Daily Archives: May 14, 2019

Vulnerability In Intel Processors Affected Millions of PCs

In early 2018, Intel and AMD processor researchers discovered two important security holes, Spectrum, and Meltdown. Although damage measures have since been released by Intel, AMD, Microsoft, and other major software and software vendors, the method of attack, based on a process called speculative execution, has led researchers to discover a series of four new attacks that affected Intel processors since 2008, reported by Wired.

Intel has flagged the “Microarchitect Data Sampling (MDS) attacks. And while all four attacks are similar to Meltdown and Specter, these new MDS attacks (ZombieLoad, Fallout, and RIDL) seem to be easier to execute.

In these new cases, researchers found that they could use speculative execution to trick Intel’s processors into grabbing sensitive data that’s moving from one component of a chip to another. Unlike Meltdown, which used speculative execution to grab sensitive data sitting in memory, MDS attacks focus on the buffers that sit between a chip components, such as between a processor and its cache, the small portion of memory allotted to the processor to keep frequently accessed data close at hand.

The researchers found that speculative execution can be used to trick Intel processors to capture sensitive data being transferred from one component of a chip to another. Unlike Meltdown, which uses speculative execution to capture sensitive data in memory, MDS attacks focus on buffers between chip components, such as processor and its cache. The small portion of the memory is assigned to the processor to ensure frequent access.

Each variant of the attack can be used as a gateway to display raw data that traverse a processor’s cache before being rejected via the speculative execution process. With fast and successive execution, a hacker could collect enough random data to capture everything from passwords to keys used to decrypt disks.

“In essence, [MDS] puts a glass to the wall that separates security domains, allowing attackers to listen to the babbling of CPU components,” VUSec, one of the firms that discovered the flaws, said in a paper set to be presented next week and seen by Wired.

Those who found the attack included researchers from Austrian universities TU Graz, Vrije Universiteit Amsterdam, University of Michigan, University of Adelaide, KU Leuven in Belgium, Polytechnic Institute, Worcester, Saarland University in Germany and Cyberus, BitDefender, Qihoo360 and Oracle.

Intel when speaking with Wired said their researchers discovered the vulnerability last year and now have fixes available at the hardware and software level. The company said that it fixed vulnerability in several processors that was sent last month.

Intel researchers, however, disagree on the severity of the vulnerability. While Intel described the attack as “low to moderate,” researchers at the institutions said, “If really dig through that raw output to find the valuable information they sought.”

Microsoft has sent patches for Windows PCs. In a statement to Wired, a Microsoft spokesperson said, “We’re aware of this industry-wide issue and have been working closely with affected chip manufacturers to develop and test mitigations to protect our customers.”

Although patches will become available, their applications on PCs and servers affected by four variables will take some time. This raises the concern that millions of computers worldwide is accessing sensitive data before it is repaired.

Source: https://www.zdnet.com/article/patch-status-for-the-new-mds-attacks-against-intel-cpus/

Related Resources:

Important Features of Vulnerability Scanners

7 Useful Android Vulnerability Scanners

Vulnerability Helps Researchers Expose Malware C&C Servers

TOP 10 PHP Vulnerability Scanners

The post Vulnerability In Intel Processors Affected Millions of PCs appeared first on .

Security spring cleaning: 5 tips for tidying up network safeguards

Networks need regular cleaning just like your home, car or garage. Why? The answer is simple – poor security hygiene can lead to major data breaches. If you don’t regularly review your network, potential weaknesses and vulnerabilities will stack up. As we enter into spring cleaning season, now is as good a time as any for IT administrators and security professionals to catch up on yearly security maintenance. Here are several tasks that should be … More

The post Security spring cleaning: 5 tips for tidying up network safeguards appeared first on Help Net Security.

Organizations dissatisfied with WAFs ineffective protection, time-consuming management, high cost

Only 40% of organizations are satisfied with their web application firewall (WAF), according to the Ponemon Institute report released by Cequence Security. The State of Web Application Firewalls report is based on data gathered from 595 organizations across the U.S. On average, they have each deployed 158 web, mobile, and API-based applications, on premises and in the cloud. “The research clearly reveals WAF dissatisfaction in three areas,” said Dr. Larry Ponemon, chairman and founder of … More

The post Organizations dissatisfied with WAFs ineffective protection, time-consuming management, high cost appeared first on Help Net Security.

Cybersecurity, privacy and technologies still top challenges for IT audit teams and leaders

Cybersecurity, privacy and technologies—from mission-critical to digitally transformative—top the list of challenges IT audit teams and leaders grapple with every day, according to a study conducted by ISACA and Protiviti. An executive summary of the study notes the growing role and responsibilities of IT audit in digital transformation, partnerships between the IT organization and IT audit function, and differences in how IT audit leaders operate compared to other IT audit professionals. The 2019 IT Audit … More

The post Cybersecurity, privacy and technologies still top challenges for IT audit teams and leaders appeared first on Help Net Security.

Employees are aware of USB drive security risks, but don’t follow best practices

Employees are aware of the risks associated with inadequate USB drive security – yet their employers aren’t mandating following best practices, according to a report by Apricorn. “The State of USB Data Protection 2019: Employee Spotlight” survey report, which polled nearly 300 employees across industries including education, finance, government, healthcare, legal, retail, manufacturing, and power and energy, examined year-over-year trends of USB drive usage, policies and business drivers. The report reveals that while employees have … More

The post Employees are aware of USB drive security risks, but don’t follow best practices appeared first on Help Net Security.

Consumer spending on technology to reach $1.32 trillion in 2019

Consumer spending on technology is forecast to reach $1.32 trillion in 2019, an increase of 3.5% over 2018. Consumer purchases of traditional and emerging technologies will remain strong over the 2018-2022 forecast period, reaching $1.43 trillion in 2022 with a five-year compound annual growth rate (CAGR) of 3.0%, according to IDC. Consumer purchases of traditional and emerging technologies will remain strong over the 2018-2022 forecast period, reaching $1.43 trillion in 2022 with a five-year compound … More

The post Consumer spending on technology to reach $1.32 trillion in 2019 appeared first on Help Net Security.

Array’s APV Series ADCs to offer support for Office 365 hybrid infrastructures

Array Networks announced support for intelligent Microsoft Office 365 traffic identification and routing for the company’s APV Series Application Delivery Controllers (ADCs) with the latest ArrayOS version 10.3.0.2 software release. In addition, Array ADCs offer Security Assertion Markup Language (SAML) single sign-on to provide unified secure access across all Microsoft applications. As a Software-as-a-Service (SaaS) offering, Microsoft Office 365 presents a number of challenges for IT administrators. Direct connectivity to the cloud service is recommended, … More

The post Array’s APV Series ADCs to offer support for Office 365 hybrid infrastructures appeared first on Help Net Security.

WhiteHat and Rural Sourcing to offer one-stop solution to identify and fix app level exposures

WhiteHat Security, the leading application security provider committed to securing digital business, announced that it has partnered with Rural Sourcing, the leading provider of US-based IT outsourcing services, to offer the industry’s first one-stop solution to identify and remediate application level exposures. The two companies will combine the comprehensive, SaaS-based WhiteHat Application Security Platform with Rural Sourcing’s vulnerability remediation services to alleviate the challenges of DevSecOps and help organizations enjoy the benefits of digital transformation … More

The post WhiteHat and Rural Sourcing to offer one-stop solution to identify and fix app level exposures appeared first on Help Net Security.

Thirdwayv’s AppAuth software provides layers of security to mission-critical IoT apps

Thirdwayv, a leading provider of end-to-end connectivity and security solutions for IoT applications, announced it has added AppAuth software to its growing suite of patented products that provide essential layers of security-by-design protection in a wide variety of mission-critical commercial and enterprise Internet of Things (IoT) applications. Consisting of three software modules that bring trust to a system’s IoT devices, smartphone apps and cloud, AppAuth works seamlessly with Thirdwayv’s SecureConnectivity platform that is already being … More

The post Thirdwayv’s AppAuth software provides layers of security to mission-critical IoT apps appeared first on Help Net Security.

TrustArc Participates at Practicing Law Institute in San Francisco

TrustArc was honored to be invited to serve as faculty for the Practicing Law Institute (PLI)’s 20th Annual Institute on Privacy and Data Security Law on May 6-7 in San Francisco.  Before an audience of attorneys representing a wide array of industries and private practice, the days’ sessions covered topics ranging from complying with the California Consumer Privacy Act, to addressing cybersecurity readiness, to insights from regulators, to ethical considerations for privacy and info sec attorneys, to vendor risk management.   Hilary Wandall, SVP, Privacy Intelligence and General Counsel, presented on a panel entitled “Beyond GDPR – Privacy and Data … Continue reading TrustArc Participates at Practicing Law Institute in San Francisco

The post TrustArc Participates at Practicing Law Institute in San Francisco appeared first on TrustArc Blog.

The iOS Twitter Bug: 3 Tips to Protect Your Location Data

Many of us use social media to keep our family and friends up-to-date on our everyday lives. We don’t typically expect social media companies to keep their partners updated on our every move as well. But for some Twitter users, this is exactly the situation they’ve found themselves in. On Monday afternoon, the social media company disclosed a bug that resulted in some Twitter users’ locations being shared with an unnamed Twitter partner.

So, how exactly did this bug disclose the locations of certain Twitter users? The social network accidentally sent advertising partners location data for a process called real-time bidding. This process lets advertisers pay for space based on certain users’ locations. Twitter intended to remove the location data from what it sent to its partners but failed to do so. Affected users include those who had more than one Twitter account on an iOS device. If the user chose to share their precise location on one account, Twitter says it may have collected and shared data for the other account on the same mobile device even if that account had opted out of location sharing. Although the location data was “fuzzed” to only show a ZIP code or city, it is still unclear as to how long this location sharing took place.

According to Twitter, the location data was not retained by the partner and they have fixed the problem to ensure that it doesn’t happen again. And while affected users have already been notified by the social network, there are some steps users can take to help protect their data:

  • Turn off location services. While social media is meant for sharing, there is some information, like your location, that ought to be kept private. If a cybercriminal knows where you are at a specific point in time, they could potentially use that information to your disadvantage. Consider your overall privacy and opt out of sharing your location data with social media platforms.
  • Update, update, update. No matter what type of bug might be affecting a certain platform, it’s always crucial to keep your software up-to-date. Turning on automatic updates will ensure that you are always equipped with the latest patches and security fixes.
  • Use a comprehensive security solution. Using a solution like McAfee Total Protection helps to add an extra layer of security in case a bug does expose your device or data.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The iOS Twitter Bug: 3 Tips to Protect Your Location Data appeared first on McAfee Blogs.

Millions of computers powered by Intel chips are affected by MDS flaws

Millions of computers powered by Intel processors are affected by a new class of vulnerabilities (MDS) that can leak potentially sensitive data.

Researchers from multiple universities and security firms discovered a new class of speculative execution side-channel vulnerabilities that could be exploited with new side-channel attack methods dubbed Fallout, RIDL (Rogue In-Flight Data Load), and ZombieLoad.

“On May 14, 2019, Intel and other industry partners shared details and information about a new group of vulnerabilities collectively called Microarchitectural Data Sampling (MDS).” reads a post published by Intel.

“Under certain conditions, MDS provides a program the potential means to read data that program otherwise would not be able to see,” “MDS techniques are based on a sampling of data leaked from small structures within the CPU using a locally executed speculative execution side channel. Practical exploitation of MDS is a very complex undertaking. MDS does not, by itself, provide an attacker with a way to choose the data that is leaked.”

The new class of flaws, dubbed Microarchitectural Data Sampling (MDS attacks), includes four different flaws that could be triggered to leak arbitrary in-flight data from CPU-internal buffers, such as Line Fill Buffers, Load Ports, or Store Buffers.

“MDS may allow a malicious user who can locally execute code on a system to infer the values of protected data otherwise protected by architectural mechanisms.” reads the secuirty advisory published by Intel. “Refer to the MDS table in Deep dive: CPUID Enumeration and Architectural MSRs for a list of processors that may be affected by MDS. MDS only refers to methods that involve microarchitectural structures other than the level 1 data cache (L1D) and thus does not include Rogue Data Cache Load (RDCL) or L1 Terminal Fault (L1TF). “

Below the list of vulnerabilities in Intel processors:

  1. CVE-2018-12126—Microarchitectural Store Buffer Data Sampling (MSBDS), also known as Fallout attack.
  2. CVE-2018-12130—Microarchitectural Fill Buffer Data Sampling (MFBDS), also known as Zombieload, or RIDL (Rogue In-Flight Data Load).
  3. CVE-2018-12127—Microarchitectural Load Port Data Sampling (MLPDS), also part of RIDL class of attacks.
  4. CVE-2019-11091—Microarchitectural Data Sampling Uncacheable Memory (MDSUM), also part of RIDL class of attacks.
MDS flaws

The attacks are similar to the Meltdown and Spectre attacks disclosed in January 2018.

The attacks work against most of the systems running up to Intel CPUs made in the past decade, the methods can cause the leak of sensitive information, such as passwords, disk encryption keys and browser history.

The flaws can be exploited remotely via JavaScript code and rogue websites or using exploited using malware that infected the targeted devices.

Intel revealed that the flaws were initially discovered by its experts and partners, and later reported by third-party researchers, including academics from the University of Michigan, Worcester Polytechnic Institute, Graz University of Technology, imec-DistriNet, KU Leuven, University of Adelaide, Microsoft, the VUSec group at VU Amsterdam, Bitdefender, Oracle, and Qihoo 360.

Newer chips, including some 8th and 9th generation Core processors and 2nd generation Xeon Scalable processors, address the above flaws in hardware. Intel already provided for some products microcode updates that address the flaws.

Unlike security updated for Meltdown and Spectre, the security patches for the MDS flaws should have minimal impact on the performance of most of the PCs. We cannot exclude a performance degradation in the case of data center.

Researchers published several research papers (i.e. RIDL, Fallout, ZobieLoad), c) and set up a dedicated website for the attack methods. They also released working PoC code and Video PoC demonstrating the exploitation of the flaws.

Experts also released Windows and Linux tools to test systems against RIDL and Fallout attacks as well as other speculative execution vulnerabilities.

Tech giants already published security advisories for the vulnerabilities, including MicrosoftGoogleApple, and Linux distributions. Microsoft, Google, Apple, and HP have already announced the implementation of measures to mitigate potential attacks.

ARM and AMD processors are not affected. 

Pierluigi Paganini

(SecurityAffairs – MDS, Hacking)

The post Millions of computers powered by Intel chips are affected by MDS flaws appeared first on Security Affairs.

A Quick Glimpse On The WhatsApp “Spyware” Issue

The embattled Facebook is facing another huge setback this week, as their acquired iOS/Android app, WhatsApp is affected by a spy-like trojan on some version of the app available for download. The social media giant categorizes the issue as a “spyware” that was embedded to some variants of WhatsApp inserted by threat actors as they exploit a major vulnerability in the app. The alleged embedded “spyware” was planted by an alleged Spyware firm named NSO Group, which is based in Israel. The extent of its access to the mobile device-wide, from it, serving as a RAT (Remote Access Trojan), activation of front/back cameras, read emails/SMS/MMS and capability to access user’s contacts.

The trouble is cross-platform, as infected versions of WhatsApp for iOS and Android were seen in the wild. Even small players such as the already deprecated Windows Phone 10 platform and Samsung’s Tizen version of WhatsApp are also affected. The only visible indication that the user is “targeted” is frequent instances of dropped calls from the app. The spyware is said to have the capability to perform cyber espionage on the phone, making it unsafe for anyone to use WhatsApp as an instant messaging and voice call service.

Meanwhile, NSO Group is strongly denying the allegations, as its spokesperson went public saying: “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.“ With the incident, Facebook is critically recommending all their 1.5 billion WhatsApp users to uninstall their current WhatsApp installed on their devices, redownload a fresh version of WhatsApp (clean version available for download) in the Google Play Store, log in to their account and specifically perform a password reset procedure. The United States law enforcement agencies are already in the case, as they try to help Facebook uncover more details of the spyware infection of WhatsApp.

The innocence of NSO Group is being challenged by Amnesty Tech, expressing concerns about this new type of attack vector that harms mobile users. “NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw,” emphasized Danna Ingleton, Amnesty Tech’s Deputy Director.

This WhatsApp trouble is happening on the wake of Facebook proudly announcing the “privacy first” end-to-end encryption initiative for their other instant messaging Facebook Messaging. The social media giant also recently announced the eventual infrastructure merger of WhatsApp, Instagram, and Facebook, which basically creates just 1-product for the entire organization.

Apple’s iOS and Google’s Android both have a default configuration to automatically download app updates from their respective app stores the moment the app publisher posted a new version of the app. This feature is usually only disabled by advanced users through the settings page of their respective app stores. Hackercombat.com strongly recommends the resetting for user password for all users of WhatsApp, and if convenient to the users, also the password for their Facebook and Instagram accounts. Though the merger of infrastructure is not yet complete, as the plan for it is still in the pipeline, it is better to be safe than sorry.

Source: https://gbhackers.com/whatsapp-hacked-iphone-or-android/

Also, Read:

WhatsApp Launches Service to Fight Fake News in India

The WhatsApp Gold Scam is Back, in a New Form!

All WhatsApp Users Must Update: Zero Day Bug Found in WhatsApp

WhatsApp’s Founder Accused Facebook of “Sold My Users’ Privacy”

Checkpoint Research Released Video Demo of a Nasty WhatsApp flaw

 

 

The post A Quick Glimpse On The WhatsApp “Spyware” Issue appeared first on .

VERT Threat Alert: May 2019 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s May 2019 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-830 on Wednesday, May 15th. In-The-Wild & Disclosed CVEs CVE-2019-0863 Windows Error Reporting (WER) incorrectly handles certain files and, when exploited, could lead to the execution of code in kernel mode, providing full […]… Read More

The post VERT Threat Alert: May 2019 Patch Tuesday Analysis appeared first on The State of Security.

San Francisco Votes to Ban Facial Recognition

San Francisco Votes to Ban Facial Recognition

Lawmakers in San Francisco will vote today on legislation that would ban the use of facial recognition technology among city departments, according to NPR.

If approved, the law would make San Francisco the first city to ban the technologies use, a ban that would extend to police body cameras. “Governments have used the technology for several years, and the software can assist with efforts to find missing children, for example, or prevent driver's license fraud,” NPR reported.

That the technology is so widely used is evidence of what happens when the pace of adoption moves too swiftly. “It’s good to see legislators and others taking technological innovations seriously – especially in terms of this one-to-many use case where facial recognition might be used to pick a face out of a crowd,” said Sam Bakken, senior product marketing manager at OneSpan.

“It’s important to remember though that one-to-one use cases such as that facilitated by Apple Face ID and other technology whereby a user willingly enrolls in the system to allow them to unlock their phone or log into other accounts using their face makes it easy and convenient for consumers to add an additional layer of security to their mobile devices and accounts.”

The proposed legislation is intended to address those instances where individuals are not consenting to have their images included in a database, but not all experts agree that the move to ban the technology is a step in the right direction.

“This is backwards thinking when it comes to public safety and an equally illogical argument could be made against using fingerprints and DNA evidence, which are also left behind without intent or permission but are instrumental in providing leads that solve countless crimes and bring violent criminals to justice. We have a constitutional presumption of innocence that protects us. If facial recognition or fingerprint matching or DNA testing provides clues to law enforcement agencies, they should not be barred from following up on them," John Gunn, CMO, OneSpan.

Speculators Look to ID AVs Hacked by Russia

Speculators Look to ID AVs Hacked by Russia

Last week Infosecurity Magazine reported on threat intelligence published by Advanced Intelligence (AdvIntel) claiming that three US antivirus companies had been hacked by a top-tier Russian hacking collective.

While the original research did not identify the impacted companies, both Gizmodo and Bleeping Computer have reported that McAfee, Symantec and Trend Micro are the three companies in question.

Though it does try to adhere to the general rule of not discussing victim entities, an AdvIntel spokesperson said in an email, “Given the latest independent corroboration and publication, we can confirm that Trend Micro and McAfee were two of the companies that were claimed to be breached by the actor group with their internal access and data for sale.”

Trend Micro has confirmed that an unauthorized third party accessed a single testing lab network. “We have an active investigation underway related to recent claims, and while it is not complete, we want to transparently share what we have learned. Working closely with law enforcement, our global threat research and forensic teams are leading this investigation,” a Trend Micro spokesperson wrote in an email.

“Some low-risk debugging related information was obtained. We are nearing the end of our investigation and at this time we have seen no indication that any customer data nor source code were accessed or exfiltrated. Immediate action was taken to quarantine the lab and additionally secure all corresponding environments. Due to the active nature of the investigation, we are not in a position to share any additional information, but we will provide an update when additional insights become available and can be disclosed.”

A McAfee spokesperson wrote, “McAfee has been conducting a thorough investigation into these claims. To date, we’ve found no indication that McAfee products, services or networks have been impacted by the campaign described.”

AdvIntel said that it had reached out to all of the purported victims, as well as the law enforcement, regarding Fxmsp well before its initial blog was released. Though the company did not comment on whether Symantec was one of the breached companies, there has been speculation that Symantec is the third victim.

Symantec said it is aware of recent claims that a number of US-based antivirus companies were breached, and a spokesperson said, “We have been in contact with researchers at AdvIntel, who confirmed that Symantec (Norton) has not been impacted. We do not believe there is reason for our customers to be concerned.”

*AdvIntel admitted in a message to Computer Business Review that Fxmsp had not provided “sufficient evidence to support this allegation [that Symantec was hacked].” The company added: “We believe with a high degree of confidence that Symantec’s assessment of risks and their statement that ‘there is no reason for our [Symantec] customers to be concerned currently’ is correct.”

*Updated May 15 to include statement from CBR shared with Infosecurity by Symantec.

Over 460,000 E-Retailer User Accounts Hacked

Over 460,000 E-Retailer User Accounts Hacked

Fast Retailing Co., Asia’s largest retailer, released a statement acknowledging that hackers likely gained access to the personal information of nearly half a million Uniqlo and GU brand e-commerce portal users.

“It was confirmed on May 10, 2019 that an unauthorized login by a third party other than the customer occurred on the online store site operated by our company. Although the number of targets and the situation may change according to the progress of the future survey, we will report the facts confirmed at present and our response,” according to a translation of the company's statement.

“This fraudulent login was performed from April 23 to May 10, 2019 by the method of 'list-type account hacking (list-type attack),' and the number of accounts logged-in illegally as of the present is 461,091. We deeply apologize to our customers and stakeholders for any inconvenience or concern. We will strive to further enhance security and ensure safety so that similar events do not occur.”

Not only are the password owners at risk, but e-commerce businesses with user login pages are also at risk of being the next company to suffer a breach, according to Rami Essaid, co-founder of Distil Networks.

“Data breaches like Uniqlo create huge spikes in bot traffic on the login screens of websites, as hackers cycle through enormous lists of stolen passwords. Password dumps create a ripple effect of organizations spending precious time and resources on damage control,” Essaid said.

First there is “the massive spike in failed logins, then the access into someone else’s account before the hacker changes the password, then the account lock-out for the real user, then the customer service calls to regain access to their account. All because a username and password was stolen from a different website," Essaid continued. "While it’s important that individual web users have strong, secure logins, the onus is on the businesses to detect and block malicious bot traffic before large-scale password hacks can occur.”

Insecure web applications continue to plague e-commerce businesses because retailers limit their application security efforts and often overlook the most obvious risks and threats, said Ilia Kolochenko, founder and CEO of ImmuniWeb. “Cyber-criminals will now increasingly target retailers from developed countries within the APAC region, as Western retailers are better protected and are also suffering from an economic slowdown.

“Application security should start with a holistic inventory and risk assessment to enable well-informed decisions. Afterwards, continuous security monitoring is vital to ensure agile development processes and timely addressing of any new security and privacy issues.”

The Guardian view on hacking: a dangerous arms trade | Editorial

Cyberweapons are dangerous in themselves. Their proliferation makes them much more harmful

NSO Group, an Israeli firm that has risen to a billion-dollar valuation on the strength of the aggressive hacking tools it sells to authoritarian governments across the Arab world, is being sued by lawyers and activists who claim to be victims of its software. One of the lawyers involved in the suit was targeted some weeks ago by mysterious WhatsApp calls to his phone in the middle of the night. When he contacted technical experts, they discovered Pegasus 3, an aggressive virus that can apparently install itself on a phone without the victim taking any action at all. Once installed, it takes control of the device, recording conversations and video. It can destroy the evidence of its own arrival and existence, and control any files on the device. In effect, it turns a smartphone into the perfect spying device, which the victim will carry everywhere with them.

Similar programs are widely available to abusers of all sorts, which is one reason why many domestic violence shelters ban the use of smartphones. But the ones that can easily be bought require some action from the victim, usually a misplaced click, or else a few moments’ access to their phone. The NSO malware targeting WhatsApp is different in that it could install itself without the victim doing anything at all. To discover and exploit the programming mistakes that opened this vulnerability would take years and cost millions of dollars. That is why it’s assumed that only states, or state-backed actors, have the resources to produce them.

Continue reading...

Microsoft Patches ‘Wormable’ Flaw in Windows XP, 7 and Windows 2003

Microsoft today is taking the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003, citing the discovery of a “wormable” flaw that the company says could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017.

The May 2017 global malware epidemic WannaCry affected some 200,000 Windows systems in 150 countries. Source: Wikipedia.

The vulnerability (CVE-2019-0708) resides in the “remote desktop services” component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It also is present in computers powered by Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates.

Microsoft said the company has not yet observed any evidence of attacks against the dangerous security flaw, but that it is trying to head off a serious and imminent threat.

“While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware,” wrote Simon Pope, director of incident response for the Microsoft Security Response Center.

“This vulnerability is pre-authentication and requires no user interaction,” Pope said. “In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening.”

The WannaCry ransomware threat spread quickly across the world in May 2017 using a vulnerability that was particularly prevalent among systems running Windows XP and older versions of Windows. Microsoft had already released a patch for the flaw, but many older and vulnerable OSes were never updated. Europol estimated at the time that WannaCry spread to some 200,000 computers across 150 countries.

CVE-2019-0708 does not affect Microsoft’s latest operating systems — Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.

More information on how to download and deploy the update for CVE-2019-0708 is here.

All told, Microsoft today released 16 updates targeting at least 79 security holes in Windows and related software — nearly a quarter of them earning Microsoft’s most dire “critical” rating. Critical bugs are those that can be exploited by malware or ne’er-do-wells to break into vulnerable systems remotely, without any help from users.

One of those critical updates fixes a zero-day vulnerability — (CVE-2019-0863) in the Windows Error Reporting Service — that’s already been seen in targeted attacks, according to Chris Goettl, director of product management for security vendor Ivanti.

Other Microsoft products receiving patches today including Office and Office365, Sharepoint, .NET Framework and SQL server. Once again — for the fourth time this year — Microsoft is patching yet another critical flaw in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. “Windows DHCP client”).

“Any unauthenticated attacker who can send packets to a DHCP server can exploit this vulnerability,” to deliver a malicious payload, notes Jimmy Graham at Qualys.

Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches.

Note that Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

As per usual, Adobe has released security fixes for Flash Player and Acrobat/Reader. The Flash Player update fixes a single, critical bug in the program. Adobe’s Acrobat/Reader update plugs at least 84 security holes.

Microsoft Update should install the Flash fix by default, along with the rest of this month’s patch bundle. Fortunately, the most popular Web browser by a long shot — Google Chrome — auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it. By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.

Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

ZombieLoad: Researchers discover New Hardware Vulnerability in Modern Intel Processors

A brand new processor hardware vulnerability affecting modern Intel CPUs has been uncovered by Bitdefender researchers  Coined "ZombieLoad side-channel processor", the vulnerability defeats the architectural safeguards of the processor and allows unprivileged user-mode applications to steal kernel-mode memory information processed on the affected computer.


A Concerning Impact on Cloud Services
The new vulnerability can be exploited by attackers to leak privileged information data from an area of the processor's memory meant to be strictly off-limits. This flaw could be used in highly targeted attacks that would normally require system-wide privileges or deep subversion of the operating system. The flaw has an extremely large impact on cloud service providers and within multi-tenant environments, as potentially a 'bad neighbour' could leverage this flaw to read data belonging to other tenants.

The proof of concept code has been shared privately with the vendor, was said to have been successfully tested on Intel Ivy Bridge, Haswell, Skylake and Kaby Lake microarchitectures by the researchers.


Remediation
Since this vulnerability revolves around a hardware design flaw, microcode patches have been available to remediate the flaw. Currently, Bitdefender and industry partners are working on fixes implemented at the hypervisor level.

Industry Security Patches
Similarities with Meltdown and Spectre
Side channel attacks based on speculative execution was in the news with the identification of Meltdown and Spectre CPU vulnerabilities back in early 2018. Since then, variants of side-channel attacks have been occasionally discovered and partially mitigated via microcode and operating system patches. However, as this is a flaw that stems from a hardware design issue, a general fix to plug the hardware vulnerability is impossible.


Picking and Choosing Your Online Privacy

I’ll admit it. I am old enough that my younger adult days have not been recorded for all to access on the internet. Many of my generation – the X’ers – relish this lucky position when it comes to the intersection of life and the technological innovation time line. Not that the choice was mine, […]

The post Picking and Choosing Your Online Privacy appeared first on Privacy Ref Blog.

Executing on the vision of Microsoft Threat Protection

Over the last several months, we’ve provided regular updates on the rapid progress we’re making with Microsoft Threat Protection, which enables your organization to:

  • Protect your assets with identity-driven security and powerful conditional access policies which ensure your assets are secured from unauthorized users, devices, or apps.
  • Connect the dots between disparate threat signals and develop threat incidents by grouping alerts from different parts of your environment, stitching together the elements of a threat.
  • Empower your defenders, providing in-depth analysis to identify the full scope and impact of a threat.

We support these capabilities by offering you intelligent automation as well as human expertise to quickly resolve situations and keep your business running. I recently shared our vision of Microsoft Threat Protection with Jeremy Chapman in a Microsoft Mechanics video broadcast:

We strongly believe in our vision and are confident our customers will benefit from enhanced security with Microsoft Threat Protection as we continue adding capabilities with unstoppable momentum. Today, I want to spend time highlighting what Microsoft Threat Protection can already do for you. While we’re very excited about the vision and pushing towards releasing more features, it’s important to share the significant advantages which are already available with Microsoft Threat Protection today. I’m going to use a real example of a common, yet lethal, threat type to showcase how Microsoft Threat Protection already makes your organization more secure.

Executing on our vision

The more threats we see, the more we can stop. This virtual cycle means that each threat we see helps further enhance our machine learning models, which in turn improves our ability to stop subsequent threats. As we’ve shared in the past, the Microsoft Intelligent Security Graph (Figure 1) enables us to see billions of threats and assess 6.5 trillion signals daily. Importantly, we don’t only see a large quantity of threats, but we also see threats from a wide variety of sources. Through the Intelligent Security Graph, threat signals are seamlessly shared across all the services in Microsoft Threat Protection, providing comprehensive security across multiple attack vectors.

Infographic of the strength of signal offered by the Microsoft Intelligent Security Graph.

Figure 1. The strength of signal offered by the Microsoft Intelligent Security Graph.

A great example of how Microsoft Threat Protection is already executing on its promised vision is how we address phishing campaigns. Phishing has been on a steady rise over the last few years. As the provider of one of the largest email services on the planet, we expect to be a primary target for attacks. In 2018 alone, Microsoft’s analysts analyzed (Figure 2) over 300,000 phishing campaigns and 8 million business email compromise (BEC) attempts.

Infographic showing data from Office 365 security analysts on the phishing campaigns and BEC attempts from 2018.

Figure 2. Data from Office 365 security analysts on the phishing campaigns and BEC attempts from 2018.

While these numbers can be worrisome, Microsoft Threat Protection is designed to secure your organization from phishing, whether the campaign attacks the endpoint, email, or through the web. In a recent campaign, anomaly detection algorithms in Microsoft Defender Advanced Threat Protection (ATP) next-generation protection pointed to multiple PDF files that  Microsoft could detect. We were the only organization able to detect these phish PDFs because we leveraged the knowledge from multiple security services operating on various attack vectors. In this example, the malicious PDF files (Figure 3) were blocked by machine learning models, enhanced by assimilating signals from multiple services of Microsoft Threat Protection.

Image of one of several PDF files that only Microsoft was detecting (as Trojan:PDF/Sonbokli.A!cl) at the time it was first observed (Source: VirusTotal).

Figure 3. One of several PDF files that only Microsoft was detecting (as Trojan:PDF/Sonbokli.A!cl) at the time it was first observed (Source: VirusTotal).

Through the Microsoft Intelligent Security Graph, the detection algorithm was enriched with URL and domain reputation intelligence from Microsoft Defender SmartScreen, the service powering the anti-phishing technology in Microsoft Edge, as well as the network protection capability in Microsoft Defender ATP.

Additionally, Office 365 Advanced Threat Protection (ATP) provided rich optics from PDF phish files distributed via email. When Office 365 ATP detects a suspicious file or URL in emails, it can detonate the file and apply heuristics and sophisticated machine learning to determine a verdict. This verdict is shared with other services in Microsoft Threat Protection. In the case of these PDF files, all the services in Microsoft Threat Protection could immediately block the corrupted PDF files because the original signal from Office 365 ATP was shared with all the other services in Microsoft Threat Protection.

Microsoft Threat Protection also stops threats quickly because of its unique attributes. Every day, Microsoft sees millions of new attacks that run for just 60 minutes or less. This fast pace requires security to be automatic, in real-time, and accurate. The signal sharing and mitigation across Microsoft Threat Protection is robust and comprehensive. Below (Figure 4) is an actual timeline showing how the threat originally identified by SmartScreen provided signal to both Office ATP and Microsoft Defender ATP, which both blocked the threat.

Image of a threat timeline of a campaign from the first identification with SmartScreen to mitigations by Office ATP/Exchange Online Protection (EOP) and Microsoft Defender ATP.

Figure 4. Threat timeline of this campaign from the first identification with SmartScreen to mitigations by Office ATP/Exchange Online Protection (EOP) and Microsoft Defender ATP.

Great intelligence enables great security

Our unparalleled intelligence, seamless integration, and best-of-breed solutions for multiple attack vectors leads to the staggering numbers of threats we can detect and mitigate across multiple threat vectors. Below are statistics of the threats which Microsoft Threat Protection mitigated in 2018 (Figure 5). What’s important is not only the number of threats we’ve detected and blocked, but also the fact that we do so for threats across multiple, disparate attack vectors. This is the same strength of security you will benefit from when you implement Microsoft Threat Protection.

Image of Microsoft Threat Protection in action. Some of the detections and mitigations already offered with the solution.

Figure 5. Microsoft Threat Protection in action. Some of the detections and mitigations already offered with the solution.

Revamped website to keep you up to date

Today, we’re excited to launch our new Microsoft Threat Protection website, where you’ll find great collateral summarizing the full scope of capabilities offered by Microsoft Threat Protection. On the site, you’ll find three new webcasts where our engineers offer details and examples of:

  • Automated Incident Response—Unique SecOps capabilities only available with Microsoft.
  • Azure Sentinel—Our newly launched SIEM-as-a-service.
  • Microsoft Threat Experts and Threat and Vulnerability Management—For endpoints.

The new site also links to all the services which are part of Microsoft Threat Protection with great collateral offering details on how the individual services help secure specific attack vectors.

Experience the evolution of Microsoft Threat Protection

Hopefully, I gave you a glimpse of how Microsoft Threat Protection has already started executing on the vision of securing the modern organization. Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit our new website.

Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities. Begin a trial of Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution available to your organization.

The post Executing on the vision of Microsoft Threat Protection appeared first on Microsoft Security.

WhatsApp Releases Update Following Breach via Remote Code Execution Vulnerability

Veracode WhatsApp Vulnerability May 2019

On Monday, The Financial Times reported that attackers have been exploiting a buffer overflow vulnerability in the popular messaging service WhatsApp. The vulnerability has been fixed, and updates were released on Friday. WhatsApp, owned by Facebook, is urging both iPhone and Android users to update the app as soon as possible.

Veracode’s State of Software Security Volume 9 found that buffer overflow was the 25th most common vulnerability, found in 3 percent of applications. Although not as prevalent as some other flaw categories (like XSS or SQL injection), it is a highly exploitable flaw, and organizations should be aware of it and addressing it quickly. Yet our data also reveals that organizations are taking a troubling amount of time to fix buffer overflow flaws – it took organizations an average of 225 days to address 75 percent of these flaws.

According to theWhatsApp, the vulnerability (CVE-2019-3568) in the VOIP stack allows remote code execution. The RCE vulnerability on WhatsApp is exploited by sending malicious codes to targeted phone numbers. Attackers can exploit the vulnerability by using the WhatsApp calling function to call a user’s mobile phone and then install surveillance software on the device. According to The Financial Times, a user doesn’t need to answer the call to be infected, and the calls seem to disappear from logs.

NSO Group, part-owned by private equity firm Novalpina Capital, is an Israeli company that created Pegasus, the software that is believed to be an integral element for successfully pulling off the attacks. The BBC reports that NSO’s flagship software can gather personal data from a targeted device using the microphone and camera, as well as capturing location data.

WhatsApp has reported the vulnerability to its lead regulator in the Europe Union, Ireland’s Data Protection Commission (DPC), though it is still investigating whether or not any EU user data has been affected as a result of the incident. The company also reported the vulnerability to the US Department of Justice last week.

WhatsApp is one of the most popular messaging tools in the world, with a sizeable 1.5 billion monthly users. It’s favored for its high level of security and privacy, as messages are encrypted end-to-end. This news adds to a turbulent period at Facebook, which bought WhatsApp in 2014 for $19 billion. Last month, a security research firm revealed 540 million Facebook accounts were publicly exposed, and a co-founder, Chris Hughes, recently advocated in The New York Times that the company should be broken up for fear that it has too much influence and power.

10 Ways How To Avoid Being A Phishing Scams Victim

Nobody wants to be a victim of phishing. We have seen so many instances of phishing, and looks like the scams are continuing for a good reason: it allow cybercriminals to make huge profits. Phishing scams have been around since the inception of the Internet and will not disappear anytime sooner. Fortunately, there are ways you avoid being a victim yourself. Here are 10 basic guidelines to protect yourself:

1. Be updated about phishing techniques

New phishing methods are constantly being developed. Without you knowing these new phishing techniques, you could accidentally fall prey to one of them. Keep your eyes open for new phishing attacks. If you are not aware of minimum techniques your risk of getting caught is much higher. For IT administrators, ongoing phishing security and phishing awareness training are strongly recommended so that all users can monitor the security within the organization.

2. Never click on a suspicious link

You can click on links when you are on trusted sites. However, clicking on links that appear in random emails and instant messages is not a wise decision. Hover your mouse over the link and it will show you where the link really goes. Do they lead where they should lead? A phishing email can come from a reputable company. If you click on the link to the website, it may look like the real website. The e-mail may ask you to enter the information, but your e-mail address may not include your name. Most phishing emails begin with “Dear Customer,” so be careful when you see them. If in doubt, go directly to the source instead of clicking on a potentially dangerous link.

3. Install Phishing Toolbar

Most web browsers can be customized using phishing toolbars. Such toolbars quickly examine websites visited and compare them to lists of known phishing websites. If you encounter a malicious website, you will be notified via the toolbar. This is just another layer of protection against phishing scams and it is totally free.

4. Check for website security

Needless to say, you should be a little cautious when providing sensitive financial information online. But as long as you are on a secure website, you should not have any problems. Before submitting information, make sure that the site URL begins with “https” and that there is a lock icon next to the address bar. Also, check the site’s security certificate. If you receive a message that a particular website may contain malicious files, do not open the website. Never download suspicious email files or websites. Even search engines can display specific links that lead users to a phishing website offering low-cost products. When the user buys on such a website, cybercriminals extract the details of their credit card.

5. Login into your account regularly

If you do not visit your online account for a long time, it is possible for someone to spend a day working with them. Even if you do not need it technically, log in to each of your online accounts regularly. Also, make a habit of changing your passwords regularly. To avoid bank phishing and credit card phishing, you should regularly check your bank statements personally. Get monthly statements for your financial accounts and carefully review each entry to make sure no fraudulent transactions have been made without your knowledge.

6. Keep your browser up-to-date

Most of the popular browsers releases security patches. They do this in order to thwart security vulnerabilities, so that phishers and hackers discover and exploit it inevitably. If you usually do not know about updates to your browsers, stop it. Now, don’t wait for that moment, when an update is available, download and install it.

7. Use Firewalls

High-quality firewalls act as a shield between you and your computer, even hackers continue to spam you. So you must use two different types: a desktop firewall and a network firewall. The first option is a type of software and the second option is a type of hardware. When used together, they greatly reduce the risk of hackers and phishing attacks on your computer or network.

8. Beware of pop-ups

Pop-ups are masquerading as a legitimate part of a website. Too often, these are phishing attempts. Many popular browsers allow you to block pop-ups. You can authorize them on a case-by-case basis. If you manage to sneak in, do not click the “cancel” button; these buttons often lead to phishing sites. Instead, click on the small “x” in the upper corner of the window.

9. Closely guard your personal Information

In general, you should never share sensitive personal or financial information on the Internet. This rule dates back to the days of America Online, where users had to be constantly warned about the success of the first phishing scams. If in doubt, go to the main website of the company in question, get its number and call it. Most phishing emails will direct you to pages where personal or financial information is needed. An Internet user must never make confidential registrations using the links provided in emails. Never send an email with sensitive information to anyone Make it a habit to check the website address. A secure website always starts with “https”.

10. Use antivirus software

There are many reasons to use antivirus software. The special signatures included with the antivirus software protect against workarounds and known technological flaws. Just make sure you keep your software up to date. New definitions are added all the time because new scams are also constantly invented. Anti-spyware and firewall settings should be used to prevent phishing attacks and users should update programs regularly. Firewall protection prevents access to malicious files by blocking attacks. Antivirus software scans each file sent over the Internet to your computer. This helps to prevent damage to your system.

Source: https://gbhackers.com/phishing-attacks-prevention/

Related Resources: 

HackerCombat Guide on How to Prevent Phishing Attacks

Check Out The Most Disastrous New Phishing Scams of 2018

How to Stay Vigilant Against Phishing Scams

The post 10 Ways How To Avoid Being A Phishing Scams Victim appeared first on .

Thrangrycat flaw could allow compromising millions of Cisco devices

Security firm Red Balloon discovered a severe vulnerability dubbed Thrangrycat, in Cisco products that could be exploited to an implant persistent backdoor in many devices.

Experts at Red Balloon Security disclosed two vulnerabilities in Cisco products. The first issue dubbed Thrangrycat, and tracked as CVE-2019-1649, affects multiple Cisco products that support Trust Anchor module (TAm).

could be exploited by an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. The second vulnerability, tracked as
CVE-2019-1862, is a remote command injection issue that affects Cisco IOS XE version 16 and that could allow remote attackers to execute code as root.

By chaining the flaws an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm.

A vulnerability in the logic that handles access control to one of the hardware components in Cisco’s proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component.” reads the advisory published by Cisco. “This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality. “

The Trust Anchor module (TAm) is a hardware-based component the allows to check that Cisco hardware is authentic and also implements additional security services.

Cisco Secure Boot helps ensure that the code running on Cisco hardware platforms is authentic and unmodified, it is available in Cisco devices since 2013.

The researchers discovered that an attacker with root privileges can make a persistent modification to the Trust Anchor module via FPGA bitstream modification and load a malicious bootloader.

“An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory.” reads the analysis published by the experts.

“Elements of this bitstream can be modified to disable critical functionality in the TAm. Successful modification of the bitstream is persistent, and the Trust Anchor will be disabled in subsequent boot sequences. It is also possible to lock out any software updates to the TAm’s bitstream.”

Thrangrycat flaw Cisco devices

Cisco classified the flaw as high severity, it received a CVSS Score Base 6.7 because the exploitation of the flaw requires root privileges. Anyway, Red Balloon pointed out that attackers could also exploit the Thrangrycat vulnerability remotely by chaining it together with other vulnerabilities that could allow them to gain root access or, at least, execute commands as root.

“An attacker with elevated privileges and access to the underlying operating system that is running on the affected device could exploit this vulnerability by writing a modified firmware image to the FPGA.” continues the advisory published by Cisco. “A successful exploit could either cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image. “

Summarizing, the attackers first exploit the RCE vulnerability (CVE-2019-1862) in the web-based user interface of Cisco’s IOS that allows a logged-in administrator to remotely execute arbitrary commands on the underlying Linux shell with root privileges.

Then, once gained root access, the attacker can remotely bypass Trust Anchor module (TAm) on a targeted device triggering the Thrangrycat vulnerability and install a malicious backdoor.

The flaws are very concerning because they reside in the hardware and cannot be addressed with a software patch.

“Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability.” concludes the advisory published by Red Balloon.

The experts successfully tested the flaw against Cisco ASR 1001-X routers, but hundreds of millions of Cisco units featuring an FPGA-based TAm implementation are vulnerable.

Red Balloon experts reported the flaws to Cisco in November 2018 and publicly disclosed some details to the public after Cisco released firmware patches to address the vulnerabilities.

The good news is that Cisco in not aware of attacks in the wild exploiting the two vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – Thrangrycat, Cisco)

The post Thrangrycat flaw could allow compromising millions of Cisco devices appeared first on Security Affairs.

Law firms report increase in staff-related security incidents

Staff can jeopardise a firm’s security with a single moment of carelessness. 2018 saw a significant rise in the number of law firms reporting security incidents concerning their own staff, up from 33% in 2017 to 46% in 2018 according to research by PwC. These incidents included the loss or leakage of confidential information, highlighting the need for better information security management within the legal sector.

Look closer to home – insider threats

Law firms may regard external cyber criminals as the key threat and be tempted to focus their resources on protecting against them, but it is also imperative to look closer to home.

Staff pose one of the biggest security threats, so firms should ensure that their employees receive appropriate training to prevent them making mistakes. Learning to recognise phishing emails is essential; while technology plays an important role, no spam filter is 100% effective, meaning your staff are the last line of defence.

Staff need to know how to respond if they mistakenly click a link in an email, including who to notify to escalate the issue and minimise the firm’s exposure. Combining this with a device-level backup process that prevents the spread of malware will ensure your firm has robust cyber resilience.

Get your firm on track with staff awareness training

Educate your employees on information security and cyber security with staff awareness training, which will teach them the basics of data security and how to deal with threats. Interactive e-learning courses are a cost-effective way to educate staff on key issues in a structured manner.

Train your team with e-learning from IT Governance

We offer e-learning courses on cyber security, the GDPR (General Data Protection Regulation), appropriate use of Cc and Bcc in emails, secure social media use and how to spot phishing scams. These can be purchased off-the-shelf or customised to offer bespoke e-learning solutions to larger firms.

To find out more about our staff training solutions for the legal sector, complete an enquiry form to contact our experts or call our team on +44 (0)333 800 7000 to discuss your firm’s requirements.

The post Law firms report increase in staff-related security incidents appeared first on IT Governance Blog.

Episode 492 – If It Sounds Too Good To Be True On The Internet, It Is

If it sounds too good to be true on the Internet, it is. Scammers are preying on the success of a major movie promising downloads but in reality they are collecting your data. This epsiode goes into the details.  Be aware, be safe. *** Support the podcast with a cup of coffee *** – Ko-Fi […]

The post Episode 492 – If It Sounds Too Good To Be True On The Internet, It Is appeared first on Security In Five.

North Korea-linked ScarCruft APT adds Bluetooth Harvester to its arsenal

The North Korea-linked APT group ScarCruft (aka APT37 and Group123) continues to expand its arsenal by adding a Bluetooth Harvester.

North Korea-linked APT group ScarCruft (aka APT37, Reaper, and Group123) continues to expand its arsenal by adding a Bluetooth Harvester.

ScarCruft has been active since at least 2012, it made the headlines in early February 2018 when researchers revealed that the APT group leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.

Kaspersky first documented the operations of the group in 2016. Cyber attacks conducted by the APT37 group mainly targeted government, defense, military, and media organizations in South Korea.

FireEye linked the APT37 group to the North Korean government based on the following clues:

  • the use of a North Korean IP;
  • malware compilation timestamps consistent with a developer operating in the North Korea time
    zone (UTC +8:30) and follows what is believed to be a typical North Korean workday;
  • objectives that align with Pyongyang’s interests(i.e. organizations and individuals involved in Korean
    Peninsula reunification efforts);

Researchers from FireEye revealed that the nation-state actor also targeted entities in Japan, Vietnam, and even the Middle East in 2017. The hackers targeted organizations in the chemicals, manufacturing, electronics, aerospace, healthcare, and automotive sectors.

Past attacks associated with the ScarCruft APT group involved zero-day vulnerabilities, anyway Kaspersky researchers pointed out that threat actors also used public exploits in its campaigns.

On April 2018, ScarCruft APT added a more advanced variant of an Android Trojan, dubbed KevDroid, to its arsenal.

Now Kaspersky Lab experts discovered that ScarCruft is using a “rare” Bluetooth device harvester.

Kaspersky found several victims of a recent campaign in investment and trading companies in Vietnam and Russia.

“We believe they may have some links to North Korea, which may explain why ScarCruft decided to closely monitor them. ScarCruft also attacked a diplomatic agency in Hong Kong, and another diplomatic agency in North Korea.” reads the analysis published by Kaspersky Lab. “It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes.”

scarcruft bluetooth harvester 2

“The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration.” continues the analysis.

“We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester. This malware is responsible for stealing Bluetooth device information.”

The Bluetooth Harvester is delivered by a downloader, it leverages the Windows Bluetooth APIs to collect information on the devices connected via Bluetooth to the compromised system.

The tool gathers several data including device name, address, class, and whether the device is connected, authenticated and remembered.

The dropper used to deliver the Bluetooth Harvester exploits a privilege escalation (CVE-2018-8120) or leverage the UACME method to bypass the Windows User Account Control (UAC) feature. Then the malware executes an installer that creates another downloader that retrieves a final payload hidden inside an image file.

“The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload. In order to evade network level detection, the downloader uses steganography. The downloaded payload is an image file, but it contains an appended malicious payload to be decrypted.” continues Kaspersky.

scarcruft bluetooth harvester

The final payload was a backdoor tracked by Cisco as ROKRAT that is used to download and execute other malware, execute commands, and exfiltrate data.

Kaspersky experts also discovered some overlaps with other APT groups, DarkHotel and KONNI. One of the devices infected with ScarCruft malware was previously compromised by a variant of KONNI and a few days earlier by the GreezeBackdoor, a malware belonging to DarkHotel’s arsenal.

“The ScarCruft has shown itself to be a highly-skilled and active group. It has a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe.” concludes Kaspersky. “Based on the ScarCruft’s recent activities, we strongly believe that this group is likely to continue to evolve.”

Pierluigi Paganini

(SecurityAffairs – ScarCruft, Bluetooth Harvester)

The post North Korea-linked ScarCruft APT adds Bluetooth Harvester to its arsenal appeared first on Security Affairs.

WhatsApp spyware attack was attempt to hack human rights data, says lawyer

NSO Group technology reportedly used against lawyer involved in civil case against the Israeli surveillance firm

The UK lawyer whose phone was targeted by spyware that exploits a WhatsApp vulnerability said it appeared to be a desperate attempt by someone to covertly find out the details of his human rights work.

The lawyer, who asked not to be named, is involved in a civil case brought against the Israeli surveillance company NSO Group whose sophisticated Pegasus malware has reportedly been used against Mexican journalists, and a prominent Saudi dissident living in Canada.

Related: WhatsApp urges users to update app after discovering spyware vulnerability

Users are strongly advised to check for WhatsApp updates manually through the Apple App Store on an iPhone, Google Play or similar on an Android device, the Microsoft Store on Windows Phones and the Galaxy app store on Tizen devices.

Related: Mexico accused of spying on journalists and activists using cellphone malware

Continue reading...

Upcoming Webinar – “Putting your Data Inventory to Work: Getting a Return on your Investment”

TrustArc is proud to present the next Privacy Insight Series webinar “Putting your Data Inventory to Work: Getting a Return on your Investment” with TrustArc Senior Privacy Consultant, Beth Sipula, FIP, CIPM, CIPP. This webinar will take place on Wednesday, May 22nd at 9am PT / 12pm ET / 5pm GMT. Don’t miss this opportunity to learn best practices on how to leverage your data inventory – register today! GDPR forced companies to invest in building a data inventory and developing a fundamental understanding of how data flows through their organization. But what’s next? How can you use the inventory … Continue reading Upcoming Webinar – “Putting your Data Inventory to Work: Getting a Return on your Investment”

The post Upcoming Webinar – “Putting your Data Inventory to Work: Getting a Return on your Investment” appeared first on TrustArc Blog.

WhatsApp urges users to update app after massive security failure

If you’ve recently had a missed call on WhatsApp from a number you didn’t recognise, cyber criminals might be spying on you.

The Facebook-owned app has admitted that cyber criminals have exploited a major vulnerability in its voice call function and are planting spyware on users’ phones. This enables crooks to turn on devices’ cameras and microphones, read emails and instant messages, and collect users’ location data.

The breach was discovered earlier this month, and WhatsApp released an update addressing the issue on Friday. The messaging service is now urging users to install the patch to ensure they don’t fall victim. Updates are often installed automatically, but it’s worth checking that this feature is enabled.

Who is responsible for the attack?

The technology behind the attack was developed by the Israeli cyber surveillance organisation NSO Group, but the firm has denied playing a part in the breach. It said that the Pegasus spyware is licenced to authorised government agencies “for the sole purpose of fighting crime and terror” and that it doesn’t use it itself.

WhatsApp believes the “attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems”.

The identity of that company is currently unclear, but we would guess the attack was politically motivated. The spyware has been planted on a relatively small number of devices, which wouldn’t be the case if crooks were trying to obtain personal information for financial gain, and those who have reported being targeted hold politically and socially important roles, such as human rights activists, journalists and lawyers.

The severity of the breach means an investigation is bound to be launched, but we doubt that the perpetrators’ identity will ever be discovered. It’s incredibly difficult to investigate sophisticated attacks like this, and it’s even harder to find the necessary evidence to bring about a conviction.

Things should improve as new technologies become available to cyber crime investigators like the National Crime Agency, the FBI and Europol. They will also be helped by organisations paying greater attention to cyber security and engaging in threat intelligence sharing, but it’s always worth remembering that the best defence is prevention. By making it harder for crooks to breach your systems, you’ll make cyber crime a less prosperous endeavour and reduce the likelihood of being targeted.

Subscribe to our weekly newsletter for all the latest cyber security news and advice >>

The post WhatsApp urges users to update app after massive security failure appeared first on IT Governance Blog.

Cryptanalysis of SIMON-32/64

A weird paper was posted on the Cryptology ePrint Archive (working link is via the Wayback Machine), claiming an attack against the NSA-designed cipher SIMON. You can read some commentary about it here. Basically, the authors claimed an attack so devastating that they would only publish a zero-knowledge proof of their attack. Which they didn't. Nor did they publish anything else of interest, near as I can tell.

The paper has since been deleted from the ePrint Archive, which feels like the correct decision on someone's part.

Equifax Has Spent Nearly $1.4bn on Breach Costs

Equifax Has Spent Nearly $1.4bn on Breach Costs

Equifax has incurred losses so far of over $1.35bn from a devastating 2017 breach which affected more than half of all Americans and millions of UK consumers, the firm revealed in its latest financials.

The credit agency claimed in its Q1 2019 earnings statement that the figure “related to the incident, incremental technology and data security costs, and an accrual for losses associated with legal proceedings and investigations.”

The firm has recouped the maximum possible $125m, minus $7.5m, from an insurance policy, and claims that breach costs for the rest of this year will be less than those for 2018.

However, the first three months of 2019 saw the company shell out $82.8m for “technology and data security,” $12.5 for “legal and investigative fees,” and $1.5m for product liability. The largest sum ($690m) was listed as “accrual for legal matters” related to the 2017 breach.

As well as the $786.8m listed for Q1 2019, the firm detailed $68.7m it spent in Q1 2018.

Its technology and data costs “include incremental costs to transform our technology infrastructure and improve application, network, data security, and the costs of development and launch of Lock and Alert,” it explained. These include people, services and direct product costs.

The legal costs relate to payments to lawyers and professional services companies to investigate the incident and respond to legal, government, and regulatory investigations and claims. Product liability costs relate to its paying for free credit monitoring for customers.

The latest revelations can be seen as a cautionary tale of what happens when organizations fail to implement adequate cybersecurity.

The 2017 breach itself stemmed from exploitation of a known Apache Struts 2 flaw which was left unpatched. The subsequent exfiltration of data over several months compromised highly sensitive credit and personal information on over half of all American adults (148m) and 15 million UK consumers, as well as around 20,000 Canadians.

Although the UK’s ICO fined the firm the maximum £500,000 under the old regime, Equifax could have been hit with a penalty orders of magnitude greater if the incident had occurred after May 2018, when the GDPR came into effect.

Bad Actors Using MitM Attacks against ASUS to Distribute Plead Backdoor

Researchers believe bad actors are using man-in-the-middle (MitM) attacks against ASUS software to distribute the Plead backdoor. Near the end of April 2019, researchers at ESET observed several attack attempts that both created and executed the Plead backdoor using “AsusWSPanel.exe,” a legitimate process which belongs to the Windows client for the cloud-based storage service ASUS […]… Read More

The post Bad Actors Using MitM Attacks against ASUS to Distribute Plead Backdoor appeared first on The State of Security.

Malware Training Sets: FollowUP

The popular expert Marco Ramilli provided a follow up to its Malware classification activity by adding a scripting section which would be useful for several purposes.

On 2016 I was working hard to find a way to classify Malware families through artificial intelligence (machine learning). One of the first difficulties I met was on finding classified testing set in order to run new algorithms and to test specified features. So, I came up with this blog post and this GitHub repository where I proposed a new testing-set based on a modified version of Malware Instruction Set for Behavior-Based Analysis, also referred as MIST. Since that day I received hundreds of emails from students, researchers and practitioners all around the world asking me questions about how to follow up that research and how to contribute to expanding the training set.

malware

I am so glad that many international researches used my classified Malware dataset as building block for making great analyses and for improving the state of the art on Malware research. Some of them are listed here, but many others papers, articles and researches have been released (just ask to Google).

Today I finally had chance to follow-it-up by adding a scripting section which would be useful to: (i) generate the modified version of MIST files (the one in training sets) and to (ii) convert the obtained results to ARFF (Attribute Relation File Format) by University of Waikato. The first script named mist_json.py is a reporting module that could be integrated into a running CuckooSandBox environment. It is able to take the cuckoo report and convert it into a modified version of MIST file. To do that, drop mist_json.py into your running instance of CuckooSandbox V1 (modules/reporting/) and add the specific configuration section into conf/reporting.conf. You might decide to force its execution without configuration by editing directly the source code. The result would be a MIST file for each Cuckoo analysed sample. The MIST file wraps out the generated features as described into the original post here. By using the second script named fromMongoToARFF.py you can convert your JSON object into ARFF which would be very useful to be imported into WEKA for testing your favorite algorithms.

Now, if you wish you are able to generate training sets by yourself and to test new algorithms directly into WEKA. The creation process follows those steps:

  • Upload the samples into a running CuckooSanbox patched with
    mist_json.py
  • The mist_json.py produces a MIST.json file for each submitted sample
  • Use a simple script to import your desired MIST.json files into a MongoDB. For example for i in */.json; do; mongoimport –db test –collection test –file $i; done;
  • Use the fromMongoToARFF.py to generate ARFF
  • Import the generated ARFF into Weka
  • Start your experimental sessions

If you want to share with the community your new MIST classified files please feel free to make pull requests directly on GitHubEverybody is using this set will appreciate it.

The original post along many other interesting analysis are available on the Marco Ramilli blog:

https://marcoramilli.com/2019/05/14/malware-training-sets-followup/

About the author: Marco Ramilli, Founder of Yoroi

This image has an empty alt attribute; its file name is ramilli.jpeg

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.

This image has an empty alt attribute; its file name is yoroi.png

I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence center I’ve ever experienced! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans

Pierluigi Paganini

(SecurityAffairs – malware, artificial intelligence)

The post Malware Training Sets: FollowUP appeared first on Security Affairs.

Twitter Bug Carelessly Shared Location Data of Some iOS Users

According to Twitter, a bug that revealed the user’s location information, and shared it with an unnamed Twitter partner has been fixed.

“We have discovered that we inadvertently collect and shared iOS location data with one of our trusted partners in certain circumstances,” the company said.

According to the blog posts, the bug only affects iOS users who are using the Twitter app who had a second account on their phone. If a user allows Twitter to access the accurate location information for an account, the settings will automatically be applied to other account, even if they do not share location data

Twitter also finds that the information collected is passed on to trusted partners to serve ads through a process known as real-time bidding. However, privacy issues have been resolved by stating that site data is “fuzzed” to reduce accuracy to the nearest zip code or city.

“We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process,” it stated on the help site.

Although Twitter did not announce when the data exchange took place, the social media company said it had notified affected users and asked users to review their privacy settings in the face of security incidents.

It should also be noted that this security issue is Twitter’s fourth mistake in the past year.

Last September, a bug in the Twitter API accidentally published a private message and protected tweets for developers who were not allowed to read.

In December, it was said that government-sponsored actors could have exploited the vulnerability in an online support form to retrieve the user’s country code and determine whether the Twitter account was suspended or not.

In January this year, Twitter found a security flaw in its Android app causing private tweets of an unspecified number of users to be publicly available since 2014.

In January of this year, Twitter experienced a vulnerability in its Android application that caused personal tweets to be publicly available to a number of unspecified users since 2014.

Source: https://www.zdnet.com/article/twitter-bug-shared-location-data-for-some-ios-users/

Related Resources:

Twitter Rolls Out Key Cybersecurity Improvement Vs. Hacking

Twitter to Stop Hackers from Spreading Secrets of 9/11 Attacks

Twitter’s Mobile Phone Integration Is Insecure

The post Twitter Bug Carelessly Shared Location Data of Some iOS Users appeared first on .

Nine Charged in $2m SIM Swap Conspiracy

Nine Charged in $2m SIM Swap Conspiracy

Nine men have been charged for their alleged role in a major SIM swapping operation designed to bypass log-in security to steal millions in cryptocurrency from their victims.

Dubbed “The Community” by investigators, the group of individuals in their teens and 20s includes six alleged cyber-criminals and three former employees of mobile phone companies who are said to have helped them.

The former are charged with conspiracy to commit wire fraud, wire fraud and aggravated identity theft, while the latter are charged with wire fraud in relation to the conspiracy.

They all hail from the US, apart from Conor Freeman, 20, of Dublin.

The SIM swapping conspiracy they are said to have been involved in will be familiar to industry watchers.

First, the group gains control of a victim’s mobile phone number, either by bribing an employee of a carrier, or posing as the victim and tricking a customer service operative into swapping the number to a SIM controlled by the group.

They then use control of the phone to unlock digital currency accounts, for example by intercepting the 2FA codes often send by SMS.

The defendants are alleged to have executed seven attacks that resulted in the theft of cryptocurrency valued at around $2.4m.

“Mobile phones today are not only a means of communication but also a means of identification,” stated US attorney Matthew Schneider. “This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it.”

SIM swapping cases are becoming increasingly common. Last November, a Manhattan man was charged with allegedly stealing over $1m from various business executives.

In August last year, a US entrepreneur and cryptocurrency investor filed a $223m lawsuit against AT&T after a store employee allegedly helped fraudsters steal $24m of his digital funds, in another SIM swap attack.

WhatsApp Finds and Fixes Targeted Attack Bug

WhatsApp Finds and Fixes Targeted Attack Bug

WhatsApp is urging its global users to update their app after fixing a serious remote code execution (RCE) vulnerability which was being exploited in a highly targeted attack, potentially by a nation state.

The Facebook-owned mobile comms giant, which has over 1.5 billion users, rolled out a fix on Friday for the buffer overflow vulnerability in WhatsApp VOIP stack. It claimed the flaw allowed RCE “via specially crafted series of SRTCP packets sent to a target phone number.”

In effect, this means a user could be infected with the spyware payload simply by being phoned by the attacker. They don’t even have to pick up.

“The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15,” a technical note revealed.

WhatsApp’s own security team is said to have found the bug, although it has been reported that it was initially discovered and monetized by notorious Israeli firm NSO Group, whose Pegasus spyware has been sold to governments in the past to help them monitor individuals.

The firm refused to name who it suspected, saying only that it was the work of an “advanced cyber actor,” that attacks exploiting the flaw had targeted a “select number” of users, and that it bore “all the hallmarks” of a private firm that works with governments to deliver spyware targeting mobiles.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up-to-date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” WhatsApp said in a statement sent to Infosecurity.

For its part, NSO Group reiterated in reports that its wares are only licensed to governments for the purpose of fighting crime and terror.

Chris Boyd, Malware Intelligence Analyst at Malwarebytes, argued the findings were “enormously worrying for anyone using WhatsApp on a phone alongside sensitive information.”

“The really impressive thing here is that the WhatsApp team discovered this attack at all, given no click to install is required,” he added.

WhatsApp has briefed NGOs to share any useful information, presumably to protect citizens from countries that may have been affected, and it has informed US law enforcers.

WhatsApp zero-day exploited in targeted attacks to deliver NSO spyware

Facebook fixed a critical zero-day flaw in WhatsApp that has been exploited to remotely install spyware on phones by calling the targeted device.

Facebook has recently patched a critical zero-day vulnerability in WhatsApp, tracked as CVE-2019-3568, that has been exploited to remotely install spyware on phones by calling the targeted device.

WhatsApp did not name the threat actor exploiting the CVE-2019-3568, it described the attackers as an “advanced cyber actor” that targeted “a select number of users.”

“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.” reads the description provided by Facebook.

The WhatsApp zero-day vulnerability is a buffer overflow issue that affects the WhatsApp VOIP stack. The flaw could be exploited by a remote attacker to execute arbitrary code by sending specially crafted SRTCP packets to the targeted mobile device.

Facebook fixed the issue with the release of WhatsApp for Android 2.19.134, WhatsApp Business for Android 2.19.44, WhatsApp for iOS 2.19.51, WhatsApp Business for iOS 2.19.51, WhatsApp for Windows Phone 2.18.348, and WhatsApp for Tizen 2.18.15. Any prior version of the popular instant messaging app is vulnerable. The company also implemented a server-side patch that was deployed at the end of last week.

WhatsApp zero-day

The bad news is that experts are aware of attacks exploiting the WhatsApp zero-day to deliver surveillance software.

The Financial Times reported that the WhatsApp zero-day has been exploited by threat actors to deliver the spyware developed by surveillance firm NSO Group.

The surveillance software developed by NSO Group was used by government organizations worldwide to spy on human rights groups, activists, journalists, lawyers, and dissidents. Security experts have detected and analyzed some of the tools in its arsenals, such as the popular Pegasus spyware (for iOS) and Chrysaor (for Android). Chrysaor was used in targeted attacks against journalists and activists, mostly located in Israel, other victims were in Georgia, Turkey, Mexico, the UAE and other countries. Experts believe the Chrysaor espionage 

In September, a report published by Citizen Lab revealed that the NSO Pegasus spyware was used against targets across 45 countries worldwide.

In November, Snowden warned of abuse of surveillance software that also had a role in the murder of the Saudi Arabian journalist Jamal Khashoggi.

Now The Financial Times described a scaring scenario in which attackers were able to exploit the WhatsApp zero-day vulnerability by just making a call to the target device via WhatsApp. The exploitation of the vulnerability doesn’t require the victim’s interaction. In fact, the victim does not need to answer for the vulnerability to be exploited, and it seems that after the attack there is no trace on the device of the malicious incoming calls.

The Financial Times cites the case of an unnamed attorney based in the United Kingdom that was targeted on May 12. The lawyer is involved in a lawsuit filed against NSO by individuals that were targeted with the surveillance software of the company.

“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” reads a briefing document note for journalists cited by BBC and other media outlets.

Of course, the NSO Group denied any support to government agencies that could have targeted the UK lawyer with its surveillance software.

“NSO would not, or could not, use its technology in its own right to target any person or organization, including this individual,” states NSO group.

Pierluigi Paganini

(SecurityAffairs – WhatsApp Zero-day, Hacking)

The post WhatsApp zero-day exploited in targeted attacks to deliver NSO spyware appeared first on Security Affairs.

WhatsApp urges users to update app after discovering spyware vulnerability

The spyware, developed by Israeli cyber intelligence company, used infected phone calls to take over the functions of operating systems

WhatsApp is encouraging users to update to the latest version of the app after discovering a vulnerability that allowed spyware to be injected into a user’s phone through the app’s phone call function.

The spyware was developed by the Israeli cyber intelligence company NSO Group, according to the Financial Times, which first reported the vulnerability.

Related: WhatsApp 'deleting 2m accounts a month' to stop fake news

Users are strongly advised to check for WhatsApp updates manually through the Apple App Store on an iPhone, Google Play or similar on an Android device, the Microsoft Store on Windows Phones and the Galaxy app store on Tizen devices.

Continue reading...

Security roundup: May 2019

We round up interesting research and reporting about security and privacy from around the web. This month: password practice, GDPR birthday, c-suite risk, and further reading for security pros.

Passwords: a good day to try hard

No self-respecting security pro would use easy passwords, but could they say the same for their colleagues (i.e. everyone else)? The answer is no, according to the UK National Cyber Security Centre. It released a list of the 100,000 most hacked passwords, as found in Troy Hunt’s ‘Have I Been Pwned’ data set of breached accounts. Unsurprisingly, ‘123456’ topped the list. A massive 23 million accounts use this flimsy string as “protection” (in the loosest possible sense of the word). Next on the list of shame was the almost as unimaginative ‘123456789’, ‘qwerty’, ‘password’ and 1111111.

The NCSC released the list for two reasons: firstly to prompt people to choose better passwords. Secondly, to allow sysadmins to set up blacklists to block people in their organisations from choosing any of these terrible passwords for themselves. The list is available as a .txt file here and the agency blogged about the findings to give more context. Help Net Security has a good summary of the study. The NCSC published the research in the buildup to World Password Day on May 2, which Euro Security Watch said should be every day.

WP Engine recently performed its own analysis of 10 million compromised passwords, including some belonging to prominent (and anonymised) victims. It makes a useful companion piece to the NCSC study by looking at people’s reasons for choosing certain passwords.

Encouraging better security behaviour through knowledge is one part of the job; effective security controls are another. In April, Microsoft said it will stop forcing password resets for Windows 10 and Windows Server because forcing resets doesn’t improve security. CNet’s report of this development noted Microsoft’s unique position of influence, given its software powers almost 80 per cent of the world’s computers. We recently blogged about what the new FIDO2 authentication standard could mean for passwords. Better to use two-factor authentication where possible. Google’s Mark Risher has explained that 2FA offers much more effective protection against risks like phishing.

GDPRversary getting closer

Almost one year on from when the General Data Protection Regulation came into force, we’re still getting to grips with its implications. The European Data Protection Supervisor, Giovanni Buttarelli, has weighed in on the state of GDPR adoption. He covered many areas in an interview with Digiday, including consent, fines, and legitimate interest. One comment we liked was how falling into line with the regulation is an ongoing activity, not a one-time target to hit. “Compliance is a continued working progress for everyone,” he said.

The European Data Protection Board (formerly known as the Article 29 Working Group) recently issued draft guidance on an appropriate legal basis and contractual obligations in the context of providing online services to data subjects. This is a public consultation period that runs until May 24.

The EDPB is also reportedly planning to publish accreditation requirements this summer. As yet, there are no approved GDPR certification schemes or accreditation bodies, but that looks set to change. The UK regulator recently published its own information about certification and codes of conduct.

Meanwhile, Ireland’s Data Protection Commission has started a podcast called Know Your Data. The short episodes have content that mixes information for data controllers and processors, and more general information for data subjects (ie, everyone).

Breaching the c-suite

Senior management are in attackers’ crosshairs as never before, and 12 times more likely to be targeted in social engineering incidents than in years past. That is one of the many highlights from the 2019 Verizon Data Breach Investigations Report. Almost seven out of ten attacks were by outsiders, while just over a third involved internal parties. Just over half of security breaches featured hacking; social engineering was a tactic in 33 per cent of cases. Errors were the cause of 21 per cent of breaches, while 15 per cent were attributed to misuse by authorised users.

Financial intent was behind 12 per cent of all the listed data breaches, and corporate espionage was another motive. As a result, there is a “critical” need for organisations to make all employees aware of the potential threat of cybercrime, Computer Weekly said. ThreatPost reported that executives are six times more likely to be a target of social engineering than a year ago.

Some sites like ZDNet led with another finding: that nation-state attackers are responsible for a rising proportion of breaches (23 per cent, up from 12 per cent a year ago). It also highlighted the role of system admin issues that subsequently led to breaches in cloud storage platforms. Careless mistakes like misconfiguration and publishing errors also left data at risk of access by cybercriminals.

The Verizon DBIR is one of the most authoritative sources of security information. Its content is punchy, backed by a mine of informative stats to help technology professionals and business leaders plan their security strategies. The analysis derives from 41,000 reported cybersecurity incidents and 2,000 data breaches, featuring contributions from 73 public and private organisations across the globe, including Ireland’s Irisscert. The full report and executive summary are free to download here.

Links we liked

Challenge your preconceptions: a new paper argues cybersecurity isn’t important. MORE

An unfortunate trend that needs to change: security pros think users are stupid. MORE

It’s time to panic about privacy, argues the New York Times in this interactive piece. MORE

Want a career in cybersecurity, or know someone who does? Free training material here. MORE

NIST has developed a comprehensive new tool for finding flaws in high-risk software. MORE

NIST also issued guidelines for vetting the security of mobile applications. MORE

Cybersecurity threats: perception versus reality as reported by AT&T Security. MORE

Here’s a technical deep dive into how phishing kits are evolving, courtesy of ZScaler. MORE

A P2P flaw exposes millions of IoT security cameras and other devices to risks. MORE

A new way to improve network security by analysing compressed traffic. MORE

 

The post Security roundup: May 2019 appeared first on BH Consulting.

Unprotected DB exposed PII belonging to nearly 90% of Panama citizens

Personally identifiable information belonging to roughly 90% of Panama citizens were exposed on a poorly configured Elasticsearch server.

Security researcher Bob Diachenko discovered an unprotected Elasticsearch server exposing personally identifiable information belonging to nearly 90% of Panama citizens.

Exposed data includes full names, birth dates, national ID numbers, medical insurance numbers, and other personal data.

The database contained 3.4 million records related to Panamanian citizens, labeled as “patients,” and 468,086 records labeled as “test-patient.”

“On May 10th I identified a massive bulk of data sitting in an unprotected and publicly available Elasticsearch cluster (hence visible in any browser).” reads the blog post published by Diachenko.

“This database contained 3,427,396 records with detailed information on Panamanian citizens (labeled as ‘patients‘), plus 468,086 records with records labeled as ‘test-patient‘ (although, this data also appeared to be valid and not purely test data).”

Panama Citizens data leak

The expert reported his discovery to CERT Panama, and within 48 hours the database has been secured.

At this time, it is unclear who was running the poorly secured server, anyway the exposed information appears to be authentic.

Querying the Shodan search engine service, the researcher discovered that the IP address associated with the unprotected server has been indexed since April 24th, 2019. Of course, it is impossible to determine if anyone else has accessed the data.

“The danger of having an exposed Elasticsearch or similar NoSql databases is huge.” concludes Diachenko. “I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges.” “Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”

Pierluigi Paganini

(SecurityAffairs – Panama, data leak)

The post Unprotected DB exposed PII belonging to nearly 90% of Panama citizens appeared first on Security Affairs.