Category Archives: information security news

Kaspersky Lab found a serious vulnerability in Windows

A team of specialists from Kaspersky Lab, an anti-virus company headquartered in Russia, discovered a 0-day vulnerability in Windows systems. Cybercriminals were actively exploiting this security problem in real targeted attacks.

According to Kaspersky Lab experts, they found a previously unknown vulnerability in Windows that was allegedly used to carry out targeted attacks by at least two cyber groups — FruityArmor and the recently discovered SandCat.

Using this vulnerability, an attacker could infiltrate the victim's network or device by attacking Windows 8 and 10. As a result of a successful attack, the cybercriminal got full control over the vulnerable system.

Kaspersky lab promptly notified Microsoft of the problem, which allowed the developers to release a patch that is already available to users.

"The discovery of this exploit shows that such expensive and rare tools are still of great interest to hacker groups. Organizations need to find solutions that can protect against such threats," says Anton Ivanov, Kaspersky Lab anti-virus expert.

Security roundup: March 2019

We round up interesting research and reporting about security and privacy from around the web. This month: ransomware repercussions, reporting cybercrime, vulnerability volume, everyone’s noticing privacy, and feeling GDPR’s impact.

Ransom vs ruin

Hypothetical question: how long would your business hold out before paying to make a ransomware infection go away? For Apex Human Capital Management, a US payroll software company with hundreds of customers, it was less than three days. Apex confirmed the incident, but didn’t say how much it paid or reveal which strain of ransomware was involved.

Interestingly, the story suggests that the decision to pay was a consensus between the company and two external security firms. This could be because the ransomware also encrypted data at Apex’s newly minted external disaster recovery site. Most security experts strongly advise against paying extortionists to remove ransomware. With that in mind, here’s our guide to preventing ransomware. We also recommend visiting NoMoreRansom.org, which has information about infections and free decryption tools.

Bonus extra salutary security lesson: while we’re on the subject of backup failure, a “catastrophic” attack wiped the primary and backup systems of the secure email provider VFE Systems. Effectively, the lack of backup put the company out of business. As Brian Honan noted in the SANS newsletter, this case shows the impact of badly designed disaster recovery procedures.

Ready to report

If you’ve had a genuine security incident – neat segue alert! – you’ll probably need to report it to someone. That entity might be your local CERT (computer emergency response team), to a regulator, or even law enforcement. (It’s called cybercrime for a reason, after all). Security researcher Bart Blaze has developed a template for reporting a cybercrime incident which you might find useful. It’s free to download at Peerlyst (sign-in required).

By definition, a security incident will involve someone deliberately or accidentally taking advantage of a gap in an organisation’s defences. Help Net Security recently carried an op-ed arguing that it’s worth accepting that your network will be infiltrated or compromised. The key to recovering faster involves a shift in mindset and strategy from focusing on prevention to resilience. You can read the piece here. At BH Consulting, we’re big believers in the concept of resilience in security. We’ve blogged about it several times over the past year, including posts like this.

In incident response and in many aspects of security, communication will play a key role. So another helpful resource is this primer on communicating security subjects with non-experts, courtesy of SANS’ Lenny Zeltser. It takes a “plain English” approach to the subject and includes other links to help security professionals improve their messaging. Similarly, this post from Raconteur looks at language as the key to improving collaboration between a CISO and the board.

Old flaws in not-so-new bottles

More than 80 per cent of enterprise IT systems have at least one flaw listed on the Common Vulnerabilities and Exposures (CVE) list. One in five systems have more than ten such unpatched vulnerabilities. Those are some of the headline findings in the 2019 Vulnerability Statistics Report from Irish security company Edgescan.

Edgescan concluded that the average window of exposure for critical web application vulnerabilities is 69 days. Per the report, an average enterprise takes around 69 days to patch a critical vulnerability in its applications and 65 days to patch the same in its infrastructure layers. High-risk and medium-risk vulnerabilities in enterprise applications take up to 83 days and 74 days respectively to patch.

SC Magazine’s take was that many of the problems in the report come from companies lacking full visibility of all their IT assets. The full Edgescan report has even more data and conclusions and is free to download here.

From a shrug to a shun

Privacy practitioners take note: consumer attitudes to security breaches appear to be shifting at last. PCI Pal, a payment security company, found that 62 per cent of Americans and 44 per cent of Britons claim they will stop spending with a brand for several months following a hack or breach. The reputational hit from a security incident could be greater than the cost of repair. In a related story, security journalist Zack Whittaker has taken issue with the hollow promise of websites everywhere. You know the one: “We take your privacy seriously.”

If you notice this notice…

Notifications of data breaches have increased since GDPR came into force. The European Commission has revealed that companies made more than 41,000 data breach notifications in the six-month period since May 25. Individuals or organisations made more than 95,000 complaints, mostly relating to telemarketing, promotional emails and video surveillance. Help Net Security has a good writeup of the findings here.

It was a similar story in Ireland, where the Data Protection Commission saw a 70 per cent increase in reported valid data security breaches, and a 56 per cent increase in public complaints compared to 2017. The summary data is here and the full 104-page report is free to download.

Meanwhile, Brave, the privacy-focused browser developer, argues that GDPR doesn’t make doing business harder for a small company. “In fact, if purpose limitation is enforced, GDPR levels the playing field versus large digital players,” said chief policy officer Johnny Ryan.

Interesting footnote: a US insurance company, Coalition, has begun offering GDPR-specific coverage. Dark Reading’s quotes a lawyer who said insurance might be effective for risk transference but it’s untested. Much will depend on the policy’s wording, the lawyer said.

Things we liked

Lisa Forte’s excellent post draws parallels between online radicalisation and cybercrime. MORE

Want to do some malware analysis? Here’s how to set up a Windows VM for it. MORE

You give apps personal information. Then they tell Facebook (PAYWALL). MORE

Ever wondered how cybercriminals turn their digital gains into cold, hard cash? MORE

This 190-second video explains cybercrime to a layperson without using computers. MORE

Blaming the user for security failings is a dereliction of responsibility, argues Ira Winkler. MORE

Tips for improving cyber risk management. MORE

Here’s what happens when you set up an IoT camera as a honeypot. MORE

The post Security roundup: March 2019 appeared first on BH Consulting.

Security roundup: February 2019

We round up interesting research and reporting about security and privacy from around the web. This month: security as a global business risk, insured vs protected, a 12-step programme, subject access requests made real, French fine for Google, and an imperfect getaway.

Risks getting riskier

Some top ten lists are not the kind you want to appear on. Data theft and cyber attacks both featured in the World Economic Forum’s Global Risks Report 2019. Only threats relating to extreme weather, climate change and natural disasters ranked above both security risks.

The report is based on a survey which asked 1,000 decision makers to rate global risks by likelihood over a 10-year horizon. As ZDNet reports, 82 per cent of those surveyed believe there’s an increased risk of cyberattacks leading to the theft of money and data. Some 80 per cent believe there’s a greater risk of cyberattacks disrupting operations.

The report also refers to the increased risk of cyberattacks against critical infrastructure, along with concerns about identity theft and decreasing privacy. The WEF’s overview includes a video of a panel discussing the risks, and the report itself is free to download.

Insuring against cyber attacks

Thinking of buying cyber risk insurance in the near future? The legal spat between Mondelez and Zurich might give pause to reconsider. The US food company sued its insurer for refusing to pay a $100 million claim for ransomware damages. NotPetya left Mondelez with 1,700 unusable servers and 24,000 permanently broken laptops. Zurich called this “a hostile or warlike action” by a government or foreign power which therefore excluded it from cover.

As InfoSecurity’s story suggests, Zurich might have been on safer ground by invoking a gross negligence clause instead, since Mondelez got hit not once but twice. And where does this leave victims? “Just because you have car insurance does not mean you won’t have a car crash. Just because you have cyber insurance does not mean you won’t have a breach,” said Brian Honan.

Lesley Carhart of Dragos Security said the case would have implications for cyber insurance sales and where CISOs spend money. “Not only is Zurich’s claim apparently that nation state adversaries can’t be insured against, but it adds the ever tenuous question of attribution to insurance claims,” she wrote.

The 12 steps to better cybersecurity

Somewhat under the radar, but no less welcome for that, Ireland’s National Cyber Security Centre has published guidance on cybersecurity for Irish businesses. It’s a high-level document that takes the form of a 12-step guide. It’s written in non-technical language, clearly intended for a wide audience. The steps include tips like getting senior management support for a cybersecurity strategy. The full report is free to download from here. We’ve taken a deep dive into the contents and you can read our thoughts here.

Fight for your right to part…ake of your data

GDPR obliges companies to cough up the personal data they hold about us on request, but what does that mean in practice? Journalist Jon Porter exercised his right to a subject access request with Apple, Amazon, Facebook, and Google. Just under 138GB of raw data later, he discovered that little of the information was in a format he could easily understand. If some of the world’s biggest tech companies are struggling with this challenge, what does that say for everyone else? It’s a fascinating story, available here.

Google grapples French fine

And speaking of all things GDPR-related, France’s data protection regulator CNIL has hit Google with a €50 million fine for violating the regulation. The CNIL claims Google didn’t make its data collection policies transparent enough and didn’t obtain sufficient, specific consent for personalising ads.

As Brian Honan wrote in the SANS Institute newsletter: “While the €50 million fine is the item grabbing the headlines, the key issue here is the finding by CNIL of the unlawfulness of Google’s approach to gathering people’s personal data. This will have bigger implications for Google, and many other organisations, in how they ensure they legally gather and use people’s personal data in line with the GDPR.”

You can run, but you can’t hide

Here’s a cautionary tale about the dangers of oversharing personal data on smart devices. UK police collared a hitman for an unsolved murder after data from his GPS watch linked him to scouting expeditions of the crime scene. Runners World covered the story and the Liverpool Echo published CCTV footage of an alleged recon trip near the victim’s home.

It’s an extreme example maybe, but the story shows how heavy our digital footprints can be (running shoes or not). Social media sharing can also be a security risk for a company’s remote workers. Trend Micro’s Bob McArdle outlined this very subject in his excellent Irisscon 2018 presentation. Social engineering expert Lisa Forte tweeted that she can gather intel about target companies from what their employees post online.

Things we liked

Protector, puzzle master, moral crusader, change agent: the many faces of a CISO. MORE

And another thing: want to be a good security leader? Learn to tell a good story first. MORE

Making the contentious case that breaches can be a good thing, and aren’t automatically bad for business. MORE

Google Chrome, used by almost two-thirds of web browsers, has a new plugin that warns users when entering a username/password combination that’s been detected in a data breach. MORE

An offer you couldn’t retweet: meeting the godfather of fake news. MORE

The Council to Secure the Digital Economy (CSDE) has published a guide to help protect the Internet from botnets. The International Anti-Botnet Guide will be updated every year. MORE

ENISA has released a study of CSIRTs and incident response capabilities in Europe to 2025. MORE

The post Security roundup: February 2019 appeared first on BH Consulting.