, see the Details section of this security advisory.

There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ise-multi-xss


Security Impact Rating: Medium
CVE: CVE-2018-15440,CVE-2018-15463

Cisco Policy Suite Graphite Unauthenticated Read-Only Access Vulnerability

A vulnerability in the Graphite web interface of the Policy and Charging Rules Function (PCRF) of Cisco Policy Suite (CPS) could allow an unauthenticated, remote attacker to access the Graphite web interface. The attacker would need to have access to the internal VLAN where CPS is deployed.

The vulnerability is due to lack of authentication. An attacker could exploit this vulnerability by directly connecting to the Graphite web interface. An exploit could allow the attacker to access various statistics and Key Performance Indicators (KPIs) regarding the Cisco Policy Suite environment.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-cps-graphite-access


Security Impact Rating: Medium
CVE: CVE-2018-15466

Cisco Jabber Client Framework Insecure Directory Permissions Vulnerability

A vulnerability in the Cisco Jabber Client Framework (JCF) software, installed as part of the Cisco Jabber for Mac client, could allow an authenticated, local attacker to corrupt arbitrary files on an affected device that has elevated privileges.

The vulnerability exists due to insecure directory permissions set on a JCF-created directory. An authenticated attacker with the ability to access an affected directory could create a hard link to an arbitrary location on the affected system. The attacker could then convince another user who has administrative privileges to install or update the Cisco Jabber for Mac client, causing those privileged actions to follow the hard link, allowing files to be created in an arbitrary location on the disk or an arbitrary file to be corrupted when it is appended to or overwritten.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-jabr-mac-permissions


Security Impact Rating: Medium
CVE: CVE-2018-0449

Cisco Unified Communications Manager Digest Credentials Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to view digest credentials in clear text.

The vulnerability is due to the incorrect inclusion of saved passwords in configuration pages. An attacker could exploit this vulnerability by logging in to the Cisco Unified Communications Manager web-based management interface and viewing the source code for the configuration page. A successful exploit could allow the attacker to recover passwords and expose those accounts to further attack.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-cucm-creds-disclosr


Security Impact Rating: Medium
CVE: CVE-2018-0474

Cisco Jabber Client Framework Instant Message Cross-Site Scripting Vulnerability

A vulnerability in Cisco Jabber Client Framework (JCF) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of an affected system.

The vulnerability is due to insufficient validation of user-supplied input of an affected client. An attacker could exploit this vulnerability by executing arbitrary JavaScript in the Jabber client of the recipient. A successful exploit could allow the attacker to execute arbitrary script code in the context of the targeted client or allow the attacker to access sensitive client-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-jcf-im-xss


Security Impact Rating: Medium
CVE: CVE-2018-0483

Cisco Email Security Appliance URL Filtering Denial of Service Vulnerability

A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to cause the CPU utilization to increase to 100 percent, causing a denial of service (DoS) condition on an affected device.

The vulnerability is due to improper filtering of email messages that contain references to whitelisted URLs. An attacker could exploit this vulnerability by sending a malicious email message that contains a large number of whitelisted URLs. A successful exploit could allow the attacker to cause a sustained DoS condition that could force the affected device to stop scanning and forwarding email messages.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-esa-url-dos


Security Impact Rating: High
CVE: CVE-2018-15460

Cisco IP Phone 8800 Series Arbitrary Script Injection Vulnerability

A vulnerability in the Cisco IP Phone 8800 Series Software could allow an unauthenticated, remote attacker to conduct an arbitrary script injection attack on an affected device.

The vulnerability exists because the software running on an affected device insufficiently validates user-supplied data. An attacker could exploit this vulnerability by persuading a user to click a malicious link provided to the user or through the interface of an affected device. A successful exploit could allow an attacker to execute arbitrary script code in the context of the user interface or access sensitive system-based information, which under normal circumstances should be prohibited.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-phone-script-injection


Security Impact Rating: Medium
CVE: CVE-2018-0461

Cisco IOS and IOS XE Software Secure Shell Connection on VRF Vulnerability

A vulnerability in the access control logic of the Secure Shell (SSH) server of Cisco IOS and IOS XE Software may allow connections sourced from a virtual routing and forwarding (VRF) instance despite the absence of the vrf-also keyword in the access-class configuration.

The vulnerability is due to a missing check in the SSH server. An attacker could use this vulnerability to open an SSH connection to an affected Cisco IOS or IOS XE device with a source address belonging to a VRF instance. Once connected, the attacker would still need to provide valid credentials to access the device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ios-ssh-vrf


Security Impact Rating: Medium
CVE: CVE-2018-0484

Cisco Prime Network Control System Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Network Control System could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected system.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web-based management interface or allow the attacker to access sensitive browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-pnc-stored-xss


Security Impact Rating: Medium
CVE: CVE-2018-0482

Cisco Identity Services Engine Password Recovery Vulnerability

A vulnerability in the Admin Portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to view saved passwords in plain text.

The vulnerability is due to the incorrect inclusion of saved passwords when loading configuration pages in the Admin Portal. An attacker with read or write access to the Admin Portal could exploit this vulnerability by browsing to a page that contains sensitive data. An exploit could allow the attacker to recover passwords for unauthorized use and expose those accounts to further attack.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ise-passwd


Security Impact Rating: Medium
CVE: CVE-2018-15456

Cisco IOS and IOS XE Software TCP Denial of Service Vulnerability

A vulnerability in the TCP socket code of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a state condition between the socket state and the transmission control block (TCB) state. While this vulnerability potentially affects all TCP applications, the only affected application observed so far is the HTTP server.

An attacker could exploit this vulnerability by sending specific HTTP requests at a sustained rate to a reachable IP address of the affected software. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition on an affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-tcp


Security Impact Rating: Medium
CVE: CVE-2018-0282

Cisco Policy Suite for Mobile and Cisco Policy Suite Diameter Routing Agent Software Redis Server Unauthenticated Access Vulnerability

A vulnerability in the Redis implementation used by the Cisco Policy Suite for Mobile and Cisco Policy Suite Diameter Routing Agent software could allow an unauthenticated, remote attacker to modify key-value pairs for short-lived events stored by the Redis server.

The vulnerability is due to improper authentication when accessing the Redis server. An unauthenticated attacker could exploit this vulnerability by modifying key-value pairs stored within the Redis server database. An exploit could allow the attacker to reduce the efficiency of the Cisco Policy Suite for Mobile and Cisco Policy Suite Diameter Routing Agent software.

Cisco has released software updates that address this vulnerability for Cisco Policy Suite for Mobile.

Currently there is no software release available for Cisco Policy Suite Diameter Routing Agent software. There are no workarounds that address this vulnerability, but a mitigation for Cisco Policy Suite Diameter Routing Agent software exists. See the Workarounds section for more details.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-cps-redis


Security Impact Rating: Medium
CVE: CVE-2018-0181

Cisco TelePresence Management Suite Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-tms-xss


Security Impact Rating: Medium
CVE: CVE-2018-15467

Cisco Firepower Management Center Disk Utilization Denial of Service Vulnerability

A vulnerability in the Shell Access Filter feature of Cisco Firepower Management Center (FMC), when used in conjunction with remote authentication, could allow an unauthenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition.

The vulnerability occurs because the configuration of the Shell Access Filter, when used with a specific type of remote authentication, can cause a system file to have unbounded writes. An attacker could exploit this vulnerability by sending a steady stream of remote authentication requests to the appliance when the specific configuration is applied. Successful exploitation could allow the attacker to increase the size of a system log file so that it consumes most of the disk space. The lack of available disk space could lead to a DoS condition in which the device functions could operate abnormally, making the device unstable.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-fpwr-mc-dos


Security Impact Rating: Medium
CVE: CVE-2018-15458

Cisco Webex Business Suite Cross-Site Scripting Vulnerability

A vulnerability in the MyWebex component of Cisco Webex Business Suite could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack.

The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by convincing a user to click a crafted URL. To exploit this vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-webex-bs-xss


Security Impact Rating: Medium
CVE: CVE-2018-15461

Cisco Prime Infrastructure Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-cpi-xss


Security Impact Rating: Medium
CVE: CVE-2018-15457

Cisco ASR 900 Series Aggregation Services Router Software Denial of Service Vulnerability

A vulnerability in Cisco 900 Series Aggregation Services Router (ASR) software could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient handling of certain broadcast packets ingress to the device. An attacker could exploit this vulnerability by sending large streams of broadcast packets to an affected device. If successful, an exploit could allow an attacker to impact services running on the device, resulting in a partial DoS condition.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-asr900-dos


Security Impact Rating: Medium
CVE: CVE-2018-15464

Cisco Email Security Appliance Memory Corruption Denial of Service Vulnerability

A vulnerability in the Secure/Multipurpose Internet Mail Extensions (S/MIME) Decryption and Verification or S/MIME Public Key Harvesting features of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause an affected device to corrupt system memory. A successful exploit could cause the filtering process to unexpectedly reload, resulting in a denial of service (DoS) condition on the device.

The vulnerability is due to improper input validation of S/MIME-signed emails. An attacker could exploit this vulnerability by sending a malicious S/MIME-signed email through a targeted device. If Decryption and Verification or Public Key Harvesting is configured, the filtering process could crash due to memory corruption and restart, resulting in a DoS condition. The software could then resume processing the same S/MIME-signed email, causing the filtering process to crash and restart again. A successful exploit could allow the attacker to cause a permanent DoS condition. This vulnerability may require manual intervention to recover the ESA.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-esa-dos


Security Impact Rating: Critical
CVE: CVE-2018-15453

In the 21st Century’s ‘Great Game,’ Third Party Risk Explodes

Third party risk explodes

The recent Shamoon attack on the Italian firm Saipem is a cautionary tale about the danger posed by metastasizing third party risks as the Internet becomes the stage for geopolitical power struggles.

By Paul F. Roberts

The Italian firm Saipem, which services the oil industry, was on the receiving end of a malware outbreak over the weekend of December 8, 2018, according to a company statement (PDF). The attack affected about 300 to 400 servers and 100 personal computers on the company’s corporate network, according to a report by Reuters.

While that might not be unusual, the malware used in the attack was. Analysis of the malicious file determined that it was a variant of the Shamoon malware, a destructive “wiper” program that has been linked to earlier attacks on oil firms in the Middle East, including Saudi Aramco, a Saudi Arabian firm, and RasGas, headquartered in Qatar. In the original Shamoon outbreak in 2012, the malware infected and erased data on some 30,000 systems on the Saudi Aramco network, forcing a months-long recovery process at the firm. Shamoon popped up again in late 2016 in another round of attacks against oil firms in the Middle East; that attack came just ahead of a meeting of OPEC at which oil production cuts were to be introduced.

A friend of my enemy is…

Those earlier attacks and the Shamoon malware have been labeled “advanced persistent threat” (or APT) attacks and linked to hacking groups with ties to the Iranian government, a regional rival of Saudi Arabia. So why attack an Italian firm best known for deep sea oil drilling? There’s a three word answer: Third. Party. Risk. It turns out that one of Saipem’s biggest customers is – you guessed it – Saudi Aramco, a high profile target of the Shamoon APT group. In all likelihood, Saipem was not a direct target, so much as a vital link in Saudi Aramco’s supply chain that was also vulnerable to attack.

Welcome to the 21st Century’s equivalent of the “Great Game” – that (in)famous contest for geopolitical advantage between the British and Russian empires in the 19th century. Only these days, the theater of conflict and confrontation is not in the foothills of Afghanistan or Uzbekistan, but online: as the world’s great and emerging powers carry out operations with determination and – mostly – impunity all over the globe.

The Shamoon attack on Saipem shows how the growing clout and ambition of nation-state actors online makes it more important than ever (and harder than ever) for organizations to understand the web of first-, second-, and third-party cyber risks they face.

Consider, for a moment, the long list of Fortune 500 firms affected by the NotPetya wiper malware, which appeared in June 2017. Firms like Merck Pharmaceuticals, Federal Express, the global shipping firm A.P. Moller-Maersk, and candy maker Mondelez were crippled by the virulent malware, which wiped the hard drives of the systems it infected. Affected firms realized losses in the tens and hundreds of millions of dollars. FedEx alone estimated its losses from NotPetya at $400 million.

What was their exposure? In many cases it was an obscure Ukrainian financial software package known as M.E.Doc that provided the initial point of entry for NotPetya. In other cases, firms had yet to apply a patch for a critical vulnerability in Microsoft Windows that was exploited using an NSA-developed exploit dubbed “EternalBlue.” While none of the firms were themselves direct targets of the group behind the malware, they were all collateral damage in a long-running physical and cyber conflict between Ukraine and Russia.

Refiguring third party risk

But if the risk posed by third parties is growing more complex, is there anything companies can do to manage it? The short answer is, “Yes.”

Know your stuff

To start with, organizations of all sizes need a better grasp of the hardware, software, and services in use in their organization. Knowing what software and services are operating within your environment is the first and most important step to limiting your exposure to third-party risk.

As the NotPetya incident indicates, even innocuous applications can become avenues for devastating attack. That’s especially true of cloud-based platforms that have blossomed in recent years, forming a kind of “shadow IT” deployment within your organization. Tools such as Slack, Salesforce.com, and Dropbox are powerful collaboration and sharing tools, but they can also be weaponized by an enterprising external actor or a malicious insider. So know that they’re there, make sure they’re deployed securely, and have a plan to manage any risks they present.

Know your data

Knowing what sensitive data your company holds is just as important as knowing the IT assets in your environment. Stolen personally identifiable information has monetary value on the cyber underground. Even absent financial data like credit card numbers, proprietary customer data could be used as part of identity theft schemes or a larger nation-state operation. (For example: Marriott’s guest data is believed to have been stolen by Chinese government hackers and could be used to map the movements of persons of interest.) Your sensitive intellectual property could be stolen and used to give competitors a leg up on you in the marketplace. Do a data audit of both on-premises and (increasingly) cloud environments to make sure you’ve accounted for any sensitive and (especially) regulated data, then make sure you have adequate safeguards protecting that data, including encryption for data at rest and in transit, strict user access controls, adequate logging, and so on.

Put a human in the loop

Speaking of “managing the risks” of third-party software and services: one recurrent theme in recent vendor compromise stories is the decision by downstream software users to enable automatic update or configuration features. In the case of NotPetya, sophisticated attackers compromised the update infrastructure of the M.E.Doc vendor and pushed the malware disguised as a routine software update. Companies that had configured the software to automatically download and install that update were infected. Organizations that hadn’t enabled automatic updates weren’t. Put a human in the loop for software updates and other changes so you don’t get caught off guard.
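As an added illustration of the "human in the loop" gate (this is not code from the original post or from any vendor named in it), the following Python script stages a downloaded update, compares its SHA-256 with a reference digest obtained out of band, and keeps it out of the install tree until an operator explicitly approves it. The directory layout, file names and manifest format are assumptions made for the demo, and the update payloads are constructed bytes.

```python
"""Stage, verify and hold third-party updates for human approval.
Added illustration for this article; not the code of any vendor mentioned here."""
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 so large update bundles are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_update(package: Path, staging_dir: Path) -> Path:
    """Copy a downloaded update into a staging area. Nothing here touches the install tree."""
    staging_dir.mkdir(parents=True, exist_ok=True)
    staged = staging_dir / package.name
    shutil.copyfile(package, staged)
    return staged


def verify_against_manifest(staged: Path, manifest: dict) -> bool:
    """Compare the staged file with the digest the vendor published out of band.

    The manifest format ({"filename": ..., "sha256": ...}) is an assumption for this demo.
    """
    if staged.name != manifest.get("filename"):
        return False
    return hmac.compare_digest(sha256_file(staged), manifest.get("sha256", ""))


def install_if_approved(staged: Path, install_dir: Path, manifest: dict, approved: bool) -> str:
    """Gate: a bad digest is rejected outright; a good one still waits for a human."""
    if not verify_against_manifest(staged, manifest):
        staged.unlink()
        return "rejected: digest mismatch"
    if not approved:
        return "held: awaiting human approval"
    install_dir.mkdir(parents=True, exist_ok=True)
    shutil.move(str(staged), str(install_dir / staged.name))
    return "installed"


def run_demo() -> dict:
    """Walk a genuine and a tampered update through the gate on constructed files."""
    root = Path(tempfile.mkdtemp(prefix="update-gate-"))
    download, staging, install = root / "download", root / "staging", root / "install"
    download.mkdir()
    package = download / "vendor-update-1.2.3.bin"
    package.write_bytes(b"constructed genuine update payload\n")
    # In production this digest comes from a signed manifest fetched over a separate channel.
    manifest = {"filename": package.name, "sha256": sha256_file(package)}

    results = {}
    staged = stage_update(package, staging)
    results["unapproved"] = install_if_approved(staged, install, manifest, approved=False)
    results["approved"] = install_if_approved(staged, install, manifest, approved=True)

    # Simulate a compromised update server replacing the package under the same name.
    package.write_bytes(b"constructed tampered payload\n")
    staged = stage_update(package, staging)
    results["tampered"] = install_if_approved(staged, install, manifest, approved=True)

    results["installed_files"] = sorted(p.name for p in install.iterdir())
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The caveat that matters: if the reference digest (or the signing key) is served from the same update server the attacker controls, hash pinning proves nothing. The manifest has to arrive over a channel the update server cannot rewrite, for example signed by a key the vendor keeps offline, and the approval step is what buys the time to notice a release nobody was expecting.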

Accept what you don’t know

Ultimately, you won’t always have direct visibility into all your nth-party risks. That’s why it is important to seek the counsel of those who can provide insight into your most pressing risks and also alert you to unseen threats and dangers. Third-party risk scorecards might help you grasp your security posture at a single moment in time, but that doesn’t address the bigger issue: alerting on dynamic and evolving risks or threats. That’s something only a continuous monitoring solution can offer.

If the events of the last two years have taught us anything, it’s that third party risk is real and growing, and no organization is perfect at combatting it. However, the process becomes more manageable by partnering with organizations that have the tools and services that can control third party risk in a comprehensive way: by continuously monitoring third party hardware, software, and service providers for the presence of malicious threats and other Indicators of Compromise (IOCs).

Third party threat monitoring isn’t a panacea. It won’t solve your digital risk problem alone. But it is something that every company has to make a priority – or be prepared to pay the price!

The post In the 21st Century’s ‘Great Game,’ Third Party Risk Explodes appeared first on LookingGlass Cyber Solutions Inc.

2019 is Here – Have You Made Any Digital Parenting Resolutions for The Year?

Hello parents! Welcome to 2019. I have a hunch you are feeling all charged up and ready to start the new year on a positive note. Are your resolutions for the year ready? Take a minute and check: have you included any digital parenting resolutions in your list? If yes, great! If no, worry not, McAfee Cybermum is here for you.

Parenting is not an easy job, and the rapid progress of technology has only added to it. In addition to teaching your kids values and life skills for the real world, you now have to do the same for the digital world too. At times you don’t know whether you are doing too much or not enough; being the digital immigrants that we are, we have no resources of our own to draw from. There is little time to step back and reflect on one’s own parenting style, leading to doubts and guilt. Wouldn’t it be lovely, therefore, if there was a ready reckoner on the subject?

Sharing my list of digital parenting resolutions with you. They are broadly aimed at helping us be more involved and evolved digital parents who are empowered to guide kids in the digital world. Feel free to add, delete or customize as per your family’s needs. Always keep in mind that each family is different, in terms of values and environment; and each child is different, in terms of ability and maturity.

Parents, presenting to you My Digital Parenting Resolution List for 2019:

  • Focus on digital media balance: There are several devices at home these days. The collective time spent working on a laptop, reading from an e-book and browsing social media on tablets or phones is considerable. To a young child, who can’t differentiate between work and pleasure, it may look like you can’t stay off digital devices the whole day, and they may follow suit. You therefore have to fix your online schedule and practice digital balance.
  • Focus on having a positive digital media presence: What many parents fail to realize is that all social media users are media content creators and consumers. Each user is a newsmaker who can use digital media to create and share content, either negative or positive. As a consumer, a gullible user may accept the content as truth, without verifying. Fake news is rampant, and parents need to impress the need for fact-checking upon the kids.
  • Focus on values like empathy and mercy: The digital world brings the world to your homes and you connect with both strangers and acquaintances. There is therefore a greater need for kindness, tolerance and empathy. Posts may go viral and cause trouble or lead to cyberbullying. Children need to learn the importance of kindness and forgiveness to keep their digital world clean and happy. Parents can set an example by displaying these virtues in the real and the digital world.
  • Focus on self-control: One of the biggest issues nuclear families face today is that of work-life balance. Too many hours spent working can leave parents feeling guilty, and they then try to compensate with expensive gifts. Set up a routine for games, chat and story time with kids to make up for long hours of absence.
  • Focus on being the perfect role model: As we know, children copy their parents. It’s like being a celebrity with the camera rolling 24/7. Modify your speech, actions, and digital actions so that children have the right guidance for their online behavior.
  • Focus on listening more: Parents generally tend to preach rather than listen. Plan to listen well in 2019. You will come to know a lot about your child’s life, aspirations and concerns if you do. The bonus is, they too will pay attention to you and your advice.
  • Focus on general health: You want your child to be healthy and active, right? To be the perfect role model, exercise daily and play some games with your kids. Your kids too will then develop the same disciplined outlook towards health and sports. A healthy, active family usually prefers games to digital devices.
  • Focus on monitoring digital footprints and reputation: As your kids grow up, talk to them about the importance of exercising the right behavior online and the consequences of a poor digital reputation on academic and job prospects. Use examples from social media to differentiate between a desirable and an avoidable post or photo. Discuss what should be kept private and what can be shared.
  • Focus on cybersafety and privacy: With the rise in data breaches and ID theft via phishing attacks, it is imperative to discuss cyber safety regularly at home. Insist on the use of secured devices and scanning of every external device before use. Also, educate your children about malware and how apps, links and attachments are used to share them.
  • Focus on the monitoring and extent of parental supervision online: Though your children will have no problems with the installation of security tools like McAfee Total Protection, parental control is another matter altogether. Here, a diplomatic approach will stand you in good stead. Share your concerns about strangers and cyber criminals and establish that you plan to monitor their online lives till they are mature enough to tackle issues themselves. Ensure that they understand you don’t mean to pry, but to protect.

Start the year on a positive note. Take charge of your family’s digital life. Plan your parenting schedule, just like you plan your day. And yes, Happy New Year!!!


The post 2019 is Here – Have You Made Any Digital Parenting Resolutions for The Year? appeared first on McAfee Blogs.

CVE-2018-20067 (chrome)

A renderer-initiated back navigation was incorrectly allowed to cancel a browser-initiated one in Google Chrome prior to 71.0.3578.80, which allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page.

CVE-2017-15401 (chrome)

A memory corruption bug in WebAssembly in V8 in Google Chrome prior to 62.0.3202.62 could lead to an out-of-bounds read and write, allowing a remote attacker to execute arbitrary code inside the sandbox via a crafted HTML page.

Cisco Releases Security Updates

Original release date: January 09, 2019
Cisco has released security updates to address vulnerabilities in Cisco AsyncOS Software for Cisco Email Security Appliance. A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition.
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:



How Artificial Intelligence Is Shaping the Future of Open Source Intelligence

Editor’s Note: The following blog post is a summary of a presentation from RFUN 2018 featuring OSINT subject matter expert Chief Warrant Officer 3 Nathan McKeldin of the U.S. Army.

Key Takeaways

  • The term artificial intelligence (AI) describes technologies that can make informed, non-random decisions algorithmically.
  • Open source intelligence (OSINT) is based exclusively on publicly available information such as the contents of the open web.
  • AI has many applications in OSINT, both for military and domestic purposes. In particular, it enables human analysts to collect, analyze, and interrogate huge data sets that would otherwise be insurmountable.
  • While AI is vital to the future of OSINT — and intelligence gathering in general — it can’t replace an analyst’s ability to determine the “so what” of intelligence outputs.

The term “artificial intelligence” (AI) has become ubiquitous in the security world. If you believe the sales brochures, practically every security product on the market has some level of AI functionality.

Many types of security solutions tout the benefits of AI, including threat intelligence. But what benefits does AI really bring to the intelligence gathering process?

Late last year, we held our seventh annual Recorded Future User Network (RFUN) conference in Washington, D.C. During the conference, attendees were treated to a presentation on AI applications for open source intelligence (OSINT) by subject matter expert CW3 Nathan McKeldin of the U.S. Army.

Over the past five years, Nathan has used OSINT extensively to inform operational planning, fuel counterintelligence investigations, and support tactical military units with insights, warnings, and targeting information. In his presentation, Nathan explained how AI fits into the intelligence gathering process and how we can expect it to evolve over the next two decades.

Demystifying 4 Key Terms

To get things started, Nathan took the audience through four key definitions.

1. Open Source Intelligence (OSINT)

Since OSINT is Nathan’s primary focus, that’s where things began. According to Public Law 109-163, Sec. 931, OSINT is:

  • Produced from publicly available information
  • Collected, exploited, and disseminated in a timely manner to an appropriate audience
  • Addresses a specific intelligence requirement

The key phrase here is “publicly available.” OSINT is founded on information that’s intended for general public consumption, which means no covert techniques or forced entry is required to collect it.

2. Publicly Available Information

The Department of Defense Manual 5240.01 (August 2016) defines publicly available information as information that is:

  • Published or broadcast for public consumption
  • Is available on request to the public
  • Is accessible online or otherwise to the public
  • Is available to the public by subscription or purchase
  • Could be seen or heard by any casual observer
  • Is made available at a meeting open to the public
  • Is obtained by visiting any place or attending any event that is open to the public

Simply put, if a regular person can access a piece of information without doing anything illegal, you can reasonably classify it as “publicly available.”

3. Artificial Intelligence (AI)

Nathan defines AI as “cognitive reasoning determined through data-driven analysis and algorithmic functions.”

Put another way, an information system can be described as intelligent if it makes an informed, non-random decision algorithmically.

Common subcategories of AI include:

  • Machine vision
  • Machine learning
  • Natural language processing (NLP) and machine translation
  • Robotics
  • Purpose-driven and autonomous machines

However, AI is not the same thing as automation, which is where a system automatically responds to an expected input (or set of inputs) by producing a desired output. The automated doors at your local Walmart may be helpful, but they aren’t intelligent.

4. Machine-Aided Analysis

One of the simplest applications of AI in intelligence gathering is to increase the efficiency of a human analyst. Machine-aided analysis describes the application of certain tenets of AI to a data set to execute tasks a human is capable of, but at a much greater volume and velocity.

Put another way, machine-aided analysis could be described as an “easy button” that takes away the heavy lifting from time-consuming, analytical tasks. For example, it could be used to digest a large volume of documents and automatically produce an output of people, places, and things.

How Does AI Fit Into War Fighting?

Once he’d covered the basic terminology of AI and OSINT, Nathan gave the audience an overview of how AI is being used to improve military operations.

As he explained, from a military perspective, there are five domains:

  • Land (Army)
  • Sea (Navy)
  • Air (Air Force)
  • Space
  • Cyber

Cyber Domains

Naturally, while each of these domains is important in its own right, all five domains are heavily interconnected. Airplanes fly, but they have to land on an airstrip or aircraft carrier. Troops are regularly moved around by air and sea. And, for obvious reasons, the cyber domain has become heavily intertwined with each of the other domains over the past few decades.

So where does AI fit into war fighting? Right at the center.

As AI has evolved, dozens of applications have been identified across each of the primary domains. Cyber is the most obvious candidate, since AI runs on the machines, networks, and internet-connected computers that make up that domain, but there are also plenty of applications for AI in the traditional military domains.

AI for the Land Domain

Over the next 10 to 20 years, we’ll see a huge increase in the use of AI technologies to improve army operations. Some of the most valuable advances will likely include:

  • The use of augmented reality devices with dialed-back stimuli to enable realistic, high-impact training
  • Autonomous route-clearing vehicles that can detonate mines and trip IEDs
  • “Amazon goes to Iraq” — Automated logistics processes that feed supply reports from the field to an autonomous warehouse system that can pull equipment such as MREs and bandages off the shelf, and deliver them to the front line via self-driving supply trucks

AI for the Air and Sea Domains

In addition to the use cases described above, AI will be used to control drones for a variety of military, foreign, and domestic purposes.

AI will also be used to control so-called “drone swarms” to overwhelm opposing forces. The AI involved would be similar to that used to control the drone light show at the opening ceremony of the 2018 Winter Olympics in PyeongChang, South Korea.

AI for the Space Domain

There are plenty of applications for AI in space, but perhaps the most obvious will be systems designed to help space-based assets avoid asteroids, and the development of kinetic strike vehicles.

Empowering the Intelligence Cycle

Once he’d covered the frontline military applications of AI, Nathan took a step back to focus on how AI can be used to enhance intelligence operations.

Consider the intelligence cycle. In simple terms, it’s a feedback loop which starts with a set of requirements, and ends when those requirements are met with an actionable intelligence product.

Intelligence Cycle

This cycle has existed, in some capacity, for as long as wars have been fought, and until recently it was a heavily manual process. Over the last 50 years, however, a number of programs and capabilities have been developed to automate portions of the process.

For example, here are some of the ways that AI can fit into the intelligence cycle:

Artificial Intelligence Cycle

Note that in the first phase of the cycle, Nathan has highlighted machine-aided analysis as the tool set of choice. This is because it’s important to retain human involvement in the loop, particularly when the outputs of the process will be used to inform real-world operations. We’ll look at how machine-aided analysis is enhancing OSINT practices shortly.

Beyond this, however, there are a huge number of applications for intelligent technologies throughout the intelligence cycle. From automated data collection via AI-powered drones and sensors (in the real world) and web crawlers and spiders (in the cyber domain), right through to automated and semi-intelligent dissemination mechanisms to the intended recipient, AI will increasingly be used to enhance and accelerate the intelligence cycle, particularly in a military context.

In fact, AI even has a role to play in improving the intelligence cycle itself.

Intelligence Cycle Reimagined

In the diagram above, note the addition of machine learning to the center of the cycle. As Nathan explained, in the traditional intelligence cycle, humans provide the feedback loop to ensure the process is refined over time. In the future, machine learning will perform this function automatically and iteratively train collection and analysis algorithms by figuring out what’s working and what isn’t based on AI-fueled analysis of massive data sets.

‘Like Trying to Find a Needle in a Stack of Needles’

That brings us to OSINT, a clear candidate for AI enhancement. The single greatest problem faced by OSINT collectors is the sheer volume of data available.

To give the audience an idea of scale, Nathan went over some stats on current global internet usage pulled from Internet Live Stats. In 2018 alone, internet users around the world have:

  • Sent 67,105,618,987,773 emails
  • Searched Google 1,648,103,202,209 times
  • Published 1,557,976,566 blog posts
  • Sent 193,923,407,330 tweets
  • Watched 1,787,898,764,637 videos on YouTube
  • Uploaded 20,581,035,026 photos to Instagram

As Nathan put it: “Because of the massive amount of data available, working with OSINT can be like trying to find a needle in a stack of needles. It can be very hard to get down to that one particular needle you need to find.”

For this reason, applying AI and machine-aided analysis to OSINT has a whole host of benefits. For example:

  • Data Aggregation: Taking unstructured data from the internet and putting it into a structured environment so it becomes queryable, filterable, sortable, and digestible
  • Visualization: Using technology to compare aspects of a data set (e.g., geographic, temporal, and so on)
  • Reasoning: Looking at news stories and tracking their propagation across the internet to determine whether they are likely to be true or false (this will become particularly important as fake news, propaganda, and so-called “deep fakes” increasingly become an issue)
  • Automated Alerting and Reporting: Taking intelligence outputs and making them rapidly available to their intended audience, either as a direct intelligence product or as a resource for AI-powered queryable technologies, such as heads-up displays (HUDs)

Although effusive about the power and value of intelligent technologies to enhance OSINT processes, Nathan was quick to point out that it will never be able to replace an analyst’s ability to determine the “so what?” of information — nor should it.

A (Hypothetical) Example of AI-Powered OSINT in Action

To help put everything into context, Nathan covered a hypothetical scenario of a military analyst using AI-powered OSINT to solve a real-world problem: tracking the activity of extremist groups.

The process could run as follows:

  1. An analyst receives automated outputs from a set of AI processes designed to highlight trends and information likely to be of interest.
  2. She notes the recurrence of a particular symbol associated with extremist activity and sets web crawlers to work finding other instances.
  3. Crawlers collect information from social media, publicly available code repositories, English-language media, foreign-language media, and thousands of other sources.
  4. The collected information is run through AI-powered systems that produce pre-defined outputs (like profiles of relevant actors and/or times and geographic locations associated with instances of the extremist symbol).
  5. Intelligence is automatically prepared into a report which can be utilized by commanders or in-field operators to inform military action.
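The benefits listed above (aggregation, visualization, reasoning, automated reporting) and the five-step scenario are what machine-aided analysis looks like in practice. The Python below is an added example, not Recorded Future code and not from the presentation: it runs the scenario end to end over a handful of constructed posts. The accounts, places, sources, the `loc:` geotag convention and the watched marker `#sigil42` (a stand-in for the symbol the analyst noticed) are all invented for the demo.

```python
"""Machine-aided OSINT pipeline over constructed sample posts.
Added example for this summary; not Recorded Future code and not from the presentation."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed crawler output: accounts, places and the marker are invented for the demo.
RAW_POSTS = [
    {"source": "social", "author": "@alpha_01", "ts": "2018-11-02T08:15:00Z",
     "text": "Meeting tonight loc:Eastport #sigil42 bring friends @beta_99"},
    {"source": "social", "author": "@beta_99", "ts": "2018-11-02T09:40:00Z",
     "text": "RT @alpha_01 #sigil42 loc:Eastport"},
    {"source": "news_en", "author": "eastport-herald", "ts": "2018-11-03T12:00:00Z",
     "text": "Graffiti bearing #sigil42 reported near the docks loc:Eastport"},
    {"source": "forum", "author": "gamma", "ts": "2018-11-04T22:05:00Z",
     "text": "saw the same mark loc:Westfield #sigil42 last week"},
    {"source": "social", "author": "@delta", "ts": "2018-11-04T23:10:00Z",
     "text": "Unrelated post about football loc:Westfield"},
]

WATCHED_MARKER = "#sigil42"  # hypothetical stand-in for the symbol the analyst noticed

MENTION_RE = re.compile(r"@\w+")
HASHTAG_RE = re.compile(r"#\w+")
LOC_RE = re.compile(r"loc:(\w+)")  # assumed geotag convention in the constructed data


@dataclass
class Record:
    source: str
    author: str
    ts: datetime
    text: str
    hashtags: List[str]
    mentions: List[str]
    place: Optional[str]


def structure(raw: list) -> List[Record]:
    """Data aggregation: turn free-text posts into records that can be filtered and sorted."""
    records = []
    for post in raw:
        text = post["text"]
        loc = LOC_RE.search(text)
        records.append(Record(
            source=post["source"], author=post["author"],
            ts=datetime.strptime(post["ts"], "%Y-%m-%dT%H:%M:%SZ"), text=text,
            hashtags=[h.lower() for h in HASHTAG_RE.findall(text)],
            mentions=MENTION_RE.findall(text),
            place=loc.group(1) if loc else None))
    return records


def find_marker(records: List[Record], marker: str) -> List[Record]:
    """The crawler step of the scenario: keep only posts carrying the watched marker."""
    return [r for r in records if marker.lower() in r.hashtags]


def actor_profiles(hits: List[Record]) -> dict:
    """Per-actor summary: activity, first and last sighting, platforms used, who they reference."""
    profiles = {}
    for r in sorted(hits, key=lambda rec: rec.ts):
        p = profiles.setdefault(r.author, {"posts": 0, "first_seen": r.ts, "last_seen": r.ts,
                                           "sources": set(), "mentions": set()})
        p["posts"] += 1
        p["last_seen"] = r.ts
        p["sources"].add(r.source)
        p["mentions"].update(r.mentions)
    return profiles


def time_place_histogram(hits: List[Record]) -> Counter:
    """Visualization input: sightings bucketed by (day, place)."""
    return Counter((r.ts.date().isoformat(), r.place or "unknown") for r in hits)


def propagation(hits: List[Record]) -> list:
    """Reasoning input: when the marker first surfaced in each source type, in time order."""
    first_seen = {}
    for r in sorted(hits, key=lambda rec: rec.ts):
        first_seen.setdefault(r.source, r.ts)
    return [(src, ts.isoformat()) for src, ts in sorted(first_seen.items(), key=lambda kv: kv[1])]


def build_report(raw: list, marker: str = WATCHED_MARKER) -> dict:
    """Automated reporting: one structured product an analyst can interrogate."""
    hits = find_marker(structure(raw), marker)
    return {"marker": marker, "hits": len(hits), "actors": actor_profiles(hits),
            "by_time_place": time_place_histogram(hits), "propagation": propagation(hits)}


if __name__ == "__main__":
    report = build_report(RAW_POSTS)
    print(report["hits"], "sightings of", report["marker"], report["propagation"])
    for actor, profile in report["actors"].items():
        print(actor, profile["posts"], sorted(profile["sources"]), sorted(profile["mentions"]))
```

The report is deliberately a structured object rather than prose: the histogram feeds a map or timeline, the propagation list shows the marker moving from social posts to local news to a forum over three days, and the actor profiles expose the @alpha_01 to @beta_99 link. None of that answers the "so what"; it just gets the analyst to the needle faster.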

In this example, the entire process, from collection to dissemination, is facilitated by AI. Threat intelligence solutions like the Recorded FutureⓇ Platform are already being used to fulfill intelligence processes very much like the one Nathan described, both for military and cybersecurity purposes.

AI Possibilities for the Future of OSINT

To round things off, Nathan covered some of the ways AI could impact OSINT in the coming years.

From a positive perspective, AI could power personal assistant technologies with access to open source or classified databases — essentially like Siri with a security clearance. Imagine an in-field operator asking, “Hey Siri, when was the last time [extremist organization] was active in this area?” and receiving an immediate, accurate response.

Similarly, AI could power wearable technologies such as a smart contact lens that tracks eye motion, reads documents, discovers relationships, makes recommendations, provides analyses, and pushes everything to a HUD — think next-generation Google Glass built into a tactical visor.

Of course, not all applications of AI will be forces for good.

From an adversarial perspective, fake news and “deep fakes” — the use of AI to quickly create relatively convincing fake audio or video, like a clip of the president giving a speech he never actually gave — will continue to be a huge concern. We’ve already seen this to some extent with Russian interference and propaganda during the 2016 U.S. presidential campaign, and things are only going to become murkier. In particular, fake videos are getting better all the time, and are already becoming very difficult to identify.

Fortunately, as Nathan pointed out during the presentation, there will also be applications for AI to distinguish between genuine and fake media by analyzing signatures and tracking their propagation online.

Ultimately, Nathan’s sentiment was clear. AI has a huge role to play in the future of intelligence gathering, both for military and domestic organizations, and it will become increasingly mainstream as time moves on.

The post How Artificial Intelligence Is Shaping the Future of Open Source Intelligence appeared first on Recorded Future.


Why we want users’ feedback on Snort rule documentation

Today, Talos is launching a new community survey to solicit feedback on SNORTⓇ documentation.

When Snort alerts the end user, the rule documentation is their first and possibly only avenue for finding information on malicious traffic in their network. We know this can be better, and we want your help in determining what we can do to make Snort users more knowledgeable and provide them with more information.

So, we’re polling the community to find out what they need. To facilitate this, we’re sending out a five-minute survey to all users. We also plan to add feedback options to Snort documentation pages so users can communicate with us on an ongoing basis.

With the feedback we receive from the survey, our analysts can provide targeted information to communicate the most useful details on rule alerts. The more information we gather on customer frustrations, the better chance we have of finding ways to solve them to create a community and customer base with the right arsenal to overcome their security challenges.

For more information on this survey process, read the entire Snort blog post on this matter here. You can fill out the survey here.

Ryuk Ransomware Attack: Rush to Attribution Misses the Point

Senior analyst Ryan Sherstobitoff contributed to this report.

During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing services in the United States has garnered a lot of attention. To determine who was behind the attack many have cited past research that compares code from Ryuk with the older ransomware Hermes to link the attack to North Korea. Determining attribution was largely based on the fact that the Hermes ransomware has been used in the past by North Korean actors, and code blocks in Ryuk are similar to those in Hermes.

The McAfee Advanced Threat Research team has investigated this incident and determined how the malware works, how the attackers operate, and how to detect it. Based on the technical indicators, known cybercriminal characteristics, and evidence discovered on the dark web, our hypothesis is that the Ryuk attacks may not necessarily be backed by a nation-state, but rather share the hallmarks of a cybercrime operation.

How McAfee approaches attribution

Attribution is a critical part of any cybercrime investigation. However, technical evidence is often not enough to positively identify who is behind an attack because it does not provide all the pieces of the puzzle. Artifacts do not all appear at once; a new piece of evidence unearthed years after an attack can shine a different light on an investigation and introduce new challenges to current assumptions.

Ryuk attack: putting the pieces together

In October 2017, we investigated an attack on a Taiwanese bank. We discovered the actors used a clever tactic to distract the IT staff: a ransomware outbreak timed for the same moment that the thieves were stealing money. We used the term pseudo-ransomware to describe this attack. The malware was Hermes version 2.1.

One of the functions we often see in ransomware samples is that they will not execute if the victim’s system language is one of the following:

  • 419 (Russian)
  • 422 (Ukrainian)
  • 423 (Belarusian)

That was October 2017. Searching earlier events, we noticed a posting from August 2017 in an underground forum in which a Russian-speaking actor offered the malware kit Hermes 2.1 ransomware:

What if the actor who attacked the Taiwanese bank simply bought a copy of Hermes and added it to the campaign to cause the distraction? Why go to the trouble to build something, when the actor can just buy the perfect distraction in an underground forum?

In the same underground forum thread we found a post from October 22, 2018, mentioning Ryuk.

This post contains a link to an article in the Russian security magazine Xakep.ru (“Hacker”) discussing the emergence of Ryuk and how it was first discovered by MalwareHunterTeam in August 2018. This first appearance came well before last week’s attack on newspaper printing services.

Manga connection

Ryuk, according to Wikipedia, refers to a Japanese manga character from the series “Death Note.” Ryuk apparently drops a death note, a fitting name for ransomware that drops ransom notes.

Ransomware is typically named by its cybercriminal developer, as opposed to the naming of state-sponsored malware, which is mostly done by the security industry. It seems the criminals behind Ryuk are into manga.

The use of manga character names and references is common in the cybercriminal scene. We often come across manga-inspired nicknames and avatars in underground forums.

Technical indicators

Looking at research from our industry peers comparing Ryuk and Hermes, we notice that the functionalities are generally equal. We agree that the actors behind Ryuk have access to the Hermes source code.

Let’s dive a bit deeper into Ryuk and compare samples over the last couple of months regarding compilation times and the presence of program database (PDB) paths:

We can see the PDB paths are almost identical. When we compare samples from August and December 2018 and focus on the checksum values of the executables’ rich headers, they are also identical.
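The comparison described above (compile time, PDB path and Rich header checksum across samples) is easy to automate. The following is an added example, not code from the McAfee report: a small triage script that pulls the three fields straight out of a PE file without third-party libraries. The sample blobs it runs on are constructed in the block (they are not Ryuk samples or runnable executables), and the assumed PDB path, Rich header key and timestamps are placeholders.

```python
import struct

DANS_MAGIC = 0x536E6144   # the bytes b"DanS" read as a little-endian dword
RICH_MAGIC = b"Rich"


def _pe_offset(data: bytes) -> int:
    """Offset of the PE signature (e_lfanew); raises if the MZ header is missing."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    return struct.unpack_from("<I", data, 0x3C)[0]


def extract_rich_header(data: bytes):
    """Return (xor_key, [(comp_id, count), ...]) or None if there is no Rich header.

    The Rich header sits between the DOS stub and the PE signature. It ends with
    b"Rich" followed by the 32-bit XOR key (the 'checksum' analysts compare) and
    starts with b"DanS" XORed with that key, then three XORed padding dwords.
    """
    end = data.find(RICH_MAGIC, 0, _pe_offset(data))
    if end < 0 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    start = None
    for off in range(end - 4, -1, -4):          # walk backwards to the DanS marker
        if struct.unpack_from("<I", data, off)[0] ^ key == DANS_MAGIC:
            start = off
            break
    if start is None:
        return None
    entries = []
    for off in range(start + 16, end, 8):      # (comp_id, count) pairs, both XORed
        comp_id, count = struct.unpack_from("<II", data, off)
        entries.append((comp_id ^ key, count ^ key))
    return key, entries


def extract_timestamp(data: bytes) -> int:
    """COFF TimeDateStamp (seconds since the Unix epoch) from the PE file header."""
    pe = _pe_offset(data)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, pe + 8)[0]   # after Machine(2) and NumberOfSections(2)


def extract_pdb_path(data: bytes):
    """PDB path from the first CodeView RSDS record, or None.

    Layout: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path. Walking the
    debug directory is the rigorous route; scanning for the signature is the usual
    triage shortcut and is enough for comparing samples.
    """
    idx = data.find(b"RSDS")
    if idx < 0:
        return None
    nul = data.find(b"\0", idx + 24)
    return None if nul < 0 else data[idx + 24:nul].decode("latin-1")


def fingerprint(data: bytes) -> dict:
    rich = extract_rich_header(data)
    return {"timestamp": extract_timestamp(data), "pdb": extract_pdb_path(data),
            "rich_key": rich[0] if rich else None, "rich_entries": rich[1] if rich else None}


def same_build_environment(a: bytes, b: bytes) -> bool:
    """The heuristic used in the text: identical Rich header key and PDB path point to
    the same tool chain and project even when the compile times differ."""
    fa, fb = fingerprint(a), fingerprint(b)
    return fa["rich_key"] is not None and fa["rich_key"] == fb["rich_key"] and fa["pdb"] == fb["pdb"]


def build_sample(key: int, entries, timestamp: int, pdb_path: str) -> bytes:
    """Constructed, minimal PE-like blob (not a runnable executable) carrying a Rich
    header, a COFF timestamp and an RSDS record, so the parsers can be exercised offline."""
    def x(v):                                   # XOR-encode one dword with the key
        return struct.pack("<I", v ^ key)
    rich = x(DANS_MAGIC) + x(0) * 3
    for comp_id, count in entries:
        rich += x(comp_id) + x(count)
    rich += RICH_MAGIC + struct.pack("<I", key)
    dos = bytearray(0x80)                       # MZ header plus an empty stub
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80 + len(rich))
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, timestamp) + b"\0" * 12
    rsds = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path.encode("ascii") + b"\0"
    return bytes(dos) + rich + coff + rsds


# Constructed stand-ins for an "August" and a "December" build of one project (placeholder values)
SAMPLE_AUG = build_sample(0x1234ABCD, [(0x010093, 5), (0x00DE5B, 1)], 1533081600, r"C:\constructed\build\sample.pdb")
SAMPLE_DEC = build_sample(0x1234ABCD, [(0x010093, 7), (0x00DE5B, 1)], 1543622400, r"C:\constructed\build\sample.pdb")

if __name__ == "__main__":
    for name, blob in (("aug", SAMPLE_AUG), ("dec", SAMPLE_DEC)):
        print(name, fingerprint(blob))
    print("same build environment:", same_build_environment(SAMPLE_AUG, SAMPLE_DEC))
```

On real files, pass `open(path, "rb").read()` to `fingerprint()`; differing timestamps with a matching Rich key and PDB path are exactly the pattern the report describes for the August and December samples.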

From a call-flow perspective, we notice the similarities and evolution of the code:

The Hermes 2.1 ransomware kit, renamed and redistributed as Ryuk.

The author and seller of Hermes 2.1 emphasizes that what he is selling is a kit and not a service. This suggests that a buyer of the kit must do some fine tuning by setting up a distribution method (spam, exploit kit, or RDP, for example) and infrastructure to make Hermes work effectively. If changing a name and ransom note are part of these tuning options, then it is likely that Ryuk is an altered version of Hermes 2.1.

Attribution: analyzing competing hypotheses

In the race to determine who is behind an attack, research facts (the What and How questions) are often put aside to focus on attribution (the Who question). Who did it? This pursuit is understandable yet fundamentally flawed. Attribution is crucial, but there will always be unanswered questions. Our approach focuses on answering the What and How questions by analyzing the malware, the infrastructure involved, and the incident response performed at the victim’s site.

Our approach is always to analyze competing hypotheses. When investigating an incident, we form several views and compare all the artifacts to support these hypotheses. We try not only to seek verifying evidence but also actively try to find evidence that falsifies a hypothesis. Keeping our eyes open for falsifying facts and constantly questioning our results are essential steps to avoid confirmation bias. By following this method, we find the strongest hypothesis is not the one with the most verifying evidence, but the one with the least falsifying evidence.

Examining competing hypotheses is a scientific approach to investigating cyber incidents. It may not help with the race to attribution, but it ensures the output is based on available evidence.

The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor. From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have asked a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat. That analysis is essential because it allows us to serve our customers.

The post Ryuk Ransomware Attack: Rush to Attribution Misses the Point appeared first on McAfee Blogs.

Google Public DNS now supports DNS-over-TLS



Google Public DNS is the world’s largest public Domain Name Service (DNS) recursive resolver, allowing anyone to convert Internet domain names like www.example.com into Internet addresses needed by an email application or web browser. Just as your search queries can expose sensitive information, the domains you look up via DNS can also be sensitive. Starting today, users can secure queries between their devices and Google Public DNS with DNS-over-TLS, preserving their privacy and integrity.

The DNS environment has changed for the better since we launched Google Public DNS over eight years ago. Back then, as today, part of Google Public DNS’ mission has been to improve the security and accuracy of DNS for users all over the world. But today, there is an increased awareness of the need to protect users’ communication with their DNS resolvers against forged responses and safeguard their privacy from network surveillance. The DNS-over-TLS protocol specifies a standard way to provide security and privacy for DNS traffic between users and their resolvers. Now users can secure their connections to Google Public DNS with TLS, the same technology that protects their HTTPS web connections.

We implemented the DNS-over-TLS specification along with the RFC 7766 recommendations to minimize the overhead of using TLS. These include support for TLS 1.3 (for faster connections and improved security), TCP fast open, and pipelining of multiple queries and out-of-order responses over a single connection. All of this is deployed with Google’s serving infrastructure which provides reliable and scalable management for DNS-over-TLS connections.
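To make the protocol concrete, here is an added example (not Google's code) of what a DNS-over-TLS client actually sends: a standard RFC 1035 query, framed with the two-byte length prefix that RFC 7766 requires for DNS over TCP, written into a verified TLS session. The parsing and framing functions run offline against a response constructed inside the block; only `query_over_tls()` touches the network, and it assumes the public endpoint `dns.google` on 8.8.8.8 port 853.

```python
import socket
import ssl
import struct

DOT_HOST = "dns.google"    # hostname the server certificate is verified against
DOT_IP = "8.8.8.8"
DOT_PORT = 853


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Encode a recursive DNS query (QTYPE 1 = A) in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\0" + struct.pack(">HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """DNS over TCP/TLS prefixes every message with its 16-bit length (RFC 7766)."""
    return struct.pack(">H", len(msg)) + msg


def unframe(stream: bytes):
    """Split a byte stream of length-prefixed messages; returns (messages, leftover)."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        n = struct.unpack_from(">H", stream, pos)[0]
        if pos + 2 + n > len(stream):
            break                               # partial message, wait for more bytes
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs, stream[pos:]


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:                    # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + n


def parse_a_records(msg: bytes, expected_txid: int):
    """IPv4 addresses from the answer section; raises on txid mismatch or non-zero RCODE."""
    txid, flags, qd, an, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or forged reply)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, pos)
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs


def build_constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply to `query` (not captured from Google), using a compression
    pointer (0xC00C) back to the question name the way real servers do."""
    txid = struct.unpack_from(">H", query, 0)[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    rr = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


def query_over_tls(name: str, txid: int = 0x1234, timeout: float = 5.0):
    """Resolve `name` through Google Public DNS over TLS (needs network access).

    Certificate verification against DOT_HOST is what defeats forged responses;
    the length framing lets several queries share one connection."""
    ctx = ssl.create_default_context()
    with socket.create_connection((DOT_IP, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=DOT_HOST) as tls:
            tls.sendall(frame(build_query(name, txid)))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
                msgs, _ = unframe(buf)
                if msgs:
                    return parse_a_records(msgs[0], txid)
    raise ConnectionError("connection closed without a response")


if __name__ == "__main__":
    print(query_over_tls("www.example.com"))
```

The length prefix is the part people forget when they move from UDP to TLS: without it the server cannot tell where one pipelined query ends and the next begins, which is also why `unframe()` has to tolerate a message split across two `recv()` calls.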

Use DNS-over-TLS today

Android 9 (Pie) device users can use DNS-over-TLS today. For configuration instructions for Android and other systems, please see the documentation. Advanced Linux users can use the stubby resolver from dnsprivacy.org to talk to Google’s DNS-over-TLS service.

If you have a problem with Google Public DNS-over-TLS, you can create an issue on our tracker or ask on our discussion group. As always, please provide as much information as possible to help us investigate the problem!

IDG Contributor Network: Data Privacy Day 2019

January 28 is Data Privacy Day! Thanks to Europe’s GDPR we are all thinking data privacy these days.

GDPR is the General Data Protection Regulation. It is an EU law on data protection and privacy for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU and EEA areas.

The GDPR was a wake-up call for the US and its tech companies that not only serve US based customers, but you guessed it, EU customers as well. This law is as global as the internet itself. If you are a global service or software provider like Google or Microsoft, chances are your customers are located all over the world and in the case of EU customers this law applies to them and their privacy on your systems wherever your servers are located.


Why Zero Tolerance Is the Future for Phishing

Our Testing Data Shows You’re Letting Me Hack You Every Time

Phishing just doesn’t get the love it deserves in the security community. It doesn’t get the headlines, security staff time, or dedicated attention that other, more flashy threat vectors get. Certainly, high-impact malware variants that sweep the globe, get their own cool logos and catchy names command respect. But at the end of the day, phishing attacks are really the ones that bring most organizations to their knees and are at the very start of some of the most devastating cyberattacks.

From my experience as a penetration tester and social engineer, it seems that most customers view phishing campaigns as a requirement to deal with once a year, with some high-performing companies tossing in additional computer-based training. In most instances, this type of testing is just one mandatory component of an annual compliance test like FedRAMP, which means, in effect, that the enterprise hasn’t tested their phishing defenses since the last time an audit was performed. Yet the numbers tell an alarming story: phishing has been shown to be the first step in over 90% of recorded breaches. It is a formidable threat to every organization and typically not addressed adequately in cybersecurity strategies.

As security professionals, we are commonly asked “what is an acceptable failure rate for phishing?” (FedRAMP and other certifications address acceptable failure rates as well.) For years, the prevailing sentiment and some professional guidance has been that anything under 10% would be trending in the right direction. While this guidance is, in my view, misguided, many industry professionals and consultancies have given out the same improper (or perhaps we should say “very outdated”) guidance, however well intentioned.

We have gathered three years of phishing test data from multiple phishing campaigns launched at some of the top Fortune 500 companies all the way down to sole proprietorships. From the data, one metric stands above all the others: 62.5% compromise rate. We have tested over 100 companies that have, in their opinion, “stellar phishing programs,” those that have a single campaign once a year, and those that do relatively nothing from year to year. While the quality of phishing testing programs has a broad range, the fact of the matter is, if a person clicks on a phishing email link (and 26.2% do, on average, in our data), there is a 62.5% chance on average that person is either going to download a payload that will give the malicious actor control of the host, or that person will share working credentials to their account. While there are security measures that can help to a degree, the metrics are clear—even if the threat actor doesn’t compromise your host, over half the time an active username and password is now in the hands of a malicious actor.

These results should be a significant wake-up call for every organization. Using the “old” acceptable rate of a 10% click through, that leaves a 6% compromise rate. Let’s look at what that might look like for a large enterprise with, say, 50,000 employees. A 26.2% click rate equals 13,100 clicks. If this company were to fall into the “average” compromise rate, that would be 8,187 compromises! Even the industry-standard 10% click rate would yield 3,125 compromises. 

I believe that companies should be striving for zero clicks. While this may well be unattainable, we as humans tend to be complacent in coming close to our goals. A goal of 10% will likely mean 12%. A goal of 2% will likely achieve a result of 5%, and with a 62.5% compromise rate, will still likely open the enterprise network to an unacceptable level of risk. Given not only the important role phishing plays as an entryway to significant breaches but also the likelihood of compromise per click, the industry should be shouting “Zero Tolerance” for all to hear. The days of acceptable risk should be over.

We are unlikely to eliminate the human element and the risks that brings. There will always be mistakes or issues as long as humans are involved. But by setting far more aggressive goals and standing up progressively better phishing testing programs to train employees, reward them for improvement, incentivize them for doing the right thing, and demonstrate what “good” looks like, enterprises can both set and meet more aggressive targets to better protect the organization.

While phishing isn’t the most interesting, headline-worthy topic in cyber news today, it should be a top concern when relating to cybersecurity in nearly every company. The cultural norm needs to shift to zero tolerance, and until it does, as a social engineer and fake criminal by day, I would like to thank you. Every single phishing campaign I run is going to provide me access to your system. You are making access to your company so very easy.

About the author: Gary De Mercurio is senior consultant for the Labs group at Coalfire, a provider of cybersecurity advisory and assessment services.

Copyright 2010 Respective Author at Infosec Island

NSFAS students warned of online scams


The National Student Financial Aid Scheme (NSFAS) has advised students to use the My NSFAS Online Self-Service Portal to view their application status or any other information related to funding, as it has stopped communicating with students via SMS because of fraudulent activities that aim to access their personal information.

Applicants register to study at CPUT. There are concerns that few students are registering at technical and vocational education and training colleges.

Malicious cyber attackers have recently tried to gain access to students’ financial aid at multiple tertiary institutions in a scheme that involves sending fraudulent emails and SMSes to students.

Students who apply for NSFAS do so free of charge and are not required to pay for the application.

NSFAS spokesperson Kagisho Mamabolo said that, for the first time, returning and continuing students had been targeted by the phishing mails over the past two weeks.

Other scams identified by the scheme include fraudsters luring students into providing confidential information via a link or a site controlled by the suspects. The email or text message scam is designed to look like an official message issued by the scheme’s contact centre. Students receive mails requesting them to update their account information by clicking on a link. The scheme is warning all students to take extra care when sharing personal information online or on their cellphones.

NSFAS said it would never ask applicants for their account details, password, Pin or OTP over the phone or via email.

“Unidentified attackers are posing as NSFAS representatives and sending out emails requesting applicants and progressing students to update their account information by clicking on an embedded link. We would like to warn all the applicants, students and parents to be aware of these fraudsters and take extra care when dealing with their personal information online or over the phone,” read the NSFAS notice.

Students should use the myNSFAS self-service at www.nsfas.org.za.

Guide to Developing a National Cybersecurity Strategy—a resource for policymakers to respond to cybersecurity challenges

Nations from every corner of the world are increasingly leveraging digital transformation to grow their economies and empower businesses to improve services, including vital services provided by critical infrastructures. This adoption of new information communications technologies (ICT) has unfortunately been accompanied by a rapid expansion in the frequency and severity of cyberattacks, prompting government policymakers to seek solutions that address these new challenges. The recently released Guide to Developing a National Cybersecurity Strategy provides helpful guidance to support this work.

Developing effective policies to respond to cybersecurity challenges requires more than a whole-of-government response; it involves a whole-of-nation effort, with government ministries and experts from across sectors of the economy and from civil society collaborating to create approaches that simultaneously improve security and enable innovation. The Guide to Developing a National Cybersecurity Strategy is a comprehensive document for policymakers working to either establish, or update and evolve upon, their respective national cybersecurity strategies. It was developed in partnership with leading voices from government, civil society, academia, and industry.

Such authentic multi-stakeholder collaboration is essential, though too often absent, in the development of effective cybersecurity policies. This type of engagement takes time and commitment from all parties involved to engage in a deliberate and iterative process, listening to and valuing all perspectives, to reach agreement. While requiring greater time and careful balance, this type of inclusive process results in policies that are effective and enduring. We at Microsoft are grateful to have been included in the development of this guide and are proud of the result.

The Guide to Developing a National Cybersecurity Strategy should be used by policymakers tasked with developing or improving upon national strategies. It carefully lays out both the process for developing cyber strategies, as well as the essential content that needs to be included, based on international best practices, regardless of the cultural, social, or economic context of any particular country. The process and content provided in the guide are presented across four main sections, which include:

  • An essential overview of cybersecurity policymaking: A bit of a summary, the overview includes clear definitions and explanations of associated topics and concepts that policymakers should keep top of mind when developing a national strategy.
  • The strategy development lifecycle: Outlines the lifecycle of developing and then maintaining an effective national cybersecurity strategy, breaking down the essential steps along the way and explaining who needs to be included in the decision-making process, and then how the strategy is to be implemented and managed once it is complete.
  • Overarching principles of a strategy: Shifts the focus to the content of the strategy itself. The principles provide policymakers with high-level, fundamental considerations that must be taken into account during the development of effective strategies.
  • Focus areas and good practices: Zooms in on specifics. It identifies the key elements and topics that should be addressed during the development of a strategy by walking through seven specific focus areas.

The guide truly is a valuable resource for policymakers in any context, whether a nation's cybersecurity strategy is currently in place or still needs to be developed. Because that is perhaps the most important lesson of the guide itself: a national cybersecurity strategy is not simply a box to be checked and set aside, but rather an ongoing and recursive process of creating, implementing, and improving strategies to adapt to new opportunities and challenges associated with the ever-evolving world of technology.

The post Guide to Developing a National Cybersecurity Strategy—a resource for policymakers to respond to cybersecurity challenges appeared first on Microsoft Secure.

CVE-2018-20679 (busybox)

An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes.

CVE-2019-5747 (busybox)

An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679.
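Both advisories above come down to the same parser property: an option's length byte was trusted when the consumer expected a fixed 4-byte value (DHCP_SUBNET in the second CVE). The following is an added example, not BusyBox code and not a port of udhcp_get_option(), showing what a hardened option walker has to enforce: every read stays inside the buffer, and options with a fixed RFC 2132 size are rejected unless the length matches. The DHCP messages it runs on are constructed in the block, not captured traffic.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
DHCP_SUBNET, DHCP_ROUTER, DHCP_LEASE_TIME, DHCP_MSG_TYPE, DHCP_SERVER_ID = 1, 3, 51, 53, 54

# Options whose RFC 2132 definition fixes their length. A parser that hands these to
# callers expecting 4 bytes must enforce the size instead of trusting the length byte.
FIXED_LEN = {DHCP_SUBNET: 4, DHCP_LEASE_TIME: 4, DHCP_MSG_TYPE: 1, DHCP_SERVER_ID: 4}
MULTIPLE_OF = {DHCP_ROUTER: 4}          # a list of IPv4 addresses


class MalformedOption(ValueError):
    pass


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the options field of a DHCP message into {code: raw_bytes}.

    Every read is bounds-checked against the buffer and fixed-size options are
    rejected unless their length matches, so a crafted message cannot make a
    consumer read past the option (or past the packet) looking for its 4 bytes.
    """
    if not payload.startswith(DHCP_MAGIC):
        raise MalformedOption("missing DHCP magic cookie")
    opts, pos, end = {}, len(DHCP_MAGIC), len(payload)
    while pos < end:
        code = payload[pos]
        if code == OPT_PAD:
            pos += 1
            continue
        if code == OPT_END:
            break
        if pos + 2 > end:
            raise MalformedOption(f"option {code}: length byte missing")
        length = payload[pos + 1]
        start, stop = pos + 2, pos + 2 + length
        if stop > end:
            raise MalformedOption(f"option {code}: declared length {length} runs past the buffer")
        if code in FIXED_LEN and length != FIXED_LEN[code]:
            raise MalformedOption(f"option {code}: length {length}, expected {FIXED_LEN[code]}")
        if code in MULTIPLE_OF and (length == 0 or length % MULTIPLE_OF[code]):
            raise MalformedOption(f"option {code}: length {length} is not a multiple of {MULTIPLE_OF[code]}")
        opts.setdefault(code, payload[start:stop])   # first occurrence wins
        pos = stop
    return opts


def check_options(payload: bytes):
    """None for a well-formed options block, otherwise the validation error text."""
    try:
        parse_dhcp_options(payload)
        return None
    except MalformedOption as exc:
        return str(exc)


def ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


# Constructed messages (not captured traffic)
GOOD_OFFER = (DHCP_MAGIC
              + bytes([DHCP_MSG_TYPE, 1, 2])                       # DHCPOFFER
              + bytes([DHCP_SUBNET, 4]) + b"\xff\xff\xff\x00"
              + bytes([DHCP_ROUTER, 4]) + b"\xc0\xa8\x01\x01"
              + bytes([DHCP_LEASE_TIME, 4]) + (86400).to_bytes(4, "big")
              + bytes([DHCP_SERVER_ID, 4]) + b"\xc0\xa8\x01\x01"
              + bytes([OPT_END]))
SHORT_SUBNET = DHCP_MAGIC + bytes([DHCP_SUBNET, 2]) + b"\xff\xff" + bytes([OPT_END])
OVERRUN = DHCP_MAGIC + bytes([DHCP_SUBNET, 4]) + b"\xff\xff"          # claims 4 bytes, carries 2

if __name__ == "__main__":
    opts = parse_dhcp_options(GOOD_OFFER)
    print("subnet mask:", ipv4(opts[DHCP_SUBNET]), "lease:", int.from_bytes(opts[DHCP_LEASE_TIME], "big"))
    for name, msg in (("short subnet", SHORT_SUBNET), ("overrun", OVERRUN)):
        print(f"{name}: {check_options(msg)}")
```

The two rejected messages correspond to the two advisories: a length byte that is wrong for the option, and a length byte that points past the end of the packet. A parser in C that skips either check returns a pointer whose consumer reads stack or packet bytes it was never given, which is the information leak the advisories describe.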

German Police Seek Help In Finding Parcel Bomber With MAC Address

German police are seeking your help in gathering information related to a MAC address that could lead to the cell phone device used by a DHL blackmailer who last year parceled out bombs at different addresses in Brandenburg and Berlin. Between November 2017 and April 2018, someone used German parcel delivery service DHL to sent out several so-called improvised explosive devices (IEDs) in

Malware Attack Compromises Titan’s System and Steals Customer Data


Titan Manufacturing and Distribution Inc. reported that its computer systems were compromised by malware for about a year, from November 23, 2017 until October 25, 2018, according to an IT security expert.

Although the company says it does not store customer data, the malware installed on its systems could have captured the data entered into users' shopping carts, for example the users' full names, billing addresses, contact numbers and payment card details, including card numbers, expiration dates and verification codes.

After learning of the incident, Titan informed its customers and stated in a notice that customers who purchased products from its online stores between November 23, 2017 and October 25, 2018 might have been affected.

“Titan Manufacturing and Distributing, Inc. (“Titan”) values your business and recognizes the importance of the security of your information. For these reasons, we are writing to let you know, as a precautionary measure, that Titan has been the victim of a data security incident that may involve your information,” the notice read.

Titan is now working closely with a third-party IT security expert to investigate the incident and will provide one year of complimentary identity theft protection to all potentially affected customers.

In addition to upgrading its security, moving its computer systems to a new server, and deleting and resetting all administrative login credentials, the company has asked its users to remain vigilant by frequently monitoring their financial records for suspicious activity and reporting it immediately.

Enterprise iPhones will soon be able to use security dongles

Enterprise security professionals will be pleased to learn that it will soon be possible to enhance the already considerable device security of Apple’s iPhones with hardware-based physical authentication dongles using the Lightning port.

A highly secure proposition

Announced at CES 2019, the key fits on a keyring and comes from the authorization experts at Yubico. The hardware connects to iOS systems using the Lightning connection and is also equipped with USB-C for Macs. This is quite a big deal.


Phishing Kit Uses Custom Web Font to Impersonate Major US Bank

A new phishing kit uses a custom web font to implement a substitution cipher in its efforts to target customers of a major U.S. bank.

Researchers at Proofpoint first came across the unnamed phishing kit in May 2018. The landing page leverages stolen branding to steal users’ credentials for a major retail bank, and the source code includes encoded display text.

Digging further, the researchers determined that the base64-encoded woff and woff2 files were the only loaded fonts in the template. They then observed that the kit uses a custom web font file to render the ciphertext as plaintext, which helps it evade detection and conceals its activity from victims.
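The observation that the base64-encoded woff and woff2 files were the only fonts the template loaded is a usable hunting indicator. As an added example, not Proofpoint's code or the kit's, the following scans a page's inline CSS for @font-face sources, decodes any data: URIs, and checks the decoded bytes for a real font magic; a landing page whose every font is embedded inline is worth a closer look. The markup it runs on is constructed in the block (the embedded blobs are only font headers, not working fonts).

```python
import base64
import re

FONT_FACE_RE = re.compile(r"@font-face\s*\{(.*?)\}", re.S | re.I)
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)
FONT_MAGIC = {b"wOFF": "woff", b"wOF2": "woff2", b"\x00\x01\x00\x00": "ttf", b"OTTO": "otf"}


def font_sources(markup: str):
    """Every url() inside an @font-face block in the page's inline CSS."""
    return [u for block in FONT_FACE_RE.findall(markup) for u in URL_RE.findall(block)]


def classify_source(src: str):
    """('inline', format) for a data: URI, else ('external', None).

    The format comes from the decoded bytes, not from the declared MIME type, so a
    data: URI labelled as an image that actually carries a font is still caught."""
    if not src.lower().startswith("data:"):
        return "external", None
    try:
        _, b64 = src.split(",", 1)
        blob = base64.b64decode(b64, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return "inline", "undecodable"
    for magic, fmt in FONT_MAGIC.items():
        if blob.startswith(magic):
            return "inline", fmt
    return "inline", "unknown"


def inline_font_report(markup: str) -> dict:
    """Summary a hunting rule can key on: how many fonts, how many embedded, which formats."""
    srcs = font_sources(markup)
    kinds = [classify_source(s) for s in srcs]
    inline = [fmt for where, fmt in kinds if where == "inline"]
    return {
        "fonts": len(srcs),
        "inline": len(inline),
        "formats": inline,
        # the indicator noted above: every font the page loads is embedded in the page
        "all_fonts_inline": bool(srcs) and len(inline) == len(srcs),
    }


# Constructed landing-page fragment; the base64 blobs decode to 8-byte woff2/woff headers
SAMPLE_INLINE = """<style>
@font-face { font-family: 'brandfont';
  src: url(data:font/woff2;base64,d09GMgAAAAA=) format('woff2'),
       url("data:font/woff;base64,d09GRgAAAAA=") format('woff'); }
body { font-family: 'brandfont'; }
</style>"""

# Constructed benign counterpart: fonts served from a normal URL
SAMPLE_EXTERNAL = "<style>@font-face{font-family:x;src:url('/static/fonts/x.woff2') format('woff2')}</style>"

if __name__ == "__main__":
    for label, page in (("inline", SAMPLE_INLINE), ("external", SAMPLE_EXTERNAL)):
        print(label, inline_font_report(page))
```

Inline fonts are common on legitimate sites too, so treat `all_fonts_inline` as one signal to combine with the others on the page (stolen branding, credential form posting off-domain) rather than a verdict on its own.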

A Busy Year for Phishing Kits

Phishing kits were a prominent threat in 2018. Check Point came across a new phishing kit on the dark web in April 2018. The template provided would-be criminals with a backend interface for creating convincing fake retail product pages and managing their entire campaign. A few months later, Akamai analyzed a zip file containing phishing kits. One of the five directories analyzed by Akamai had code to target a bank located in the Southern and Midwestern states.

Several new malicious document builders have also emerged over the past two years. In October 2017, Proofpoint discovered ThreadKit, a Microsoft Office document exploit builder kit used for distributing Formbook, Loki Bot and other malware. Just a few months later, the security firm came across LCG Kit, another weaponized document builder service.

How to Defend Against Phishing Attacks

Security professionals can help defend their organizations against phishing attacks by proactively running phishing simulations to test their employees’ security awareness. They should also conduct penetration tests to analyze other aspects of their organizations’ email security.

The post Phishing Kit Uses Custom Web Font to Impersonate Major US Bank appeared first on Security Intelligence.

Red Hat Security Advisory 2019-0040-01

Red Hat Security Advisory 2019-0040-01 - .NET Core is a managed software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address security vulnerabilities are now available. The updated versions are .NET Core 2.1.5 and 2.2.1. Issues addressed include a denial of service vulnerability.

Microsoft at NRF: Delivering on the promise of intelligent retail

A few days from now, retailers from around the world will converge in New York for the National Retail Federation (NRF) Big Show, the world’s largest retail conference. Every year, this event feels like a fresh beginning for retailers; just off their busiest time of year, they’re ready to not only celebrate but also reflect on what went well and improvements for next year. And every year, it feels like the stakes have never been higher – changing consumer demands combined with a retail model that’s constantly in flux creates an urgency to figure out what’s next.

I love coming to NRF. I joined Microsoft about five months ago, but I’m a retailer at heart. I literally grew up in retail, spending weekends at grocery stores with my dad rearranging coffee cans as part of our family business. Later I ran CRM and digital marketing for Gap Inc.’s brands. Now, I’m feeling even closer to retailers today than ever because I’m working for a company committed to building and maintaining retailers’ trust, working together to deliver intelligent solutions that help retailers delight shoppers, empower their employees, transform their supply chains and reimagine their businesses.

Given my retail background, I particularly appreciate Microsoft’s commitment to be a good partner by recognizing that retailers’ customers, employees and data belong to them. We want to put retailers in control of the pieces they need to make their businesses wildly successful for years to come.

So how is Microsoft delivering on that promise?

Bringing customer-first innovation to market

At Microsoft, we look to bring to market products and services that work seamlessly together to help retailers do more and take advantage of the latest technologies like AI, machine learning and IoT across the entire organization. Leading retailers are already using the Microsoft Cloud as a competitive differentiator, from using AI to create transformative customer and employee experiences, to embracing IoT to leverage their supply chains for maximum customer impact, to using cloud-based business applications to manage everything from the customer journey to operations. In an industry experiencing accelerating change, Microsoft and its partners are creating the solutions to help our customers keep up.

Empowering employees with the right tools is an area I think is especially ripe for innovation. For example, Firstline Workers, such as retail associates, are the first point of contact between a company and its customers or products, and are the lifeblood of the retail industry. They represent a retailer’s brand and need better access to resources and expertise to deliver great customer experiences and drive the bottom line. There’s also a huge opportunity to give these employees a more streamlined experience at work by modernizing some of the busy work that takes time away from customer service, such as scheduling and task management.

That is why I’m excited to announce new capabilities in Microsoft Teams for Firstline Workers. A new customizable mobile Teams experience makes it easy for them to connect with anyone in the organization and access just the apps and services they need while on the job. It includes features like the ability to share location and a smart camera.  We are also announcing a new API to connect Teams to workforce management systems so employees no longer need to login to different systems, but can access everything in Teams as a hub for their workday. Finally, a new Praise tool makes it easy for managers and employees to recognize their peers and build a culture of teamwork.

Microsoft built all this innovation to help retail employees and other Firstline Workers get out of the backroom and onto the store floor, interacting with customers, creating great experiences and building loyalty. As always, it all comes back to the customer.

Putting our trusted business model to work for our customers

I’m proud to say retailers are already realizing the value in working with us and our partners to drive success. Just in the past few months, we’ve announced incredible partnerships with some of retail’s biggest names, including Starbucks, Walmart and – one that’s particularly close to my heart – Gap, Inc. And just this week, we announced a partnership with Kroger to power a new connected-experience store pilot and jointly bring digital solutions to market that will empower other retailers to transform their own operations and create their own amazing customer experiences.

For each of these customers, we’re bringing to bear our technology and our brightest retail minds to help them build a foundation for success in this ever-changing market.

We don’t just sell another commodity to retailers. Our superpower is bringing together our global network of partners to work side-by-side with retailers and understand their greatest challenges and opportunities. Together, we go beyond simply finding solutions – we’re redefining categories and establishing new business models. This is how we’re enabling intelligent retail – by offering the best-in-class solutions and industry expertise that’s helping retailers know their customers better, empower their people in new ways, deliver on an intelligent supply chain and reimagine retail.

I’m excited to highlight many other retail brands in our booth at NRF that are working with Microsoft and our partners to embrace intelligent retail:

  • On the heels of this week’s news, I’m excited to showcase Kroger’s Microsoft Azure-powered Retail as a Service (RaaS) offering to NRF attendees. The solutions are not only enabling Kroger to transform the grocery experience for its customers with a personalized guided shopping experience, but are also opening a completely new revenue stream for Kroger, as they partner with us to market the solutions to other retailers. Centered around Kroger’s EDGE Shelf, which uses digital displays instead of traditional paper tags to indicate everything from prices and promotions to nutritional and dietary information, RaaS connects the shelf to the company’s Scan, Bag, Go® to create a unique guided shopping experience for customers.
  • Starbucks is using Azure Sphere within select equipment to enable its partners (employees) more opportunity to engage with customers. This includes everything from beverage consistency, waste reduction, the management of energy consumption and predictive maintenance.
  • Arts and crafts supply store Michaels is working with Microsoft partner TokyWoky to identify potential ambassadors online and leverage their knowledge and expertise to build a digital community of makers. Using Microsoft Azure, Azure AI and Power BI, TokyWoky’s 24/7 chat technology helps retailers like Michaels provide their customers with a human, personalized experience that’s not restricted by the size of its customer service workforce. TokyWoky’s platform encourages customers to assist and answer questions from other customers, all within the Michaels site, resulting in four- to six-times more questions being answered than before. The solution also creates continuous user-generated content across michaels.com, which helps to drive trust and conversion.
  • Goodwill of Central and Northern Arizona (GCNA) partnered with DXC Technology to implement Microsoft Dynamics 365 as its retail management and Point of Sale (POS) solution. DXC’s Dynamics-based solution enables GCNA to collect detailed information on the items it sells. This is combined with category detail on items its stores produce from donated goods (collected from a GCNA proprietary and custom application) to maximize revenue. This is especially important for GCNA, whose revenue directly funds its mission – to empower individuals, strengthen families, and build stronger communities, and move towards its vision – to end poverty through the power of work.
  • Italian luxury lifestyle brand Stefano Ricci is using partner SBSoft’s Dynamics-based CRM4Retail solution to give employees a high-level view of information to help them provide the white-glove experience its shoppers expect. Online, the database produces recommendations based on how customers are navigating the website. The application for stores helps retail employees understand and anticipate customer needs and answer customer questions in a matter of seconds. It also assists in the development of targeted, data-driven campaigns and promotions.
  • Wine and liquor store BevMo! has partnered with Fellow Inc. to use its Fellow Robots to connect supply chain efficiency with customer delight. Delivered using Power BI and powered by Microsoft Azure, Azure AI and Azure Machine Learning, the robot provides perfect product location using image recognition and utilizes suggestive selling to offer customers different types of products and integrate point of sale interactions. A new integration point from Fellow to the “My Retailer app” of each retailer helps customers locate their favorite items in the store and suggests other items the customer may like. BevMo! is also using Microsoft’s intelligent cloud solutions to empower its store associates for better customer service.
  • Retailers such as children’s clothing brand Polarn O Pyret are turning to the Unified Commerce Alliance (UCA) solution – powered by Azure AI and data platform and Dynamics 365 for Retail, in addition to partner-driven solutions from Avensia Storefront, Episerver and InRiver PIM – to help them reimagine retail by joining and sharing data and business logic from different systems and channels through a single, secure and scalable system in the Azure cloud. The UCA cloud solution provides one source of truth across all retail functionality – POS, pricing, campaign, stock and warehouse management. This one-stop shop provides everything a retailer needs to manage all digital store experiences, online and offline.

Connect with us at NRF

Microsoft will have a big presence at NRF including 20 solution demos in our booth, sessions led by our retail experts and tours of our own Microsoft Store to show how Microsoft runs on Microsoft – and if you plan to be there, come see us! Visit us in booth #3301 to experience for yourself the solutions and customer stories I mention above, or attend one of our sessions on the show floor – I’m leading a Big Ideas session where I’ll talk about what we learned over the holiday season and chat with retailers you know and love about how they’re working with Microsoft to create amazing experiences for their customers. In addition, my colleague Alysa Taylor, Corporate Vice President for Business Applications and Industry Marketing, and I will be among several “women rocking retail” participating in The Girls’ Lounge at NRF (Microsoft is also a sponsor!). And don’t miss Chris Capossela, our Chief Marketing Officer, as he leads a session on Tuesday highlighting the importance of brand. And of course, you can visit Microsoft’s NRF page to keep up to date on the latest news developments.

Despite retail’s breakneck rate of change, there’s never been a more exciting time to be a retailer. I’m excited to be a part of it, bringing Microsoft’s solutions and trusted business model to my retail colleagues around the world. And I’m here to tell every retailer: if we don’t have a solution for your business, we – along with our hundreds of global partners – will build it for you. I can’t wait to see what we’ll create together.


The post Microsoft at NRF: Delivering on the promise of intelligent retail appeared first on The Official Microsoft Blog.

The State of Web Application Vulnerabilities in 2018

(Jan. 12 update:  Due to a data transfer error, some of the 2017 figures were incorrectly reported; this version of the blog has been corrected. This error did not affect our 2018 statistics, nor our conclusions.)

As a web application firewall provider, part of our job at Imperva is to continually monitor for new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrates it into a single repository, and assesses each vulnerability’s priority. Having this kind of data puts us in a unique position to provide an analysis of all web application vulnerabilities throughout the year, view trends, and notice significant changes in the security landscape. As we did last year, we took a look back at 2018 to understand the changes and trends in web application security over the past year.

The bad news is that in 2018, like 2017, we continued to see a trend of an increasing number of web application vulnerabilities, particularly vulnerabilities related to injection such as SQL injection, command injection, object injection, etc. On the content management system (CMS) front, WordPress vulnerabilities continue to grow, and they continue to dominate in terms of the number of vulnerabilities published in the CMS category. Although WordPress leads the pack in sheer vulnerability numbers, Drupal vulnerabilities had a larger effect and were used in mass attacks that targeted hundreds of thousands of sites during 2018. However, there is some good news for the security industry — the number of Internet of Things (IoT) vulnerabilities declined, as did the number of vulnerabilities related to weak authentication. In the server-side technologies category, the number of PHP vulnerabilities continued to decline. In addition, the growth in API vulnerabilities also slowed slightly.

2018 Web Application Vulnerabilities Statistics

The first phase in our yearly analysis was to check the number of vulnerabilities published in 2018 in comparison to previous years. Figure 1 shows the number of vulnerabilities on a monthly basis over the last three years. We can see that the overall number of new vulnerabilities in 2018 (17,308) increased by 23% compared to 2017 (14,082) and by 162% compared to 2016 (6,615). According to our data, more than half of web application vulnerabilities (54%) have a public exploit available to hackers. In addition, more than a third (38%) of web application vulnerabilities don’t have an available solution, such as a software upgrade, a workaround or a software patch.
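The pipeline described above (collect from several feeds, merge into one repository, derive yearly statistics) as a toy implementation. This is an added example, not Imperva’s internal software; the two feeds, their field names and every record in them are constructed, and the category keywords are a deliberately coarse stand-in for real triage.

```python
"""Toy vulnerability-intelligence aggregator (added example, constructed data).

Two feeds with different schemas are normalised into one record type, merged by
CVE id, classified into coarse OWASP-style categories and summarised per year:
total, year-over-year growth, share with a public exploit, share without a fix.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample feeds; field names and values are hypothetical.
FEED_A: List[dict] = [
    {"cve": "CVE-2018-0001", "published": "2018-03-02",
     "summary": "SQL injection in login form", "exploit": True, "patch": None},
    {"cve": "CVE-2018-0002", "published": "2018-03-09",
     "summary": "Remote command execution via ping parameter", "exploit": False, "patch": "2.1.1"},
    {"cve": "CVE-2017-0003", "published": "2017-11-20",
     "summary": "Stored XSS in comment field", "exploit": True, "patch": "1.4"},
]
FEED_B: List[dict] = [
    {"id": "CVE-2018-0001", "date": "2018-03-03", "title": "SQLi in authentication",
     "poc_url": "https://example.invalid/poc", "fixed_in": "3.0"},
    {"id": "CVE-2018-0004", "date": "2018-07-15", "title": "Missing authentication on admin API",
     "poc_url": None, "fixed_in": None},
    {"id": "CVE-2017-0005", "date": "2017-01-08", "title": "PHP object injection through unserialize()",
     "poc_url": None, "fixed_in": None},
]


@dataclass
class Vuln:
    cve: str
    year: int
    summary: str
    exploit_public: bool
    fix_available: bool

    def merge(self, other: "Vuln") -> None:
        # Any feed seeing a public exploit makes it exploitable; any feed
        # reporting a fix makes it fixed; the earliest publication year wins.
        self.exploit_public = self.exploit_public or other.exploit_public
        self.fix_available = self.fix_available or other.fix_available
        self.year = min(self.year, other.year)


def normalise_a(rec: dict) -> Vuln:
    return Vuln(rec["cve"], int(rec["published"][:4]), rec["summary"],
                bool(rec["exploit"]), rec["patch"] is not None)


def normalise_b(rec: dict) -> Vuln:
    return Vuln(rec["id"], int(rec["date"][:4]), rec["title"],
                rec["poc_url"] is not None, rec["fixed_in"] is not None)


def aggregate(records: Iterable[Vuln]) -> Dict[str, Vuln]:
    """Single repository keyed by CVE id; the same CVE from two feeds is merged."""
    repo: Dict[str, Vuln] = {}
    for v in records:
        if v.cve in repo:
            repo[v.cve].merge(v)
        else:
            repo[v.cve] = v
    return repo


def classify(summary: str) -> str:
    """Keyword classifier; injection is split into SQLi / RCE / other so the
    injection share can be broken down the way the report does."""
    s = summary.lower()
    if "sql injection" in s or "sqli" in s:
        return "Injection/SQLi"
    if "command execution" in s or "command injection" in s:
        return "Injection/RCE"
    if "injection" in s:
        return "Injection/Other"
    if "xss" in s or "cross-site scripting" in s:
        return "Cross-Site Scripting"
    if "authentication" in s:
        return "Broken Authentication"
    return "Other"


def growth_pct(previous: int, current: int) -> float:
    """Year-over-year growth in percent, one decimal."""
    return round((current - previous) / previous * 100, 1)


def summarise(repo: Dict[str, Vuln], year: int) -> dict:
    """Per-year statistics of the kind the report gives."""
    vulns = [v for v in repo.values() if v.year == year]
    total = len(vulns)
    if total == 0:
        return {"total": 0, "public_exploit_pct": 0.0, "no_fix_pct": 0.0, "by_category": Counter()}
    return {
        "total": total,
        "public_exploit_pct": round(100 * sum(v.exploit_public for v in vulns) / total, 1),
        "no_fix_pct": round(100 * sum(not v.fix_available for v in vulns) / total, 1),
        "by_category": Counter(classify(v.summary) for v in vulns),
    }


def build_repo() -> Dict[str, Vuln]:
    return aggregate([normalise_a(r) for r in FEED_A] + [normalise_b(r) for r in FEED_B])


if __name__ == "__main__":
    repo = build_repo()
    s17, s18 = summarise(repo, 2017), summarise(repo, 2018)
    print("2017:", s17)
    print("2018:", s18)
    print("sample growth 2017->2018:", growth_pct(s17["total"], s18["total"]), "%")
    # Applied to the report's own totals, the function reproduces its 23% / 162%.
    print("report growth 2017->2018:", growth_pct(14082, 17308), "%")  # 22.9
    print("report growth 2016->2018:", growth_pct(6615, 17308), "%")   # 161.6
```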



Figure 1: Number of web application vulnerabilities in 2016-2018

Vulnerabilities by Category

In Figure 2, you can find 2018 vulnerabilities split into OWASP TOP 10 2017 categories.

Most Common Vulnerability: Injections

The dominant category this year was by far injections, with 19% (3,294) of the total vulnerabilities of 2018, which is also a 267% increase from last year. When talking about injection vulnerabilities, the first thing that jumps to mind is SQL injection. When drilling down into the data, however, we saw remote command execution (RCE) emerge as the bigger issue, with 1,980 vulnerabilities (11.5%), compared to 1,354 vulnerabilities (8%) for SQLi.

Figure 2: Vulnerabilities by category 2014-2018

No. 2 Vulnerability — Cross-Site Scripting

The number of Cross-site scripting (XSS) vulnerabilities continued to grow and appears to be the second most common vulnerability (14%) among 2018 web application vulnerabilities.

IoT Vulnerabilities Decreased

It appears that the number of IoT vulnerabilities has decreased tremendously. Despite the common belief that all our electronic devices can be easily compromised, it appears that something has changed in this area. Possible explanations include: IoT vendors have finally started to implement better security in IoT devices, or that hackers and researchers found another area to focus on in 2018.


Figure 3: IoT vulnerabilities 2014-2018

API Vulnerabilities: Growing, but Slowing

API (Application Programming Interface) vulnerabilities are becoming more widespread as time goes by. Figure 4 shows the number of API vulnerabilities between 2015-2018. New API vulnerabilities in 2018 (264) increased by 23% over 2017 (214), by 56% compared to 2016 (169), and by 154% compared to 2015 (104).


Figure 4: API vulnerabilities 2015-2018

Although API vulnerabilities continue to grow year-over-year, the growth appears to be slowing, from 63% between 2015-16 to 27% in 2016-2017 and now 23% between 2017-18. One possible explanation is that since APIs are more popular nowadays, they draw more attention from hackers and security researchers. In turn, organizations spend more time securing their APIs.

Vulnerabilities in Content Management Systems: Attackers Focused on WordPress

The most popular content management system is WordPress, used by over 28% of all websites, and by 59% of all websites using a known content management system, according to market share statistics cited by Wikipedia, followed by Joomla and Drupal. Perhaps unsurprisingly, WordPress also registered the highest number of vulnerabilities (542) last year, which is a 30% increase from 2017 (Figure 5).


Figure 5: Number of vulnerabilities by CMS platform 2016-2018

According to the WordPress official site, the current number of plugins is 55,271. This means that only 1,914 (3%) were added in 2018.


Figure 6: Number of WordPress plugins

Despite the slowed growth in new plugins, the number of WordPress vulnerabilities increased. The explanation for this could be either the code quality of the plugins, or the fact that WordPress is such a popular CMS, which motivates more attackers to develop dedicated attack tools and try their luck searching for holes in the code.

Unsurprisingly, 98% of WordPress vulnerabilities are related to plugins (see Figure 7 below), which extend the functionality and features of a website or a blog. Anyone can create a plugin and publish it — WordPress is open source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are prone to vulnerabilities.


Figure 7: WordPress third party vendor vulnerabilities in 2018

In Figure 8 below, you can find the ten WordPress plugins with the most vulnerabilities discovered in 2018. Note that these are not necessarily the most-attacked plugins, as the report refers to the number of vulnerabilities seen throughout the year and is based upon the continual aggregation of vulnerabilities from different sources. Our annual report is solely based on statistics from this system, and we listed all vulnerabilities that were published during 2018 in general, in WordPress and in WordPress plugins. This indicator looks only at the number of vulnerabilities. There are other measures that are not included in the report – such as ‘top attacked’ or ‘riskiest’ – which do not necessarily correlate with this measurement.



Figure 8: Top 10 vulnerable WordPress plugins in 2018

Server Technologies: PHP Vulnerabilities Fell

Since the most popular server-side programming language for websites continues to be PHP, we expect it to have more vulnerabilities than equivalent languages. And that was true. However, as Figure 9 below shows, new vulnerabilities in PHP fell in 2018 versus 2017, just as they did in the prior year. The lack of PHP updates – only one minor update was released, PHP 7.3, in December – could explain why.


Figure 9: Top server-side technology vulnerabilities 2014-2018

The Year of Drupal

Although Drupal is the third-most popular CMS, two of its vulnerabilities, CVE-2018-7600 (’23-mar’ bar in Figure 10 below) and CVE-2018-7602 (’25-apr’ bar below), also known as Drupalgeddon2 and Drupalgeddon3 respectively, were the root cause of many security breaches in hundreds of thousands of web servers in 2018. These vulnerabilities allowed an unauthenticated attacker to remotely inject malicious code and run it on default or common Drupal installations, and from there to connect to backend databases, scan and infect internal networks, mine cryptocurrencies, infect clients with trojans, and more.

The simplicity of these Drupal vulnerabilities and their catastrophic impact made them a weapon of choice for many attackers. In fact, Imperva detected and blocked more than half a million attacks related to these vulnerabilities during 2018. These attacks were also the basis for a few interesting blogs we wrote this year. There was another risky vulnerability, part of the Drupal security patch sa-core-2018-006, that was published in October. However, since it was not easy to exploit, the number of attacks was small.


Figure 10: CVSS Score of Drupal vulnerabilities in 2018

Predictions for 2019

As a security vendor, we’re often asked about our predictions. Here are our vulnerability predictions for 2019:

  • PHP announced that versions 5.5, 5.6 and 7.0 reached their end of life. That means that these versions will no longer receive security updates. Major CMSs like WordPress, Drupal, and Joomla are developed in PHP and require newer versions of PHP; however, they still support older versions. The result is that hackers are now motivated to find new security vulnerabilities in unsupported PHP versions, since those will not be fixed and will impact every application built with these outdated versions. For example, according to Shodan there are currently 34K servers running these unsupported PHP versions.
  • Injection vulnerabilities will continue to grow, mainly because of the economic incentive for attackers (making fast money).
  • More vulnerabilities in APIs will be discovered as DevOps becomes a crucial factor in IT and the usage of and demand for APIs keep growing.

How to Protect Your Apps and Data

One of the best solutions for protecting against web application vulnerabilities is to deploy a web application firewall (WAF). A WAF may be either on-premises, in the cloud or a combination of both depending on your needs, infrastructure, and more. As organizations are moving more of their apps and data to the cloud, it’s important to think through your security requirements. A solution supported by a dedicated security team is one to add to your selection criteria. Security teams can push timely security updates to a WAF in order to properly defend your assets.


The post The State of Web Application Vulnerabilities in 2018 appeared first on Blog.

Canadian Telecom Firm Wants Permission to Collect, Monetize Customer Data, Online Activity

The largest telecom company in Canada wants to monetize its customers’ personal data, but not without getting their consent first, as required by Canadian privacy law, writes the CBC. Will users give in to the demand? Do they simply no longer care about online privacy?

In December 2018, Bell Canada started reaching out to customers to get their permission to track their personal data and digital activity patterns on all services they use through the provider. Think smartphone, TV and internet activity, online purchases, transactions, downloads and social media activity, besides the usual personal information such as age, gender and address: all the information needed and much more to create customer patterns.

The company claims it wants to follow in the footsteps of Google and Facebook, and use the information to enhance user experience, and for tailored marketing and advertising campaigns.

“Tailored marketing means Bell will be able to customize advertising based on participant account information and service usage patterns, similar to the ways that companies like Google and others have been doing for some time,” reads the notice Bell customers received.

Bell will also gather the “number of messages sent and received, voice minutes, user data consumption and type of connectivity when downloading or streaming.”

While some might hope consumers will get something out of this, chances are slim to none. So far, Bell hasn’t clearly explained its plan to strengthen security or fend off threats now that it expects to store such large amounts of valuable information, leaving consumers’ privacy and security at risk.

HHS Publishes Healthcare Cyber Security Guidelines Based on NIST CSF

New HHS publication outlines top cyber threats & best practices for healthcare industry

Noting that cyber security is “the responsibility of every health care professional, from data entry specialists to physicians to board members,” the U.S. Department of Health and Human Services (HHS) has published Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).… Read More

The post HHS Publishes Healthcare Cyber Security Guidelines Based on NIST CSF appeared first on .

Humana Informs Customers of Third-Party Security Incident

Humana has notified customers of a third-party security incident that might have exposed some of their personal information. According to a breach notification letter obtained by DataBreaches.net, the for-profit American health insurance company learned on 25 October 2018 that bad actors had gained access to the system credentials of some employees at Bankers Life, one […]… Read More

The post Humana Informs Customers of Third-Party Security Incident appeared first on The State of Security.

SMS phishing is back and it is very realistic

SMS, also known as text messaging, may look like “yesterday’s” technology, but SMS phishing is alive and well and reminds us that KISS works perfectly. If you are not familiar with the acronym KISS, it stands for “keep it simple, stupid”. Despite the somewhat insulting tone of […]

Preventing Cryptojacking Malware with McAfee WebAdvisor’s New Cryptojacking Blocker

By now, you’ve probably heard of cryptocurrency, but you may not know exactly what it is. To put it simply, cryptocurrencies are virtual currencies that have actual monetary value in today’s world. They are limited entries of transactions into a single database, or public ledger, that can’t be changed without fulfilling certain conditions. These transactions are verified and added to the public ledger through cryptocurrency mining. Cryptocurrency miners try to make money by compiling these transactions into blocks and solving complicated mathematical problems to compete with other miners for the cryptocurrency. While this process of mining for cryptocurrencies can be lucrative, it requires large amounts of computing power.

Unfortunately, the need for massive amounts of hardware has provoked cybercriminals to participate in cryptojacking, a method of using malware to exploit victims’ computers to mine for cryptocurrencies. Cybercrooks spread cryptojacking malware through sketchy mobile apps, flawed software, and malware-infected ads. They can even cryptojack your device during a browsing session while you’re perusing a website that appears completely harmless. Once a user’s device becomes infected, the malware drains the device’s CPU, causing the user’s computer fan to be loud while the malware mines for cryptocurrencies in the background. Unfortunately, symptoms of cryptojacking are usually pretty subtle, with poor device performance being one of the few signs of its presence.

Thankfully, McAfee WebAdvisor is here to help. This security solution, which helps block users from malware and phishing attempts, now includes Cryptojacking Blocker. This enhancement is a Windows-based browser add-on available for Google Chrome that helps stop malicious websites from mining for cryptocurrency. So far, our direct and retail McAfee WebAdvisor customers have already started receiving the update that adds Cryptojacking Blocker to their product, and the customers who have WebAdvisor through other partners should begin to see this update roll out during Q1. The same thing goes for those who own McAfee LiveSafe and McAfee Total Protection. Additionally, we’re aiming to add support for Firefox in the coming months. And if you don’t already have WebAdvisor, you can download it for free on our website, with Cryptojacking Blocker included in your download.

In addition to using a security solution like McAfee WebAdvisor, here are some other general tips to help you stay safe online:

  • Create a strong, unique password. Although it may be easier to remember, reusing passwords across multiple accounts puts all of your data at risk even if just one of your accounts is breached. Choosing a complex password for each individual online account will act as a stronger first line of defense. You can also use a password manager so all of your credentials are consolidated into one place.
  • Be careful where you click. If you come across a website that seems sketchy or notice that the URL address looks odd, avoid interacting with the site entirely. Stick to browsing websites you know are reputable.
  • Update, update, update! Cybercriminals can take advantage of old software to spread cryptojacking malware. Keeping your software updated with the latest patches and security fixes can help you combat this threat.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Preventing Cryptojacking Malware with McAfee WebAdvisor’s New Cryptojacking Blocker appeared first on McAfee Blogs.

Mingis on Tech: As blockchain hype cools, a ‘trough of disillusionment’ for 2019?

Ok, so maybe blockchain isn't ready yet to become the biggest new technology since the internet.

But the distributed ledger technology clearly made strides in 2018, when it was embraced by companies from Walmart to shipping bigwig Maersk to top tech vendors like IBM, SAP, Oracle and Microsoft who see potential in blockchain-as-a-service. (Walmart's vice president in charge of food safety, Frank Yiannas, compared his embrace of blockchain to a "religious conversion.")

To read this article in full, please click here

Details, details

It's a few years after Y2K when the IT security team at this university gets a rude awakening, reports a pilot fish in the know.

"They discovered that persons unknown had hacked into a university server," fish says. "It was being used to launch denial-of-service attacks against a victim somewhere outside the university."

The team's first job is finding the server -- which turns out to be in the alumni office -- and taking it offline.

Then they start digging into the security logs. That's when they find out that the attackers have been making use of the server for more than a year.

And once they start checking on the IP addresses of whoever it is that has accessed the server, they discover it's not just one or two hackers. It seems people from all over the world have been using this server to launch attacks.

To read this article in full, please click here

Get 10 Popular Books To Learn Advanced Hacking [2018 Bundle]

It should come as no surprise that cybersecurity is one of the most important and lucrative fields in the world right now, and it’s becoming more important every day—thanks to a growing number of cyber attacks that are targeting everything from individuals and startups to Fortune 500 companies and entire government agencies. So it should also come as no surprise that demand for talented and

2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 2)

In part 1 of this retrospective, we took stock of what happened in the first 6 months of 2018 and what we had to learn in terms of cybersecurity and privacy. Now, we review the second part of the year and inventory the most relevant insights and actionable advice.

Got anything else to add? Drop us a line.

July in cybersecurity review

The bad news:

This summer was hotter than usual for health care companies, with two of them losing incredible amounts of data and funds to malware attacks.

The same SamSam ransomware that hit the city of Atlanta and caused damages upwards of $10 million encrypted the machines of LabCorp, a major lab services provider.

In Canada, CarePartners found the medical histories and contact information of 80,000 of its patients stolen in a massive data breach and held for ransom. Some of those patients even had active credit card numbers and expiry dates on file.

“The attackers told CBC News in an encrypted message that they discovered vulnerable software on CarePartners’ network that had not been updated in two years ‘by chance,’ and were able to exploit those vulnerabilities and weak passwords to remove hundreds of gigabytes ‘completely unnoticed,’” highlighted a CBS News report.

The good news:

In July, Google took us all by surprise by announcing the end of phishing. Well, at least among Google’s ranks. The company reported it completely eliminated phishing among its employees by switching to physical keys for 2-factor authentication.


For those who missed this news, a physical key is simply a USB device that works the same as the codes online services text you or provide for you as an extra security layer after the password. With a physical key, to log in you input your password, then connect the device and it will authenticate you instead of that code.

Takeaways:


Why are physical keys better? Well, barring the hassle of having to buy a device, they work with most services and completely eliminate hackers’ ability to hijack your SMS messages to intercept the code.


That’s an easy thing for them to do, and that’s why we always recommend using a dedicated app for 2FA, not SMS-based codes. Furthermore, with physical keys, you eliminate the hassle of having to open an app every time and type in the unique code.

August in cybersecurity review

The bad news:

August kicked off with another high-profile ransomware attack. A WannaCry strain hit TSMC (Taiwan Semiconductor Manufacturing Co.), one of Apple’s biggest suppliers of components for iPhones, Apple Watches and iPads.

TSMC traced the incident to a supplier who connected an infected device to a computer, without scanning it beforehand, which caused the ransomware to spread until it took down three plants.

Oh yes, and the Alaskan borough of Matanuska-Susitna was, as this outlet put it, “cast back to the dark ages” after BitPaymer ransomware took out almost 500 workstations and 120 out of 150 servers.

If ransomware wasn’t enough, the organization was also under fire from an external attacker, which gained access to the network and deployed the Emotet banking trojan. Everything from email to phones, doors and payment systems went down, which forced employees to actually pull out typewriters and pens to write receipts by hand.

“In 35 years in the business, this is the worst I’ve seen. It’s meant to disrupt our way of life,” said Eric Wyatt, the org’s IT director.

The good news:

While things were pretty dire during summer’s last month, there was one great thing that happened.

Apple removed Onavo Protect, a Facebook-owned VPN, from its app store. What for? Data collection, obviously. Apple wasted no time to tell Facebook that its Onavo Protect violated the App Store Guidelines, which specifically try to stop app developers from farming user data then selling it to third parties.

Why a VPN though?

Because Onavo Protect did more than just reroute users’ traffic to a Facebook-owned website, it also “improved” its service by “analyzing your use of websites, apps, and data.” It was a ham-fisted attempt by Facebook to collect even more information from those who, in theory, care about privacy. Fortunately, Apple continued their strategy of protecting user privacy and data security in their ecosystem.

As for Google, the company allowed the Onavo Protect to be available for download.

Takeaways:

If you truly care about privacy, not just accessing region-locked services or content, do your research on the VPN provider you pick. Otherwise, you’re paying for nothing, as some VPN services actually collect your data and sell it to third parties.

We put together a few tips on this here.

September in cybersecurity review

The bad news:

Summer ended with a big headache for 380,000 British Airways customers, after the company announced that, between August 21 and September 5, booking transactions were compromised in an attack.

Basic information like names and addresses were stolen but the travelers’ problems didn’t end there, because hackers also took off with payment card details. How did this happen?

The hackers performed a cross-site scripting attack, which involves targeting an unsecured web page component and injecting malicious JavaScript code to hijack personal information.

Anyone who visited the baggage claim information page had their information stolen once they eventually used the payment form.

The good news:

After what seemed like endless months of waiting for perpetrators to be caught, the US Department of Justice announced that it had finally charged one of the hackers involved in the WannaCry attack.


The fact that the hacker in question is North Korean and belongs to an organization also blamed for the massive Sony breach and an $81 million robbery should surprise no one. The positive takeaway here is that authorities managed to create a damning paper trail between the individual and the North Korean government, eliminating any doubt that WannaCry was a state-sponsored attack.

“The insight into how an adversary like this works can help defenders plan on what they might be up to,” explained Ben Read, senior manager of cyberespionage analysis at FireEye in a Wired article covering the event.

Takeaways:

The old “cybersecurity is a high-stakes cat and mouse game” line comes to mind. These two stories from September really put into perspective hackers’ creativity (here is how they change tactics during attacks) and the challenges of apprehending them.

October in cybersecurity review

The bad news:

October showed that old tactics still work for new attacks.

Cryptomining malware might be a 2018 “novelty”, but fake updates and installers are as old as dirt. Combine them and you get fake Adobe installers that really do install a new version of Flash but also sneak in a cryptojacking script that hijacks your PC to mine cryptocurrency for the attacker.

We explained in this piece what cryptojacking really means, how you can secure your devices against it and what you need to be aware of. If you know the basics, it’s easier to avoid even more advanced attacks.

The good news:

The best news in October comes from Google, which released an important privacy app for all Android phones made in the last 7 years.

Called Intra, the free app encrypts Domain Name System (DNS) connections on mobile and covers an important gap in privacy measures.

Visiting HTTPS-only websites is essential but still not totally private, as DNS traffic is usually unencrypted and can be hijacked in order to steal your information. For journalists and other people operating in dangerous, surveillance-heavy areas, this tool is extremely valuable, as it protects from “DNS manipulation, a type of cyber attack used to block access to news sites, social media platforms, and messaging apps.”

Takeaways:

If you have an older smartphone running Android, Intra is a free download.

If you have a newer Android device running Android 9 Pie, you can control these settings by going to this path: Settings > Network & Internet > Advanced > Private DNS.

To avoid cryptojacking, the most basic measure is to either make sure you’re downloading patches and software from the official site or simply use a trusted software installer that verifies updates are legitimate and deploys them immediately.

November in cybersecurity review

The bad news:

Japan’s cybersecurity minister said point blank that he had never used a computer. He also revealed that, since the age of 25, he has “instructed” his employees and secretaries to use computers on his behalf.


Seeing how November 30 was Computer Security Day and security experts around the world took to social media to share helpful cybersecurity tips, we hope at least Mr. Sakurada’s employees and secretaries took note.

In any case, the incident did not do wonders for public confidence in how the Government approaches data security.

The good news:

The last few days of November saw a major, yet funny hacking incident. One user was inspired by how many unsecured printers he found using a popular security tool and decided to start a funny awareness campaign. He sent out a message to be printed on those unsecured devices and, at the same time, promoted his favorite streamer, with hilarious results.

Takeaways:

Cases like Japan’s questionable leadership make it even more necessary to learn cybersecurity basics yourself and protect your valuable information. Don’t have time to go hunting for that knowledge?

This quick course delivers one easily doable (and memorable!) security tip in your inbox every day, for a whole year.

We’re classifying the Pewdiepie event as good news because the hacker in question only wanted to spread awareness of insecure IoT devices.

Even better, they did it by tying into the humongous popularity of an Internet influencer, reaching a lot of people who otherwise wouldn’t have been exposed to good security practices.

With so many troublesome reports and devices hijacked for nefarious purposes, old-fashioned pranks like these seem like a breath of fresh air.

Curious to find out what can happen with insecure devices? We explained more here.

December 2018 in cybersecurity review

The bad news:

As 2018 was hurtling to the finish line, there was a massive Google+ data breach (resist the urge to roll your eyes), a massive Quora hack (another major service compromised) and bitcoin scams evolving into bomb threats (we told you hackers are creative!).

SplashData again released its list of the most common passwords in the world and how they changed compared to last year, showing just how lax users are when it comes to protecting their own devices and accounts.

  1. 123456 Unchanged
  2. password Unchanged
  3. 123456789 Up 3
  4. 12345678 Down 1
  5. 12345 Unchanged
  6. 111111 New
  7. 1234567 Up 1
  8. sunshine New
  9. qwerty Down 5
  10. iloveyou Unchanged

At least two-factor authentication is more widespread nowadays, with services requiring users to rely on more than a single password, so the list above might not spell doom like it did in past years. If you’re feeling optimistic, you could also smile at the many “iloveyou” entries unlocking devices.

However, good password practices are mandatory, so try to be a bit more creative with them or use a password manager.

The good news:

Though the weather report for security was frightful in 2018, privacy-oriented Mozilla (parent company of Firefox, one of the browsers we highly recommend) managed to send out a very valuable message to its user base and beyond.

Just in time for the holiday bonanza, when Christmas scams and other dangers multiply exponentially, Mozilla released a holiday shopping guide named “Privacy Not Included”.

Not only is it useful on its own, showing the trendiest gadgets if you’re looking for a gift, but it also brings security and privacy front and center, pinpointing the IoT and smart devices that are insecure by design.

Takeaways:

No doubt about it, 2018 has not been an easy year, not for regular users and not for businesses.

Just how many data breaches happened?

This handy visualization tool will probably burn itself into your eyelids. Hopefully, it will also kick you into gear and get you to spend a bit of time reviewing the information you share with services.


This AI-powered tool can go into the legalese of privacy policies and give you a much better overview of what happens to your data.

You should also consider getting the right online security so your digital life won’t be besieged by malware, cryptojacking, phishing, and other major threats.

We put together these guides for you, so take the opportunity to step into a more secure, more private 2019:

1. Here Are The Essential Security Tips To Stay Safe On Social Media

2. The Best Encrypted Messaging Apps You Should Use Today 

3. Today You’re Being Hacked – How To Choose Secure Settings

Do you have any other recommendations and tools for data privacy and security? Feel free to share below.

The post 2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 2) appeared first on Heimdal Security Blog.

US Health Insurer Humana Announces Third Data Breach after Third-Party Hack

Kentucky-based health insurance provider Humana fell victim to a third data breach, disclosed in December 2018, this time caused by a vulnerability at a third party.

According to a detailed notice to the California Attorney General’s Office and affected customers, Humana was informed on Oct. 28 that its business partner, Bankers Life, had suffered an intrusion that allowed unauthorized access to select employee system credentials between May 30 and Sept. 13.

The intruder used employee credentials to hijack company websites used to apply for Humana insurance. An investigation determined that this may have given the intruder access to personal information of some policy holders. While data such as name, address, date of birth, last four digits of the Social Security number, and some information about policy type may have been compromised, critical information such as full Social Security number, banking and card information and details about medical care were not affected.

Bankers Life detected the breach on Aug. 7 and started an investigation. It informed law enforcement and brought in an external forensics team to help. Since then, it has organized additional training for employees and implemented extra monitoring and security procedures.

While customers who may have been affected will receive one year of identity repair and credit monitoring on behalf of Bankers Life, all are advised to keep a close eye on their account statements and insurance transactions to prevent fraud and identity theft attempts.