Daily Archives: January 14, 2020

Companies increasingly reporting attacks attributed to foreign governments

More than one in four security managers attribute attacks against their organization to cyberwarfare or nation-state activity, according to Radware. Nation-state intrusions soaring In 2018, 19% of organizations believed they were attacked by a nation-state. That figure increased to 27% in 2019. Companies in North America were more likely to report nation-state attribution, at 36%. “Nation-state intrusions are among the most difficult attacks to thwart because the agencies responsible often have significant resources, knowledge of … More

The post Companies increasingly reporting attacks attributed to foreign governments appeared first on Help Net Security.

Cyber attackers turn to business disruption as primary attack objective

Over the course of 2019, 36% of the incidents that CrowdStrike investigated were most often caused by ransomware, destructive malware or denial of service attacks, revealing that business disruption was often the main attack objective of cybercriminals. Another notable finding in the new CrowdStrike Services Report shows a large increase in dwell time to an average of 95 days in 2019 — up from 85 days in 2018 — meaning that adversaries were able to … More

The post Cyber attackers turn to business disruption as primary attack objective appeared first on Help Net Security.

Budgetary, policy, workforce issues influencing DOD and intelligence community IT priorities

Information Technology spending by Department of Defense (DOD) and Intelligence Community (IC) agencies will continue to grow as they work to keep pace with the evolution of both the threat landscape and technology development, according to Deltek. Intelligence community The increasing sophistication of adversaries, expanding threat landscape, rapid pace of technology advancement and data proliferation continue to fuel the IC’s demand for tools and resources to meet mission objectives. IT solutions such as cloud computing, … More

The post Budgetary, policy, workforce issues influencing DOD and intelligence community IT priorities appeared first on Help Net Security.

Masergy Shadow IT Discovery: Automatically identify unauthorized SaaS applications

Masergy launched its Masergy Shadow IT Discovery solution. Shadow IT Discovery exposes enterprises to significant cybersecurity risks. Building on its mission to make security intrinsic to its SD-WAN platform and to offer the most robust real-time visibility and control, Masergy is empowering enterprises to immediately identify and appropriately address unauthorized SaaS applications. The proliferation of SaaS applications continues to compound each year, exposing businesses to ever-increasing cloud threats and cybersecurity vulnerabilities. According to one study, … More

The post Masergy Shadow IT Discovery: Automatically identify unauthorized SaaS applications appeared first on Help Net Security.

Cynerio offers hospitals free Windows 7 risk assessment

To prepare for the transition into Windows 7 End of Life, Cynerio is offering hospitals a complementary risk assessment until February 14, 2020. Connected medical devices are the weakest link in healthcare security and the prevalence of devices running on the Windows 7 operating system puts hospitals at even greater risk of cyber attack. The assessment will provide hospitals with a comprehensive inventory of their healthcare IoT ecosystems, and a detailed analysis of unsupported operating … More

The post Cynerio offers hospitals free Windows 7 risk assessment appeared first on Help Net Security.

Android Banking Trojans: History, Types, Modus Operandi

One sunny morning, my breakfast was interrupted by a phone call from a friend who is an entrepreneur engaged in the transportation of various goods. He said that $11,000 disappeared from his bank account during the night. The bank support service could not help. They advised my friend to report this incident to the police. […]… Read More

The post Android Banking Trojans: History, Types, Modus Operandi appeared first on The State of Security.

STEALTHbits StealthINTERCEPT 7.0 strengthens enterprise passwords and AD security

STEALTHbits released StealthINTERCEPT 7.0, their real-time Active Directory (AD) policy enforcement solution that audits and blocks unwanted and unauthorized changes, authentications, and queries within the world’s most complex AD infrastructures. With 95 million AD accounts attacked daily and 56% of breaches taking a month or longer to discover, attackers still have the upper the hand on security. While many organizations do some general monitoring, auditing, and threat detection, it’s not enough to slow down the … More

The post STEALTHbits StealthINTERCEPT 7.0 strengthens enterprise passwords and AD security appeared first on Help Net Security.

GTT expands portfolio with Fortinet’s FortiGate Secure SD-WAN solution

GTT Communications, a leading global cloud networking provider to multinational clients, announced it has expanded its SD-WAN service offering by adding Fortinet Secure SD-WAN as a technology option. GTT delivers Fortinet Secure SD-WAN as a managed service and supports any last-mile access solution to meet specific client requirements for advanced security, application performance and cost efficiency. The addition of Fortinet enhances GTT’s existing managed SD-WAN service offerings for enterprise clients. The GTT SD-WAN offering that … More

The post GTT expands portfolio with Fortinet’s FortiGate Secure SD-WAN solution appeared first on Help Net Security.

Citrix Analytics for Performance: Identifying performance issues at the individual user level

In the old days, analyzing system performance was all about monitoring speeds and feeds. Today, understanding the user experience (UX) is critical. And to help companies do this, Citrix Systems announced the launch of Citrix Analytics for Performance, a next-generation service that goes beyond monitoring server-side infrastructure, and enables IT administrators to identify performance issues at the individual user level and proactively address them to deliver a superior experience that engages employees and keeps them … More

The post Citrix Analytics for Performance: Identifying performance issues at the individual user level appeared first on Help Net Security.

Patch Tuesday, January 2020 Edition

Microsoft today released updates to plug 50 security holes in various flavors of Windows and related software. The patch batch includes a fix for a flaw in Windows 10 and server equivalents of this operating system that prompted an unprecedented public warning from the U.S. National Security Agency. This month also marks the end of mainstream support for Windows 7, a still broadly-used operating system that will no longer be supplied with security updates.

As first reported Monday by KrebsOnSecurity, Microsoft addressed a severe bug (CVE-2020-0601) in Windows 10 and Windows Server 2016/19 reported by the NSA that allows an attacker to spoof the digital signature tied to a specific piece of software. Such a weakness could be abused by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

An advisory (PDF) released today by the NSA says the flaw may have far more wide-ranging security implications, noting that the “exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.”

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the advisory continues. “The consequences of not patching the vulnerability are severe and widespread.”

Matthew Green, an associate professor in the computer science department at Johns Hopkins University, said the flaw involves an apparent implementation weakness in a component of recent Windows versions responsible for validating the legitimacy of authentication requests for a panoply of security functions in the operating system.

Green said attackers can use this weakness to impersonate everything from trusted Web sites to the source of software updates for Windows and other programs.

“Imagine if I wanted to pick the lock in your front door,” Green analogized. “It might be hard for me to come up with a key that will open your door, but what if I could tamper with or present both the key and the lock at the same time?”

Kenneth White, security principal at the software company MongoDB, equated the vulnerability to a phone call that gets routed to a party you didn’t intend to reach.

“You pick up the phone, dial a number and assume you’re talking to your bank or Microsoft or whomever, but the part of the software that confirms who you’re talking to is flawed,” White said. “That’s pretty bad, especially when your system is saying download this piece of software or patch automatically and it’s being done in the background.”

Both Green and White said it likely will be a matter of hours or days before security researchers and/or bad guys work out ways to exploit this bug, given the stakes involved. Indeed, already this evening KrebsOnSecurity has seen indications that people are teasing out such methods, which will likely be posted publicly online soon.

According to security vendor Qualys, only eight of the 50 flaws fixed in today’s patch roundup from Microsoft earned the company’s most dire “critical” rating, a designation reserved for bugs that can be exploited remotely by malware or miscreants to seize complete control over the target computer without any help from users.

Once again, some of those critical flaws include security weaknesses in the way Windows implements Remote Desktop connections, a feature that allows systems to be accessed, viewed and controlled as if the user was seated directly in front of the remote computer. Other critical patches include updates for the Web browsers and Web scripting engines built into Windows, as well as fixes for ASP.NET and the .NET Framework.

The security fix for the CVE-2020-0601 bug and others detailed in this post will be offered to Windows users as part of a bundle of patches released today by Microsoft. To see whether any updates are available for your Windows computer, go to the Start menu and type “Windows Update,” then let the system scan for any available patches.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

Today also marks the last month in which Microsoft will ship security updates for Windows 7 home/personal users. I count myself among some 30 percent of Windows users who still like and (ab)use this operating system in one form or another, and am sad that this day has come to pass. But if you rely on this OS for day-to-day use, it’s probably time to think about upgrading to something newer.

That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer. If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer. Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Advisory 2020-002: Critical Vulnerabilities for Microsoft Windows Announced, Patch Urgently

On 15 January 2020 (AEDT), Microsoft released security patches for three critical and one important vulnerabilities in the Microsoft Remote Desktop Client, Remote Desktop Gateway and the Windows operating system. The ACSC recommends that users of these products apply patches urgently to prevent malicious actors from using these vulnerabilities to compromise your network.

What is the CMMC and How Can You Prepare for It?

English

Later this month, the U.S. Department of Defense (DoD) will release version 1.0 of the Cybersecurity Maturity Model Certification (CMMC). The CMMC will be a mandatory third-party certification for any DoD contractors and subcontractors, intended to help protect the government’s sensitive, unclassified data against cyber threats. How did the CMMC come together and what will it entail? Read on to find out other cyber threat mitigation standards, how they inspired the CMMC, and what to expect when the CMMC goes live.

Inspiration for the CMMC: Cyber Mitigation in the UK

One of the primary inspirations for the CMMC and an early example of successful mitigation frameworks are the United Kingdom Cyber Essentials. Since 2014, the Cyber Essentials certification has been a requirement for any current or bidding contractors or subcontractors for any part of the UK central Government.

Currently, the Cyber Essentials certification requirements fall under five technical control themes: firewalls, secure configuration, user access control, malware protection, and patch management. Organizations need to meet and prove they’ve met the minimum requirements for each of the controls before being approved for certification. There are two levels of certification: Cyber Essentials, which involves an independent verification from an Accreditation Body of a thorough self-assessment, and Cyber Essentials Plus, which involves an Accreditation Body performing the assessment to ensure the requirements are in place.

While no official research has been done by the government, they have felt this certification process has been greatly beneficial, with none of the 30,000 certified systems experiencing a major breach. Recently, the National Cyber Security Centre launched an initiative to revise the Essentials to reflect the evolution of cybersecurity, add tangible benefit measurements, and help even more organizations become certified.

While there are other cybersecurity mitigation strategies elsewhere, like the Essential Eight of Australia, they aren’t necessarily mandated. This is makes CMMC even more interesting, since it may indicate a trend in cybersecurity requirements for different organizations, particularly those dealing with sensitive government data.

The Basics of the CMMC

While the CMMC will be unveiled in January, it is not expected to be enforced until June, giving ample time for organizations to prepare and take measures to update their security program. Additionally, it will give time to certify third party accreditation parties, who will face an onslaught of organizations needing evaluation. So what are the components of this framework that these parties will be evaluating?

Levels

Similar to the Cyber Essentials model, the CMMC will also have progressive levels of certification. Instead of two, the CMMC has five, with level one only requiring basic cyber hygiene. These levels are cumulative, so level five must demonstrate good cyber hygiene, meet NIST requirements, have a substantial and proactive cybersecurity program in place, and show optimization capabilities to ward off advanced persistent threats. They must meet these requirements in all domains, which will be discussed below.

Maturity

These levels also incorporate the key concept of maturity. While level one has no maturity requirements, beginning at level two, there is an expectation to create and adhere to a cybersecurity policy within the organization. As the different levels progress, maturity requirements grow, including establishing procedures, goals, project plans, and stakeholder agreement. The highest levels require revisiting, evaluating, and refining this policy, as well as having enough resources including staff, funding, and tools, to implement it.

Domains

The CMMC is much more specific than both the Cyber Essentials and the Essential Eight. It has 17 domains, mostly taken from the Federal Information Processing Standards (FIPS) and NIST. These domains cover the full range of cybersecurity needs—they aren’t just aimed at malware prevention, but also deal with limiting the damage of a breach, as well as data backup and recovery.  

The domains, as of the latest draft, are:

  1. Access Control
  2. Asset Management
  3. Audit and Accountability
  4. Awareness and Training
  5. Configuration Management
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical Protection
  12. Recovery
  13. Risk Management
  14. Security Assessment
  15. Situational Awareness
  16. System Communications and Protections
  17. System and Information Integrity

 

The domains also break down into capabilities, further refining the requirements of what is expected of organizations wanting to be certified. For example, Access Control breaks down into four capabilities: establishing system access requirements, controlling internal system access, controlling remote system access, and limiting data access to authorized users and processes.

Building a Universal Framework

While the CMMC will only apply to organizations that work with the DoD, it serves as a crucial step in creating a universal framework of cybersecurity standards. For now, even those who are not required to follow the CMMC should view it as an essential list of best practices that they should also prioritize.

 

cs-what-is-cmmc-blog-700x350.jpg

What is the CMMC
Penetration testing
Big text: 
Blog
Resource type: 
Blogs
Will you need to be CMMC compliant?

Learn how our broad suite of federal government security solutions can meet your needs.

VERT Threat Alert: January 2020 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s January 2020 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-866 on Wednesday, January 15th.  In-The-Wild & Disclosed CVEs CVE-2020-0601 While there are no in-the-wild and disclosed CVEs in the January patch drop, there is a lot of discussion around CVE-2020-0601. The vulnerability […]… Read More

The post VERT Threat Alert: January 2020 Patch Tuesday Analysis appeared first on The State of Security.

Update Windows 10 Immediately to Patch a Flaw Discovered by the NSA

After Adobe today releases its first Patch Tuesday updates for 2020, Microsoft has now also published its January security advisories warning billions of users of 49 new vulnerabilities in its various products. What's so special about the latest Patch Tuesday is that one of the updates fixes a serious flaw in the core cryptographic component of widely used Windows 10, Server 2016 and 2019

January 2020 Adobe Patch Tuesday updates fix issues in Illustrator, Experience Manager

Adobe released its January 2020 Patch Tuesday updates that address several flaws in Illustrator and Experience Manager products.

Adobe releases its first 2020 patch Tuesday software updates that address several vulnerabilities in Illustrator and Experience Manager products.

“Adobe has published security bulletins for Adobe Experience Manager (APSB20-01) and Adobe Illustrator (APSB20-03). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.” reads the security advisory.

The security updates for Illustrator CC 2019 for Windows addresses five critical memory corruption issues (CVE-2020-3710, CVE-2020-3711, CVE-2020-3712, CVE-2020-3713, CVE-2020-3714) that can lead to arbitrary code execution in the context of the targeted user.

All the vulnerabilities were reported to Adobe by Honggang Ren of Fortinet’s FortiGuard Labs.

While the vulnerabilities have been assigned a severity rating of critical, their priority rating is 3, which means Adobe does not expect any of them to be exploited in attacks.

Adobe also releases security updates for Adobe Experience Manager (AEM) that addresses four issues rated as important and moderate (CVE-2019-16466, CVE-2019-16467, CVE-2019-16468, CVE-2019-16469).

The flaws rated important are Reflected Cross-Site Scripting cross-site scripting (XSS) or Expression Language injection and could lead to the disclosure of sensitive information. The security hole rated moderate has been described as a user interface injection issue and it can also lead to the disclosure of sensitive information.

The flaws tracked as CVE-2019-16466 and CVE-2019-16468 were reported to Adobe by the security expert Lorenzo Pirondini of Netcentric.

Pierluigi Paganini

(SecurityAffairs – Adobe Patch Tuesday, hacking)

The post January 2020 Adobe Patch Tuesday updates fix issues in Illustrator, Experience Manager appeared first on Security Affairs.

Microsoft rolls out Windows 10 security fix after NSA warning

US agency revealed flaw that could be exploited by hackers to create malicious software

Microsoft is rolling out a security fix to Windows 10 after the US National Security Agency (NSA) warned the popular operating system contained a highly dangerous flaw that could be used by hackers. Reporting the vulnerability represents a departure for the NSA from its past strategy of keeping security flaws under wraps to exploit for its own intelligence needs.

The NSA revealed during a press conference on Tuesday that the “serious vulnerability” could be used to create malicious software that appeared to be legitimate. The flaw “makes trust vulnerable”, the NSA director of cybersecurity, Anne Neuberger, said in a briefing call to media on Tuesday.

Related: Skype audio graded by workers in China with 'no security measures'

Continue reading...

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak:

  • I'm speaking at Indiana University Bloomington on January 30, 2020.
  • I'll be at RSA Conference 2020 in San Francisco. On Wednesday, February 26, at 2:50 PM, I'll be part of a panel on "How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei." On Thursday, February 27, at 9:20 AM, I'm giving a keynote on "Hacking Society."
  • I'm speaking at SecIT by Heise in Hannover, Germany on March 26, 2020.

The list is maintained on this page.

Infosec pros urged to quickly deploy today’s Windows 10 patch

Windows administrators are being urged to install today’s Patch Tuesday updates for Win10 as soon as they can after the Washington Post reported that it fixes a major flaw in the operating system.

The news service said the U.S. National Security Agency, which quietly hunts for and tries to leverage software flaws it finds for spying, recently alerted Microsoft of the problem in Win10’s ability to verify digital signatures used to confirm if updates are legitimate, as well as signed files and emails.

If attackers can infiltrate Windows by using this hole it would mean computers around the world could be at risk.

Affected versions are Windows 10, Windows Server 2016 and Windows Server 2019.

The federal government Canadian Centre for Cyber Security issued an alert saying an ‘improper certificate validation’ vulnerability, tracked as CVE-2020-0601, prevents Windows from accurately verifying cryptographic trust and may allow an actor to impersonate a trusted entity. “Exploitation of this vulnerability would defeat systems that rely on the use of valid certificates to ensure cryptographic trust, allowing full access to encrypted communications and for the ability to execute any code with permissions reserved for trusted software.”

The security update ensures that Windows CryptoAPI completely validates certificates.

After installing the update administrators will know if an attacker is trying to exploit the vulnerability if a system generates Event ID 1 in the Windows Event Viewer after each reboot under Windows Logs/Application.

The NSA also issued a rare alert, advising administrators that if enterprise-wide, automated patching is not possible priority for manual patching should go to endpoints that provide essential or broadly replied-upon services such as Windows-based web appliances, web servers, proxies that perform TLS validation, machines that host critical infrastructure (e.g. domain controllers, DNS servers, update servers, VPN servers, IPSec negotiation), machines directly exposed to the internet and those regularly used by privileged users

 

Also:

Time running out for support on these Microsoft products


Industry experts immediately praised the NSA for disclosing the flaw rather than exploiting it. The NSA has been widely criticized for apparently keeping secret a hacking tool for exploiting Windows bug in all versions dubbed EternalBlue. That vulnerability was unknown until the NSA was hacked and a number of exploits were stolen.

The NSA quietly told Microsoft of the bug and it issued a fix in March 2017.  Shortly afterward a group calling itself the Shadow Brokers released the EternalBlue code, which led to others exploiting it.

“For the U.S. government to share its discovery of a critical vulnerability with a vendor is exceptionally rare if not unprecedented,” said Amit Yoran, CEO of security vendor Tenable. “It underscores the criticality of the vulnerability and we urge all organizations to prioritize patching their systems quickly. The fact that Microsoft provided a fix in advance to the U.S. government and other customers that provide critical infrastructure is also highly unusual. These are clearly noteworthy shifts from regular practices and make this vulnerability worth paying attention to and also worth asking questions about. How long ago was the vulnerability discovered? How long did it take from discovery to reporting? Was it used by the NSA? Has it been observed being used by foreign intelligence services already? What triggered the vendor disclosure? None of these questions change what organizations need to do at this point to protect themselves, but their answers might tell us a lot more about the environment we operate in.”

On Monday there were early but unconfirmed reports of the problem.Security reporter Brian Krebs said unnamed sources told him the vulnerability is in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.”

The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography and includes functionality for encrypting and decrypting data using digital certificates.

Webcast: Sacred Cash Cow Tipping 2020

Want to learn how attackers bypass endpoint products? Download slides: https://www.activecountermeasures.com/presentations/ 3:41 – Alternate Interpreters 9:19 – Carbon Black Config Issue 15:07 – Cisco AMP EDR – Quick and Easy Bypass 18:24 – PowerShell AMSI Bypass – Rhino 19:07 – CylancePROTECT Bypass 24:14 – Windows Defender and Carbon Black Bypass 30:36 – Windows Subsystem for Linux […]

The post Webcast: Sacred Cash Cow Tipping 2020 appeared first on Black Hills Information Security.

LastPass releases its 3rd Annual Global Password Security report

Graham Cluley Security News is sponsored this week by the folks at LastPass. Thanks to the great team there for their support! LastPass has analyzed over 47,000 businesses to bring you insights into security behavior worldwide. The report helps you explore changes in password security practices worldwide, and see where businesses are still putting themselves […]

Windows 7 Support Ends Today – What should you do?

If your business is still running on Windows 7, it is time to take the end of January 14, 2020 seriously. Here are the four options.

If your company still operates on Windows 7, you have to make some important decisions and there is very little time left. The end of support for Windows 7 is only hours away officially— January 14, 2020. After that year, Microsoft would automatically stop delivering security updates and many third-party vendors will also have withdrawn support.

Most companies have long completed their Windows 10 migration planning and are in the final phases of implementation of this plan. If you’re still inaccurate or incompatible, it’s time to take it seriously. (To make certain that you are aware of the coming deadline, as the deadline approaches Microsoft displays pop-up notifications on Windows 7 PCs, you’ll receive the complete message warning you that your operating system is no longer supported after the deadline passes) I calculate that you have four options for this. Which one you choose depends on why your company still sticks to Windows 7.

If the main reason for this is inertia, you must find something that motivates you. For example, you could calculate cleaning costs after a successful ransomware attack, including the loss of business as you struggle to recover.

You may want to learn that running an unregulated, unpatched operating system places you at risks of infringement, resulting in heavy fines and business failure until consumers become aware of them.

A compatibility issue is the other possible deployment blocker. Compatibility should not be a problem for most Windows 7 apps. A Microsoft project named Windows App Assure offers free program remediation programs for companies paying for Office 365 licenses. Microsoft says its engineers will “help you to remediate customized business line apps, engage 3rd party software companies with Windows 10 and resolve Office 365 ProPlus macro and add-in issues.” If your business relies upon specialized hardware or line-of-business programming that will absolutely not run on Windows 10, you could take the opportunity to pay to extend the dead support to Windows 10. But that only extends the unavoidable one to two years, or at most three years. Your search for a substitute should now be well under way.

So, what’s your choice?

As I know that at least a dozen people in the comments on this post will offer one specific suggestion, let me put it right at the top of the list.

OPTION 1: SWITCH TO LINUX/Other OS

Something tells me that most companies with Windows7 have already taken this option into consideration and refused it until the bitter end. This is especially the case for companies which are limited by compatibility issues with a Windows-critical application.

But of course, if the mobile system is fully replaced and every productivity device you have turned off it’s a preferable alternative to the next choice in the chart.

OPTION 2: DO NOTHING

Windows 7 won’t stop operating on January 15, 2020. However, you would probably not notice any improvements. This is certainly an option if you feel lucky. You may even find the absence of monthly updates to be convenient.

WINDOWS 10 So you want to keep Windows 7 running? Good luck to small businesses Anything changes: Microsoft redesigns the 100 icons used in its applications & FAQ tools: How to handle Windows 10 patches Affordable Laptop offers: Windows & Chromebooks for $500 (CNET) Windows 10; Spoiler’s warning cheat sheet (TechRepublic).

If you absolutely need to operate one or more Windows 7 PCs, maybe because you are running a critical app or controlling an old but essential hardware, the best advice I can give is to completely disconnect the machine and lock it so that only one unreplaceable app is operational.

OPTION 3: Pay for EXTENDED SUPPORT

Microsoft offered to continue to supply patches for XP appliances owned by major companies paying for Custom support agreements when Windows XP support ended in April 2014. But the contracts weren’t inexpensive. Only very large companies could qualify for one and then, as my colleague Mary Jo Foley discovered, the cost was literally millions of dollars

The extended support option for Windows 7 is much more democratic. Microsoft announced its plan to offer paid Windows 7 Extended Security Updates (ESUs) in September 2018, and in October 2019 the company announced that this support was being extended to companies of all sizes. Nor will you need megabucks: annual cost of a calendar year 2020 ESU contract is around $50 per device (although your reseller may charge more), up to $100 a year in year two and $200 in year three.

This escalating price schedule aims to discourage Windows 7 users who would otherwise be tempted to take the boot a little further down the road. You will also need to locate a reseller that is a member of the Cloud Service Provider network and can provide the ESU licenses that you need. This isn’t as straightforward as I learned as I attempted to do just that.

The post Windows 7 Support Ends Today – What should you do? appeared first on .

App Leaks Thousands of Baby Photos and Videos Online

App Leaks Thousands of Baby Photos and Videos Online

An app designed to record and share milestones in a child's development has leaked thousands of images and videos of babies online.

Bithouse Inc., the developer of the Peekaboo Moments app, failed to secure a 100 GB Elasticsearch database containing more than 70 million log files dating from March 2019. As a result, information including email addresses, geographic location data, detailed device data, and links to photos and videos has been exposed.

The breach was discovered by Dan Ehrlich, who operates Texas-based computer security consulting firm Twelve Security.

Ehrlich estimates that at least 800,000 email addresses are in the exposed data, which is stored on servers hosted by Singapore-based Alibaba Cloud.

"I've never seen a server so blatantly open," Ehrlich told Information Security Media Group. "Everything about the server, the company's website and the iOS/Android app was both bizarrely done and grossly insecure."

Peekaboo Moments, which appears to be run by a company based in China, allows parents to record their baby's birth date and track the infant's length and weight. Now parents will be able to use it to record an unexpected milestone—their baby's first ever data breach.

The free app claims to take the security of users' data seriously and to offer users a "secured space" in which to record their child's precious moments. The company makes money by offering additional storage, with subscription plans starting at $8.99 per quarter.

On its Google Play app profile page, it states: "Data privacy and security come as our priority. Every Baby’s photos, audios & videos or diaries will be stored in secured space. Only families & friends can have access to baby’s moments at your control."

The length of time the Elasticsearch server has been unsecured or who may have accessed its contents are unclear. 

Information Security Media Group said that repeated efforts to contact Peekaboo Moments CEO Jason Liu—based in San Francisco, according to his LinkedIn profile—have drawn a blank. 

Attempts to contact the company and other Peekaboo employees have also proved unsuccessful.

According to Google Play, the Peekaboo Moments app has been downloaded 1 million times since launching in 2012.

Rethinking cyber scenarios—learning (and training) as you defend

In two recent posts I discussed with Circadence the increasing importance of gamification for cybersecurity learning and how to get started as a practitioner while being supported by an enterprise learning officer or security team lead. In this third and final post in the series, Keenan and I address more advanced SecOps scenarios that an experienced practitioner would be concerned with understanding. We even show how Circadence and Microsoft help seasoned practitioners defend against some of the most prevalent and advanced attackers we see across industries.

Here are more of Keenan’s insights from our Q&A:

Q: Keenan, thanks for sharing in this digital conversation with me again. I admire your passion for gamified cyber learning. I’d not put the two ideas together, that you can adopt gaming concepts—and consoles—in a way that makes learning the often difficult and evolving subject matter of “cyber” much more fun and impactful. Now that I’ve used Project Ares for a year, it’s hard to imagine NOT having an interactive, gamified platform to help me build and refine cybersecurity concepts and skills. Several friends and colleagues have also registered their teenagers for Circadence’s Project Ares Academy subscriptions to kickstart their learning journey toward a cyber career path. If kids are going to game, let’s point them to something that will build employable skills for the future.

In our last two blogs, we introduced readers to a couple of new ideas:

Now, let’s pivot and focus on practical cyber scenarios (let’s say Tier 1 or Tier 2 defender scenarios)—situations that would likely be directed to experienced cyber professionals to handle. Walk us through some of detail about how Circadence has built SecOps gaming experiences into Project Ares through mission scenarios that are inspired by real cyber incidents pulled from news headlines incorporating today’s most common attack methods such as ransomware, credential theft, and even nation-state attacks?

A: Sure. I’ll start with descriptions of a couple of our foundational missions.

Scenario one: Ransomware—Project Ares offers several mission scenarios that address the cyber kill chain around ransomware. The one I’ll focus on is Mission 10, Operation Crimson Wolf. Acting as a cyber force member working for a transportation company, the user must secure networks so the company can conduct effective port activity. However, the company is in danger as ransomware has encrypted data and a hacker has launched a phishing attack on the network, impacting how and when operators offload ships. The player must stop the ransomware from spreading and attacking other nodes on the network before it’s too late. I love this scenario because 1) it’s realistic, 2) ransomware attacks occur far too often, and 3) it allows the player to engage in a virtual environment to build skills.

Users who engage in this mission learn core competencies like:

  • Computer network defense.
  • Incident response management.
  • Data forensics and handling.

We map all our missions to the NIST/NICE work role framework and Mission 10 touches on the following work roles: System Security Analyst, Cyber Defense Analyst, Cyber Defense Incident Responder, and the Cyber Defense Forensics Analyst.

Image from scenario one: Ransomware

Scenario two: Credential theft—Another mission that’s really engaging is Mission 1, Operation Goatherd. It teaches how credential theft can occur via a brute force attack. In this mission, the user must access the command and control server of a group of hackers to disable a botnet network in use. The botnet is designed to execute a widespread financial scam triggering the collapse of a national bank! The user must scan the command and control server located at myloot.com for running services, identify a vulnerable service, perform a brute force attack to obtain credentials, and then kill the web server acting as the command and control orchestrator.

This scenario is powerful because it asks the player to address the challenge by thinking from an adversary’s perspective. It helps the learner understand how an attacker would execute credential theft (though there are many ways) and gives the learner a different perspective for a well-rounded comprehension of the attack method.

Users who engage in this mission learn core competencies like:

  • Network protocols.
  • Reconnaissance and enumeration.
  • Password cracking and exploration.

The NIST/NICE work role aligned to this mission is a Cyber Operator. Specific tasks this work role must address include:

  • Analyzing target operational architecture for ways to gain access.
  • Conducting network scouting and vulnerability analysis of systems within a network.
  • Detecting exploits against targeted networks.

Image from scenario two: Credential theft

Q: Can you discuss how Project Ares’ learning curriculum addresses critical threats from advanced state or state-backed attackers. While we won’t name governments directly, the point for our readers to understand is that the national and international cybersecurity stage is built around identifying and learning how to combat the tools, tactics, and procedures that threat actors are using in all industries.

A: Here’s a good example.

Scenario three: Election security—In this mission, we deploy in our next release of Project Ares, which now leverages cloud native architecture (running on Microsoft Azure), is Mission 15, Operation Raging Mammoth. It helps a cyber professional protect against an election attack—something we are all too familiar with through recent headlines about election security. As an election security official, the user must monitor voting systems to establish a baseline of normal activity and configurations from which we identify anomalies. The user must detect and report changes to an administrator’s access permissions and/or modifications to voter information.

The NIST/NICE work roles aligned to this mission include professionals training as a Cyber Defense Analyst, Cyber Defense Incident Responder, or Threat/Warning Analyst.

Image from scenario three: Election security

I’ve reviewed some of the specific cyber scenarios a Tier 1 or Tier 2 defender might experience on the job. Now I’d like to share a bit how we build these exercises for our customers.

It really comes down to the professional experiences and detailed research from our Mission and Battle Room design teams at Circadence. Many of them have explicit and long-standing professional experience as on-the-job cyber operators and defenders, as well as cyber professors and teachers at renowned institutions. They really understand what professionals need to learn, how they need to learn, and the most effective ways to learn.

We profile Circadence professionals in the Living Our Mission Blog Series to help interested readers understand the skill and dedication of the people behind Project Ares. By sharing the individual faces behind the solution, we hope current and prospective customers will appreciate Project Ares more knowing that Circadence is building the most relevant learning experiences available to support immersive, gamified learning of today’s cyber professionals.

Learn more

To see Project Ares “in action” visit Circadence and request a demonstration, or speak with your local Microsoft representative. You can also try your hand at it by attending an upcoming Microsoft Ignite: The Tour event, which features a joint Microsoft/Circadence “Into the Breach” capture the flag exercise.

To learn more about how to close the cybersecurity talent gap, read the e-book: CISO essentials: How to optimize recruiting while strengthening cybersecurity. For more information on Microsoft intelligence security solutions, including guidance on Zero Trust, visit Reach the optimal state in your Zero Trust journey.

The post Rethinking cyber scenarios—learning (and training) as you defend appeared first on Microsoft Security.

Securing open-source: how Google supports the new Kubernetes bug bounty



At Google, we care deeply about the security of open-source projects, as they’re such a critical part of our infrastructure—and indeed everyone’s. Today, the Cloud-Native Computing Foundation (CNCF) announced a new bug bounty program for Kubernetes that we helped create and get up and running. Here’s a brief overview of the program, other ways we help secure open-source projects and information on how you can get involved.

Launching the Kubernetes bug bounty program

Kubernetes is a CNCF project. As part of its graduation criteria, the CNCF recently funded the project’s first security audit, to review its core areas and identify potential issues. The audit identified and addressed several previously unknown security issues. Thankfully, Kubernetes already had a Product Security Committee, including engineers from the Google Kubernetes Engine (GKE) security team, who respond to and patch any newly discovered bugs. But the job of securing an open-source project is never done. To increase awareness of Kubernetes’ security model, attract new security researchers, and reward ongoing efforts in the community, the Kubernetes Product Security Committee began discussions in 2018 about launching an official bug bounty program.

Find Kubernetes bugs, get paid

What kind of bugs does the bounty program recognize? Most of the content you’d think of as ‘core’ Kubernetes, included at https://github.com/kubernetes, is in scope. We’re interested in common kinds of security issues like remote code execution, privilege escalation, and bugs in authentication or authorization. Because Kubernetes is a community project, we’re also interested in the Kubernetes supply chain, including build and release processes that might allow a malicious individual to gain unauthorized access to commits, or otherwise affect build artifacts. This is a bit different from your standard bug bounty as there isn’t a ‘live’ environment for you to test—Kubernetes can be configured in many different ways, and we’re looking for bugs that affect any of those (except when existing configuration options could mitigate the bug). Thanks to the CNCF’s ongoing support and funding of this new program, depending on the bug, you can be rewarded with a bounty anywhere from $100 to $10,000.

The bug bounty program has been in a private release for several months, with invited researchers submitting bugs and to help us test the triage process. And today, the new Kubernetes bug bounty program is live! We’re excited to see what kind of bugs you discover, and are ready to respond to new reports. You can learn more about the program and how to get involved here.

Dedicated to Kubernetes security

Google has been involved in this new Kubernetes bug bounty from the get-go: proposing the program, completing vendor evaluations, defining the initial scope, testing the process, and onboarding HackerOne to implement the bug bounty solution. Though this is a big effort, it’s part of our ongoing commitment to securing Kubernetes. Google continues to be involved in every part of Kubernetes security, including responding to vulnerabilities as part of the Kubernetes Product Security Committee, chairing the sig-auth Kubernetes special interest group, and leading the aforementioned Kubernetes security audit. We realize that security is a critical part of any user’s decision to use an open-source tool, so we dedicate resources to help ensure we’re providing the best possible security for Kubernetes and GKE.

Although the Kubernetes bug bounty program is new, it isn’t a novel strategy for Google. We have enjoyed a close relationship with the security research community for many years and, in 2010, Google established our own Vulnerability Rewards Program (VRP). The VRP provides rewards for vulnerabilities reported in GKE and virtually all other Google Cloud services. (If you find a bug in GKE that isn’t specific to Kubernetes core, you should still report it to the Google VRP!) Nor is Kubernetes the only open-source project with a bug bounty program. In fact, we recently expanded our Patch Rewards program to provide financial rewards both upfront and after-the-fact for security improvements to open-source projects.

Help keep the world’s infrastructure safe. Report a bug to the Kubernetes bug bounty, or a GKE bug to the Google VRP.

Why Russian APT Fancy Bear hacked the Ukrainian energy firm Burisma?

Russia-linked cyber-espionage group hacked the Ukrainian energy company Burisma at the center of the impeachment trial of US President Donald Trump.

The Russian cyberspies, operating under Russia’s GRU military intelligence agency (aka Fancy Bear) carried out a spear-phishing campaign in November aimed at accessing the email of Burisma Holdings employees.

The attack was detailed by California-based cybersecurity firm Area 1 Security in a report.

“This report details an ongoing Russian government phishing campaign targeting the email credentials of employees at Burisma Holdings and its subsidiaries and partners. The campaign against the Ukranian oil & gas company was launched by the Main Intelligence Directorate of the General Staff of the Russian Army or GRU.” reads the report published by Area 1 Security. “Phishing for credentials allows cyber actors to gain control of an organization’s internal systems by utilizing trusted access methods (e.g.: valid usernames and passwords) in order to observe or to take further action. Once credentials are phished, attackers are able to operate covertly within an organization in pursuit of their goal.”

In December President Trump was facing an impeachment trial over his efforts to pressure Ukraine to investigate former Vice President Joseph R. and its relationship with the former board member Hunter Biden, the son of Joe Biden.

Russian military cyberspies were gathering information by hacking the Ukrainian gas company.

“The timing of the GRU’s campaign in relation to the 2020 US elections raises the specter that this is an early warning of what we have anticipated since the successful cyberattacks undertaken during the 2016 US elections,” continues the Area 1 report.

It is not clear which information the hackers have accessed, experts believe Russian spies were searching for potentially embarrassing material on the rival Biden and his son.

In July 2019, a phone call from Trump to Ukrainian President Volodymyr Zelensky was asking him to investigate the Bidens and Burisma.

Burisma hired the Biden’s son while his father was vice president and leading the Obama administration’s Ukraine policy.

“Donald Trump tried to coerce Ukraine into lying about Joe Biden and a major bipartisan, international anti-corruption victory because he recognized that he can’t beat the vice president,” said Andrew Bates, a spokesman for the Biden campaign.” states the NYT.

“Now we know that Vladimir Putin also sees Joe Biden as a threat,” Mr. Bates added. “Any American president who had not repeatedly encouraged foreign interventions of this kind would immediately condemn this attack on the sovereignty of our elections.”

The scheme was similar to the one allegedly adopted by Russian intelligence ahead of the Presidential election in 2016, when the cyberspies hackerd emails from Hillary Clinton’s campaign and used an army of trolls to spread propaganda and misinformation.

According to Area 1’s report, the GRU spies hacked the servers of Burisma Holdings.

In this campaign, the GRU combined several different authenticity techniques to compromise the targeted network, such as Domain-based authenticity, Business process and application authenticity, and Partner and supply chain authenticity.

“Since 2016, the GRU has consistently used an assembly line process to acquire and set up infrastructure for their phishing campaigns. Area 1 Security has correlated this campaign against Burisma Holdings with specific tactics, techniques, and procedures (TTPs) used exclusively by the GRU in phishing for credentials.” continues the report.”Repeatedly, the GRU uses Ititch, NameSilo, and NameCheap for domain registration; MivoCloud and M247 as Internet Service Providers; Yandex for MX record assignment; and a consistent pattern of lookalike domains.”

Trump is expected to stand trial in the Senate as early as this week on two articles of impeachment abuse of power and obstruction of Congress.

Pierluigi Paganini

(SecurityAffairs – Bronze President, hacking)



The post Why Russian APT Fancy Bear hacked the Ukrainian energy firm Burisma? appeared first on Security Affairs.

Play Store Still Peppered with Fleeceware Apps

Play Store Still Peppered with Fleeceware Apps

Four months after fleeceware's initial exposure, Android users who purchase "subscriptions" to apps from the Google Play Store are still at risk of being ripped off.

Fleeceware hit the news in September 2019, when researchers at SophosLabs showed how some app publishers were using a sneaky business model to drastically overcharge Android users for basic services. 

On the Google Play Store, researchers found multiple instances of app publishers operating a system where users could be charged excessive amounts of money for apps if they didn’t cancel a “subscription” before the short free trial window closed.

New research published today by SophosLabs reveals that fleeceware has not been shorn from the store. 

"While the company did take down all the apps we had previously reported to them, fleeceware remains a big problem on Google Play," wrote researchers.

"Since our September post, we’ve seen many more Fleeceware apps appear on the official Android app store."

New fleeceware flagged by SophosLabs includes entertainment or utility apps, fortune-telling apps, instant messengers, video editors, and beauty apps. 

Some apps, offering basic services such as a reverse-image search, which Google does for free, charge over $200 for an annual subscription. 

Researchers said that the total number of installations of these apps totals nearly 600 million across fewer than 25 apps. Some of the individual apps on the store appear to have been installed on more than 100 million devices.

One popular keyboard app investigated by researchers allegedly transmits the full text of whatever its users type back to China. 

Clues to the fleeceware apps' financial chicanery can be found in customers' reviews.

"User reviews reveal serious complaints about overcharging, and that many of these apps are substandard, and don’t work as expected," wrote researchers. 

Some users claim to have been charged an annual subscription fee despite unsubscribing by a certain date as per the app's instructions. 

Researchers noted apps offering weekly and monthly subscription payment options in an attempt to make their product seem more budget friendly. 

"In one case, we found an app displaying subscription fees of €8.99 per week, or €23.99 per month, which works out annually to €467.48 (if you pay the weekly amount for 52 weeks) or €287.88 (if you pay the monthly amount for 12 months)," wrote researchers. 

Adobe Patches Five Critical Illustrator CC Flaws

Overall Adobe patched nine flaws in Illustrator CC and Experience Manager.

Texan Arrested for Cyber-stalking Realtors and Threatening Their Kids

Texan Arrested for Cyber-stalking Realtors and Threatening Their Kids

A Texas man has been arrested on suspicion of sending perverse and threatening text messages to real estate agents across America.

Lubbock resident Andy Castillo allegedly used multiple phone numbers and an app to mask his identity when cyber-stalking as many as 100 realtors in up to 22 different states. 

The 56-year-old is accused of sending pornographic images to agents along with sexually explicit text messages soliciting sex. It is further alleged that Castillo attempted to solicit sex from some agents' children. 

Castillo is accused of downloading photographs of agents' kids from social media and sending the pictures to the agents, along with chilling descriptions of his desire to sexually assault their children.

All the real estate agents targeted in this particularly disturbing cyber-stalking case are women. 

Detective Joseph Scaramucci said Castillo "was searching the top 10 realtors in different cities" and "saving female realtors' photographs right off the internet with their contact information."

Castillo was arrested in his apartment last week and taken into custody by McLennan County Sheriff's Office (MCSO). Authorities seized two cellphones and an electronic tablet belonging to Castillo.

Deputies allege that just five minutes prior to his arrest, Castillo sent lewd and threatening messages to people in San Francisco and New Orleans.

McLennan County sheriff Parnell McNamara said the MCSO began investigating Castillo in late December 2019 after receiving complaints from seven Waco-based realtors about pornographic images and messages that they had received from unknown numbers.

The results of the investigation suggest Castillo sent sexually explicit and threatening messages to women in at least twenty cities in ten different states. However, McNamara said Castillo could have stalked hundreds of women in up to 22 states and that he is expecting further victims to come forward.

Currently, Castillo is accused of cyber-stalking agents throughout Texas, including in Amarillo, El Paso, Lubbock, San Antonio, and Waco. The Texan is facing a second-degree felony charge of criminal solicitation with intent to commit aggravated sexual assault of a child.

Police are investigating reports of similar cyber-stalking behavior that have been filed in Tucson, Arizona; Anaheim, Berkeley, Irvine, San Jose, and Santa Clara, California; Broward County and Daytona Beach, Florida; New Orleans, Louisiana; Reno, Nevada; Albany and Manhattan, New York; Belfort, South Carolina; Seattle, Washington; and Washington, D.C.

Oracle issues patches for 333 vulnerabilities

Oracle’s quarterly Critical Patch Updates to be released today include fixes for 333 security vulnerabilities.

The company said in a pre-release announcement that some of the vulnerabilities affect multiple products.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible,” it adds.

The fixes include:

  • 12 new security patches for the Oracle Database Server versions 12.2.0.1, 18c, 19c.  Three of the vulnerabilities may be remotely exploitable without authentication credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed;
  • 23 new security patches for the Oracle E-Business Suite versions 12.1.1-12.1.3, 12.2.3-12.2.9.  The majority of the vulnerabilities may be remotely exploitable without authentication;
  • 50 security patches for Oracle Enterprise Manager, 10 of which may be remotely exploitable without authentication. The highest CVSS v3.0 Base Score of vulnerabilities affecting Oracle Enterprise Manager is 9.8. Versions affected include  Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0, 13.3.0.0;  Enterprise Manager for Fusion Middleware, versions 12.1.0.5, 13.2.0.0, 13.3.0.0; Enterprise Manager for Oracle Database, versions 12.1.0.5, 13.2.0.0, 13.3.0.0; Enterprise Manager Ops Center, versions 12.3.3, 12.4.0 and Oracle Application Testing Suite, versions 13.2, 13.2.0.1, 13.3, 13.3.0.1;
  • 19 security patches for Oracle MySQL, including MySQL Client, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior; MySQL Enterprise Backup, versions 3.12.4 and prior, 4.1.3 and prior and MySQL Server, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior;
  • Eight security patches for Oracle Supply Chain. The highest CVSS v3.0 Base Score of vulnerabilities affecting Oracle Supply Chain is 9.6. Versions affected include Oracle Agile Engineering Data Management, versions 6.2.0, 6.2.1; Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6; Oracle Agile PLM Framework, version 9.3.3; Oracle Agile PLM MCAD Connector, versions 3.4, 3.5, 3.6; Oracle AutoVue 3D Professional Advanced, version 5.3 and Oracle Demantra Demand Management, versions 12.2.4, 12.2.4.1, 12.2.5, 12.2.5.1.

There are also patches for other products including PeopleSoft, Siebel CRM, JD Edwards, Java SE, Oracle Communications Applications, Construction and Engineering, Financial Services Applications, Fusion Middleware and more.

Also today Adobe released security updates for Illustrator CC for Windows and Experience Manager.

 

Adobe Releases First 2020 Patch Tuesday Software Updates

Adobe today released software updates to patch a total of 9 new security vulnerabilities in two of its widely used applications, Adobe Experience Manager and Adobe Illustrator. It's the first Patch Tuesday for the year 2020 and one of the lightest patch releases in a long time for Adobe users. Moreover, none of the security vulnerabilities patched this month were either publicly disclosed or

5G Security

The security risks inherent in Chinese-made 5G networking equipment are easy to understand. Because the companies that make the equipment are subservient to the Chinese government, they could be forced to include backdoors in the hardware or software to give Beijing remote access. Eavesdropping is also a risk, although efforts to listen in would almost certainly be detectable. More insidious is the possibility that Beijing could use its access to degrade or disrupt communications services in the event of a larger geopolitical conflict. Since the internet, especially the "internet of things," is expected to rely heavily on 5G infrastructure, potential Chinese infiltration is a serious national security threat.

But keeping untrusted companies like Huawei out of Western infrastructure isn't enough to secure 5G. Neither is banning Chinese microchips, software, or programmers. Security vulnerabilities in the standards­the protocols and software for 5G­ensure that vulnerabilities will remain, regardless of who provides the hardware and software. These insecurities are a result of market forces that prioritize costs over security and of governments, including the United States, that want to preserve the option of surveillance in 5G networks. If the United States is serious about tackling the national security threats related to an insecure 5G network, it needs to rethink the extent to which it values corporate profits and government espionage over security.

To be sure, there are significant security improvements in 5G over 4G­in encryption, authentication, integrity protection, privacy, and network availability. But the enhancements aren't enough.

The 5G security problems are threefold. First, the standards are simply too complex to implement securely. This is true for all software, but the 5G protocols offer particular difficulties. Because of how it is designed, the system blurs the wireless portion of the network connecting phones with base stations and the core portion that routes data around the world. Additionally, much of the network is virtualized, meaning that it will rely on software running on dynamically configurable hardware. This design dramatically increases the points vulnerable to attack, as does the expected massive increase in both things connected to the network and the data flying about it.

Second, there's so much backward compatibility built into the 5G network that older vulnerabilities remain. 5G is an evolution of the decade-old 4G network, and most networks will mix generations. Without the ability to do a clean break from 4G to 5G, it will simply be impossible to improve security in some areas. Attackers may be able to force 5G systems to use more vulnerable 4G protocols, for example, and 5G networks will inherit many existing problems.

Third, the 5G standards committees missed many opportunities to improve security. Many of the new security features in 5G are optional, and network operators can choose not to implement them. The same happened with 4G; operators even ignored security features defined as mandatory in the standard because implementing them was expensive. But even worse, for 5G, development, performance, cost, and time to market were all prioritized over security, which was treated as an afterthought.

Already problems are being discovered. In November 2019, researchers published vulnerabilities that allow 5G users to be tracked in real time, be sent fake emergency alerts, or be disconnected from the 5G network altogether. And this wasn't the first reporting to find issues in 5G protocols and implementations.

Chinese, Iranians, North Koreans, and Russians have been breaking into U.S. networks for years without having any control over the hardware, the software, or the companies that produce the devices. (And the U.S. National Security Agency, or NSA, has been breaking into foreign networks for years without having to coerce companies into deliberately adding backdoors.) Nothing in 5G prevents these activities from continuing, even increasing, in the future.

Solutions are few and far between and not very satisfying. It's really too late to secure 5G networks. Susan Gordon, then-U.S. principal deputy director of national intelligence, had it right when she said last March: "You have to presume a dirty network." Indeed, the United States needs to accept 5G's insecurities and build secure systems on top of it. In some cases, doing so isn't hard: Adding encryption to an iPhone or a messaging system like WhatsApp provides security from eavesdropping, and distributed protocols provide security from disruption­regardless of how insecure the network they operate on is. In other cases, it's impossible. If your smartphone is vulnerable to a downloaded exploit, it doesn't matter how secure the networking protocols are. Often, the task will be somewhere in between these two extremes.

5G security is just one of the many areas in which near-term corporate profits prevailed against broader social good. In a capitalist free market economy, the only solution is to regulate companies, and the United States has not shown any serious appetite for that.

What's more, U.S. intelligence agencies like the NSA rely on inadvertent insecurities for their worldwide data collection efforts, and law enforcement agencies like the FBI have even tried to introduce new ones to make their own data collection efforts easier. Again, near-term self-interest has so far triumphed over society's long-term best interests.

In turn, rather than mustering a major effort to fix 5G, what's most likely to happen is that the United States will muddle along with the problems the network has, as it has done for decades. Maybe things will be different with 6G, which is starting to be discussed in technical standards committees. The U.S. House of Representatives just passed a bill directing the State Department to participate in the international standards-setting process so that it is just run by telecommunications operators and more interested countries, but there is no chance of that measure becoming law.

The geopolitics of 5G are complicated, involving a lot more than security. China is subsidizing the purchase of its companies' networking equipment in countries around the world. The technology will quickly become critical national infrastructure, and security problems will become life-threatening. Both criminal attacks and government cyber-operations will become more common and more damaging. Eventually, Washington will have do so something. That something will be difficult and expensive­let's hope it won't also be too late.

This essay previously appeared in Foreign Policy.

EDITED TO ADD (1/16): Slashdot thread.

CES 2020: Intel shows off Tiger Lake processors with ‘double-digit performance gains’ and new graphics

At the Intel CES 2020 conference on Jan. 6th, Intel gave a glimpse of its Tiger Lake processor, the next-gen processor that will succeed Ice Lake launched just last year.

Tiger Lake will be manufactured on 10nm+, a refined version of Intel’s current 10nm transistors. The more pluses there are behind the node’s name, the more mature the transistor process. Improved manufacturing processes usually bring better energy efficiency and higher transistor density. For example, Intel’s Coffee Lake processors are manufactured using its 14nm++ transistors.

Also:

Intel Tiger Lake, NUC, Comet Lake-H sneak peek


Through fine-tuning the architecture, Intel promised that Tiger Lake will bring “double-digit performance gains” over Ice Lake. In addition, it will be updated with a next-generation AI engine and even more robust integrated graphics based on its new Xe graphics architecture.

The press conference heavily underscored the importance and utility of AI for professional creatives. Tools like Tapaz can sharpen blurry photos automatically; Adobe Photoshop and Premier can also take advantage of Intel’s AI engine to make better object selections and dynamic subject trimming in videos.

Gregory Bryant, executive vice-president of Intel computing group, shows off a tiny motherboard designed for Tiger Lake. Photo by Tom Li.

To demonstrate its graphics performance, Intel showed a Tiger Lake equipped laptop running several popular videogames at consistent 60 frames per second at 1080p resolution.

Tiger Lake will support Thunderbolt 4 and Wi-Fi 6.

Intel supplemented the Tiger Lake news by showing off a motherboard almost as small as a smartphone. While the company didn’t announce where such a concept would be used, it can enable more computing power in ultra-compact systems such as the Intel NUC.

Tiger Lake is expected to arrive later this year.

 

GCHQ Urges People to No Longer Use Windows 7 PCs for Banking, Email

The Government Communications Headquarters (GCHQ) is urging people to no longer use computers with Windows 7 installed for banking or email. A spokesperson for the National Cyber Security Centre (NCSC), a part of GCHQ, encouraged consumers to upgrade their Windows 7 devices. As quoted in a report by Telegraph: We would urge those using the […]… Read More

The post GCHQ Urges People to No Longer Use Windows 7 PCs for Banking, Email appeared first on The State of Security.

Most Firms Still on Windows 7 as Support Deadline Arrives

Most Firms Still on Windows 7 as Support Deadline Arrives

Two-thirds of UK businesses and two-fifths of US firms are still running Windows 7, according to new research released on the day the operating system, and Windows Server 2008, reach their end-of-support deadline.

Organizations that fail to upgrade their operating systems or invest in costly extended support from Microsoft will no longer receive patches from the vendor, exposing themselves to unnecessary cyber risk, according to Kollective, which issued the research.

“It took many businesses up to three years to move from XP to Windows 7 and we can expect a similar timeline for the move to Windows 10. While a lot of companies have migrated the majority of their systems away from Windows 7, being “almost there” isn’t good enough,” argued Jon O’Connor, solution architect at Kollective.

“It only takes a handful of unsecured devices to launch a full-scale cyber-attack, so having even one or two Windows 7 PCs on your network could pose a serious risk. IT teams need to know for certain that every single device on their networks is off of Windows 7 — but the reality is that most simply don’t know.”

As if to emphasize the potential risks of staying on unsupported operating system versions, news emerged this week that Microsoft is shipping a fix today for a critical flaw in a core Windows component, which could have wide-ranging consequences if left unpatched. The bug is so bad that reports suggest Redmond has already secretly supplied the patch to high-value customers.

Carl Wearn, head of e-crime at Mimecast, urged organizations to ensure they have third-party security tools in place to help shield any exposure to threats.

“As organization’s move their operations to the cloud, legacy support issues like this will likely become a thing of the past in the next 10 to 15 years, but as Windows 7 remains in use across many organisations at present people should be aware of the increased vulnerability which this OS will now experience as it is no longer supported,” he continued.

“Ensuring good cyber hygiene and the use of fallback facilities, as-well as ensuring the updating of a good antivirus solution, becomes even more critical to an organization if it continues to use an unsupported OS.”

Trend Micro argued that “virtual patching,” or intrusion prevention technology, can also help in these circumstances, by protecting unsupported and unpatched operating systems.

“Speaking to numerous businesses over recent weeks, a worryingly high number are prepared to adopt a wait-and-see policy following the end of Server 2008 support on 14 January 2020,” argued VP of sales, Ross Baker.

“This amounts to an extreme hedging of bets and something we would definitely not recommend.”

Some organizations may not be able to upgrade to new OS versions if they have compatibility issues with business-critical legacy applications, or, for example, if Windows has been embedded in OT systems by a manufacturer, added VP of security research, Rik Ferguson.

Lottery hacker gets 9 months for his £5 cut of the loot

We don't care how little you made from your crimes, the judge said. We care that you went after an outfit that gives a ton to charities.

Travelex says it won’t pay ransom to crooks as currency chaos continues

While most of us spent New Year’s Eve celebrating, the IT department at Travelex was grappling with a ransomware virus that was spreading through its systems.

Almost two weeks on, the currency exchange service is finally starting to restore its internal systems, having been forced to take its website offline and suspend many of its operations.

Employees have been forced to work with pen and paper, severely delaying the few processes that could still be performed, while several UK banks that work with the company have had to turn away customers who wanted to order foreign banknotes.

A Royal Bank of Scotland representative said: “We are currently unable to accept any travel money orders either online, in branch or by telephone due to issues with our travel-money supplier, Travelex.

“We apologise for any inconvenience caused.”

Lloyds and Barclays have issued similar statements, causing huge problems for people across the country who are looking to convert their pounds into foreign currency.


What is ransomware?

Ransomware is a specific type of malware that encrypts computer files, essentially locking the owner out of their systems.

The ransomware will then display a message demanding that the victim make a payment to regain access.

Criminals generally plant malware on victims’ computers by hiding it in an attachment contained within a phishing email.


Why not just pay the ransom?

Many ransomware victims feel obliged to pay up, because it’s the quickest way to get back to business.

However, experts generally urge organisations not to negotiate, because payments help fuel the cyber crime industry and there’s no guarantee that meeting the criminals’ demands will put the infected organisation in a better position.

For example, there’s the possibility that the cyber criminals will up the ransom demand if you try to negotiate, or that they won’t keep their word once you’ve paid.

There have also been cases where the ransomware has contained bugs that make it impossible to decode the data once you’ve received the decryption key.

You should also acknowledge that buying your freedom will only solve one small problem. Your IT team will still have to spend hours – if not days – restoring your systems, and you’ll still face the repercussions of massive delays.

That’s why experts say it’s better to use the money to get straight to your recovery. You’ll have the moral victory of fighting off cyber criminals – demonstrating in the process that it’s not worth targeting you again in the future – while also approaching the situation proactively.


See also:


Proactivity is essential when it comes to security incidents, because you’ll need to prove that you’ve considered the risks and have a response plan.

This is equally important for employees, who should feel that management has the situation under control, as it is for the ICO (Information Commissioner’s Office), which regulates GDPR (General Data Protection Regulation) compliance in the UK.

A further problem Travelex faces is that it didn’t report the incident to the ICO when it was first infected. And remember, it’s still a data breach if cyber criminals are locking you out of your systems rather than stealing sensitive data. That’s because a data breach is classed as anything that affects the confidentiality, integrity or availability of information.

Ransomware attack can also develop into ‘traditional’ data breaches if the criminals are able to access information from the locked systems. The criminal hackers in this case have claimed to have done that by siphoning off 5 GB of data from Travelex’s databases.

Preventing ransomware attacks

It’s impossible to avoid the risk of ransomware altogether, because there are so many ways that cyber criminals can target you.

However, as the majority of infections are the result of malicious attachments in phishing emails, you can eradicate your biggest threat by training employees to spot suspicious messages.

You can give them the tools they need by enrolling them on our phishing and ransomware e-learning course.

This ten-minute course introduces employees to the associated risks and describes the link between phishing and ransomware. Armed with this knowledge, your staff will be better equipped to detect suspicious emails and know how to respond.

Learn more


 

The post Travelex says it won’t pay ransom to crooks as currency chaos continues appeared first on IT Governance UK Blog.

20 IT resolutions for 2020

Even in the high-touch field of healthcare, where human interactions remain core to the delivery of most services, IT exec Bill Fandrich feels the pressure to bring technology-fueled transformations to bear.

Fandrich, senior vice president and CIO of Blue Cross Blue Shield of Michigan, says he must focus on how to use technology to create higher quality, more affordable services as well as to improve interactions for administrators, medical providers and patients. And he must determine, out of all the technology options available, which ones deliver the most returns for the best value based on his company’s overall goals and objectives.

He takes the pressure in stride, saying: “It’s kind of amazing being in technology now because there has not been a more impactful time when it comes to the value and importance of IT.”

To read this article in full, please click here

(Insider Story)

Texas School District Loses $2.3m in Phishing Raid

Texas School District Loses $2.3m in Phishing Raid

A Texas school district has found out the hard way that phishing attacks remain a serious financial threat to organizations of all shapes and sizes, losing an estimated $2.3m in a recent scam.

Manor Independent School District took to Twitter to post official confirmation that the FBI is currently investigating the incident.

“This investigation is still ongoing and although there are strong leads in the case we are still encouraging anyone with information to contact Detective Lopez at the Manor Police Department,” it added.

According to reports, three separate fraudulent transactions took place in November last year following the phishing attack, although there are few other details to go on.

The news comes as school districts in the US battle against a growing threat from ransomware.

Data released by Armor in December 2019 revealed that 72 districts had been impacted during the year, affecting an estimated 1039 schools nationwide. Separate findings from Emisoft released at the end of the year claimed as many as 1224 schools may have been affected.

Javvad Malik, security awareness advocate at KnowBe4, argued that employee error needs to be addressed more effectively by organizations at risk of phishing attacks.

“Cyber-criminals will attack organizations with the intention of getting the highest return on investment. Usually this translates into social engineering attacks, which are in essence cons against people to do things against the interest of the company,” he added.

“This usually occurs in the form of phishing emails, but can also be SMS messages or phone calls. Therefore, organizations should take time to invest in security awareness and training so that they can be better-prepared to identify and report any suspicious activity.”

Ed Macnair, CEO of Censornet, argued that in failing to mitigate the risk of phishing, the Texas school district also potentially exposed its 10,000 pupils to data theft.

“There is no doubt about the importance of training employees to recognize these modern phishing techniques. Unfortunately, emotions often take over from reason in these situations and no amount of training can account for this,” he added.

“Employee awareness therefore needs to be combined with a robust, multi-layered approach to email security. Traditional pattern matching technologies are useless against modern techniques and organizations need to combine algorithmic analysis, threat intelligence and executive name checking to efficiently protect themselves.”

How does Artificial Intelligence boost the power of cybersecurity?

Estimated reading time: 2 minutes

An artificial intelligence (AI) revolution is brewing in cybersecurity. A recent market report pegged the global artificial intelligence (AI) in the cybersecurity market to be worth USD 7.1 billion in 2018 and expected to reach approximately USD 30.9 billion by 2025, at a CAGR of around 23.4%.

There is a sea of change in cybersecurity attack patterns with enterprises turning to new technology and approaches to stay ahead of these threats. Thanks to the increasing volume and velocity of modern-day threats, enterprises are rapidly moving towards a threat detection and response approach— this is where artificial intelligence can greatly help.

Through AI-based solutions, enterprises will be able to improve threat intelligence, protection and detection at a much faster rate than before. AI will enable this by reducing the requirement of having specialized cybersecurity experts within the enterprise – a factor which will be welcomed by an industry which faces a rapid skill shortage in this domain.

An easier way to deal with data overload

Currently, there’s an overload of data for information security teams to deal with. The data is both structured and unstructured; analyzing it is a manual and repetitive task. Teams spend inordinate amounts of time on analyzing all this data manually — the risk for error is high and the time is also not spent productively.

Through machine learning and deep learning techniques, data analysis can be left to artificial intelligence, leaving cybersecurity employees to more productively use their time. By analysis and tracking millions of data from various sources, an AI system can be trained to better understand cybersecurity threats.

The power of automation

In the last couple of years, there have been fears raised over whether artificial intelligence will take over jobs, leaving humans redundant. It is natural to have such concerns leading to pushback against the implementation of AI in a workforce. However, when it comes to cybersecurity, AI and its resultant tools like machine learning and automation will actually augment a workforce.

Automation, for example, will mitigate repeatable tasks and operate them at a pace far greater than an average human being ever can, providing faster and better results. The benefit for cybersecurity teams is twofold – fatigue is reduced and time is spent on finding better ways to secure an enterprise.

Speeding up incident response through Artificial Intelligence

According to the latest study by Ponemon, the global average time to identify and contain a data breach is a whopping 279 days. Enterprises are aware that with the magnitude of threats around them, the incident response has become a key priority and artificial intelligence can be a key ally in this case.

AI can detect threats or suspicious activity on a real-time analysis sending actionable intelligence for incident response in a matter of seconds. By tapping into the power of artificial intelligence, enterprises will see a faster response to threats, enabling better security and intelligence.

Drive a more efficient organization

Cumulatively, the benefits of AI in cybersecurity add up to create a more efficient organization. With a better and more rigorous analysis of both unstructured and structured data along with continuous assessments of new threats, an enterprise’s cybersecurity framework is far more solid and defined. In the long run, AI-powered enterprises will be more efficient and have greater productivity.

Seqrite understands the need for enterprises to integrate AI into their cybersecurity efforts. GoDeep.AI, Seqrite’s proprietary Artificial Intelligence capability is now embedded in most of the inventory, offering a Cloud-based Deep Learning Module, Advanced Behavior Detection System and other powerful features to provide a unique AI-based cybersecurity solution.

The post How does Artificial Intelligence boost the power of cybersecurity? appeared first on Seqrite Blog.

Cisco addressed a high-severity bug in Webex that could allow Remote Code Execution

Tech giant Cisco has recently addressed two high-severity vulnerabilities affecting its Webex and IOS XE Software products.

Cisco Systems has released security fixes for two high-severity vulnerabilities in its products, including a remote code execution flaw in the Webex video conferencing platform.

The Webex flaw resides in the web-based management interface of Cisco Webex Video Mesh, a feature that enables on-premises infrastructure for video conferencing.

“A vulnerability in the web-based management interface of Cisco Webex Video Mesh could allow an authenticated, remote attacker to execute arbitrary commands on the affected system.” reads the security advisory published by Cisco.

“The vulnerability is due to improper validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by logging in to the web-based management interface with administrative privileges and supplying crafted requests to the application. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with root privileges on a targeted node.”

An authenticated, remote attacker could exploit the issue by supplying crafted requests to the application.

This flaw affects Cisco Webex Video Mesh Software releases earlier than 2019.09.19.1956m.

The vulnerability has received a CVSS score of 7.2 out of 10, the good news is that Cisco said that it is not aware of any attacks exploiting the flaw in the wild.

Cisco also addressed a high-severity flaw in the web user interface of Cisco IOS and Cisco IOS XE Software that runs on Cisco routers and switches.

“A vulnerability in the web UI of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.” reads the Cisco security advisory.

“The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device.”

The vulnerability could be exploited by an unauthenticated, remote attacker to launch a cross-site request forgery (CSRF) attack on the vulnerable devices. An attacker could exploit the issue by tricking the victims into clicking specially-crafted links that then send a forged request to the webserver running on the device.

The attacker could exploit the vulnerability to perform arbitrary actions with the privilege level of the targeted user.

The issue affects Cisco devices that are running vulnerable releases of Cisco IOS or Cisco IOS XE Software earlier than 16.1.1 with the HTTP Server feature enabled.

The flaw was reported by Mehmet Önder Key and received a CVSS score of 8.8, Cisco is not aware of any exploits in the wild against the issue.

Pierluigi Paganini

(SecurityAffairs – Cisco WebEx, hacking)

The post Cisco addressed a high-severity bug in Webex that could allow Remote Code Execution appeared first on Security Affairs.

China-linked APT40 group hides behind 13 front companies

A group of anonymous security researchers that calls itself Intrusion Truth have tracked the activity of a China-linked cyberespionage group dubbed APT40.

A group of anonymous security researchers that calls itself Intrusion Truth has discovered that a China-linked cyberespionage group, tracked as APT40, uses 13 front companies operating in the island of Hainan to recruit hackers.

The Intrusion Truth group has doxed the fourth Chinese state-sponsored hacking operation.

“We know that multiple areas of China each have their own APT.” reads the report.

“After a long investigation we now know that it is possible to take a province and identify front companies, from those companies identify individuals who work there, and then connect these companies and individuals to an APT and the State.”

The Intrusion Truth group has already other APT groups operating in other provinces of the country, including APT3 (from the Guangdong province), APT10 (from Tianjin province), and APT17 (Jinan province). The last group tracked by the researcher is now operating out of the Hainan province, an island in the South China Sea.

Intrusion Truth did not associate the group from Hainan with a specific Chinese APT group, but FireEye and Kaspersky researchers believe that the China-linked group is the APT40 (aka TEMP.PeriscopeTEMP.Jumper, and Leviathan).

The cyber-espionage group tracked as APT40 (aka TEMP.PeriscopeTEMP.Jumper, and Leviathan), apparently linked to the Chinese government, is focused on targeting countries important to the country’s Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).

APT40

Experts believe that APT40 is a state-sponsored Chinese APT group due to its alignment with Chinese state interests and technical artifacts suggesting the actor is based in China.

The APT40 group has been active since at least 2013 and appears to be focused on supporting naval modernization efforts of the Government of Beijing. Threat actors target engineering, transportation, and defense sectors, experts observed a specific interest in maritime technologies.

The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry.

The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.

The 13 companies identified by the Intrusion Truth have similar characteristics, like the lack of an online presence, and experts noticed overlapping of contact details and share office locations. The companies were all involved in the recruiting of hackers with offensive security skills.

“Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum,” reads the post published by Intrusion Truth.

“While the companies stress that they are committed to information security and cyber-defence, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks,” they go on to say.

According to the experts, a professor in the Information Security Department at the Hainan University was tasked with recruiting for the 13 companies.

One of the above companies was headquartered in the University’s library, and the professor was also a former member of China’s military.

“Following further analysis, we noticed a close association between these Hainan front companies and the academic world. Multiple job adverts for the companies are posted on university websites. Hainan Xiandun even appears to operate from the Hainan University Library!” continues the post. “Gu Jian, a Professor in the Information Security Department and former member of the PLA is now the contact person for an APT front company which itself is linked to twelve other front companies.”

Technical details of the analysis are included in the report published by the experts.

Pierluigi Paganini

(SecurityAffairs – Intrusion Truth, APT40)

The post China-linked APT40 group hides behind 13 front companies appeared first on Security Affairs.