Author Archives: Rajiv D

Packet Storm: GNU inetutils 1.9.4 telnet.c Overflows

GNU inetutils versions 1.9.4 and below are vulnerable to a stack overflow in the client-side environment variable handling, which can be exploited to escape restricted shells on embedded devices. Most modern browsers no longer support telnet:// handlers, but where URI handlers are enabled for the inetutils telnet client this issue may be remotely triggerable. A stack-based overflow is present in telnet.c's handling of environment variables when connecting to remote telnet servers with oversized DISPLAY arguments. A heap overflow is also present in a different code path and can be triggered by supplying oversized environment variables during the client connection code.

Packet Storm

Packet Storm: Mikrotik RouterOS Telnet Arbitrary Root File Creation

An exploitable arbitrary file creation weakness has been identified in Mikrotik RouterOS that can be leveraged by a malicious attacker to exploit all known versions of Mikrotik RouterOS. RouterOS contains a telnet client based on GNU inetutils with modifications to remove the shell subsystem. However, an attacker can leverage the "set tracefile" option to write an arbitrary file into any "rw" area of the filesystem, escaping the restricted shell to gain access to an "ash" busybox shell on some versions. The file is created with root privileges regardless of the RouterOS-defined group.


Packet Storm: GNU Privacy Guard 2.2.12

GnuPG (the GNU Privacy Guard or GPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. As such, it is meant to be compatible with PGP from NAI, Inc. Because it does not use any patented algorithms, it can be used without any restrictions.


Infosecurity – Latest News: ICO Slaps £200K Fine on Nuisance Text Biz

ICO Slaps £200K Fine on Nuisance Text Biz

The Information Commissioner’s Office (ICO) has fined a London-based company £200,000 for sending millions of nuisance texts to unsuspecting consumers.

Tax Return Limited sent a staggering 14.8 million text messages between July 2016 and October 2017 without gaining proper consent first.

The firm claimed in its defense that consent had been given through third-party websites, but the ICO ruled that these privacy policies were too vague and generic. What’s more, neither Tax Return nor the third party service provider it used for its campaign were listed on the policies.

“Spam texts are a real nuisance to people across the country and this firm’s failure to follow the rules drove over 2,100 people to complain,” claimed ICO director of investigations, Steve Eckersley.

“Firms using third-party marketing services need to double-check whether they have valid consent from people to send promotional text messages to them. Generic third-party consent is also not enough and companies will be fined if they break the law.”

The ICO has the power to fine firms up to £500,000 for breaking the Privacy and Electronic Communications Regulations (PECR): the regime which governs marketing calls, emails, texts and faxes.

Tax Return is just one of many firms to have been fined large sums by the regulator over the past few years.

Last month the ICO fined ACT Response of Middlesbrough £140,000 for sending 496,455 marketing calls to subscribers of the Telephone Preference Service (TPS) who had signed up specifically to avoid nuisance calls. Secure Home Systems (SHS) of Bilston, West Midlands, was fined £80,000 for making calls to 84,347 TPS-registered numbers.

Other offending firms include Keurboom Communications (£400K), Miss-Sold Products UK (£350K), and Your Money Rights (£350K), among many more.

Campaigners have called on the government to come good on its promise to directly fine directors of companies which breach the PECR. A current loophole means many seek bankruptcy to escape punishment, only to go on to set up new businesses.
Infosecurity - Latest News

Packet Storm: Safari Proxy Object Type Confusion

This Metasploit module exploits a type confusion bug in the JavaScript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of, e.g., an argument without causing a bailout, leading to a type confusion.


Packet Storm: Falco 0.13.0

Sysdig Falco is an open source behavioral activity monitoring agent with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think of Falco as a mix between snort, ossec and strace.


Packet Storm: HP Security Bulletin MFSBGN03837 1

HP Security Bulletin MFSBGN03837 1 - Vulnerabilities in Apache Tomcat were addressed by Micro Focus Network Node Manager i. The vulnerabilities could be exploited for Remote Cross-Site Scripting (XSS) and Remote Disclosure of Information. Revision 1 of this advisory.


Packet Storm: HP Security Bulletin MFSBGN03835 1

HP Security Bulletin MFSBGN03835 1 - The SSC REST API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users access to arbitrary details of Local and LDAP users via the POST method and to arbitrary details of other users' Fortify projects via the GET method. Revision 1 of this advisory.


Packet Storm: Debian Security Advisory 4354-1

Debian Linux Security Advisory 4354-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or bypass of the same-origin policy.


Packet Storm: Red Hat Security Advisory 2018-3816-01

Red Hat Security Advisory 2018-3816-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Issues addressed include memory disclosure and client-side security problems.


Packet Storm: WebDAV Server Serving DLL

This Metasploit module simplifies the rundll32.exe Application Whitelisting Bypass technique. The module creates a WebDAV server that hosts a DLL file. When the user types the provided rundll32 command on a system, rundll32 will load the DLL remotely and execute the provided export function. The export function needs to be valid, but the default meterpreter function can be anything. The process does write the DLL to C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV but does not load the DLL from that location. This file should be removed after execution. The extension can be anything you'd like, and you don't have to use one at all. Two files will be written to disk: one with the requested name and one with a .dll extension attached.


Packet Storm: Ubuntu Security Notice USN-3845-1

Ubuntu Security Notice 3845-1 - Eyal Itkin discovered FreeRDP incorrectly handled certain stream encodings. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applies to Ubuntu 18.04 LTS and Ubuntu 18.10. Eyal Itkin discovered FreeRDP incorrectly handled bitmaps. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.


Packet Storm: WordPress Snap Creek Duplicator Code Injection

When the WordPress plugin Snap Creek Duplicator restores a backup, it leaves dangerous files such as installer.php and installer-backup.php in the filesystem. These files allow anyone to call a function that overwrites the wp-config.php file, AND this function does not sanitize POST parameters before inserting them into wp-config.php, leading to arbitrary PHP code execution. WARNING: This exploit WILL break the wp-config.php file. If possible, restore a backup of the configuration after the exploit to make the WordPress site work again.


Packet Storm: Ubuntu Security Notice USN-3844-1

Ubuntu Security Notice 3844-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, bypass same-origin restrictions, or execute arbitrary code. Multiple security issues were discovered in WebExtensions. If a user were tricked into installing a specially crafted extension, an attacker could potentially exploit these to open privileged pages or bypass other security restrictions. Various other issues were also addressed.


Search Msdn: Take C# 8.0 for a spin | .NET Blog – blogs.msdn.microsoft.com

Take C# 8.0 for a spin. Yesterday we announced the first preview of both Visual Studio 2019 (Making every developer more productive with Visual Studio 2019) and .NET Core 3.0 (Announcing .NET Core 3 Preview 1 and Open Sourcing Windows Desktop Frameworks). One of the exciting aspects of that is that you get to play with some of the features coming in C# 8.0!

Search Msdn

Search Msdn: Open Sourcing XAML Behaviors for WPF | .NET Blog

Today, we are excited to announce that we are open sourcing XAML Behaviors for WPF. In the past, we open sourced XAML Behaviors for UWP, which has been a great success, and the Behaviors NuGet package has been downloaded over 500k times. One of the top community asks has been to support WPF in the same way. XAML Behaviors for WPF now ships as a NuGet package – Microsoft.Xaml.Behaviors.Wpf.


DataBreachToday.com RSS Syndication: Weak Encryption Leaves Mobile Health App at Risk for Hacking

DHS, Philips Issue Advisories for HealthSuite Android Health App
The lack of strong encryption in Philips' HealthSuite Health Android app leaves the mobile health software vulnerable to hacking, according to a new advisory issued by the medical device manufacturer and an alert from the Department of Homeland Security.

DataBreachToday.com RSS Syndication

Packet Storm: Ubuntu Security Notice USN-3837-2

Ubuntu Security Notice 3837-2 - USN-3837-1 fixed vulnerabilities in poppler. A regression was reported regarding the previous update. This update fixes the problem. It was discovered that poppler incorrectly handled certain PDF files. An attacker could possibly use this issue to cause a denial of service. Various other issues were also addressed.


Packet Storm: Debian Security Advisory 4353-1

Debian Linux Security Advisory 4353-1 - Multiple security issues were found in PHP, a widely-used open source denial of service/information disclosure when parsing malformed images, the Apache module allowed cross-site-scripting via the body of a insufficient input validation which can result in the execution of arbitrary shell commands in the imap_open() function and denial of service in the imap_mail() function.


Infosecurity – Latest News: Amplification Bots Retweet Misinformation

Amplification Bots Retweet Misinformation

Amplification bots spread both information and misinformation across Twitter's social network through retweets, and according to new research from Duo Security, these bots not only affect how content spreads but also how the information is perceived.

Published today, Anatomy of Twitter Bots: Amplification Bots, by Jordan Wright and Olabode Anise, details the characteristics that make up amplification bots based on a data set of 576 million tweets. The researchers also looked at how to build a crawler that can map out entire botnets of this kind.

The research is the culmination of a three-part series that began at Black Hat 2018 with "Don’t @ Me: Hunting Twitter Bots at Scale" and was followed by a more detailed explanation of how fake followers operate.

The focus in this final part of the series is on automated retweeting. Because retweeting is what boosts an account's popularity, amplification bots are concerning from an information security perspective. “Automated retweeting of a tweet [is considered] to be more damaging to social network conversation, since it actively spreads content as opposed to just artificially boosting the content’s popularity,” the authors wrote.

Determining which accounts are bots and which are authentic took a bit of work, though. In essence, researchers had to distinguish different patterns of likes and retweets from a wide sampling of accounts.

“We found that an average account’s timeline is composed 37.6 percent of retweets while the 90th percentile was composed of 75 percent of retweets. Because our dataset of tweets does include accounts that exhibit bot-like characteristics, it’s important to note that the overall distribution of retweets in an account’s timeline may be affected by their behavior.”

Research suggested a key factor that distinguishes bots from actual user accounts is found in the timeline, with actual users tending to retweet in consecutive order while the activity of bots is more scattered. After determining normal behaviors, researchers set out to find bots as seen in the image below:

[Image: Credit: Duo Security]

“The account’s most recent (re)tweet has 969 retweets and 164 likes, which is strange. Most tweets with that many retweets won’t have a retweet-to-like ratio of almost 6:1. To put some numbers to how rare this is, only 0.2 percent of tweets in our dataset had more than at least 900 retweets and a similar retweet-to-like-ratio,” researchers wrote.

Finding one bot then opened the door to the discovery of many more amplification bots, which have the potential to sully the credibility of retweets, though separating legitimate information from misinformation remains a challenge.

Infosecurity – Latest News: House Report Says Equifax Breach Was Preventable

House Report Says Equifax Breach Was Preventable

The US House of Representatives Committee on Oversight and Government Reform released its report on the Equifax breach. It found that the lack of modernized security controls combined with dozens of expired certificates created vulnerable systems and resulted in the data breach of 143 million records.

The cyberattack that started on May 13, 2017, lasted for 76 days, during which time malicious actors were able to access and exfiltrate unencrypted personally identifiable information hundreds of times, according to the report.

The breach resulted in CEO Richard Smith announcing his retirement on September 26, 2017, a little over a month after he had delivered a speech at the University of Georgia in which he explained that the company manages massive amounts of very unique data.

Smith stated: “We have data on approaching 100 million companies around the world. The data assets are so large, so unique it is...credit data, it is financial data – we have something like $20 trillion of wealth data on individuals, so how many annuities, mutual funds, equities you own. About $20 trillion on property data, so property that you might own – what the value was when you bought it, what it’s worth today. Utility data, marketing data, I could go on and on and on – but massive amounts of data.” 

According to the committee’s findings, “Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation.”

“This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains.”

In addition, building critical IT applications on custom-built legacy systems added to the complexity of Equifax’s systems, which was addressed too late to prevent the breach. The report noted that Equifax understood that operating legacy IT systems posed inherent security risks, as evidenced by the company’s action to modernize its infrastructure – steps that should have been taken much sooner.

The committee concluded that “Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.”

Infosecurity – Latest News: Middle East Servers Targeted in Saipem Cyber-Attack

Middle East Servers Targeted in Saipem Cyber-Attack

Oil services company Saipem, based in Milan, Italy, was the victim of a cyber-attack that appears to be targeting servers in the Middle East, according to reports from Reuters.

The attack targeted servers in Saudi Arabia, the United Arab Emirates and Kuwait, while the servers in Italy, France and Britain remain unaffected, according to Saipem’s head of digital and innovation, Mauro Piasere. The attack origination has not yet been determined.

“The servers involved have been shut down for the time being to assess the scale of the attack,” Piasere told Reuters.

Information Security tried to contact Saipem. As of the time of writing, the company has not responded. The company did share an announcement on its website in which it stated:

“We are collecting all the elements useful for assessing the impact on our infrastructures and the actions to be taken to restore normal activities. We are also in the process of notifying the report of the incident to the competent authorities.”

A small Aberdeen, Scotland, office is the only European site affected by the attack, which has impacted 400 servers that remain down as the company investigates, according to Bloomberg Law.

“It's still too early to tell, but given Saipem's position as a trusted third-party supplier to Saudi Aramco, an educated guess would be that the adversary is the same one that attacked Saudi Aramco in the past – which points to the destructive Shamoon attacks of 2012 and 2016, now widely attributed to Iran," said Phil Neray, VP of industrial cybersecurity at CyberX.

Earlier this year, Saipem announced that it was looking to transition from oil and gas construction to offshore and wind energy, Energy Voice reported. To that end, it has invested $55m into technological innovation, though it is unclear what percentage of that investment is slated for cybersecurity.

Packet Storm: Red Hat Security Advisory 2018-3817-01

Red Hat Security Advisory 2018-3817-01 - Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the references section below. Security fix: Issues addressed include a cross site scripting vulnerability.


Packet Storm: CyberLink LabelPrint 2.5 Stack Buffer Overflow

This Metasploit module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below. The vulnerability is triggered when opening a .lpp project file containing an overly long string via the open-file menu. This overwrites a structured exception handler record, allowing the application to be taken over. This Metasploit module has been tested on Windows 7 (64 bit), Windows 8.1 (64 bit), and Windows 10 (64 bit).


Packet Storm: Faraday 3.4

Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for the distribution, indexing and analysis of the data generated during a security audit. The main purpose of Faraday is to re-use the tools available in the community and take advantage of them in a multiuser way.


DataBreachToday.com RSS Syndication: Equifax Breach ‘Entirely Preventable,’ House Report Finds

Democrats Slam Republican Report for Not Advancing New Breach-Prevention Laws
The data breach suffered by Equifax in 2017 "was entirely preventable," according to a report released by the House Oversight Committee's Republican majority. Some Democratic lawmakers have slammed the report for failing to advance legislative or oversight changes to help prevent future breaches.


Infosecurity – Latest News: Quarter of NHS Trusts Have No Security Pros

Quarter of NHS Trusts Have No Security Pros

New research has revealed a dearth of qualified cybersecurity staff in the NHS and low levels of spending on in-house training for employees.

RedScan received Freedom of Information (FOI) responses from 159 trusts between August and November.

It found that nearly a quarter of trusts have no qualified security professionals working in-house despite some of them employing as many as 16,000 staff.

Although some of this security work is outsourced by the health service, RedScan director of cybersecurity, Mark Nicholls, claimed that security specialists should still number more than the average of one per 2,628 employees revealed by the research.

“There’s no magic number. Every organization has a responsibility to assess its cybersecurity risk and make a judgement call about the number of trained professionals it needs. Factors to consider include the size of the network, number of employees, systems in use, plus the type and quantity of data stored,” he told Infosecurity.

“When you consider how big a target the NHS is, how diverse and interconnected its networks are and how many people rely on healthcare services day-to-day, it’s pretty clear that trusts lack the specialist skills required. The fact that several trusts with more than 10,000 employees had no security professionals whatsoever is a great concern.”

What’s more, trusts spent an average of only £5,356 on data security training over the past 12 months, with GDPR understandably the most common course type undertaken. However, this average figure hides a wide disparity in spending, with some trusts forking out just £238 and others as much as £78,000.

Trusts are also failing to meet minimum standards on information governance (IG) training, with NHS Digital requiring 95% of all staff to pass such training every 12 months, according to RedScan. Unfortunately, just 12% of trusts that sent back FOI answers had met this target, with the majority having trained 80-95% of staff.

However, a quarter had trained less than 80%, with some claiming less than half had been sent on IG courses.

The healthcare sector accounted for 43% of all data breach incidents reported to the ICO between January 2014 and December 2016, although this figure may be relatively high because of mandatory reporting requirements in the sector.

It added another 619 incidents in Q2 2018/19 alone, including 420 labelled as “disclosure of data” and 190 security-related.

DataBreachToday.com RSS Syndication: Fresh Google+ Bug Exposed 52.2 Million Users’ Data

Google Advances Date for Mothballing Google+ Social Network for Consumers
Google says a buggy API update it pushed last month for its soon-to-be-mothballed Google+ social network exposed personal information for 52.2 million users. The data-exposure alert arrives just two months after Google admitted that a March problem with the same API exposed data for 500,000 users.


Infosecurity – Latest News: New Google+ Bug Moves Site End Date Forward

New Google+ Bug Moves Site End Date Forward

Google is speeding up the closure of its unpopular social networking platform after discovering a new bug affecting over 52 million users.

The tech giant announced in October that it would be shutting Google+ in August 2019. However, that date has been brought forward to April next year, while its APIs will disappear “within the next 90 days,” according to G Suite product management VP, David Thacker.

The reason appears to be a newly discovered vulnerability in the API which the firm says impacts roughly 52.5 million users.

“With respect to this API, apps that requested permission to view profile information that a user had added to their Google+ profile — like their name, email address, occupation, age — were granted permission to view profile information about that user even when set to not-public,” Thacker explained.

“In addition, apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.”

On the plus side, however, no developers were able to access information such as financial data, ID numbers, passwords, or similar which could have been used for identity theft. Google also said it has no evidence any developers abused the access they did have to users’ non-public information.

Thacker said Google was in the process of notifying any enterprise customers affected by the bug, with a list of impacted users being sent to system administrators.

The original vulnerability disclosed in October shared non-public profile information including name, email address, occupation, gender and age with others. Around 500,000 users were thought to be affected.

Packet Storm: Red Hat Security Advisory 2018-3804-01

Red Hat Security Advisory 2018-3804-01 - In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Update Support for Red Hat Enterprise Linux 7.3 will be retired as of November 30, 2018, and active support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including Critical Impact security patches or Urgent Priority bug fixes, for Red Hat Enterprise Linux 7.3 EUS after November 30, 2018.


Packet Storm: Ubuntu Security Notice USN-3841-2

Ubuntu Security Notice 3841-2 - USN-3841-1 fixed a vulnerability in lxml. This update provides the corresponding update for Ubuntu 12.04 ESM. It was discovered that lxml incorrectly handled certain HTML files. An attacker could possibly use this issue to conduct cross-site scripting attacks. Various other issues were also addressed.


Packet Storm: Red Hat Security Advisory 2018-3800-01

Red Hat Security Advisory 2018-3800-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include improper path handling.


Packet Storm: Red Hat Security Advisory 2018-3805-01

Red Hat Security Advisory 2018-3805-01 - In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Update Support for Red Hat Enterprise Linux 6.7 will be retired as of December 31, 2018, and active support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including Critical Impact security patches or Urgent Priority bug fixes, for Red Hat Enterprise Linux 6.7 EUS after December 31, 2018.


Packet Storm: Red Hat Security Advisory 2018-3806-01

Red Hat Security Advisory 2018-3806-01 - In accordance with the Red Hat Enterprise Linux Errata Support Policy, Telco Update Service for Red Hat Enterprise Linux 6.6 will be retired as of December 31, 2018, and active support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including Critical Impact security patches or Urgent Priority bug fixes, for Red Hat Enterprise Linux 6.6 TUS after December 31, 2018.


Infosecurity – Latest News: House Releases Cybersecurity Strategy Report

House Releases Cybersecurity Strategy Report

The House Energy and Commerce Committee released the comprehensive Cybersecurity Strategy Report, in which it identified procedures to both address and prevent cybersecurity incidents.

In the report, the committee identified six key concepts and priorities, noting, “The identification of these principles shaped the subcommittee’s approach to cybersecurity and guided subsequent work. As each of these concepts emerged, the subcommittee began exploring and analyzing possible strategies for addressing them.”

In addition to recognizing that there will always be unknowns and that it’s impossible to protect what you don’t know you have, the committee also realized that software is no longer written but assembled. As a result, there must be a common cybersecurity language, which was the fourth concept. The remaining two concepts stated, “Digital assets age faster and less predictably than physical ones. Cybersecurity takes a 'whole-of-society' approach.”

In attempting to answer the question, "If traditional IT strategies have proven ineffective, what can organizations do to better strengthen their cybersecurity capabilities?," identifying these six concepts led the committee to outline six priorities, which are:

  • Priority 1: The widespread adoption of coordinated disclosure programs.

  • Priority 2: The implementation of software bills of materials across connected technologies.

  • Priority 3: The support and stability of the open-source software ecosystem.

  • Priority 4: The health of the Common Vulnerabilities and Exposures (CVE) program.

  • Priority 5: The implementation of supported lifetimes strategies for technologies.

  • Priority 6: The strengthening of the public–private partnership model.

“Cybersecurity has become a priority for all Americans – from government and military leaders and corporate executives to small-business owners and everyday families,” said Rep. Greg Walden of Oregon, according to KTVZ.com. “That’s why we must take steps to strengthen our ability to confront the threats facing the internet and connected technologies that we are increasingly dependent on.

"This latest report outlines a strategy that, based on the significant body of work the Energy and Commerce Committee has already completed, would elevate cybersecurity capabilities across all sectors. We’ve had real bipartisan success in pursuing several of these policies at the committee, and I look forward to working across the aisle in the upcoming session of Congress to continue this vital work.”

Infosecurity – Latest News: Privacy a Key Concern for Telecoms and Consumers

Privacy a Key Concern for Telecoms and Consumers

Two recently published surveys about the telecom industry revealed that privacy as it relates to security and the internet of things (IoT) has become a top concern for both businesses and consumers.

Allot Telco's security trends report for 2018’s third quarter found that 50% of consumers polled were concerned about loss of privacy or a cyber-attack. Additionally, 72% of the consumers surveyed stated that they were willing to pay a monthly fee, averaging $5.26, for an IoT security service, and 16% of those who would buy security services would make that investment with their internet service providers (ISPs).

More than 1,200 consumers across 10 different countries participated in the survey, which found that "to improve the security posture of homes and connected devices, the following must occur: Security at the device level must improve and security must be delivered at the network level."

Similar sentiments were echoed in the recent 2018 Annual Industry Survey, published by Telecoms.com: 75% of the 1,500 global telecom industry executives surveyed said that privacy was the key concern of consumers living in a highly connected smart home, followed by identity theft, fraud and vandalism through hacking into connected devices.

Further, 90% of all respondents thought consumers would be willing to pay for smart-home cybersecurity service. Nearly three-quarters (74%) thought consumers would be happy to pay up to $10 a month.

“Over half of the respondents identified four different types of security solutions – DNS blacklisting/firewalls, IP/domain blacklisting, antivirus solutions, and deep packet inspection. Service providers need security capabilities that are high performance and multilayered. They should adopt targeted measures to secure every potential vulnerability, including the data center, control plane, and applications,” the report said.

According to the report, in view of these concerns industry professionals are planning to actively deliver IoT security services. To that end, 56% of respondents saw IoT as an important driver to expand their service portfolio and 46% saw it as a significant channel for new revenue.



Infosecurity - Latest News

DataBreachToday.com RSS Syndication: Eastern European Bank Hackers Wield Malicious Hardware

'DarkVishnya' Heists Stole Tens of Millions of Dollars, Kaspersky Lab Says
Hackers have been plugging inexpensive hardware into banks' local area networks to help perpetrate heists that have stolen tens of millions of dollars, warns Kaspersky Lab. It says that since 2017, the "DarkVishnya" attack campaign has hit at least eight Eastern European banks.
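The DarkVishnya campaign summarised above depended on unmanaged hardware appearing on a bank's LAN. One inexpensive way to notice that is to compare every completed DHCP lease against the asset inventory. The following is an added Python example, not code from Kaspersky Lab or DataBreachToday; the ISC dhcpd log lines, MAC addresses, hostnames and the ASSET_INVENTORY table are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample ISC dhcpd syslog lines (illustrative; not from any real network).
SAMPLE_DHCP_LOG = """\
Dec  6 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.5.41 to 3c:52:82:aa:bb:01 (WS-FIN-0041) via eth0
Dec  6 09:12:09 dhcp1 dhcpd: DHCPACK on 10.20.5.42 to 3c:52:82:aa:bb:02 (WS-FIN-0042) via eth0
Dec  6 09:13:30 dhcp1 dhcpd: DHCPDISCOVER from b8:27:eb:11:22:33 via eth0
Dec  6 09:13:31 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to b8:27:eb:11:22:33 (raspberrypi) via eth0
Dec  6 09:14:02 dhcp1 dhcpd: DHCPACK on 10.20.5.78 to 00:e0:4c:68:01:02 via eth0
"""

# Assumed asset inventory (MAC -> asset tag). Anything not listed is unmanaged.
ASSET_INVENTORY: Dict[str, str] = {
    "3c:52:82:aa:bb:01": "WS-FIN-0041",
    "3c:52:82:aa:bb:02": "WS-FIN-0042",
}

# Only DHCPACK lines matter: they record a lease that was actually granted.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]   # dhcpd omits the parenthesised name when the client sent none
    iface: str


def parse_leases(log_text: str) -> List[Lease]:
    """Extract every granted lease (DHCPACK) from dhcpd syslog output."""
    leases = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"], m["iface"]))
    return leases


def find_unmanaged(leases: List[Lease], inventory: Dict[str, str]) -> List[Lease]:
    """Leases granted to a MAC that is not in the inventory: new hardware on the LAN."""
    return [lease for lease in leases if lease.mac not in inventory]


if __name__ == "__main__":
    for lease in find_unmanaged(parse_leases(SAMPLE_DHCP_LOG), ASSET_INVENTORY):
        print(f"ALERT unmanaged device {lease.mac} ({lease.hostname or 'no hostname'}) "
              f"took {lease.ip} on {lease.iface}")
```

A device configured with a static address never asks for a lease, so this only catches the lazy case; pair it with switch-side controls (802.1X or port security, plus a periodic diff of the switch MAC tables) rather than relying on DHCP logs alone.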

DataBreachToday.com RSS Syndication

DataBreachToday.com RSS Syndication: After Mega-Breach, Marriott May Pay for New Passports

But Victims Must Prove Fraud for Hotel Giant to Cover Cost of New Passport
Victims of the massive Marriott International data breach, which exposed data for 500 million customers, including some passport numbers, may be able to claim reimbursement for the cost of obtaining a replacement passport, provided they can prove it led to fraud.

DataBreachToday.com RSS Syndication

Infosecurity – Latest News: Teen Email Hoaxer Gets Three Years

Teen Email Hoaxer Gets Three Years

A Hertfordshire teenager has been sentenced to three years behind bars after pleading guilty in September to making bomb threats to thousands of schools and disrupting a transatlantic flight.

George Duke-Cohan, 19, from Watford, first sent bomb threats to UK schools in March 2018 and was arrested days later, according to the National Crime Agency (NCA).

The plot is said to have forced the evacuation of students at 400 schools and colleges.

However, just a month later he sent a mass email to schools in the UK and US warning that a pipe bomb had been planted on their premises, for which he was re-arrested.

Despite being on bail for charges related to these crimes, Duke-Cohan is then said to have made prank calls to United Airlines, claiming a flight to San Francisco from the UK had been hijacked by gunmen.

In one call, he pretended to be a worried father whose daughter had called him mid-flight, warning of the terrorists.

He was then arrested for a third time at his home on August 31, with officers recovering several electronic devices he had been denied access to under his bail conditions.

The 19-year-old had caused “serious worry and inconvenience to thousands of people,” according to NCA senior investigating officer, Marc Horsfall.

“He carried out these threats hidden behind a computer screen for his own enjoyment, with no consideration for the effect he was having on others. Despite being arrested and having conditions imposed restricting his use of technology, he persistently broke those conditions to continue his wave of violent threats,” he added.

“This investigation proves that operating online does not offer offenders anonymity. Duke-Cohan now has a criminal record which will harm his future career prospects and this should act as a deterrent to others.”



Infosecurity - Latest News

Search Msdn: .NET Framework December 5, 2018 Preview of Cumulative …

Today, we are releasing the December 5, 2018 Preview of .NET Framework Cumulative Update for Windows 10 version 1809 and Windows Server 2019. For more information about the new Cumulative Updates for .NET Framework for Windows 10 version 1809 and Windows Server 2019 please refer to this recent announcement. Quality and Reliability

Search Msdn

Search Msdn: Engineering OneNote Blog – blogs.msdn.microsoft.com

July 5, 2013 By Daniel Escapa 28 Updated OneNote for iPad, iPhone & Android! Monday was a great day and we shipped a bunch of new clients out there to the world. It was really awesome to get them out the door and also get your feedback; we are digging through all of the app store feedback, tweets and blog comments, really great stuff so please ...

Search Msdn

Packet Storm: Debian Security Advisory 4350-1

Debian Linux Security Advisory 4350-1 - It was discovered that incorrect processing of very high UIDs in Policykit, a framework for managing administrative policies and privileges, could result in authentication bypass.
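The advisory above does not say how PolicyKit mishandled large UIDs, and this example does not reproduce its code. It is an added Python illustration of the general hazard behind "very high UIDs": on Linux a uid_t is a 32-bit unsigned integer, so any value above 2**31-1 that passes through a signed C int comes out negative, and 4294967295 ((uid_t)-1, reserved as "no user") collides with the -1 sentinel many APIs use for "invalid". The function names, the naive parse and the strict validator are assumptions of this example, not PolicyKit's.

```python
import ctypes
import re
from typing import Optional

UID_MAX = 2**32 - 1      # uid_t is a 32-bit unsigned integer on Linux
UID_NONE = UID_MAX       # (uid_t)-1: the kernel's "no user" value, never a real account


def as_c_int(value: int) -> int:
    """What a C `int` holds after `int uid = value;` (two's-complement wrap via ctypes)."""
    return ctypes.c_int32(value).value


def parse_uid_naive(uid_str: str) -> int:
    """Illustrative weak parse (assumed, not PolicyKit's): the uid is funnelled through
    a signed 32-bit int, so anything above 2**31-1 comes out negative and
    4294967295 becomes -1, indistinguishable from an 'invalid' sentinel."""
    return as_c_int(int(uid_str))


def parse_uid_strict(uid_str: str) -> Optional[int]:
    """Accept only an ASCII decimal uid in [0, UID_NONE); return None for anything
    else so the caller has to deny rather than guess."""
    if not re.fullmatch(r"[0-9]+", uid_str):   # rejects '', '-1', '+5', ' 7', unicode digits
        return None
    uid = int(uid_str)
    if uid >= UID_NONE:                         # above UID_MAX, or the reserved (uid_t)-1
        return None
    return uid


def boundary_table():
    """Side-by-side view of both parsers on the values that matter."""
    cases = ["0", "1000", "2147483647", "2147483648", "4000000000", "4294967295", "-1"]
    rows = {}
    for s in cases:
        try:
            naive = parse_uid_naive(s)
        except ValueError:
            naive = None
        rows[s] = (naive, parse_uid_strict(s))
    return rows


if __name__ == "__main__":
    for s, (naive, strict) in boundary_table().items():
        print(f"{s:>11}  naive={naive!s:>12}  strict={strict}")
```

The strict parser still accepts 4000000000: it is a legal uid on Linux and must be authorised as itself, not as a negative number. What the example shows is that the boundary to test is 2**31, well below the maximum uid, and that the reserved value needs an explicit check of its own.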

Packet Storm

Packet Storm: SQLMAP – Automatic SQL Injection Tool 1.2.12

sqlmap is an open source command-line tool that automates the detection and exploitation of SQL injection vulnerabilities in web applications. Once it has found one or more injection points on the target host, the user can choose from a range of options: fingerprint the back-end database management system in depth, retrieve the DBMS session user and current database, enumerate users, password hashes, privileges and databases, dump entire tables or selected tables and columns, run their own SQL statements, read or write text or binary files on the file system, execute arbitrary commands on the operating system, and establish an out-of-band stateful connection between the attacker's machine and the database server via a Metasploit payload stager, a database stored-procedure buffer-overflow exploit or an SMB relay attack, among others.
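To make concrete what sqlmap automates, here is an added Python example (not part of sqlmap and not from Packet Storm) using an in-memory SQLite table with constructed sample rows. It pairs a query built by string formatting with its parametrized form and shows the two payload shapes behind sqlmap's boolean-based and UNION-based techniques: a tautology that returns every row, and a UNION that pulls the password-hash column through a query that was only meant to return names.

```python
import sqlite3
from typing import List


def make_demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw_hash) VALUES (?, ?)",
        [("alice", "$2b$12$hashA"), ("bob", "$2b$12$hashB"), ("carol", "$2b$12$hashC")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """Builds the statement by string formatting: the input becomes part of the SQL grammar."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_parametrized(conn: sqlite3.Connection, name: str) -> List[str]:
    """Bound parameter: the driver passes the value separately, so it can only ever be data."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


# Two payloads of the kind sqlmap generates once it has confirmed an injection point.
TAUTOLOGY = "x' OR '1'='1"                         # boolean-based: WHERE clause always true
UNION_DUMP = "x' UNION SELECT pw_hash FROM users--"  # UNION-based: smuggle another column out


if __name__ == "__main__":
    db = make_demo_db()
    for label, payload in (("tautology", TAUTOLOGY), ("union", UNION_DUMP)):
        print(f"{label:>9} | vulnerable: {find_user_vulnerable(db, payload)}")
        print(f"{label:>9} | parametrized: {find_user_parametrized(db, payload)}")
```

The `--` at the end of the UNION payload comments out the closing quote the original query appended; the parametrized version returns nothing for both payloads because the whole string is compared literally against the name column.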

Packet Storm

Infosecurity – Latest News: UK Consumers Have Lost £500 Each Through Online Crime

UK Consumers Have Lost £500 Each Through Online Crime

Two-fifths of UK consumers have been a victim of cybercrime with phishing topping the list, according to new research from GMX.

The email provider polled over 2000 Brits last month to better understand the impact and extent of online threats.

It found that half of those netizens affected lost money as a result. The average loss was £565 ($720), although 1% of respondents said they lost over £10,000.

Phishing and “misuse of data” were the most common forms of cybercrime, each accounting for 11% of answers. Next came malware (10%), fake e-stores (7%), online extortion (6%), and charity fraud (5%), where recipients are tricked into donating to spoofed worthy causes.

The over-55s were least likely to be victims of online crime, with 73% claiming they had never been caught out, versus 47% of those aged 16-24. This could be because older netizens are more cautious online, and/or that they spend less time on the internet.

The email firm urged consumers to remember its “three Cs”: context, common sense and charity aware.

The news comes as the busy online Christmas shopping period is well underway, with Brits expected to spend billions at their favorite e-commerce stores. They were predicted to have splashed out £5bn on Black Friday alone, half of which was online.

Security vendor Sonicwall claimed that UK phishing scams soared 648% year-on-year this Cyber Monday. It recorded 2535 attacks over the course of Monday and 11,433 for the week around this busy shopping weekend, a 436% increase on the same period in 2017.

With the run-up to Christmas still the busiest time for online shoppers in the UK, the firm warned that consumers could be deluged by phishing and similar scams, eroding trust in the brands they shop with and hitting stores’ profits.



Infosecurity - Latest News

Packet Storm: Ubuntu Security Notice USN-3840-1

Ubuntu Security Notice 3840-1 - Samuel Weiser discovered that OpenSSL incorrectly handled DSA signing. An attacker could possibly use this issue to perform a timing side-channel attack and recover private DSA keys. Samuel Weiser discovered that OpenSSL incorrectly handled ECDSA signing. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. Various other issues were also addressed.

Packet Storm

Packet Storm: Ubuntu Security Notice USN-3831-2

Ubuntu Security Notice 3831-2 - USN-3831-1 fixed vulnerabilities in Ghostscript. Ghostscript 9.26 introduced a regression when used with certain options. This update fixes the problem. It was discovered that Ghostscript contained multiple security issues. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use these issues to access arbitrary files, execute arbitrary code, or cause a denial of service. Various other issues were also addressed.

Packet Storm

Packet Storm: Ubuntu Security Notice USN-3838-1

Ubuntu Security Notice 3838-1 - It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, a remote attacker could cause applications linked against LibRaw to crash, resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.

Packet Storm

Packet Storm: Red Hat Security Advisory 2018-3795-01

Red Hat Security Advisory 2018-3795-01 - The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update upgrades Flash Player to version 32.0.0.101. Issues addressed include a code execution vulnerability.

Packet Storm

Infosecurity – Latest News: #BHEU: We Must Update Cybersec Education to Develop More Security Experts

#BHEU: We Must Update Cybersec Education to Develop More Security Experts

Speaking at Black Hat Europe in London, Nahman Khayet, security researcher, and Shlomi Boutnaru, CTO at Rezilion, explored the current cybersecurity skills shortage and its link to the education system.

Khayet explained that there are three main characteristics of security experts, which are ‘thinking outside the box,’ ‘adversarial thinking’ and ‘technical knowledge.’

He also cited a quote from Malcolm Gladwell regarding the 10,000 Hour Rule, “…the key to achieving world-class expertise in any skill, is, to a large extent, a matter of practicing the correct way, for a total of around 10,000 hours…”

“This sentence has two meanings for us,” Boutnaru said. “The first, is we believe that each person in the world should practice and experience as much as they can in order to become an expert,” and the second is that “every cybersecurity expert should have a lot of experience in the industry before they actually become an expert.”

However, Boutnaru argued that teenagers studying computing in schools are suffering from limitations of the education system. They are being taught less technical material like safe internet use, privacy controls, password safety and computer safety, he added, but some “cybersecurity deep knowledge is missing” from the curriculum.

“What about network threats? What about denial of service? What about IP spoofing? What about code vulnerabilities, and others? If you think about it, a lot of teenagers are today developing applications for mobile, web apps, but they don’t have the basic understanding of those [aforementioned] specific threats. Why? Because we are not teaching them that.”

“Students, when they are not getting the right education of cybersecurity, they are not understanding (later on) when they apply for work in the industry the security risks,” said Khayet. “If we look at the characteristics of security experts, they lack all of them.”

Both speakers argued that the current approach to teaching cybersecurity to teenagers needs upgrading by:

  • Adding practical cybersecurity training in schools as early as possible
  • Systematically exposing girls in middle school to female cybersecurity leaders
  • Teaching cutting-edge technology with hands-on experience
  • Investing more in pedagogical concepts



Infosecurity - Latest News

Packet Storm: Red Hat Security Advisory 2018-3772-01

Red Hat Security Advisory 2018-3772-01 - Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Issues addressed include cleartext password logging.

Packet Storm

Packet Storm: Red Hat Security Advisory 2018-3771-01

Red Hat Security Advisory 2018-3771-01 - Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Issues addressed include cleartext password logging.

Packet Storm

Packet Storm: Red Hat Security Advisory 2018-3768-01

Red Hat Security Advisory 2018-3768-01 - Red Hat Fuse enables integration experts, application developers, and business users to collaborate and independently develop connected solutions. Fuse is part of an agile integration solution. Its distributed approach allows teams to deploy integrated services where required. The API-centric, container-based architecture decouples services so they can be created, extended, and deployed independently. This release of Red Hat Fuse 7.2 serves as a replacement for Red Hat Fuse 7.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, denial of service, deserialization, and traversal vulnerabilities.

Packet Storm

Packet Storm: Ubuntu Security Notice USN-3837-1

Ubuntu Security Notice 3837-1 - It was discovered that poppler incorrectly handled certain PDF files. An attacker could possibly use this issue to cause a denial of service. It was discovered that poppler incorrectly handled certain PDF files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. Various other issues were also addressed.

Packet Storm

Packet Storm: Red Hat Security Advisory 2018-3773-01

Red Hat Security Advisory 2018-3773-01 - Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Issues addressed include cleartext password logging.

Packet Storm

Packet Storm: Red Hat Security Advisory 2018-3792-01

Red Hat Security Advisory 2018-3792-01 - OpenStack Networking is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines. Issues addressed include a denial of service vulnerability.

Packet Storm

Packet Storm: Red Hat Security Advisory 2018-3779-01

Red Hat Security Advisory 2018-3779-01 - IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP35. Issues addressed include a denial of service vulnerability.

Packet Storm

Infosecurity – Latest News: #BHEU: Did the ‘Grain of Rice Chip’ Drive New Risk Assessments?

#BHEU: Did the 'Grain of Rice Chip' Drive New Risk Assessments?

Speaking at the Black Hat Europe conference in London, trainer and researcher Joe FitzPatrick from SecuringHardware.com asked delegates if their risk assessment considers $5 hardware attacks and if not, “why worry about $1m [hardware attacks], as what is more likely?”

In his talk 'A Measured Response to a Grain of Rice,' which took a hard look at the controversial Bloomberg article about tiny chips found on motherboards, FitzPatrick said that we first heard of malicious implants as part of the Snowden leaks in 2013, and the “ANT catalogue” of implants reported by Der Spiegel.

“Usually we think of keystroke loggers via USB but they have been around for decades, as have Modchips,” he said.

Asking when hardware attacks make sense, he said it makes sense to have air gaps and heavily monitored networks, as well as to be aware of physical access which would not be possible remotely, and supply chain access to firmware.

Focusing on the Bloomberg story, which alleged that a chip affected 30 companies, FitzPatrick said that there was a lot of reaction to the story, as well as questions on how to test and what the indicators of compromise are. “By the time the board gets to you, something has changed to the schematics to figure out what chips are what,” he added.

FitzPatrick said that there was little in the article on what the chip did, and using the term “component graffiti” he argued that the article caused “a lot of assumptions and doom and gloom.”

He said: “Was it real or a hoax? I don’t know: we don’t have information and I am no expert, however I can say it is possible and the things described are possible and I see challenges as a technical person.”

He asked why there were no first-hand accounts of what it did, and went on to say that a typical server has more than 10 components with firmware, hundreds of active components, and thousands of passive components, meaning that there is a “huge surface to look at.”

Concluding by discussing what we can do, FitzPatrick said that ripping up servers “is a waste of time” and asked delegates if they review what a supplier does and where hardware was acquired, and if they look inside systems.

“Actual risk is a combination of impact and frequency,” he said. “We need to respond to the threat and not to the hype.”



Infosecurity - Latest News