Category Archives: security

We’re a proud Sponsor of InfoSec World 2018!

We’re traveling to Lake Buena Vista, Florida, for the InfoSec World 2018 conference at Disney’s Contemporary Resort! You can come say hi at Booth 207 where the eLearnSecurity team will be. 

Fun times await!

Info…What?

For more than 20 years, security experts have made InfoSec World one of the number 1 Cyber Security conferences. To manage today’s threats, security professionals must have the skills to be both a business partner and enabler and have the technical expertise to prevent, detect and respond to security challenges. InfoSec World features a world-class program and expert speakers from the field to help you do just that.

What Can I Do There & How Can it Help My Career?

It’s simple, here’s what you’ll gain from attending InfoSec World 2018 (And So Much More…):

Get Your eLearnSecurity FORGED T-Shirt

To our students attending the InfoSec World 2018 Expo, come by Booth 207 to say hello, take our awesome FORGED shirt home … and why not take a selfie for the occasion? 🙂 

Can’t Make it to InfoSec but You’d Like to Level-Up your IT Skills?

In today’s crazy busy lifestyle, it’s often hard to make time for yourself. However, it’s never too late to learn new skills and get that promotion you’ve been waiting for. When you think about it, what better way than a new certification and hands-on skills to convince your boss that you’re up for it?

To learn more and level up your professional competencies, check out our various IT Security courses for yourself!

Attackers Abused Indian Bank’s SWIFT System to Try to Steal $2M

Digital attackers abused the SWIFT system of an Indian bank in an attempt to make off with approximately $2 million in stolen funds. On 18 February, City Union Bank disclosed the attempted heist in a statement (PDF): During our reconciliation process on 7th February 2018, it was found that 3 fraudulent transactions were initiated by […]… Read More

The post Attackers Abused Indian Bank’s SWIFT System to Try to Steal $2M appeared first on The State of Security.

An APFS Filesystem flaw could lead macOS losing data under certain conditions

The Apple expert Mike Bombich discovered an APFS filesystem vulnerability that could cause macOS to lose data under certain conditions.

A few days ago a ‘text bomb’ bug was reported for Apple iOS and macOS apps; the issue can crash any Apple iPhone, iPad or Mac.

Now the Apple expert Mike Bombich has discovered an APFS filesystem vulnerability that could cause macOS to lose data under certain conditions.

The bug lies in the way the operating system handles sparse disk images formatted with Apple’s APFS filesystem.

An Apple Disk Image is a disk image commonly used by the macOS operating system; it is “mounted” as a volume within the Finder. It contains the entire contents and structure of a disk volume, such as a USB drive, CD, DVD, hard disk drive, or network share.

Disk images are commonly used by several Mac apps, for example by backup and disk cloning applications.

The expert discovered that macOS does not properly account for free disk space on APFS sparse disk images: the “free disk space” the OS reports for the image volume does not reflect the free space actually available on the underlying disk.

“Earlier this week I noticed that an APFS-formatted sparsebundle disk image volume showed ample free space, despite that the underlying disk was completely full. Curious, I copied a video file to the disk image volume to see what would happen. The whole file copied without error! I opened the file, verified that the video played back start to finish, checksummed the file – as far as I could tell, the file was intact and whole on the disk image.” wrote Mike Bombich. “When I unmounted and remounted the disk image, however, the video was corrupted. If you’ve ever lost data, you know the kick-in-the-gut feeling that would have ensued. Thankfully, I was just running some tests and the file that disappeared was just test data. Taking a closer look, I discovered two bugs in macOS’s “diskimages-helper” service that lead to this result.”

Bombich explained that data are written into the void because the OS doesn’t warn users that there is not enough space on the underlying hard drive to hold the data.

As described by the expert, the written data remain accessible for a short period after the write operation; unfortunately, after the next system reboot the files that exceeded the real free space become corrupted and inaccessible.
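A defensive check for the failure mode described above, added here as an example (it is not Bombich’s code, nor part of Carbon Copy Cloner or Apple’s tooling): before trusting a sparse image volume’s reported free space, take the smaller of the image’s view and the host volume’s view, and verify the copied file’s checksum again after a remount. The remount hook and the `.sparsebundle` host path are assumptions; the scenario in `simulate()` is constructed in a temporary directory and uses no real disk image.

```python
"""Defensive write check for the APFS sparse-image free-space discrepancy.

A mounted sparse image can advertise free space the host volume cannot
actually back, so a copy "succeeds" and the file is gone after a remount.
Two mitigations follow:
  1. compute the really available free space as the smaller of the image
     volume's view and the host volume's view, and
  2. re-verify the copied file's SHA-256 after a remount instead of
     trusting the first read-back.
The remount step is a caller-supplied hook; on macOS it would wrap
`hdiutil detach` / `hdiutil attach` (assumed, not exercised here).
"""
import hashlib
import os
import shutil
import tempfile
from typing import Callable, Dict, Optional


class SparseImageWriteError(RuntimeError):
    """Raised when a write cannot be backed or does not survive a remount."""


def free_bytes(path: str) -> int:
    """Free bytes on the volume that holds `path` (unprivileged statvfs view)."""
    st = os.statvfs(path)
    return st.f_bavail * st.f_frsize


def effective_free_bytes(image_mount: str, host_image_path: str) -> int:
    """Free space a sparse image can really back.

    `image_mount` is where the image volume is mounted; `host_image_path`
    is the .sparsebundle/.sparseimage on the host disk (assumed layout).
    The reported bug ignores the second view, so take the minimum of both.
    """
    return min(free_bytes(image_mount), free_bytes(host_image_path))


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def safe_copy_to_image(src: str, image_mount: str, host_image_path: str,
                       remount: Optional[Callable[[], None]] = None) -> str:
    """Copy `src` into the image only if both free-space views have room,
    then confirm the copy survives a remount. Returns the verified SHA-256."""
    size = os.path.getsize(src)
    room = effective_free_bytes(image_mount, host_image_path)
    if size > room:
        raise SparseImageWriteError(
            f"refusing to write {size} bytes: only {room} bytes are really backed")
    expected = sha256_of(src)
    dst = os.path.join(image_mount, os.path.basename(src))
    shutil.copyfile(src, dst)
    if sha256_of(dst) != expected:
        raise SparseImageWriteError("copy did not read back intact")
    if remount is not None:
        remount()  # in the reported bug the loss only appears after this
        if not os.path.isfile(dst) or sha256_of(dst) != expected:
            raise SparseImageWriteError("copy did not survive remount")
    return expected


def simulate() -> Dict[str, bool]:
    """Constructed scenario in a temp directory (no real disk image):
    a healthy remount keeps the file; a remount that drops the file, as the
    bug does, must be detected rather than reported as success."""
    work = tempfile.mkdtemp(prefix="apfs-check-")
    src = os.path.join(work, "backup.bin")
    with open(src, "wb") as f:
        f.write(os.urandom(4096))
    image_mount = os.path.join(work, "image-volume")
    os.mkdir(image_mount)
    host_image_path = work  # stands in for the .sparsebundle location

    healthy = safe_copy_to_image(src, image_mount, host_image_path,
                                 remount=lambda: None) == sha256_of(src)

    def lossy_remount() -> None:  # model the bug: the file vanishes on remount
        os.remove(os.path.join(image_mount, "backup.bin"))

    try:
        safe_copy_to_image(src, image_mount, host_image_path, remount=lossy_remount)
        loss_detected = False
    except SparseImageWriteError:
        loss_detected = True
    shutil.rmtree(work, ignore_errors=True)
    return {"healthy_copy_verified": healthy, "loss_detected": loss_detected}


if __name__ == "__main__":
    print(simulate())
```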

APFS

Bombich is the author of the Mac backup software Carbon Copy Cloner, and according to statistics from his software not many users are affected. The expert says that only 7% of all Carbon Copy Cloner users store backups as sparse disk image files, and that only 12% of that 7% use APFS-formatted disk images.

The Carbon Copy Cloner software will not support APFS-formatted sparse disk images until Apple addresses the vulnerability reported by Bombich.

Below is a video PoC of the flaw.

“Until Apple resolves this disk images bug, we strongly recommend that people avoid using APFS-formatted sparse disk images for any purpose with any application.” concluded the expert. 

Pierluigi Paganini

(Security Affairs – APFS, Data Leak)

The post An APFS Filesystem flaw could lead macOS losing data under certain conditions appeared first on Security Affairs.


The State of Security: The Financial Fallout of a Cyber Attack on a Business

There were 978 million victims of cybercrime last year and these people lost a combined $172 billion, according to Norton. Those numbers alone should be enough to make businesses sit up and take notice. It’s important, too, to stress that it isn’t just the large corporations that suffer at the hands of online criminals. About half of […]… Read More

The post The Financial Fallout of a Cyber Attack on a Business appeared first on The State of Security.




Cybersecurity in 2028: Looking a Decade Ahead

It’s mid-February, which means IT security executives’ and industry analysts’ plans for 2018 are really starting to gather momentum. Every year, this personnel faces the difficult task of deciding what security investments they should make given current developments in the cyber threat landscape. Google Trends and other services can help organizations make these types of […]… Read More

The post Cybersecurity in 2028: Looking a Decade Ahead appeared first on The State of Security.

Contractors Pose Cyber Risk To Government Agencies

Ian Barker, writing for BetaNews: While US government agencies are continuing to improve their security performance over time, the contractors they employ are failing to meet the same standards according to a new report. The study by security rankings specialist BitSight sampled over 1,200 federal contractors and finds that the security rating for federal agencies was 15 or more points higher than the mean of any contractor sector. It finds more than eight percent of healthcare and wellness contractors have disclosed a data breach since January 2016. Aerospace and defense firms have the next highest breach disclosure rate at 5.6 percent. While government has made a concerted effort to fight botnets in recent months, botnet infections are still prevalent among the government contractor base, particularly for healthcare and manufacturing contractors. The study also shows many contractors are not following best practices for network encryption and email security.

Read more of this story at Slashdot.

US’s Greatest Vulnerability is Ignoring the Cyber Threats From Our Adversaries, Foreign Policy Expert Says

America's greatest vulnerability is its continued inability to acknowledge the extent of its adversaries' capabilities when it comes to cyber threats, says Ian Bremmer, founder and president of leading political risk firm Eurasia Group. From a report: Speaking to CNBC from the Munich Security Conference on Saturday, the prominent American political scientist emphasized that there should be much more government-level concern and urgency over cyber risk. The adversarial states in question are what U.S. intelligence agencies call the "big four": Russia, China, North Korea, and Iran. "We're vulnerable because we continue to underestimate the capabilities in those countries. WannaCry, from North Korea -- no one in the U.S. cybersecurity services believed the North Koreans could actually do that," Bremmer described, naming the ransomware virus that crippled more than 200,000 computer systems across 150 countries in May of 2017. Borge Brende, president of the World Economic Forum, weighed in, stressing the economic cost of cyber crimes. "It is very hard to attribute cyberattacks to different actors or countries, but the cost is just unbelievable. Annually more than a thousand billion U.S. dollars are lost for companies or countries due to these attacks and our economy is more and more based on internet and data."

Read more of this story at Slashdot.

Germany’s defense minister: Cyber security is going to be the main focus of this decade.

On Saturday, Germany’s defense minister Ursula von der Leyen told CNBC that cyber attacks are the greatest challenge threatening global stability.

Cybersecurity is a pillar of modern states; the string of recent massive attacks, including NotPetya and WannaCry, demonstrates that we are all potential targets.

Cyber attacks can hit governments, private companies and citizens at any time and from anywhere, causing severe problems for the victims and huge financial losses. Cyber risk is directly linked to geopolitical, environmental, technological, and economic risks. A cyber attack could destabilize governments worldwide, and it can put a company out of business.

When journalists asked the German defense minister about the “single greatest threat to global stability,” she confirmed the disconcerting scenario.

“I think it’s the cyber threats because whatever adversaries you can think of and even if you talk about Daesh (the terrorist group) they use the cyber domain to fight against us.” Germany’s defense minister Ursula von der Leyen told CNBC.

Germany’s defense minister urges European states to invest in collective defense

“This decade will be the decade of improvement in cyber security and information ruling,” she added.

Governments and companies are already investing to improve the resilience of their networks to cyber attacks. Germany’s defense minister also noted that governments are working to improve their offensive cyber capabilities.

The US and UK are reportedly using cyber soldiers to fight the Islamic State.

The video interview is available at the following link:

https://www.cnbc.com/video/2018/02/17/cyber-threats-biggest-threat-to-stabililty-german-defense-minister-says.html

Pierluigi Paganini

(Security Affairs – Germany defense minister, Information Warfare)

The post Germany’s defense minister: Cyber security is going to be the main focus of this decade. appeared first on Security Affairs.

2018 AppSec California: “Unpoisoned Fruit: Seeding Trust into a Growing World of Algorithmic Warfare”

My latest presentation on securing big data was at the 2018 AppSec California conference:

When: Wednesday, January 31, 3:00pm – 3:50pm
Where: Santa Monica
Event Link: Unpoisoned Fruit: Seeding Trust into a Growing World of Algorithmic Warfare

Artificial Intelligence, or even just Machine Learning for those who prefer organic, is influencing nearly all aspects of modern digital life. Whether it be financial, health, education, energy, transit…emphasis on performance gains and cost reduction has driven the delegation of human tasks to non-human agents. Yet who in infosec today can prove agents worthy of trust? Unbridled technology advances, as we have repeatedly learned in history, bring very serious risks of accelerated and expanded humanitarian disasters. The infosec industry has been slow to address social inequalities and conflict that escalates on the technical platforms under their watch; we must stop those who would ply vulnerabilities in big data systems, those who strive for quick political (arguably non-humanitarian) power wins. It is in this context that algorithm security increasingly becomes synonymous with security professionals working to avert, or as necessary helping win, kinetic conflicts instigated by digital exploits. This presentation therefore takes the audience through technical details of defensive concepts in algorithmic warfare based on an illuminating history of international relations. It aims to show how and why to seed security now into big data technology rather than wait to unpoison its fruit.

Copy of presentation slides: UnpoisonedFruit_Export.pdf


Security Affairs: Effective Tips for Internet Safety for Kids You Must Read

Online safety for your kids is very important.  However, that doesn’t necessarily mean that it needs to be hard work.

The key thing is to learn how to get parental controls set up properly so that you won’t have to worry as much about online safety when your kids start to use the internet for both school projects and entertainment.

There are many ways that the version of the internet that your kids see can be fine-tuned.  One option is to use a free content filter that is offered by all of the major providers.

There is also sophisticated software available for sale that you can invest in if you feel the need for a more advanced solution.

In order to determine which is best for you, we will be covering some of the major parental control options that are available to you.

In this article, we will be discussing various parent control options that are available to you.  However, keep in mind, that although there are some very useful parental control tools that are available – it is still important for you to watch what your children are doing when they are online as much as you can.  There is no substitute when it comes to parental supervision of children.

Content filters

All of the major UK broadband providers, including EE, Virgin Media, TalkTalk, Sky, and BT offer content filters as a standard feature.

They block sites that contain material that is inappropriate for children, like self-harm, pornography, and other nasty material. Access to sites that are known to contain malware and viruses is also restricted. The best internet packages will have this as standard nowadays.

Which broadband providers offer the best security? 

You will need to decide whether or not you want to use the filters when you are getting your broadband first set up.  The settings can be changed at any time by simply logging into your account.  So you can always change your mind on whether you want to use the filters or not.

Software

Some broadband providers offer parental control software as part of their broadband packages. This type of software is widely available. Content filters are network-level filters and are applied to anyone who uses the connection.

By contrast, parental control software affects only the device that it is installed on.  So for example, if you install parent control software on your desktop computer, it will not affect what your children are doing when they are using their tablets and phones.

In addition to filtering inappropriate content out, like gambling-related, violent and pornographic sites, some of this software also lets you monitor the online activity of your children and even restrict what times of days certain websites can be used.

This can definitely come in handy.  You will finally have a way of keeping them off of sites like Facebook and YouTube when they are supposed to be doing their homework.

In general, any device that is able to access the internet has its own onboard parental control sets that can be tinkered with before allowing your children to use it.

That is particularly helpful if the broadband company provides you with the software that is the kind that applies to just one device at a time.

For example, Apple’s iPad and iPhone have a broad range of restrictions, and you can use the Settings menu to access them easily. You can lock them in place and protect them with a password.

Those devices, in addition to many others, also allow you to disable paid transactions inside games and apps. That way your kids can’t run up bills without you knowing about it!

There is no such thing as a flawless system. That is why it is a very good idea to make use of all of the different tools that are available to you.

When you place restrictions on the way devices can be used and also install software, it makes it doubly unlikely that your children will be exposed to any unsuitable or harmful material while they are online.

This will help to put your mind at ease, which is so important these days with all of the dangers lurking online.

Web browsers

At times your web browser, which is the program that is used for browsing the internet, allows you to block out certain kinds of websites.

Those settings may be used in conjunction with whatever software you have installed on your computer already which provides you with an added layer of protection.

For example, when the Google Chrome browser is used – which is a free download that is available to use – it includes a feature that allows you to set up different account profiles for managers and supervised users, which gives you full control of how your children can use the internet when they are online.

Once again it is best to use these features of the browser in combination with other parental controls, especially since the settings apply only to the Chrome browser.  More tech-savvy, older children can quickly discover a workaround, such as downloading another web browser other than Google Chrome.

Websites

On certain internet platforms and websites, like iTunes, YouTube, and Google, there is a family-friendly filter that can be switched on that should block out any content that isn’t suited for children to see.

Once again, keep in mind that there is no such thing as a flawless system so that is why it makes sense to use these features in combination with other kinds of parental controls.

This is only really effective to use with very young children since older kids can figure out how the filter can be turned off if they get curious enough and want to look at things that they know they aren’t allowed to.

General advice on how to get safe online

Get Safe Online, an internet safety initiative, has provided the advice below. We hope you find it helpful in managing your children’s experiences online.

Set some boundaries even before your child gets their first internet connected device – whether it is a console, laptop, tablet, or mobile device.  After they have their device, it might be harder to change the settings or how they use it.

Network-level parental controls are offered by all major providers. When you switch to a different broadband package, you will have an option for turning content filtering on, so that adult material is blocked.

Keep in mind that doesn’t mean all bad stuff will be blocked – there is no such thing as a fully effective filter.  You will need to stay vigilant and supervise your children.

Have a discussion with your children about what is appropriate and safe to share and post online.

All videos, photos, and comments are part of a person’s ‘digital footprint’ and may be seen by anybody and be available forever on the internet.

Speak with your children about the type of content they view online, along with the precautions they need to take when they are communicating with others online – for example, to never share personal information with strangers.

Keep in mind that services such as YouTube and Facebook have a reason for having minimum age limits of 13 years old.  Don’t cave in to pressure – speak with your child’s school and other parents to be sure everyone is on the same page.

Explain to your children that being online doesn’t provide them with protection or anonymity. Make sure that you clearly tell them that they shouldn’t do anything over the internet that they wouldn’t feel completely comfortable doing in real life.

Written by Ali Qamar, Founder/Chief Editor at Cyberogism.com

Author Bio:
Ali Qamar is a privacy and cyber security enthusiast; his work has been featured in many major tech and security blogs including InfosecInstitute, Hackread, ValueWalk, Intego, and SecurityAffairs, to name a few. He currently runs SpyAdvice.com. Follow Ali on Twitter @AliQammar57

Pierluigi Paganini

(Security Affairs – safety for kids, Internet)

The post Effective Tips for Internet Safety for Kids You Must Read appeared first on Security Affairs.




Effective Tips for Internet Safety for Kids You Must Read

Online safety for your kids is very important.  However, that doesn’t necessarily mean that it needs to be hard work.

The key thing is to learn how to get parental controls set up properly so that you won’t have to worry as much about online safety when your kids start to use the internet for both school projects and entertainment.

There are many ways that the version of the internet that your kids see can be fine-tuned.  One option is to use a free content filter that is offered by all of the major providers.

There are also sophisticated software that is available for sale that you can invest in if you feel the need for a more advanced solution.

In order to determine which is best for you, we will be covering some of the major parental control options that are available to you.

In this article, we will be discussing various parent control options that are available to you.  However, keep in mind, that although there are some very useful parental control tools that are available – it is still important for you to watch what your children are doing when they are online as much as you can.  There is no substitute when it comes to parental supervision of children.

Content filters

All of the major UK broadband providers, including EE, Virgin Media, TalkTalk, Sky, and BT offer content filters as a standard feature.

They block off sites that contain material that is inappropriate for children, like self-harming, pornography, and other nasty material. Access to sites that are known to contain malware and viruses are also restricted. The best internet packages will have this as standard nowadays.

Which broadband providers offer the best security? 

You will need to decide whether or not you want to use the filters when you are getting your broadband first set up.  The settings can be changed at any time by simply logging into your account.  So you can always change your mind on whether you want to use the filters or not.

Software

Some broadband providers offer parental control software as part of their broadband packages. This type of software is widely available. Content filters are network-level filters and are applied to anyone who uses the connection.

By contrast, parental control software affects only the device that it is installed on.  So for example, if you install parent control software on your desktop computer, it will not affect what your children are doing when they are using their tablets and phones.

In addition to filtering inappropriate content out, like gambling-related, violent and pornographic sites, some of this software also lets you monitor the online activity of your children and even restrict what times of days certain websites can be used.

This can definitely come in handy.  You will finally have a way of keeping them off of sites like Facebook and YouTube when they are supposed to be doing their homework.

In general, any device that is able to access the internet has its own onboard parental control sets that can be tinkered with before allowing your children to use it.

That is particularly helpful if the broadband company provides you with the software that is the kind that applies to just one device at a time.

For example, Apple’s iPad and iPhone, have a broad range of restrictions, and you cause the settings menu to easily access them.  You can lock them in place and protect them using a password.

Those devices, in addition to many others, also allow you to disable paid transactions inside of games and apps.  That way your kids can run up any bills without you knowing about it!

There is no such thing as a flawless system. That is why it is a very good idea to make use of all of the different tools that are available to you.

When you place restrictions on the way devices can be used and also install software, it makes it double unlikely that your children will be exposed to any unsuitable or harmful material while they are online.

This will help to put your mind at ease, which is so important these days with all of the dangers lurking online.

Web browsers

At times your web browser, which is the program that is used for browsing the internet, allows you to block out certain kinds of websites.

Those settings may be used in conjunction with whatever software you have installed on your computer already which provides you with an added layer of protection.

For example, when the Google Chrome browser is used – which is a free download that is available to use – it includes a feature that allows you to set up different account profiles for managers and supervised users, which gives you full control of how your children can use the internet when they are online.

Once again it is best to use these features of the browser in combination with other parental controls, especially since the settings apply only to the Chrome browser.  More tech-savvy, older children can quickly discover a workaround, such as downloading another web browser other than Google Chrome.

Websites

On certain internet platforms and websites, like iTunes, YouTube, and Google, there is a family-friendly filter that can be switched on that should block out any content that isn’t suited for children to see.

Once again, keep in mind that there is no such thing as a flawless system so that is why it makes sense to use these features in combination with other kinds of parental controls.

This is only really effective to use with very young children since older kids can figure out how the filter can be turned off if they get curious enough and want to look at things that they know they aren’t allowed to.

General advice on how to get safe online

Get Safe Online, an internet safety initiative has provided the advice below. We hope you find it helpful to manage your children’s experiences online.

Set some boundaries even before your child gets their first internet connected device – whether it is a console, laptop, tablet, or mobile device.  After they have their device, it might be harder to change the settings or how they use it.

Network-level parental controls are offered by all major providers. When you switch to a different broadband package, you will have an option for turning content filtering on, so that adult material is blocked.

Keep in mind that doesn’t mean all bad stuff will be blocked – there is no such thing as a fully effective filter.  You will need to stay vigilant and supervise your children.

Have a discussion with your children about what is appropriate and safe to share and post online.

All videos, photos, and comments are part of a person’s ‘digital footprint’ and may be seen by anybody and be available forever on the internet.

Speak with your children about the type of content they view online, along with the precautions they need to take when they are communicating with others online – for example, to never share personal information with strangers.

Keep in mind that services such as YouTube and Facebook have a reason for having minimum age limits of 13 years old.  Don’t cave in to pressure – speak with your child’s school and other parents to be sure everyone is on the same page.

Explain to your children that being online doesn’t provide them with protection or anonymity. Make sure that you clearly tell them that they shouldn’t do anything over the internet that they wouldn’t feel completely comfortable doing in real life.

Written by Ali Qamar, Founder/Chief Editor at Cyberogism.com

Author Bio:
Ali Qamar is a privacy and cyber security enthusiast; his work has been featured in many major tech and security blogs including InfosecInstitute, Hackread, ValueWalk, Intego, and SecurityAffairs, to name a few. He currently runs SpyAdvice.com. Follow Ali on Twitter @AliQammar57

Pierluigi Paganini

(Security Affairs – safety for kids, Internet)

The post Effective Tips for Internet Safety for Kids You Must Read appeared first on Security Affairs.

Prosecutor Robert Mueller indicted 13 Russians for a massive operation aimed to influence Presidential election

The special prosecutor Robert Mueller has accused thirteen Russian nationals of tampering with the 2016 presidential election and charged them with conspiring against the United States.

Thirteen Russian nationals and three Russian entities have been indicted for a massive operation aimed to influence the 2016 Presidential election.

The special prosecutor Robert Mueller has accused the defendants of tampering with the 2016 US presidential election and charged them with conspiring against the United States.

According to the results of the investigation conducted by the prosecutor, the Internet Research Agency, a Russian organization, and the 13 Russians began targeting the United States back in 2014.

Russian nationals used stolen American identities and local computer infrastructure to influence the 2016 Presidential election; the group deliberately denigrated candidate Clinton to support Trump.

“Certain Defendants traveled to the United States under false pretenses for the purpose of collecting intelligence to inform Defendants’ operations. Defendants also procured and used computer infrastructure, based partly in the United States, to hide the Russian origin of their activities and to avoid detection by U.S. regulators and law enforcement.” reads Mueller’s indictment.

“Defendant ORGANIZATION had a strategic goal to sow discord in the U.S. political system, including the 2016 U.S. presidential election. Defendants posted derogatory information about a number of candidates, and by early to mid-2016, Defendants’ operations included supporting the presidential campaign of then-candidate Donald J. Trump (“Trump Campaign”) and disparaging Hillary Clinton.”

The indictment states that in April 2014 the Russian organization created a specific section focused on the US population, which acted to influence citizens’ sentiment on the candidates through social media platforms including Facebook, Instagram, Twitter, and YouTube. By 2014,

The group used VPN services to connect from Russia to the US and manage their network of social media accounts.

The organization would use email addresses such as staceyredneck@gmail.com during its activities.

The Russian propaganda machine created and controlled numerous social media accounts; one of them is the Twitter account “Tennessee GOP,” which used the handle @TEN_GOP.

“The @TEN_GOP account falsely claimed to be controlled by a U.S. state political party. Over time, the @TEN_GOP account attracted more than 100,000 online followers.” continues the Indictment.

The group used stolen identities of US citizens to buy political advertisements on social media; they also recruited Americans to spread derogatory information.

We are facing a powerful and efficient propaganda machine. The defendants and their conspirators constantly monitored their campaign over social media. They measured the size of the online U.S. audiences reached by their actions and the types of engagement with the posts.

The organization was particularly active in 2016, when defendants posing as American citizens and communicating with Americans began to gather intelligence to better target their campaign.

“In order to carry out their activities to interfere in US political and electoral processes without detection of their Russian affiliation, the Defendants conspired to obstruct the lawful functions of the United States government through fraud and deceit, including by making expenditures in connection with the 2016 US presidential election without proper regulatory disclosure; failing to register as foreign agents carrying out political activities within the United States; and obtaining visas through false and fraudulent statements,” the indictment reads.

Social media giants Facebook and Twitter are both accused of running ads and promoted content for the groups operated by the Organization.

Twitter has admitted the involvement of thousands of bot accounts in Russian propaganda; the company has deleted 200,000 tweets posted by an army of trolls used by the Kremlin.

Pierluigi Paganini

(Security Affairs – Mueller’s indictment, 2016 Presidential election)

The post Prosecutor Robert Mueller indicted 13 Russians for a massive operation aimed to influence Presidential election appeared first on Security Affairs.

Phishing Attack Scores Credentials For More Than 50,000 Snapchat Users

An anonymous reader quotes an exclusive report from The Verge: In late July, Snap's director of engineering emailed the company's team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company's users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat accounts, along with their usernames and passwords. The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic, according to emails obtained by The Verge. Not all of the account credentials were valid, and Snap had reset the majority of the accounts following the initial attack. But for some period of time, thousands of Snapchat account credentials were available on a public website. According to a person familiar with the matter, the attack relied on a link sent to users through a compromised account that, when clicked, opened a website designed to mimic the Snapchat login screen.

Read more of this story at Slashdot.

A Hacker Has Wiped a Spyware Company’s Servers — Again

Last year, a vigilante hacker broke into the servers of a company that sells spyware to everyday consumers and wiped their servers, deleting photos captured from monitored devices. A year later, the hacker has done it again. Motherboard: Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent. Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners' and children's phones in order to spy on them. This software has been called "stalkerware" by some.

Read more of this story at Slashdot.

The Destructive nature of North Korean Cyber-Attacks

Attacks like WannaCry and NotPetya were highly destructive on a scale never seen before. The disruption has still left some organisations suffering from the financial repercussions.

The reach of the attacks shocked many within the cyber industry and just this month, Ciaran Martin, the head of the National Cyber Security Centre, warned UK organisations to fear ‘reckless’ cyber attacks – like the WannaCry ransomware virus – where the perpetrator seemed to lose control.

WannaCry is strongly linked to Lazarus, a group that operates out of North Korea, so security researchers at AlienVault have outlined new details of ‘reckless’ North Korean cyberattacks that have flooded uncontrollably into the wild, posing an ongoing security risk.

Rivts Virus

The Rivts virus is a piece of malware thought to have been leaked online after initially being created within North Korea as a test project. Its origins can be traced back to 2009. It is a file-infecting worm that spreads through USB drives and hard drives by latching itself onto other, uninfected files.

According to AlienVault, the first file infected with Rivts was seen in 2011, but the file metadata indicates it was compiled two years earlier, in February 2009. It is thought Rivts circulated, infecting systems within the DPRK (North Korea), for two years before escaping onto the Voice of Korea (similar to BBC World) website in 2011, which was its first public reference.

On examining the malware, researchers located the word ‘test’ in multiple places, which gives further evidence that Rivts could have been part of a prototype project. Despite not being considered a strong cyber threat, the original strain of the worm lasted a considerable amount of time.

The Lazarus SMB worms

When people think of Lazarus Server Message Block (SMB) worms, WannaCry is often the name that comes to mind. However, there are others that have also gained prominence. In 2014, Sony became the unfortunate target of an SMB attack which resulted in the Sony network being crippled for a matter of days with sensitive information on Sony and its employees leaked online. Then there’s the Brambul worm.

Brambul and WannaCry are essentially two peas from the same malware pod. In fact, earlier versions of WannaCry were seen performing the same SMB brute-forcing as Brambul. Considered an ancient worm, Brambul samples that are ten years old are still being discovered today. It was also found in 2015 that if you were to leave an insecure computer connected to the internet, Brambul came in at no.13 as being the most likely malware family to infect the computer.

The Infected USB

IBM and Lenovo were victims of breached supply chains in April 2017, and after alerting customers, both server manufacturers distributed USB sticks containing installation software to customers of their storage servers. Unfortunately for them, the USB sticks contained the Faedevour malware worm. The first samples of Faedevour are thought to have appeared in 2013, and this was the same file that appeared on the Korean Central News Agency (KCNA) website in 2015. The attack suffered by KCNA was intentional, as it was found that malicious JavaScript had been added to the KCNA website to disguise the Faedevour worm as a fake Adobe Flash update.

This again is another example of the durability within these strains of malware that originate in North Korea and spread further than originally intended.

Click here to read the full AlienVault blog

The post The Destructive nature of North Korean Cyber-Attacks appeared first on IT SECURITY GURU.

Google Exposes How Malicious Sites Can Exploit Microsoft Edge

Google's Project Zero team has published details of an unfixed bypass for an important exploit-mitigation technique in Edge. From a report: The mitigation, Arbitrary Code Guard (ACG), arrived in the Windows 10 Creators Update to help thwart web attacks that attempt to load malicious code into memory. The defense ensures that only properly signed code can be mapped into memory. However, as Microsoft explains, Just-in-Time (JIT) compilers used in modern web browsers create a problem for ACG. JIT compilers transform JavaScript into native code, some of which is unsigned and runs in a content process. To ensure JIT compilers work with ACG enabled, Microsoft put Edge's JIT compiling in a separate process that runs in its own isolated sandbox. Microsoft said this move was "a non-trivial engineering task." "The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages," Microsoft says. Google's Project Zero found an issue is created by the way the JIT process writes executable data into the content process.

Read more of this story at Slashdot.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of February 12, 2018

Valentine’s Day was earlier this week, and there was so much love in the air. There was also a lot of love in the Trend Micro world as our teams worked diligently to make sure our customers were protected from this month’s bevy of critical vulnerabilities across several vendors. This week, we focus on Microsoft, who issued a whopping 50 security patches covering Internet Explorer (IE), Microsoft Edge, ChakraCore, Microsoft Windows and Microsoft Office. Eight of the CVEs came through the Zero Day Initiative program!

There are some scary bugs out there! One of the interesting ones that Microsoft patched this month for Microsoft Outlook used the preview pane as an attack vector. That means an exploit of this vulnerability could allow code execution without even opening an email. You can get more information on this month’s Microsoft updates from Dustin Childs’ February 2018 Security Update Review from the Zero Day Initiative:

Microsoft Security Updates

This week’s Digital Vaccine® (DV) package includes coverage for Microsoft updates released on or before February 13, 2018. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with * shipped prior to this week’s DV package, providing preemptive protection for our customers.

CVE #           Digital Vaccine Filter #   Status
CVE-2018-0742   30334
CVE-2018-0755   *30237
CVE-2018-0756   30336
CVE-2018-0757   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0760   *30241
CVE-2018-0761   *30239
CVE-2018-0763   *30275
CVE-2018-0771   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0809   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0810   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0820   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0821   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0822   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0823   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0825   30341
CVE-2018-0826   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0827   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0828   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0829   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0830   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0831   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0832   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0833   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0834   30345
CVE-2018-0835   30349
CVE-2018-0836   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0837   30351
CVE-2018-0838   30362
CVE-2018-0839   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0840   30365
CVE-2018-0841   30388
CVE-2018-0842   30367
CVE-2018-0843   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0844   30366
CVE-2018-0846   30368
CVE-2018-0847   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0850   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0851   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0852   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0853   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0855   *30242
CVE-2018-0856   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0857   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0858   30331
CVE-2018-0859   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0860   30342
CVE-2018-0861   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0864   -                          Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0866   30410
CVE-2018-0869   -                          Vendor Deemed Reproducibility or Exploitation Unlikely

Offensivecon 2018

If you happen to be reading this and you’re in Berlin, Germany, three members of our Zero Day Initiative team (Brian Gorenc, Abdul-Aziz Hariri and Jasiel Spelman) will be speaking later today at Offensivecon 2018, an international security conference that brings the hacker community together for networking and sharing knowledge. Their session, “L’art de l’évasion: Modern VMWare Exploitation Techniques,” will dive into modern exploitation techniques of VMware vulnerabilities and take an in-depth look at the available attack surfaces on a virtual machine. Learn more by clicking here: https://www.offensivecon.org/speakers/2018/zdi-team.html

Zero-Day Filters

There are 13 new zero-day filters covering five vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website. You can also follow the Zero Day Initiative on Twitter @thezdi and on their blog.

Adobe (5)

  • 30359: ZDI-CAN-5381: Zero Day Initiative Vulnerability (Adobe Flash Player)
  • 30370: ZDI-CAN-5237: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 30371: ZDI-CAN-5238: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 30372: ZDI-CAN-5241: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 30373: ZDI-CAN-5291: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)

Delta (1)

  • 30391: ZDI-CAN-5389: Zero Day Initiative Vulnerability (Delta Industrial Automation TPEditor)

Foxit (3)

  • 30355: ZDI-CAN-5376,5377: Zero Day Initiative Vulnerability (Foxit Reader)
  • 30358: ZDI-CAN-5379: Zero Day Initiative Vulnerability (Foxit Reader)
  • 30360: ZDI-CAN-5382: Zero Day Initiative Vulnerability (Foxit Reader)

Microsoft (1)

  • 30357: ZDI-CAN-5378: Zero Day Initiative Vulnerability (Microsoft Windows)

OMRON (3)

  • 30392: ZDI-CAN-5402: Zero Day Initiative Vulnerability (OMRON CX-One)
  • 30393: ZDI-CAN-5403: Zero Day Initiative Vulnerability (OMRON CX-One)
  • 30394: ZDI-CAN-5404: Zero Day Initiative Vulnerability (OMRON CX-One)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

How cryptojacking came to be, what to watch out for, and how Citrix can help you avoid it like the plague!

Cryptojacking targets both endpoints and servers – both on-premises and in the cloud. The goal is the same: enslave a massive botnet of devices and harness CPU cycles to mine cryptocurrency with minimal cost or investment. I briefly introduced the concept in the previous Digital Vikings blog post, and the threat has grown month after month, likely coinciding with the run-up in the crypto market. We’ll look at crypto mining and at some mitigations to prevent and detect digital parasites that leech CPU cycles for months or even years, generating cash for their owners all the while.

Primitive infectious organisms kill their host, gaining a one-time benefit: replication. But the more advanced ones feed on their hosts. These biological parasites live in or on a host organism and siphon nutrients at the host’s expense. Their main function is to leech from the host, not destroy it. Similarly, in the digital world, parasites don’t delete, encrypt, or ransom data; they siphon off compute resources – preferably undetected. Compute resources are a valuable commodity in the world of crypto-mining. Crafty adversaries driven by the opportunity of financial gain are weaponizing crypto mining to exploit the digital currency boom. This stealthier malware phenomenon called cryptojacking is becoming a popular payload since it’s an effective way to generate revenue with a lower chance of detection. The goal is to run undetected – stealing CPU cycles – essentially becoming a digital parasite.

For example, Coinhive – a website-based crypto miner that has the slogan “Monetize Your Business With Your Users’ CPU Power” – has been discovered hijacking user connections in a café in Argentina and online video sites. A European water utility was also hit by crypto mining – critical ICS and SCADA systems. If those critical systems aren’t enough – how about Russian supercomputers used for simulating nuclear weapons designs? Not even regulatory agencies such as the UK’s ICO are spared. Finally, some websites are using crypto mining as an alternative to advertising banners and pop ups – this can be an opt-in approach at monetization that is interesting to see develop.

Digital Gold Rush

For context – let’s take a brief look at what mining means in terms of crypto. Cryptomining is an intensive process – consistently running mathematical calculations that keep processors at 100% usage. Professional miners make a large upfront investment in specialized hardware and infrastructure (hosting, cooling, etc.) Then there are recurring electricity costs, maintenance, and staff. It’s a substantial investment to get ROI and become profitable, but cryptojackers reap the reward of crypto mining by herding botnets of compromised machines, collectively stealing CPU cycles and leaving end users with reduced performance while inflating the cost of electricity, both on-premises and in the cloud where elastic resources are priced on usage.

In the earliest days of crypto, Bitcoin mining was done with CPUs from desktop computers. As more miners came online, the difficulty level adjusted so that running multiple graphics processing units (GPUs) became more effective at mining. Next came specialized chipsets or ASICs designed specifically for mining Bitcoin – these are getting smaller and more efficient. To increase the chances of payout, multiple miners join pools in which they are compensated based on their contribution of compute resources or hash power. For Bitcoin, mining using CPUs, GPUs, or even the older ASICs will never reach ROI – the cost of energy consumption is greater than the revenue generated. With exceptions, mining Bitcoin tends to be limited to larger operations where the cost of energy is low – hydro power or subsidized power are attractive – China, Sweden, Iceland and the State of Washington among others.

But a large number of “altcoins” running different protocols and with lower difficulty levels have grown in popularity. These include Ethereum and Monero, among hundreds of others. While some alts have unique utility or functionality, they mainly provide a more lucrative opportunity to profit from mining (and cryptojacking) as they can be traded for Bitcoin. Monero is a favorite among mining botnets, where a couple thousand compromised systems can mine several hundreds of thousands of dollars a year. It’s not all dark and gloomy, crypto mining is great learning opportunity as well. Case in point is our very own Steve Wilson who embarked on a business and technology project with his daughter. How many experiments teach about blockchain, operating efficiencies, and equipment depreciation?

Digital Parasites

Endpoints are targeted through the web browser – telltale symptoms are sluggishness, high CPU usage, and the whine of maxed-out RPM on the cooling fans. An example is a finding by independent security researcher Willem de Groot, who “believes all of the 2,496 sites he tracked are running out-of-date software with known security vulnerabilities that have been exploited to give attackers control. Attackers, he said, then used their access to add code that surreptitiously harnesses the CPUs and electricity of visitors to generate the digital currency known as Monero.” Another variant is “drive-by” cryptojacking – where a hidden and persistent popup hangs around even after closing the site.

Mobile devices and gadgets are also susceptible, even more so since the mining scripts can run in the background or are more difficult to identify. One example is the Android variant named ADB.Miner. It typically runs on rooted devices, using the same scanning code as the Mirai botnet – the same techniques to search for open and accessible devices. If successful, the malware proceeds to infect them and mine Monero while spreading to more devices. Mobile apps such as Minergate Mobile and dozens of others have been available since 2016 – downloadable right off the internet. Weaponized variants are typically installed on rooted or jailbroken devices or potentially via the hundreds of thousands of apps removed from the app stores.

Server-side attacks are the same as previous botnets – but retooled. Instead of pharma mail spam, ransomware, or DDoS attacks – the bots host apps like Minergate and Smominru. The apps run surreptitiously and regularly check in with the mining pool hosts in order to get new blocks and validate work. The payload may come in via spam emails that contain attachments such as malicious Word documents. A common vector is internet-facing servers with RDP enabled, weak passwords, and no multifactor authentication. Tools like Shodan clearly show how pervasive internet-facing servers are, and tools that sniff all ports for RDP listeners make quick work of the security-through-obscurity of changing RDP ports. Using brute-force dictionary attacks, it’s only a matter of time before simple passwords are cracked. Once they are in, expect that backdoor accounts and backup access methods are deployed. As with other attacks, server-side cryptojacking can become more complex and more complicated once it spreads. If the attacker gets access to the infrastructure, he or she may provision additional servers – in cloud environments, expect to see new servers with high-end specs and cost.
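The password guessing against internet-facing RDP described above is the same pattern as the SMB brute forcing attributed to Brambul and early WannaCry earlier on this page, and it is one of the cheapest things to detect from authentication logs. The following is an added example, not code from the original post or from Citrix: a small Python detector that reads a simplified Windows Security log export (the event IDs 4625/4624 and logon types 3/10 are real; the export format, addresses, account names and timestamps are constructed for the example) and flags any source address that produces a burst of failed network or RDP logons, escalating when a successful logon from the same address follows the burst.

```python
"""Failed-logon burst detector for SMB/RDP password guessing.

Added example: parses a constructed Windows Security log export and flags
source hosts that hammer network (SMB) or RemoteInteractive (RDP) logons.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line per event, in a simplified export format assumed for this example.
# EventID 4625 = failed logon, 4624 = successful logon (real Windows IDs);
# LogonType 3 = network, e.g. SMB; LogonType 10 = RemoteInteractive, e.g. RDP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

# Constructed sample: 12 failed SMB logons in 12 seconds from one address,
# cycling through common account names, then a success from the same address.
GUESSED_USERS = ["administrator", "admin", "backup", "guest", "sqlsvc",
                 "test", "root", "administrator", "admin", "backup",
                 "guest", "sqlsvc"]
SAMPLE_LOG = [
    f"2018-02-15T10:00:{i:02d}Z EventID=4625 LogonType=3 TargetUser={u} SourceIP=203.0.113.7"
    for i, u in enumerate(GUESSED_USERS)
] + [
    "2018-02-15T10:00:12Z EventID=4624 LogonType=3 TargetUser=backup SourceIP=203.0.113.7",
    # Benign noise: one mistyped RDP password from a workstation, then success.
    "2018-02-15T10:05:00Z EventID=4625 LogonType=10 TargetUser=alice SourceIP=198.51.100.4",
    "2018-02-15T10:05:09Z EventID=4624 LogonType=10 TargetUser=alice SourceIP=198.51.100.4",
]


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(m["event"]),
        "ltype": int(m["ltype"]),
        "user": m["user"].lower(),
        "ip": m["ip"],
    }


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed SMB/RDP logons inside `window`.

    Returns {ip: {"failures", "users", "success_after_burst", ...}}.  A success
    (4624) from a flagged IP within `window` of its last failure is recorded as
    the likely outcome of a guessed password and escalates the alert.
    """
    recent = defaultdict(deque)  # ip -> (timestamp, user) of recent failures
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ltype"] not in (3, 10):
            continue
        ip, q = ev["ip"], recent[ev["ip"]]
        if ev["event"] == 4625:
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:  # drop stale failures
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(),
                                           "success_after_burst": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)
        elif (ev["event"] == 4624 and ip in alerts and q
              and ev["ts"] - q[-1][0] <= window):
            alerts[ip]["success_after_burst"] = True
            alerts[ip]["compromised_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, a)
```

The sliding window is keyed on the source address rather than the target account, because a dictionary attack rotates through many accounts and a per-account threshold would never trip. A burst followed by a 4624 is the event worth paging on: at that point the interesting question is no longer whether the password was weak but which account to disable and what the new backdoor accounts look like. Note that moving RDP to a non-standard port changes nothing here, since the detection runs on the authentication events, not on the listening port.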

A more recent cryptojacking attack is WannaMine. As described by CrowdStrike: “WannaMine employs “living off the land” techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It also propagates via the EternalBlue exploit popularized by WannaCry. Its fileless nature and use of legitimate system software such as WMI and PowerShell make it difficult, if not impossible, for organizations to block it without some form of next-generation antivirus.” As discussed in Martin Zugec’s blog post, blocking the EternalBlue exploit used to deliver the WannaCry ransomware and fileless attacks has been possible with Bitdefender HVI and Citrix XenServer since day one.
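Whatever the delivery vector (browser script, mobile app, RDP guessing, or a fileless WannaMine-style implant), a server-side miner still has to talk to its pool, and the section above notes that the bots check in with mining pool hosts for work. That handshake is the most reliable network indicator a defender has. As an added example that is not part of the original post or any Citrix product, the Python below scores outbound connections reported by a hypothetical host sensor (assumed to log the owning process, its mean CPU share, the destination, and the first line sent on the socket; all records are constructed) and treats a Stratum mining-protocol handshake as the strong signal, with pool-style ports and sustained CPU load only as corroboration.

```python
"""Cryptojacking indicator scorer over constructed host telemetry.

Added example: scores each outbound connection a host sensor reported, using the
Stratum mining-protocol handshake as the strong signal and pool-style ports plus
sustained CPU load as weak corroborating signals.
"""
import json

# Ports widely used by public mining pools. Only a weak signal: build servers,
# dev proxies and games use some of them too, so it never triggers on its own.
POOL_STYLE_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 45700}

STRONG, WEAK, MIN_SCORE = 3, 1, 3  # a Stratum handshake alone is enough to alert

# Constructed records (not real telemetry) from a hypothetical sensor that logs,
# per outbound TCP connection: the owning process, its mean CPU share during
# the sample period, the destination, and the first line sent on the socket.
SAMPLE_EVENTS = [
    {"host": "web-01", "process": "updater.exe", "dst": "203.0.113.50", "dport": 14444,
     "cpu": 0.97,
     "first_line": '{"id":1,"jsonrpc":"2.0","method":"login","params":'
                   '{"login":"CONSTRUCTED_WALLET","pass":"x","agent":"XMRig/2.4.4"}}'},
    {"host": "iot-gw", "process": "busybox", "dst": "198.51.100.9", "dport": 4444,
     "cpu": 0.88,
     "first_line": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}'},
    # CI runner talking HTTP to an internal service on port 3333 while a build
    # pegs the CPU: two weak signals, no handshake, stays below the alert line.
    {"host": "build-02", "process": "node", "dst": "10.0.0.12", "dport": 3333,
     "cpu": 0.95, "first_line": "GET /api/status HTTP/1.1"},
    # Ordinary TLS traffic: the first line is a ClientHello, not JSON.
    {"host": "db-01", "process": "curl", "dst": "10.0.0.40", "dport": 443,
     "cpu": 0.02, "first_line": "\x16\x03\x01\x00\xc4"},
]


def stratum_indicator(first_line):
    """Return a description if `first_line` looks like a Stratum handshake, else None.

    Stratum is JSON-RPC over TCP; a classic miner opens with "mining.subscribe",
    and the Monero-style variant opens with "login" carrying a wallet and agent.
    """
    try:
        msg = json.loads(first_line)
    except (ValueError, TypeError):
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    params = msg.get("params")
    if method == "mining.subscribe":
        return "stratum mining.subscribe"
    if method == "login" and isinstance(params, dict) and set(params) >= {"login", "agent"}:
        return "stratum login, agent=%s" % params["agent"]
    return None


def score_event(ev):
    """Return (score, reasons) for one connection record."""
    score, reasons = 0, []
    indicator = stratum_indicator(ev.get("first_line", ""))
    if indicator:
        score += STRONG
        reasons.append(indicator)
    if ev.get("dport") in POOL_STYLE_PORTS:
        score += WEAK
        reasons.append("pool-style port %d" % ev["dport"])
    if ev.get("cpu", 0.0) >= 0.9:
        score += WEAK
        reasons.append("sustained cpu %.0f%%" % (ev["cpu"] * 100))
    return score, reasons


def find_miners(events, min_score=MIN_SCORE):
    """Return {(host, process): {"score", "reasons", "dst"}} for records at or above min_score."""
    hits = {}
    for ev in events:
        score, reasons = score_event(ev)
        if score >= min_score:
            hits[(ev["host"], ev["process"])] = {
                "score": score, "reasons": reasons,
                "dst": "%s:%d" % (ev["dst"], ev["dport"]),
            }
    return hits


if __name__ == "__main__":
    for key, hit in find_miners(SAMPLE_EVENTS).items():
        print(key, hit)
```

The weights are deliberately asymmetric: the busy CI runner on port 3333 collects both weak signals and is still not reported, while the BusyBox miner on the IoT gateway is reported on the handshake alone even though its CPU share is under the threshold. Browser-based miners of the Coinhive kind ride over TLS and WebSockets, so the first-line check cannot see them; for those, the per-tab CPU symptom named earlier in the post and a web-gateway blocklist are the practical controls.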

Back to the basics… but smarter

Defending against cryptojacking requires a holistic approach and building a security architecture with a secure digital perimeter. The approach must focus on prevention as well as detection. Citrix has partnered with multiple security companies that enhance endpoint, network, server, and cloud protection. Secure Web Gateway protects browsers by preventing access to malicious websites and malware – by integrating with NetStar to inspect the incoming payload and block as needed. Additionally, for exploit delivered payloads – integrations with Bitdefender provides Hypervisor Introspection for XenServer. For mobile endpoints, XenMobile’s integration with Symantec Endpoint Protection Mobile (formerly Skycure) is stopping the exploits before the payload is delivered.

The post How cryptojacking came to be, what to watch out for, and how Citrix can help you avoid it like the plague! appeared first on IT SECURITY GURU.

Lackadaisical Employee Attitudes to Cyber Security are the Biggest Risks to Enterprises

The role of IT in defending against cyberattacks is more difficult than ever. It becomes even more challenging when IT departments are forced to tackle the lack of willingness by employees to take precautionary steps against attacks.

Based on new research involving more than 2,000 business and IT professionals at companies from various industries around the world, A10 AIR addresses the challenges IT decision makers face with the rise and complexity of cyberattacks, and the sometimes-careless attitudes of employees who unwittingly introduce new threats into their businesses.

The report revealed that employees often unknowingly weaken cybersecurity with the use of unsanctioned apps: one out of three (37 percent) of employees surveyed say they aren’t familiar with what a DDoS attack is, or even aware of how they could unknowingly become victimised.

This data is even more disturbing when almost half (48 percent) of IT leaders say they agree that their employees do not care about following security practices, according to the survey findings. It’s hard to protect someone who isn’t familiar with the warning signs associated with attacks – or willing to learn about them.

With often poor understanding of corporate security policies, this behaviour increases the risks that come with a growing reliance on disparate and app-dependent workforces, especially when one third (30 percent) of employees surveyed knowingly use apps their companies forbid.

Of those who use non-sanctioned apps, more than half (51 percent) claim “everybody does it,” while one third (36 percent) say they believe their IT department doesn’t have the right to tell them what apps they can’t use.

Why use unsanctioned apps in the first place? One third (33 percent) of all respondents claim IT doesn’t give them the apps needed to get the job done.

But Who’s Responsible for App Security?

For employees who want to check sports scores or listen to streaming music at work, poorly designed apps with weak security could provide the backdoor for attackers to gain entry into the employee’s corporate network.

While the WireX botnet recently hijacked thousands of devices through seemingly harmless apps, it’s a frightening reminder that it only takes one app with weak security to infect a mobile device. More than half (55 percent) of employees surveyed say they expect the use of business apps to increase, meaning the odds also increase of these devices becoming part of a larger DDoS attack, which can bring entire businesses to a screeching halt.

But who is ultimately responsible for protecting employees who use non-sanctioned apps at work? App developers, IT departments and end users are at odds over who is responsible for application security and best practices regarding the many apps on the phones of employees. With employees, responsibility is low: only two out of five (41 percent) claim ownership for the security and protection of non-business apps they use, AIR found.

And who is that “someone else” who should be protecting users’ apps in the workplace? Employees think security should be provided by the app developers (20 percent), service providers (17 percent) and their IT department (16 percent).

But if you ask IT decision-makers who is internally responsible, one third say the security team is most responsible for protecting employees’ identity and personal information, followed by the CIO or vice president (17 percent) of the company, and 15 percent state “the whole IT department.”

Employee Behavior toward the Use of Banned Apps or Sites at Work

It’s an accepted fact that companies can block apps and websites at work – 87 percent of respondents find this practice acceptable, and 85 percent would accept a position at a company that does so. However, only two thirds (61 percent) of employees claim their companies actually block specific sites or apps.

Additionally, 10 percent don’t know if the apps they use at work are banned or not, demonstrating a need for better communications from IT, and the survey backs this up: 88 percent of IT heads say employees need better education on best security practices.

 

Perceived Attitudes of Employees and Thoughts on Best Practices

What other ways are IT professionals reminding employees about best practices when it comes to security? Password policies are communicated to employees through email reminders (66 percent) followed by employee orientation (50 percent), internal meetings (48 percent), and communication from a manager (44 percent).

 

And when it comes to passwords, IT decision makers say their top recommended password policy is updating passwords regularly (76 percent), followed by choosing different passwords for different systems (59 percent), and two-factor or multi-factor authentication (53 percent).

 

But overall, what does IT need to do to better protect their company? The biggest challenge noted by IT professionals is a lack of corporate commitment to security policy and enforcement (29 percent).

But there is good news: although almost a quarter of IT decision-makers think there will be no improvement in security behaviour at their company, 75 percent optimistically think there will be.

The post Lackadaisical Employee Attitudes to Cyber Security are the Biggest Risks to Enterprises appeared first on IT SECURITY GURU.

2018 Winter Olympics: Citius, Altius, Fortius, Cyber Attacks?

Only days into the Winter Olympics and reports of cyber attacks are making headlines. Officials have confirmed that a cyber attack is to blame for an internet and Wi-Fi shutdown during the opening ceremony.

 

Noncritical systems were impacted – including the official Olympics website, which according to reports, went offline when organizers shut down servers to address the attack. Wi-Fi service also stopped working.

 

This follows the Department of Homeland Security’s recent warning that the 2018 Winter Olympics will be a hotbed of cybercriminal activity. While the warning was extended to those in attendance, you don’t have to be sitting in the stands to become an unwitting target.

 

Whether they’re part of a criminal syndicate or part of a nation-state attack group, cyber attackers love to use high-profile public events as a cover for their malicious activity. Even the most security conscious person can let their guard down when they’re caught up in the spectacle and excitement of something like the Olympics.

 

With that in mind, here are a few techniques and approaches that we believe attackers will use during the Olympics, both to target spectators on-site and those watching and reading about the Olympics at home or from the office.

 

Cryptomining

 

Cryptomining attacks are quickly replacing ransomware as the attacks du jour. Attackers will infect websites that are commonly used to view Olympic activity, stream events or provide news on what’s happening at the games.

 

By visiting an infected site, users unwittingly donate their computing resources to mine cryptocurrency on behalf of the attacker – without ever knowing they were part of the process.

These attacks don’t require malware to run on the user’s endpoint. The only indication of the attack may be that your computer runs slower because its computing power is being consumed.

High Value Targets: Olympic viewers back home or in the office

Spear Phishing Campaigns

 

This is one of the most common methods attackers use to gain a foothold on an endpoint or in an organisation. Attackers use people’s information to target them specifically with a malicious email, in the hope that they’ll click a link and unleash the payload it’s carrying.

There are already reports that attackers have been targeting Olympic officials for months. Whether you’re watching the games from home or attending, be wary of any email that contains links or attachments to information about events, times and websites to watch the games. Vigilance is the best defense against phishing attacks.

 

High Value Targets: Olympic athletes, Olympic officials, country delegations and government representatives, viewers/fans

IoT and Mobile Payment Attacks

 

Mobile payments and IoT promise to be a big part of the 2018 Winter Olympics. Internet-connected devices have been a favourite target of attackers over the past year, primarily because of the incredibly poor security of most IoT devices. We can expect attackers to test the defenses of devices used during the Olympics – whether cameras, wearables or any other device gathering data on athletes, attendees and officials.

While mobile payments make life much easier for the consumer, the platforms have historically had poor security and represent a real threat to consumer security. Some of the more prevalent mobile payment attacks include spoofed mobile wallets, or malware on the phone itself, which will collect all of your data, passwords and other sensitive information.

 

High Value Targets: Fans/attendees, Olympic athletes, Olympic officials

Public Wi-Fi-Related Attacks

 

Public Wi-Fi-related attacks are an oldie and attacker favourite – something that has manifested in previous Olympics (or any public event where free Wi-Fi is provided).

 

These types of attacks are incredibly common – free Wi-Fi is typically poorly secured. It’s fairly easy for attackers to use Wi-Fi sniffing software to ferret out the data transmitted over the network. This becomes worrisome when you use public Wi-Fi for sensitive transactions like banking or even entering passwords on websites.

If you’re at the games, be extra careful about which network you’re connecting to, and try to avoid accessing websites where you need to enter passwords or sensitive information (like Social Security numbers), as well as banking/financial websites.

In addition to these recommendations, visitors should also consider using a mobile hotspot for Wi-Fi access.

The post 2018 Winter Olympics: Citius, Altius, Fortius, Cyber Attacks? appeared first on IT SECURITY GURU.

OpenSSL alpha adds TLS 1.3 support in the alpha version of OpenSSL 1.1.1

OpenSSL adds TLS 1.3 (Transport Layer Security) support in the alpha version of OpenSSL 1.1.1 that was announced this week.

OpenSSL adds TLS 1.3 support in the alpha version of OpenSSL 1.1.1 that was announced this week. The TLS protocol was designed to allow client/server applications to communicate securely over the Internet, preventing message forgery, eavesdropping and tampering.

“OpenSSL 1.1.1 is currently in alpha. OpenSSL 1.1.1 pre release 1 has now been made available.” states the OpenSSL announcement.

“This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. The alpha release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html)”

The first Internet-Draft for TLS 1.3 dates back to April 2014; draft 23 was presented in January and will expire on July 9, 2018.

One of the most debated problems when dealing with TLS is the role of so-called middleboxes: many companies need to inspect traffic for security purposes, and TLS 1.3 makes this very hard.

“The reductive answer to why TLS 1.3 hasn’t been deployed yet is middleboxes: network appliances designed to monitor and sometimes intercept HTTPS traffic inside corporate environments and mobile networks. Some of these middleboxes implemented TLS 1.2 incorrectly and now that’s blocking browsers from releasing TLS 1.3. However, simply blaming network appliance vendors would be disingenuous.” reads a blog post published by Cloudflare in December that explained the difficulties of deploying TLS 1.3 at scale.

According to the tests conducted by the IETF working group in December 2017, there was around a 3.25 percent failure rate of TLS 1.3 client connections.

OpenSSL TLS 1.3

TLS 1.3 will deprecate old cryptographic algorithms entirely; this is the best way to prevent the exploitation of protocol vulnerabilities that could otherwise be mitigated only when users apply a correct configuration.

In the last few years, researchers discovered several critical issues in the protocol that have been exploited in attacks.

OpenSSL maintainers have completely redesigned the OpenSSL random number generator in the new version.

The new OpenSSL release also includes implementations of SHA-3 and multi-prime RSA, and support for the SipHash family of pseudorandom functions.

Pierluigi Paganini

(Security Affairs – OpenSSL,  TLS 1.3)

The post OpenSSL alpha adds TLS 1.3 support in the alpha version of OpenSSL 1.1.1 appeared first on Security Affairs.


Security Affairs: SAP Security Notes – February 2018 addresses tens of flaws including High Risk issues

SAP Security Notes – February 2018: SAP Security Notes February 2018 addressed several vulnerabilities including High-Risk flaws.

SAP has released February 2018 Patches that addressed some high-risk vulnerabilities in its software, a total of 26 Security Notes (5 high-, 19 medium- and 2 low-risk). Once again, the missing authorization check is the most common vulnerability type this month.

The Security Notes address three cross-site scripting (XSS) vulnerabilities, two directory traversal flaws, two information disclosure bugs, two missing authorization checks, one unrestricted file upload, and other issues.

Affected products are the Internet Graphics Server (IGS), NetWeaver System Landscape Directory, HANA Extended Application Services, ABAP File Interface, SAP CRM, ERP Financials Information System, Netweaver Portal, Netweaver Java Web Application, CRM WebClient UI, BI Launchpad, and SAP HANA.

“On 13th of February 2018, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 3 updates to previously released security notes.” reads the advisory published by SAP.

SAP Security Notes Feb 2018

SAP also updated previously released Security Notes, including one for an incorrect authorization check in ERP Logistics, one for a cross-site request forgery (CSRF) vulnerability in SAP Sybase, and one for a flaw in the way the SAP Note Assistant handles digitally signed notes.

Three critical vulnerabilities were reported by Mathieu Geli, Vahagn Vardanyan, and Vladimir Egorov, researchers at ERPScan security firm.

The details of the issues fixed thanks to the support of the researchers are:

  • A Missing Authentication check vulnerability in SAP NetWeaver System Landscape Directory (CVSS Base Score: 8.3, CVE-2018-2368). Update is available in SAP Security Note 2565622. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation and other attacks.
  • A Directory Traversal vulnerability in SAP Internet Sales (CVSS Base Score: 6.6, CVE-2018-2380). Update is available in SAP Security Note 2547431. An attacker can use Directory traversal to access arbitrary files and directories located in an SAP server file system, including application source code, configuration and system files. It allows an attacker to obtain critical technical and business-related information stored in a vulnerable SAP system.
  • An Information Disclosure vulnerability in SAP HANA (CVSS Base Score: 5.3, CVE-2018-2369). Update is available in SAP Security Note 2572940. An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) which will help to learn about a system and to plan other attacks.

The most severe vulnerability addressed by the security updates is a missing authentication check in SAP NetWeaver System Landscape Directory tracked as CVE-2018-2368, which received a CVSS base score of 8.3.

The flaw could be exploited by an attacker to access a service without any authorization, a circumstance that could lead to several attacks, including privilege escalation and information disclosure.

“A Missing Authentication check vulnerability in SAP NetWeaver System Landscape Directory (CVSS Base Score: 8.3, CVE-2018-2368). Update is available in SAP Security Note 2565622. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation and other attacks.” continues ERPScan.

The updates also addressed:

  • A Directory Traversal vulnerability in SAP Internet Sales (CVSS Base Score: 6.6, CVE-2018-2380) that could be exploited by an attacker to access arbitrary files and directories located in an SAP server file system, including application source code, configuration and system files.
  • An Information Disclosure vulnerability in SAP HANA (CVSS Base Score: 5.3, CVE-2018-2369) that could be exploited by an attacker to reveal additional information (system data, debugging information, etc.).

Other vulnerabilities addressed this month included a directory traversal (CVE-2018-2367) in SAP ABAP File Interface (CVSS base score: 6.6) and a directory traversal (CVE-2018-2380) in SAP Internet Sales (CVSS base score: 6.6).

Further information on the flaws addressed by SAP is available on the company blog.

Pierluigi Paganini

(Security Affairs – SAP Security Notes February 2018, cybersecurity)

The post SAP Security Notes – February 2018 addresses tens of flaws including High Risk issues appeared first on Security Affairs.




Android Security Bulletin – Google fixed several Critical Code Execution vulnerabilities

Android Security Bulletin for February 2018 – Google has fixed tens of vulnerabilities for Android OS, including several critical remote code execution (RCE) flaws.

The Android Security Bulletin for February 2018 addresses 26 vulnerabilities in the mobile operating system, most of which are elevation of privilege flaws.

The 2018-02-01 security patch level fixed 7 vulnerabilities, 6 in Media Framework and one issue affecting the System component.

The tech giant has fixed two critical RCE vulnerabilities in Media Framework. The first issue is the CVE-2017-13228 that affects Android 6.0 and newer, the second one, tracked as CVE-2017-13230, impacts Android 5.1.1 and later.

Android Security Bulletin

Google also fixed other vulnerabilities in Media Framework, including an information disclosure vulnerability, an elevation of privilege bug, and several denial-of-service flaws.

“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.” states the advisory.

The most severe of these vulnerabilities is tracked as CVE-2017-13236; it is a System issue that could be exploited by an attacker to achieve remote code execution in the context of a privileged process. The attacker can trigger the flaw via email, web browsing or MMS when media files are processed.

The 2018-02-05 security patch level includes fixes for 19 vulnerabilities in HTC, Kernel, NVIDIA, Qualcomm, and Qualcomm closed-source components.

The most severe flaws included in the 2018-02-05 security patch level are two remote code execution vulnerabilities in Qualcomm components tracked as CVE-2017-15817 and CVE-2017-17760.

Google also released the Pixel / Nexus Security Bulletin that addresses 29 vulnerabilities in Google devices.

“The Pixel / Nexus Security Bulletin contains details of security vulnerabilities and functional improvements affecting supported Google Pixel and Nexus devices (Google devices). For Google devices, security patch levels of 2018-02-05 or later address all issues in this bulletin and all issues in the February 2018 Android Security Bulletin.” states Google.

“All supported Google devices will receive an update to the 2018-02-05 patch level. We encourage all customers to accept these updates to their devices.”

Pierluigi Paganini

(Security Affairs – Google, Android)

The post Android Security Bulletin – Google fixed several Critical Code Execution vulnerabilities appeared first on Security Affairs.

Research reveals increasing number of Microsoft vulnerabilities shows no sign of stopping

The number of Microsoft vulnerabilities has more than doubled in the last five years, according to the fifth annual Microsoft Vulnerabilities Report from Avecto.

The global security software company’s analysis of all disclosed Microsoft vulnerabilities in 2017 revealed 685 vulnerabilities, highlighting a significant increase compared to the number disclosed in 2013 (325).

 

Despite Windows 10 being widely regarded as the most secure Windows operating system, the number of Critical vulnerabilities reported in it rose by 64% in 2017 compared to the previous year.

In total, 587 vulnerabilities were reported across Windows Vista, Windows 7, Windows 8.1/RT 8.1 and Windows 10 operating systems in 2017. This is a record high – increasing by 132% over a five-year period.

 

It was also found that the removal of admin rights could mitigate 80% of all Critical Microsoft vulnerabilities reported in 2017, as well as 95% of Critical vulnerabilities found in Microsoft browsers and 60% of Critical vulnerabilities in Microsoft Office products (Excel, Word, PowerPoint, Visio, Publisher and others.)

 

“One hundred percent security cannot be guaranteed in the cyber world,” said Dr. Eric Cole, instructor at The SANS Institute. “No matter how many safeguards you put in place, there will always be some risk. Prevention techniques like application whitelisting, removing admin access and adopting the principles of least privilege go a long way toward protecting individual users’ machines and reducing inroads to the network while not severely restricting user functionality.”

 

A five-year analysis of Windows vulnerabilities

 

Analysing Windows vulnerabilities over the last five years, the most significant trends include:

 

  • The number of reported vulnerabilities has risen 111% since 2013.
  • Number of Critical vulnerabilities has risen 60% in the same period.
  • There has been an 89% increase in Microsoft Office vulnerabilities and a 98% increase in Microsoft browser vulnerabilities (though this is in part due to the inclusion of Microsoft Edge from 2016 onwards.)
  • Since the 2013 report, 2017 shows the largest year-on-year increase of vulnerabilities by volume, with 451 vulnerabilities reported in 2016 compared to 685 in 2017.

 

“Despite the continued rise in vulnerabilities impacting Microsoft software, there are actions that enterprises can take to ensure that they’re protected without sacrificing productivity,” said Mark Austin, co-founder and CEO of Avecto. “The challenges organisations face to improve security have not changed, yet many are still unaware that by simply removing admin rights, the risk of so many threats can be mitigated.”

The post Research reveals increasing number of Microsoft vulnerabilities shows no sign of stopping appeared first on IT SECURITY GURU.

Gartner Provides Seven Steps Security Leaders Can Take to Deal With Spectre and Meltdown

Security and risk management leaders must take a pragmatic and risk-based approach to the ongoing threats posed by an entirely new class of vulnerabilities, according to Gartner, Inc. “Spectre” and “Meltdown” are the code names given to different strains of a new class of attacks that target an underlying exploitable design implementation inside the majority of computer chips manufactured over the last 20 years.

 

Security researchers revealed three major variants of attacks in January 2018. The first two are referred to as Spectre, the third as Meltdown, and all three variants involve speculative execution of code to read what should have been protected memory and the use of subsequent side-channel-based attacks to infer the memory contents.

 

“Not all processors and software are vulnerable to the three variants in the same way, and the risk will vary based on the system’s exposure to running unknown and untrusted code,” said Neil MacDonald, vice president, distinguished analyst and Gartner fellow emeritus. “The risk is real, but with a clear and pragmatic risk-based remediation plan, security and risk management leaders can provide business leaders with confidence that the marginal risk to the enterprise is manageable and is being addressed.”

 

Gartner has identified seven steps security leaders can take to mitigate risk:

 

  1. Acknowledge the Risk, but Don’t Panic

Modern operating systems (OSs) and hypervisors depend on structured, layered permission models to deliver security isolation and separation. Because this exploitable design implementation is in hardware — below the OS and the hypervisor — all software layers above are affected and vulnerable. However, memory can only be read, but not altered. Exploitation of the flaw requires untrusted code to be introduced and executed on the target system, which should be extremely difficult on a well-managed server or appliance such as a network or storage appliance. There is also an advantage in not rushing to “panic patch.” Early patches created conflicts with some antivirus offerings and locked up Windows desktops. Some conflicted with the use of AMD microprocessors, so that the systems would not boot. Other early patches had performance impacts that have been improved by subsequent patches.

 

  2. Start With a Detailed Inventory

Nearly every modern IT system will be affected to some extent. Not since Y2K has a vulnerability affecting so many systems — desktops, mobile devices, servers, virtual machines, network and storage appliances, operational technology and Internet of Things devices — required such a deliberate, phased plan of action for remediation. The starting point for security leaders must be an inventory of affected systems. In some cases, the risk-appropriate decision will be not to patch. However, in all cases, the roadmap for security leaders will be the inventory. For each system, a detailed database or spreadsheet is needed to track the device or workload, the version of its microprocessor, its firmware version and its OS.

  3. Develop a Risk-Prioritised Remediation Plan

The vulnerabilities are not directly remotely exploitable. A successful attack requires the attacker to execute code on the system. As such, application control and whitelisting on all systems greatly reduce the risk of unknown code execution. However, shared infrastructure-as-a-service environments are particularly vulnerable until the cloud providers update their underlying firmware and hypervisor layer (which the leading providers have done). Strong separation of duties and privileged account management reduce the risk of untrusted code being introduced.

  4. Prioritise Your Remediation Efforts

When devising a remediation strategy, Gartner recommends breaking the strategy into prioritized phases, because the risk, performance implications and potential hardware upgrades required will vary greatly among use cases. Start with systems that represent the most risk — desktops, virtual desktop infrastructure, smartphones and externally facing servers.

 

  5. Acknowledge That Sometimes the Appropriate, Risk-Based Decision Is Not to Patch

Information security leaders need to be prepared for scenarios in which the appropriate decision is not to patch. In some cases, this will be due to lack of patches on older systems. In other cases, the impact on performance is not offset by the reduction in risk, so patches will not be applied. Even for some well-managed servers, the decision may be made to forgo patches to protect performance until future patches have demonstrably acceptable impacts. However, for server workloads, when the performance characteristics allow, Gartner recommends patching and firmware upgrades.

 

  6. Implement Strong System Operational Hygiene and Mitigating Controls

For systems that are not patched or only partially patched, multiple mitigating controls can reduce risk. The single most important issue to address is restricting the ability to place unknown or untrusted code onto the device. By reducing this, risks are significantly lowered, because attacks require local code execution. For all systems, this means taking a “default deny” approach, and application control and whitelisting greatly reduce the risk. To the extent that public attacks become known, traditional endpoint protection platforms and network-based intrusion prevention systems also mitigate the risk.

 

  7. Plan for Further Mitigation Efforts Through the Next Few Years

Spectre and Meltdown represent an entirely new class of vulnerabilities, and this is just the beginning. The underlying exploitable implementation will remain for years to come.

 

“Ultimately, the complete elimination of the exploitable implementation will require new hardware not yet available and not expected for 12 to 24 months. This is why the inventory of systems will serve as a critical roadmap for future mitigation efforts,” said Mr MacDonald. “To lessen the risk of future attacks against vulnerabilities of all types, we have long advocated the use of application control and whitelisting on servers. If you haven’t done so already, now is the time to apply a default deny mindset to server workload protection — whether those workloads are physical, virtual, public cloud or container-based. This should become a standard practice and a priority for all security and risk management leaders in 2018.”

 

Gartner clients can read more in the report “Security Leaders Need to Do Seven Things to Deal With Spectre/Meltdown.”

 

Gartner analysts will provide additional analysis on IT security trends at the Gartner Security & Risk Management Summits 2018 taking place in National Harbor, Maryland, Tokyo, Sao Paulo, Sydney and Mumbai. Follow news and updates from the events on Twitter at #GartnerSEC.

The post Gartner Provides Seven Steps Security Leaders Can Take to Deal With Spectre and Meltdown appeared first on IT SECURITY GURU.

GDPR – Burden or Benefit?

Recently, we hosted a GDPR roundtable discussion for more than 20 CISOs, senior compliance and risk directors from enterprise organisations. The conversation ranged from readiness, to the New Data Protection Bill, to insights around various different Articles within GDPR and the tools companies need. Below are five key takeaways from the fascinating discussion.

 

  1. Key GDPR challenges

When asked what their biggest challenge relating to GDPR is, various participants talked about their concerns surrounding telemarketing, as they often don’t ask for permission when contacting clients. Other concerns included understanding data erasure, as well as data mapping with legacy systems and hard-copy files; handling historical records and legacy applications can be challenging. Participants said they were also unsure how to implement GDPR locally and follow this through with overseas parent companies, and how to ensure partner companies are adhering to the legislation. How to interpret and understand risk was another concern, as was the challenge of establishing the legal basis for processing personal data.

 

Many organisations don’t know why they have been amassing personal data for years, creating ‘data lakes’ that now breach the purpose limitation, data minimisation and storage limitation principles of Article 5. Participants said they are concerned about erasing personal data because it is more complicated than they realised, and many are uncertain how to ensure it is properly destroyed.

 

  2. Why do we need GDPR?

GDPR represents a major development in EU data protection law: data subjects’ rights are strengthened across the board, with a corresponding toughening of obligations on those who process personal data. We talked about how GDPR puts a framework around the world’s biggest single digital market, which has developed enormously since the original Data Protection Act 1998. As we have embraced digital, consumers have gained freedom over what products and services they use, but that freedom makes it hard for organisations to do business consistently across one digital market. Technology has moved on enormously in the meantime, which is part of why it took four years for GDPR to be agreed by the European Commission, European Parliament and Council of Ministers.

 

GDPR is focused on personal data processing and on greater accountability, transparency and control. Articles 13 and 14 both require the data controller to give the data subject a privacy notice: Article 13 applies where the personal data are collected from the data subject directly, Article 14 where they are obtained from somewhere else. The privacy notice is the cornerstone of transparency and accountability in GDPR, and any organisation that is going to process someone’s data must pay particular attention to it.

 

  3. The GDPR transition journey

The group discussed how organisations tackle GDPR. A typical GDPR transition journey starts with an assessment of the existing organisational landscape. The assessment involves identifying compliance and very high-risk areas of processing personal data. Organisations should then define a future state and work toward designing the people, processes and technology components that will mitigate risk. Technology can be used to effectively reduce risk in processing personal data and enable organisations to manage and continuously improve risk mitigation and data protection by design and by default (Article 25, GDPR).

 

  4. GDPR in a box

Participants felt that full compliance with Article 25, which covers data protection by design and by default, would take an organisation most of the way to overall compliance. One participant described Article 25 as “GDPR in a box.”

 

GDPR is a principles-based regulation; it doesn’t spell out in detail what organisations need to do to reduce high risk to residual risk. If an organisation has a personal data breach, it has to provide a narrative that shows the ICO and regulator(s) it has taken measures to mitigate risk through appropriate technical and organisational measures.  This led the conversation onto the role of the Data Protection Officer (DPO) and how this role can help by making sure the organisation is on the right path. Also, if there is a personal data breach, the supervisory authority may point to the fact that the organisation didn’t have a DPO as an aggravating factor.

 

  5. Burden or benefit?

So, is GDPR a burden, or are there benefits? Will organisations be able to do more with personal data by building a sense of trust with their customers? Or are they putting GDPR in place simply to make sure they don’t get fined or sanctioned? The consensus was that, right now, the greatest concern is not getting fined, with one participant commenting: “GDPR is so vast and so woolly, there is a fear of tripping yourself up, so we are focused on having the basics in place so we don’t get fined. This is first base and we’ll think about the next level after that.”

 

We concluded the roundtable by asking who felt they were GDPR ready. One participant was confident their organisation was 90% ready. Another claimed to have only started its GDPR journey yesterday. When thinking about what they would implement immediately, participants talked about embedding GDPR into their entire product-management lifecycle, aligning technology to different Articles and removing “data lakes” by seriously looking at the retention of data and its deletion.

The post GDPR – Burden or Benefit? appeared first on IT SECURITY GURU.

Don’t Get BuckHacked: What Are You Doing to Keep Your AWS S3 Data Private?

Leaky AWS S3 buckets have been spilling confidential information onto the public internet for years, and now anonymous hackers have created a search engine to make finding those exposed secrets even easier. New on the scene is “BuckHacker.” The name is a portmanteau, stemming from the fact that it allows the hacking of “buckets”, which […]… Read More

The post Don’t Get BuckHacked: What Are You Doing to Keep Your AWS S3 Data Private? appeared first on The State of Security.

The State of Security: Overcoming the Blame Game – Improving Security without Destroying Careers

Today, I was sitting in an awesome class being held at @BSidesHSV, and it got me thinking. The class entitled “Fundamentals of Routing and Switching for Blue and Red Teams” put on by @paulcoggin was a deep dive into layer 2 and layer 3 configurations and possible means of compromise. The content was outstanding, and […]… Read More

The post Overcoming the Blame Game – Improving Security without Destroying Careers appeared first on The State of Security.




Locally Decode Windows Administrator Password for AWS Instance

If you’ve run into that awkward moment in AWS when they ask you to submit your key into some suspicious-looking web interface in order to receive the password for your newly created instance, this quick command is for you.

After an instance is created and running, right-click on the instance and select “Instance Settings” then “Get System Log”:

As you have just booted the instance for the first time, the administrator password will be printed to the log. It is not in the clear: it is RSA-encrypted with the public half of the key pair you launched the instance with, and then base64-encoded:

Copy the text between the password markup tags to your clipboard and paste it into this command, along with the local path of your .pem file:

echo "copied-password" | base64 -d | openssl rsautl -decrypt -inkey "directory/pemfilename" -out administrator.password

Then open the administrator.password file and you’ll see the password for your administrator account. The private key never leaves your machine. (On OpenSSL 3.x, rsautl is deprecated but still works; openssl pkeyutl -decrypt -inkey "directory/pemfilename" -out administrator.password does the same job with the supported command.)
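The same local decryption, scripted, as an added example that is not part of the original post or of any AWS tooling. It shells out to openssl pkeyutl (the supported replacement for rsautl) so the key stays on the machine, and it includes a round-trip self-test that builds a throwaway key pair and a constructed password inline, standing in for what EC2 does at first boot. The only assumption is an openssl binary on PATH; the key sizes, file names and sample password are illustrative.

```python
"""Decrypt an EC2 Windows administrator password locally.

Added example (not from the original post). The base64 blob EC2 prints
between the <Password> tags of the system log is the password encrypted
with RSA PKCS#1 v1.5 under the public half of the instance's key pair.
Decryption is delegated to `openssl pkeyutl`, so the private key never
leaves this machine. Assumes an `openssl` binary on PATH.
"""
import base64
import subprocess
import tempfile
from pathlib import Path


def decrypt_password_data(password_data_b64: str, private_key_pem: Path) -> str:
    """Return the plaintext administrator password.

    password_data_b64 is the text copied from the system log (line breaks and
    whitespace are tolerated); private_key_pem is the .pem you downloaded when
    the key pair was created.
    """
    ciphertext = base64.b64decode("".join(password_data_b64.split()))
    result = subprocess.run(
        ["openssl", "pkeyutl", "-decrypt", "-inkey", str(private_key_pem)],
        input=ciphertext,
        capture_output=True,
        check=True,
    )
    return result.stdout.decode("utf-8")


def _encrypt_like_ec2(password: str, private_key_pem: Path, workdir: Path) -> str:
    """Constructed stand-in for what EC2Config does at first boot: encrypt the
    password with the key pair's public key (PKCS#1 v1.5) and base64 it."""
    public_key_pem = workdir / "kp.pub"
    subprocess.run(
        ["openssl", "pkey", "-in", str(private_key_pem), "-pubout",
         "-out", str(public_key_pem)],
        check=True, capture_output=True,
    )
    enc = subprocess.run(
        ["openssl", "pkeyutl", "-encrypt", "-pubin", "-inkey", str(public_key_pem)],
        input=password.encode("utf-8"), capture_output=True, check=True,
    )
    return base64.b64encode(enc.stdout).decode("ascii")


def roundtrip_selftest(password: str = "Xk9!constructed-example") -> str:
    """Generate a throwaway 2048-bit key pair, encrypt `password` the way EC2
    would, and decrypt it with decrypt_password_data. Returns the plaintext."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        key = workdir / "kp.pem"
        subprocess.run(
            ["openssl", "genpkey", "-algorithm", "RSA",
             "-pkeyopt", "rsa_keygen_bits:2048", "-out", str(key)],
            check=True, capture_output=True,
        )
        blob = _encrypt_like_ec2(password, key, workdir)
        return decrypt_password_data(blob, key)


if __name__ == "__main__":
    # Offline demonstration. For a real instance, pass the system-log blob and
    # your own key pair .pem to decrypt_password_data() instead.
    print(roundtrip_selftest())
```

If you would rather not open the console at all, aws ec2 get-password-data --instance-id <id> --query PasswordData --output text returns the same base64 blob, and passing --priv-launch-key <pemfile> to that command makes the CLI decrypt it locally in the same way.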

Windows Analytics now includes Meltdown and Spectre detector

Good news for administrators of Windows systems: Microsoft has added a Meltdown-and-Spectre detector to its telemetry analysis tool, Windows Analytics.

The detector has been available since Tuesday, when Microsoft announced the new capabilities of the free Windows Analytics service.

The new capabilities allow admin to monitor:

  • Anti-virus Status: Some anti-virus (AV) software may not be compatible with the required Windows Operating System updates. This status insight indicates if the devices’ anti-virus software is compatible with the latest Windows security update.
  • Windows Operating System Security Update Status: This Windows Analytics insight will indicate which Windows security update is running on any device and if any of these updates have been disabled. In some cases, IT Administrators may choose to install the security update, but disable the fix. Our complete list of Windows editions and security updates can be found in our Windows customer guidance article.
  • Firmware Status – This insight provides details about the firmware installed on the device. Specifically, this insight reports if the installed firmware indicates that it includes the specific protections required. Initially, this status will be limited to the list of approved and available firmware security updates from Intel. We will be adding other CPU (chipset) partners’ data as it becomes available to Microsoft.

The operating system status check lets admins verify that the Meltdown and Spectre updates are installed and that the fix has not been disabled.

The antivirus check allows admins to verify if the running AV is compatible with required Windows Operating System updates.

The check for firmware status currently works only for Intel chips.


Meltdown-and-Spectre detector is available for Windows 7 through Windows 10 and requires that systems are running the February 2018 patch levels (Win7 SP1, KB2952664; Win8.1, KB2976978; and for Win10, KB4033631).

Pierluigi Paganini

(Security Affairs – Meltdown-and-Spectre detector, Windows Analytics)

The post Windows Analytics now includes Meltdown and Spectre detector appeared first on Security Affairs.

Did a Spitfire Really Tip the Wing of V1?

Facebook is notoriously insecure, taking payments from attackers with little to no concern for the safety of its users. But that’s not exactly the issue when a finance guy in Sydney, Australia gives a shout-out to a Facebook user for an “amazing shot” from history:

As anyone hopefully can see, this is a fake image. Here are some immediate clues:

  1. Positioning. The Spitfire’s speed and the turbulence it would create relative to the V1 make this overlapped, steady formation unlikely.
  2. Vantage point. Given the positioning problem, a camera position aft of the Spitfire is even less likely.
  3. Clarity. What camera of the period would have such an aperture, let alone this resolution?
  4. Realism. The exhaust trail, markings and ground detail all look too “perfect” to be real.

That short list makes a solid point: this is a fabrication anyone should be able to discount at first glance. In short, when I see someone say they found an amazing story or image on Facebook there’s a very high chance it’s toxic content meant to deceive and harm, much in the same way tabloid stands in grocery stores used to operate. Entertainment and attacks should be treated as such, not as realism or useful reporting.

Now let’s dig a little deeper.

In 2013 an IAF Veteran posted a shot of a Spitfire tipping a V1, which passes many of the obvious tests above:

Then just a few weeks ago a “Military aviation art” account posted a computer rendered image with the comment “Part of a new work depicting the first tipping of a V-1 flying bomb with a wing tip. Who achieved this?”

The artist answers their own question in the next tweet, sadly omitting any link to an original source or reference, or even the kind of realism found in the IAF veteran’s tweet. They simply say it really happened and post a photo of the pilot who achieved it. This is tragic because the story is not only worth telling, it puts the artist’s work in context (arguably lowering its value, which could be why it was omitted).

Fortunately “V1 Flying Bomb Aces by Andrew Thomas” is also online and tells us through first-person accounts of a squadron diary what really happened. While normally a V1 would be shot down, in this case after a Spitfire pilot found himself firing until out of ammo he became frustrated and instead managed to tip a wing of the V1:

Chaos Engineering: the Point of Adding Bugs on Purpose

Chaos engineering is a kind of contradiction: it works against the very system it is protecting in order to build an environment that is more resilient and more secure. How does it work? How is introducing errors useful and how does it help to secure the digital environment? Understanding this discipline can lead to substantial improvements.

What is it?

The practice of chaos engineering is built on a four-step experiment design defined by Netflix: define a “steady state”, hypothesise that it will continue, introduce variables that reflect real-world events, and try to disprove the hypothesis (in that order).

Through a series of tests, characteristics of the infrastructure, such as availability, security, and performance, are assessed. The goal is to resolve problems in these distributed systems in order to bolster recovery capabilities for the entire system. This means, in short, getting structures that withstand extreme conditions.

Resilience and “antifragility”

The concept of chaos engineering is only understood if we understand the definition of “antifragility”, a term coined by Nassim Nicholas Taleb. This is the precursor concept of chaos engineering and, in turn, is based on resilience. Resilience is defined as the ability to absorb disturbances. These disturbances are caused by stressors, or stress factors, that trigger destabilization.

It is a concept widely used in living organisms (ecology, physiology, psychology, etc.) and refers to the ability to overcome problems actively and adapt to the situation. “Antifragility” goes beyond resilience since it implies the evolution of a system, which would be able to grow from the stress to which it has been subjected to adapt to new failures.

Panda Adaptive Defense is a tool that keeps a close eye on the principles of antifragility and adds resilience to the company, while increasing visibility into the state of the corporate network.

The Simian Army

Taking all this into account, large companies such as Netflix and Amazon see in chaos engineering a way to test their infrastructure so that their systems become more mature, more robust and more evolved; in short, more resilient. Because analysing and correcting problems repeatedly, at ever larger scale, is very difficult, they favour heuristic strategies that prioritise decisions aimed simply at resolving problems.

Thus Netflix, for example, uses its own suite of tools, the Simian Army, to test the stability of its platform. The Simian Army has more than a dozen stressors that test the system in various ways. Security Monkey, for example, is just one “piece” of the Simian Army: it monitors cloud-computing accounts for policy and configuration changes and flags insecure settings.

How can chaos engineering help companies?

The first question is, why should a company consider using chaos engineering?

Implementing a strategy based on chaos engineering helps build the antifragility of a platform, and the evidence it produces can also support control objectives such as those of PCI DSS when audits come round. Any company could therefore benefit from adding a tool such as Security Monkey to its security strategy.

This requires “chaosifying” the platform in a controlled manner, with actions of the following kind: disabling security group (SG) rules, modifying files at random, opening random listening ports, injecting malicious traffic into the VPC (Virtual Private Cloud), killing running processes at random… and the list of havoc-wreaking could go on.

Thanks to this tool (or strategy), a deeper visibility of the consequences of attacks can be achieved with the intention of improving defenses. This, in the long run, is the basis of a more mature and reliable system, capable of recovering from attacks and reducing losses in the face of a serious security incident, something that should be mandatory for any high availability service.
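The four-step experiment described under “What is it?” and the “kill processes at random” action from the list above, put together in a runnable harness. This is an added example, not Netflix’s Simian Army code nor anything from Panda; the “service” is a pool of worker processes started here as stand-ins for replicas, and the steady-state metric (count of live workers) and the quorum threshold are assumptions chosen for the illustration.

```python
"""A minimal chaos experiment in four steps: (1) measure steady state,
(2) hypothesise it continues, (3) inject a real-world event, (4) try to
disprove the hypothesis. Added example, not Simian Army code. The workers
are idle child processes standing in for service replicas; the fault is
"kill a running process at random"; the blast radius is bounded by
kill_count and the pool is always torn down afterwards.
"""
import random
import subprocess
import sys
from dataclasses import dataclass, field


@dataclass
class WorkerPool:
    size: int
    workers: list = field(default_factory=list)

    def start(self) -> None:
        # Each worker is a long-lived child process (constructed stand-in).
        self.workers = [
            subprocess.Popen([sys.executable, "-c", "import time; time.sleep(300)"])
            for _ in range(self.size)
        ]

    def live(self) -> int:
        # poll() is None while the child is still running.
        return sum(1 for w in self.workers if w.poll() is None)

    def kill_random(self, n: int, rng: random.Random) -> list:
        alive = [w for w in self.workers if w.poll() is None]
        victims = rng.sample(alive, min(n, len(alive)))
        for w in victims:
            w.kill()
            w.wait()  # reap, so poll() reports the exit instead of a zombie
        return [w.pid for w in victims]

    def stop(self) -> None:
        for w in self.workers:
            if w.poll() is None:
                w.kill()
                w.wait()


@dataclass
class ExperimentResult:
    steady_state_before: int
    steady_state_after: int
    hypothesis_holds: bool
    killed_pids: list


def run_experiment(pool_size: int, kill_count: int, quorum: int,
                   seed: int = 0) -> ExperimentResult:
    """Hypothesis: the service stays available (>= quorum live workers) even
    when kill_count workers crash. Aborts before injecting anything if the
    steady state is not established, so a sick system is never made worse."""
    rng = random.Random(seed)  # seeded so the victims are reproducible
    pool = WorkerPool(pool_size)
    pool.start()
    try:
        before = pool.live()                      # step 1: steady state
        if before < quorum:                       # step 2: hypothesis precondition
            raise RuntimeError("steady state not established; not injecting")
        killed = pool.kill_random(kill_count, rng)  # step 3: real-world event
        after = pool.live()
        return ExperimentResult(before, after, after >= quorum, killed)  # step 4
    finally:
        pool.stop()


if __name__ == "__main__":
    print(run_experiment(pool_size=5, kill_count=2, quorum=3))
    print(run_experiment(pool_size=5, kill_count=3, quorum=3))
```

Run it twice with different kill counts and the second run disproves the hypothesis: five replicas with a quorum of three survive two crashes but not three. Against a real platform the steady-state function would read a business metric (successful requests per second, say) rather than a process count, and the injection would be one of the actions listed above.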

The post Chaos Engineering: the Point of Adding Bugs on Purpose appeared first on Panda Security Mediacenter.

Security Affairs: Microsoft Patch Tuesday for February 2018 addresses 14 critical flaws

Microsoft Patch Tuesday for February 2018 addressed a total of 50 vulnerabilities affecting the Windows operating system, Microsoft Office, web browsers and other products of the tech giant.

Fourteen issues are listed as critical, 34 are rated as important, and only two of them are rated as moderate in severity.

The list of critical vulnerabilities includes an information disclosure issue in the Edge browser, a remote code execution vulnerability in Windows’ StructuredQuery component, a memory corruption flaw in Outlook, and several memory corruption flaws in the scripting engines used by both Edge and Internet Explorer.

One of the most severe vulnerabilities addressed by the Microsoft Patch Tuesday for February 2018 is a memory corruption flaw tracked as CVE-2018-0852 that affects Microsoft Outlook. The flaw could be exploited to achieve remote code execution on the targeted machines.

“A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.” reads the security advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

In order to trigger the flaw, an attacker can trick the victim into opening a specifically crafted message attachment or viewing it in the Outlook Preview Pane … yes simply viewing an email in the Preview Pane could allow code execution.

“Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability.” continues the advisory.

Microsoft Patch Tuesday for February 2018

Another Outlook vulnerability addressed in the Microsoft Patch Tuesday for February 2018 is a privilege escalation issue tracked as CVE-2018-0850. It is rated important and can be exploited by sending a specially crafted email to an Outlook user. Exploitation requires no user action: the flaw is triggered when the message is merely received.

“An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB).” states the advisory published by Microsoft.

“To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.”
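Because the message store in CVE-2018-0850 is reached over SMB, the observable on the wire is a workstation opening TCP 445 (or 139) to a host outside the organisation. The detection below, an added example that is not from the article or from Microsoft, runs that check over a few constructed firewall log lines; the log format (timestamp, source, destination, destination port, action) is an assumption, as is the list of ranges treated as internal.

```python
"""Flag workstation SMB connections to hosts outside the organisation.

Added example (not from the article or Microsoft). The log format below is
a constructed, assumed one: "ts src dst dport action". A hit means a client
reached SMB on a non-internal address, the pattern an attacker-supplied
message store would produce.
"""
import ipaddress
from typing import Iterator, Tuple

SMB_PORTS = {445, 139}

# Ranges treated as internal. Python's ip_address().is_private is deliberately
# not used: it also classifies the documentation ranges (192.0.2.0/24,
# 198.51.100.0/24, 203.0.113.0/24) as private, which would hide the sample hits.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed sample: three lines of normal traffic, two that should fire.
SAMPLE_LOG = """\
2018-02-14T09:12:01Z 10.20.1.15 10.20.0.5 445 allow
2018-02-14T09:12:07Z 10.20.1.15 10.20.0.9 443 allow
2018-02-14T09:13:44Z 10.20.1.15 203.0.113.77 445 allow
2018-02-14T09:13:45Z 10.20.1.15 203.0.113.77 139 allow
2018-02-14T09:14:02Z 10.20.1.22 198.51.100.8 80 allow
"""


def parse(line: str) -> Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address, int, str]:
    ts, src, dst, dport, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action


def is_external(addr: ipaddress.IPv4Address) -> bool:
    return not any(addr in net for net in INTERNAL_NETS)


def smb_egress_events(log_text: str) -> Iterator[dict]:
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = parse(line)
        if dport in SMB_PORTS and is_external(dst):
            yield {"ts": ts, "src": str(src), "dst": str(dst),
                   "dport": dport, "action": action}


def detect(log_text: str = SAMPLE_LOG) -> list:
    """Return every outbound-SMB event in the log as a list of dicts."""
    return list(smb_egress_events(log_text))


if __name__ == "__main__":
    for ev in detect():
        print(f"ALERT outbound SMB {ev['src']} -> {ev['dst']}:{ev['dport']} at {ev['ts']}")
```

An “allow” on such a line is the real finding: the durable fix is to block TCP 445 and 139 outbound at the perimeter, after which the same rule becomes a log of attempts rather than successes.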

Another critical flaw fixed by Microsoft is an information disclosure vulnerability (CVE-2018-0763) in Microsoft Edge, which stems from the way Edge handles objects in memory.

An attacker can trigger the flaw to obtain information that helps compromise the target machine, but in this case exploitation requires user interaction.

“An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.” states the advisory published by Microsoft.

“To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action.”

Let’s close with CVE-2018-0771, a security feature bypass in Microsoft Edge that was publicly known before the patch was released.

“A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.” states Microsoft.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

Users have to apply security patches as soon as possible.

Pierluigi Paganini

(Security Affairs – Microsoft Patch Tuesday for February 2018, hacking)

The post Microsoft Patch Tuesday for February 2018 addresses 14 critical flaws appeared first on Security Affairs.




Breaches to financial services tripled over last five years

It has been revealed that the number of breaches suffered by the financial services sector has tripled over the past five years. The study, conducted by Ponemon found that the average cost of cybercrime for financial services companies globally has increased by more than 40 percent over the past three years, from $12.97 million per firm in 2014 to $18.28 million in 2017 – significantly higher than the average cost of $11.7 million per firm across all industries included in the study.

View Full Story

ORIGINAL SOURCE: Helpnetsecurity

The post Breaches to financial services tripled over last five years appeared first on IT SECURITY GURU.

Windows Analytics adopts Meltdown and Spectre detector

Microsoft’s telemetry analysis service, Windows Analytics has incorporated a Meltdown and Spectre locator with additional features including antivirus, operating systems updates and firmware services.

View Full Story

ORIGINAL SOURCE: The Register

The post Windows Analytics adopts Meltdown and Spectre detector appeared first on IT SECURITY GURU.

Communications service Telegram targeted by hackers

Kaspersky Lab researchers have discovered that the popular communications service Telegram is being exploited by Russian cyber-criminals. The exploit is allowing the hackers to remotely install new malware which could be used as a backdoor or as a way to deliver crypto-mining software.

View Full Story

ORIGINAL SOURCE: Infosecurity Magazine

The post Communications service Telegram targeted by hackers appeared first on IT SECURITY GURU.

9 in 10 Cybersecurity Leaders Concerned About Sharp Rise in Digital Threats, RiskIQ CISO Survey Finds

RiskIQ, the leader in digital threat management, today announced the release of its 2018 CISO Survey, revealing that 89.1 percent of all information security leaders are concerned about the rise of digital threats they are experiencing across web, social and mobile channels.

 

Some 1,691 U.S. and U.K information security leaders across multiple verticals, including enterprise, consulting, government and education, provided insights into their cyber risk concerns and plans for 2018.

Overall, the survey revealed a coming “perfect storm,” where the problem of staff shortages collides with escalating cybercrime, leaving organisations ill-equipped to manage and respond to cyber risks and threats that are accelerating in an era of digital transformation, pervasive connections and increasingly sophisticated attack strategies sponsored by nation-states and rogue actors.

As the Spectre and Meltdown security flaws in Intel chips dominated the news in early 2018, and after a year of major security breach announcements and settlements, including Equifax, Yahoo and Anthem, the following findings are hardly surprising:

  • 67 percent of cybersecurity leaders do not have sufficient staff to handle the daily barrage of cyber alerts they receive
  • 60 percent expect digital threats to grow as their organisations increase online engagement with customers
  • The top three digital threats information security leaders fear are phishing and malware attacks on employees and customers; brand impersonation, abuse, and reputational damage; and information breaches
  • The top risk organisations face today is a lack of experienced staff to monitor and help protect networks from cybercrime
  • Currently, 37 percent of firms have engaged a managed security services provider (MSSP) to help monitor and manage cyber threats

“The RiskIQ 2018 CISO Survey illuminates a growing industry-wide problem, which is that cybercrime is growing at scale, and enterprises are already experiencing critical staff shortages. That’s one reason 1 in 3 organisations have engaged with an MSSP to combat cyber risks and threats, and we expect that number to grow as the competition for top security talent gets far more intense,” said Lou Manousos, CEO at RiskIQ.

The full 2018 RiskIQ CISO Survey is available for download here [URL].

The post 9 in 10 Cybersecurity Leaders Concerned About Sharp Rise in Digital Threats, RiskIQ CISO Survey Finds appeared first on IT SECURITY GURU.

Security obsession risks GDPR compliance for UK business

Security concerns are twice as likely to drive cloud strategy as even the business’ core objectives, according to Calligo, a world-leading cloud solution provider. Even regulatory compliance and data privacy – the strategic themes of doing business in 2018 – receive a similarly low ranking.

Whereas security is the chief driver behind cloud strategy for 34% of 200 UK IT decision-maker respondents, the business’ core objectives, compliance and data privacy are each only the top consideration for 17%. This is despite the imminent implementation date of the European General Data Protection Regulation (GDPR) – May 25th 2018.

“Driven by media-fueled fears of severe fines and reputational damage, IT leaders have over-compensated in their cloud strategies and become almost myopically focused on security,” said Julian Box, CEO, Calligo. “This is to the enormous detriment of more strategic aims such as supporting the business’ objectives, and vital compliance with the GDPR’s data privacy requirements.”

“The great irony is that while these organisations fear and mitigate the consequences of a security breach, the consequences of regulatory non-compliance are identical – and yet they are not being defended against,” Box continued. “This probably stems from a mistaken belief within the IT industry that their role in GDPR adherence is centered on data security, leading organisations into compliance complacency and all kinds of non-compliant behavior. They are effectively erecting walls around data they are not entitled to hold.”

Calligo also found that security considerations are similarly influential in cloud provider selection. Regardless of the platform chosen, security was either the first or second most important consideration. For example, more than half (52%) of those who had chosen IBM Softlayer said they had done so primarily because of security, while 48% said the same for both Microsoft Azure and Google Cloud.

However, respondents also admitted their over-compensation for security has been detrimental to the business. More than four in ten (44%) said cost efficiencies were knowingly sacrificed in their cloud strategy, while 43% consciously compromised their ability to comply with regulatory requirements. Another 41% of cloud platform selections undermined data privacy.

Even worse, having committed their organisations to poorly-conceived cloud strategies, respondents said they feel trapped and unable to fix the problem. Some 39% said cost is a barrier to migrating to a new provider, while the fear of downtime is a major factor for 34%.

“The takeaway from these cloud strategy findings is not that security’s importance needs to be reduced – rather that the importance of data privacy and business objectives needs to be elevated,” added Box. “Organisations in this predicament need to seek out cloud service providers with the necessary experience to put their cloud strategy back on track. In particular, they need to ensure their cloud deployment meets the strategic necessities of doing business in 2018 – regulatory compliance and data privacy.”

The post Security obsession risks GDPR compliance for UK business appeared first on IT SECURITY GURU.

Cybersecurity Threat To Renewable Energy Infrastructure

Renewable energy technologies have established a significant role in the energy industry. Because of their prominence and growing importance to power supplies, it is vital for the industry to develop appropriate security, and specifically cybersecurity, strategies. A new report from energy sector experts, The Renewables Consulting Group (“RCG”), and cybersecurity specialists, Cylance Inc. (“Cylance”), provides insight into cybersecurity for the renewable energy industry, focusing on threat and impact assessment, and on measures to improve cyber protection.

Cyber-attacks targeting critical infrastructure have increased over recent years. Cybersecurity threats include ransomware, fileless attacks, advanced persistent threats (APTs) and Trojans. The security of a renewable energy asset can be broken down into two main components: physical security and cybersecurity. A successful cyber-attack has the potential not just to cause the loss of personal and commercial information or damage to electronic resources, but also to damage a project’s physical assets through the forced maloperation of components, to impact its finances by disrupting generation, or to create national or regional energy security risks in the event of a large-scale grid blackout.

Maintaining a secure computing environment is a top concern for IT managers across the globe. Renewable energy companies would benefit from investing in information security. Achieving a secure environment includes dedicating resources to physical security, hardware and software, internet connectivity, remote management, and training personnel.

The report makes the following cyber security recommendations for renewable energy technologies:

  • Environment assessment: Renewable energy companies should carry out comprehensive assessments of their current cybersecurity posture.
  • Asset update: Updated systems provide a last line of defence when other security measures fail, so it is critical that IT infrastructure is kept up to date and staff are trained to recognise the threats.
  • Access management: Access to sensitive systems and data needs to be properly managed.
  • Predictive tools: New tools, including artificial intelligence and machine learning, can help maintain strong security as cyberattacks and operating environments become more complex.

“RCG is not aware of any other piece of research which draws together two expert companies to produce a joint report on the cyber threat to renewable project infrastructure. If this report offers a pause for thought to all the renewable asset owners, manufacturers and maintainers; and subsequently even a single project strengthens its resistance to the obvious and increasing cyber threat out there, then Cylance and RCG will have done their job.” – RCG’s Sam Park, co-author of the report.

“The renewable energy sector has growing significance to world energy supplies and Cylance is happy to raise cybersecurity awareness as part of our mission to secure every endpoint under the sun,” said Cylance’s Dr. Anton Grashion, co-author of the report.

The full white paper, “Cybersecurity in Renewable Energy Infrastructure”, from RCG and Cylance, is available for download: https://thinkrcg.com/category/insights/white-paper/

The post Cybersecurity Threat To Renewable Energy Infrastructure appeared first on IT SECURITY GURU.

Making Light of the “Dark Web” (and Debunking the FUD)

I'll start this post where I start many of my talks - what does a hacker look like? Or perhaps more specifically, what do people think a hacker looks like? It's probably a scary image, one that's a bit mysterious, a shady character lurking in the hidden depths of the internet. People have this image in their mind because that's what they've been conditioned to believe:

These are the images that adorn the news pieces we read and we've all seen them before. Hell, we've seen literally the same guy over and over again. See that bloke in the bottom right? He's the guy! No really, I wrote about him last year and exposed his involvement in everything from state-sponsored Iranian hacking to typosquatting to him potentially being Ed Snowden. These images are used because they're scary and people are drawn to scary headlines.

It's not just the media using scary imagery either, check out the first 20 seconds of this video promoting a home security product:

Holy shit! That's one bad dude! Except... what's he actually doing on that machine? I mean we know he's a hacker because he has a hoodie and we know he's hacking because the text on the screen is green, but it doesn't totally add up. As it turns out, he's using hackertyper.net and if you head over there now and allow your cat to walk over the keyboard, you can achieve exactly the same effect. They're trying to sell you a security thing based on something my 5-year-old can do!

Now, you might say "ah, that's just marketing", but let's go back to the hooded bandits in the original image. When TalkTalk was hacked in 2015, the perpetrator (or a representation thereof), was this bloke:

Hoodie - check! (Also note the balaclava for extra security.) As the news broke, a "former cyber crime cop" was quoted as saying:

They are claiming to be from Russia and be an Islamic cyber jihadi group

Russian Islamic cyber jihadis - holy shit! How many scary things can you roll into one headline?! It's hard to imagine just how scary these characters are... except that now we know precisely what they look like:

Well, we kinda know what he looks like, his face is obfuscated because he's a child! He's 17 here but was only 16 when he caused TalkTalk £42M worth of damage. (Incidentally, his punishment was that he received a "12-month youth rehabilitation order and had his iPhone and computer hard drive confiscated". That'll teach him.)

Not so scary, right? Unfortunately though, "not so scary" doesn't sell newspapers. But, of course, we've seen this all before. Remember LulzSec? They were particularly effective at wreaking havoc on the web around 2011 and back then, they too were represented as being another bunch of scary dudes. Well, at least until a teenager named Ryan Cleary turned up in court with his mum:

Check out his mum's face - he is so grounded! And like the TalkTalk kid, actually, not all that scary after all.

Getting to the point of all this, the other day I shared a couple of tweets:

This seemed to resonate with a lot of people who, like me, have their bullshit-o-meter go off every time they hear the term "dark web" used in this way. The particular article I was responding to talked about a significant whack of breached credentials from big companies being found on the aforementioned "dark web" and per the earlier tweet, that struck me as odd; here I have lots of billions of records in Have I Been Pwned (HIBP) and only a very small portion of them came from the "dark web". So what's that about? (Incidentally, the media piece led to a company's website which led to a request for your personal information - no free email accounts allowed - before you could read the content.)

So let's start with the facts - what is the "dark web"? Here's a neat pic from thedarkwebsites.com which puts it all into context:

For the sake of simplicity, that top 94% is what we all use day in, day out. We shop there, we bank there, we socialise there. As I'll show shortly, we also find huge troves of breached data there.

That remaining 6% of content in the "dark web" consists of resources accessible by "hidden" services, namely Tor. And that's a good place to start breaking down the "dark web" FUD because counter to what the headlines suggest, Tor hidden services aren't nearly as scary as they sound. When I hear most folks talk about the "dark web", I get the distinct impression that they're thinking about an IRL equivalent; it's like going down to the docks late at night where you come face to face with shady characters who, on a whim, may cave your head in with a baseball bat. Instead, Tor hidden services can be very familiar environments:

This is merely Facebook accessed via their Tor service and they've had that up for years now. (My daughter in those shots is the one who's adept at hackertyper.net for which you allegedly need to buy a CUJO to keep her out of your network...) I'm using the Tor browser and in case you're thinking "wow, that looks just like a normal browser", that's because it's based on Firefox ESR with a few extra bits thrown in to help with anonymity. For example:

It's also configured to route requests out over Tor and... that's pretty much it. Now I'm obviously not exactly seeking anonymity by signing into my own Facebook account over Tor, but you can appreciate how the right to privacy is enormously valuable to all sorts of people. Folks in the countries that predominantly read my blog are usually less concerned than those in other parts of the world, but in places where anything from political views to sexuality can have life-changing consequences, anonymity can be enormously important. The point here is simply that the "dark web" is very easily accessible and can have very mainstream uses. It's not necessarily this scary place full of shady characters doing dodgy things.

But, of course, there's also that element of it. You're probably familiar with stories of dark web marketplaces (no air quotes this time as I'm not using the term hyperbolically), perhaps most notoriously Silk Road. Since then many others have come and also gone; Hansa, AlphaBay, TheRealDeal - all gone, many with their operators in jail or dead (it didn't work out so well for the operator of AlphaBay). But, of course, others still spring up in their place and even today, finding drugs on a marketplace behind Tor is trivial:

Yes, they're ecstasy tablets in the shape of Trump's head. Yes, they're orange. No, I don't know if it's merely coincidental that both Donald Trump and the psychoactive drug shaped in his likeness may cause paranoia and lead to depression.

There are many less humorous products for sale on these same marketplaces. Some of them have led directly to the deaths of those who've used them and the legal consequences for buyers, sellers and marketplace operators alike can be dire.

Let's turn our attention back to our personal data being sold on the "dark web" though (back to air quotes) because that's what we're really here for. On that same marketplace selling Trump ecstasy, you can buy the Ashley Madison data dump:

In this case, "DrunkNinja" (who's a stand-up bloke based on his rating), is offering it for about $10 worth of BTC (he's also using my description of the data classes from HIBP). So, does this mean they constitute a portion of the stash reportedly found on the "dark web"? Keep in mind that the Ashley Madison data was torrented extensively by the people that stole it in the first place! In fact, that was their entire MO - spread the data as far as possible. Anyone who's ever downloaded a torrent before could have easily grabbed it in minutes. No "dark web". No special browsers. Just. Plain. Torrents.

Oh - and just in case downloading the Tor browser is too much like hard work, Tor hidden services are accessible in any browser via Tor2Web anyway:

It's literally just a matter of adding .to after the onion address. Yes, that does put anonymity at risk (which somewhat defies the point of an anonymity service), but it illustrates just how readily accessible the "dark web" really is.

Many times, exposed data is literally just lying around on publicly facing services. For example, here's an extract from my AusCERT talk last year that shows the discussion I had with the person who identified the Red Cross Blood Service data down here in Australia a couple of years ago:

That URL in his last comment was just an IP address on the clear web. That's identical to how the massive stash of South African data was exposed last year. Or take the CloudPets situation - an exposed MongoDB with no credentials on it. Clear web again. When I look at the largest data breaches in HIBP, it's clear web for a long way down; the 711 million email addresses in the Onliner Spambot was another publicly facing folder:

The billion plus records from the Exploit.In and Anti Public combo lists can be found floating around the clear web quite easily. In fact, very frequently there are entire personal stashes of data breaches just sitting there in public folders. I'm not going to screen cap them here because they're often easily discoverable via Google once you know the file names; you remember Google, it's that service that sits right up the top of that "surface web" image from earlier on. This stuff is very easily discoverable on the web we all use day in and day out.

Here's another example that perfectly illustrates the hyperbole surrounding the "dark web": back in December, we saw a heap of these headlines:

These rather sensational stories were in response to a company called 4IQ writing about the find a few days earlier. On the 9th of December, they explained that "while scanning the deep and dark web for stolen, leaked or lost data, 4iQ discovered a single file with a database of 1.4 billion clear text credentials — the largest aggregate database found in the dark web to date". Now, in fairness to them, that may be precisely how they'd found it - by crawling around Tor hidden services. However, they could have saved themselves a bunch of work and just downloaded it directly from the torrent posted to one of the world's largest websites by the very person who prepared it:

That was 4 days before the data was "found on the dark web". Yes, I'm aware that people may now locate that post from the screen cap above, but the thing is sitting there on Reddit FFS! This is presently the 7th largest website in the world. Not the "dark web". Not even the "deep web". Reddit - "the front page of the internet". And in case you're wondering why you haven't seen this loaded into HIBP, it's because it's already there:

You can probably sense the frustration in my writing when the headlines are screaming out about this massive new dump found in a secretive location and I'm looking at it going "this is all stuff we've seen already - and it's on Reddit". But that headline doesn't have quite the same ring to it now, does it?

Moving on, how about Experian's "Dark Web" search:

4 seconds in and I'm petrified! I don't know precisely what the guy at the start of that video is doing, but there's a lot of green screens and we all know that means there's some serious hacking going on. Curious, I gave it a go and, well, where do we even start? Perhaps at the beginning before you do the search:

Alrighty, read all those 21,494 words and good to go? No? Of course you haven't! Nobody has (well, maybe Experian lawyers) but remember, you're agreeing to the terms of use and acknowledging the privacy policy and ad targeting policy before searching so yeah, good luck with that. But say you read all that (or lie and just do the damn search anyway), what happens next? Well, you wait for them to scan the "dark web" then several days later, they get back to you:

I can't really complain about the spam mails because I'm sure I just agreed to them in the terms and conditions I didn't read. And the other email I got about the "dark web" search didn't tell me where they found my data. Except that based on the date, I know precisely what that breach in the second image is: it's LinkedIn. I also know the asterisks under "Password" mean absolutely nothing because LinkedIn SHA-1 hashed their passwords and whilst yes, that was a woefully inadequate approach, nobody is cracking that 40-character random password generated out of my password manager. And as for the whole "dark web" thing, save yourself opening up the Tor browser and do a bit of Googling if you're looking for the LinkedIn data breach because just like the other incidents they reported my address as being found in, there's nothing "dark" about where you'll find them.

Now in fairness, there's a lot of data that's not easily discoverable publicly. For example, I'm yet to see some of the data breaches I was sent last year appear in many of the usual places; Kickstarter, Bitly, Disqus and imgur just to name a few. But this doesn't make them "dark web", it merely makes them "whoever has them is sitting on a private stash and not shooting their mouth off about it". I know, it doesn't have the same ring to it as "leaked on the dark web", but that's the reality.

Every time you see the words "dark web" used, ask yourself this question: what is the emotion the publication wants you to feel? Do they want you to feel scared? Will they sell more security things if you do? Will you be more likely to click through, read the story and become part of the ad monetisation campaign? Yes? Then it's probably FUD.

You'll see the term "dark web" accompanying all manner of security-related services for all the reasons mentioned above. "Dark Web Threat Alerts". "Dark Web Intelligence". "Dark Web Monitoring". Seriously - Google it - prepare popcorn first. One of them even recently described their "dark web [thing]" as being like "haveibeenpwned.com on steroids" and after checking on Wikipedia, I realised this was probably referring to the side effects of delusions, psychosis or possibly even cognitive impairment (it's also possible that they're on Trump ecstasy). On that front, a bunch of services similar to HIBP have popped up in recent times and they frequently lean on the "dark web" term in reference to where they'll be searching. This is what happens when the marketing team makes up terms they think will sell a product. It's in the same realm as "delivering proactive metrics", "streamlining world-class schemas" and "leveraging scalable applications". And in case you're thinking those sound ridiculous, it's because they all came from bullshitgenerator.com and if you keep generating bullshit on that site, you'll eventually get some "dark web" in there. The service just wouldn't be complete without it.

The State of Security: Ransomware – A Reminder for Healthcare Providers to Lock Down Their Environments

Ransomware attacks against healthcare providers aren’t new. In 2017, two crypto-malware infections affecting medical organizations made The State of Security’s top list of ransomware attacks for the year. The first involved an unknown strain that targeted Arkansas Oral & Facial Surgery Center, an incident which affected X-ray images, documents, and patient data related to recent […]… Read More

The post Ransomware – A Reminder for Healthcare Providers to Lock Down Their Environments appeared first on The State of Security.

The State of Security: 6 Top Cloud Security Threats in 2018

2018 is set to be a very exciting year for cloud computing. In the fourth financial quarter of 2017, Amazon, SAP, Microsoft, IBM, Salesforce, Oracle, and Google combined had over $22 billion in their revenue from cloud services. Cloud services will only get bigger in 2018. It’s easy to understand why businesses love the cloud. […]… Read More

The post 6 Top Cloud Security Threats in 2018 appeared first on The State of Security.

SN 650: CryptoCurrency Antics

This week we discuss today's preempted 2nd Tuesday of the month, slow progress on the Intel Spectre firmware update front, a worse-than-originally-thought Cisco firewall appliance vulnerability, the unsuspected threat of hovering hacking drones, hacking at the Winter Olympics, Kaspersky's continuing unhappiness, the historic leak of Apple's iOS boot source code, a critical WiFi update for some Lenovo laptop users, a glitch at WordPress, a butt of miscellany -- including a passwords rap -- some closing-the-loop feedback from our listeners... and then a look at a handful of CryptoCurrency Antics.

We invite you to read our Show Notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Bandwidth for Security Now is provided by CacheFly.

Many ID-Protection Services Fail Basic Security

Paul Wagenseil, writing for Tom's Guide: For a monthly fee, identity-protection services promise to do whatever they can to make sure your private personal information doesn't fall into the hands of criminals. Yet many of these services -- including LifeLock, IDShield and Credit Sesame -- put personal information at risk, because they don't let customers use two-factor authentication (2FA). This simple security precaution is offered by many online services. Without 2FA, anyone who has your email address and password -- which might be obtained from a data breach or a phishing email -- could log in to the account for your identity-protection service and, depending on how the service protects them, possibly steal your bank-account, credit-card and Social Security numbers.

Read more of this story at Slashdot.

Government cyber defence labelled as ‘woeful’

In the aftermath of the cyber attack that targeted numerous governmental websites over the weekend, which forced users across the world to mine cryptocurrencies for the benefit of criminals, many within the cyber industry have labelled the government's current cybersecurity defences as woefully inadequate.

View Full Story

ORIGINAL SOURCE: The Times

The post Government cyber defence labelled as ‘woeful’ appeared first on IT SECURITY GURU.

Warning over malware posing as IRS email

A malicious email spam attack is circulating and is posing as the Internal Revenue Service. People will do well to remember that the IRS does not initiate contact with taxpayers by email, text messages, or social media channels.

View Full Story

ORIGINAL SOURCE: Gizmodo

The post Warning over malware posing as IRS email appeared first on IT SECURITY GURU.

British businesses spreading cryptocurrency risk – 93% of companies stockpiling Bitcoin have invested in additional digital currencies

Today, new research suggests that half (50 per cent) of large UK businesses have built a stockpile of digital currency in case of a ransomware attack – and just seven per cent are only stockpiling Bitcoin. In fact, the vast majority (93 per cent) are spreading their cryptocurrency risk by investing in other digital currencies as well.

The research – commissioned by Citrix and carried out by OnePoll – quizzed 750 IT decision makers in companies with 250 or more employees across the UK to uncover the extent to which large British businesses are accumulating stores of cryptocurrencies, the impact of the fluctuating price of Bitcoin and how organisations plan to keep these investments secure against cybercriminals. The research also considered whether the increasing use of cryptocurrencies led to business use-cases beyond paying cybercriminals to regain access to their data following a ransomware attack.

Diversifying cryptocurrency portfolios

The poll revealed that almost nine in 10 (88 per cent) responding large UK businesses, which keep a ready stockpile of digital currency, do stockpile Bitcoin. While Bitcoin has proven extremely popular, the vast majority of these companies have also invested in additional cryptocurrencies. More than half (54 per cent) have bought Litecoin but a significant proportion of these organisations have also invested in Ethereum (43 per cent), Ethereum Classic (33 per cent), Ripple (33 per cent) and Dash (29 per cent). In fact, just seven per cent of large UK businesses are choosing to accumulate Bitcoin only.

Bitcoin returns

While more UK companies are building a ready stockpile of digital currency – rising from 42 per cent in 2016 to 50 per cent – the number of Bitcoins kept on standby has remained largely consistent. Large UK businesses now stockpile an average of 24 Bitcoins – only one more than the 2016 average.

This apparent consistency in terms of amount of Bitcoin kept on standby may reflect many organisations’ decision to cash in on inflated prices to make a profit. The poll uncovered that more than half (57 per cent) of those British companies stockpiling Bitcoin have sold some of their supply to make a profit as the cryptocurrency’s value inflated. An additional two fifths (38 per cent) of these businesses are currently considering making a sale – leaving just five per cent choosing to keep all their Bitcoins.

Securing Bitcoin

Almost two thirds (64 per cent) of those companies keeping a ready supply of Bitcoin believe that its inflated price has led cybercriminals to target their Bitcoin stockpile. In fact, large British businesses are very aware of the cyber threat to valuable Bitcoin wallets: only 5 per cent of organisations which stockpile the currency have not taken any steps to protect their Bitcoin reserves.

Of those which have made changes to secure their Bitcoin assets, more than half (52 per cent) have used specific back-up procedures. Other popular security measures include: using cold storage/offline storage (36 per cent), moving to multiple wallets (36 per cent), using a dedicated/hardened computer (35 per cent) and using dual control so that multiple people are required to access the cryptocurrency (22 per cent).

Crypto payments

Many large British businesses are stockpiling cryptocurrency with a view to using it for a number of use cases beyond paying a cyber ransom if required. In fact, just four per cent are building a ready supply of digital currencies specifically to pay ransom-demanding cyberattackers. The research found that two fifths (40 per cent) plan to use the currencies to pay providers, while one in three (32 per cent) are aiming to pay employees in a digital currency. Additional plans include using it together with smart contracts or other blockchain technologies (27 per cent), as part of fundraising (21 per cent) and to pay for training, R&D or other demonstrational activities (17 per cent).

Biggest concerns: value, internal policy and security

More organisations are investing in cryptocurrencies, yet their value is a key deterrent. More than a third of large UK businesses polled cite concerns that the digital currency will crash (35 per cent) and fluctuating prices (34 per cent) as factors that discourage them from stockpiling cryptocurrencies. Additionally, almost one in five (18 per cent) are concerned that the business will not be able to cash the cryptocurrency in when required.

Organisational policies and uncertainty are also holding companies back. One in three (33 per cent) admit that the fact they don’t have a policy on how to deal with digital currency as a type of company asset deters them from stockpiling a digital currency – while 31 per cent pinpoint the lack of an assigned budget to use to purchase digital currencies as a discouraging factor.

Security concerns are similarly rife. Almost one third (31 per cent) believe a stockpile of digital currency might make the business a target for cybercriminals while almost one in five (18 per cent) worry that it might put them at risk of insider theft. Additionally, while some companies keep cryptocurrency on the off chance they are required to pay a cyber ransom, one in ten (11 per cent) raised the concern that ransomware attackers may request payment in a different cryptocurrency – which the business does not stockpile – or potentially request payment in a national currency, e.g. dollars or pounds, instead.

Chris Mayers, chief security architect, Citrix, said:

“Initially many organisations were treating ransomware as a cost of doing business – just like shrinkage and fraud in some sectors – and building a stockpile of cryptocurrency to cover potential cyber ransoms. Yet this is changing as companies begin to embrace its potential as a revenue driver, as well as an alternative means to pay for staff and services. As British companies continue to build and diversify their cryptocurrency portfolios, vital security measures must be put in place to protect these reserves and ensure they can be used for a growing range of business processes instead of falling into criminal hands through ransom or theft.

“It is encouraging to see that organisations are aware of the need to protect cryptocurrencies, even though most of them have not yet put the full range of security measures into practice. With more than one cryptocurrency, and supporting diverse business needs, security becomes both more important and potentially more complex. Organisations should adopt the same approach as they do for data and apps: simplify security by placing cryptocurrencies under centralised control with common policies and procedures, with robust defences. Cryptocurrencies must not be managed by ‘shadow IT’.”

The post British businesses spreading cryptocurrency risk – 93% of companies stockpiling Bitcoin have invested in additional digital currencies appeared first on IT SECURITY GURU.

An Analog to Security and Compliance: The Wonder Twins

Security and compliance are two sides of the same coin, although they are often seen as adversaries. The truth is, much like the 1980s power siblings, the Wonder Twins (whose powers only functioned when their fingers touched), they work hand-in-hand to shore up your information security better than any other combination. Compliance is Key Regulatory […]

The post An Analog to Security and Compliance: The Wonder Twins appeared first on The State of Security.

Security at the Speed of DevOps

DevOps and traditional security seem to be at odds with one other. But it doesn’t have to be that way. You can make security a part of your DevOps process without sacrificing agility or security. First, let’s define what DevOps is. Let’s then look at how it combines with security to create DevSecOps. DevOps: A […]

The post Security at the Speed of DevOps appeared first on The State of Security.

How Hackers Are Leveraging Machine Learning

Machine learning can be leveraged for both beneficial enterprise purposes as well as malicious activity.

For business executives and internal information security specialists, it seems that every day brings a new potential risk to the company – and in the current threat environment, it isn't hard to understand this viewpoint.

Sophisticated cybercriminals are continually on the lookout for the next big hacking strategy, and aren't shy about trying out new approaches to breach targets and infiltrate enterprises' IT assets and sensitive data. One of the best ways to stem the rising tide of threats in this type of landscape is to boost awareness and increase knowledge about the latest risks and how to guard against them.

Currently, an emerging strategy among hackers is the use of machine learning. Unfortunately, like many advanced and innovative technological processes, machine learning can be leveraged for both beneficial enterprise purposes as well as malicious activity.

Machine learning: A primer

Many internal IT and development teams as well as technological agencies are experimenting with machine learning – but white hats aren't alone in their use of this method.

As SAS explained, machine learning is an offshoot of artificial intelligence, and is based on the ability to build automated analytical models. In other words, machine learning enables systems to increase their own knowledge and adapt their processes and activities according to their ongoing use and experience.

"The iterative aspect of machine learning is important because as models are exposed to new data, they are able to independently adapt," SAS stated. "They learn from previous computations to produce reliable, repeatable decisions and results. It's a science that's not new – but one that has gained fresh momentum."

Individuals have likely encountered some form of machine learning algorithm in their daily life already – things like online recommendations from streaming services and retailers, as well as automated fraud detection represent machine learning use cases already in place in the real world.

[Image caption: Artificial intelligence and machine learning can be used to bolster malicious attacks.]

Machine learning on both sides of the coin

However, as legitimate agencies and white hat security professionals continue to dig deeper into advantageous machine learning capabilities, hackers are increasingly looking toward AI-based processes to boost the effects of cyberattacks.

"We must recognize that although technologies such as machine learning, deep learning, and AI will be cornerstones of tomorrow's cyber defenses, our adversaries are working just as furiously to implement and innovate around them," Steve Grobman, security expert and McAfee chief technology officer told CSO. "As is so often the case in cybersecurity, human intelligence amplified by technology will be the winning factor in the arms race between attackers and defenders."

But how, exactly, are hackers putting machine learning algorithms to work, and how will these impact today's enterprises? Let's take a look:

ML vs. ML: Evasive malware

When hackers create malware, they don't just look to breach a business – they also often want to remain within victims' systems for as long as possible. One of the first, and likely most dangerous, ways machine learning will be leveraged by hackers is to fly under the radar of security systems aimed at identifying and blocking cybercriminal activity.

A research paper from Cornell University authors described how this type of instance could be brought to life by hackers. Researchers were able to create a generative adversarial network (GAN) algorithm which, in and of itself, was able to generate malware samples. Thanks to machine learning capabilities, the resulting infection samples were able to effectively sidestep machine learning-based security solutions designed specifically to detect dangerous samples.

Security experts also predicted that machine learning could be utilized by cybercriminals to modify the code of new malware samples based on the ways in which security systems detect older infections. In this way, hackers will leverage machine learning to create smarter malware that could potentially fly under the radar within infected systems for longer periods of time.

This will require enterprises to be increasingly proactive with their security posture – monitoring of critical IT systems and assets must take place continually, and security officers must ensure that users are observing best protection practices in their daily access and network activities.

[Image caption: Hackers could automate data gathering processes with machine learning.]

Preemptive efforts: Laying the groundwork for attack

Forbes contributor and ERPScan co-founder and CTO Alexander Polyakov noted that hackers could also begin utilizing machine learning to support the work done leading up to an attack.

Before they look to breach an organization, cybercriminals typically begin by gathering as much information about a target as possible. This includes details about company stakeholders that could potentially later be used to spur a phishing attack. With machine learning in place, hackers wouldn't have to carry out these research efforts manually, and instead can automate and speed up the entire process.

Leveraging machine learning in this way could mean a spike in targeted attacks that utilize personally identifiable information about company leaders and even lower level employees. Polyakov reported that this style of phishing attack could boost the chances of success by as much as 30 percent.

As phishing and targeted attacks become more sophisticated, it's imperative that executives and employees are educated about how to spot a fraudulent message created to appear legitimate. Often, phishing messages will include the recipient's name, title and other details to encourage the victim to open it. However, these emails may also include spelling errors or small changes in sender email addresses, company names, logos and other items used to support the appearance of legitimacy. Ensuring that employees don't fall for these tricks begins with proper security education and training as part of a layered security posture.

Bypassing CAPTCHA systems: Unauthorized access

Many websites and systems leverage CAPTCHA technology as a way to distinguish human users from bots or machine input. However, in the age of machine learning, even these formerly tried-and-true access protections aren't impervious.

This isn't the first time machine learning has been used to break through CAPTCHA protections: in 2012, researchers showed that machine learning could bypass reCAPTCHA-based systems with an 82 percent success rate, and more recently, in 2017, researchers used machine learning to sidestep Google reCAPTCHA protections with 98 percent accuracy.

This threat means that enterprises will have to strengthen their security protections, particularly those that prevent botnet access on customer-facing systems. Polyakov recommended replacing recognition CAPTCHA with MathCAPTCHA, or another more robust alternative.

Machine learning for security

Thankfully, as noted, machine learning can also be leveraged to boost security on the side of the enterprise.

As noted in this blog, machine learning can help pinpoint and close gaps in IoT security, improve the monitoring of data exchange between employee users, and even predict and stop zero-day threats.

And to learn more about how to safeguard your enterprise against machine learning-based attacks, connect with the security experts at Trend Micro today.

Radware Blog: New Satori Botnet Variant Enslaves Thousands of Dasan WiFi Routers

Overview On February 8th, 2018, Radware’s Deception Network detected a significant increase in malicious activity over port 8080. Further investigation uncovered a new variant of the Satori botnet capable of aggressive scanning and exploitation of CVE-2017-18046 – Dasan Unauthenticated Remote Code Execution. Referred to as “Satori.Dasan,” it’s been rapidly expanding with a high success rate. […]

The post New Satori Botnet Variant Enslaves Thousands of Dasan WiFi Routers appeared first on Radware Blog.



Ep. 102 – Penning the Future with JJ Green

I don’t think any of you will be shocked when I say this world is increasingly more insecure. From our online persona to our physical security – everything is in danger. This month JJ Green tackles that topic with us. Feb 12, 2018

Get Involved

Got a great idea for an upcoming podcast? Send us a quick message on the contact form!

Enjoy the Outro Music? Thanks to Clutch for allowing us to use Son of Virginia as our new SEPodcast Theme Music

And check out a schedule for all our training at Social-Engineer.Com

Check out the Innocent Lives Foundation to help unmask online child predators.

The post Ep. 102 – Penning the Future with JJ Green appeared first on Security Through Education.

Free certificates and SSL encryption being exploited

Zscaler, a cloud security provider, reports that SSL encryption may not be safe as it has now become a means to launch and hide attacks, while free certificates have been used to disguise criminal movements.

ORIGINAL SOURCE: Security Brief

The post Free certificates and SSL encryption being exploited appeared first on IT SECURITY GURU.

GT Maritime Selects Lastline to Protect Shipboard Email Systems From Malware, Protecting Ships and Cargo, and Keeping Crews Connected

Lastline Inc., the leader in advanced network-based malware protection, today announced a partnership with GT Maritime, the leading provider of specialized technologies to ensure vessel compliance and business operability, as well as keeping crew in touch with friends and family while at sea. GT Maritime’s GTMailPlus, a secure, reliable, cloud-based service that optimizes essential business and personal communications, now includes Lastline’s industry-leading advanced malware detection technology to ensure ships’ communications, navigation, and other systems are secure from malware.

More than 51,000 commercial ships carrying 90% of the world’s trade goods provide a very large and vulnerable target for cybercriminals. A majority of malware is distributed via email, so securing email is essential for protecting onboard systems from advanced malware that easily evades detection by anti-virus (AV), anti-spam, and other anti-malware technologies.

Cybercriminals target ships at sea for a number of reasons, including ransomware (demanding payment to return control of a ship’s navigation system, for example), identity theft (targeting ship email systems in order to infect unsuspecting crew members), and politically-driven motives, such as decreasing a navy’s ability to intercept ballistic missiles. Regardless of the initial motive, the collateral impact of crippling a ship’s communications systems includes isolating the crew from friends and family.

“The added security that Lastline will now deliver provides immense value to our customers,” noted Robert Kenworthy, CEO of GT Maritime. “It greatly diminishes the risk of malware infecting critical systems that could lead to devastating results. When the risks are this high, only the best technology will suffice.”

Lastline has been repeatedly identified as the most effective at detecting advanced malware by independent third parties. For the second year in a row, Lastline achieved 100 percent security effectiveness in the 2017 NSS Labs Breach Detection Systems Group Test. Prior to Lastline achieving 100 percent detection in the 2016 Breach Detection test, no other product had achieved this result in any NSS test. In addition, the 2016 Forrester Wave™: Automated Malware Analysis Q2 Report identifies Lastline as the strongest offering on the market.

“We’re honored that GT Maritime selected Lastline for their malware detection,” said Brian Laing, Lastline CRO. “We have a long history of partnering with market-leading companies that, after extensive vetting, identified Lastline as superior to alternatives. In such a unique market, we’re pleased that we can do our part to ensure the safety of ships at sea, as well as their cargo and crews.”

GT Maritime deployed the Lastline sensor in-line in full Mail Transfer Agent (MTA) mode to isolate, independently analyze, and block malicious attachments and URLs before they are routed to recipients. The Lastline analysis provides evidence-based reporting so that GT Maritime’s incident response engineers have complete transparency. Lastline malware detection, fully integrated with GT Maritime’s GTMailPlus, is available immediately.

The post GT Maritime Selects Lastline to Protect Shipboard Email Systems From Malware, Protecting Ships and Cargo, and Keeping Crews Connected appeared first on IT SECURITY GURU.

Less than 1 in 5 enterprises have a customer notification plan in place in the event of a data breach

The European Union’s General Data Protection Regulation (GDPR) goes into effect this May and lawmakers in the U.S. are proposing stricter data breach legislation. With increased pressure on companies to better protect data and improve notification procedures in the event of a data breach, Tripwire, Inc. surveyed 406 cybersecurity professionals to see how prepared organizations are feeling.

Findings from the study revealed that just over three quarters (77 percent) of companies subject to GDPR could meet the 72-hour notification window, with 24 percent claiming they could notify customers of a data breach within 24 hours. In addition, when asked how prepared their organization was to notify customers in the event of a data breach, less than a fifth (18 percent) said that they were fully prepared with a process in place. The majority (73 percent) said they were ‘somewhat prepared’ and would have to figure things out ‘on the fly.’

“When it comes to cybersecurity, it’s short-sighted to figure things out ‘on the fly,’” said Tim Erlin, vice president of product management and strategy at Tripwire. “The majority of data breaches and security incidents can be avoided by following basic security steps and implementing tried and tested foundational controls. With GDPR coming into effect this year, running a business without a fully baked plan is really asking for trouble.”

When asked to characterize their company’s capabilities for knowing where its customer data is stored versus for protecting customer data, respondents were more confident in knowing where the data is. Over a third (35 percent) said their knowledge of where the customer data is stored is ‘excellent’ by comparison to just over a fifth (21 percent) saying the same for their ability to protect customer data.

Other findings from the study revealed that most don’t feel they are fully prepared for any aspect of a security breach. Less than a fifth (18 percent) felt they were fully prepared with a cross-functional team in place to work across IT, finance and communications. Nearly three quarters (73 percent) were not fully prepared to protect customers and only a fifth (22 percent) felt prepared to absorb potential financial penalties as a result of a security breach.

Erlin added: “There are plenty of tried and tested frameworks available from governing bodies in the cybersecurity space that can help organizations who feel like they’re struggling to prepare for a security incident and more specifically, GDPR. If you are an organization subject to GDPR – and as the rules apply to all companies worldwide that process personal data of European Union (EU) data subjects, that will be the majority of global businesses – you are not alone. Start researching for resources that cater to your needs now to help you prepare, so that you aren’t hit with a big fine come May 2018.”

The post Less than 1 in 5 enterprises have a customer notification plan in place in the event of a data breach appeared first on IT SECURITY GURU.

Visitor safety gets major boost at Belfast’s premier events venue with IP security camera upgrade

New system propels The Odyssey Complex into the future of security with low-light technology that assures superb image quality, even during concerts and sporting events

The Odyssey Complex, a premier entertainment venue in Belfast that plays host to many of the city’s high-profile concerts, exhibitions and sporting events, has installed a future-proofed IP security solution that ensures its 1,000,000 visitors each year can enjoy the facilities in a safe and secure environment.

The vast 23-acre site comprises the SSE Arena; a Pavilion including restaurants, shops and a cinema; the W5 Science and Discovery Centre; as well as a 1,500-space car park.

The new system, consisting of more than 140 IP cameras from Axis Communications, replaces an analogue CCTV solution which was nearing the end of its technical life cycle. It produces better quality images and makes it easier for the onsite security teams to investigate crimes and identify individuals of interest.

The IP camera system was installed by Diamond Systems, an Axis Partner and specialist in electronic fire and security solutions. The inclusion of HD IP cameras, which feature Axis’ innovative Lightfinder technology with extreme light sensitivity, provides security teams with more life-like colours in low-light conditions, vital within the arena during sporting events and concerts.

Brian Hughes, Group Head of Facilities at The Odyssey Complex, states: “The safety of our patrons is of paramount importance to The Complex, which is why we have taken this step to invest in a future proof system. Upgrading to HD IP camera technology made complete sense to us as we strive to maintain our status as the leading event facility in Northern Ireland.

“Through the use of intelligent applications such as Lightfinder we can be confident that we have the technology to support our unique security needs. Working closely with Axis and Diamond Systems, we were also keen to ensure the system had capacity to include analytics in the future. This could include customer footfall and queue management, bringing benefits in terms of operational effectiveness, guest satisfaction and, of course, visitor safety.”

Steve Snoddon, Managing Director at Diamond Systems, adds: “We installed the original CCTV system 17 years ago when the complex was first developed. While providing value at the time, technology has progressed at such a rapid pace since that it was time for us to re-evaluate the technology available to support its requirements.”

Peter Dempsey, Key Account Manager at Axis Communications, comments: “We wanted something that would not only incorporate today’s leading technology and maintain a high level of cybersecurity, but also prepare the complex for its security needs in the future. As the leading entertainment venue of its kind in Northern Ireland, the Odyssey’s security requirements are continuously evolving. Our commitment to really understand the business, and partnering with organisations such as Diamond Systems, ensured we could deliver a solution that was tailored to its needs.”

The post Visitor safety gets major boost at Belfast’s premier events venue with IP security camera upgrade appeared first on IT SECURITY GURU.

The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries

A couple of years back as the US presidential campaign was ramping up, the Trump camp did something stupid. I know, we're all shocked but bear with me because it's an important part of the narrative of this post. One of their developers embedded this code in the campaign's donation website:

<script src="https://github.com/igorescobar/jQuery-Mask-Plugin/blob/gh-pages/js/jquery.mask.min.js" type="text/javascript"></script>

See the problem? This tag was in the source code over at secure.donaldjtrump.com/donate-homepage yet it was pulling script directly off Igor Escobar's GitHub repository for the project. Now, imagine if Igor took a dislike to Trump. Or someone else took issue with the bloke (hypothetically, of course) and made a pull request. What could you do if you could modify that script and subsequently cause your own arbitrary JavaScript to execute on Trump's website? Easy answer - almost anything. Modify the DOM, redirect the user, load in external content, challenge visitors to install software, add a key logger and grab any non-HttpOnly cookies. This was actually a serious story back then but it was quickly rectified and we all moved on.

Until now. I woke up on the other side of the world to most people this morning and my Twitters had gone nuts overnight with this story:

One site with a cryptominer is one thing (although the fact it was on the UK's Information Commissioner's Office is noteworthy in and of itself), but it was much, much more than that. It was the US Courts too. And the UK's National Health Service. Even my own state government down here had been hit. In fact, more than 4k impacted sites were quickly identified and they spanned all sorts of different industries. However, it wasn't the sites themselves that had been compromised, rather a script they had a dependency on:

This is Texthelp and they exist to "help everyone read, write and communicate with clarity in class, at work and in life". They create assistive technologies, one of which is a product called Browsealoud which does this:

Our innovative support software adds speech, reading, and translation to websites facilitating access and participation for people with Dyslexia, Low Literacy, English as a Second Language, and those with mild visual impairments.

This short video makes the use case pretty clear:

As Texthelp points out on their site, there's a bunch of regulatory requirements around accessibility which government sites in particular need to play nice with. The value proposition of Browsealoud is that it makes integration dead simple, just copy and paste this one script:

And now we're back to the Trump problem except it's no longer hypothetical, it's real. That script - the one at http://www.browsealoud.com/plus/scripts/ba.js - was maliciously modified to inject a cryptominer and by virtue of it being embedded directly into thousands of sites around the world, the malicious script cascaded down to users of those sites. (Incidentally, at the time of writing that script is offline, consequently breaking every site dependent on it and, one would imagine, possibly leaving them in breach of their accessibility requirements.) Here's what the modified script looked like:

De-obfuscated, that first snippet of code looks like this:

And there's your problem - the file at https://coinhive.com/lib/coinhive.min.js is being embedded directly into the site. (Incidentally, Coinhive is a quasi-legitimate service to "Monetize Your Business With Your Users' CPU Power", there doesn't appear to have been any direct involvement from them in this case.)

Now, onto solutions and ultimately onto the paradox referred to in the title. We have a very robust, well-proven defence for this in subresource integrity (SRI). We've had this for ages and Scott pumped out a piece in response to this incident explaining precisely how to use it. If you look at the source code of this blog you can see it used courtesy of the "integrity" attribute when I embed Report URI JS:

<script src="https://cdn.report-uri.com/libs/report-uri-js/1.0.1/report-uri-js.min.js" integrity="sha256-Cng8gUe98XCqh5hc8nAM3y5I1iQHBjzOl8X3/iAd4jE=" crossorigin="anonymous"></script>

If - for whatever reason - that library is modified upstream of my website, the sha256 hash of the file will be different to the one specified above and the browser simply won't run it. It stops attacks like the one today dead. We've also got awesome support for it across the major browsers and yes, Edge is behind the curve here but that'll hit in the next version:

In Scott's blog post, he also points out that we have content security policies (CSP) which provide another layer of defence. A good policy would have stopped the cryptominer from being loaded from coinhive.com in the first place as it wouldn't have appeared as a white-listed script source. In short, we have the technology to fix this so why did things blow up so spectacularly today? This is where it gets a bit tricky...
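To make the CSP point concrete, here is an added example (not code from this post, nor from any browser or CSP library) of how a browser decides whether a `script-src` source list permits a given script URL. It implements the CSP host-source matching rules (scheme, wildcard host, port, path prefix) plus 'self' and 'none'; nonces, hashes and 'strict-dynamic' are out of scope. The policy at the bottom is a constructed one in the spirit of what this blog describes, and its report-uri endpoint is a placeholder.

```javascript
// Added example, not code from the original post: a small evaluator for the
// script-src side of a Content Security Policy, enough to show why a policy
// naming only the script hosts you actually use stops a tampered dependency
// from pulling in a miner from a host you never listed. Implements the CSP3
// host-source rules (scheme, wildcard host, port, path prefix) plus 'self'
// and 'none'; nonces, hashes and 'strict-dynamic' are out of scope.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Parse "directive value value; directive value" into a Map of token lists.
// A repeated directive is ignored, as browsers do (first occurrence wins).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function hostMatches(pattern, hostname) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);                 // "*.disqus.com" -> ".disqus.com"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return hostname === pattern;
}

function portMatches(pattern, url) {
  if (pattern === "*") return true;
  const fallback = DEFAULT_PORTS[url.protocol] || "";
  return (url.port || fallback) === (pattern || fallback);
}

function pathMatches(pattern, pathname) {
  if (!pattern) return true;                         // no path: any path on that host
  if (pattern.endsWith("/")) return pathname.startsWith(pattern);
  return pathname === pattern;                       // otherwise an exact file
}

// Does one source expression permit loading `url` into a document at `docUrl`?
function sourceMatches(expr, url, docUrl) {
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return url.origin === docUrl.origin;
  if (lower.startsWith("'")) return false;           // 'unsafe-inline' etc: not a host
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return url.protocol === lower; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*]+)(?::(\*|\d+))?(\/\S*)?$/.exec(lower);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // No scheme in the expression means the document's scheme, or https for an http page.
  const schemeOk = scheme
    ? url.protocol === scheme + ":"
    : url.protocol === docUrl.protocol || (docUrl.protocol === "http:" && url.protocol === "https:");
  return schemeOk && hostMatches(host, url.hostname) && portMatches(port, url) && pathMatches(path, url.pathname);
}

// Would a browser enforcing `policy` on the page at `documentUrl` run a
// <script src="scriptUrl">? Falls back from script-src to default-src.
function scriptAllowed(policy, scriptUrl, documentUrl) {
  const directives = parsePolicy(policy);
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return true;            // nothing restricts scripts
  const docUrl = new URL(documentUrl);
  const url = new URL(scriptUrl, documentUrl);       // resolves "//host/x.js" and "/x.js"
  return sources.some((expr) => sourceMatches(expr, url, docUrl));
}

// Constructed policy in the spirit of the one described for this blog; the
// report-uri endpoint is a placeholder, not a real reporting address.
const BLOG_POLICY =
  "default-src 'self'; " +
  "script-src 'self' https://cdn.report-uri.com https://*.disqus.com; " +
  "report-uri https://csp-reports.example.invalid/enforce";

// A tampered Disqus script can still run (no SRI), but anything it tries to
// load from coinhive.com is refused because that host is not in the list.
console.log(scriptAllowed(BLOG_POLICY, "//troyhunt.disqus.com/embed.js", "https://www.troyhunt.com/"));
console.log(scriptAllowed(BLOG_POLICY, "https://coinhive.com/lib/coinhive.min.js", "https://www.troyhunt.com/"));
```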

Let's compare the two scripts I've just mentioned, those being Report URI JS and Browsealoud. Here's the respective paths they're embedded from:

  1. https://cdn.report-uri.com/libs/report-uri-js/1.0.1/report-uri-js.min.js
  2. http://www.browsealoud.com/plus/scripts/ba.js

We will never modify Report URI JS 1.0.1 from its current state. It is, for perpetuity, locked in to that version number. You can safely use an integrity attribute on your script tag because if ever we want to change the implementation, we'll simply rev the version. If you want fixes or features in version 1.0.2 then you'll need to update your own script source and, in turn, the value of the integrity attribute. All of which means this:

Versioned external libraries can easily be protected with SRI because the contents of that specific version will never change.

Now, onto Browsealoud and you'll note there's no version number when their script is referenced. But whilst this is embedded in precisely the same way as Report URI JS, it's a different philosophy because rather than being a static library, Browsealoud is a service. Refer back to the comment at the start of the file I showed earlier:

/* [Warning] Do not copy or self host this file, you will not be supported */

At some point in the future, Texthelp may decide to change the Browsealoud implementation. They may make a bug fix to that file. They might change the API endpoints the library calls. They could change the branding. They might add a new feature. They could decide to do anything and by virtue of their subscribers simply embedding the JS directly into their website and effectively saying "ok, over to you guys, implement the service however you like", they can do anything. And someone did - they put a cryptominer in the file. Which means this:

Non-versioned external libraries can't be protected with SRI if there's an expectation that the service providing them may change them in the future.

And that's the paradox. So how do we fix it? Well firstly, we need to do a bit of threat modelling: If you drill down into the source code of this blog, you'll notice a script is dynamically injected into the head of the page which looks like this:

<script src="//troyhunt.disqus.com/embed.js" data-timestamp="1518392252947"></script>

Wait - isn't this exactly the same story as with Browsealoud?! Yes, it is, and I'm opening visitors to this blog up to a very similar (but ultimately different) risk. If someone pwns that Disqus script, they could add their own arbitrary JS to my site. The threat modelling aspect of this, however, is that I know this is a risk for all the reasons a whole bunch of other people who hadn't thought about this until today now know it's a risk. The decision I've made has been a conscious one; there is enough value in the Disqus service and a low enough impact on a personal blog were it to be compromised that on balance, it's an acceptable risk.

However, the bit where my embedding Disqus is ultimately different to the way the other sites were embedding Browsealoud is that I also have a CSP on this blog. That blog post was made only 11 days ago and as you'll read there, I faced some barriers to get it in place. But now that it's there, it would stop this attack dead because coinhive.com is not an allowable script source. Yes, the Disqus script could still be modified by the attacker and their arbitrary JS would run in my visitors' browsers because I don't have SRI, but no, it wouldn't be able to pull down the cryptominer. A robust CSP is an awesome defence and because I'm also reporting any violations, I'd know immediately if someone did manage to modify that Disqus script. Compare that to today's situation where some folks responsible for government sites had absolutely no idea what was going on:

This is why CSPs and reporting are so invaluable as they bring visibility you never would have had before. (Incidentally, even though today's version of Edge can't do SRI, it can block and report when a CSP is violated so this defence is extra important for the Microsoft browser.) I know I'm waxing lyrical about CSPs and reporting here, but the technology is genuinely that good and it's why I joined Report URI in the first place!

Now, getting back to that threat modelling, I would argue that government websites are not the type of site you want to allow this to happen with. They should be using SRI and they should only be allowing trusted versions to run. This requires both the support of the service (Browsealoud) not to arbitrarily modify scripts that subscribers are dependent on and the appropriate processes on behalf of the dev teams. For example, by locking yourself into a discrete version in this fashion you're not going to automatically get any software updates. But think of what we're really saying here - that an external service shouldn't be able to modify active content that executes in your visitors' browsers without your explicit say so. That sounds very reasonable in this situation and what's more, it's something that we should be doing anyway. Have a read of Using Components with Known Vulnerabilities within OWASP's Top 10 Web Application Security Risks.


If you're serious about this stuff (as governments should be), then this needs to feature in your software management program. There are resources mentioned above to help you do this - retire.js is a perfect example as it relates to client-side libraries. And yes, this takes work:

But there are also things we can do to help organisations hosting scripts to help their users "fall into the pit of success", so to speak. For example, follow Cloudflare's lead and when you provide code snippets for embedding tags, give them the SRI version:


I'd like to see them go further and default to the SRI version (as we do with Report URI JS) or further highlight its value. When I teach people about SRI in my workshops or talk about it at conferences, the vast majority of people don't know what it is so we need to help educate further on that front. Regardless, Cloudflare's approach is a much better one than Pastebin's:


That's to embed the code sample with the cryptominer from earlier on and as you can see, there's no SRI on the script tag. If someone modifies that script upstream of the site it's embedded in, it'll simply run whatever is in the file. When I embedded it above, I elected to drop it into the page via the iframe option and I have a frame-src directive in my CSP to allow pastebin.com. That's a pretty good middle ground for bringing in external content without introducing an unnecessary level of risk, but I'd still love to see that integrity attribute in Pastebin's sample code.

Then there's the counter-argument that you should just serve these libraries yourself and not be dependent on a CDN. Besides the point of that not working when we're talking about services like Browsealoud and Disqus, that also presents all sorts of other problems, particularly around cost and performance. My first big traffic spike on Have I Been Pwned (HIBP) came just days after launching it when I observed the following over a 24 hour period:

I realised, for example, that I’d served up 15GB of jQuery alone – that’s minified and HTTP compressed too. Crikey.

These days, a big day would result in me serving close to half a terabyte of data which could easily come from a public CDN. This is not data I need to pay for. It's also not data my visitors need to load from a single origin at potentially high latency and they wouldn't need to load it at all if they'd already been served that file from another site using the same CDN. There are many, many good reasons for using a globally distributed CDN to serve content and with a combination of SRI and CSP, we can do this without wearing the risks of what we saw happen earlier today. Last thing on that front - I'd also argue that it's one thing to use a CDN hosted by Cloudflare or Google and quite another to use one provided by an organisation that before today, most people had never even heard of.

Frankly, I think we all got off a bit lightly from today's event. This was a very rudimentary and opportunistic attack. It was also highly visible and happened at one of the quietest periods of the week. Imagine for a moment if that really clever thought piece from last month about harvesting credit cards had come to reality instead. Do read that - it's enormously thought provoking - and it's hard not to conclude that we totally dodged the proverbial bullet today. Question is, will it be enough to drive change in the way sites are creating dependencies on external scripts?

Finally, if you'd like to see a demo of precisely how the browser handles SRI when the script has been modified upstream, check out this talk from NDC Oslo last year (embedded at 7:06 where the SRI bit begins, runs for about 11 mins):

Security Mindset: Balancing Firmness and Flexibility

Navigating the noise, complexity and uncertainties of the cybersecurity landscape demands clear thinking. But that’s no easy task. The security professional today has to be knowledgeable about the organization’s own environment, business needs and risks, compliance requirements, best practice frameworks, internal policies and procedures, and the crowded market of product vendors and service providers. Add […]… Read More

The post Security Mindset: Balancing Firmness and Flexibility appeared first on The State of Security.

How Plant Operators Can Overcome the Language Barrier to Securing OT Environments

Securing industrial operations is a unique challenge. The same approach used to secure information technology (IT) networks can’t effectively secure plant floors. That’s because operational technology (OT) has evolved tremendously over the years, creating very complex environments consisting of a dizzying variety of devices from different makes, models and generations communicating through different protocols. To […]… Read More

The post How Plant Operators Can Overcome the Language Barrier to Securing OT Environments appeared first on The State of Security.

Games Organizers at Pyeongchang Winter Olympics Confirm Cyber Attack, Won’t Reveal Source

Pyeongchang Winter Olympics organizers confirmed on Sunday that the Games had fallen victim to a cyber attack during Friday's opening ceremony, but they refused to reveal the source. From a report: The Games' systems, including the internet and television services, were affected by the hack two days ago but organizers said it had not compromised any critical part of their operations. "Maintaining secure operations is our purpose," said International Olympic Committee (IOC) spokesman Mark Adams. "We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure."

Read more of this story at Slashdot.

Olympics officials confirm cyberattack during opening ceremony

Officials saw suspicious activity on Olympics systems during the 2018 winter games' opening ceremony, and now it's confirmed: it was a cyberattack. PyeongChang organizers have revealed that someone compromised services (including internet and TV) while athletes were on parade. Everything had been "resolved and recovered" by the 9th, spokesman Sung Baik-you said. He added that they knew the cause of the attack, but were "not going to reveal the source" after talking to the International Olympics Committee.

Source: Reuters

Sandboxed Mac Apps Can Record Screen Any Time Without You Knowing

Catalin Cimpanu, writing for BleepingComputer: Malicious app developers can secretly abuse a macOS API function to take screenshots of the user's screen and then use OCR (Optical Character Recognition) to programmatically read the text found in the image. The function is CGWindowListCreateImage, often utilized by Mac apps that take screenshots or live stream a user's desktop. According to Fastlane Tools founder Felix Krause, any Mac app, sandboxed or not, can access this function and secretly take screenshots of the user's screen. Krause argues that miscreants can abuse this privacy loophole and utilize CGWindowListCreateImage to take screenshots of the screen without the user's permission.

Read more of this story at Slashdot.

Pennsylvania requires paper trail on all new voting machines

Pennsylvania has taken a leaf out of Virginia's book and is now looking to replace its obsolete and vulnerable voting machines with more secure ones. A new directive requires counties planning to replace their voting machines with new ones that have paper backups -- problem is, the state doesn't have the budget for them. Most of the 20,000 machines Pennsylvania has been using the past decade are purely digital, so the state will need around $60 million to replace them with systems that cost $3,000 each.

Source: AP

Equifax breach may have exposed more data than first thought

The 2017 Equifax data breach was already extremely serious by itself, but there are hints it was somehow worse. CNN has learned that Equifax told the US Senate Banking Committee that more data may have been exposed than initially determined. The hack may have compromised more driver's license info, such as the issuing data and host state, as well as tax IDs. In theory, it would be that much easier for intruders to commit fraud.

Source: CNN Money

Security Affairs: Online Auction Safety Tips for Buyers and Sellers

Buying or selling goods through online auctions is more popular than ever. Which are the best practices to follow for buyers and sellers for an online auction?

Buying or selling goods through online auctions is more popular than ever. Today, there are a number of different auctions sites available where sellers can post new and used items for sale.

Buyers often flock to these marketplaces, largely because auction prices tend to be quite low. Additionally, buying through online auctions is a great way to find unique items or collectibles that you simply can’t buy through traditional retail stores.

The vast majority of transactions that take place through these sites go off without a hitch. Occasionally, however, problems do occur.

There are instances where unscrupulous buyers or sellers try to take advantage of other people on the auction site.

By following a few simple online auction safety tips, you can ensure that you don’t fall victim to a scam.

A good place to start is by familiarizing yourself with some of the common risks including the following:

  • Sellers sometimes try to scam buyers by failing to send out items after they have already been paid for. Buyers, on the other hand, sometimes take advantage of sellers by failing to pay for the item after the seller has already sent it to them or claiming that they never received the item in order to get a refund.
  • Hackers or online thieves can take control of your account if they get access to your password. Not only can they use your account to make purchases but they can also steal your identity.
  • Buyers or sellers can sometimes use the personal information that is exchanged during a sale to steal your identity. For instance, if you use a personal check to pay for an item, an unscrupulous seller may try to steal your identity based on the information printed on your check.
  • Sellers sometimes may try to sell you a knockoff or copy rather than the actual item you are interested in purchasing.
  • Phishing scams may try to get you to share your information by posing as the auction site or as your payment processor. In most cases, these scams are designed to try to gain access to your banking information or to your password so that the perpetrators can steal your identity.


Now that you have a better idea of all of the things that can go wrong when buying through an online auction, you can take steps to prepare yourself. A good place to start is by familiarizing yourself with how each auction site is set up. Before posting an item for sale or placing a bid, spend some time performing the following tasks:

  • Try to get a sense of how the auction site works by watching several items. Pay particular attention to what happens at the end of the auction to see if there is a lot of last-minute bidding. You can then put auction software to work for you on bidding and selling.
  • Familiarize yourself with the website’s Terms of Use. Make sure you have a clear understanding of the various fees that are charged to both sellers and buyers.
  • Additionally, find out what steps they take to help protect users in the event that something goes awry with a transaction. Make sure that you fully understand the site’s rules before buying or selling items through their platform.
  • Find out what forms of payment the website recommends. In most cases, the best option is to use a service like PayPal rather than relying on other payment methods. Personal checks, wire transfers, money orders, cash, and credit or debit cards can be risky for both buyers and sellers. Services such as PayPal provide protection against problems that are commonly experienced online.
  • Protect your identity when creating your profile. Avoid including personally identifiable information in your profile. Try to keep your screen name and user account as anonymous as possible.
  • Choose your password carefully. The last thing that you want is for someone to be able to guess your password or to break it easily using software tools. Make sure your password is a minimum of 10 characters long. Include upper and lowercase letters along with symbols and numbers. Avoid including personal information such as your birthdate, age, or name in your password. Additionally, choose a different password for every site that you are on.

That way, even if hackers figure out your password on one site, they won’t be able to access your profiles on other sites.

Online auction – Before making a purchase or listing an item for sale, be sure to do careful research.

  • Start by taking a closer look at the reputation of the seller or buyer. Typically, the best option is to buy from sellers who have been selling through the platform for a long period of time and who have good feedback from buyers. Make sure all the transactions are completed through the auction site. Don’t fall for the scam where a seller tries to offer you a lower price if you buy the item from them directly rather than buying through the auction site.
  • Learn as much as you can about the item you are selling or buying. Find out how much the item is currently worth. Make sure that it is authentic and figure out what type of condition it is in. Buyers may want to consider saving a screenshot of the description so that they have proof that they can turn to if the item doesn’t live up to the seller’s promises.

About Author:

Ali Qamar is a privacy and cyber security enthusiast, his work has been featured in many major tech and security blogs including InfosecInstitute, Hackread, ValueWalk, Intego, and SecurityAffairs to name a few. He runs SpyAdvice.com currently.


Pierluigi Paganini

(Security Affairs – Online auction, identity theft)

The post Online Auction Safety Tips for Buyers and Sellers appeared first on Security Affairs.


Lenovo patches critical flaws that affect Broadcom’s chipsets in dozens of Lenovo ThinkPad

According to a security advisory issued by Lenovo, two critical vulnerabilities in Broadcom chipsets affect at least 25 models of Lenovo ThinkPad.

The affected models are ThinkPad 10, ThinkPad L460, ThinkPad P50s, ThinkPad T460, ThinkPad T460p, ThinkPad T460s, ThinkPad T560, ThinkPad X260 and ThinkPad Yoga 260.

One of the flaws was discovered in June by Google that publicly disclosed it in September. Google also published a proof-of-concept exploit for a Wi-Fi firmware vulnerability affecting Broadcom chipsets in iOS 10 and earlier.

The flaw, tracked as CVE-2017-11120, is a memory corruption vulnerability that could be exploited by attackers to execute code and establish a backdoor on a targeted device.

The flaw, initially reported as affecting specific Broadcom chipsets used in Apple iPhones, Apple TV, and Android devices, was patched in the same month.

The vulnerability, tracked as CVE-2017-11120, is a memory corruption issue; Apple addressed it in the security update for the release of iOS 11.

Now Lenovo warns of the presence of the flaw in two dozen ThinkPad models that use Broadcom’s BCM4356 Wireless LAN Driver for Windows 10.

The Broadcom Wi-Fi chipsets used by Lenovo ThinkPad devices are affected by the CVE-2017-11120 flaw and also by the CVE-2017-11121 vulnerability; both issues are rated as “critical” and received a CVSS score of 10.

“Broadcom has issued an advisory for certain Broadcom WiFi controllers used by many computer and device makers, which contain buffer overflow vulnerabilities on the adapter (not the system CPU),” reads the security advisory. “Broadcom initially did not plan to remediate these issues, but when the WPA2 KRACK issue also emerged, Broadcom combined both fixes into a single set of driver updates. Lenovo received the first of these near the end of 2017, and continues releasing fixes as integration and testing is completed.”

The flaws can be exploited by remote attackers to execute arbitrary code on the adapter (not the system’s CPU) of the target system.

The CVE-2017-11121 vulnerability was also discovered by Google experts; it is a buffer overflow caused by improper validation of Wi-Fi signals.

“Properly crafted malicious over-the-air Fast Transition frames can potentially trigger internal Wi-Fi firmware heap and/or stack overflows, leading to denial of service or other effects,” reads the description for the flaw.

Lenovo urges users to update the Wi-Fi driver on their ThinkPad models.


Pierluigi Paganini

(Security Affairs – Lenovo Thinkpad, Broadcom Wi-Fi chipsets)

The post Lenovo patches critical flaws that affect Broadcom’s chipsets in dozens of Lenovo ThinkPad appeared first on Security Affairs.

VMware releases temporary mitigations for Meltdown and Spectre flaws

VMware has provided detailed instructions on how to mitigate the Meltdown and Spectre vulnerabilities in several of its products.

VMware is releasing patches and workarounds for its Virtual Appliance products affected by the Meltdown and Spectre vulnerabilities.

The Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access sensitive data on the target.

The mitigation measures apply to vCloud Usage Meter, Identity Manager (vIDM), vCenter Server, vSphere Data Protection, vSphere Integrated Containers and vRealize Automation (vRA).

“VMware Virtual Appliance updates address side-channel analysis due to speculative execution” states the advisory published by the company.

VMware

The company acknowledged problems for its virtual appliances and opted to release workarounds to protect its customers. The proposed solutions are only temporary, pending permanent fixes that will be released as soon as they are available.

The complete list of workarounds is available here. In some cases admins can mitigate the issue by running a few commands as a privileged user; in other cases the procedure to deploy the mitigations is more complex.


Pierluigi Paganini

(Security Affairs – Spectre patches, VMware )

The post VMware releases temporary mitigations for Meltdown and Spectre flaws appeared first on Security Affairs.

Hackers In Equifax Breach Accessed More Personal Information Than Previously Disclosed

An anonymous reader quotes a report from The Wall Street Journal (Warning: source may be paywalled; alternative source): Equifax said, in a document submitted to the Senate Banking Committee and reviewed by The Wall Street Journal, that cyberthieves accessed records across numerous tables in its systems that included such data as tax identification numbers, email addresses and drivers' license information beyond the license numbers it originally disclosed. The revelations come some five months after Equifax announced it had been breached and personal information belonging to 145.5 million consumers had been compromised, including names, Social Security numbers, dates of birth and addresses. It's unclear how many of the 145.5 million people are affected by the additional data including tax ID numbers, which are often assigned to people who don't have Social Security numbers. Hackers also accessed email addresses for some consumers, according to the document and an Equifax spokeswoman, who said "an insignificant number" of email addresses were affected. She added that email addresses aren't considered sensitive personal information because they are commonly searchable in public domains. As for tax ID numbers, the Equifax spokeswoman said they "were generally housed in the same field" as Social Security numbers. She added that individuals without a Social Security number could use their tax ID number to see if they were affected by the hack. Equifax also said, in response to questions from The Wall Street Journal, that some additional drivers' license information had been accessed. The company publicly disclosed in its Sept. 7 breach announcement that drivers' license numbers were accessed; the document submitted to the banking committee also includes drivers' license issue dates and states.

Read more of this story at Slashdot.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of February 5, 2018

It was a busy week in the cyber security world, but it shouldn’t be surprising given that the 2018 Winter Olympics in Pyeongchang have begun. I shouldn’t blame just the Olympics, but it’s hard not to given the international focus, controversy around the ban of certain athletes and its proximity to a certain country. So let’s jump right in…

Adobe Flash Player

Earlier this week, Adobe released a critical security update for a pair of vulnerabilities in Flash Player, one of which has been actively exploited in phishing attacks attributed to North Korean APT actor Group 123. Both bugs are classified as use-after-free vulnerabilities that can result in remote code execution. The vulnerability that is being actively exploited (CVE-2018-4878) was found by Kr-CERT/CC, South Korea’s national computer emergency response team. The other vulnerability (CVE-2018-4877) came through our Zero Day Initiative via “bo13oy” of Qihoo 360’s Vulcan Team.

This week’s Digital Vaccine® (DV) package includes coverage for the Adobe Flash vulnerabilities. The following table maps Digital Vaccine filters to the Adobe updates:

Bulletin #   CVE #           Digital Vaccine Filter #   Status
APSB18-03    CVE-2018-4877   30346
APSB18-03    CVE-2018-4878   30343


WordPress “load-script” Usage Vulnerability

On Tuesday, we released DVToolkit CSW file CVE-2018-6389.csw for the WordPress “load-script” usage vulnerability. This filter detects usage of load-scripts.php in WordPress. The load-scripts.php file is a built-in script in WordPress that processes user-defined requests. Due to insufficient validation, any user can send large numbers of requests for processing, which could cause system resource exhaustion and result in a denial-of-service condition. User authentication is not required to exploit this vulnerability. Customers using TippingPoint solutions should note that the CSW filter will be obsoleted by DV filter 30356.
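For sites without an IPS filter in front of them, the same condition can be spotted in web server logs. This is an added Node.js example, not part of the TippingPoint post or its filter set: it parses combined-format access log lines (constructed here) and flags a client that bursts requests to load-scripts.php, or a single request that names an excessive number of script handles in the load[] parameter. The load[] parameter name is WordPress's own; the thresholds and sample lines are assumptions to tune against real traffic.

```javascript
// Added example, not part of the TippingPoint post or its filters. A log-based detector
// for abuse of WordPress load-scripts.php (CVE-2018-6389). Node.js, built-in modules only.
// Thresholds and the sample log lines are assumptions for this example.

// Apache/nginx "combined" log format: client, identity, user, [time], "request", status, size, ...
const COMBINED_LOG = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "09/Feb/2018:10:15:31 +0000" -> Unix time in seconds.
function parseApacheTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return NaN;
  const [, d, mon, y, hh, mm, ss, sign, tzH, tzM] = m;
  const offsetSec = (sign === "-" ? -1 : 1) * (Number(tzH) * 3600 + Number(tzM) * 60);
  return Date.UTC(Number(y), MONTHS[mon], Number(d), Number(hh), Number(mm), Number(ss)) / 1000 - offsetSec;
}

function parseLine(line) {
  const m = COMBINED_LOG.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status] = m;
  const url = new URL(target, "http://placeholder.invalid"); // base only so path and query parse
  return { ip, ts: parseApacheTime(time), method, path: url.pathname, params: url.searchParams, status: Number(status) };
}

// load-scripts.php concatenates every handle named in load[]=a,b,c (repeatable); the
// handle count is a direct measure of how much work one request asks the server to do.
function loadHandleCount(params) {
  let n = 0;
  for (const [key, value] of params) {
    if (key === "load[]" || key === "load") n += value.split(",").filter(Boolean).length;
  }
  return n;
}

// Flags a client once when it exceeds `maxHits` load-scripts.php requests inside a sliding
// `windowSec` window, and flags every single request naming more than `maxHandles` handles.
function detectLoadScriptsAbuse(lines, { windowSec = 10, maxHits = 20, maxHandles = 50 } = {}) {
  const findings = [];
  const recent = new Map();   // ip -> timestamps of its load-scripts.php requests in the window
  const alerted = new Set();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || !r.path.endsWith("/wp-admin/load-scripts.php")) continue;
    const handles = loadHandleCount(r.params);
    if (handles > maxHandles) findings.push({ ip: r.ip, kind: "oversized-load-param", handles });
    const ts = recent.get(r.ip) || [];
    ts.push(r.ts);
    while (ts.length && ts[0] < r.ts - windowSec) ts.shift();
    recent.set(r.ip, ts);
    if (ts.length > maxHits && !alerted.has(r.ip)) {
      alerted.add(r.ip);
      findings.push({ ip: r.ip, kind: "burst", count: ts.length, windowSec });
    }
  }
  return findings;
}

// Constructed sample traffic (not real logs): one ordinary wp-admin request, one request
// naming 60 handles, then 25 small requests from the same client inside five seconds.
function sampleLines() {
  const line = (ip, sec, query) =>
    `${ip} - - [09/Feb/2018:10:15:${String(sec).padStart(2, "0")} +0000] ` +
    `"GET /wp-admin/load-scripts.php?${query} HTTP/1.1" 200 12345 "-" "curl/7.58.0"`;
  const lines = [line("198.51.100.4", 0, "c=1&load%5B%5D=jquery-core,jquery-migrate&ver=4.9.1")];
  const sixty = Array.from({ length: 60 }, (_, i) => `handle${i}`).join(",");
  lines.push(line("203.0.113.7", 1, `load%5B%5D=${sixty}`));
  for (let i = 0; i < 25; i++) lines.push(line("203.0.113.7", 2 + Math.floor(i / 6), "load%5B%5D=jquery-core"));
  return lines;
}

console.log(detectLoadScriptsAbuse(sampleLines()));
```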

Cisco ASA WebVPN Host Scan Memory Corruption Vulnerability

We also released DVToolkit CSW file CVE-2018-0101.csw for the Cisco ASA WebVPN Host Scan Memory Corruption Vulnerability. This filter detects an attempt to exploit a memory corruption vulnerability in the Cisco Adaptive Security Appliance (ASA). The specific flaw is due to a failure to properly allocate memory when parsing the host-scan-reply tag. An attacker can leverage this vulnerability to execute arbitrary code in the context of the process. Authentication is not required to exploit this vulnerability. Customers using TippingPoint solutions should note that the CSW filter will be obsoleted by DV filter 30369.

Zero-Day Filters

There are 11 new zero-day filters covering five vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website. You can also follow the Zero Day Initiative on Twitter @thezdi and on their blog.

Foxit (6)

  • 30318: ZDI-CAN-5312: Zero Day Initiative Vulnerability (Foxit Reader)
  • 30319: ZDI-CAN-5370,5372: Zero Day Initiative Vulnerability (Foxit Reader)
  • 30333: ZDI-CAN-5371: Zero Day Initiative Vulnerability (Foxit Reader)
  • 30335: ZDI-CAN-5373: Zero Day Initiative Vulnerability (Foxit Reader)
  • 30337: ZDI-CAN-5374: Zero Day Initiative Vulnerability (Foxit Reader)
  • 30338: ZDI-CAN-5375: Zero Day Initiative Vulnerability (Foxit Reader)

Hewlett Packard Enterprise (2)

  • 30308: HTTP: HPE Moonshot Provisioning Manager Appliance khuploadfile.cgi Directory Traversal (ZDI-18-001)
  • 30309: HTTPS: HPE Moonshot Provisioning Manager Appliance khuploadfile.cgi Directory Traversal (ZDI-18-001)

Microsoft (1)

  • 30330: ZDI-CAN-5369: Zero Day Initiative Vulnerability (Microsoft Internet Explorer)

Quest (1)

  • 28124: HTTP: Quest NetVault Backup Multipart Request Header Buffer Overflow Vulnerability (ZDI-18-004)

Trend Micro (1)

  • 30311: HTTPS: Trend Micro Mobile Security for Enterprise SQL Injection (ZDI-17-782)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

Researcher found multiple vulnerabilities in NETGEAR Routers, update them now!

Security researcher Martin Rakhmanov from Trustwave conducted a one-year study on the firmware running on Netgear routers and discovered vulnerabilities in a couple of dozen models.

Netgear has just released many security updates that address vulnerabilities in a couple of dozen models.

The vulnerabilities were reported by security researcher Martin Rakhmanov from Trustwave, who conducted a one-year study on the firmware running on Netgear’s devices.

Users are advised to apply the security patches as soon as possible, since the flaws can be exploited by attackers to compromise gateways and wireless access points.

The expert discovered that 17 different Netgear routers are affected by a remote authentication bypass that could be exploited by a remote attacker to access target networks without having to provide a password.

“This also affects large set of products (17 total) and is trivial to exploit. Authentication is bypassed if “&genie=1” is found within the query string.” reads the analysis published by Rakhmanov.

Yes, that’s right: an attacker just needs to append “&genie=1” to the URL to bypass authentication. The attack works against any gateway with remote configuration access enabled.

Once in, attackers can change the device’s DNS settings to redirect browsers to malicious sites.


Another 17 Netgear routers are affected by password recovery and file access vulnerabilities. The flaws reside in the genie_restoring.cgi script used by the devices’ built-in web server; they can be triggered to extract files and passwords from the filesystem in flash storage and to pull files from USB sticks plugged into the router.

“Some routers allow arbitrary file reading from the device provided that the path to file is known. Proof-of-concept for Nighthawk X8 running firmware 1.0.2.86 or earlier:

curl -d "id=304966648&next_file=cgi-bin/../../tmp/mnt/usb0/part1/README.txt" http://192.168.1.1/genie_restoring.cgi?id=304966648

The above will fetch README.txt file located on a USB thumb drive inserted into the router. Total of 17 products are affected. Specific models are listed in the Advisory notes.” continues the analysis.
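The two bug classes Rakhmanov describes above are a client-controlled parameter that short-circuits the authentication check, and a file parameter that is joined to a base directory without being confined to it. The following is an added Python illustration of each pattern next to its hardened form; it is constructed example code, not Netgear’s firmware or the researcher’s proof of concept, and the handler names, the base directory /srv/www and the request strings are assumptions.

```python
import os
from urllib.parse import parse_qs


def parse_query(raw):
    """Flatten a query string into single values (constructed helper)."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


# --- Bug class 1: authentication bypass via a request parameter ---

def is_authorized_vulnerable(query, session_valid):
    """Flawed pattern: a client-supplied flag is accepted as proof of identity.
    Hypothetical illustration of the "&genie=1" bypass, not Netgear's code."""
    if query.get("genie") == "1":
        return True          # anyone can set this, so the check is meaningless
    return session_valid


def is_authorized_fixed(query, session_valid):
    """Authorization depends only on server-side session state; nothing in
    the request can widen it."""
    return session_valid


# --- Bug class 2: arbitrary file read through a path parameter ---

def resolve_restore_path_vulnerable(base_dir, next_file):
    """Flawed pattern: the caller's path is joined and served as-is, so a
    'cgi-bin/../../' prefix walks out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, next_file))


def resolve_restore_path_fixed(base_dir, next_file):
    """Canonicalise, then require the result to stay under base_dir.
    Returns None when the request would escape. Real code should also apply
    os.path.realpath() to the final path so symlinks cannot reopen the hole."""
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, next_file))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def handle_request(raw_query, session_valid, base_dir="/srv/www", hardened=True):
    """Run a constructed genie_restoring.cgi-style request through either the
    flawed or the hardened checks. Returns (authorized, path_that_would_be_served)."""
    query = parse_query(raw_query)
    next_file = query.get("next_file", "")
    if hardened:
        if not is_authorized_fixed(query, session_valid):
            return (False, None)
        return (True, resolve_restore_path_fixed(base_dir, next_file))
    if not is_authorized_vulnerable(query, session_valid):
        return (False, None)
    return (True, resolve_restore_path_vulnerable(base_dir, next_file))


if __name__ == "__main__":
    q = "id=304966648&next_file=cgi-bin/../../tmp/mnt/usb0/part1/README.txt&genie=1"
    print("flawed  :", handle_request(q, session_valid=False, hardened=False))
    print("hardened:", handle_request(q, session_valid=False, hardened=True))
```

In the hardened path an unauthenticated request is refused before the file parameter is even looked at, and an authenticated request that points outside the base directory gets no file rather than a file from elsewhere on the flash or the USB stick.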

The list of issues discovered by the researcher includes a command injection vulnerability on the D7000, EX6200v2 and some other routers (PSV-2017-2181). After the WPS button is pressed, the affected Netgear routers allow a remote attacker, for two minutes, to execute arbitrary code on the device with root privileges.

“Only 6 products are affected, this allows to run OS commands as root during short time window when WPS is activated.” states the analysis.

 

Pierluigi Paganini

(Security Affairs – Netgear routers, hacking)

The post Researcher found multiple vulnerabilities in NETGEAR Routers, update them now! appeared first on Security Affairs.

EMEA in Firing Line for Evolving DDoS Threats

F5 Labs today released new figures highlighting how DDoS attacks continue to grow and evolve in EMEA. According to customer data from F5’s Poland-based Security Operations Center (SOC), 2017 saw a 64% rise in mitigated incidents. EMEA is also firmly in the firing line, accounting for over 51% of reported global DDoS attacks.

 

Reflecting the spike in activity, F5 reported a 100% growth for EMEA customers deploying Web Application Firewall (WAF) technology in the past year. Meanwhile, anti-fraud solutions adoption increased by 76% and DDoS by 58%.

A key discovery was the relative drop in power for single attacks. Last year, the SOC logged multiple attacks of over 100 Gbps, with some surpassing 400 Gbps.

 

In 2017, the top attack stood at 62 Gbps. This suggests a move towards more sophisticated Layer 7 DDoS attacks that are potentially more effective and have lower bandwidth requirements. 66% of reported DDoS attacks were multi-vector and required sophisticated mitigation tools and knowledge.

 

“DDoS threats are on the rise in EMEA compared to the rest of the world, and we’re seeing notable changes in their scope and sophistication compared to 2016,” said Kamil Wozniak, F5 SOC Manager.

 

“Businesses need to be aware of the shift and ensure, as a matter of priority, that the right solutions are in place to halt DDoS attacks before they reach applications and adversely impact on business operations. EMEA is clearly a hotspot for attacks on a global scale, so there is minimal scope for the region’s decision-makers to take their eyes off the ball.”

 

Four seasons of threat intelligence

 

Q1 2017 started with a bang, with F5 customers facing the widest range of disruptive attacks recorded to date. User Datagram Protocol (UDP) floods stood out, representing 25% of all attacks. Attackers typically send large UDP packets to a single destination or random ports, disguising themselves as trustworthy entities before stealing sensitive data. The next most common attacks were DNS reflection (18%) and SYN flood attacks (16%).

 

Q1 was also the peak for Internet Control Message Protocol (ICMP) attacks, whereby cybercriminals overwhelm businesses with rapid “echo request” (ping) packets without waiting for replies. In stark contrast, Q1 2016 attacks were a 50/50 split between UDP and Simple Service Discovery Protocol (SSDP) floods.

 

Q2 proved equally challenging, with SYN Floods moving to the front of the attack pack (25%) followed by Network Time Protocol and UDP Floods (both 20%).

 

The attackers’ momentum continued into Q3 with UDP floods leading the way (26%). NTP floods were also prevalent (rising from 8% during the same period in 2016 to 22%), followed by DNS reflection (17%).

 

2017 wound down with more UDP flood dominance (25% of all attacks). It was also the busiest period for DNS reflection, which accounted for 20% of all attacks (compared to 8% in 2017 during the same period).
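The four attack types that dominate the quarterly figures above (UDP floods, DNS reflection, SYN floods and ICMP echo floods) each leave a distinct signature in flow data. The following is an added example, not F5 code or anything from the SOC report: a small per-destination classifier that applies those signatures to a batch of flow records. The flow records are constructed, the protected range 10.0.0.0/24 and the threshold of 100 packets per target are assumptions, and the heuristics are deliberately simple (SYNs that are never followed by ACKs, DNS responses from resolvers the target never queried, echo requests by volume, and generic UDP by volume).

```python
from collections import defaultdict


def make_flow(proto, src, dst, sport=0, dport=0, flags="", size=64):
    """One packet-level record (constructed shape, not a NetFlow/IPFIX field set)."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "flags": flags, "size": size}


def build_sample_flows():
    """Constructed traffic mix: four attacked hosts and two hosts seeing normal traffic."""
    flows = []
    # SYN flood: 300 SYNs from spread-out sources, no handshake completes
    for i in range(300):
        flows.append(make_flow("tcp", f"198.51.100.{i % 250 + 1}", "10.0.0.5", 40000 + i, 443, "S"))
    # normal TCP: each SYN is followed by the client's ACK
    for i in range(20):
        flows.append(make_flow("tcp", "203.0.113.10", "10.0.0.6", 50000 + i, 443, "S"))
        flows.append(make_flow("tcp", "203.0.113.10", "10.0.0.6", 50000 + i, 443, "A"))
    # DNS reflection: large responses from many resolvers to a host that never asked
    for i in range(250):
        flows.append(make_flow("udp", f"192.0.2.{i % 200 + 1}", "10.0.0.7", 53, 33333, size=3000))
    # legitimate DNS: an outbound query and its matching response
    flows.append(make_flow("udp", "10.0.0.8", "8.8.8.8", 51000, 53, size=70))
    flows.append(make_flow("udp", "8.8.8.8", "10.0.0.8", 53, 51000, size=120))
    # ICMP echo-request flood
    for i in range(150):
        flows.append(make_flow("icmp", f"198.51.100.{i % 250 + 1}", "10.0.0.9", flags="echo-request"))
    # generic UDP flood against random high ports
    for i in range(400):
        flows.append(make_flow("udp", "198.51.100.77", "10.0.0.10", 40000, 1024 + i, size=1400))
    return flows


def classify_flows(flows, internal_prefix="10.0.0.", threshold=100):
    """Return {target_ip: [labels]} for internal hosts whose inbound traffic
    matches one or more of the attack signatures."""
    stats = defaultdict(lambda: defaultdict(int))
    queried = set()  # (internal host, resolver) pairs that sent an outbound query
    for f in flows:
        if f["src"].startswith(internal_prefix) and f["proto"] == "udp" and f["dport"] == 53:
            queried.add((f["src"], f["dst"]))

    for f in flows:
        dst = f["dst"]
        if not dst.startswith(internal_prefix):
            continue                      # only inbound traffic is scored
        s = stats[dst]
        if f["proto"] == "tcp":
            if "S" in f["flags"] and "A" not in f["flags"]:
                s["syn"] += 1
            elif "A" in f["flags"]:
                s["ack"] += 1
        elif f["proto"] == "udp":
            if f["sport"] == 53:
                if (dst, f["src"]) not in queried:
                    s["unsolicited_dns"] += 1   # a response nobody asked for
            else:
                s["udp"] += 1
        elif f["proto"] == "icmp" and f["flags"] == "echo-request":
            s["icmp_echo"] += 1

    verdicts = {}
    for dst, s in stats.items():
        labels = []
        if s["syn"] >= threshold and s["ack"] < s["syn"] * 0.1:
            labels.append("SYN flood")
        if s["unsolicited_dns"] >= threshold:
            labels.append("DNS reflection")
        if s["icmp_echo"] >= threshold:
            labels.append("ICMP flood")
        if s["udp"] >= threshold:
            labels.append("UDP flood")
        if labels:
            verdicts[dst] = labels
    return verdicts


if __name__ == "__main__":
    for target, labels in sorted(classify_flows(build_sample_flows()).items()):
        print(target, ", ".join(labels))
```

The unsolicited-response check is what separates reflection from ordinary DNS: the legitimate host 10.0.0.8 receives a response from a resolver it queried and is not flagged, while 10.0.0.7 receives hundreds of responses from resolvers it never contacted. Multi-vector attacks, which the report says made up 66% of incidents, would simply produce more than one label for the same target.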

 

Another key discovery during Q4, and one that vividly underlines cybercriminals’ capacity for agile reinvention, was how the Ramnit trojan dramatically extended its reach. Initially built to hit banks, F5 Labs found that 64% of its targets during the holiday season were US-based e-commerce sites. Other new targets included sites related to travel, entertainment, food, dating and pornography. Other observed banking trojans extending their reach include Trickbot, which infects its victims through social engineering attacks such as phishing or malvertising, tricking unassuming users into clicking malware links or downloading malware files.

 

“Attack vectors and tactics will only continue to evolve in EMEA,” said Wozniak. “It is vital that businesses have the right solutions and services in place to safeguard apps wherever they reside. 2017 showed that more internet traffic is SSL/TLS encrypted, so it is imperative that DDoS mitigation solutions can examine the nature of these increasingly sophisticated attacks. Full visibility and greater control at every layer are essential for businesses to stay relevant and credible to customers. This will be particularly important in 2018 as the EU General Data Protection Regulations come into play.”

The post EMEA in Firing Line for Evolving DDoS Threats appeared first on IT SECURITY GURU.

Risky business: The dangerous online behaviours putting corporate data at risk

Be honest, have you ever indulged in adult content in the office? No? Well look around you, because recent statistics prove that at least two in five workplaces are witnessing their employees doing exactly that. Gone are the days when an employee’s occasional procrastination simply amounted to twiddling their thumbs and staring blankly out the window. Now our instant access to the Internet has the potential to cause harm to corporate networks.

A new study by OneLogin explored the amount of online freedom that employees are being given and the detrimental impact unrestricted internet access is having on UK businesses. By trusting their staff with free rein in the unpredictable world of the web, many companies are leaving themselves vulnerable and putting their corporate data at risk.

The study surveyed 605 IT professionals and found that 41% have spotted a high percentage of employees accessing adult content, 45% have seen a high percentage of employees visiting gaming and gambling websites, and 37% have noticed phishing website use. This kind of behaviour is not only a colossal waste of UK productivity, but also a cyber-security nightmare that could leave an abundance of confidential files in the wrong hands.

 

Workplace woes

Technology has transformed our lives dramatically over the last twenty years, from how we purchase goods to how we consume media platforms. Never have we had such easy access to a vast, far-reaching world of information and entertainment through the internet. However, for all the benefits that these improvements have gifted us, in terms of convenience and quality, it has also revealed some very modern challenges for businesses.

 

People in the UK are spending more time than ever accessing risky materials online and this has inevitably transcended into the workplace. These websites represent a major threat to cyber-security because they are often plagued with downloadable materials and adverts that are embedded with viruses and other harmful malware.

 

For example, experts have recently warned the millions of Pornhub users to be careful, after it emerged that cyber-criminals were targeting the website with the highly dangerous ‘Kovter’ malware, cleverly masked through pop-up ads. This use of ‘malvertising’ on legitimate websites has become incredibly popular among hackers, and accessing these materials within the workplace can be catastrophic, leaving company networks far more susceptible to phishing scams and viruses, which can be incredibly costly to remediate.

 

And there are plenty of examples of this risk becoming a reality. 2017 saw a host of devastating cyber-attacks on major companies such as Deloitte and Equifax, as hackers stole information about thousands of customers. The thought of confidential documents and people’s personal details getting into the wrong hands is a harrowing one, and it’s likely to become a far greater issue in 2018. Companies that allow their staff unrestricted access to the internet are in grave danger of placing their names next on the list of cyber hacking victims.

 

Protect your data before you wreck your data

According to the survey respondents, 67% of businesses neglect to invest in single sign-on (SSO) solutions, and 54% don’t use a domain name filtering system. To avoid a descent into the further chaos that hacks create, businesses need to focus their attention on controlling the content that is being accessed via the corporate network and evolve cybersecurity strategies to reflect modern employee needs. SSO solutions, for example, help to keep information secure by using policy-driven password security and multi-factor authentication to ensure that only authorised users have access to sensitive data, while domain name filtering blocks access to potentially dangerous websites based on a business’s specific criteria.

 

Businesses must prioritise training to educate their employees on the hazardous consequences of high-risk websites and raise awareness of the issue throughout the organisation. With the most common form of successful cyber-attacks arising from phishing emails, businesses must conduct regular employee phishing assessments. This enables businesses to identify who in their organisation is most liable to click on harmful emails, and help those who aren’t as tech-savvy to be aware of what exactly a phishing email is. Yet worryingly, nearly two thirds (62%) of the study respondents admitted their business fails to conduct employee phishing assessments, and more than a third (36%) don’t invest in security education.

 

Despite cyber-security posing itself as one of the main threats facing businesses in 2018, companies are still failing to properly enforce sanctions on internet access in the workplace. So, ensure that your business is implementing these measures to stop high-risk websites being your downfall.

The post Risky business: The dangerous online behaviours putting corporate data at risk appeared first on IT SECURITY GURU.

Is Investing in Cryptocurrency Worth the Security Threats?

Even people who aren’t familiar with investing have heard of cryptocurrency — especially lately since it has frequently made headlines.

Some of those news stories about digital currencies focus on the rapid rises — and seemingly inevitable declines — of Bitcoin, one of the most well-known cryptocurrencies.

Others discuss how people who had relatively stable lifestyles lost most of what they had after becoming interested in, and investing in, cryptocurrency. Some people who have had substantial successes in the cryptocurrency realm live in anonymity, not wanting to attract too much attention.

These potential downsides and others have some people wondering if the potential to get rich as a cryptocurrency investor is appealing enough to make the less-profitable outcomes less frightening. Indeed, when things go wrong, security is often the first thing people lose.

Cryptocurrencies Becoming More Attractive to Hackers

Cryptocurrency investors keep their virtual funds in digital wallets. Pickpockets have swiped physical currencies for generations, and the same is true for cryptocurrencies. Increasing interest levels makes them more tempting to hackers. In January 2018, hackers stole more than half a billion dollars worth of digital currency from Coincheck, a Japanese exchange.

Analysts say investors should expect more attacks of the same kind. Sometimes, the hacks occur on investors’ computers through a process called cryptojacking, which involves taking control of a victim’s browser and using it to create or “mine” cryptocurrencies fraudulently.

According to research collected by Check Point, a cybersecurity company, mining malware has affected 55 percent of organizations worldwide. Statistics from December 2017 indicate the most widely used threat of this kind is called Coinhive.

Cybercriminals depend on botnets, too, which are groups of internet-connected devices infected by a common type of malware. Botnets were once not considered financially viable, but experts say newer cryptocurrencies are easier to mine, and people can rent botnets for as little as $40.

The growing likelihood of getting hacked is one of the many reasons people prefer investing in traditional physical currencies, such as silver. Compared to cryptocurrencies, statistics show silver is historically stable. Even after experiencing downturns, it often makes a complete rebound in 12 to 15 months.

People Are Losing Access to Their Digital Wallets

The stress of losing an actual wallet is severe enough, but for individuals who cannot gain access to their digital wallets after forgetting the password or deleting a file that contains cryptocurrency information, the anxiety can be even worse.

Mark Frauenfelder, an investor who lost $30,000 of cryptocurrency after forgetting a PIN, knows that reality all too well. He eventually recovered it, but not without going through months of anguish and failed efforts.

A software architect using the alias Dave Bitcoin launched a website called Wallet Recovery Services to help people in Frauenfelder’s predicament. Dave relies on a computer program to try millions of passwords in a short timeframe — otherwise known as brute force decryption. He has about a 30 percent success rate and charges individuals 20 percent of whatever is in the recovered wallets.

Dave reports his business has boomed, due in large part to the rising popularity of cryptocurrencies. Even as currencies evolve, the fact that humans forget things remains constant.

Cryptocurrency Wealth and Its Connection to Personal Safety

As mentioned earlier, people who have reaped the rewards of cryptocurrency in significant ways typically stay tight-lipped. Sometimes, they don’t disclose the kinds of digital currency they own — their closest friends and relatives may not know how much they possess. Fellow investors who want to have the same victories could hound those who divulge more details, too.

The primary reason investors stay quiet about their cryptocurrency holdings is that they fear getting robbed or otherwise targeted. The decentralized nature of cryptocurrencies is appealing to many people, but it also means they can’t put their wealth in banks to reduce the personal safety risk.

Cybercriminals have also tried to tap into investors’ paranoia for gain by using an online death threat scam. It tells victims their lives are in danger unless they pay a specific amount of cryptocurrency.

Evaluating the Plausibility of Disaster

At the beginning of the year, the Utah Division of Securities warned that cryptocurrency dealings could become risky for several reasons, including evidence of digital money used for fraud. With all these factors in mind, potential investors must take stock of the circumstances surrounding their situations and determine those most likely to cause threats to security.

Then, it’s crucial for them to take action to minimize the likelihood of something devastating happening. That may mean going to great lengths to prevent losing a digital wallet access code, investing in a home monitoring system or beefing up malware protection on their computers.

The inherent uncertainty of cryptocurrency investing is even higher for individuals who do not assess possible threats and decide how they can reduce them.

After all, if cryptocurrencies continue to flourish, the efforts to scam people and steal their wealth will increase, too.

The post Is Investing in Cryptocurrency Worth the Security Threats? appeared first on IT SECURITY GURU.

How to Avoid Ransomware in 5 Easy Steps

As you scroll through your social media feed, a window pops up: “Your hard drive has been encrypted. You have 48 hours to pay $200 or your data will be destroyed.” You see a link and instructions to “pay in Bitcoin.” An ominous looking timer counts down the seconds and minutes for the two-day window. Nine, eight, seven….  

Your thoughts immediately go to the contents of your hard drive — your daughter’s graduation video, your bank statements, a life insurance policy, pictures of your grandchildren — they all sit there, vulnerable, helpless bits of ones and zeros…and you don’t know what the heck bitcoin is.

Welcome to the world of ransomware — digital data hostage-taking only Hollywood could make up. Ransomware is a security threat for people and business, and cybersecurity experts predict it will only get worse in the future. One cause for its popularity is the profitability of the enterprise. Cyberthieves rake in millions every year with threats to destroy or encrypt valuable data if their ransoms aren’t paid.

You don’t need to be a millionaire or multinational corporation to be at risk. Cyberthieves also target the data of average consumers. When they target consumers, hackers may only request a few hundred dollars ransom but when the threat includes a thousand people, it makes for quite the lucrative venture. Many ransomware victims feel the risk of losing their data is too great, so they pay up. However, this only encourages the criminals.

The best way to combat ransomware is by not becoming a victim in the first place. To that end, here are five immediate steps you can take to avoid ransomware attacks.   

Step 1: Set Your Operating System to Automatically Update

The first step to avoiding ransomware is to update your operating system (OS). Anything connected to the web works better when its OS is updated. Tech companies like Microsoft and Apple regularly research and release fixes for “bugs” and security patches for vulnerabilities in their systems. It’s a cybersecurity game of cat and mouse. Cyberthieves search for “holes,” and companies race to find them first and “patch” them.

Users are key players in the game because they are the ultimate gatekeepers of their operating systems. If your OS isn’t up to date, you can’t take advantage of the security updates. Plus, your computer runs better with an updated OS.

Set your OS to update automatically and you won’t need to remember to do it manually. While Windows 10 updates automatically (you have no choice), older versions don’t. But setting up auto updates is easy, whether you’re on a Mac or PC.

Step 2: Screenshot Your Bank Emails

Cybercriminals use trojans or worms to infect your computer with ransomware. So avoiding these will help you avoid ransomware. Worms and trojan malware are often spread through phishing email scams, which trick users into opening email attachments containing viruses or clicking links to fake websites posed as legitimate ones.

One of the best tips for keeping phishing emails at bay is learning to identify them. Hackers send phishing emails that look like they come from banks, credit card companies, or the IRS. Phishing emails kickstart your fears and anxieties by suggesting there are “problems with your account” or insisting that “Urgent action is required.” Who wouldn’t be scared if their bank sent them an email saying, “You are overdrawn in your account.”

Cybercriminals use this fear to distract people so they will overlook the telltale signs of the phishing email like misspellings or common fear-inducing subject lines.     

Take screenshots of all of the legitimate emails from your bank, credit card companies, and other businesses that manage your sensitive information. Use these screenshots to compare with future emails you receive so you can spot phishing phonies and avoid ransomware.

Step 3: Bookmark Your Most Visited Websites

The next step in your ransomware avoidance journey is to bookmark all of your most visited websites. Just as with phishing emails, cybercriminals build websites that look like bank or credit card sites. Then they trick users into clicking a link and visiting them. From there, hackers steal your sign-in credentials or infect your computer with malware.

Think twice before you visit a website by clicking a link in an email, comments section, or private messaging app. Instead, bookmark your most visited or high-value websites and visit them through your browser.  

Step 4: Backup Your Data to the Cloud and a Hard Drive

This step is a no-brainer. Ransomware works if you only have one copy of your data. If it’s irretrievable, then cyberthieves have the upper hand, but if you have multiple copies, you have taken away the power behind the threat.

Back up your data to both a cloud service and a hard drive. That way, you have a copy that’s available anywhere there’s internet access and one that’s physically accessible all the time. Both types of storage are relatively inexpensive and will certainly prove worth it if you’re ever a ransomware target.

After backing up your data, set up a schedule so you can keep your data current. If you haven’t backed up your data in six months, you’re probably just as vulnerable to ransomware attacks as having no backup at all.
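A backup only takes away the attacker's leverage if the copy is still intact when you need it, and a cloud folder that syncs continuously can faithfully replicate the encrypted versions of your files over the good ones. The following is an added example, not Panda Security's tooling: it records a SHA-256 manifest of a folder at backup time and later verifies a backup copy against that manifest, reporting files that are missing or whose contents changed. The folder names and file contents are constructed in a temporary directory so the script runs offline; keeping the manifest itself somewhere the backup job cannot overwrite is the assumption that makes the check meaningful.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large videos do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(source_manifest, backup_root):
    """Compare a backup tree against the manifest taken when it was made.
    'changed' is the interesting list: files present but with different bytes."""
    backup = build_manifest(backup_root)
    return {
        "missing": sorted(k for k in source_manifest if k not in backup),
        "changed": sorted(k for k in source_manifest
                          if k in backup and backup[k] != source_manifest[k]),
        "extra": sorted(k for k in backup if k not in source_manifest),
    }


def demo():
    """Constructed scenario: a clean backup, then the same backup after two files
    have been overwritten or removed. Returns both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        bak = Path(tmp) / "backup"
        (src / "photos").mkdir(parents=True)
        (src / "bank_statement.txt").write_text("constructed sample statement\n")
        (src / "photos" / "graduation.txt").write_text("constructed sample video placeholder\n")

        manifest = build_manifest(src)       # stored separately at backup time
        shutil.copytree(src, bak)
        clean = verify_backup(manifest, bak)

        # Simulate the backup copy being silently overwritten and pruned
        (bak / "bank_statement.txt").write_bytes(b"\x00opaque ciphertext-like junk")
        (bak / "photos" / "graduation.txt").unlink()
        tampered = verify_backup(manifest, bak)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("fresh backup :", clean)
    print("after damage :", tampered)
```

Run the verification on a schedule alongside the backup itself; an empty `changed` list on the offline hard-drive copy is the evidence that a restore will actually work.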

The post How to Avoid Ransomware in 5 Easy Steps appeared first on Panda Security Mediacenter.

Who Is Responsible for Your Cloud Security?

The cloud is a tremendous convenience for enterprises. Running a data center is expensive. Doing so not only requires buying a lot of servers, cable, and networking appliances but also electricity, labor costs, cooling, and physical space. Services like Amazon’s AWS, Microsoft’s Azure, Oracle’s Cloud, and Google’s Cloud Platform give businesses the benefits of having […]… Read More

The post Who Is Responsible for Your Cloud Security? appeared first on The State of Security.

Symantec’s untrusted certificates: How many are still in use?

The fallout from Google’s decision last year to stop trusting Symantec certificates has been difficult to quantify, but one security researcher has provided clarity on how many untrusted certificates are still being used.

Arkadiy Tetelman, senior application security engineer at Airbnb, posted research over the weekend about the number of untrusted certificates still in use by Symantec customers (Symantec’s certificate authority (CA) business was acquired late last year by rival CA DigiCert). According to Tetelman, who scanned the Alexa Top 1 Million sites, approximately 103,000 Symantec certificates that are set to have trust removed this year are still in use; more than 11,000 of those will become untrusted certificates in April with the release of Chrome 66, and more than 91,000 will become untrusted in October with Chrome 70.

“Overall the issue is not hugely widespread,” Tetelman wrote, “but there are some notable hosts still using Symantec certificates that will become distrusted in April.”

According to Tetelman’s research, those notable sites include iCloud.com, Tesla.com and BlackBerry.com. He noted that some users running beta versions of Chrome 66 are already seeing connections to websites using these untrusted certificates rejected, along with a browser security warning that states “Your connection is not private.”

Google’s decision to remove trust for Symantec-issued certificates stems from a series of incidents in recent years with the antivirus maker’s CA business. Among those incidents were numerous misissued certificates (including certificates for Google) and repeated auditing problems. Last March, Google announced its intent to remove trust from Symantec certificates based on its investigation into the company’s CA operations. After months of negotiations – and hostile public sparring – between Symantec and the web browser community, Symantec finally agreed to a remediation plan offered by Google, Mozilla and other browser companies.

That remediation plan gave Symantec a choice: either build a completely new PKI for its certificates or turn over certificate issuance operations to one or more third-party CAs. Symantec ultimately opted to sell its PKI business to DigiCert in August.

DigiCert, meanwhile, still has to make good on the remediation to which Symantec agreed. And so far, it has; DigiCert met a Dec. 1 deadline to integrate Symantec’s PKI with its own backend operations and ensure all certificates are now issued and validated through DigiCert’s PKI.

But DigiCert will still have to contend with untrusted certificates currently used by Symantec customers. Along with the Chrome 66 and 70 release dates, new versions of Mozilla’s Firefox will also remove trust for Symantec certificates; Firefox 60, scheduled for May, will distrust Symantec certificates issued before June 1, 2016, while Firefox 63, scheduled for December, will distrust the rest of Symantec’s certificates.
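For an operator who wants to know whether any of their own hosts are among the certificates described above, the question reduces to two fields of the leaf certificate: who issued it and when. The following is an added example, not Tetelman’s scanner or any browser's distrust logic: it classifies a certificate as unaffected, first-wave or second-wave using the issuer organisation and the June 1, 2016 cutoff the article gives for Firefox 60. The list of Symantec-operated issuer brands is an assumption (the article does not enumerate them), the sample certificates are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and `fetch_cert` is provided for live use but is not exercised offline.

```python
import socket
import ssl

# Issuer organisation names that belonged to Symantec's CA business.
# Assumption for this example; the article does not list them.
SYMANTEC_BRANDS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl")

# Cutoff the article gives for Firefox 60: certificates issued before this
# date fall in the first distrust wave.
FIRST_WAVE_CUTOFF = ssl.cert_time_to_seconds("Jun 01 00:00:00 2016 GMT")


def issuer_org(cert):
    """Extract organizationName from the issuer tuple-of-tuples structure
    that getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(cert):
    """Return 'unaffected', 'first-wave' or 'second-wave' for one certificate."""
    org = issuer_org(cert).lower()
    if not any(brand in org for brand in SYMANTEC_BRANDS):
        return "unaffected"
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    return "first-wave" if issued < FIRST_WAVE_CUTOFF else "second-wave"


def fetch_cert(host, port=443, timeout=5):
    """Retrieve the leaf certificate a host presents (needs network access).
    The classification looks only at the issuer, so it does not depend on
    whether the local trust store still accepts the chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def build_sample_certs():
    """Constructed certificate dicts (not real certificates) keyed by hostname."""
    return {
        "old-symantec.example": {
            "issuer": ((("countryName", "US"),),
                       (("organizationName", "Symantec Corporation"),),
                       (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
            "notBefore": "Mar 03 00:00:00 2016 GMT",
            "notAfter": "Mar 03 23:59:59 2018 GMT",
        },
        "new-geotrust.example": {
            "issuer": ((("countryName", "US"),),
                       (("organizationName", "GeoTrust Inc."),),
                       (("commonName", "GeoTrust RSA CA 2018"),)),
            "notBefore": "Sep 12 00:00:00 2017 GMT",
            "notAfter": "Sep 12 23:59:59 2019 GMT",
        },
        "digicert.example": {
            "issuer": ((("countryName", "US"),),
                       (("organizationName", "DigiCert Inc"),),
                       (("commonName", "DigiCert SHA2 Secure Server CA"),)),
            "notBefore": "Jan 10 00:00:00 2018 GMT",
            "notAfter": "Jan 10 23:59:59 2020 GMT",
        },
    }


def audit(certs):
    """Classify every certificate in a {host: cert} mapping."""
    return {host: classify(cert) for host, cert in certs.items()}


if __name__ == "__main__":
    for host, verdict in audit(build_sample_certs()).items():
        print(f"{host:28} {verdict}")
```

To run it against real hosts, replace the constructed mapping with `{host: fetch_cert(host) for host in your_inventory}`; anything reported as first-wave is what Chrome 66 beta users are already refusing to connect to.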

In other words, more work needs to be done before this mess is completely cleaned up.

The post Symantec’s untrusted certificates: How many are still in use? appeared first on Security Bytes.

Security Glue Between the Silos of Endpoint, Server, Cloud and Network Security Gets More Critical

Endpoint and Host security techniques have diverged. There used to be considerable similarity between the techniques and tools used to secure desktops, servers, and even networks. Desktops evolved to become Endpoints, as mobile devices proliferated and they were assembled into a collective of being in the category of not-a-server.

But as practitioners know, it isn’t all about the tech. Organizations changed, too: operations groups diverged into distinct endpoint ops and data center or server ops teams. At the same time security shifted to more often becoming about monitoring and ensuring security than by implementing it and operating it.

BYOD and mobile workers pushed Endpoint Protection Platforms (EPP) into new tasks, like encryption, application control and DLP.  Server communication and composition changed, and servers became increasingly virtual and are highly replaceable through orchestration. Server security became very different and subdivided into unique types reflecting the different exposures between web servers, data servers, and others.

The future sees this trend continuing. In the near term, containers mean that intra-server security becomes more complex and a bigger task. Containers shouldn’t normally house data, but they handle it and therefore become a target, especially if the application security regime doesn’t include container security. The communication between containers, and between containers and apps, becomes a key point at which to embed security. But it is likely not the only place, as the algorithms inside apps and containers become a future target. In the mid term, serverless becomes the new milestone in a changing data center as to how servers evolve and present new security challenges. “Is the server secured?” becomes a degree more abstract and moves towards “Are the server(s) secured?”

Network security is under organizational pressure as network ops gets sometimes forgotten in the move to hybrid and cloud. Contrary to the belief that network security goes away, it becomes more critical as your data moves to new and odd places. Endpoints and servers still need securing, and so too does the connection to them. There isn’t enough space in this blog entry to cover all the security dynamics of cloud security.

Clearly, all this disruption and specialization has created very narrow silos. Meanwhile, attacks are going low and slow. Within these silos the challenge today is not only spotting meaningful attacks but how fast the label of meaningful is assigned, and then the time to resolution of an alert. And that is within a single silo. As the whitespace between the security silos of endpoint, server, network and cloud expands, the opportunity to pull together becomes more important. SIEM is a critical tool, but in the pre-SIEM and post-SIEM phases of reducing alert resolution effort and time there is a wealth of security-relevant information lying between these silos. Better glue between these silos can mean better pre-SIEM security operations creating fewer alerts to resolve, what comes out of the SIEM is more relevant, and the resulting alerts can have a faster time to resolution. Too often we rely on the least-scalable resource to be this glue between the silos, our “meat computers” – our people. There are other security and tech silos as well that I haven’t mentioned, such as data, personnel, and data center.

The greatest challenges and opportunities in security present themselves when the organization and the technology go orthogonal. As our technology, security, and organizations get more specialized and more siloed, putting more non-human security glue between these silos is a big opportunity. Specifically, it means recognizing that security happens across silos, even when security itself isn’t structured that way.

Have we got a training and safety programme in place?- A key question today’s CEOs should ask

I have recently been writing a series of articles that tackle the various questions CEOs should be asking their teams when it comes to cybersecurity prevention. Previously I’ve written about how organisations are managing risks, the evolution of the budget and understanding the top five risks or high-risk areas within the business. In this article I am going to address why CEOs should have training and safety programmes in place and prioritise them accordingly.

When I work with CEOs, I like to use a safety programme within an organisation as a parallel to a cybersecurity programme. There are a number of industries where having a safety programme is required. While NOT required by all industries it is certainly a good idea for all companies to have one.

A Plan for Safety

I once had a manager who previously managed a safety programme for a small trucking firm. The company had under-invested in its prevention of accidents, training and awareness, and managing driver sleep time between shifts. The risk of under investment was raised numerous times without the appropriate action being taken. An incident finally occurred involving a gas truck, an overpass, and a Volvo heading home. The results of this accident were devastating.

A cyber incident can have very real, even kinetic, results, including loss of life, loss of customers, damaged reputation, stolen data, lost up-time or a class action lawsuit. The threat of a cyberattack is very real. Ensuring your employees are aware of and understand their role in securing your organisation is a great way to decrease your risk of an incident.

By the way, the trucking firm went out of business as a result of litigation. This was an actual worst-case scenario for them.

Safety is a programme that requires management and training. It is a culture in an organisation that needs to be nurtured and supported. Companies with a culture of safety make it visible to the entire organisation. However, I am sorry to say that we don’t often adopt the same approach with cybersecurity.

To create a culture of safety in an organisation, time and resources are spent to ensure people are properly equipped and trained in procedures and understand how to prevent incidents, as well as what to do in the event of an incident.

When I served in the Marine Corps, safety was drilled over and over: we were given training and shown videos. The videos showed us the accidents and talked about what went right and what went wrong. We drilled the scenarios so that we not only understood them but were prepared.

One particular scenario that really stood out for me with regard to safety planning was when I was stationed on an aircraft carrier as a Marine. We first watched a video of the U.S.S. Forrestal blazing away as a jet-fuel fire began lighting off live ammunition. That video led to endless firefighting simulation drills. Yes, as a Marine, I threw on firefighting gear and grabbed hoses. Even the Marines had a job firefighting in the event of a fire. It was part of our culture on board and part of our daily lives. Incidentally, we later had two fires: an F-18 that caught the wrong wire and an on-board fire. Neither resulted in anything more than a bit more training and no loss of life.  This shows that training and constant awareness works.

These are all qualities that a cybersecurity programme should share. Safety is everyone’s responsibility. So is cybersecurity. As the CEO, you don’t need to know all of the ins and outs of the programme, but knowing if everyone in the organisation has gone through it is a good start. Your team should also have specific training for you, the executive team, and the board. You should go through the training and ask any questions that come up. Your team should be constantly educating the entire organisation to help ensure your Commander’s Intent for Cyber Security is being carried out.

To create the culture in your organisation you, as the leader, should find a way to communicate the importance of cybersecurity. Start by filming a video message and sharing this with your employees.

We all know that people are the key to any successful organisation. People are also the key to a successful cybersecurity programme. Ensuring they are aware and well trained will keep you out of the headlines and ahead of your competition.  So make sure that as the CEO you put the right emphasis on training and having the appropriate safety programmes in place.

The post Have we got a training and safety programme in place?- A key question today’s CEOs should ask appeared first on IT SECURITY GURU.

Cryptocurrency Marketplaces Hit by a Spectrum of Attacks Amidst Major Shifts in Cybercrime, Reveals New ThreatMetrix Report

ThreatMetrix®, The Digital Identity Company®, today revealed a 113 percent year-over-year increase in cyberattacks in Q4 2017, as both the volume and the nature of attacks transform.

The Battle for a Safe Cryptocurrency Market

The Q4 2017 Cybercrime Report reveals that cryptocurrency marketplaces, designed to facilitate trading on the full range of digital currencies, are experiencing a range of fraudulent activity. The world of cryptocurrency has moved from being the playground of the criminal underworld to be a prime target for attacks on legitimate transactions.

Fraudulent new accounts are created using stolen or synthesised identities to set up mule accounts to launder money. Additionally, legitimate accounts are being hacked to make fraudulent payments and transfer cryptocurrency balances out when at their highest value.

“Cryptocurrency marketplaces need a more accurate way to verify the identity of new customers who open an account in order to prevent the infiltration of criminals,” said Vanita Pandey, Vice President of Product Marketing at ThreatMetrix. “Using intelligence from the ThreatMetrix Digital Identity Network, these marketplaces can better differentiate between good customers and fraudsters the moment they arrive, and thus see an immediate reduction in fraudulent activity on their platforms.”

From Russia Without Love

The Q4 2017 Cybercrime Report also revealed an increased volume of attacks originating from Russia, using both automated bots and location spoofing tools. In fact, for the very first time, Russia emerged as a top attack originator, with the majority of incidents targeting ecommerce retailers in the U.S.

Key shopping days in Q4 over the holiday season saw up to 2 million bot attacks coming from Russia alone. These persistent, but increasingly sophisticated, attacks were primarily targeting top American retailers.

eCommerce Attacks: The Dark Side of the Holiday Season

The number of attacks on eCommerce during the fourth quarter of 2017 was 113 percent of the volume of attacks across all industries in the previous quarter, underscoring the pressure retailers are under during this period. Almost 193 million transactions were rejected as fraudulent, representing a 173 percent increase over the previous year.

The quarter also saw heavy bot activity from across the globe with more than 34 million attacks during the peak holiday shopping period. In addition to these 34 million attacks, ThreatMetrix recorded about 800 million bot attacks throughout the quarter, ranging from simple account validation attacks to sophisticated bots attempting to masquerade as legitimate customer traffic.

Other key highlights from Cybercrime Report: Q4 2017

  • ThreatMetrix detected and stopped 251 million attacks in real time last quarter, as the overall attack rate grew 50 percent year-on-year.
  • 52 percent of all online transactions now come from mobile devices, a 54 percent increase from two years ago.
  • 58 percent of all account creations are now done on a mobile device, and attacks on mobile account creations grew 150 percent since the start of 2017.
  • Cross-border transactions continue to grow quarter-on-quarter: 30 percent of transactions are now cross-border, up from 25 percent at the beginning of 2017.
  • The ThreatMetrix Digital Identity Network analysed more than 610 million transactions during the peak holiday shopping days around Black Friday.
  • Bot attacks have reached unprecedented levels this quarter with 840 million bot attempts detected and blocked.

“ThreatMetrix holds an unprecedented vantage point from which to help businesses distinguish between trusted users and potential threats, using everything we know about the way a user interacts digitally to better understand the legitimacy of each and every online transaction,” said Pandey. “By harnessing intelligence from the ThreatMetrix Digital Identity Network, businesses can better detect the markers of high-risk behavior, and thus block cybercrime before it impacts the trust of end users—whether through breached data, monetary loss, or simply by increased friction.”

To access the Cybercrime Report: Q4 2017 click here.

The post Cryptocurrency Marketplaces Hit by a Spectrum of Attacks Amidst Major Shifts in Cybercrime, Reveals New ThreatMetrix Report appeared first on IT SECURITY GURU.

You can still be tracked even with the GPS off!

Researchers publishing with the IEEE have shown it is possible to track mobiles even when GPS and Wi-Fi are turned off, with some of the data collected without permission because smartphone manufacturers deem the information non-sensitive.

View Full Story

ORIGINAL SOURCE: The Register

The post You can still be tracked even with the GPS off! appeared first on IT SECURITY GURU.

Intel releases new Spectre security updates, currently only for Skylake chips

Intel is releasing new firmware updates that should address the Spectre Variant 2 vulnerability (CVE-2017-5715) for Skylake processors.

Intel is releasing new firmware updates limited to Skylake processors to address the Spectre vulnerabilities; patches for other platforms are expected very soon.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from within the attacker’s own process: for example, malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, and can also leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.
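The bounds-check-bypass variant (Spectre Variant 1, CVE-2017-5753) is the one whose shape is easiest to see in ordinary code. What follows is an added example, not code from this article or from Intel: a C gadget of the vulnerable shape beside the branchless index-masking fix of the kind the Linux kernel applies with array_index_mask_nospec(). The array contents, sizes and function names are constructed for illustration.

```c
/* Added example: Spectre Variant 1 gadget and branchless index masking.
 * Hypothetical code for illustration, not from the article or from Intel. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
/* Constructed data. In the real attack, the bytes that follow array1 in
 * memory are what an out-of-range x reads transiently. */
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
/* Probe array: one cache line (512 bytes here) per possible byte value, so
 * a transiently loaded value leaves a measurable cache footprint. */
static uint8_t array2[256 * 512];

/* Fills the probe array with recognisable values so the gadgets below
 * return something checkable in an architectural (non-speculative) run. */
void init_probe(void)
{
    for (int i = 0; i < 256; i++)
        array2[i * 512] = (uint8_t)i;
}

/* Vulnerable gadget. The bounds check is architecturally correct, but the
 * CPU can speculatively execute both loads for an out-of-range x before the
 * branch resolves, leaving array2[array1[x] * 512] in the cache. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 512];
    return 0;
}

/* Branchless clamp with the same construction as the kernel's
 * array_index_mask_nospec(): all ones when index < size, zero otherwise.
 * Assumes an arithmetic (sign-propagating) right shift of a negative
 * intptr_t, which gcc and clang implement on every mainstream target. */
size_t index_mask_nospec(size_t index, size_t size)
{
    intptr_t m = ~(intptr_t)(index | (size - index - 1));
    return (size_t)(m >> (sizeof(intptr_t) * 8 - 1));
}

/* Hardened gadget: the mask comes from data, not from the branch outcome,
 * so even a mis-speculated path reads array1[0] rather than memory beyond
 * the array, and the transient load carries nothing secret. */
uint8_t victim_hardened(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x &= index_mask_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * 512];
    }
    return 0;
}

int main(void)
{
    init_probe();
    printf("in range : vulnerable=%u hardened=%u\n",
           (unsigned)victim_vulnerable(3), (unsigned)victim_hardened(3));
    printf("mask(3,16)=%zx mask(16,16)=%zx\n",
           index_mask_nospec(3, 16), index_mask_nospec(16, 16));
    return 0;
}
```

Architecturally both gadgets behave identically, which is the point: the fix changes only what can happen during mis-speculation. The other common fix is a serialising fence (lfence) after the check; the mask avoids that cost, which is why the kernel prefers it on hot paths.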

The company provided beta releases for the updates to apply to other processors to customers and partners to conduct extensive tests before the final release.

We all know the disconcerting story of the security patches released by Intel. On January 3, researchers from Google Project Zero disclosed vulnerabilities in Intel chips called Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). Intel promptly released security patches, but in many cases they caused problems on systems.

Many companies rolled out patches to revert the Intel updates, including Red Hat and Microsoft.

Now Intel seems to have a clearer idea of the cause of the problems observed after deploying the initial updates, and is releasing new microcode updates.

“For those concerned about system stability while we finalize the updated solutions, we are also working with our OEM partners on the option to utilize a previous version of microcode that does not display these issues, but removes the Variant 2 (Spectre) mitigations. This would be delivered via a BIOS update, and would not impact mitigations for Variant 1 (Spectre) and Variant 3 (Meltdown). ” states the microcode revision guidance issued by Intel.

Problems such as frequent reboots were related to the fix for the CVE-2017-5715 Spectre flaw (Spectre Variant 2) and affected almost every platform, including systems running on Broadwell and Haswell CPUs, as well as Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms.

While many users have chosen not to install the patches to avoid these problems, security firms are reporting the first PoC malware that exploits the Meltdown and Spectre vulnerabilities.

On January 17, experts at AV-TEST reported that they had detected 77 malware samples apparently related to the Intel vulnerabilities.

Pierluigi Paganini

(Security Affairs – Intel, CVE-2017-5715)

The post Intel releases new Spectre security updates, currently only for Skylake chips appeared first on Security Affairs.

Malicious Trends: Cryptojacking Could Surpass Ransomware as Primary Money Maker

Cryptocurrencies are hot. According to https://coinmarketcap.com, there are now over 1300 cryptocurrencies with new initial coin offerings (ICOs) accelerating all the time. Even Kodak is getting into the act with KODAKcoin. And currently, the price trajectory of Bitcoin is higher than a North Korean rocket, with Blockchain saving the world one application at a time. […]… Read More

The post Malicious Trends: Cryptojacking Could Surpass Ransomware as Primary Money Maker appeared first on The State of Security.

Are You PCI Curious? A Short History and Beginner’s Guide

When I was a kid and we would go out to dinner, my dad would often pay using a credit card. The server would come over with an awkward, clunky device, put the credit card in it, and scan the card. By scan, I mean make an impression of the numbers on a piece of […]… Read More

The post Are You PCI Curious? A Short History and Beginner’s Guide appeared first on The State of Security.

For the second time CISCO issues security patch to fix a critical vulnerability in CISCO ASA

Cisco has rolled out new security patches for a critical vulnerability, tracked as CVE-2018-0101, in its CISCO ASA (Adaptive Security Appliance) software.

At the end of January, the company released security updates for the same flaw in Cisco ASA software. The vulnerability could be exploited by a remote and unauthenticated attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition that causes the system to reload.

The vulnerability resides in the Secure Sockets Layer (SSL) VPN feature implemented in Cisco ASA software; it was discovered by researcher Cedric Halbronn of NCC Group.

The flaw received a Common Vulnerability Scoring System (CVSS) base score of 10.0.

According to Cisco, the flaw is caused by an attempt to double free a memory region when the “webvpn” feature is enabled on a device. An attacker can exploit the vulnerability by sending specially crafted XML packets to a webvpn-configured interface.

Further investigation of the flaw revealed additional attack vectors, and for this reason the company released a new update. The researchers also found a denial-of-service issue affecting Cisco ASA platforms.

“After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory,” reads a blog post published by Cisco.

The experts noted that the flaw lies in the XML parser of the Cisco ASA software; an attacker can trigger it by sending a specifically crafted XML file to a vulnerable interface.
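The advisory describes the bug class (a double free reached through malformed input to a parser) but not the code, so the following is an added, hypothetical example and not Cisco’s code; it does not reproduce the ASA flaw. It shows the ownership mistake that typically produces a double free in a request handler, beside a version with a single owner, and wraps free() in a small tracking layer that counts a second release instead of corrupting the heap, which is roughly what a debug allocator or AddressSanitizer would report. The toy “<req>…</req>” format and all names are constructed for illustration.

```c
/* Added example: double free from inconsistent ownership, beside a hardened
 * version. Hypothetical code; not Cisco's and not the ASA bug itself. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_LIVE 64
static void *live[MAX_LIVE];        /* registry of outstanding allocations */
static int double_free_count;       /* incremented on each attempted second free */

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                        /* registry full: refuse rather than lose track */
    return NULL;
}

/* Returns 0 for a valid release, -1 when p is not live (a double free). */
static int tracked_free(void *p)
{
    if (!p) return 0;               /* free(NULL) is a no-op, as with the real free() */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    double_free_count++;
    return -1;
}

int double_frees_seen(void) { return double_free_count; }

struct session { char *buf; size_t cap; size_t len; };

/* Toy parser standing in for real XML handling: a valid message is
 * "<req>" + body + "</req>", and the body must fit the session buffer. */
static int parse_request(const char *msg, struct session *s)
{
    size_t n = strlen(msg);
    if (n < 11 || strncmp(msg, "<req>", 5) != 0 || strcmp(msg + n - 6, "</req>") != 0)
        return -1;
    if (n - 11 > s->cap) return -1;
    memcpy(s->buf, msg + 5, n - 11);
    s->len = n - 11;
    return 0;
}

/* Vulnerable shape: the inner routine releases the buffer on a parse error,
 * and the caller releases it again on the way out. Well-formed input takes
 * one path and is fine; malformed input reaches free() twice. */
static int handle_inner_vulnerable(const char *msg, struct session *s)
{
    if (parse_request(msg, s) != 0) {
        tracked_free(s->buf);       /* first free; s->buf is left dangling */
        return -1;
    }
    return 0;
}

int handle_vulnerable(const char *msg)
{
    struct session s = { tracked_malloc(256), 256, 0 };
    if (!s.buf) return -1;
    int rc = handle_inner_vulnerable(msg, &s);
    tracked_free(s.buf);            /* second free on the error path */
    return rc;
}

/* Hardened shape: one owner, one release, and the pointer is nulled after
 * release so any later free() through the struct is a harmless no-op. */
static int handle_inner_hardened(const char *msg, struct session *s)
{
    return parse_request(msg, s);   /* reports the error, does not touch ownership */
}

int handle_hardened(const char *msg)
{
    struct session s = { tracked_malloc(256), 256, 0 };
    if (!s.buf) return -1;
    int rc = handle_inner_hardened(msg, &s);
    tracked_free(s.buf);
    s.buf = NULL;
    return rc;
}

int main(void)
{
    handle_hardened("<req>ping</req>");
    handle_hardened("not xml");
    printf("hardened  : double frees=%d\n", double_frees_seen());
    handle_vulnerable("<req>ping</req>");
    handle_vulnerable("not xml");
    printf("vulnerable: double frees=%d\n", double_frees_seen());
    return 0;
}
```

The lesson a reviewer would draw from the advisory is in the two inner routines: the error path, not the happy path, is where the second free hides, and the fix is to decide which function owns the buffer and never let the other one release it.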

The list of affected CISCO ASA products include:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

According to Cisco, there are no reports of exploitation of the vulnerability in the wild; in any case, it is important to apply the security updates immediately.

Pierluigi Paganini

(Security Affairs – CISCO ASA, hacking)

The post For the second time CISCO issues security patch to fix a critical vulnerability in CISCO ASA appeared first on Security Affairs.

Meet the Tiny Startup That Sells iPhone and Android Zero Days To Governments

An anonymous reader writes: The story of Azimuth Security, a tiny startup in Australia, provides a rare peek inside the secretive industry that helps government hackers get around encryption. Azimuth is part of an opaque, little known corner of the intelligence world made of hackers who develop and sell expensive exploits to break into popular technologies like iOS, Chrome, Android and Tor.

Read more of this story at Slashdot.

Half of SMEs fear financial loss from poor IT security and data compliance

Recent research by Ultima, a leading provider of on-premise and cloud IT infrastructure and managed service solutions, has found that over half (58%) of the UK’s SMEs think their businesses are at risk of financial loss from poor IT security and data compliance, with 67% believing they may be out of business in three years if their IT security and compliance doesn’t improve.

There was also a good degree of realism expressed by SMEs, with 41% acknowledging that spending money on IT security is not a priority for their business, and just over half (55%) acknowledging that they could probably never fully protect their business from IT breaches.

Scott Dodds, CEO, Ultima says, “Our research findings show that most SMEs are acutely aware of the dangers of IT security breaches and the possible financial loss this can lead to. But it’s easy to think that hackers only target large enterprises when this is not the case. We know of many SMEs who have had data breaches and lost significant amounts of money that have hurt their ability to do business. Government statistics show the cost of breaches for SMEs is between £75,000 and £310,800*.

“There are measures and systems that all businesses should put in place to improve their IT security, from simply checking their security software and licenses are up to date, to undertaking Cyber Security Assessments and plugging security infrastructure gaps as well as making sure they are GDPR compliant. If they don’t do this, with the new GDPR regulations coming into force in May, SMEs could be faced with significant financial penalties for infringing data protection legislation on top of any business financial loss. One way to ensure a greater degree of IT security and compliance is to use robotic process automation as it removes room for human error,” says Dodds.

The One Poll research found SMEs are optimistic that the latest robotic process automation (RPA) technology can be utilised to help improve their IT security. It found that 63% of UK SMEs believe RPA can help improve this situation and 88% will consider using or be investing in RPA to help improve their IT security and data compliance.

Ultima has a comprehensive IT security solutions offering for SMEs and is making RPA software robots available to them as part of its SaaS offering. The firm is using RPA technology in its own business to automate some of its own back-end operations and has seen its productivity rise by a factor of two since implementing the technology. With a simple cloud deployment and as-a-service delivery, Ultima has worked with UK business, Thoughtonomy, to develop an intelligent automation platform which, for smaller installations, requires little or no infrastructure and application re-architecture.

The post Half of SMEs fear financial loss from poor IT security and data compliance appeared first on IT SECURITY GURU.

Increasing hacker threats to the Healthcare Industry

According to a recent report from cybersecurity firm Norton, hackers stole a total of £130bn from consumers in 2017. These attacks hit over 978m victims around the world and include large scale attacks on the NHS like WannaCry. However, surprisingly, still more than a quarter of those compromised believe they are safe from future attacks.  Norton warns cybercrime victims that they’re not doing enough to protect themselves against these types of attacks and that attacks of this nature are only set to increase as new threat vectors are sought in 2018.

The healthcare industry: a prominent target for hackers

In fact, in the first days of 2018, published research revealed that nearly every computer chip manufactured in the last 20 years contains fundamental security flaws, with specific variations on those flaws being dubbed Spectre and Meltdown.

Additionally, there were two significant cyberattacks reported during the second week of the year. The first one, a ransomware attack targeting Hancock Health hospital, affected over 1,400 files. Hackers compromised a third-party vendor’s administrative account to the hospital’s remote-access portal and launched SamSam ransomware. The hospital had to pay the ransom to unlock patient data which, according to the FBI, the hackers were not interested in stealing.

The second cyberattack involved a hacker (or group of hackers) who stole more than half of the Norwegian population’s healthcare data from Health South-East RHF.  Evidence of a severe data breach on the Hospital’s website was revealed by the parent company Sykehuspartner HF. To understand the scale of such an attack, keep in mind that Health South-East RHF is the largest of Norway’s four healthcare regions and manages 2.9 million out of Norway’s total 5.2 million inhabitants over 18 counties, including the one that contains Oslo.

Strengthening IT security against threats

Even though, according to the ‘State of Software Security’ report, the vast majority of healthcare providers (85%) have increased their cybersecurity spending over the past year, the industry is still struggling to protect its digital assets from hackers. Healthcare organisations have a duty to ensure the security of their patients’ data, so one of the key objectives in 2018 should be adopting better risk management and security strategies and improving their response processes to active threats. Putting such sensitive information at risk can have a disastrous impact on their finances, reputation and data, not to mention their patients. To put this into context, on average each victim of cybercrime spends up to two days per month dealing with the repercussions of the malware.

Today’s enterprise perimeter has completely eroded and is causing every organisation to think differently about security. The concept of Zero-Trust Networking has been derived from this fact and is particularly relevant to healthcare organisations who, as stated earlier, cannot afford to let any patient data or other high value data or apps get into the wrong hands. Complex healthcare networks degrade an organisation’s security posture, but healthcare workers demand convenient access to critical systems and patient databases in order to provide the best care possible.  Likewise the interconnectedness of healthcare networks also increases the attack surface. For example, there are a lot of temporary contractors who are linked with not just the healthcare organisation itself but also a whole chain of suppliers.

So, whilst healthcare organisations try to modernise their processes, their systems and digitise, they are being exposed to growing cybercrime risk, especially if they allow their staff to utilise their own devices such as smartphones.

The post Increasing hacker threats to the Healthcare Industry appeared first on IT SECURITY GURU.

The Truth behind the Cyber Skills Gap

With it being 2018 and the start of a new year, one would assume it would bring a fresh start, filled with new possibilities and opportunities for the cyber industry. In reality, the problems have remained the same. Nearly every year seems to sprout an attack that impacts organisations on a global scale: 2017 was the year of WannaCry, as 2016 was the year of Mirai. But for security professionals, there is an even bigger issue that has preoccupied their attention, bigger than suffering a data breach or a cyber-attack.

The latest Ponemon Institute survey revealed that a ‘lack of competent in-house staff’ was the biggest cybersecurity worry for CISOs. Staffing problems concerned CISOs more than suffering a data breach (67%), a general cyber attack (59%) or even being affected by ransomware (48%). Some may be shocked to hear that, considering the devastation of WannaCry and NotPetya last year.

Many in the industry have cried out for a resolution to plug this critical gap in the cyber market, and with the number of threats mounting, and new innovative technologies being developed, where are the reinforcements of security professionals to take to the online battlefields? This question continues to be left unanswered, but there are some theories as to why this has happened.

Martin Ewings, director of specialist markets at Experis says, “businesses are now challenged to both keep up with the wave of new technologies that are emerging all the time and prepare for ever more sophisticated cyber attack. Add the escalating digital skills crisis, and the extensive requirements of the upcoming European General Data Protection Regulation (GDPR) reform, and it’s hardly surprising that IT security now has a firm place at the top of the boardroom agenda.”

With GDPR coming into force in May of this year, organisations could face fines of up to €20 million, or 4% of global annual turnover if that is higher, if they fail to meet the required data protection and compliance obligations. This has only added to the demand for data protection personnel, a problem Dr. Andrew Rogoyski, vice president of cyber security services at CGI UK, has alluded to. He said the “demand for cyber security talent is greater than it has ever been” with GDPR “pushing organisations to think about how they manage risk.”

Some have called for a complete overhaul of the education system, with action also needed from the Government to promote STEM (Science, Technology, Engineering, Mathematics) subjects at schools. Research by McAfee found that school education played a major role in the decision making for adults who left without adequate IT skills and no knowledge of cyber security. In fact, more than one in five (21%) British adults would have considered a career in cyber security if IT lessons had been more engaging at school, with 15% stating they would have considered a career in cyber security had the lessons been more interesting.

F5 Networks systems engineer David Maclean believes that the lack of education offered has definitely aggravated the situation, saying “Government, educational institutions, and the wider tech industry must work together to help youngsters channel their talent into cybersecurity and pursue exciting and rewarding careers. Education must start early, and courses need to offer the right balance of knowledge and practical skills. This should include industry collaboration with schools and appropriate curriculum changes. Industry role models are also important in helping students understand the significance of cyber-security in a rapidly evolving digital world. Access to better security resources will significantly raise the profile and importance of cybersecurity in the academic curriculum. Done correctly, not only will this help students into new career paths, but it should also better prepare them to manage their personal data on a daily basis.”

This opinion is echoed by Graeme Gordon, chief executive of IFB and chairman of ScotlandIS, who says that barriers within the industry need to be broken down to showcase the opportunities available to the next generation. He said, “the economy can guarantee jobs for the tech-savvy. Just look at how technology has changed our world; to remain game changers, there needs to be confident, skilled young people to become the new wave of innovators. Let’s build meaningful connections between business, education, and parents as by doing so we will work towards finding our next generation of bright talent.”

The post The Truth behind the Cyber Skills Gap appeared first on IT SECURITY GURU.

6 Common Cloud Security Myths Debunked for You!

You’ve probably been hearing about the cloud a lot, and with the increasing number of businesses moving their data online, it’s obvious that cloud computing and security are here to stay! With a number of benefits like data security, minimized risks, regulatory compliance, flexibility, round-the-clock availability, uninterrupted maintenance and support, and more, the cloud can […]… Read More

The post 6 Common Cloud Security Myths Debunked for You! appeared first on The State of Security.

SN 649: Meltdown & Spectre Emerge

This week we observe that the Net Neutrality battle is actually FAR from lost, ComputerWorld's Woody Leonhard enumerates a crazy January of updates, "EternalBlue" is turning out to be far more eternal than we'd wish, will Flash EVER die? A new 0-day Flash exploit in the wild, what happens when you combine Shodan with Metasploit?, Firefox 59 takes another privacy enhancing step forward, a questionable means of sneaking data between systems, another fun SpinRite report from the field, some closing the loop feedback from our listeners, and a look at the early emergence of Meltdown and Spectre exploits appearing in the wild.

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

Bandwidth for Security Now is provided by CacheFly.

Cyber Readiness Report a Reminder of Financial Services Firms’ Complex Security Needs

Today Hiscox publishes its Cyber Readiness Report, surveying how prepared major institutions are to face cyber-attacks. Last year the report found many businesses underprepared for cybersecurity threats.

The need for financial institutions to be prepared against cyberattacks is doubly pressing this year, following a raft of new regulations. These have shifted the mandate from one of annual compliance exercises to an ongoing assurance that IT systems are prepared and secure.

A variety of products offer security for financial services companies’ critical applications. But the growing complexity of banks’ systems means that the approach to cyber security products is not fit for purpose, warns systems integrator World Wide Technology.

Nick Hammond, lead advisor for financial services at World Wide Technology, comments: “The Hiscox report will serve as an important reminder to financial services firms about the importance (and difficulty) of securing against the cyber threats.

“This kind of protection is all the more necessary this year, in the wake of new regulations such as MiFID II, PSD2 and GDPR. Unlike older rules that only required yearly tick-box compliance exercises, these new regulations require continued assurance of critical applications.

“But with the complexity of existing IT systems, which have been built with different and sometimes opposing metrics over the years, this is easier said than done. Legacy infrastructures are often formed from an extremely complex patchwork of applications, which communicate with each other in convoluted ways.

“This web of opaque interdependencies is creating problems for cyber security. Without a clear view of how the system is plumbed together, there can be knock-on effects downstream when one application is prevented from sharing data with another system or user.

“To meet changing regulatory requirements, companies in the financial space need to access infrastructural expertise, to generate a working, real-time picture of the entire framework. Only after gaining this level of visibility can the right security policies be fitted to each application in a way that fits within the functioning of the existing system, allowing components to communicate as they need to whilst closing them off from external threats.”

The post Cyber Readiness Report a Reminder of Financial Services Firms’ Complex Security Needs appeared first on IT SECURITY GURU.

Regulation within crypto currency markets

According to Reuters: “Japan’s financial regulator said on Friday it had ordered all cryptocurrency exchanges to submit a report on their system risk management, following the hacking of over half a billion dollars of digital money from Coincheck.”

Whilst the whole premise of blockchain technology and crypto currencies is that the ledger itself is essentially unhackable, the exchanges that trade these currencies are vulnerable. The introduction of system risk management checks (which we assume to mean risk management of the software, operating systems and servers) is a step forward for the cryptocurrency space, although it only covers one area of exposure linked to the cryptocurrency market.

History of incidents

Crypto currency has been a booming market with increases in some major coins in the high 1000’s of percent over the last year. This rise, coupled with a lack of regulation, has seen the crypto currency world being hit with a number of negative incidents from Ponzi schemes to fraud, scams and hacking incidents.

Bitconnect, trading at roughly $8.60 as of the writing of this article, a huge fall from its height of over $300 a month ago, is an example of a potential major Ponzi scheme; it lost $2.4 billion worth of value over 10 days.

The subpoena by US regulators of crypto exchange Bitfinex, and its relationship with Tether, is another concern for the crypto currency market, with many claiming Tether to be a scam. Tethers are tokens that are meant to be backed one-to-one by US dollar deposits, so that each tether is always worth one dollar. Thus far, however, the company has yet to provide evidence of its holdings to the public and has not completed a successful audit.

There have also been a large number of Initial Coin Offerings (ICOs), used to raise money for startups by issuing tokens/coins, which have raised vast sums of money only for the owners to disappear with all of it, whilst others have failed less deliberately but just as devastatingly for investors. A cryptocurrency called Tezos raised $232 million last year but suffered internal power struggles which have left the project in disarray.

This brings us to the current concern in Japan: cyber attacks on exchange platforms. Cyber attacks and hacking attempts on exchanges have been frequent, with Bitfinex, Coinbase and Kraken among others having been closed down for days at a time during 2017 due to a number of hacking attempts. It is the successful hacking incidents which are the most worrying, however, such as Mt. Gox, which cost almost 350 million, and two attacks on Youbit which led to its bankruptcy. The most recent Coincheck hack was worth 500 million, a record, and it is this which has caused Japan to act.

Regulation

Last year, China took a definitive stand on regulation of crypto currencies which sent shockwaves through the market. Some feel it was perhaps heavy-handed, with ICOs being banned, bank accounts being frozen, bitcoin miners being kicked out and a nationwide ban on cryptocurrency trading websites. Others, however, believe that it has been a positive step which has encouraged other governments to take regulation seriously and, hopefully, to take a more balanced approach. It certainly isn’t in the interest of governments to stop ICOs, which provide many positives including innovation, but they should certainly regulate them from a consumer protection, taxation and organised crime standpoint.

Implementing regulation also removes uncertainty for investors as well as the companies who are involved in ICO’s. Uncertainty is the source of many risks and often a negative certainty is better than uncertainty as it allows a focus within set parameters.

It’s important to remember that too little regulation doesn’t offer protection and too much stifles innovation.

How to regulate

There are a number of ways to regulate cryptocurrencies and the following are just some examples:

1) Framework for ICOs

New ICOs are currently not subject to much in terms of regulation globally. One of the problems is determining how they should be treated, with some being considered securities. As a fund-raising vehicle, there could certainly be a framework that lays out key requirements of an ICO, such as a company needing to be registered in order to issue a token, transparency about the individual members of the registered company, and perhaps a few of the requirements that regular IPOs carry, such as implementing risk management. Currently in the USA, ICOs are expected to adhere to Anti Money Laundering (AML)/Know Your Customer (KYC) practices.

2) Regulate exchanges

Exchanges, where most of the trading of coins takes place, are a logical area of focus when it comes to regulation.

South Korea’s Financial Services Commission, for example, has stated that trading of cryptocurrencies can only occur from real-name bank accounts. This ensures KYC and AML compliance. According to the FSC, the measures outlined were intended to “reduce room for cryptocurrency transactions to be exploited for illegal activities, such as crimes, money laundering and tax evasion.”

Regulators should focus on regulation that encourages transparency and minimises anonymity.

3) Tax Laws

Clarity needs to be brought into the tax laws in terms of when investors should pay capital gains. The USA has been quite quick to ensure that crypto-to-crypto transactions are now taxable, not just crypto-to-fiat currency transactions. This is not the case in the UK, however, where things are less clear and will become even less so once crypto currencies start to introduce dividend-like behaviour.

4) Reserve requirements of exchanges

Most banks and stock exchanges are required to hold a certain amount in reserves in order to survive any major downturn or crash. This should most certainly be the case for crypto currency exchanges too especially considering the volatility which sees crashes of 60% several times a year with some crypto currencies falling 90% before recovering. This is also known in part as systemic risk which could be what the Japanese financial regulator defines as system risk.

5) System risk management

As we have seen from this Japan story, one way of ensuring more protection and reliability is by ensuring there is regulation around system risk management on exchanges. There should be minimum requirements protecting against hacking, phishing and other cyber related attacks. The requirements could be scaled against value of the exchange, number of users or number of daily transactions.

It’s important to note that much is being done to reduce the risks of hacking incidents such as the concept of a decentralised exchange. This would essentially be a crypto currency exchange on the blockchain, much like the crypto currencies themselves. This would reduce hacking significantly and whilst it is not currently practical, it could be the standard of the future.

Self-Regulation

The Crypto Currency market gets a lot of negative publicity and much of this could be rectified if there was more self-regulation. It would also reduce volatility within the market and bring about positive change. This refers to both exchanges and ICO’s alike.

The Japan Blockchain Association (JBA), for example, has established self-regulation standards, which include the use of cold wallets, amongst its 15 crypto exchange members (Coincheck among them), and is now looking to strengthen the standards further following this recent incident.

Risk Management in the Crypto Currency Space

Risk Management, as in all organisations, plays a vital role in meeting and exceeding objectives whilst providing resilience and stakeholder confidence. Exchanges and companies that are raising or have raised ICOs should ensure that Risk Management is part of their business. Identifying risks and opportunities, assessing them and implementing response plans should be standard. Cyber risks, reputational risks, operational risks, system risks and strategic risks should all be considered and prepared for, which would minimise market disruption and reduce the likelihood of financial ruin. At the very least they owe it to the investors who have funded them.

For investors, with volatility so high, the rewards are great but so are the risks. Investors should ensure that they only invest what they can afford to lose, and do their due diligence on their investments, which includes understanding the technology and the team and looking for a prototype rather than a wild concept. Additionally, investors should always be on the lookout for phishing scams and suspicious emails.

Finally, even the most optimistic investor should at least consider that cryptocurrencies are a speculative bubble that could burst.

Find out more about IRM’s Strategic Insights into Cyber Risk Course and many more here.

The post Regulation within crypto currency markets appeared first on IT SECURITY GURU.

How Long is Long Enough? Minimum Password Lengths by the World’s Top Sites



I've been giving a bunch of thought to passwords lately. Here we have this absolute cornerstone of security - a paradigm that every single person with an online account understands - yet we see fundamentally different approaches to how services handle them. Some have strict complexity rules. Some have low max lengths. Some won't let you paste a password. Some force you to regularly rotate it. It's all over the place.

Last year, I wrote about authentication guidance for the modern era and I talked about many of the aforementioned requirements. I particularly focused on how today's thinking is at odds with many of the traditional views of how passwords should be handled. That post has a lot of guidance from the NCSC in the UK and NIST in the US and it debunked many of those long-held beliefs; get rid of complexity rules, allow long passwords, let people paste them and move away from forced rotation. However, there was nothing on minimum required lengths, and that got me thinking - what's the correct number?

When I run my Hack Yourself First workshop, that's one of the first questions I ask - "what's the correct minimum password length?" I was thinking about that again just this weekend when preparing V2 of Pwned Passwords because I thought I might be able to use a minimum length threshold to reduce the size of the data set. So, rather than projecting my own views on minimum password length, I thought I'd go and check what the world's top sites are doing. Here's 15 of the biggest with a summary and some further commentary after that:

Google

[Screenshot: Google's password form, requiring at least 8 characters]

Facebook

This is a bit misleading; it doesn't need to be longer than 6, it needs to be 6 or longer.

[Screenshot: Facebook's password form, requiring at least 6 characters]

Wikipedia

Amazingly, Wikipedia's minimum criterion is... you must have a character. That is all.

[Screenshot: Wikipedia's password form, requiring at least 1 character]

But hey, that's a step up from where they have been in the past:

Reddit

[Screenshot: Reddit's password form, requiring at least 6 characters]

Yahoo

Whilst they don't explicitly state it, Yahoo requires that you reach 8 characters before you pass the minimum length criteria:

[Screenshot: Yahoo's password form, requiring at least 8 characters]

Amazon

[Screenshot: Amazon's password form, requiring at least 6 characters]

Twitter

[Screenshot: Twitter's password form, requiring at least 6 characters]

Microsoft

[Screenshot: Microsoft's password form, requiring at least 8 characters]

Instagram

[Screenshot: Instagram's password form, requiring at least 6 characters]

Netflix

Netflix is super short at only 4 chars. At a guess, the need to enter that password via TV remotes could be partly behind the decision to keep it so short.

[Screenshot: Netflix's password form, requiring at least 4 characters]

LinkedIn

[Screenshot: LinkedIn's password form, requiring at least 6 characters]

Twitch

[Screenshot: Twitch's password form, requiring at least 8 characters]

Pornhub

[Screenshot: Pornhub's password form, requiring at least 6 characters]

Ebay

[Screenshot: Ebay's password form, requiring at least 6 characters]

imgur

[Screenshot: imgur's password form, requiring at least 6 characters]

Summary

Let's lay everyone out together in a single table:

Site        Minimum length
Google      8
Facebook    6
Wikipedia   1
Reddit      6
Yahoo       8
Amazon      6
Twitter     6
Microsoft   8
Instagram   6
Netflix     4
LinkedIn    6
Twitch      8
Pornhub     6
Ebay        6
imgur       6

Surprised? Many people will be in terms of 6 being the most prevalent because it feels short. 9 of the 15 sites allow 6 chars, 4 of them require a minimum of 8 chars then there's Netflix with only 4 and Wikipedia, well, let's not go there! Now, here's my great insight from all of this:

Every single minimum password length is an even number! How scientific do you think the process of determining the perfect minimum length is when all the big players just happened to land on 4, 6 or 8?

There's no 5 or 7 or 9, just nice, round, symmetrically even numbers. So that's the first insightful observation here - there's a definite lack of science involved.

But here's the other thing and this speaks to the point I made many times in the modern era password guidance blog post: authentication today is about much, much more than just comparing 2 strings. That's the way it was in the beginning - you have a username and a password and if the ones in the system match the ones the user provides then they're in - but these days, we're going well beyond that.

For example, we have 2FA. Yes, adoption rates are worryingly low, but it's now a mass-market security control we have access to on all sorts of services that didn't have it even just 5 years ago. We're also getting better at understanding user behaviour in terms of the way people choose passwords; that's the whole point of the Pwned Passwords initiative in that it recognises that humans make crap security decisions! Let's identify that early and help them make the right choices (i.e. "you really don't want to use that password...").

Then there are controls based around other user heuristics, for example challenging them for verification via the registered email address if they sign in from an unusual location (you may have seen Facebook do this before). Same again when someone is using a new browser - that may result in a drop in confidence which then requires further verification. In fact, the whole premise of "confidence" is becoming particularly important as we move away from this binary state of either allowing access or blocking it outright. Try going to many sites via Tor and you'll get a challenge to prove you're a human because as it turns out, bad guys are particularly fond of using anonymity tools.

The point of all this is that you can no longer just look at a minimum length and say "ah, 6 characters - or even just 4 - is way too few" because authentication schemes can be far more intelligent than simply matching those 2 strings. That's not to say those nice round, even numbers are always correct either - there are plenty of sites that don't have any intelligence beyond mere string matching - but hopefully it provides food for thought.
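The two threads of this post, minimum length as a blunt instrument and the breached-password check that Pwned Passwords provides, can be put side by side in code. The following is an added example, not code from the post or from the Pwned Passwords service: it applies the modern-guidance rules the earlier post summarised (a minimum length, a generous maximum, no composition rules, rejection of known-breached passwords) and reports how many of the 15 surveyed sites a candidate would clear on length alone. The breached corpus here is a constructed handful of SHA-1 digests standing in for the real data set, and the default minimum of 8 and the NFKC normalisation follow NIST SP 800-63B rather than anything stated in the post.

```python
import hashlib
import unicodedata

# Minimum lengths as tabulated in the post above.
SITE_MINIMUMS = {
    "Google": 8, "Facebook": 6, "Wikipedia": 1, "Reddit": 6, "Yahoo": 8,
    "Amazon": 6, "Twitter": 6, "Microsoft": 8, "Instagram": 6, "Netflix": 4,
    "LinkedIn": 6, "Twitch": 8, "Pornhub": 6, "Ebay": 6, "imgur": 6,
}

# Constructed stand-in for a breached-password corpus. It holds SHA-1 digests of
# the plaintexts (the form Pwned Passwords publishes), so the plaintexts need
# not be kept around; a real corpus has hundreds of millions of entries.
_SAMPLE_BREACHED = ["password", "123456", "qwerty", "letmein", "abc123", "passw0rd"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_BREACHED}


def normalize(password):
    """NFKC-normalise so visually identical Unicode spellings hash the same way
    (NIST SP 800-63B recommends normalising before hashing)."""
    return unicodedata.normalize("NFKC", password)


def sites_accepting(password):
    """Which of the surveyed sites would accept this password on length alone."""
    n = len(normalize(password))
    return sorted(site for site, minimum in SITE_MINIMUMS.items() if n >= minimum)


def is_breached(password, corpus=BREACHED_SHA1):
    """Look the password up in the breached corpus by SHA-1 digest."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest in corpus


def check_password(password, min_length=8, max_length=128, corpus=BREACHED_SHA1):
    """Accept or reject a password under the modern-guidance rules.

    Returns (accepted, reasons). There is deliberately no composition rule
    ("must contain a digit"), the maximum is long enough for a passphrase,
    and the breach check catches what a length rule alone cannot.
    """
    pw = normalize(password)
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(pw) > max_length:
        reasons.append(f"longer than {max_length} characters")
    if is_breached(pw, corpus):
        reasons.append("appears in a breached-password corpus")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["password", "abcd", "correct horse battery staple"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: clears {len(sites_accepting(candidate))}/15 site minimums; "
              f"{'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

Run as a script, it shows the point of the post: "password" satisfies every one of the 15 minimums, including the four sites that require 8, and is still rejected because the breach check knows it; "abcd" clears only Netflix and Wikipedia.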

Oh, and if you do happen to find a site with an odd number for the minimum length, leave a comment below because I'm kinda curious now 😀

Best Practices in Healthcare Information Security

Some of the most common phrases that come out of information security professionals’ mouths include “Well, that did not work” and “The project fell apart, and I don’t know what I could have done better.” The pain of not knowing what security best practices your team can and should implement can cost the company time and money. It […]… Read More

The post Best Practices in Healthcare Information Security appeared first on The State of Security.

A Look Back: Reviewing the Worst Cyber Attacks of 2017 and the Lessons Learned

Unsurprisingly, 2017 was another year of record-high attacks and breaches.

It seems that each year that passes is worse than the last in terms of hacking and cyber attacks, and 2017 was no exception.

"Surprising no one, 2017 was marked another 'worst year ever' in data breaches and cyber incidents around the world," said Jeff Wilbur, director of the Internet Society's Online Trust Alliance.

In the trend of years past, 2017 saw numerous high-profile data breaches and dangerous malware and ransomware samples, each appearing more sophisticated and advanced than the last. Hackers aren't easing up on business or consumer targets anytime soon. So the best course of action for the industry to take is to apply the lessons learned from these attacks to future protection strategies.

"The vast majority of 2017 breaches could have been prevented with simple security processes."

Let's review some of the disastrous breaches, attacks and infections that took place in 2017 and see what lessons can be learned from these impactful instances: 

Equifax: Waiting to report a breach

Hands down, Equifax was the poster child for calamitous data breaches last year. Unfortunately, this breach event included a veritable storm of worst-case scenarios – not only did the breach impact a considerable number of consumers, but it was highly sensitive data that was stolen, and the information was taken from a company that promised to help prevent the kind of fraud its breach likely supported.

According to CNN, attackers breaching Equifax systems were able to steal 182,000 sensitive documents that included customers' personal information, as well as 209,000 credit card numbers. All told, the attack is estimated to impact as many as 143 million Americans, whose Social Security numbers, birth dates, addresses and other personal details were contained in stolen documents.

One of the most daunting issues about this attack is that hackers made off with basically everything an attacker needs to create a stolen identity profile. These packaged identities sell for $30 or more on underground black markets, and with the sheer amount of data stolen, attackers stand to make a bundle from this attack, while threatening the identities of millions.

"Data breaches involving Social Security numbers are not rare, but this is the largest ever recorded," said Eva Velasquez, Identity Theft Resource Center CEO. "This is a unique situation because of the quality of data that was stolen along with the scale of the breach."

A key lesson for businesses to learn from this attack is not to wait to report the breach. CNN noted that the company paused for six full weeks before making the public aware of the attack. This gave hackers a considerable head start when it came to the sale and eventual fraudulent use of stolen sensitive data.

When a breach takes place, it's imperative to respond as quickly as possible, and ensure that those impacted by the event are aware. In this way, the breached organization along with its affected customers and partners can work in tandem to reduce the consequences.

[Image] Credit monitoring and fraud prevention firm Equifax was victim of one of the most damaging breaches of 2017.

Uber: Covering up the attack

Popular ride-sharing service Uber was breached in the fall of 2016, with the names, emails and phone numbers of 57 million users being compromised in the process. This instance makes this year's list, however, because the breach wasn't reported until the company's new CEO Dara Khosrowshahi came forward in late November 2017 – over a year later.

Worse still is the fact that the company appears to have worked to actively cover up the attack instead of addressing it. WIRED contributor Lily Hay Newman reported that Uber paid a $100,000 ransom to hackers to prevent them from exposing the attack to the public.

"These actions likely violated data breach disclosure laws in many states, and Uber reportedly may have even tried to hide the incident from the Federal Trade Commission investigators," Newman wrote. "If you're going to be hilariously sketchy about covering up your corporate data breach, this is how it's done."

A word to the wise: Don't.

WannaCry: Unpatched vulnerability 

In addition to damaging attacks on businesses, 2017 also presented lessons in individual samples impacting a wide swath of organizations across the globe. In a single day, thousands of targets around the world were impacted by WannaCry, with some instances being life threatening – WIRED reported that the particularly damaging ransomware sample infected the National Health Service in the United Kingdom, and affected the daily operations and patient care in emergency rooms, hospitals and facilities.

Compounding the damages here was the fact that the ransomware leveraged a critical vulnerability now known as EternalBlue, which was made public after hacking group the Shadow Brokers breached the National Security Agency in the spring of 2017. After the attack, the Shadow Brokers released stolen NSA tools, including the EternalBlue Windows exploit.

CNN reported that, all told, WannaCry impacted targets in over 150 countries. Although a patch for EternalBlue was released before the vulnerability was highlighted by the Shadow Brokers, the number of infected organizations shows the risk outdated software can pose.

"The WannaCry infections were so bad that, in an unusual move, Microsoft released a patch for Windows systems that it had stopped updating," CNN contributor Selena Larson wrote.

[Image] WannaCry was one of the worst ransomware infections seen last year.

Honorable mention: Misconfigured security exposes voter records

While not one of the most widespread or damaging instances of last year, there's still a critical lesson to be learned here.

In the spring of 2017, a security researcher found open and accessible records of nearly 200 million American voters. The issue was eventually traced back to misconfigurations by a GOP data firm within its Amazon cloud storage security settings. Interestingly, CNN pointed out that this wasn't the only event of its kind recently.

"It was the latest in a string of major breaches stemming from insecure Amazon servers where data is stored," Larson wrote. "They are secure by default, but Chris Vickery, a researcher at cybersecurity firm UpGuard, regularly finds that companies set it up wrong."

This instance shines the light on security settings – it's imperative that organizations understand the services they are using and the configuration choices available to them. Any time a change is made, IT stakeholders should check that settings have been adjusted correctly and that no open doors are left for unauthorized users.
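The check the paragraph calls for, "verify the settings after every change", is mechanical enough to automate. The following is an added example, written for this page and not code from the article, from Trend Micro or from UpGuard: it audits the two S3 artefacts that decide who can read a bucket, the ACL and the bucket policy, and flags any grant to the AllUsers or AuthenticatedUsers groups or any Allow statement addressed to a wildcard principal. The inputs are constructed JSON in the shape that the real get_bucket_acl and get_bucket_policy API calls return (the policy comes back as a JSON string), so it runs offline; the owner ID and bucket name are placeholders.

```python
import json

# The two predefined S3 groups whose presence in an ACL grant opens the bucket
# beyond the owning account. Both URIs are real AWS identifiers.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def acl_findings(acl):
    """One finding per ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            who = PUBLIC_GROUPS[grantee["URI"]]
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings


def _as_list(value):
    """Policy documents allow either a string or a list in several fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_wildcard_principal(principal):
    """Principal "*" or {"AWS": "*"} means anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_findings(policy_json):
    """One finding per Allow statement addressed to a wildcard principal."""
    if policy_json is None:  # the bucket has no policy attached at all
        return []
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        actions = ", ".join(_as_list(st.get("Action")))
        # A Condition may narrow the wildcard (source IP, VPC endpoint, ...);
        # flag it for review rather than calling it fully public.
        suffix = " (restricted by Condition, review)" if "Condition" in st else ""
        findings.append(f"policy allows {actions} to Principal *{suffix}")
    return findings


def audit_bucket(acl, policy_json):
    """All findings for one bucket; an empty list means nothing public was found."""
    return acl_findings(acl) + policy_findings(policy_json)


# Constructed sample inputs. "EXAMPLE-OWNER-ID" and "example-bucket" are placeholders.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
PRIVATE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"},
              "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                         {"Grantee": {"Type": "Group",
                                      "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                          "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

if __name__ == "__main__":
    for name, acl, policy in [("private", PRIVATE_ACL, None), ("public", PUBLIC_ACL, PUBLIC_POLICY)]:
        print(name, audit_bucket(acl, policy) or ["no public access found"])
```

Wired into a real account, the same two functions would be fed the responses of get_bucket_acl and get_bucket_policy for every bucket on a schedule or on each configuration change, which is the "check that settings have been adjusted correctly" step the article asks for; a bucket that is "secure by default" stays that way only if nobody quietly adds a grant or statement like the ones in the public sample.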

A need for robust, multi-layered protection

There are several lessons to be learned from last year's infections and breaches. In addition to the points discussed above, it's critical that businesses have multi-layered protection in place and consistently leverage best practices for data protection.

TechRepublic reported that the vast majority of 2017 breaches – 93 percent overall – could have been prevented with simple security processes like ensuring patches are in place, blocking fraudulent email addresses and training employees about phishing strategies.

For more information on securing data and systems within your enterprise, connect with the experts at Trend Micro today.