Microsoft today released software updates to plug almost 80 security holes in its Windows operating systems and related software. Among them are fixes for two zero-day flaws that are actively being exploited in the wild, and patches to quash four other bugs that were publicly detailed prior to today, potentially giving attackers a head start in working out how to use them for nefarious purposes.
Zero-days and publicly disclosed flaws aside for the moment, probably the single most severe vulnerability addressed in this month’s patch batch (at least for enterprises) once again resides in the component of Windows responsible for automatically assigning Internet addresses to host computers — a function called the “Windows DHCP server.”
The DHCP weakness (CVE-2019-0785) exists in most supported versions of Windows Server, from Windows Server 2012 through Server 2019.
Microsoft said an unauthenticated attacker could use the DHCP flaw to seize total, remote control over vulnerable systems simply by sending a specially crafted data packet to a Windows computer. For those keeping count, this is the fifth time this year that Redmond has addressed a critical flaw of this kind in Windows DHCP.
All told, only 15 of the 77 flaws fixed today earned Microsoft’s most dire “critical” rating, a label assigned to flaws that malware or miscreants could exploit to commandeer computers with little or no help from users. It should be noted that 11 of the 15 critical flaws are present in or are a key component of the browsers built into Windows — namely, Edge and Internet Explorer.
One of the zero-day flaws — CVE-2019-1132 — affects Windows 7 and Server 2008 systems. The other — CVE-2019-0880 — is present in Windows 8.1, Server 2012 and later operating systems. Both would allow an attacker to take complete control over an affected system, although each is what’s known as an “elevation of privilege” vulnerability, meaning an attacker would already need to have some level of access to the targeted system.
CVE-2019-0865 is a denial-of-service bug in SymCrypt, Microsoft’s open-source cryptographic library, that could be used to tie up system resources on an affected Windows 8 computer. It was publicly disclosed a month ago by Google’s Project Zero bug-hunting operation after Microsoft reportedly failed to address it within Project Zero’s stated 90-day disclosure deadline.
The other flaw publicly detailed prior to today is CVE-2019-0887, which is a remote code execution flaw in the Remote Desktop Services (RDP) component of Windows. However, this bug also would require an attacker to already have compromised a target system.
Mercifully, there do not appear to be any security updates for Adobe Flash Player this month.
Standard disclaimer: Patching is important, but it usually doesn’t hurt to wait a few days before Microsoft irons out any wrinkles in the fixes, which sometimes introduce stability or usability issues with Windows after updating (KrebsOnSecurity will endeavor to update this post in the event that any big issues with these patches emerge).
As such, it’s a good idea to get in the habit of backing up your system — or at the very least your data — before applying any updates. The thing is, newer versions of Windows (e.g. Windows 10+) by default will go ahead and decide for you when that should be done (often this is in the middle of the night). But that setting can be changed.
If you experience any problems installing any of the patches this month, please feel free to leave a comment about it below; there’s a better-than-even chance that other readers have experienced the same and may even chime in with some helpful advice and tips.
Security researchers have found that 11.2 million cyber-attacks hit organizations in Kenya in the first quarter of 2019, a 10.1 percent increase in the number of security incidents compared to the previous quarter. The Communications Authority of Kenya (CA) reports that its incident response center has detected an increase in malware, web application attacks, system configuration errors, and online abuse.
According to the CA, the attacks cost Kenya’s economy about 29.5 billion shillings. The CA’s cyber intelligence team sent about 14,078 cyber-threat alerts to relevant organizations in the country, up from 12,138 alerts last year.
The Central Bank of Kenya (CBK), Kenya’s banking supervisory authority, recently announced new cyber security policies for the country’s financial services sector. According to CBK Governor Patrick Njoroge, new cyber security guidelines for payment services will help reduce the threats to the financial sector.
“The regulatory and advisory initiatives are targeted towards safeguarding Kenya’s financial sector from cybercrime,” said Njoroge at the launch of the Kenya Bankers Association (KBA) 2019 Card, Mobile, and Online Safety Awareness Campaign. “As a result, a single attack on any given commercial bank could have a devastating effect on the entire financial services system.”
Habil Olaka, the CEO of KBA said “While this is an inspiring development, financial fraud is among the challenges that threaten progress in the adoption of new technologies. As an industry, we firmly believe that it is through cross-sector collaborations that we can defeat fraud and ensure a sustainable environment for growth.”
Last year, the Central Bank of Kenya proposed new cybersecurity standards to combat bank fraud and to better understand the threats that payment service providers are facing. Under the new guidelines, banks and mobile service providers are required to submit cybersecurity reports to industry regulators: they must notify CBK within 24 hours of suspicious activity and provide it with quarterly information on incidents and their resolution.
The post Cases of Cyber-Attacks in Kenya Rise to 11.2 Million appeared first on .
Today’s VERT Alert addresses Microsoft’s July 2019 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-839 on Wednesday, July 10th. In-The-Wild & Disclosed CVEs: CVE-2019-0865. This vulnerability describes a denial of service that occurs when SymCrypt processes specially crafted digital signatures. This vulnerability was discussed by Forbes on […]
The post VERT Threat Alert: July 2019 Patch Tuesday Analysis appeared first on The State of Security.
The 2018 data breach of British Airways may prove to be a record-breaking data compromise with the announcement of a newly proposed $230 million fine.
The U.K. Information Commissioner’s Office (ICO) proposed the fine under the European Union General Data Protection Regulation (GDPR) following the compromise of personal data belonging to over 500,000 customers, including login information, credit card numbers, and addresses. The fine is equal to 1.5% of British Airways’ total 2017 revenue and represents the largest GDPR penalty to date.
While British Airways alerted the ICO within the 72-hour mandatory disclosure period for data breaches, the company was accused of poor internal cybersecurity and lax protections for customer data on its website and mobile app.
“When an organization fails to protect [customer data] from loss, damage or theft, it is more than an inconvenience. The law is clear: When you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” said UK information commissioner Elizabeth Denham.
“The ICO did what data protection and other regulatory authorities usually do: pick a large and easy target, make it an example, and hope everyone else gets in line. The fact that the fine was nearly 1.5% of BA’s global turnover speaks volumes about the willingness of the ICO to push the limits of their enforcement powers,” said CyberScout Global Privacy Officer Eduard Goodman.
“The fine being imposed by the UK ICO demonstrates that security failures are taken very seriously and organizations need to prioritize data protection, security, and privacy – or pay the price. While the largest fines are saved for those organizations particularly reckless with marketing efforts, consent and other core issues, ICO is signaling zero-tolerance for the failure to safeguard private information assets,” Goodman added.
British Airways is expected to contest the fine.
The times they have a-changed since the ICO could only slap fines worth a fraction of the current amounts.
The post UK’s data watchdog hands out two mega‑fines for breaches appeared first on WeLiveSecurity
Summer’s longer days and slower pace invite us to pick up a book, follow our questions, and try our hand at something new.
At Veracode, I get the chance to talk with our developers about the experiences that led them to the work they do today. How did they begin to cultivate the security-mindedness that they bring to their coding? Was it a book they stumbled upon, a salient moment in the wake of a security incident, the guidance of a mentor, or a podcast that drew them in? What sparked their interest in doing things differently?
We think a lot about developers, curious but unsure, staring out at the sea of information security knowledge. It can feel overwhelming trying to orient yourself to something so wide and deep. To help developers begin, we put together some of the favorite books, podcasts, blogs, and hands-on exercises of Veracoders across our development, security, and product teams. From a just-published page-turner to classic Phrack articles, there’s something here for everyone who is interested in becoming more security-minded.
My favorites on the list include the hands-on exercises recommended by Sarah Gibson, one of our application penetration testers, and a walk through some information security classics with Senior Principal Software Engineer Dan Murphy (to read the full Dive Into the Classics, please see Dan's post).
So dip your toe in or take a deep dive—happy summer and happy learning!
As a U.S. cybersecurity company, McAfee supports legislation that aims to safeguard U.S. election security. The 2016 election underscored the importance of improving and preserving election security; McAfee offered free security tools to local election boards prior to the 2018 elections and released educational research on how localities can best protect themselves in future elections. As the 2020 primary elections quickly approach, it is more important than ever that the federal government takes steps to ensure our election infrastructure is secure and that states and localities have the resources they need to quickly upgrade and secure systems.
The U.S. House of Representatives recently passed H.R. 2722, the Securing America’s Federal Elections (SAFE) Act, legislation introduced by Rep. Zoe Lofgren (D-CA) that would allocate $600 million for states to secure critical election infrastructure. The bill would require cybersecurity safeguards for hardware and software used in elections, prevent the use of wireless communication devices in election systems and require electronic voting machines to be manufactured in the United States. The SAFE Act is a key step to ensuring election security and integrity in the upcoming 2020 election.
Earlier this year, the House also passed H.R. 1, the For the People Act. During a House Homeland Security Committee hearing prior to the bill’s passage, the committee showed commitment to improving the efficiency of election audits and continuing to incentivize the patching of election systems in preparation for the 2020 elections. H.R. 1 and the SAFE Act demonstrate the government’s prioritization of combating election interference. It is exciting to see the House recognize the issue of election security, as it is a multifaceted process and a vital one to our nation’s democracy.
McAfee applauds the House for keeping its focus on election security and prioritizing the allocation of resources to states. We hope that Senate leadership will take up meaningful, comprehensive election security legislation so our country can fully prepare for a secure 2020 election.
The post House Actions on Election Security Bode Well for 2020 appeared first on McAfee Blogs.
Shakespeare. Brontë. Dickens. In literature, the classics have long been a staple of summer reading lists. Computer security has its own share of classics – reference points that serve as a foundation for understanding the field’s ever-changing chessboard of attack and defense. This list of computer security summer reading can be enjoyed either lounging on the beach with sand beneath your toes, or curled up in bed with your face lit by the blue-filtered midnight glow of a tablet. Whether you are a new developer interested in learning more about computer security, or a seasoned practitioner looking to revisit some of the seminal works in the field, I hope that you enjoy the articles below as much as I did when I first stumbled across them!
Smashing the Stack for Fun and Profit
Aleph One’s Smashing the Stack for Fun and Profit was truly eye-opening when it was first introduced. Sometimes the answer to “what does this block of code do?” can be “anything the caller wants it to!” This concept lives on in more modern incarnations like XSS and SQL injection, but Smashing the Stack is the granddaddy of code injection. I originally encountered it independently, and was pleasantly surprised years later when it resurfaced as legitimate assigned reading for a grad class. Taking the time to write some shell code is valuable to understanding the fundamentals of how code executes, and is a great puzzle. Check out https://travisf.net/smashing-the-stack-today for tips on recreating the environment today.
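To make the mechanism concrete, here is an added example (mine, not from the original post or from Aleph One's article) of the bug class in miniature: a fixed-size buffer followed in memory by a field the program trusts, filled by a copy that never looks at the destination size. The struct and its `is_admin` field stand in for the stack frame and the saved return address, and the input string is constructed for the demo. Overrunning a real frame is undefined behavior that stack protectors on modern toolchains will abort, so the unchecked copy is clamped to the enclosing struct to keep the demonstration deterministic; the security point, that the copy takes its length from the source rather than the destination, is unchanged.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: 16 bytes of attacker-controlled input immediately
 * followed by a field the program trusts, just as a stack buffer is
 * followed by the saved frame pointer and return address. */
struct session {
    char name[16];
    int  is_admin;
};

/* Vulnerable copy: walks the source until its NUL and never consults
 * sizeof(name). The only stop is the end of the struct, standing in for
 * "whatever memory happens to come next" so the demo stays inside one
 * object instead of trampling the real stack frame. */
static void set_name_unchecked(struct session *s, const char *src)
{
    unsigned char *dst = (unsigned char *)s + offsetof(struct session, name);
    size_t limit = sizeof *s - offsetof(struct session, name);
    size_t i = 0;

    while (src[i] != '\0' && i < limit) {
        dst[i] = (unsigned char)src[i];
        i++;
    }
    if (i < limit)
        dst[i] = '\0';
}

/* Hardened copy: measure against the destination first and reject input
 * that does not fit along with its terminator. Rejecting is preferred to
 * silent truncation, which has its own bug class. */
static int set_name_checked(struct session *s, const char *src)
{
    size_t n = 0;

    while (n < sizeof s->name && src[n] != '\0')
        n++;
    if (n == sizeof s->name)
        return -1;                 /* too long: no terminator would fit */
    memcpy(s->name, src, n + 1);   /* n < 16, so n + 1 bytes fit */
    return 0;
}

/* Constructed input: 16 'A's fill name[] exactly; the 17th byte (0x01)
 * spills into the first byte of is_admin. */
static const char OVERLONG_NAME[] = "AAAA" "AAAA" "AAAA" "AAAA" "\x01";

/* Returns is_admin after the unchecked copy. Non-zero means the caller is
 * now "admin" without the program ever having assigned that field. */
int is_admin_after_unchecked_copy(void)
{
    struct session s;
    memset(&s, 0, sizeof s);
    set_name_unchecked(&s, OVERLONG_NAME);
    return s.is_admin;
}

/* Returns 1 when the checked copy refuses the same input and is_admin is
 * still 0, 0 otherwise. */
int checked_copy_rejects_overlong(void)
{
    struct session s;
    int rc;

    memset(&s, 0, sizeof s);
    rc = set_name_checked(&s, OVERLONG_NAME);
    return rc == -1 && s.is_admin == 0;
}

int main(void)
{
    printf("is_admin after unchecked copy: %d\n", is_admin_after_unchecked_copy());
    printf("checked copy rejected input:   %d\n", checked_copy_rejects_overlong());
    return 0;
}
```

On a real stack the bytes that land past the buffer overwrite the saved return address instead of a flag, which is exactly what Aleph One's article goes on to exploit; the fix is the same either way, and is why `strcpy` into a fixed buffer is a finding in every code review.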
Under the inauspicious heading of “ODBC and MS SQL server 6.5,” this article explores a simple concept: what could happen if a web application copies the strings received from HTML form elements directly to SQL statements? We all know how that one ended. Twenty years later, there are more than 37 million Google hits for “sql injection.” By now, Bobby Tables is applying for his first job after graduating from “University’); DROP TABLE applicants; --”, and still getting results!
Dawn of XSS
CERT advisory CA-2000-02, since consigned to PDF archive, contains the following quote: “Because one source is injecting code into pages sent by another source, this vulnerability has also been described as ‘cross-site’ scripting.” The humble window.alert() function has been igniting developers’ limbic systems ever since with joy and terror, the latter being more common if you’re seeing it in prod. Of course, XSS is much more dangerous than simply popping modals – untold millions of cookies have been exfiltrated since the line “malicious exploitation of this vulnerability has not been reported” was written in the advisory.
Tick TOC Tick TOU
Another class of attacks worth some summer reading is Time-of-Check to Time-of-Use. Sometimes the security put in place to thwart an attack has a race condition that can still allow an attacker to circumvent it. TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study is a great introduction to the concept, with some specific examples. You can get a more hands-on appreciation by doing (spoiler alert!) Level 2 of overthewire.org’s Leviathan challenge at http://overthewire.org/wargames/leviathan/. While the specifics for these classes of attacks have changed, the concepts are still very relevant: this spring (May 2019), a high-profile Docker bug – attributed to a TOCTOU flaw – allowed containers to break out and overwrite any file on the host as root (see: https://duo.com/decipher/docker-bug-allows-root-access-to-host-file-system and https://seclists.org/oss-sec/2019/q2/131).
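As an added example (mine, not from the original post or the TOCTTOU paper), here is the canonical file-system TOCTOU in C: a permission check on a path name followed by an open() of the same name, next to the fix, which opens once and makes every decision on the descriptor. The scratch file and symlink under /tmp are constructed by the demo itself; the link is created before the two calls rather than between them, so the race window is not reproduced, only the property that the hardened version cannot be redirected through a link while the racy one can.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: the decision is made on a path (time of check), then open()
 * resolves the same path a second time (time of use). Anything that changes
 * what the name points to in between, such as swapping in a symlink to a
 * file the caller must not read, defeats the check. */
int open_readable_racy(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;
    return open(path, O_RDONLY);
}

/* Hardened: open exactly once, refuse to follow a symlink at the final
 * component, then inspect the descriptor with fstat(). The descriptor
 * refers to one fixed object, so later changes to the directory cannot
 * redirect the decision. */
int open_readable_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);

    if (fd < 0)
        return -1;                       /* ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo with constructed files: a regular file and a symlink pointing at it.
 * Returns 1 on the expected outcome (racy version follows the link, safe
 * version refuses it but still opens the real file), 0 if either function
 * misbehaves, -1 if the scratch files could not be created. */
int toctou_demo(void)
{
    char target[64], linkpath[64];
    int fd, fd_racy, fd_safe, fd_direct, result;

    snprintf(target,   sizeof target,   "/tmp/toctou_target_%ld", (long)getpid());
    snprintf(linkpath, sizeof linkpath, "/tmp/toctou_link_%ld",   (long)getpid());

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    if (symlink(target, linkpath) != 0) {
        unlink(target);
        return -1;
    }

    fd_racy   = open_readable_racy(linkpath);   /* follows the link */
    fd_safe   = open_readable_safe(linkpath);   /* O_NOFOLLOW: refused */
    fd_direct = open_readable_safe(target);     /* regular file: allowed */

    result = fd_racy >= 0 && fd_safe < 0 && fd_direct >= 0;

    if (fd_racy >= 0)   close(fd_racy);
    if (fd_direct >= 0) close(fd_direct);
    unlink(linkpath);
    unlink(target);
    return result;
}

int main(void)
{
    printf("toctou demo result: %d\n", toctou_demo());
    return 0;
}
```

The general rule the example illustrates: never make a security decision about a name and then act on the name again; act once, then decide on the object you actually got back (here the file descriptor). The same pattern, checking a path and then letting a later operation re-resolve it, is what the Docker bug cited above came down to.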
Once Upon a Free
The Geometry of Innocent Flesh on the Bone
With stacks smashed and buffers overflowing with shell code, vendors introduced techniques to make stacks non-executable and limit the impact of code injection. But what if it were possible to hijack execution without injecting any code at all? In The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86), Hovav Shacham shows how small gaps in the intended behavior of a system can be chained together to produce dramatic results. There are signs in the Veracode restrooms that read “Employees must wash hands before returning to libc.” They still manage to make me grin every now and then.
After several months of activity, the actors behind the “Sea Turtle” DNS hijacking campaign are not slowing down. Cisco Talos recently discovered new details that suggest they regrouped after we published our initial findings and coverage and are redoubling their efforts with new infrastructure. While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward.
Additionally, we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle. The new technique is similar in that the threat actors compromise the name server records and respond to DNS requests with falsified A records. It has only been observed in a few highly targeted operations. We also identified a new wave of victims, including a country code top-level domain (ccTLD) registry, which manages the DNS records for every domain that uses that particular country code; that access was then used to compromise additional government entities. Unfortunately, unless significant changes are made to better secure DNS, these sorts of attacks are going to remain prevalent.
Ransomware has been an evolutionary malware family that continues to shift and change over the years. From the first fakeAV, to police ransomware, to the now oft-used crypto-ransomware, this threat just will not go away. Based on the latest trends, we predict this threat will grow in the second half of this year.
At Trend Micro, we’ve been following and tracking the data around ransomware for years. Here are some of the changes we’ve been seeing:
Year-Over-Year Ransomware Detections from Trend Micro Smart Protection Network
Year-Over-Year Number of New Ransomware Families
You can see that ransomware actors were very busy in 2016 and 2017 both in launching attacks and in the development of new families and variants of ransomware. In 2018, we had a drop in both figures, which could be due to a number of factors:
However, in the first half of 2019 we have seen in the news some very high profile attacks against organizations with successful ransomware causing some victims to pay high ransom amounts or taking weeks to months to recover from the attacks. These attacks have shown that we still need to be very vigilant in protecting networks against this threat.
Trend Micro publishes a predictions report each year to help organizations understand what might occur, and while we did this for 2019, this threat changes so often that I would like to give you some ideas on where ransomware might go in the second half of 2019. Let’s look at the different areas of the ransomware attack lifecycle and what we may see for the rest of the year.
Identifying a Victim
Ransomware actors are being much more targeted in their selection of victims. This follows from the two reasons given above for the drop in ransomware in 2018. In response, actors are looking to target organizations that are more likely to fall for an attack, and also more likely to pay a higher ransom. In the first half of 2019, these are the industries we saw targeted most:
Government, manufacturing, and healthcare are the top 3 industries actors seem to be targeting more than any other. Ransomware actors will also do open source intelligence (OSINT) about each targeted victim to build a profile of them to identify the best way to successfully attack them. There are a number of reasons for this selection and OSINT process:
In the second half of 2019, actors will look to diversify into more industries that have critical business systems that could be compromised. This might include the legal, energy and critical infrastructure, transportation, and distribution industries.
Once they decide on a victim, they identify ways to initially infect the organization. This is the area that changes most, depending on the actors behind the threat.
A number of shifts have occurred in this area over time, and this will likely continue. Recently we’ve seen the actors using phishing, malvertising, malicious webpages, exploits and exploit kits to infect an organization. We will continue to see them try to gain their initial foothold through an organization’s employees, as this still appears to be their best option. But in the second half of 2019 I see the following scenario occurring:
As mentioned above, ransomware has been detected more effectively recently due to advances in machine learning and behavior monitoring technologies deployed across the network. As such, the actors have to improve their obfuscation of the malware to ensure it cannot be detected by today’s security applications.
We’ve seen improved anti-sandbox, anti-machine-learning, fileless, and other techniques in the past, and moving forward we will see advances in all of these areas. The use of compromised legitimate software, including software from security vendors themselves, will also continue as a method of circumventing security measures. As we saw recently with a compromised MSP, one company’s direct access to multiple organizations’ networks can also be leveraged for attacks. Stolen certificates will also be used to sign malware to make it look legitimate.
I expect ransomware actors will continue to target high value, high quality victims in 2H’19, and as such, all organizations need to be vigilant in protecting against this threat. Unless we can ensure no ransoms are paid, we will see this threat persist. Improving your organization’s ability to detect, respond, and recover from any ransomware will help us minimize this threat moving forward. For more information on the latest trends in ransomware, you can watch my June 2019 Threat Webinar Series that covers the recent trends in ransomware.
Trend Micro will publish our 2020 predictions report later this year, but until then, stay rigorous in your defense against ransomware.
The post Where Will Ransomware Go In The Second Half Of 2019? appeared first on .
ESET researchers have detected an ongoing malicious campaign distributing a backdoor through torrents, using Korean TV content, and sometimes games, as bait. The backdoor is spreading through torrent sites in South Korea and China. The malware allows the attacker to join a compromised computer to a botnet and control it remotely.
The malware concerned is a modified version of a publicly available backdoor named GoBot2; the modifications to the source code are mainly South Korea-specific evasion techniques. Due to the campaign’s clear focus on South Korea, ESET has dubbed this Win64/GoBot2 variant GoBotKR. With 80% of all detections, South Korea is the most affected, followed by China (10%) and Taiwan (5%). According to ESET telemetry, GoBotKR has been active since 2018.
ESET researcher Zuzana Hromcova, who analyzed the malware, said: “The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions, and icons. Directly opening the intended MP4 file will not result in any malicious action. The catch here is that the MP4 file is often hidden in a different directory, and users might first encounter the malicious file mimicking it.”
The malware is technically not very sophisticated. However, the actors behind GoBotKR are building a botnet capable of carrying out DDoS attacks of various kinds. After execution, GoBotKR first collects a list of the antivirus software installed on the infiltrated computer, along with other system information such as the network configuration, operating system version, and CPU and GPU versions.
Hromcova further elaborates, “This information is sent to a C&C server, which helps the attackers determine which bots should be used in the respective attacks. All C&C servers that we extracted from the analyzed malware samples are hosted in South Korea and registered by the same person.”
The bot’s command set lets the operators misuse compromised computers, extend the botnet and avoid detection. Among other things, supported commands can be used to launch DDoS attacks against specific victims, copy the malware to connected removable media or to public folders of cloud storage services (Dropbox, OneDrive, Google Drive), and spread further malicious files to grow the botnet.
The most interesting aspect of GoBotKR is its evasion techniques, which are tailored to South Korea. In particular, the malware scans the processes running on a compromised system for certain antivirus products, including products from South Korean security companies; if such a product is found, the malware terminates itself. A second technique detects system analysis tools, again including tools from South Korean vendors. In a third technique, the attackers abuse a legitimate South Korean online platform to determine the victim’s IP address. “In general, we are seeing changes that allow the attackers to adapt their malware to a specific audience, while making extra efforts not to be detected in their campaigns,” Hromcova concludes.
The post Malicious Torrent GoBotKR Targets South Korean TV appeared first on .
Few seasons are more important to the parent-child bond than summer. The days are longer, fewer activities are crowding the family calendar, and if we’re lucky, we can grab a few more quiet moments with one another.
So how will you spend these last few, magical weeks of summer before the frenzy of a new school year arrives? We hope it includes a lot more fun and taking time to connect with your kids about what’s going on in their online world.
Thanks to the results of a recent survey, we have some clear and current insight into the digital issues most important to parents.*
Survey: Top digital concerns for parents
- Knowing which apps my children are using 66.67%
- Knowing which sites my children are visiting 65.83%
- Knowing what my children are posting online 62.50%
- Being able to put parental controls on my children’s smartphone, tablet and/or computers 62.50%
- Keeping photos of my children/ family safe 60.83%
- Monitoring and/or limiting the amount of time my children spend online 55.83%
- My children’s use of social media 55.00%
- My children’s use of texting 52.50%
Before summer slips away, we challenge you (as well as ourselves!) to bring up these critical conversations with your kids. Doing so will help to equip them and give you peace of mind as your family heads closer to the new school year.
5 Digital Concerns & Solutions
- App Safety: Look at the apps on your child’s phone (don’t forget to look for decoy apps). Also, ask your child questions about his or her favorite apps and download and explore the app yourself. Analyze the content and culture. Check app reviews for potential dangers. Are the accounts your child follows on the app age-appropriate? Are the comments and conversations positive? Does your child know his or her followers? Is your child posting appropriately? Follow your gut, parent: If you believe the app is harmful, discuss the reasons, and delete the app.
- Track Online Activity: One of the most common questions we get at McAfee from parents is, “Where do I go to find out information about what my kids are doing online?” Simply put: You go where they go. Start with their phones. Depending on the age of your child, you as a parent can determine how frequently and how deeply you want to dive into your child’s apps, direct messages, and texts. An invasion of privacy? Perhaps, depending on your point of view and parenting style. But if you are genuinely concerned about your child’s online activity, then some form of monitoring is a must. Let your kids know you are monitoring their activity and why — there’s no need to spy. A few basics: Google your child’s name, check their PC online history log, agree on weekly phone checks, and open and explore phone apps. Sound like a lot of work? It is. The more efficient way of tracking online activity is using parental controls, which helps you set limits on sites visited, apps used, hours online, and location tracking. A comprehensive software solution can be a game-changer for parents who are exhausted with phone tracking routines and arguments.
- Time Limits: We know that excess screen time can lead to physical and emotional issues in kids, but reducing family screen time online can be a challenge. Cutting back takes consistent effort such as family media use rules, establishing phone-free zones like dinnertime, movie time, and family outings. Turning off notifications, deleting tempting apps, and having a phone curfew can significantly impact online time as can the use of parental controls.
- Smart Photo Sharing: Be mindful of the risks of sharing photos online and discuss them with your kids. Remind your child to lock privacy settings on each app, to only share photos with known friends, to turn off geo as well as photo tagging, and to never share inappropriate images online.
- Safe Texting: When it comes to texting, parents often want to know how to curb the amount of texting, and if the content is harmful. To help curb texting: Teach kids self-control and remind them that they don’t have to respond to friends right away. Challenge them to turn off text notifications and only check their phone at set times. Reduce texting anxiety by enforcing a phone curfew, so kids don’t text into the night or wake up to text conversations. On the topic of content: If you know there’s an issue — get equipped so you can respond. Understand what’s going on with group chat conflict, cyberbullying, and the texting slang kids use.
While monitoring and parental controls are two of the best tools parents have, we know that equipping kids to be safe online comes down to two things: A strong parent-child connection and engaged parenting. This will look different in the context of every family but might include creating age-appropriate family ground rules for online activity (and enforcing them!), open communication, modeling a healthy digital balance, and taking the time to listen to your child and what’s going on in his or her life and heart.
* McAfee commissioned Response Marketing to conduct a survey in the U.S. in April 2019.
The post How to Help Kids Build Strong Digital Habits Before Summer Slips Away appeared first on McAfee Blogs.
Hot Dogs & Hacking is a wrap, and we are blown away by the number of people who spent time away from the beach and cookouts to attack our Shred Cyber Range. In the past we’ve highlighted top scorers and the occasional person who solves all of the challenges, but this time we have to take a different approach since a whopping SIX participants solved all 35 challenges! Congratulations to each!
Millions of IoT devices, from security cameras to baby monitors, contain severe security vulnerabilities. Many vendors are not responding to the reports, patches are not being created, and in some cases the devices cannot be fixed. This episode talks about a shared recommendation from researchers on what to do if you have these devices on […]
The post Episode 532 – IoT Strikes Again – Insecure Devices Need To Be Discarded appeared first on Security In Five.
Since the early ‘90s, Linux has been a cornerstone of computer operating systems. Today, Linux is everywhere — from smartphones and streaming devices to smart cars and refrigerators. This operating system has been historically less susceptible to malware, unlike its contemporaries such as Windows or Mac OS. However, the widespread adoption of IoT devices has changed that, as security vulnerabilities within Linux have been found over time. These flaws have been both examined by researchers in order to make repairs and also exploited by hackers in order to cause disruption.
As recently as last month, a new strain of a Linux bricking worm appeared, targeting IoT devices like tablets, wearables, and other multimedia players. A bricking worm is a type of malware that aims to permanently disable the system it infects. This particular strain, dubbed Silex, was able to break the operating systems of at least 4,000 devices. By targeting unsecured IoT devices running on Linux or Unix configurations, the malware went to work. It quickly rendered devices unusable by trashing device storage, as well as removing firewalls and other network configurations. With this threat, many users will initially think their IoT device is broken, when really it is temporarily infected. To resolve the issue, users must manually download and reinstall the device’s firmware, which can be a time-consuming and difficult task. And while this incident is now resolved, Silex serves as a cautionary tale to users and manufacturers alike as IoT devices continue to proliferate into almost every aspect of everyday life.
With an estimated 75.4 billion IoT connected devices installed worldwide by 2025, it’s important for users to remain focused on securing all their devices. Consider these tips to up your personal device security:
- Keep your security software up-to-date. Software and firmware patches are always being released by companies. These updates are made to combat newly discovered vulnerabilities, so be sure to update every time you’re prompted to.
- Pay attention to the news. With more and more information coming out around vulnerabilities and flaws, companies are more frequently sending out updates for IoT devices. While these should come to you automatically, be sure to pay attention to what is going on in the space of IoT security to ensure you’re always in the know.
- Change your device’s factory security settings. When it comes to IoT products, many manufacturers aren’t thinking “security first.” A device may be vulnerable as soon as the box is opened, and many cybercriminals know how to get into vulnerable IoT devices via default settings. By changing the factory settings, you are instantly upgrading your device’s security.
- Use best practices for linked accounts. If you connect a service that leverages a credit card, protect that linked service account with strong passwords and two-factor authentication (2FA) where possible. In addition, pay attention to notification emails, especially those regarding new orders for goods or services. If you notice suspicious activity, act accordingly.
- Set up a separate IoT network. Consider setting up a second network for your IoT devices that doesn’t share access with your other devices and data. You can check your router manufacturer’s website to learn how. You may also want to add another network for guests and their devices.
- Get security at the start. Lastly, consider getting a router with built-in security features to make it easier to protect all the devices in your home from one place.
A sophisticated attacker has successfully infiltrated cell providers to collect information on specific users:
The hackers have systematically broken into more than 10 cell networks around the world to date over the past seven years to obtain massive amounts of call records -- including times and dates of calls, and their cell-based locations -- on at least 20 individuals.
Cybereason researchers said they first detected the attacks about a year ago. Before and since then, the hackers broke into one cell provider after the other to gain continued and persistent access to the networks. Their goal, the researchers believe, is to obtain and download rolling records on the target from the cell provider's database without having to deploy malware on each target's device.
The researchers found the hackers got into one of the cell networks by exploiting a vulnerability on an internet-connected web server to gain a foothold onto the provider's internal network. From there, the hackers continued to exploit each machine they found by stealing credentials to gain deeper access.
Who did it?
Cybereason did say it was with "very high probability" that the hackers were backed by a nation state but the researchers were reluctant to definitively pin the blame.
The tools and the techniques - such as the malware used by the hackers - appeared to be "textbook APT 10," referring to a hacker group believed to be backed by China, but Div said it was either APT 10, "or someone that wants us to go public and say it's [APT 10]."
Based on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers.
The attack was aiming to obtain CDR records of a large telecommunications provider.
The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.
The tools and TTPs used are commonly associated with Chinese threat actors.
During the persistent attack, the attackers worked in waves -- abandoning one thread of attack when it was detected and stopped, only to return months later with new tools and techniques.
Boing Boing post.
A security researcher found a misconfigured ElasticSearch cluster that exposed over 90 million personal and business data records. On 1 July, GDI Foundation member and independent security researcher Sanyam Jain found that the unprotected ElasticSearch server lacked proper configuration, in that it sent anyone to the “Create index pattern page” once it loaded in […]
The post Misconfigured ElasticSearch Cluster Exposed Over 90 Million Records appeared first on The State of Security.
If you have installed Zoom, any website can turn on your Mac’s webcam without asking your permission.
Oh, and if you’ve since uninstalled Zoom – that doesn’t fix the problem.
What is common between Sarah Palin, George HW Bush, and John Podesta?
Apart from being important political figures in the United States, there’s another fact that unites them – they’ve all been victims of messy email hacks.
Danger can often hide in plain sight. As cyber threats get increasingly sophisticated and complex, enterprises are constantly rushing to keep up by using a wide and varied range of cybersecurity solutions to fight them. However, the simplest threat is often the one that gets overlooked – email is one such threat.
According to a survey, around 3 billion people use email. A staggering 246 billion emails are expected to be sent by the end of 2019. Considering the magnitude of email users around the world, this communication channel naturally becomes a lucrative target for hackers. Hence, the global populace and its biggest enterprises connecting through email must ensure that they take sufficient steps to protect this important tool.
Seqrite reveals simple measures to bolster email security.
The golden rule for any enterprise is enforcing and keeping strong passwords followed by educating and mandating its employees to do the same. There should be no grounds for confusion – proper, easy-to-understand policies must be circulated for compliance, outlining password strength and how often they have to be changed. This is not optional – in this day and age where hackers have thousands of sophisticated tools to guess passwords, keeping strong passwords is a must.
Preventing social engineering & phishing
Social engineering occurs when employees are tricked into giving up important information like their password. They may reply to fraudulent emails and/or enter their password on a fake website designed to look like an authentic one. This is known as phishing, and it is a major social engineering tool used by hackers. Education and timely training are the only defenses against phishing attacks. Enterprises should train employees on the negative business consequences that are bound to occur if critical passwords fall into the wrong hands. Employees should also be educated about the distinguishing signs that help them tell a fraudulent website from an authentic one.
Having strong anti-malware solutions
Keyloggers are a dangerous type of malware that cybercriminals secretly install on unsuspecting victims’ devices. They can take the form of software or hardware and are used to track user keypresses on electronic gadgets. Targets can accidentally download keyloggers by clicking on malicious links. Hackers can sneak in and install hardware keyloggers when the concerned person is not present. In either case, keyloggers can record all key presses on a system and transmit them to a third party, who will then have access to all information entered into the system, including passwords, credit card numbers, personal details, etc. To prevent this, enterprises must ensure they have strong solutions, on both the physical and digital front, backed by a robust anti-malware protection suite.
Preventing Business Email Compromise (BEC)
Business Email Compromise (BEC), also known as ‘Man-In-The-Email’ or ‘CEO Fraud’, is a sophisticated type of phishing attack, carried out through elaborate means and usually with devastating effects. Basically, attackers impersonate a key organization executive (often someone who is a senior figure at the organization like a CEO) to send emails to employees within the organization. These emails exactly replicate the chosen target’s style and ask for important financial details. It is extremely important for everyone in the organization, especially those who handle sensitive information, to exercise constant vigilance when receiving emails asking for sensitive data.
Cybersecurity experts like Seqrite have developed innovative features in their products to help keep business inboxes safe. Seqrite Endpoint Security is loaded with features that strengthen an organization’s defense against malware and phishing attacks. It offers superior phishing protection against attacks that originate from malicious codes over the internet by stopping them from entering the network and spreading across.
Other features included in their email security tool help identify the nature of emails coming from various email gateways as well as provide robust protection against suspicious messages. BEC data thefts can be avoided by integrating Seqrite’s Data Loss Prevention solution with the email marketing plans. Policy-based encryption allows information to be encrypted and accessible only to authorized personnel. BEC is a serious threat but with Seqrite as your security partner, it can be tackled with ease.
The post Email could be one of the simplest ways for hackers to breach your organization appeared first on Seqrite Blog.
The New York State Legislature recently passed a bill that aims to protect New York residents, regardless of the location of the business. The law, known as the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, is designed to address unauthorized access to data. The bill expands the definition of “Breach of the security […]
The post New York Passes a Law that Further Expands Cyber Protection appeared first on The State of Security.
Every month, we dig through cybersecurity research, trends, advice and news for our readers. This month: T&Cs, stronger security in Europe, and a birthday with bitter memories.
Policing policies to protect privacy
One of the greatest lies on the internet is “I have read the terms and conditions”. But maybe most people aren’t to blame when those same policies read like “an incomprehensible disaster”. That’s what a New York Times investigation found after reviewing 150 privacy policies. The European Commission came to a similar conclusion after surveying 27,000 citizens on their attitudes to data protection. Commissioner Věra Jourová noted that 60 per cent of Europeans read their privacy statements, but only 13 per cent read them fully. “This is because the statements are too long or too difficult to understand,” she said.
But not reading T&Cs could have unintended consequences, like turning your phone into a spying tool. Spain’s Liga app activated a user’s smartphone audio function when it knew they were in a bar. Spain’s football administrators said the app’s terms made it clear this was to identify places that were streaming matches illegally. The Spanish data protection authority took a different view and slapped the league with a €250,000 fine.
In other privacy news, the UK Information Commissioner’s Office has published guidance providing clarity and certainty on correct cookie use. Cookie rules technically fall under the Privacy and Electronic Communications Regulations, but some of that regulation’s concepts derive from GDPR. As well as a reader-friendly myth-busting blog, there’s also more comprehensive guidance in a longer document.
Strengthening security across Europe
The EU Cybersecurity Act came into force on 26 June. For the first time, it introduces EU-wide cybersecurity certification rules for digital products, services and processes. It also strengthens the mandate for ENISA. The Union’s cybersecurity agency will set up the certification framework and it now has a remit to help Member States to handle cyber incidents.
BH Consulting is a contributor to ENISA and our CEO Brian Honan recently gave a presentation on threat intelligence at an ENISA industry event. The meeting also covered cybersecurity, internet regulation and Europe’s position in the race to a competitive ICT global industry. Brian also spoke to the Irish Times for a feature article about steps under way to improve security. Meanwhile Ireland’s second national cyber security strategy is expected in the coming weeks, as the Irish Examiner reports.
Déjà vu all over again
If working in information security can sometimes feel like Groundhog Day, then you might want to pause before reading further. Consider the following sentences, then guess when they were written (no peeking). “Paradoxically, the drive for business efficiency and globalism serves only to increase the potential damage which computer viruses and other malicious programs can cause… the more streamlined and interconnected computers become, the greater will be the penalties resulting from carelessness, recklessness and vandalism… no-one knows when or where a computer virus will strike. They attack indiscriminately. Virus writers, whether or not they have targeted specific companies or individuals, must know their programs, once unleashed, soon become uncontrollable.”
So how old is that text? Five years? Ten? Fifteen, at a push? Actually, it’s double that number. Edward Wilding penned them in the summer of ’89, for the very first edition of Virus Bulletin (PDF). Brain, the world’s first computer virus, appeared just three years before then.
It says a lot that Wilding could write these words and, without knowing, still have them resonate three decades later. The same issues he identified then have not gone away. (Side note: the same is true of attacks like SQL injection. Even today, they account for two-thirds of all web app attacks, according to new findings from Akamai.) The industry’s progress, or lack of it, is a point to ponder while security professionals (hopefully) enjoy some deserved downtime this summer.
Links we liked
NIST guidance on understanding and managing security risks with IoT devices.
Demand for cybersecurity jobs in Ireland is growing, but supply can’t keep up.
Controversial: you should think about paying to get data back from ransomware.
An open letter to the security profession, from a privacy practitioner.
You know that ‘padlock’ icon in your web browser? It could be a fake.
The Irish privacy champion on a mission to clean up dirty adtech.
A sceptical take on Facebook’s planned move into cryptocurrency.
When BGP goes wrong, the whole internet feels it.
How a trivial cell phone hack is ruining lives.