Daily Archives: January 13, 2020

Developing a Data Protection Compliance Program – Verizon’s 9-5-4 Model

In a previous post, I wrote about my key take-aways from Verizon’s 2019 Payment Security Report. While it’s no surprise it was full of interesting and useful data (Verizon’s yearly Data Breach Investigations Report (DBIR) has become required reading), I was delighted to find an excellent guide on the 9-5-4 model, a means by […]

The post Developing a Data Protection Compliance Program – Verizon’s 9-5-4 Model appeared first on The State of Security.

Las Vegas Successfully Averted a Cyberattack

The City of Las Vegas successfully averted what could have been a disastrous cyberattack earlier this month.

City officials detected a cyberattack January 7, and in response immediately took several services offline, including its public-facing website. 

“We do not believe any data was lost from our systems and no personal data was taken. We are unclear as to who was responsible for the compromise, but we will continue to look for potential indications,” the city announced on its Twitter feed.

The cyberattack coincided with this year’s Consumer Electronics Show, or CES, which is the world’s largest showcase for technology products.

While city officials have declined to specify the nature of the attack, municipal governments have been a frequent target for ransomware-based malware. The city of Las Vegas is a regular target for hackers, facing 279,000 attempts to breach its systems, according to city spokesman David Riggleman. 

The post Las Vegas Successfully Averted a Cyberattack appeared first on Adam Levin.

US officials meet UK peers to remark the urgency to ban Huawei 5G tech

U.S. officials responsible for national security and telecommunications were meeting their peers in Britain ahead of the final decision on Huawei 5G technology.

U.S. officials responsible for national security and telecommunications were meeting their peers in Britain in the attempt to convince U.K. Prime Minister Boris Johnson’s government to ban Huawei 5G technology from its networks.

“The security and resilience of the U.K.’s telecoms network is of paramount importance,” the prime minister’s spokesman James Slack told reporters. “We have strict controls for how Huawei equipment is currently deployed in the U.K. The government is undertaking a comprehensive review to ensure the security and resilience of 5G and fiber in the U.K.”

Slack confirmed that the government is still investigating the security of the 5G network.

Senator Tom Cotton (R-Arkansas) introduced a bill last week that would ban the sharing of intelligence with countries that use Huawei equipment in their fifth-generation (5G) networks.

Since November 2018, the US Government has invited its allies to exclude Chinese equipment from critical infrastructure and 5G architectures over security concerns.

The United States has repeatedly highlighted the national security risks of adopting Huawei equipment and is urging internet providers and telco operators in allied countries to ban Huawei.

Chinese equipment is broadly adopted in many allied countries, including Germany, Italy, and Japan.

Many countries are building 5G infrastructure, but their governments’ approaches to Chinese equipment differ widely.

The U.S. has banned the use of Huawei products in federal agencies, and in November the Federal Communications Commission voted to cut off funds for Chinese telecom equipment from Huawei and ZTE. U.S. regulators consider Chinese equipment in U.S. telecommunications networks a threat to homeland security.

According to U.K. security minister Brandon Lewis, the British government would make the final decision on the adoption of Huawei technology for its 5G networks “relatively soon.”

Pierluigi Paganini


The post US officials meet UK peers to remark the urgency to ban Huawei 5G tech appeared first on Security Affairs.

Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).

Microsoft has not yet responded to requests for comment. However, KrebsOnSecurity has heard rumblings from several sources over the past 48 hours that this Patch Tuesday (tomorrow) will include a doozy of an update that will need to be addressed immediately by all organizations running Windows.

Update 7:49 p.m. ET: Microsoft responded, saying that it does not discuss the details of reported vulnerabilities before an update is available. The company also said it does “not release production-ready updates ahead of regular Update Tuesday schedule.” “Through our Security Update Validation Program (SUVP), we release advance versions of our updates for the purpose of validation and interoperability testing in lab environments,” Microsoft said in a written statement. “Participants in this program are contractually disallowed from applying the fix to any system outside of this purpose and may not apply it to production infrastructure.”

Original story:

Will Dormann, a security researcher who authors many of the vulnerability reports for the CERT Coordination Center (CERT-CC), tweeted today that “people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others. I don’t know…just call it a hunch?” Dormann declined to elaborate on that teaser.

It could be that the timing and topic here (cryptography) is nothing more than a coincidence, but KrebsOnSecurity today received a heads up from the U.S. National Security Agency (NSA) stating that NSA’s Director of Cybersecurity Anne Neuberger is slated to host a call on Jan. 14 with the news media that “will provide advanced notification of a current NSA cybersecurity issue.”

The NSA’s public affairs folks did not respond to requests for more information on the nature or purpose of the discussion. The invitation from the agency said only that the call “reflects NSA’s efforts to enhance dialogue with industry partners regarding its work in the cybersecurity domain.”

Stay tuned for tomorrow’s coverage of Patch Tuesday and possibly more information on this particular vulnerability.

Update, Jan. 14, 9:20 a.m. ET: The NSA’s Neuberger said in a media call this morning that the agency did indeed report this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.

According to the NSA, the problem exists in Windows 10 and Windows Server 2016. Asked why the NSA was focusing on this particular vulnerability, Neuberger said the concern was that it “makes trust vulnerable.” The agency declined to say when it discovered the flaw, and said it would wait until Microsoft releases a patch for it later today before discussing further details of the vulnerability.

Update, 1:47 p.m. ET: Microsoft has released updates for this flaw (CVE-2020-0601). Their advisory is here. The NSA’s writeup (PDF) includes quite a bit more detail, as does the advisory from CERT.

Securing Interactive Kiosks IoTs with the Paradox OS

Article by Bernard Parsons, CEO, Becrypt

Whether it is an EPOS system at a fast food venue or large display system at a public transport hub, interactive kiosks are becoming popular and trusted conduits for transacting valuable data with customers.

The purpose of interactive kiosks, and the reason for their increasing prevalence, is to drive automation and make processes more efficient. For many businesses and government departments, they are the visible and tangible manifestations of their digital transformation.

Kiosks are information exchanges, delivering data and content and ingesting preferences, orders and payments. With so much data going back and forth there is huge value, and wherever there is value you’ll find malicious and criminal activity seeking to spoil, subvert or steal it.

Three categories of Cyber Threat
Kiosks are just the latest in a long line of data-driven objects that need protecting. At stake is the very heart (and public face) of digitally evolved organisations.

Threats to kiosks come in three principal forms:
  • Threats to system integrity – where kiosks are compromised to display something different. Losing control of what your kiosks look like undermines your brand and causes distress to customers. A recent example is of a well-known sportswear store in New Zealand, where a kiosk displayed pornography for 9 hours before employees arrived the next morning to disconnect it. 
  • Threats to system availability – where kiosks are compromised to display nothing. In other words, they go offline and, instead of displaying some kind of reassuring ‘out of order’ message, give the appearance of a desktop computer with frozen dialogue boxes or raw lines of code. Examples of this are all too common, but are typically characterised by ‘the blue screen of death’. 
  • Threats to system confidentiality – where kiosks show no outward signs of compromise, but are in fact collecting data illegally. Such attacks carry significant risk over and above creating nuisance or offence. Examples include one of the largest self-service food vending companies in the US suffering a stealthy attack whereby the payment card details and even biometric data gleaned from users at kiosks may have been jeopardised.
The challenge of curbing these threats is compounded by interactive kiosks’ great virtue: their connectedness. As with any Internet of Things (IoT) endpoint architecture, the potential routes for attack are numerous and could spread from attacks on a company’s internal network, stem from vulnerabilities in kiosk application software, or even result from a direct assault on the kiosk itself.

How Best Practice Regulatory Standards Apply to Kiosks
Regulatory compliance plays a part here, with the EU GDPR and NIS directive (ably supported by comprehensive guidance proffered via the UK NCSC Cyber Assessment Framework) compelling organisations to consider all parts of their endpoint estates with appropriate operational controls, processes and risk management approach in respect of – for example – patch management, privileged user access and data encryption.

Regulatory reforms are all well and good, but technology (AI, machine learning, blockchain, etc.) is evolving rapidly and organisations must be as proactive about the cybersecurity challenge as possible or risk falling behind the digital innovation curve.

Becrypt work with the UK Government and the National Cyber Security Centre (NCSC), to develop solutions in line with core objectives sought by NIS and other regulations, for use in public sector environments. At the same time, we are seeing private sector businesses increasingly coming under the sorts of cyberattacks more commonly associated with the public sector.

Paradox: The Secure, Linux-based OS for Interactive Kiosks
Government research has determined that the best way to mitigate threats to interactive kiosks, and safeguard wider digital transformation objectives, is to secure the kiosk operating system (OS).

Becrypt has developed Paradox, in collaboration with NCSC: a secure Linux-based OS and management platform for kiosks. Paradox incorporates a secure-by-design architecture intended to keep kiosks in a known healthy state, free of malware. For organisations concerned about the potential for attack, this gives assurance that every time a machine is switched on, its OS and its applications start from that known healthy state rather than from a compromised one.

Likewise, another common concern with kiosks is managing hundreds or even thousands of geographically dispersed devices without being able to check on or remediate system health. Should it detect anything unusual, Paradox will automatically rollback to the last known good state, presenting a functioning system rather than an offline/unavailable one. This avoids the onset of ‘bluescreen’ failures and allows administrators to visualise and manage kiosks in an easy and low-cost way. Automated security and patch management further ensures that devices are always kept up-to-date.

Paradox is also a very lightweight OS, which shrinks the potential attack surface and reduces the kiosk estate’s exposure to common exploits. It also carries a number of advanced security controls that make it harder to attack, such as a sandboxed user account to contain privilege escalation. OS components are also mounted read-only, which stops an attacker persisting changes to the system on disk (a read-only root does not, by itself, stop code that runs only in memory, which is why the boot-time health check and rollback described above matter).

Spurred on by consumer demand for deeper interactions and easier, more personalised experiences, the exponential growth in interactive kiosks is plain to see in public spaces everywhere. And as this shift encourages more private and public sector organisations to do more with their data, the onus is on all of us to protect it.

BlackBerry adds Cylance to QNX, announces partnerships with AWS, Damon, and Renovo

LAS VEGAS–BlackBerry has merged its Cylance ML security solution into its QNX software suite for autonomous vehicles, the company announced Jan. 6th at CES 2020.

The integration is the first time BlackBerry has announced a major plan for Cylance since its acquisition last year.

Vehicles are becoming increasingly complex with added driver-assist functions. Certain assistive safety functions need high degrees of reliability. The controllers and processors that manage these functions need regular updates and therefore need security solutions to prevent tampering. BlackBerry Cylance will be used to do exactly that.

Cylance will be used to ensure APK integrity and alert manufacturers if it detects a faulty or malicious piece of software installed in the vehicle’s control system.

If it detects an anomaly, Cylance will alert the user and vehicle manufacturer. It will not, however, execute any mitigative measures – BlackBerry leaves the response up to the manufacturer and the user.

“The architecture of the cars is changing, and we’re happy to be powering the traditional systems and the new next-generation systems safety systems,” said Grant Courville, vice-president of product and strategy at BlackBerry QNX. “That brings in that need for reliability, obviously, but also a big need for security and resiliency…that’s where BlackBerry comes in with Cylance.”

Cylance was able to successfully block a malicious piece of software from loading into the vehicle during a firmware update process.

A real-time demo at the booth demonstrated the detection process using the Land Rover Defender, which integrates QNX technologies into its systems. It was shown that Cylance was able to intercept real-world malicious software before it could be uploaded into the car’s systems.

Cylance will also enable identity and persona detection based on the driver’s driving patterns.

In parallel with the Cylance announcement, BlackBerry also announced a new partnership with Damon motorcycles, which will integrate QNX safety technology into motorcycles.

Damon’s all-electric motorcycle can reach a 200 mph top speed and has a 200-mile range on a full charge.

A marquee feature is a collision detection warning. A strip of LED on the motorcycle’s windshield will blink in different colours and patterns when it detects an imminent threat. It operates in the rider’s peripheral so the rider can keep their eyes on the road. This solution does not take any steering action on the rider’s behalf and only serves as an advanced warning system.

The white LED strip at the top of the Damon motorcycle’s windshield.

“We could have written it ourselves, but that takes years and millions and millions of dollars,” said Jay Giraud, Damon Motorcycles CEO. “More than anything, it’s the testing time and the amount of data that QNX has probably collected off of its vehicle performance, and debugs with dozens and dozens of car OEMs to come up with a system as robust as theirs (BlackBerry) is no small thing for us to have undertaken as a startup. We couldn’t have done it.”

Giraud said that Damon’s partnership with BlackBerry is a multi-year journey and that they’re planning on more features down the road.

Renovo was another partner that merged QNX technology into its products. Through the partnership, Renovo’s Insight automotive data management platform is combined with QNX to generate more valuable data that will be used to improve advanced driver assistance systems (ADAS).

The Renovo Pacifica generates over 4TB of data per hour from its various sensors.

To handle data collection, BlackBerry turned to Amazon Web Services’ (AWS) IoT network to transport data. Amazon will also be powering the cloud computing portion of the QNX platform.

An example of how data flows from the battery health monitor in an IoT sensor through the AWS cloud.

BlackBerry says QNX is being used in over 150 million vehicles today world-wide. In addition, the company is working as an advisor to the Canadian government to establish regulations surrounding autonomous vehicles. BlackBerry received $40 million from the Ontario provincial government last year to accelerate autonomous vehicle innovation as part of the Autonomous Vehicle Innovation Network.

Numerous sensors in assistive vehicles generate vast loads of data. To avoid flooding the back end, QNX parses most of it on the vehicle itself and sends only actionable insights.

Certain data can be inherently private. Insights into how drivers control their vehicles, where they frequent, and their braking patterns can help QNX fine-tune each vehicle to its primary driver, but they are also highly sensitive.

“You’ll hear expressions like privacy by design,” noted Courville, “In other words: don’t design your vehicle just to be safe, secure, reliable, and then do the ‘oh yeah privacy’… no, decide it right from the beginning.”

New Snort rules protect against recently discovered Citrix vulnerability

By Edmund Brumaghin, with contributions from Dalton Schaadt.

Executive Summary

Recently, the details of a critical vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway servers were publicly disclosed. This vulnerability is currently being tracked as CVE-2019-19781. A public patch has not yet been released; however, Citrix has released recommendations for steps that affected organizations can take to help mitigate the risk associated with this vulnerability. Successful exploitation of CVE-2019-19781 could allow a remote attacker to execute arbitrary code on affected systems.


The post New Snort rules protect against recently discovered Citrix vulnerability appeared first on Cisco Blogs.

Tour the RSA Conference 2020 Security Operations Center

Register now for your free tour of the RSA Conference Security Operations Center (SOC), where engineers are monitoring all traffic on the Moscone Wireless Network for security threats. The SOC is sponsored by RSA and Cisco. Sign up for a guided tour, where we’ll show real time traffic in NetWitness Packets, plus advanced malware analysis, sandboxing and threat intelligence from Cisco Threat Grid, Threat Response and Umbrella, and protection from Cisco Next-Gen Firewall.

At the SOC, you will receive a security briefing and have time for Q&A with RSA and Cisco engineers.

Advance registration is highly recommended. Below are the available tour times. Please fill out the RSA SOC Tour Request Form to request your spot.

SOC Tours Offered Tues-Thurs (25-27 February 2020):

  • 10:30
  • 11:30
  • 1:00
  • 2:00
  • 3:00 (not on Thursday)

Please meet at the Cisco Threat Wall, which is located at the base of the escalator in the North Hall, where a Cisco team member will escort the group to the SOC (max. 25 persons per tour).

Also, plan to attend the official out briefing on the observations for RSAC 2020:

Abstract:  In this session we share our experience monitoring the RSAC network for stability, security, and stats of interest. We’ll talk about what changes we’ve seen over the years, informative and comical experiences from the trenches, and what we think it means for our industry going forward. So, if you’d like to see what a network looks like when its users know security, know its challenges, should know better, and choose to ignore all of that anyway; join us for the RSAC SOC report.

You may also be interested in reading The 1st Annual RSAC SOC Report.

The post Tour the RSA Conference 2020 Security Operations Center appeared first on Cisco Blogs.

Vulnerabilities found in Citrix and Pulse Secure products

Enterprise infosec teams are being warned to take action on serious vulnerabilities in products from Citrix and VPN manufacturer Pulse Secure.

First, about Citrix: According to The Hacker News, on Saturday multiple groups publicly released weaponized proof-of-concept exploit code for remote code execution vulnerabilities disclosed Dec. 17 in Citrix’s application delivery controller and Gateway products. These bugs could be leveraged to take full control over potential enterprise targets.

The company said a vulnerability was found in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway.

The vulnerability, called CVE-2019-19781, affects all supported product versions and all supported platforms including Citrix ADC and Citrix Gateway version 13.0 all supported builds; Citrix ADC and NetScaler Gateway version 12.1 all supported builds; Citrix ADC and NetScaler Gateway version 12.0 all supported builds; Citrix ADC and NetScaler Gateway version 11.1 all supported builds, and Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds.

There is no patch yet for this bug. Instead, infosec pros have to apply the mitigations Citrix has published until new firmware is released for the various versions, starting January 20.

Threat intelligence firm Bad Packets said that as of Saturday its scans found a total of 25,121 unique IPv4 hosts worldwide vulnerable to CVE-2019-19781. Of these, some 9,880 were in the U.S. and 682 were in Canada.

Meanwhile, on Friday the U.S. Department of Homeland Security warned that unpatched Pulse Secure VPN servers “continue to be an attractive target for malicious actors” although the company has been telling customers to install a patch for the past eight months.

The patch fixes a remote code execution (RCE) vulnerability known as CVE-2019-11510. If exploited, a remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The DHS notice said an attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

Affected versions include Pulse Connect Secure 9.0R1 – 9.0R3.3; Pulse Connect Secure 8.3R1 – 8.3R7; Pulse Connect Secure 8.2R1 – 8.2R12; Pulse Connect Secure 8.1R1 – 8.1R15;  Pulse Policy Secure 9.0R1 – 9.0R3.1; Pulse Policy Secure 5.4R1 – 5.4R7; Pulse Policy Secure 5.3R1 – 5.3R12; Pulse Policy Secure 5.2R1 – 5.2R12; and Pulse Policy Secure 5.1R1 – 5.1R15.
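The version list above is the kind of thing that gets checked by hand against an appliance inventory, which is error-prone for strings like 9.0R3.3 versus 9.0R3.4. As an added example (not from the article, the DHS notice or Pulse Secure), the following Python encodes the affected ranges exactly as listed and flags inventory entries that fall inside them. The inventory is constructed for the example; a version that falls outside every listed range is reported as "not listed", which is not the same as confirmed fixed.

```python
import re

# Affected ranges (inclusive), transcribed from the version list in the article.
AFFECTED_RANGES = {
    "Pulse Connect Secure": [
        ("9.0R1", "9.0R3.3"),
        ("8.3R1", "8.3R7"),
        ("8.2R1", "8.2R12"),
        ("8.1R1", "8.1R15"),
    ],
    "Pulse Policy Secure": [
        ("9.0R1", "9.0R3.1"),
        ("5.4R1", "5.4R7"),
        ("5.3R1", "5.3R12"),
        ("5.2R1", "5.2R12"),
        ("5.1R1", "5.1R15"),
    ],
}

# major.minor R release[.maintenance], e.g. 9.0R3.3 or 8.2R5
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn '9.0R3.3' into (9, 0, 3, 3); a missing maintenance number counts as 0.

    Tuples compare element-wise, so (9, 0, 3, 3) < (9, 0, 3, 4) as intended.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Pulse version string: {version!r}")
    major, minor, release, maint = match.groups()
    return (int(major), int(minor), int(release), int(maint or 0))


def is_affected(product: str, version: str) -> bool:
    """True if the version lies inside one of the listed ranges for that product."""
    parsed = parse_version(version)
    for low, high in AFFECTED_RANGES.get(product, []):
        if parse_version(low) <= parsed <= parse_version(high):
            return True
    return False


def triage(inventory):
    """inventory: iterable of (hostname, product, version). Returns hosts that need the patch."""
    return [host for host, product, version in inventory if is_affected(product, version)]


# Constructed sample inventory for the example; the hostnames are not real.
SAMPLE_INVENTORY = [
    ("vpn-ca-01", "Pulse Connect Secure", "9.0R3.2"),
    ("vpn-ca-02", "Pulse Connect Secure", "9.0R3.4"),  # first build past the listed 9.0 range
    ("vpn-us-01", "Pulse Connect Secure", "8.2R5"),
    ("nac-us-01", "Pulse Policy Secure", "5.4R7"),     # last build inside the listed 5.4 range
    ("nac-us-02", "Pulse Policy Secure", "5.4R8"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("PATCH REQUIRED:", host)
```

Version strings that do not match the `major.minorRrelease[.maint]` shape raise rather than silently passing, so an unexpected banner format shows up as an error instead of a false "not affected".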

Banks challenge Canadian post-secondary students to create cyber solutions

Five of the country’s biggest banks are offering cash prizes to post-secondary students and recent graduates for creating possible solutions to improve the cyber security responses of financial institutions.

The Canadian Bankers Association today announced the CBA Cyber Security Challenge for creating solutions for strengthening mobile app security, network security and web security. The winner in each category will receive $2,000, the second-place winner will get $500 plus a virtual reality console and headset, while the third-place winner will get a $500 gift card.

Arguably one of the biggest benefits of the competition, however, will be the chance for finalists to meet IT officials from the sponsoring banks: RBC, CIBC, BMO, Scotiabank and TD Bank. Canadian banks are among the country’s biggest employers of IT graduates.

Those eligible are current students from universities and colleges in Canada and those who have graduated within the last two years. However, residents of Quebec aren’t eligible. In an email, Mathieu Labrèche, the CBA’s director of media strategy explained the association didn’t want to conflict with an innovation competition for students and startups announced late last year by Montreal-based National Bank.

Applicants to the CBA contest don’t need to have degrees in computer science. Organizers hope this will result in a diverse range of participants.

“The CBA Cyber Security Challenge will harness the burgeoning expertise of Canada’s future workforce across diverse perspectives and skillsets,” association president Neil Parmenter said in a statement. “We’re excited to see what bold ideas students will bring to the banking industry.”

The CBA represents more than 60 domestic and foreign banks.

Applications by individuals or teams including a five slide proposal have to be submitted by March 1. They will be winnowed down to a list of 50 by March 15th. That group will hone their proposals and have until April 10th to make more detailed 10-slide submissions. A group of 30 finalists will be selected by April 24th, who will then prototype and pitch their solutions in Toronto on May 16 and 17.

Judges will consider submissions based on these criteria:

  • Innovation: How innovative is the solution in its use of new or existing technology to solve the problem described in the brief? Are there other solutions available and if so, how does this differentiate from them?
  • Relevancy: How well does the deliverable respond to the specific need set out in the competition brief?
  • Feasibility: How feasible is the solution to put into practice? Does the solution make sense financially? Will the solution be sustainable over the long term?
  • Impact: What is the scale of potential social impact? How broad is the impact? How many people will the solution reach? How significant is the impact?
  • Clarity: How well do presenters articulate their solution and the potential impact it will have on society?


Phishing for Apples, Bobbing for Links

Anyone searching for a primer on how to spot clever phishing links need look no further than those targeting customers of Apple, whose brand by many measures remains among the most-targeted. Past stories here have examined how scammers working with organized gangs try to phish iCloud credentials from Apple customers who have a mobile device that is lost or stolen. Today’s piece looks at the well-crafted links used in some of these lures.

KrebsOnSecurity heard from a reader in South Africa who recently received a text message stating his lost iPhone X had been found. The message addressed him by name and said he could view the location of his wayward device by visiting the link https://maps-icloud[.]com — which is most definitely not a legitimate Apple or iCloud link and is one of countless domains spoofing Apple’s “Find My” service for locating lost Apple devices.

While maps-icloud[.]com is not a particularly convincing phishing domain, a review of the Russian server where that domain is hosted reveals a slew of far more persuasive links spoofing Apple’s brand. Almost all of these have TLS certificates (they start with “https://”) and begin with the subdomains “apple.” or “icloud.” followed by a domain name starting with “com-”.

Here are just a few examples (the phishing links in this post have been hobbled with brackets to keep them from being clickable):


Savvy readers here no doubt already know this, but to find the true domain referenced in a link, look to the right of “http(s)://” until you encounter the first forward slash (/). The domain directly to the left of that first slash is the true destination; anything that precedes the second dot to the left of that first slash is a subdomain and should be ignored for the purposes of determining the true domain name.

For instance, in the case of the imaginary link below, example.com is the true destination, not apple.com:


Of course, any domain can be used as a redirect to any other domain. Case in point: Targets of the phishing domains above who are undecided on whether the link refers to a legitimate Apple site might seek to load the base domain into a Web browser (minus the customization in the remainder of the link after the first forward slash). To assuage such concerns, the phishers in this case will forward anyone visiting those base domains to Apple’s legitimate iCloud login page (icloud.com).
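The rule above is easy to state and easy to get wrong under pressure, so here is the same check in code. This is an added example, not part of the KrebsOnSecurity post: it uses Python’s standard URL parser to pull out the host (which also discards the `user:pass@` and `:port` tricks that the eyeball method can miss), applies the post’s “last two labels” rule to get the true domain, and flags any link that mentions the brand but does not land on one of its legitimate domains. It goes slightly beyond the post by recognising a few two-part public suffixes such as co.uk, where the two-label rule would wrongly return the suffix itself; that suffix set and the legitimate-domain set are assumptions for the example, and the sample links are constructed (hobbled with [.] like the post’s).

```python
from urllib.parse import urlsplit

# Assumed for the example: the domains the spoofed brand actually uses.
LEGIT_DOMAINS = {"apple.com", "icloud.com"}
BRAND_WORDS = ("apple", "icloud")

# A handful of two-label public suffixes so "x.co.uk" yields "x.co.uk", not "co.uk".
# Illustrative only; a real tool should consult the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.za", "com.br", "co.jp"}

# Constructed sample links in the style described in the post.
SAMPLE_LINKS = [
    "https://maps-icloud[.]com/",
    "https://apple.com-findmy[.]example/?id=123",
    "https://icloud.com-locate[.]example/en/signin",
    "https://www.icloud.com/find",
    "https://support.apple.com/",
    "https://user:pw@apple.com@evil[.]example/login",  # real host is after the last "@"
    "https://apple.com.evil[.]example:8443/x",         # port must not confuse the parse
    "https://icloud.com-verify.co[.]uk/",              # two-label public suffix
    "https://example.com/help",                        # no brand mentioned at all
]


def _host(link: str) -> str:
    """Host part of a link: scheme, userinfo, port, path, query and fragment removed."""
    url = link.replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to see the host as a netloc
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def true_domain(link: str) -> str:
    """The post's rule: the domain is the last two labels of the host; the rest is subdomain.

    Extended for the listed two-label public suffixes, where three labels are kept.
    """
    labels = _host(link).split(".")
    keep = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def is_brand_spoof(link: str) -> bool:
    """True when the link mentions the brand anywhere but its true domain is not a brand domain."""
    mentions_brand = any(word in link.lower() for word in BRAND_WORDS)
    return mentions_brand and true_domain(link) not in LEGIT_DOMAINS


def triage(links):
    """Return (link, true_domain) pairs for the links that look like brand spoofs."""
    return [(link, true_domain(link)) for link in links if is_brand_spoof(link)]


if __name__ == "__main__":
    for link, domain in triage(SAMPLE_LINKS):
        print(f"SPOOF  {link:55} -> {domain}")
```

Note that `true_domain` is about the link as written; as the paragraph above points out, the base domain can still redirect to the real site, so a benign-looking landing page proves nothing about the rest of the link.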

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

State of Software Security v10: 5 Key Takeaways for Developers

SOSS X Developer Takeaways

In case you missed it, this year we launched our 10th annual State of Software Security (SOSS X) report! Armed with a decade of data, the Veracode team analyzed 85,000 applications to study trends in fix rates, mounting security debt, shifts in vulnerability by language, and more.

What did we uncover? At the core of our research, we found there’s still a need for better remediation processes and more frequent security scans. But we also uncovered some best practices that are leading to significant application security improvements. Read on for a snapshot of key takeaways that can help set you and your organization up for AppSec success in 2020.

Most apps still don’t pass crucial compliance tests

OWASP Top 10 vulnerabilities and SANS 25 software errors represent consensus listings of the most critical flaws in the industry, and while we’ve seen some changes in compliance rates across past editions of our SOSS report, the 10-year trend shows us that things haven’t shifted much as of late. Today, 68 percent of apps fail to pass OWASP on initial scan (down from 77 percent in volume one of SOSS), and 67 percent of apps fail to pass SANS on initial scan, the same figure in volume ten as in volume one.

The fact that these common and serious vulnerabilities are still prevalent in code underscores the fact that we are not creating environments where developers can code securely. The absence of proper secure coding training, as well as the lack of access to the right tools, is clearly creating risk.

Android, PHP, iOS, and C++ have a high frequency of flaws

This year’s data analysis found that over 90 percent of Android, PHP, and iOS applications contain security flaws on initial scan. Ranking over 80 percent were C++, .NET, and Java, while Python and JavaScript came in with the lowest flaw rates.

Why do we see a higher rate of flaws in mobile languages? Perhaps the reason Android and iOS are two of the top offenders is that many mobile applications aren’t properly scanned before they’re uploaded to the Apple App Store and the Google Play Store. Ben Greenwald, Director of Software Engineering at Veracode, explains further: 

“One reason Android and iOS applications may tend to have more security flaws on first scan is because mobile developers believe they are already covered. Developers might assume that Apple and Google thoroughly test apps before they’re released, or they rely on Apple and Google for testing under the assumption that a security infrastructure is already in place.”

This issue only further highlights the need for thorough internal and third-party testing processes to ensure that your applications are secure.

Language also adds yet another layer to the issue of unfixed flaws piling up on developer plates; the average security debt for PHP and C++ is massive compared to that of .NET, Android, Java, and JavaScript.

As two of the top languages for flaw rates, it makes sense that unchecked issues in PHP and C++ can spin out of control for development teams. So, what’s their deal? PHP’s start in the mid-1990s came with a basic design that works well for smaller applications and beginners learning to code, but it has since been so widely adopted and stretched beyond its means that it is left highly vulnerable to flaws.

C++ is an incredibly robust language that powers many of the operating systems, browsers, and productivity apps that we use in our daily life. But with that great power comes the great responsibility to manage memory, guard against use-after-free, and keep stacks from overflowing. These flaws tend to accumulate over time and are easier to introduce than in many of today’s more commonly used higher-level languages.

While some applications are prone to debt buildup because they use multiple languages or a basic flaw-heavy language like PHP, it’s important to consider the steps your team can take to counterbalance the prevalence of flaws—like reprioritization. 

Remediation priorities are misaligned for top vulnerabilities

Out of the 85,000 applications tested (including 1.4 million individual scans), our data shows that 83 percent of apps have at least one flaw when they’re initially scanned. That’s an 11 percent increase from volume one to volume ten of the SOSS report - but the good news is we also saw an overall 14 percent decrease in applications with high-severity flaws.

The bad news? Focus is, it seems, not always placed on fixing the right flaws. For example, we found that A10-Logging is ranked the lowest in flaw prevalence but is at the top of the list for fix rate, the bottom of the list for incidents, and doesn’t rank for exploit risk. A5-Access Control is another mystifying trend. It ranks low in prevalence but towards the top of exploit and incident rankings, falling right in the middle of the list for fix rate.

Some flaws and fixes are consistent, though. Both A1-Injection and A2-Authentication sit toward the top of the list across the board, while A8-Deserialization is reliably stable in the bottom half of each category. This discrepancy sheds some light on which flaws are neglected, deferred, targeted, and prioritized, and how DevOps teams can more efficiently rank issues.

Flaws that can be remediated quickly and within a small scope are naturally resolved ahead of those that are slightly more complicated, yet the severe issues are often less difficult to fix than they appear, underscoring the need for a more comprehensive plan of attack.

Developers favor recency, adding to security debt

SOSS X shows us that developers typically follow a LIFO (Last In, First Out) method instead of a FIFO (First In, First Out) approach. With LIFO, developers run the risk of contributing to security debt when older flaws are stacked underneath newer issues. As time goes by, the probability of remediation drops significantly, and any unmitigated remnants slide into the land of security debt.

This trend highlights an ongoing battle with security debt across the industry and draws attention to how it muddies the waters of remediation. Fortunately, we have revealing data on scanning cadence that can help reduce an organization’s debt over time.

Bursty scans contribute to security debt—but it’s reversible

We mention security debt throughout the SOSS X report (and this post) because it can leave organizations vulnerable to attacks in the backlog of flaws, and slower to mitigate issues that arise out of the blue.

The good news is, this year we also uncovered evidence of practices that are chipping away at security debt. It’s all about scanning frequency. We know that “bursty” scanning cadences result in a higher prevalence of flaws over time, as opposed to steady and early scan processes with fewer flaws open at once. Sometimes bursty scanning simply fits your waterfall development cycle or pairs with testing schedules that are event-driven, but this can leave security holes where flaws are missed month to month.

Based on our data, we know that development teams can improve their median time to remediation (MedianTTR) by about 70 percent with established procedures and consistent testing schedules. Automating your processes to increase scanning tempo and improve prioritization reduces the security debt that your organization carries.

Read the report

Want to see all this data in one complete package? Read the full SOSS report to learn more about the state of DevSecOps, discover additional data highlights by industry, and more.

Facebook quickly fixed a bug exploited in attacks that exposed Page Admins info

Last week Facebook addressed a security flaw that exposed Page admin accounts; the bug was exploited against several high-profile pages.

Last week Facebook addressed a security issue that exposed Page admin accounts; the bug was exploited in attacks in the wild against several high-profile pages.

The page admin accounts are anonymous unless the Page owner opts to make the admins public, but a bug allowed anyone to reveal the accounts running a Page.

“The accounts behind those pages are anonymous unless a Page owner opts to make the admins public. You can’t see, for example, the names of the people who post to Facebook on WIRED’s behalf. But a bug that was live from Thursday evening until Friday morning allowed anyone to easily reveal the accounts running a Page, essentially doxing anyone who posted to one.” reads a post published by Wired.

The “View edit history” feature in Facebook allows Page admins to view any activity related to pages, including the names of users who made changes to a post. The bug allowed miscreants to reveal the account of the individual who made the changes, including Page admins, with serious privacy implications.

Wired confirmed that on message boards like 4chan, people started posting screenshots that doxed the accounts behind prominent pages. Exploiting the bug was simple: by opening a target page and checking the edit history of a post, it was possible to view the account or accounts that had made edits to each post.

Facebook quickly addressed the issue after it was alerted by a security researcher.

“We quickly fixed an issue where someone could see who edited or published a post on behalf of a Page when looking at its edit history,” Facebook said in a statement. “We are grateful to the security researcher who alerted us to this issue.”

The list of the pages targeted by hackers included the ones belonging to President Donald Trump, the street artist Banksy, Russian president Vladimir Putin, former US secretary of state Hillary Clinton, Canadian prime minister Justin Trudeau, the hacking collective Anonymous, climate activist Greta Thunberg, and the rapper Snoop Dogg, among others.

In February 2018, the security researcher Mohamed Baset discovered a similar vulnerability on Facebook.

Baset explained that the flaw was a “logical error” that he discovered after receiving an invitation to like a Facebook page on which he had liked a post. The researcher analyzed the source code of the email sent by the social network and discovered that it included the name of the administrator of the page and other info.

Pierluigi Paganini

(SecurityAffairs – Facebook, hacking)

The post Facebook quickly fixed a bug exploited in attacks that exposed Page Admins info appeared first on Security Affairs.

Artificial Personas and Public Discourse

Presidential campaign season is officially, officially, upon us now, which means it's time to confront the weird and insidious ways in which technology is warping politics. One of the biggest threats on the horizon: artificial personas are coming, and they're poised to take over political debate. The risk arises from two separate threads coming together: artificial intelligence-driven text generation and social media chatbots. These computer-generated "people" will drown out actual human discussions on the Internet.

Text-generation software is already good enough to fool most people most of the time. It's writing news stories, particularly in sports and finance. It's talking with customers on merchant websites. It's writing convincing op-eds on topics in the news (though there are limitations). And it's being used to bulk up "pink-slime journalism" -- websites meant to appear like legitimate local news outlets but that publish propaganda instead.

There's a record of algorithmic content pretending to be from individuals, as well. In 2017, the Federal Communications Commission had an online public-commenting period for its plans to repeal net neutrality. A staggering 22 million comments were received. Many of them -- maybe half -- were fake, using stolen identities. These comments were also crude; 1.3 million were generated from the same template, with some words altered to make them appear unique. They didn't stand up to even cursory scrutiny.

These efforts will only get more sophisticated. In a recent experiment, Harvard senior Max Weiss used a text-generation program to create 1,000 comments in response to a government call on a Medicaid issue. These comments were all unique, and sounded like real people advocating for a specific policy position. They fooled the Medicaid.gov administrators, who accepted them as genuine concerns from actual human beings. This being research, Weiss subsequently identified the comments and asked for them to be removed, so that no actual policy debate would be unfairly biased. The next group to try this won't be so honorable.

Chatbots have been skewing social-media discussions for years. About a fifth of all tweets about the 2016 presidential election were published by bots, according to one estimate, as were about a third of all tweets about that year's Brexit vote. An Oxford Internet Institute report from last year found evidence of bots being used to spread propaganda in 50 countries. These tended to be simple programs mindlessly repeating slogans: a quarter million pro-Saudi "We all have trust in Mohammed bin Salman" tweets following the 2018 murder of Jamal Khashoggi, for example. Detecting many bots with a few followers each is harder than detecting a few bots with lots of followers. And measuring the effectiveness of these bots is difficult. The best analyses indicate that they did not affect the 2016 US presidential election. More likely, they distort people's sense of public sentiment and their faith in reasoned political debate. We are all in the middle of a novel social experiment.

Over the years, algorithmic bots have evolved to have personas. They have fake names, fake bios, and fake photos -- sometimes generated by AI. Instead of endlessly spewing propaganda, they post only occasionally. Researchers can detect that these are bots and not people, based on their patterns of posting, but the bot technology is getting better all the time, outpacing tracking attempts. Future groups won't be so easily identified. They'll embed themselves in human social groups better. Their propaganda will be subtle, and interwoven in tweets about topics relevant to those social groups.

Combine these two trends and you have the recipe for nonhuman chatter to overwhelm actual political speech.

Soon, AI-driven personas will be able to write personalized letters to newspapers and elected officials, submit individual comments to public rule-making processes, and intelligently debate political issues on social media. They will be able to comment on social-media posts, news sites, and elsewhere, creating persistent personas that seem real even to someone scrutinizing them. They will be able to pose as individuals on social media and send personalized texts. They will be replicated in the millions and engage on the issues around the clock, sending billions of messages, long and short. Putting all this together, they'll be able to drown out any actual debate on the Internet. Not just on social media, but everywhere there's commentary.

Maybe these persona bots will be controlled by foreign actors. Maybe it'll be domestic political groups. Maybe it'll be the candidates themselves. Most likely, it'll be everybody. The most important lesson from the 2016 election about misinformation isn't that misinformation occurred; it is how cheap and easy misinforming people was. Future technological improvements will make it all even more affordable.

Our future will consist of boisterous political debate, mostly bots arguing with other bots. This is not what we think of when we laud the marketplace of ideas, or any democratic political process. Democracy requires two things to function properly: information and agency. Artificial personas can starve people of both.

Solutions are hard to imagine. We can regulate the use of bots -- a proposed California law would require bots to identify themselves -- but that is effective only against legitimate influence campaigns, such as advertising. Surreptitious influence operations will be much harder to detect. The most obvious defense is to develop and standardize better authentication methods. If social networks verify that an actual person is behind each account, then they can better weed out fake personas. But fake accounts are already regularly created for real people without their knowledge or consent, and anonymous speech is essential for robust political debate, especially when speakers are from disadvantaged or marginalized communities. We don't have an authentication system that both protects privacy and scales to the billions of users.

We can hope that our ability to identify artificial personas keeps up with our ability to disguise them. If the arms race between deep fakes and deep-fake detectors is any guide, that'll be hard as well. The technologies of obfuscation always seem one step ahead of the technologies of detection. And artificial personas will be designed to act exactly like real people.

In the end, any solutions have to be nontechnical. We have to recognize the limitations of online political conversation, and again prioritize face-to-face interactions. These are harder to automate, and we know the people we're talking with are actual people. This would be a cultural shift away from the internet and text, stepping back from social media and comment threads. Today that seems like a completely unrealistic solution.

Misinformation efforts are now common around the globe, conducted in more than 70 countries. This is the normal way to push propaganda in countries with authoritarian leanings, and it's becoming the way to run a political campaign, for either a candidate or an issue.

Artificial personas are the future of propaganda. And while they may not be effective in tilting debate to one side or another, they easily drown out debate entirely. We don't know the effect of that noise on democracy, only that it'll be pernicious, and that it's inevitable.

This essay previously appeared in TheAtlantic.com.

EDITED TO ADD: Jamie Susskind wrote a similar essay.

National Lottery Hacker Theft £ 5, Land Prison Penalty

The brute-force account-cracking tool Sentry MBA was used to compromise user accounts.

An individual involved in hacking the British National Lottery database and hijacking customer accounts has been jailed for nine months.

The UK National Crime Agency (NCA) said last week that Anwar Batson from Notting Hill, London, had helped and coached others in compromising the lottery operator, Camelot.

The 29-year-old, together with Idris Kayode Akinwunmi, Daniel Thompson and others, focused on making fast cash from the lottery, and Batson suggested using Sentry MBA to crack and take over user accounts.

“Even the most basic forms of cybercrime can have a substantial impact on victims,” said NCA senior investigating officer Andrew Shorrock. “No one should think cybercrime is victimless or that they can get away with it.”

Sentry MBA is a widely available online account-cracking tool. Where a service has no anti-automation protections, the software suite removes the need for technical knowledge to attack it, working through lists of weak passwords, username and password combos, and account credentials exposed in data dumps and on paste sites.

According to Verizon’s 2019 report, 71% of data breaches today are financially motivated, and about 70% involve weak or compromised passwords.

The 29-year-old, who went by the name Rosegold, “told others that they could quickly make cash” with Sentry MBA and conversed “over hacking, purchasing and selling username and password lists, settings files and personally identifiable information,” UK prosecutors said.

In 2016, the NCA was made aware that a cyber attack against the National Lottery had taken place. The company emphasized that the core draw systems were not compromised, but the attack targeted a site holding millions of records.

The National Lottery reported at the time that around 27,000 player records could have been compromised because of “suspicious activity,” and that information including addresses, contact details, dates of birth and limited card data could have been exposed.

Batson used the tool to collect credentials, including those of one lottery player from whose account Akinwunmi stole £13, of which £5 was sent to Batson.

The sum was small, but it still counted as theft and as an offence under the UK’s Computer Misuse Act 1990. Moreover, the National Lottery operator had to spend £230,000 responding to the attacks, and 250 customers closed their accounts following publicity about the incident, according to The Register.

After pleading guilty at Southwark Crown Court to four offences and one charge of theft, Batson was sentenced to nine months behind bars. Initially, Batson had denied any involvement.

In 2018, Thompson and Akinwunmi were jailed for eight months and four months respectively, after being charged over brute-force attacks against the National Lottery website.

Separately, the US Department of Justice (DoJ) announced last week that a US resident had been jailed for four years for large-scale identity theft. Babatunde Olusegun Taiwo took part in a scheme that filed false tax returns and refund claims with the U.S. Internal Revenue Service (IRS) using the personal identification details of people exposed in an earlier data breach.

Taiwo and his co-defendants sought refunds of more than $12 million; the IRS paid out $800,000 before law enforcement intervened.

The post National Lottery Hacker Theft £ 5, Land Prison Penalty appeared first on .

Texas School District Lost $2.3M to Phishing Email Scam

A school district in Texas announced that it lost approximately $2.3 million after falling victim to a phishing email scam. On January 10, the Manor Independent School District (MISD) published a statement on Twitter and Facebook in which it revealed that it was investigating a phishing email scam that cost it $2.3 million. January 10, […]… Read More

The post Texas School District Lost $2.3M to Phishing Email Scam appeared first on The State of Security.

The state of digital transformation in 2020

The past year has seen many businesses question exactly how transformational digital transformation really is. The answer, as with all IT initiatives, depends on the scope of the ambition, the skill of the leadership, and the ultimate degree of business impact.

Yet we’ve seen a pattern emerge: Those with transformational aspirations discover that boil-the-ocean schemes seldom meet their objectives, while carefully planned and targeted initiatives often have broader benefit than even the original instigators imagined.

The latter is particularly true of initiatives that reform fundamental processes. Transformation usually implies moving from one fixed state to another, yet digital transformation at its best involves a journey from inflexibility to a “permanently agile” condition. Getting there may involve the adoption of new programming, infrastructure, or internet-of-things advances. The biggest rewards, however, accrue from reimagining workflows to accommodate continuous change and establishing mechanisms that continuously measure results.

To read this article in full, please click here

Welcoming the Danish Government to Have I Been Pwned

In a continued bid to make breach data available to the government departments around the world tasked with protecting their citizens, I'm very happy to welcome the first country onto Have I Been Pwned for 2020 - Denmark! The Danish Centre for Cyber Security (CFCS) joins the existing 7 governments who have free and unbridled API access to query and monitor their gov domains.

As the year progresses, I'll keep onboarding additional governments to help consolidate existing searches their departments have been independently running and provide greater visibility at a national level.

Vulnerability Scanning vs. Penetration Testing

It amazes me how many people confuse the importance of vulnerability scanning with penetration testing. Vulnerability scanning cannot replace the importance of penetration testing, and penetration testing, on its own, cannot secure the entire network. Both are important at their respective levels, needed in cyber risk analysis, and are required by standards such as PCI, […]… Read More

The post Vulnerability Scanning vs. Penetration Testing appeared first on The State of Security.