Daily Archives: October 11, 2019

Friday Squid Blogging: Apple Fixes Squid Emoji

Apple fixed the squid emoji in iOS 13.1:

A squid's siphon helps it move, breathe, and discharge waste, so having the siphon in back makes more sense than having it in front. Now, the poor squid emoji will look like it should, without a siphon on its front.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Capital One Hacking Trial Delay Likely

Prosecutors, Defense Attorneys Ask Judge for Delay, Citing Massive Amounts of Data to Review
Defense and prosecution attorneys are asking for a delay in the trial of alleged Capital One hacker Paige A. Thompson, citing the overwhelming amount of digital evidence in the case and the ongoing forensics investigation. Prosecutors also expect to file additional charges.

Actually, it appears I broke Panasonic’s Toughbook 55

After battle-testing the Panasonic Toughbook 55 with a cup of hot coffee, the thing initially seemed fine but later stopped working. Examining the situation suggests both that my coffee test was foolish and unfair but also that Panasonic might want to reconsider one small but important detail of the Toughbook’s design.

Tens of million PCs potentially impacted by a flaw in HP Touchpoint Analytics

SafeBreach experts discovered that the HP Touchpoint Analytics service is affected by a potentially serious vulnerability.

Security researchers at SafeBreach have discovered that the HP Touchpoint Analytics service is affected by a serious flaw tracked as CVE-2019-6333. The vulnerability received a CVSS score of 6.7 (medium severity).

The TouchPoint Analytics is a service that allows the vendor to anonymously collect diagnostic data about hardware performance, it comes pre-installed on most HP PCs.

HP Touchpoint Analytics

The service is based on the open-source tool Open Hardware Monitor and it is executed as “NT AUTHORITY\SYSTEM.”

The experts noticed that when the service is started, it attempts to load three missing DLL files. An attacker with administrative privileges on the targeted system can create malicious DLLs with the names of the missing files and place them in the locations where they were expected to be to get executed when the HP service starts.

The experts pointed out that the Touchpoint Analytics service would have high-permission-level access to the PC hardware, this means that a flaw affecting the could be exploited to escalate privileges to SYSTEM and bypass security features.

“The Open Hardware Monitor library provides a signed kernel driver named “WinRing0,” which is extracted and installed during runtime.” reads the analysis published by the experts.

“As you can see, the service was trying to load three missing DLL files, which eventually were loaded from the c:\python27 directory – our PATH environment variable:

  1. atiadlxx.dll
  2. atiadlxy.dll
  3. Nvapi64.dll

The researchers also published a PoC code to show how to use the Open Hardware Monitor library to read and write to physical memory.

The flaw could impact tens of millions of computers running the HP Touchpoint Analytics or Open Hardware Monitor.

“A potential security vulnerability has been identified with certain versions of HP Touchpoint Analytics prior to version” reads the security advisory published by HP. “This vulnerability may allow a local attacker with administrative privileges to execute arbitrary code via an HP Touchpoint Analytics system service.”

The experts reported the flaw to HP in early July and it was addressed this month with the release of version

Pierluigi Paganini

(SecurityAffairs – Touchpoint Analytics, hacking)

The post Tens of million PCs potentially impacted by a flaw in HP Touchpoint Analytics appeared first on Security Affairs.

CanadianCIO of the Year finalist a bridge builder by nature

This is one in a series of profiles of tech leaders named as a finalist for the 2019 ITAC CanadianCIO of Year Award. Mr. Sanderson will be part of a Nov. 14 Town Hall discussion for finalists focused on the changing role of the CIO. The ITAC CanadianCIO of the Year winners will be announced…

I Have a New Book: We Have Root

I just published my third collection of essays: We Have Root. This book covers essays from 2013 to 2017. (The first two are Schneier on Security and Carry On.)

There is nothing in this book is that is not available for free on my website; but if you'd like these essays in an easy-to-carry paperback book format, you can order a signed copy here. External vendor links, including for ebook versions, here.

Mississippi Shows Flagrant Disregard for Cybersecurity

Mississippi Shows Flagrant Disregard for Cybersecurity

An audit of Mississippi government institutions has revealed an alarming lack of compliance with standard cybersecurity practices and with the state's own enterprise security program.

A survey of 125 state agencies, boards, commissions, and universities conducted by the Office of the State Auditor (OSA) revealed that only 53 had a cybersecurity policy in place. Eleven reported having no security policy or disaster recovery plan whatsoever. 

The true number of completely unprepared government entities may well be higher, however, since 54 of the institutions surveyed didn't even bother to respond to the 59-question survey, despite the OSA being authorized to verify compliance. 

"Many state agencies are operating as if they are not required to comply with cybersecurity law, and many refused to respond to auditors' questions about their compliance," wrote state auditor Shad White in a data services division brief dated October 1, in which the research findings were revealed.

In Mississippi it's a legal requirement for state institutions to have a third party perform a security risk assessment at least once every three years. Despite this law, 22 of the government entities admitted that they hadn't conducted a security risk assessment in the last three years. 

Asked about how they stored and sent sensitive information, 38% of respondents said that they do not protect sensitive data with encryption. 

The OSA also found that just over half of the government agencies that responded to the survey were less than 75% compliant with the Mississippi Enterprise Security Program. 

White said: "State government cybersecurity is a serious issue for Mississippi taxpayers and citizens. Mississippians deserve to know their tax, income, health, or student information that resides on state government servers will not be hacked."

White called for leaders of agencies to question their IT professionals to make sure that their agency is compliant, and to "consider ways to go above and beyond to prevent cyber breaches." 

Leading by example, the Office of the State Auditor requires all its employees to go through training to spot phishing attempts and learn best practices for preventing security incidents. 

The OSA also partnered with the federal Department of Homeland Security and arranged for the DHS to perform a penetration test of the OSA's computer system to identify any vulnerabilities.

"I personally have seen screenshots of other states’ private data on the dark web, and we do not need Mississippians’ personal information leaking out in the same way. The time to act to prevent hacking is now," said White.

Most Americans Are Clueless About Private Browsing

Most Americans Are Clueless About Private Browsing

New research has found that only a quarter of Americans know that surfing the internet in private browsing mode only prevents other users of the same computer from seeing what you've been up to online.

A survey conducted in June by the Pew Research Center asked 4,272 adults living in the United States ten digital knowledge questions. When asked to identify the correct definition of private browsing, 24% of respondents got it wrong, and 49% admitted to being unsure. 

The overall findings of the research reveal that Americans’ understanding of technology-related issues varies greatly depending on the topic, term, or concept. While 67% knew that phishing scams can occur on social media, websites, email, or text messages, only 29% were in the know about WhatsApp and Instagram being owned by social media titan Facebook. 

Researchers wrote: "Just 28% of adults can identify an example of two-factor authentication—one of the most important ways experts say people can protect their personal information on sensitive accounts."

On average, survey respondents were able to correctly answer only four out of the ten questions they were asked. What caused the most confusion was when participants were asked to identify Twitter's co-founder and CEO, Jack Dorsey, from a picture.  

Interestingly, respondents were pretty savvy when it came to the commercial side of social media, with 59% recognizing that advertising is the largest source of revenue for most social media platforms. 

Most respondents were aware of what the kind of cookie that can't be dipped in milk is all about. While 27% said they were unsure what a cookie is for, 63% knew that they allow websites to track user visits and site activity.  

How much education an individual had obtained had an impact on the results. Adults with a bachelor’s or advanced degree answered a median of six questions correctly, compared with three answered by those who had, at most, a high school diploma.

Age, too, had an effect, with 18- to 29-year-olds correctly answering five out of 10 questions on average, while those aged 65 or older typically gave just three right answers.

US Homeland Security Wants to Subpoena ISPs to Hand Over Data

US Homeland Security Wants to Subpoena ISPs to Hand Over Data

The cybersecurity branch of the Department of Homeland Security has requested legal permission from Congress to demand data from internet services providers in a bid to prevent cyber-attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) has chosen National Cybersecurity Awareness Month to seek administrative subpoena authority, which will give it the power to compel ISPs to hand over information. 

Currently, when the DHS identifies cybersecurity weaknesses in the private sector, it can obtain only the IP addresses of vulnerable systems. If granted administrative subpoena authority, the DHS will have the power to require ISPs to turn over the contact details of the owners of the vulnerable systems.

The department's plan is to use this information to directly contact the owners and warn them about the vulnerabilities in their cybersecurity. 

CISA assistant director for cybersecurity and communications Jeanette Manfra said: "We can see a lot of industrial control systems or potential industrial control systems, in particular, that have potential vulnerable systems that are accessible from the public internet.

"Over many years, we have tried many methods to be able to contact these entities. The challenge is that the law actually prohibits an internet service provider from telling us who that customer might actually be."

Manfra said that while the DHS can often locate the vulnerable entity on its own with a spot of detective work, this process can take hours or even weeks, leaving the entity exposed to threat actors.

The logic of the request is easy to follow; however, it does raise some serious privacy concerns.  

"We're very aware of the concerns about overreach," said Manfra. "We have a long history of collecting similar types of data through voluntary programs and demonstrated ways of protecting that, as well to ensure that the information is used only for the purposes for which it was collected."

The proposal is currently being scrutinized by the House of Representatives and Senate Homeland Security panels. 

CISA was created in November last year with the mission to partner with both industry and government to understand and manage risks to America's critical infrastructure.

Canadian SMBs incur a potential productivity loss of CA$2 billion using older technology 

A recent study commissioned by Microsoft and Intel reported that the cost of using a PC older than four years is more than buying a new one.  As per StatsCanada, the country is home to around 1.2 million small and medium businesses. These businesses comprise 98.8 per cent of the total employee businesses in the…

Threat Roundup for October 4 to October 11

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 4 and Oct 11. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More


TRU10112019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Digital Innovation Thrives in Open Pastures

Openness and interoperability are long standing buzzwords in the digital ecosystem, but it is not always clear what it means, and why it is important. For McAfee, embracing these notions is critical to our success, and here’s why. Openness means that we share information, and interoperability means that this information is shared with our eco-system partners be they public and private entities all with the aim of fostering innovative solutions and services of benefit to all.  We all have a natural instinct to defend ourselves against free-loaders, but in the digital world, however counterintuitive it may seem at first glance, this mindset is harmful to both digital business and our capacity to innovate.

Put another way, the more we collaborate and share, the more our customers trust that we are at the top of our game. By being a cog in a vast and interdependent digital machine, McAfee’s services become more valuable. Conversely, locking ourselves out of this process has real risk.  This is because openness and interoperability cuts both ways. By giving others access to our expertise, we also gain access to theirs. This lets us focus on what we are good at, and we can leave it to others to create amazing new services that build on our innovation.

Of course, there is a bigger picture. An open and interoperable digital ecosystem is a cornerstone of competition. And ultimately, it is competition that drives innovation. Equally, devices or services that cannot interoperate will over time become less valuable.

That’s why we think the principles of openness and interoperability merit inclusion in the new  European Commission’s  technology and security policies, a point not lost on the Finnish Presidency, the current chair of EU ministerial meetings, who have made interoperability a priority objective for the next five years.

Openness has its drawbacks, of course. If we don’t excel and keep our products and services at the highest standard, someone else with a more robust solution could easily claim our place in the market. But being open and interoperable also acts as a rapid-alert system to let us know where we are falling short. Whether it is a bug in the code we produce, or a glitch in our interfaces, the community that we work with will let us know far sooner than if we were closed off to this scrutiny.

In relation to cyber security a lack of interoperability and cyber intelligence sharing across information systems can have serious consequences, including, for example, the limitation of response capability against cyber (or even, larger scale) terrorist attacks.  Today’s threats are no longer confined to a particular country, company or group of people and their impact is felt by the whole of society.

The best way to keep people safe today is to share and receive cyber threat intelligence within and beyond a company’s boundaries, fast detection of imminent attacks by cybersecurity experts, and collaboration on threat analysis, automated threat exchange, and detection and response. If we do not prioritise openness and interoperability in our policies, real people could suffer as a result.

The benefits of open and interoperable cloud security architectures to digital transformation should also not be overlooked.  Open and interoperable cloud security architectures provide a quick and comprehensive way of achieving higher security standards across governments and enterprises.

So, there is no question that openness and interoperability is the right way to go, and we’re proud the fact that McAfee and others use these as foundational principles.

As a case in point, on October 8th, McAfee and IBM Security kick-started an initiative to bring real interoperability and data sharing across the cybersecurity product landscape. The Open Cybersecurity Alliance (OCA) project is comprised of like-minded global cybersecurity vendors, end users, thought leaders, and individuals interested in fostering an open cybersecurity ecosystem, where products from all vendors and software publishers can freely exchange information, insights, analytics, and orchestrated response, via commonly developed code and tooling, using mutually agreed upon technologies, standards, and procedures.

The Alliance’s founders, McAfee and IBM Security, are joined in the initiative by Advanced Cyber Security Corp, Corsa, CrowdStrike, CyberArk, Cybereason, DFLabs, EclecticIQ, Electric Power Research Institute, Fortinet, Indegy, New Context, ReversingLabs, SafeBreach, Syncurity, ThreatQuotient, and Tufin.

Formed under the auspices of OASIS, a respected consortium driving the development, convergence and adoption of open standards for the global information society, the Alliance was launched as an OASIS Open Project on October 8, 2019.

Its goal is to is to develop and promote sets of open source common content, code, tooling, patterns, and practices for operational interoperability and data sharing among cybersecurity tools. The Alliance aims to create an environment where cybersecurity vendors do not compete on plumbing; rather, the plumbing is the foundation – the common platform — upon which cybersecurity tools are built. Cybersecurity vendors have a real adversary they are trying to defeat, and vendors should not be distracted by each of us having to replicate different ways to provide product plumbing. (See OCA announcement blog)

Finally, if you are interested to learn more about why this agenda is important to European policy makers as the new European Commission is confirmed,  I would encourage you to look to the work of the European Committee for interoperable systems (ECIS) and its recent white paper on how interoperability and openness works in theory and practice, particularly in the field of cybersecurity an cloud services.


The post Digital Innovation Thrives in Open Pastures appeared first on McAfee Blogs.

Singaporean Unlawful Mining Indicted in the United States

A citizen of Singapore was arrested in the United States for a large-scale mining operation using robbed identity and credit card data.

The 14-count indictment notes that between October 2017 and February 2018 the man, Ho Jun Jia, also known as Matthew Ho, 29, ruled the illicit crypto-mining scheme after a rise in digital coin popularity and price.

The scheme has largely been driven by fraud and identity theft. It has supposedly opened accounts with various US cloud service providers using a popular California Video-game developer’s robbed identity and credit card data. He used these accounts for crypto-currencies like Bitcoin and Ethereum.

The prosecution also argues that Ho has built a network of fake e-mail accounts and used social engineering to manipulate Cloud Computing providers to accept the’ higher account rights’ and increased the ability and the power of the system to process and store them and delayed billing.’

According to the indictment, during the project, Ho accessed over $5 million in unpaid cloud computing services. For a short time he was one of the biggest consumers of information by amount for Amazon Web Services (AWS).

Before the scam was revealed, the accounting staff of the California game developer paid several bills.

In addition to the AWS accounts, the defendant opened accounts with Google Cloud Services that were discovered by a Texas resident and established a tech company in India.

Ho was arrested in Singapore on 26 September 2019 and charged for alleged crimes committed under Singapore law. Ho is now under investigation.

The Department of Justice states that if found guilty, Ho faces up to 20 years ‘ imprisonment for wire fraud and up to 10 years ‘ incarceration for access fraud because aggravated identity theft will make him have a two-year prison obligation to continue with any other punishment levied in that case.

The post Singaporean Unlawful Mining Indicted in the United States appeared first on .

CDM and the 2019 Billington Cybersecurity Summit

Recently, Billington hosted their 10th annual Cybersecurity Summit, one of the premier cybersecurity conferences where industry leaders and government officials join together to discuss the current state of cybersecurity. Several key themes presented themselves throughout the two-day summit, including cloud, cybersecurity legislation, and DHS’s Continuous Diagnostics and Mitigation program (CDM). Kevin Cox, the program manager of CDM at CISA, and private sector experts involved in the program discussed new developments and some of the benefits of CDM.

While updating the audience on CDM, Cox teased several important updates to the program expected soon, including a new dashboard system and an algorithm that will show agencies how they’re doing with basic cybersecurity measures — the Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm. Cox said that 50 federal agencies are reporting data to the federal dashboard, 74 smaller agencies are using the CDM shared services dashboard, and 31 agencies are reporting AWARE scores.

CDM has largely been a success throughout the federal government. According to a recent MeriTalk report, 85% of federal and industry stakeholders said that CDM has improved federal cybersecurity, with its most helpful capability being the increased visibility about the federal government’s cybersecurity posture. Now the program should move ahead on a cloud initiative, as federal agencies and organizations have been moving to cloud for some time, and many are in multi- or hybrid-cloud environments.

Cox noted that the program office would begin to address cloud security, specifically, “work[ing] with the DHS team, agencies, system integrators, and DHS Cybersecurity Division partners to determine the right approach and scope for a cloud security proof of concept.”

Another speaker at Billington, McAfee SVP and CTO Steve Grobman, took part in a panel devoted to cloud security. The conversation focused on the differences between traditional computing and cloud computing, current cybersecurity issues, and how policy can change that landscape.

“Cloud has given us the ability to redefine the security architecture,” said Grobman. “Although we can secure our environment using a lot of new capabilities, we need to recognize that the scale that cloud operates and that the issues are going to be bigger.”

Moving applications and infrastructure to the cloud securely is something government agencies need to prioritize, and programs like CDM should give the workforce and federal agencies the tools they need to make this important transition. McAfee is working with federal, state and local governments to adopt cloud capabilities to better detect threats and establish procedures to work through how to recover.

Supporting CDM has been one of McAfee’s highest priorities for the past 10 years. We designed several products specifically to meet CDM requirements, and we remain committed to making the aims of CDM a reality both today and well into the future. We also appreciate that organizations such as Billington continue to advance the conversation on important topics like both CDM and cloud security. and look forward to assisting our federal partners on both.

The post CDM and the 2019 Billington Cybersecurity Summit appeared first on McAfee Blogs.

Cyber News Rundown: E-Scooters Vulnerable

Reading Time: ~ 2 min.

E-Scooter Security Vulnerability

A security researcher recently found an API vulnerability within the software of Voi e-scooters that allowed him to add over $100,000 in ride credits to his account. The vulnerability stems from a lack of authentication after creating an account which allows users to enter an unlimited number of promo codes offering ride discounts through several of the service’s partners. The writeup of steps to replicate flaw was temporarily taken down by the researcher until the company resolves the issue.

MageCart Strikes Volusion Sites

Thousands of sites using Volusion software have been affected by malicious MageCart scripts going back to mid-September. The scripts have been running from a non-descript API bucket and are using filenames that would appear benign to most security software and site admins. While victims will likely begin monitoring for stolen payment card data, it is still unclear how many sites have been compromised in total.

Brazilian Database for Sale

A database containing extremely sensitive information belonging to more than 92 million Brazilian citizens was found up for auction on several marketplaces on the dark web. Included in a sample of the data were driver’s license numbers and taxation info for the 93 million Brazilians currently employed within the country. Unfortunately for those involved, Brazil’s recently introduced data protection law won’t be in effect until halfway through next year.

Twitter 2FA Leak

Twitter announced earlier this week that many email addresses and phone numbers customers were using for two-factor authentication had been provided to third-parties for use in targeted advertisements. The company is still working to determine how many users are involved in this apparently unintentional misuse of their sensitive information. Twitter has fixed the main issue, though they still require a phone number for 2FA regardless of the method used to verify the account.

New Zealand Health Organization Hacked

Following a cyber attack in August of this year, officials discovered evidence of multiple intrusions into their systems going back nearly three years. The health organization has been working with law enforcement to determine the extent of the unauthorized access, as well as attempting to contact all affected individuals.

The post Cyber News Rundown: E-Scooters Vulnerable appeared first on Webroot Blog.

Bill McDermott steps down as CEO of SAP

After 10 years as the CEO of SAP SE, Bill McDermott has decided not to renew his contract and will be relinquishing his position. McDermott will be replaced by SAP executive boards members Jennifer Morgan and Christian Klein in a co-chief executive officer structure – as per the company’s long term succession plan – while…

Putting the ‘C’ in Gartner’s CARTA

As we get ready for the Gartner IT Symposium/Xpo in Orlando, we’ve been thinking more about every element and imperative in their CARTA model: Continuous Adaptive Risk and Trust Assessment. Since ‘C’ also stands for Cisco, let’s start there.

Gartner uses the word “continuous” in a lot of places, including in their seven imperatives. It’s a reaction to the former practice of using what they call “one-time security gates”: you made a decision based on a static set of information (such as a source IP address or a username and password combination), and then you never revisited it. We know that this practice isn’t sufficient to maintain the proper level of trust. Trust is neither binary nor permanent: you don’t trust something or someone to do everything, and you don’t trust forever. Based on the changing nature of risk and the environment, you have to check more than once.

How often do you need to check, and does “continuous” really mean “all the time”? It depends on what you’re checking, what actions you’re taking based on those checks, and how both of those actions affect the system itself (users, applications, devices, networks and so on). Let’s take a look at a chart that Sounil Yu, formerly at Bank of America, devised for the purposes of identifying all the different ways that authentication can happen:

As you can see, a device can authenticate to a network using network access control; to an application using a client-side certificate; and to data with an encryption key. There are many opportunities to authenticate, but should you use all of them? If you try to make a user do all of the steps in the bottom row — authenticate to the device, the application, the network, the data — then you’re going to have a very cranky user. Continuous authentication, if you want to use it, has to be hidden from the user except at times when your estimation of risk really needs the user’s active participation.

On the other hand, devices and systems don’t mind continuous authentication, so doing the continuous checking and verification isn’t as disruptive. And continuous monitoring is fine, as long as you know what you’re going to do with all the data that’s generated. Can you interpret and respond to an ongoing stream of event data? Can you automate that response? If so, great; if not, you’ll end up throttling that “continuous” monitoring to produce the key data that you can actually use.

Gartner’s CARTA Imperative Number Two says “Continuously Discover, Monitor, Assess and Prioritize Risk — Proactively and Reactively.” How often do you do all of these things? Near real-time discovery of users and assets is the ideal state, and there are various ways to accomplish it. Continuous monitoring is (hopefully) a given. The tricky parts are assessment and prioritization, which often need a human to incorporate business context. For example, getting a login request from an unusual location could be a high risk, unless you already know that the employee using that account is really traveling there.

An organization needs to design its monitoring, analysis and actions around risk, but with tradeoffs against what the humans in the equation can reasonably support. How long can you let a successfully authenticated application session last before you start worrying that the user is no longer who you thought they were? Two hours? Eight hours (a typical working day)? A week? Can you force the user to re-authenticate just once through a single sign-on system, or will they have to log back into several applications? The answers can determine how frequently you carry out that “continuous” verification.

What events will cause you to revise your risk estimation and require fresh verification? It might be a request for a sensitive or unusual transaction, in which case you might resort to step-up authentication and kick off an extra permission workflow. It could be the release of a new security patch, so that you want to force all users to update before they can renew their access. Or it could be contact with an asset that is now known to be compromised, and you have to reset everything you knew and trusted about the application and its processes.

Your risk and trust assessments should be adaptive, but they shouldn’t be gratuitously continuous. They should be as often as your risk models require, and only as frequent as you can handle. Balancing controls against usability is the great challenge before us today.

Learn more about Cisco’s Zero Trust approach during Wendy’s talk on October 21 at 1:00 p.m. ET at Gartner IT Symposium/Xpo in Orlando, FL, which takes place at Walt Disney World Swan and Dolphin Resort.

Hacked Off: Lawsuit Alleges CafePress Used Poor Security

23 Million Victims Across US, UK, EU and Australia Receive Breach Notifications
Personalized product retailer CafePress has been hit with a lawsuit alleging that it failed to notify 23 million customers about a data breach in a timely manner or follow security best practices. The company was allegedly still using outdated SHA-1 to hash passwords, which can be easily cracked.

Researchers released a free decryptor for the Nemty Ransomware

Good news for the victims of the Nemty Ransomware, security researchers have released a free decryptor that could be used to recover files.

I have great news for the victims of the recently discovered Nemty Ransomware, security researchers have released a free decryptor tool that could be used to recover files.

In mid-August, the Nemty ransomware appeared in the threat landscape, the name of the ransomware comes after the extension it adds to the encrypted file names. The malicious code also deletes their shadow copies to make in impossible any recovery procedure.

Below the ransom note dropped by the Nemty ransomware after the encryption process is completed. Attackers demand the payment of a 0.09981 BTC ransom (roughly $1,000) through a portal hosted on the Tor network.

Nemty ransomware

Crooks used multiple attack vectors to distribute the ransomware, according to the popular malware researcher Vitali Kremez, the ransomware is mainly dropped via compromised remote desktop connections.

Now researchers from the security firm Tesorion have developed a decryptor tool that works on Nemty versions 1.4 and 1.6, they also announced a working tool for version 1.5.

The security form is also working with Europol to get its decryptors included in their NoMoreRansom project.

“As 1.6 is the most recent version of the two, we have been focussing our efforts on this version first. We now have a working decryptor for version 1.6. Please contact Tesorion CSIRT to obtain our decryptor for free if you are a victim of Nemty 1.6. We are also finishing our decryptor for Nemty 1.5 and expect to release it soon as well.” reads the post published by Tesorion.

The decryptor currently supports only a limited number of file extensions, anyway, researchers are working to improve it and support other file types.

Tesorion is not allowing victims to generate the decryption keys with their client, instead, it is allowing victims to retrieve the decryption key by generating it on its own servers.

Victims can contact the Tesorion CSIRT and request help with the Nemty Ransomware, in turn the company will then send a link to the decryptor that will allow you to decrypt the files.

“Tesorion told BleepingComputer they went this route in order to prevent the ransomware developers from analyzing the decryptor and learning the weakness in their algorithm.” reported BleepingComputer.

Victims can upload their files on the Tesorion serves that will use it to calculate the decryption key, then the key is sent back to the victims that can load is in the decryptor.

Pierluigi Paganini

(SecurityAffairs – Nemty ransomware, malware)

The post Researchers released a free decryptor for the Nemty Ransomware appeared first on Security Affairs.

This Week in Security News: How a Partnership can Advance DevSecOps and Cybersecurity Issues in the Midwest and South U.S.

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how Trend Micro’s partnership with Snyk will advance DevSecOps. Also, read about cyber attacks affecting hospitals in Alabama and Indiana as well as disregarded cybersecurity protocols in Mississippi.

Read on:

Trend Micro Partners with Snyk to Advance DevSecOps

Trend Micro announced an alliance with Snyk through which alerts about vulnerabilities in open source code will be passed on to the tools Trend Micro makes available to apply virtual patches to both monolithic and microservices-based applications.

Answering IoT Security Questions for CISOs

Given the permeating nature of IoT and Industrial IoT devices in our daily lives, from smart homes to smart cities, one cannot escape the growing cybersecurity risks associated with these devices. It might leave CISOs with a lot of questions about how this newer, growing attack vector could impact their business. Ed Cabrera, Trend Micro’s chief cybersecurity officer, answers a few of those questions here.

Tackling the BEC Epidemic in a New Partnership with INTERPOL

In just a few short years, Business Email Compromise (BEC) has gone from a peripheral threat to a major cyber risk for organizations. It’s making criminal gangs millions of dollars each month, hitting corporate profits and reputation in the process. In this blog, learn about the formidable array of resources that Trend Micro has built over the past few years to help protect our global customers from BEC.

Magecart Attack on Volusion Highlights Supply Chain Dangers

Magecart attackers have infiltrated cloud-based e-commerce provider Volusion to successfully infect at least 6,500 customer websites with malicious code designed to lift payment card information. This article also includes insights from Trend Micro researchers on Magecart actor groups.

Short October Patch Tuesday Includes Remote Desktop Client, Browser, and Authentication Patches

October’s Patch Tuesday is relatively modest, with Microsoft releasing a total of 59 patches. However, this shorter list still warrants attention. Nine of the 59 were still identified as Critical, while the remaining 50 were labeled Important. Take a closer look at the notable vulnerabilities patched this month in this article.

CVE-2019-16928: Exploiting an Exim Vulnerability Via EHLO Strings

In September, security researchers from the QAX-A-Team discovered the existence of CVE-2019-16928, a vulnerability involving the mail transfer agent Exim. Exim accounts for over 50% of publicly reachable mail servers on the internet. What makes the bug particularly noteworthy is that threat actors could exploit it to perform denial of service (DoS) or possibly even remote code execution attacks (RCE).

Mississippi State Agencies Not Complying with Cybersecurity Laws

In a recent cybersecurity audit undertaken by the office of the state auditor of Mississippi, it was found that a sizable number of state’s agencies are regularly failing to comply with the cybersecurity protocols. These protocols, which were devised in 2018 and called the Mississippi Enterprise Security program, were aimed at building cooperation among agencies on defense and cybersecurity.

Ransomware Attack Disrupts Medical Care in 3 Alabama Hospitals

Three hospitals of the DCH Health System were hit by a ransomware attack on October 1, forcing the medical institutions to turn away noncritical patients while they work to securely restore their affected IT systems.

Phishing Attack Exposes the Data of 60K Patients in Indiana

A new attack on healthcare data has been reported in Gary, Indiana, involving a phishing campaign that possibly exposed medical and personal information of 68,039 patients of Methodist Hospitals, Inc. An investigation determined that two of its employees had fallen victim to a phishing campaign that gave an unknown threat actor unauthorized access to their email accounts.

Three Recommendations for Securing the Network from Targeted Attacks

Targeted attacks remain a serious threat to organizations despite the emergence of advanced security technologies. A recent study shows that the average cost of cybercrime for each company — where sophisticated attacks are at play — has increased from US$11.7 million in 2017 to US$13.0 million in 2018. Read up on three security recommendations that can protect networks from targeted attacks.

Organizations Need Tools that Support DevOps Security

Organizational silos create unnecessary security risk for global businesses. The lack of security involvement in DevOps projects was reportedly creating cyber risk for 72% of IT leaders, according to Trend Micro. The company commissioned a survey, which polled 1,310 IT decision makers in SMB and enterprise organizations across the globe about their organizational culture.

September Malicious Cryptocurrency-Mining Attacks Showcase Current Malware Techniques and Capabilities

A spate of cryptocurrency-mining malware that affected Windows systems, Linux machines, and routers have been identified last August to September of this year. The malware variants employed a variety of methods – from the use of rootkit to MIMIKATZ – to hide and spread their malicious mining activities.

RobbinHood Ransomware Banks on Bad Reputation to Extort Money from Victims

A RobbinHood variant was found employing a scaring tactic in its new ransom note, prodding victims to search online for news of previous RobbinHood ransomware victims and how they ended up paying a larger cost by not paying the cybercriminals up front. 

US University Offers First Ever Healthcare-Specific Cybersecurity Certification

The McCombs School of Business at the University of Texas at Austin has launched America’s first professional cybersecurity certificate program specifically geared toward protecting healthcare providers from cyber-attacks. The Leadership in Healthcare Privacy and Security Risk Management program has been launched by the school in a bid to help close the 1.8-million-person info security gap.

Do you know how to protect your organization from falling victim to targeted attacks? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


The post This Week in Security News: How a Partnership can Advance DevSecOps and Cybersecurity Issues in the Midwest and South U.S. appeared first on .

Patches for Internet Explorer Zero-Day Causing Problems for Many Users

Microsoft released a new series of security patches in Internet Explorer for a zero-day bug, originally addressed on September 23. The original updates introduced some printing problems, but the new ones seem to be unstable too.

Tracked as CVE-2019-1367, the default was considered to be a memory error that could lead to execution of remote code. Internet Explorer 9, 10 and 11 have been found to be affected and vulnerability hackers had already been attacked, Microsoft said last month.

Adversaries who want to exploit the vulnerability must trick unsuspected victims to visit a malicious website using insecure Internet Explorer versions.

“The vulnerability can corrupt memory so that an attacker could run arbitrary code in the current user context,” states Microsoft in his advisory.

On 3 October, the technology giant decided to push a further package of bug fixes, stating that some users encountered some printing issues after the original patches were applied.

“To deal with known printing issues, customers can experience a new security update or IE Cumulative update released on 23 September 2019 for CVE-2019-1367 by Microsoft for all existing Internet Explorer 9, 10, or 11 installs on Microsoft Windows,” says the company.

Although Microsoft claims that the cumulative fixes are meant to address issues that users have encountered with their printers since installing the initial CVE-2019-1367 update, many argue that it actually causes problems with the out – of-band Update.

Users have complained to BornCity and other websites that cumulative changes have caused problems with printing and booting and, in some cases, caused a crash in the start menu.

According to Microsoft, the cumulative changes to IE are different from the Tuesday Release of October, scheduled for tomorrow, October 8.

The post Patches for Internet Explorer Zero-Day Causing Problems for Many Users appeared first on .

Top cybersecurity certifications to consider for your IT career

With the right cybersecurity certifications, you can attain your goals seamlessly and in a fast way and speed up your career.

Cyber attacks are making headlines almost every day in today’s era. The attacks have increased both in number and complexity. Because of this natural demand, it is now crucial for companies and specialized firms to reinforce and invest in professionals to face a problem that technology can’t solve.

Being a professional within the field, a curious person, or even someone that wishes to work in the field, there are a lot of cybersecurity certifications you need to consider in order to improve your skills. Earning a certification in this field is an excellent way to boost your career potentials. With the right cybersecurity certifications, you can attain your goals seamlessly and in a fast way.

From my point of view, one of the ways you can make gown your career is by investing your time and money and getting a certification that will truly improve your skills, knowledge and, thus, developing a new mindset to face everyday challenges.

There are exceptional cybersecurity certifications you should check out as they can be the golden ticket to your next job role.

Certified Ethical Hacker – CEH

A Certified Ethical Hacker is a skilled professional who understands and knows how to find weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.

Certified Information Security Manager – CISM

ISACA®’s Certified Information Security Manager® (CISM®) certification instantly validates your skills and expertise in information security management. It proves you can plan and institute information security programs and practices that prevent security breaches and quickly mitigate damage should a breach occur. That’s why hiring managers and clients look for it and many businesses and government agencies require it.

CompTIA Security+

CompTIA Security+ is the first security certification IT professionals should earn. This certification establishes the core knowledge required by any cybersecurity role and provides a springboard to intermediate-level cybersecurity jobs. Security+ incorporates best practices in hands-on trouble-shooting to ensure security professionals have practical security problem-solving skills. Cybersecurity professionals with Security+ know how to address security incidents – not just identify them.

SANS GIAC Security Essentials – GSEC

The GIAC Security Essentials (GSEC) certification validates a practitioner’s knowledge of information security beyond simple terminology and concepts. GSEC certification holders are demonstrating that they are qualified for hands-on IT systems roles with respect to security tasks.

Offensive Security Certified Professional – OSCP

The OSCP examination consists of a virtual network containing targets of varying configurations and operating systems. At the start of the exam, the student receives the exam and connectivity instructions for an isolated exam network that they have no prior knowledge or exposure to. The successful examinee will demonstrate their ability to research the network (information gathering), identify any vulnerabilities and successfully execute attacks. This often includes modifying exploit code with the goal to compromise the systems and gain administrative access.

The candidate is expected to submit a comprehensive penetration test report, containing in-depth notes and screenshots detailing their findings. Points are awarded for each compromised host, based on their difficulty and level of access obtained.

Certified Cloud Security Professional – CCSP

Earning the globally recognized CCSP cloud security certification is a proven way to build your career and better secure critical assets in the cloud.

The CCSP shows you have the advanced technical skills and knowledge to design, manage and secure data, applications, and infrastructure in the cloud using best practices, policies and procedures established by the cybersecurity experts at (ISC)².

Certified Information Systems Security Professional – CISSP

The Certified Information Systems Security Professional (CISSP) certification is considered the gold standard in the field of information security. This CISSP certification training course is aligned with (ISC)² CBK 2018 requirements and will train you to become an information assurance professional who defines all aspects of IT security, including architecture, design, management, and controls. Most IT security positions require or prefer a CISSP certification, so get started with your CISSP training today.

Cybersecurity, like many other areas of IT, has grown to the point where certifications have been proliferating in recent years. As in other areas in IT, security is crucial and certifications can help you verify your high-end skill set.

About the Author

cybersecurity certifications

Pedro Tavares is a cybersecurity professional and a founding member and Pentester of CSIRT.UBI and the founder of seguranca-informatica.pt.

In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, hacking, cybersecurity, IoT and security in computer networks.  He is also a Freelance Writer.

Pierluigi Paganini

(SecurityAffairs – cybersecurity certifications)

The post Top cybersecurity certifications to consider for your IT career appeared first on Security Affairs.

What is the kill chain and the seven steps involved in it?

Estimated reading time: 2 minutes

The term ‘kill chain’ originated in the military as a concept to outline and define each stage of an attack. It has found its way into cybersecurity as well as a means to understand the structure of a cyber attack and disrupt it. There are seven defined phases of the kill chain with each phase having a specific utility to the attacker.

For enterprises waging a relentless war against cyber attackers, it is essential to understand each stage of the kill chain to make guided interventions when required and block the attack. In 2013, Lockheed Martin, the global American military giant, used this model to stop a SecurID attack.

Here are the seven phases that comprise the kill chain:

Phase 1: Reconnaissance

This phase involves both, passive and active reconnaissance on the part of the attacker. Identification of a vulnerable target is the most important objective of this phase and in pursuit of the objective, attackers will try and gather as much data and knowledge they can on their targets. This is a preparation phase before the launching of a cyber attack.

Phase 2: Weaponization

Once the Reconnaissance phase is complete, the attacker will move on to the next phase which is Weaponization. In this phase, the attacker will decide on the best type of tool they have at their disposal to carry out their attack on the target. This decision will be based on the findings of the Reconnaissance phase. The attacker could use methods like a Distributed Denial of Service (DDoS) attack, a botnet attack or malware to attack unpatched systems.

Phase 3: Delivery

The Delivery phase involves the attacker to deliver the attack through a malicious payload. This payload can be delivered through a variety of means: a phishing email, a drive-by-download attack or spear phishing.

Phase 4: Exploitation

At the Exploitation phase, the attacker exploits the vulnerability that has been discovered to carry out their attack. The targeted system is typically compromised and the attack enters the system. At this stage, the attacker has already gained a foothold and may try to make further intrusions by installing other malware.

Phase 5: Installation

After the Exploitation phase, the Installation phase involves the malicious software being installed and multiplying inside the breached system. Users may unknowingly install and spread the malware on their systems by taking actions such as sending infected emails to other users. The breaches may multiply across the affected network.

Phase 6: Command & Control

At this stage, the attacker is in full control. After successfully gaining entry and breaching an enterprise’s defenses, the malware can be fully commanded and controlled by the attacker who can use it for any malicious purposes. This can include sending back confidential information, passwords, emails or anything else the attacker seeks.

Phase 7: Action on Objectives

This is the seventh and the final stage of a cyber attack. This phase is defined as the ‘Action on Objectives’ phase and refers to the final actions which an attacker takes on conducting a successful attack. An attack could have various goals – to extract a ransom through a ransomware attack, to sell data on the Dark Web or to leak confidential information to a rival enterprise.

It is important for enterprises to understand and remain prepared for each phase of a cyber attack. As outlined above, every phase is different and requires the corresponding action.

Seqrite’s solutions enable better protection at every stage and ensure enterprises stay secure against cyber attacks.

The post What is the kill chain and the seven steps involved in it? appeared first on Seqrite Blog.

Details on Uzbekistan Government Malware: SandCat

Kaspersky has uncovered an Uzbeki hacking operation, mostly due to incompetence on the part of the government hackers.

The group's lax operational security includes using the name of a military group with ties to the SSS to register a domain used in its attack infrastructure; installing Kaspersky's antivirus software on machines it uses to write new malware, allowing Kaspersky to detect and grab malicious code still in development before it's deployed; and embedding a screenshot of one of its developer's machines in a test file, exposing a major attack platform as it was in development. The group's mistakes led Kaspersky to discover four zero-day exploits SandCat had purchased from third-party brokers to target victim machines, effectively rendering those exploits ineffective. And the mistakes not only allowed Kaspersky to track the Uzbek spy agency's activity but also the activity of other nation-state groups in Saudi Arabia and the United Arab Emirates who were using some of the same exploits SandCat was using.

SecTor 2019: Experts say more resources needed to meet cybersecurity skills shortage

Governments and the private sector have to do more if Canada wants to overcome the shortage of cybersecurity talent needed to meet online threats, experts stressed during a security conference.

While universities and colleges have in the past five years greatly boosted the number of cybersecurity-related courses they offer from 400 to 1,300, it’s still not enough, Michele Mosca, co-founder of the Institute for Quantum Computing at the University of Waterloo, told the annual SecTor conference in Toronto.

One group alone in Germany is funding 150 university faculty-level research positions in cyber security, he noted.

Meanwhile in Canada there is a lot of spending on what he calls “projects.” For example, the federal Innovation department recently announced the availability of $80 million in cybersecurity spending, which includes money for training.

Michele Mosca, University of Waterloo

“It’s a good start,” said Mosca, “but we need a lot more.”

The Information Technology Association of Canada, an industry trade group, has started a new talent alliance, and recently Rogers Communications, the Royal Bank and Ottawa’s FedDev Ontario agency announced a $30 million fund to create the Rogers Cybersecure Catalyst for training and research in Brampton, Ont.

“The bottom line is … we have to create more capacity,” Mosca said. “There’s no way we can keep up with what’s needed with the current investment.”

He emphasized that this has to change rapidly” so post-secondary institutions can do more training and R&D.

“The handful of us in Canada in this space are working hard, we’re busy starting companies, mentoring startups, advising government — you can’t squeeze much more out of the people we have.”

Mosca was one of four people on a panel discussing the security industry in Canada.

Leah Macmillan, Ottawa-based senior vice-president of global marketing for Trend Micro, said companies have to expand their search for talent, and nurture them when they’re found.

“We can’t wait for people to magically graduate,” she said.

Leah Macmillan, Trend Micro

For example, Trend Micro Canada has created its own seven-week certification training programs for recent graduates, some of whom may not know a lot about cybersecurity, and hires those with the most potential. That includes graduates from Queen’s University’s commerce program for business-related positions in cybersecurity.

Industry needs to encourage diversity on cyber teams, she added.

Stephan Jou, chief technology officer at Interset (recently bought by U.K. giant MicroFocus), a user behaviour analytics firm, said his company tries too contribute cyber and data science education material to Ottawa-area post-graduate schools. Other firms could do the same, he said, to raise the next generation of graduates.

Leo Lax, executive managing director of an Ottawa early-stage accelerator called L-Spark, said post-secondary institutions could also help increase talent by offering more continuing education and professional courses.

“We have to figure it out as an ecosystem,” he suggested.

The panel had nothing but effusive praise for the skill of cybersecurity talent here.

Jou raved about the number of Canadian experts in artificial intelligence. It’s one reason why the U.S government chose his firm — even when it was small and young — to be a supplier to “three-letter” agencies, he said.

MicroFocus bought Interset for its talent, not the number of customers, he said. And Interset is being turned into the centre of focus for analytics for all MicroFocus products, he added.

He described Ottawa, Toronto, Montreal as an “incredible nexus of [AI] talent not available anywhere else.”

Leo Lax, L-Spark

Lax, who urged Canadian firms to help support startups, noted L-Spark has found several big companies — Telus, BlackBerry Limited, Solace and G+D Mobile Security — to back a proof of concept secure Internet of Things wireless platform for testing applications. Four startups have been provided with software development kits to create secure IoT products that can run on the stack.

Mosca noted the race to build quantum computers is providing many opportunities for companies to build quantum-resistant solutions.

As for whether that alleged Canadian trait of being nice is a help or a hindrance to cybersecurity careers, Trend Micro’s Macmillan argued Canadians have risen in the international firm in part because we “aren’t threatening.”

“I’ve been told we are politely aggressive,” said Jou. “That seems to have worked.”

UNIX Co-Founder Ken Thompson’s BSD Password Has Finally Been Cracked

A 39-year-old password of Ken Thompson, the co-creator of the UNIX operating system among, has finally been cracked that belongs to a BSD-based system, one of the original versions of UNIX, which was back then used by various computer science pioneers. In 2014, developer Leah Neukirchen spotted an interesting "/etc/passwd" file in a publicly available source tree of historian BSD version 3,

#SecTorCa: Finding a New Route to Solve Tomorrow’s Cyber-Attacks

#SecTorCa: Finding a New Route to Solve Tomorrow’s Cyber-Attacks

For modern security systems to succeed, it’s important for organizations to expect that security systems will fail. By expecting failure and planning for it, it’s possible to be more resilient and deliver better security outcomes, according to Solomon Sonya, assistant professor of computer science at the United States Air Force Academy.

Sonya delivered his message during a keynote at the SecTor security conference in Toronto, Canada on October 10, where he emphasized the need for employing what is known as a Byzantine Failure approach, rather than relying on a detection-only approach for IT security attacks. The Byzantine Failure approach in computer science is all about understanding that failure is something that will happen and as such, a strategy needs to be put in place for the eventuality.

“Tomorrow’s attacks will be worse than today’s,” Sonya said. “Malware continues to increase in sophistication, prevalence and proliferation across the enterprise.”

Malware has changed over the past two decades, but the basic approach employed by many organizations has not, in Sonya’s opinion. He noted that a key challenge is the fact that many of today’s security paradigms are predicated on a false belief that detection is key to success. Sonya detailed how malware has changed from the early days of SQL Slammer in 2003 to the modern threats of ransomware and fileless attacks. A key part of malware’s evolution is how it has become increasingly sophisticated and difficult to always detect or immediately block.

“Some people will argue that attacks won’t happen tomorrow because AI will better protect us,” Sonya said. “AI is good, but it’s not sufficient.”

Rather, Sonya emphasized that what is needed is for organizations to identify the weakness in systems and networks. With the weak links identified, Sonya said it’s important to understand what should be done to actually secure the assets and data that are critical to the organization.

“So if you look at the attack surface from a Byzantine perspective, you start by taking the system that you want to protect, you draw a circle around it and you say which failures can lead to compromise,” Sonya explained.

What ‘Right’ Looks Like

Rather than relying on existing approaches and expecting to be able to detect incursions, Sonya suggested that organizations should “take the road less travelled” and instead of just buying a product, invest the time to understand and discover what can fail and lead to exploitation.

For Sonya, the ‘right’ approach also involves making use of Software Defined Network (SDN) technology, to segment networks and reduce the potential impact of a failure. While detecting threats alone isn’t a winning strategy, he emphasized that having actionable threat intelligence is a valuable component.

“Many vendors will say they have threat intelligence, but what they actually provide is just data,” he argued. “Intelligence is useful only in order to help us get some kind of action and actually make a decision based on the intelligence.”

Looking beyond just basic passwords, Sonya suggested that organizations consider new forms of secure access protection systems that can validate users based on activity as well as other attributes. Additionally, there is a need for organizations to rethink how Digital Loss Prevention (DLP) technologies are used and deployed. In his view, DLP needs to be deployed in a stack for data at rest and in motion, such that if data is lost or stolen, it can’t be used by an attacker.

To conclude, Sonya noted that security professionals need to constantly question the security paradigm, be curious and explore the possibilities that an unconventional attack might introduce into an organization.

“In our scheme of protecting machines, our initial response should not rely on detection, because if we wait until we detect, it could be too late,” Sonya said.

Running the last mile in analytics

A recent report by McKinsey noted that 40,000 exabytes of data will be collected worldwide in 2020. If just five exabytes is equal to all the words ever spoken by mankind, it’s not an understatement to suggest there is a prodigious amount of material for a data scientist to process to glean insights. To tackle…

Imperva explains how their recent security incident happened

In late August, Imperva suffered a security incident, resulting in the compromise of sensitive information of some of their Cloud WAF (formerly Incapsula) customers. On Thursday, Imperva CTO Kunal Anand finally explained how it all happened. What happened? The first indication that something went wrong was when, on August 20, 2019, the company received a data set from an unnamed third-party requesting a bug bounty. The notification triggered an investigation and they discovery that, in … More

The post Imperva explains how their recent security incident happened appeared first on Help Net Security.

BAE Systems Pilots Tech to Support Child Protection Agencies

BAE Systems Pilots Tech to Support Child Protection Agencies

BAE Systems has announced details of a technology pilot aimed at supporting child protection agencies. The initial project, run in partnership with Gloucestershire Constabulary Police Force, seeks to improve speed and accuracy for identifying potentially vulnerable children.

BAE Systems has adapted technology normally used to protect and safeguard businesses against fraudulent activity, to quickly and accurately bring together data relating to an individual and reveal the full picture of a vulnerable child’s reported issues.

As well as creating a faster, more efficient process for identifying and sharing key indicators of potentially harmful situations, it also allowed child protection practitioners to delve into more incidents, in more detail and implement urgent care plans where needed. The successful pilot achieved results 10-times faster than under existing processes, solving the challenge of sharing data, linking it together, analysing it and identifying what further investigation is required.

Ravi Gogna, principal consultant at BAE Systems Applied Intelligence, said: “After the tragic case of Baby P, we identified the need to overcome the data problem and adapted our existing technology and data science techniques, which helps banks and insurers tackle fraud, to amalgamate key historic pieces of data across agencies. This provided child protection officers with access to a more in-depth and comprehensive data profile of each child in the quickest possible time.”

The challenge is that we are looking for red flag events – such as a child self-harming or coming into A&E with multiple broken bones, she added. “We have an opportunity to help improve the way the child protection system identifies risk, by bringing together all the information about a child and quickly giving a holistic view of what is happening.”

The UK’s current system makes use of Multi-Agency Safeguarding Hubs (MASHs), which aim to provide a single point of contact for all safeguarding concerns regarding children and young people. 

However, the NSPCC currently estimates that one in 10 children in the UK has suffered some form of abuse or neglect, and the figure continues to grow. With resources continually stretched due to the ever-rising number of cases of neglect in Britain, the current manual processes are becoming strained, with the potential to miss vulnerable children.

“The pilot proves that, with increased information, we have a greater chance of intervening early and preventing catastrophic events from happening down the line,” said Kath Davis, head of the Child Protection Unit, Gloucestershire Constabulary. “To work with people from a completely different sector sheds a whole new light on things. Things that we thought were impossible, became possible.” 

Hashtag Trending – Apple removes police tracker app; global PC shipment rising; Apple reactivates voice data collection

Apple removes app that tracks Hong Kong police movement, global PC shipment hits a seven-year high, Apple reinstates voice data collection. That’s all the tech news that’s trending today. It’s Friday, Oct. 11th, and I’m your host, Tom Li. Trending everywhere, Apple has approved, then immediately removed, an app that tracks Hong Kong Police. The…

#SecTorCa: Millions of Phones Leaking Information Via Tor

#SecTorCa: Millions of Phones Leaking Information Via Tor

There is a privacy threat lurking on perhaps hundreds of millions of devices, that could enable potential attackers to track and profile users, by using information leaked via the Tor network, even if the users never intentionally installed Tor in the first place.

In a session at the SecTor security conference in Toronto, Canada on October 10, researchers Adam Podgorski and Milind Bhargava from Deloitte Canada outlined and demonstrated previously undisclosed research into how they were able to determine that personally identifiable information (PII) is being leaked by millions of mobile users every day over Tor.

The irony of the issue is that Tor is a technology and a network that is intended to help provide and enable anonymity for users. With Tor, traffic travels through a number of different network hops to an eventual exit point in the hope of masking where the traffic originated from. Podgorski said that there are some users that choose to install a Tor browser on their mobile devices, but that’s not the problem. The problem is that Tor is being installed by mobile applications without user knowledge and potentially putting users at risk.

The researchers explained that they set up several Tor exit nodes, just to see what they could find, and the results were surprising. The researchers found that approximately 30% of all Android devices are transmitting data over Tor.

“You’re probably scratching your head now, like we were a couple of months ago, because that doesn’t make any sense,” Podgorski said. “There's no way a third of Android users know what Tor is and are actually using it.”

What the researchers determined is that Tor is being bundled, embedded and installed in other applications and users are not aware of its existence. It was not entirely clear to the researchers why Tor was being bundled with so many applications. Podgorski said that it could be due to a misunderstanding of the technology and how it can be used. Tor was also found on Apple IOS devices, but the numbers were smaller with only approximately 5% of devices sending data.

Tracking Users

In a series of demonstrations, including live dashboards shown by Bhargava, the researchers showed what data they had collected from mobile users that were inadvertently using Tor. The data included GPS coordinates, web addresses, phone numbers, keystrokes and other PII.

“This data can be used to build a robust profile of an individual,” Podgorski said.

Bhargava explained that the exit nodes the researchers set up intentionally attempted to force browsers to not use encrypted versions of websites, forcing the devices to regular HTTP when possible. With data coming to the exit node without encryption, it was possible for the researchers to see the user data. Bhargava noted that for sites that force HTTPS encryption and do not offer any fallback option to regular un-encrypted HTTP, they wouldn’t be able to see the users data.

Also of note, Bhargava admitted that he found his own phone number in the data, which was a surprise to him, as he had not installed Tor on his device. The only applications on his phone were applications installed by the carrier.

There are several things that need to happen to fix the issue. Podgorski said that the first is awareness that there is a problem, which is what the research is intended to highlight for legislators, government and organizations. For users, Podgorski emphasized that good operational security practices need to be employed, by using encryption everywhere.

In Podgorski's view, there is already a legal compliance risk that the mobile application PII data leaks expose.

“We’re pretty sure what we found breaches GDPR on multiple levels,” he said, “but the issue is that governments can’t enforce the law if they’re not aware.”

Hacker breached escort forums in Italy and the Netherlands and is selling user data

Popular prostitution and escort forums in Italy and the Netherlands have been hacked and data have been offered for sale in the cybercrime underground.

A Bulgarian hacker known as InstaKilla has breached two online escort forums and stole the user information that he is now offering for sale on a hacking forum.

The two escort forums are EscortForumIt.xxx and Hookers.nl, it is used by sex workers and their customers in Italy and the Netherlands, both websites have confirmed the breaches.

Experts reports that also a forum for the Zooville zoophilia and bestiality fans was hacked and data offered for sale.

The Dutch news site NOS revealed that a hacker is selling the Dutch hookers.nl forum database for $300 on online forums. The exposed data includes user names, hashed passwords, and IP addresses for roughly 250,000 members.

The account details of the 250,000 users of the Dutch website Hookers.nl have been leaked. This includes e-mail addresses. The website is popular among visitors to prostitutes and escorts, who exchange experiences and tips.” reported the NOS website.

“A hacker has captured the data from the members and offers it for sale, according to a study by the NOS after reporting an anonymous source.”

The hacker is also selling 33,000 records stolen from the Italian forum.

Both escort forums were running outdated versions of the popular vBulletin forum software. At the end of September, an anonymous hacker disclosed technical details and proof-of-concept exploit code for a critical zero-day remote code execution flaw in vBulletin (CVE-2019-16759). A few days later, the security expert Troy Mursch observed a botnet that it utilizing the recently disclosed vBulletin exploit to secure vulnerable servers to avoid that can be compromised by other threat actors. Likely, the Bulgarian hacker has exploited the same flaw to compromise the escort forums that were not updated by their admins.

“According to a sample of the data obtained by ZDNet, in the case of the Dutch forum, the hacker also appears to have gained access to the site’s internal paid subscription system, although there was no financial information included in the sample we received.” reported ZDNet.

InstaKilla is the same hacker who stole data from millions of Bulgarians in July and sent it to local media, the hacker is now offering for sale data from tens of other vBulletin-based forums.

Users of the escort forums are potentially exposed to extortion phishing campaigns similar to what has happened after the Ashley Madison hack.

Pierluigi Paganini

(SecurityAffairs – escort forums, vBulletin)

The post Hacker breached escort forums in Italy and the Netherlands and is selling user data appeared first on Security Affairs.

Security Affairs 2019-10-11 00:14:11

A vulnerability in Sophos Cyberoam firewalls could be exploited by an attacker to gain access to a target’s internal network without authentication.

Sophos addressed a vulnerability in its Cyberoam firewalls that could be exploited by an attacker to gain access to a company’s internal network without providing a password.

“A critical shell injection vulnerability in Sophos Cyberoam Firewall appliances running CyberoamOS (CROS) version 10.6.6 MR-5 and earlier was recently discovered and responsibly disclosed to Sophos by an external security researcher.” reads the advisory published by Sophos.

“The vulnerability can be potentially exploited by sending a malicious request to either the Web Admin or SSL VPN consoles, which would enable an unauthenticated remote attacker to execute arbitrary commands.”

Cyberoam firewall

The vulnerability is a critical shell injection vulnerability that could allow a remote attacker to gain “root” permissions on vulnerable equipment, it could be exploited by sending malicious commands across the internet.

The vulnerability, tracked as CVE-2019-17059, was discovered by the security expert Rob Mardisalu that reported it to Sophos. The expert also reported the issue to Techcrunch that first reported the news.

“We’ve been working hard with internal and external security researchers to uncover serious remotely exploitable loopholes in SSL VPNs and Firewalls like Cyberoam, Fortigate and Cisco VPNs.” reads the security advisory published by the expert. “This Cyberoam exploit, dubbed CVE-2019-17059 is a critical vulnerability that lets attackers access your Cyberoam device without providing any username or password. On top of that, the access granted is the highest level (root), which essentially gives an attacker unlimited rights on your Cyberoam device.”

Cyberoam firewalls are used in large enterprises, they offer stateful and deep packet inspection for network, application and user identity-based security. Cyberoam Firewall protects organizations from DoS, DDoS and IP Spoofing attacks.

Mardisalu revealed that according to Shodan there are more than 96,000 internet-facing Cyberoam devices worldwide, most of them in enterprises, universities and banks.

The flaw is similar to the recently disclosed vulnerabilities in Palo Alto Networks, Pulse Secure and Fortinet VPN solutions.

“It’s a similar vulnerability to recently disclosed flaws in corporate VPN providers, notably Palo Alto Networks, Pulse Secure and Fortinet, which allowed attackers to gain access to a corporate network without needing a user’s password.” reported TechCrunch “Many large tech companies, including Twitter and Uber, were affected by the vulnerable technology, prompting Homeland Security to issue an advisory to warn of the risks.”

The flaw affects Cyberoam Firewalls running CROS 10.6.6 MR-5 and earlier, Sophos plans to include a fix in the next update of its CyberoamOS operating system.

“There are a small amount of devices that have not as of yet been patched because the customer has turned off auto-update and/or are not internet-facing devices.” said the spokesperson.

The researcher will release the proof-of-concept code in the coming months.

Pierluigi Paganini

(SecurityAffairs – Cyberoam firewalls, hacking)

The post appeared first on Security Affairs.

DevSecOps role expansion has changed how companies address their security posture

While organizations shift their applications to microservices environments, the responsibility for securing these environments shifts as well, Radware reveals. The rapid expansion of the Development Security Operations (DevSecOps) role has changed how companies address their security posture with approximately 70% of survey respondents stating that the CISO was not the top influencer in deciding on security software policy, tools and or implementation. This shift has likely exposed companies to a broader range of security risks … More

The post DevSecOps role expansion has changed how companies address their security posture appeared first on Help Net Security.