Grab your shovels, dust off the snow blower, and bundle up. The way patches are accumulating this month is making me think of winter in Minnesota. I'm talking about the kind where the snow flurries start and stop so many times over the course of a few weeks that you suddenly realize there is a lot of snow out there! So the question is, do you shovel in small amounts when there are breaks in the …
Thanks to our friends at GreatHorn for sponsoring this week's podcast. In this episode of the podcast, #123, Troy Hunt, the founder of HaveIBeenPwned.com, joins us to talk about Marriott International's big mess: a breach of Starwood Hotels' reservation system that revealed information on half a billion (with a "B") guests. And, in our second...
Hackers stole up to 34,000 Butlin's guest records, reportedly breaching the UK holiday camp firm through a phishing email. Dixons Carphone upped the estimated number of customer records breached in a hack last year from 1.2 million to 10 million, which includes 5.9 million payment cards. No explanation was offered by Dixons as to why it had taken so long to get a grip on the scale of the data breach, which was reported as occurring in July 2017.
Huawei continues to face scrutiny over the security of its products after the UK National Cyber Security Centre (NCSC) issued a warning in a security report about using the Chinese tech manufacturing giant's devices. Huawei recently took over from Apple as the world's second largest provider of smartphones. A 16-year-old Australian 'Apple fanboy' found himself in court after hacking into Apple's network.
On the international scene, Microsoft announced it had thwarted Russian data-stealing attacks against US anti-Trump conservative groups by taking down six domains which hosted mimicked websites, which were likely to be used in future phishing campaigns. The Bank of Spain's website was taken out by a DDoS attack, and a Chinese hotel group's 140Gb customer database was found for sale on the dark web. The PGA golf championship was hit by ransomware, and the FBI arrested three key members of the notorious FIN7 hacking group, which is said to be responsible for stealing millions of credit card and customer details from businesses across the world.
On the personal front, the EC-Council confirmed my Computer Hacking Forensic Investigator (CHFI) certification had been renewed until 2021. I dropped into B-Sides Manchester this month; the highlight was a demonstration of a vulnerability found by Secarma researchers, namely a PHP flaw which places CMS sites at risk of remote code execution.
There were plenty of critical security patches released by the usual suspects, such as Microsoft, Cisco, and Adobe, the latter of which released several out-of-band patches during August. A critical update was released for Apache Struts (popular web server), and there was a reminder that fax machines and all-in-one network devices could be used by hackers as a way into corporate networks.
Finally, there were a couple of interesting cybercrime articles posted on the BBC's news website this month: "Cyber-Attack! Would your firm handle it better than this?" and "Unpicking the Cyber-Crime Economy".
- T-Mobile Breach Affects Two Million Customers
- Air Canada Mobile App Breach Affects 20,000 People
- Microsoft takes down 'Russian political Hackers'
- Dixons admits Data Breach now Affects 10 million
- Butlin's says Guest Records may have been Hacked
- Huawei set to face even more scrutiny from UK Security Forces
- Reddit user data compromised after 'serious' Hack
- Instagram Hack sees accounts replaced with film stills
- UK Universities among 76 targeted by Hackers
- Bank of Spain hit with DDoS Attack
- Chinese Hotel Group leak of Millions of Guests’ Data
- Reported Data Breaches up 160% since GDPR
- US warns of Supply Chain Cyber-Attacks
- PGA Championship hit by Ransomware Attack
- Teenage fan Hacks into Apple network
- NIST issues Guidance for Protecting Medical IoT devices
- FBI arrests key members of 'prolific' FIN7 Cyber Crime Group
- Microsoft Patches 60 Vulnerabilities for Windows, IE/Edge, Office, .NET, Exchange, SQL, Chakra and Adobe
- PHP flaw places CMS sites at risk of remote code execution
- Adobe Releases Important Fixes for Flash Player
- Adobe Releases Critical Fixes for Acrobat and Acrobat Reader
- Adobe pushes out ‘out-of-band’ Critical Updates for Photoshop CC
- Adobe issues ‘out of band’ Patch for Creative Cloud Desktop Application
- Cisco Patches DoS-related flaws in AsyncOS, Unified Comms Manager (CUCM, IM, and P) and ASA
- 'Foreshadow' attack affects Intel chips
- Fax machines and all-in-one devices could be used by Hackers to Infiltrate Networks
- Security update issued after Critical RCE vulnerability found in the core of Apache Struts
- Cyber fall-out of nation-state conflicts extends beyond politics
- Experts warn of increase in Phishing Attacks targeting Cryptocurrency
- Latest Mirai variant leverages open source project for cross-platform infections
- AdvisorBot Downloader in Malware Campaign targeting Hotels, Restaurants, and Telecoms
- Researchers find new POS malware with no data exfiltration capabilities
- CrowdStrike: Global Supply Chain Survey, two-thirds of organisations attacked
- Mimecast ESRA Report: Email attacks on the rise, say 80% of Businesses
- Data Leakage Prevention (DLP) – ISF Briefing Paper
- Cyber-Attack! Would your firm handle it better than this?
- Unpicking the Cyber-Crime Economy
- CCTV cameras at three Blackpool schools were live streamed on a US-based website.
- Personal details belonging to millions of teachers, pupils and parents who use Edmodo on sale on the dark web
- Independent Schools' Bursars Association (ISBA), which supports senior management staff in more than 1,000 schools, said the issue of cyber attacks had become more than an "isolated incident".
- School bomb hoaxes revealed to be part of Minecraft gamer feud
- My guidance on IBM developerWorks on Combating IoT Cyber Threats
- Smart home devices used as weapons in website attack
- How hackers could use a doll to open your front door
- German ban on the sale of smartwatches aimed at children
- Fitness App Hack Impacts 150 Million People
- GitHub Survived the Biggest DDoS Attack Ever Recorded
- TalkTalk urged to Improve Cybersecurity in wake of 'worryingly easy' Web System Flaw
- Billion Euro Cyber-Suspect Arrested in Spain
- Gwent Police sat on Data Breach Exposure for a Year before informing ICO
- Equifax finds More US Victims of 2017 Breach
- AWS S3 bucket managed by Walmart Partner exposes info on 1.3M
- Intel redesigns Chips to address Spectre and Meltdown Vulnerabilities
- Fancy Bear Suspected in United Kingdom's Anti-Doping Agency Cyber Attack
- Orbitz hit with Data Breach, 880,000 Payment Cards at Risk
- UK Government Smart Device (IoT) Security Guidelines: Experts say 'it needs more teeth'
- US Punishes 19 Russians over Vote meddling and Cyber-attacks
- Microsoft Patches 75 Vulnerabilities for IE/Edge, Exchange, Office, ChakraCore & Flash
- Adobe Releases Critical Fixes for Flash Player
- AMD Update Addresses Critical Vulnerabilities, says Flaws not so Severe
- BranchScope, a New Intel Processor Vulnerability Discovered by Researchers
- Cyber Attacks are one of the Biggest Threats Schools Face, experts warn
- Blackout Threat to Britain from Russian Cyber-Attack
- Recently Patched Flash Vulnerability Spotted in Massive Malspam Campaign
- APT15 Observed Targeting UK Government Contractor
- Ireland on the front line in Russia's new Hacking War
On the international front, the Winter Olympic games were subjected to several cyber-attacks, kicking websites and other services offline during the games. The UK government blamed Russia for the NotPetya attacks as part of an attack on Ukraine. The allegedly North Korean state-backed APT37 (Reaper) is believed to be expanding its cyber-attack capabilities with the objective of causing disruption, according to FireEye. An open AWS S3 bucket exposed the private information of thousands of FedEx customers, and Google reported it will label all HTTP websites as 'not secure' from July 2018.
- Digital Guardian: Do you know your data's worth?
- 77 Facts About Cyber Crime
- GDPR Preparation: Recent Articles of Note
- North Korea (APT37) expanding Cyber Attack capabilities, Intention is Disruption
- Coldroot RAT Still Undetectable Despite Being Uploaded on GitHub Two Years Ago
- Hackers could Obfuscate Malware through Code Signing and SSL Certificates
- Two New Thefts using SWIFT Network Confirmed
In the United States, the Federal Trade Commission (FTC) fined toy firm VTech US$650,000 (£482,000) for violating US children's privacy law. The FTC alleged the toy company violated the Children's Online Privacy Protection Rule (COPPA) by collecting personal information from hundreds of thousands of children without providing direct notice.
- Meltdown & Spectre: Critical Intel, AMD and ARM Processor Vulnerabilities
- ICO imposes £400,000 fine on Carphone Warehouse following 2015 Data Breach
- Forever 21 Blames Malware & Lapses in Encryption, for Payment Card Compromise
- Major UK Infrastructure Cyberattack is 'When, not If', says the National Cyber Security Centre
- Hackers steal $400,000 (£290,000) BlackWallet Crypto-Currency after DNS Hack
- NotPetya Attack Totally Destroyed Maersk's Computer Network
- US FTC fines VTech Toy Firm over Data Breach
- Sensitive Medical Records on AWS (Cloud) Bucket found to be Publicly Accessible
- Meltdown & Spectre Vulnerability & Patching Details
- Microsoft releases 16 Security Updates for IE/Edge, .NET, SQL, Office, & Windows
- Apple releases updates for Safari, iOS, watchOS and macOS
- Adobe releases fix for Flash Player
- Cisco warns of a Critical Vulnerability in its SSL VPN solution
- Cisco Security Updates nix high-impact DoS and Privilege Escalation Bugs
- CrossRAT: Advanced APT Undetectable Malware Globally Targeting all OS Platforms
- Necurs Botnet launches Massive 47 million emails per day Campaign
- CryptoMix Ransomware variant carries new ‘.tastylock’ Extension
- Satori Creator linked with new Mirai variant Masuta
- Cyber Breach Trends Report: 2017 Cyber-incidents Doubled, 93% preventable
- Carbon Black Report 2017 Threat Report
- Netscout Annual Worldwide Infrastructure Security Report: DDoS Complexity Rising
- Malwarebytes 2017 State of Malware Report: Spyware increasing
- Cisco 2018 Privacy Maturity Benchmark Study
Google security researchers, aka Project Zero, broke the bad news on 3rd January 2018 of newly discovered computer processor flaws, which they have named 'Meltdown' and 'Spectre'. Both Meltdown and Spectre allow an attacker or malware to access privileged information from within what should be a protected area of (kernel) memory, meaning the potential disclosure of passwords, encryption keys, and confidential data from within virtual environments, i.e. where multiple virtual machines are hosted on a single hardware platform.
The Meltdown vulnerability is present on all Intel processors manufactured after 1995 and is the easier of the two flaws to exploit. Its exploitation method is known as "rogue data cache load", and it can be mitigated by applying the latest operating system patches/updates from Microsoft (KB4056892), Apple, and the various Linux distributions. However, the bad news, according to researchers, is that the patches are expected to slow computer systems (processors) down by between 5% and 30%, given that they are essentially a software patch for a hardware defect.
- Meltdown (rogue data cache load - CVE-2017-5754)
- Update your anti-virus software before applying Microsoft patches. Microsoft warned that because its patch changes the design of Windows internal memory management, it could cause issues with installed anti-virus software, so the Microsoft update will not install if the anti-virus software is not compatible with the patch. Therefore update your anti-virus application (the application, not just the definitions) before applying the Microsoft security patches.
- Apple has confirmed all iPhones, iPads, and Mac computers are affected and released patches for Meltdown in December 2017. Apple has stated there is 'no measurable reduction in the performance of macOS and iOS'.
- Microsoft Surface patches and guidance
- Google has stated the patches cause a 'negligible impact on performance'
- See CVE-2017-5754 and meltdownattack.com for further details on Meltdown.
The Spectre vulnerability is present on Intel, AMD and ARM processors, and involves two more conceptual methods of attack, called 'bounds check bypass' and 'branch target injection', both of which appear to be difficult to execute. Spectre will be much harder for vendors to fix, so expect a wait for the patch releases for it.
- Spectre variant 1 (bounds check bypass - CVE-2017-5753)
- Spectre variant 2 (branch target injection - CVE-2017-5715)
- Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques.
- Google has released patches for Android phones in December 2017
- See CVE-2017-5715, CVE-2017-5753 and meltdownattack.com for further details
- Understanding The Meltdown And Spectre Exploits: Intel, AMD, ARM, and Nvidia
- Meltdown, Spectre Can Be Exploited Through Your Browser
- Latest Patching Details
It is not currently known whether hackers or malware have exploited either the Meltdown or Spectre vulnerabilities. Detecting this type of processor exploit is far from easy, as specific processor activity is not typically recorded and checked in centralised security audit log files and audit systems; therefore Meltdown and Spectre exploitation is extremely hard to detect.
The recommended course of action is to quickly apply the Meltdown and Spectre operating system/vendor security patches as they are made available, but be mindful of the impact these patches will have on systems, namely the negative processor performance and any potential issues with anti-virus software and applications, which could impact critical services, especially on servers, within virtual/cloud environments, and on low-powered devices such as IoT devices. Therefore comprehensive patch testing and a rollback plan are essential within business environments before Meltdown and Spectre patches are applied; they will help to identify and address any significant performance issues caused by the patches.
Within high-security environments, consider a strategy to replace all (processor) hardware; although a labour-intensive and costly approach, it would provide a much higher degree of assurance once fixed processors are released by the chip manufacturers. Hardware replacement may even be a cost-effective approach in the medium to long term if the performance impact of the patches turns out to be particularly severe.
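As an added example (not code from the original post), a small Python script that reads the mitigation status a patched Linux kernel reports for the three CVEs listed above, so the patch rollout and testing described here can be verified host by host. The sample /proc/cpuinfo and sysfs values are constructed; assess_host() reads the real files on a live system.

```python
"""Added example (not from the original post): report a Linux host's Meltdown/Spectre
exposure from the 'bugs' field of /proc/cpuinfo and the status files the January 2018
kernel patches added under /sys/devices/system/cpu/vulnerabilities/."""
from pathlib import Path

# sysfs file name -> (CVE discussed above, matching /proc/cpuinfo bug keyword)
VULNS = {
    "meltdown": ("CVE-2017-5754", "cpu_meltdown"),
    "spectre_v1": ("CVE-2017-5753", "spectre_v1"),
    "spectre_v2": ("CVE-2017-5715", "spectre_v2"),
}

# Constructed sample: Intel CPU, KPTI enabled, Spectre v2 only partly mitigated.
SAMPLE_CPUINFO = "vendor_id\t: GenuineIntel\nflags\t\t: fpu sse2 pti\nbugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}

def parse_cpuinfo(text):
    """Return (cpu flags, hardware bugs) from the first processor block."""
    flags, bugs = set(), set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "flags" and not flags:
            flags = set(value.split())
        elif key == "bugs" and not bugs:
            bugs = set(value.split())
    return flags, bugs

def classify(status):
    """Map one sysfs status line onto a coarse state."""
    if status.startswith("Not affected"):
        return "not_affected"
    if status.startswith("Mitigation:"):
        return "mitigated"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def assess(cpuinfo_text, sysfs_status):
    """Return {cve: state}. sysfs is the kernel's own verdict; without it only
    Meltdown can be inferred as mitigated (the 'pti' flag means KPTI is active)."""
    flags, bugs = parse_cpuinfo(cpuinfo_text)
    report = {}
    for name, (cve, bug) in VULNS.items():
        if name in sysfs_status:
            report[cve] = classify(sysfs_status[name])
        elif name == "meltdown" and "pti" in flags:
            report[cve] = "mitigated"
        else:
            report[cve] = "vulnerable" if bug in bugs else "unknown"
    return report

def assess_host(base=Path("/sys/devices/system/cpu/vulnerabilities")):
    """Run the assessment against the live host (needs a 2018+ kernel for sysfs)."""
    sysfs = {n: (base / n).read_text().strip() for n in VULNS if (base / n).is_file()}
    return assess(Path("/proc/cpuinfo").read_text(), sysfs)
```

Run assess(SAMPLE_CPUINFO, SAMPLE_SYSFS) to see the offline report; a host still showing "vulnerable" for CVE-2017-5715 after patching typically also needs the vendor microcode update.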
Any businesses or individuals using Kaspersky should be aware that the UK National Cyber Security Centre has warned government agencies against using the Russian supplier's products and services, which follows a ban by US government departments in November. Barclays responded to the warning by stopping its free offering of Kaspersky anti-virus products to its customers. 2017 saw cyber security become a political football, so it is no real surprise that the UK and US once again blamed North Korea for the devastating WannaCry attacks earlier in the year; personally, I blame poor patch management and hackers, not the North Korean cyber army!
Nadine Dorries MP got herself in hot water after trying to defend now former political colleague Damian Green, following claims that Mr Green accessed porn on his Parliament computer. This activity was reported by a retired police officer, which was said to be a breach of the Data Protection Act. Nadine tweeted "my staff log onto my computer on my desk with my login everyday" to suggest anyone could have used Damian Green's PC to access the illicit websites. This led to widespread condemnation and a warning by the ICO to MPs on password sharing.
The fact that illicit websites were not blocked by Parliament systems is one concerning security issue, but the flagrant disregard for basic cybersecurity by government MPs is gobsmacking, especially when you consider they are supposed to understand the risk and set laws to protect UK citizens from cyber attacks and data breaches. It's another "slap palm on head" moment after the last UK Prime Minister announced he wanted to ban encryption.
2017 has seen huge rises in cryptocurrency values, which has placed cryptocurrency brokers and users' crypto coin wallets in the sights of cybercriminals. This month mining platform NiceHash was breached by hackers, who stole £51 million worth of Bitcoin, and Bitcoin exchange Youbit, which lets people buy and sell Bitcoins and other virtual currencies, shut down and filed for bankruptcy after losing 17% of its assets in cyber-attacks. I think we can expect further cryptocurrency attacks in 2018 given the cryptocurrency bubble is yet to burst.
Faked LinkedIn profiles are nothing new; however, the German intelligence agency (BfV) said it had spotted China using faked LinkedIn profiles to connect with and gather information on German officials and politicians, which is an interesting development.
Finally, hackers were reported as taking advantage of poorly secured systems at UK private schools, and it was claimed hackers could turn off heating systems at UK schools and military bases.
- NCSC warns UK government agencies on use of Kaspersky Products and Services
- Morrisons Supermarket held Liable after Employee Leaks Data
- Data breach at PayPal's TIO Networks unit affects 1.6 million Customers
- Hackers target Private UK Schools
- Hackers could turn off UK School and Military Base Heating Systems
- UK & US Blame North Korea for WannaCry
- German Spy Agency warns of Chinese LinkedIn Espionage
- Nadine Dorries MP under scrutiny for comments about Password Sharing
- Three plead guilty to creating Mirai IoT Botnet Malware
- Cryptocurrency thieves steal £51 million of Bitcoin from Mining Platform
- Microsoft releases 19 Critical Security Updates for IE/Edge, Office, & Windows
- Adobe releases fixes for Flash Player
- Updates Address Security Vulnerabilities in Apache Struts versions 2.5 to 2.5.14
- Cisco Patches Multiple Vulnerabilities in WebEx Platforms
- Apple Releases Security Updates shortly after releasing another KRACK Fix
- TLS exploit Capitalises on 19-year-old vulnerability; Vendors issue Patch
- TeamViewer releases Emergency Patch for Permissions Flaw
- VMware Fixes Bugs in vCenter Service Appliance and Hypervisors
- Threat Group APT-C-23 still active, releases GnatSpy Mobile Malware
- Microsoft bug CVE-2017-11882 Exploited to deliver Loki Information Stealer
- Uber paid off Hackers to delete the Stolen Data of 57 Million People
- OWASP Top Ten 2017 Released: App Development Best Practice & Top Vulnerabilities
- Equifax's Net Income down £20m and £67m Costs Post Data Breach
- Jewson tells Customers their Data may have been Stolen
- Cash Converters hit by Security Breach
- Web Analytics may Jeopardise User Information and GDPR Compliance
- US charges members of elite Chinese Hacking Unit APT3
- Imgur Discloses years-old Data Breach that Compromised 1.7 Million Users
- Hackers 'fool' iPhone X Face ID with a Simple Mask
- Tether Crypto-Currency Operator Reports $31m Raid
- Microsoft releases 20 Critical Security Updates for IE/Edge, Office, & Windows
- Adobe releases fixes for 83 Security Vulnerabilities in Acrobat and Flash
- Apple Addresses KRACK exploits in iOS and macOS Updates, and an Emergency Patch
- Cisco: Critical Vulnerability in 12 types of Voice OS-based Products
- Oracle issues emergency patch for JoltandBleed bug in Tuxedo Middleware
- Windows, Mac and Linux all at Risk from Flaws in Excel File Reader Library
- US CERT issues warning on ASLR vulnerability in Windows 8 & 10
- Intel Management engine Vulnerabilities Expose Millions of PCs to Attack
- APT28's latest Word doc Attack Eliminates needing to Enable Macros
- DDoS attacks have doubled in six months, up 91% on the First Quarter of 2017
- New Mirai variant back on the Radar after New Exploit Code Published
- Cobalt Malware leverages recently Patched 17-year-old Microsoft Flaw