Category Archives: security

Overcoming DevOps Implementation Challenges

Most organizations have already adopted or are moving towards adopting a DevOps model into their work culture for improved productivity and workflow. In simple terms, DevOps is an application delivery methodology that encourages collaboration and communication between the developers and operations teams across all phases of the Software Development Life Cycle (SDLC). The collaboration between […]… Read More

The post Overcoming DevOps Implementation Challenges appeared first on The State of Security.

New Attack Group Orangeworm Targets Healthcare Sector in US, Asia, and Europe: Symantec

Security researchers at Symantec say a group of hackers has been targeting firms related to health care in order to steal intellectual property. The security firm observed a hacking team, called Orangeworm, compromise the systems of pharmaceutical firms, medical-device manufacturers, health-care providers, and even IT companies working with medical organizations in the US, Europe, and Asia markets. Victims don't appear to have been chosen at random but "carefully and deliberately." You can read the full report here.

Read more of this story at Slashdot.

Hacking a Satellite is Surprisingly Easy

Caroline Haskins, writing for The Outline: Hundreds of multi-ton liabilities -- soaring faster than the speed of sound, miles above the surface of the earth -- are operating on Windows-95. They're satellites, responsible for everything from GPS positioning, to taking weather measurements, to carrying cell signals, to providing television and internet. For the countries that own these satellites, they're invaluable resources. Even though they're old, it's more expensive to take satellites down than it is to just leave them up. So they stay up. Unfortunately, these outdated systems makes old satellites prime targets for cyber attacks. [...] A malicious actor could fake their IP address, which gives information about a user's computer and its location. This person could then get access to the satellite's computer system, and manipulate where the satellite goes or what it does. Alternatively, an actor could jam the satellite's radio transmissions with earth, essentially disabling it. The cost of such an attack could be huge. If a satellite doesn't work, life-saving GPS or online information could be withheld to people on earth when they need it most. What's worse, if part of a satellite -- or an entire satellite -- is knocked out of its orbit from an attack, the debris could create a domino effect and cause extreme damage to other satellites.

Read more of this story at Slashdot.

Are the AMD chip vulnerabilities cause for concern?

panda-security

In the wake of the alarm caused by the Meltdown and Spectre cases, the news of thirteen vulnerabilities affecting AMD’s chip architecture has triggered a new wave of uncertainty about the security risks to which millions of devices were exposed. It took a week before AMD acknowledged that the vulnerabilities revealed in a CTS-Labs report were true. After evaluating all the information documented by this company, AMD finally confirmed the existence of these vulnerabilities, assuring however that the risk was minimal.

What’s the story with AMD chips?

There are two aspects to the security flaws revealed by CTS-Labs. The first affects the AMD Secure Processor in Ryzen and EPYC chips. This is precisely the component responsible for processor security, where devices store passwords and encryption keys. On the other hand, other vulnerabilities, grouped under the name ‘Chimera’, affect the chipset that usually accompanies Ryzen systems.

What all 13 vulnerabilities have in common is that they enable a backdoor to be exploited in order to inject malicious code and launch a range of attacks. In this way, an attacker could take control of a system to steal network user credentials and move through corporate networks. It also means that someone could read and write in secure memory areas, bypass BIOS protection, or attack the operating system of a device. In short, these vulnerabilities in AMD’s products could have serious consequences for all types of organizations, as they could leave them vulnerable to attackers who could use these backdoors to gain access to sensitive information.

This latest news comes just weeks after AMD was embroiled in the case of Meltdown and Specter, although the main company affected was Intel. Even though the source of the vulnerabilities is not the same, as with Meltdown and Specter, these flaws could allow cybercriminals to access critical information on system memory and launch a range of attacks.

How to resolve the problem

After acknowledging the existence of these vulnerabilities, AMD has now presented a plan to address them. In the coming weeks, they are set to publish firmware updates that will be installed through BIOS updates. Moreover, the company has announced that, unlike what happened with the solutions for Meltdown and Specter, these updates will not impact on the performance of the affected systems, nor on the servers or the computers based on those CPUs.

At the same time, AMD has played down the issue, explaining that the risk was minimal, as to exploit these vulnerabilities, an attacker would first need to have administrator access to the system. As Mark Papermaster, AMD’s CTO, points out, attackers with this kind of access would have numerous attack mechanisms at their disposal to delete, create or modify any file on the system, without the need to exploit these vulnerabilities.

This attack confirms two things. On the one hand, the need for advanced cybersecurity systems that can detect any anomalous behavior that could potentially enable the theft of administrator login credentials on corporate systems. And, on the other hand, they are a reminder of the importance of regularly updating corporate systems to mitigate the risk of attacks that jeopardize critical data.

The post Are the AMD chip vulnerabilities cause for concern? appeared first on Panda Security Mediacenter.

Take These Steps to Secure Your WordPress Website Before It’s Too Late

You might have heard that WordPress security is often referred to as hardening, WordPress website security is all about putting locks on doors and windows and having lookouts on each of your “towers.”

You might have heard that WordPress security is often referred to as “hardening.” While the name might cause a few eyebrows to raise, overall, it makes sense. To clarify, the process of adding security layers is similar to boosting the reinforcements to your home, castle, or fort. In other words, WordPress website security is all about putting locks on doors and windows and having lookouts on each of your “towers.”

While this may be all good, what can you genuinely do to improve your website’s security – at the same time giving your readers and customers the guarantee that their sensitive information won’t fall into the wrong hands?

Wordpress website security

1. Perform all WordPress updates

Although it can seem impossible that something as simple as keeping up with updates would make any difference, in actuality, it does have a considerable impact. This means that whenever you log in and see the “Update Available” notification, you should make time to click. Of course, this is where having regular back-ups will also give your peace of mind that at the end of the process nothing will be broken.

2. Add Two-Step Authentication

Another excellent way to prevent force attacks on your site is by setting up a much-needed two-step authentication process. If you have it for your Gmail or Yahoo account, then you should definitely have one for a website which could be used by hundreds or more users.

The two-step measure means that you’ll be asked to input a password after a code is sent to your phone or email. Often, the second login code is sent via SMS, but you change that to your preferences.

You also have the option of adding different plug-ins, including Google Authenticator, Clef, or Duo Two-Factor Authentication.

3. Panic Button: Website Lockdown

The lockdown feature is commonly enabled when multiple failed login attempts are made, which can help against pesky and persistent brute force attempts. In this case, whenever a hacker tries to input the wrong password multiple times, the website shuts down and displays an “error” message –all while you get notified of this unauthorized activity.

Again, you can use different plug-ins to use, and one of our favorites is the iThemes Security – by using it, you can directly specify a certain number of failed login attempts after which the system bans the attacker’s IP address.

4. Use Your Email to Login

When trying to sign in, you have to choose a username. Our recommendation would be using an email ID instead of a username since the latter is more accessible to predict and hack. Plus, WordPress website accounts require a unique email address, which adds another layer of security.

5. Use SSL To Encrypt Data

SSL, otherwise known as a Secure Socket Layer, is a smart way of securing the admin panel by yourself –making sure that the transfer of data between the server and users is safe.

Overall, this measure makes it hard for hackers to breach the connection or spoof your info, and the best part is that getting an SSL certificate for your WordPress website is a piece of cake. While you can separately purchase one from a dedicated company, you can also ask your hosting solution to provide you with one – it may even be an option that comes with their package.

SSL, otherwise known as a Secure Socket Layer, is a smart way of securing the admin panel by yourself –making sure that the transfer of data between the server and users is safe.

Overall, this measure makes it hard for hackers to breach the connection or spoof your info, and the best part is that getting an SSL certificate for your WordPress is a piece of cake. While you can separately purchase one from a dedicated company, you can also ask your hosting solution to provide you with one – it may even be an option that comes with their package.

All SSL certificates have an expiration date, meaning that they’ll need to be reissued. In some cases you’ll need to manually approve or cancel your certificate. Because each email handles things a bit differently, you should go to your hosting provider for more information. Alternatively, go to the site of Bluehost, as there is a whole section on how you can accept the new SSL into your application.

After all, it’s noteworthy to realize that an SSL certificate will also affect how your website ranks on Google because sites which incorporate SSLs are more secure – ultimately leading to more traffic.

6. Backup your WordPress website

We’re briefly mentioned this point before, but just to emphasize the importance, you have to get into the habit of organizing scheduled backups. Why is it important? Well, because, for example, if your site is compromised, you’ll be able to restore a prior version with losing your data. There are multiple automated solutions out there, including BackupBuddy, VaultPress, and many others.

Another great advice is using reliable hosting solutions which can ensure consistent backups of information, helping you achieve greater peace of mind. For example, Bluehost is excellent at protecting your business from involuntary data loss. To learn more and use their coupon to get a discount, go to the site.

7. Cut Back on Plugin Use

Although it may seem hard, you should make the effort of limiting the total number of plugins you install on your site. You need to be picky because it’s not just about security –it’s about overall performance.

To better explain, loading your website with numerous plugins will slow it down significantly. Thus, if you don’t need it, take the minimalist approach and skip it. Also, the fewer plugins you have, the fewer chances you give hackers to access your info. Two birds with one stone.

8. Hide Author Usernames

When you leave the WordPress defaults just as they are, it can be effortless to find the author’s username. Moreover, it’s not uncommon that the primary author on the site is also the administrator, which makes things even easier for hackers. At any point that you’re handing your information up to hackers on a silver plate, you are maximizing the chances that your site will eventually be compromised.

According to experts, including the well-regarded DreamHost, it’s good practice to hide the author’s username. It’s relatively easy to achieve, as you need to add some code to your site. Once that is done and dusted, the code will act as a curtain or veil where the admin’s information won’t be displayed by using an input – instead, they will be sent back to your homepage.

 

Written by Ali Qamar, Founder/Chief Editor at Cyberogism.com

Ali QamarAuthor Bio:
Ali Qamar is a privacy and cyber security enthusiast, his work has been featured in many major tech and security blogs including InfosecInstitute, Hackread, ValueWalk, Intego, and SecurityAffairs to name a few. He runs SpyAdvice.com currently. Follow Ali on Twitter @AliQammar57

 

 

Pierluigi Paganini

(Security Affairs – WordPress website, security)

The post Take These Steps to Secure Your WordPress Website Before It’s Too Late appeared first on Security Affairs.

Money Saving Expert Martin Lewis sues Facebook over ‘scam’ adverts

The personal finance expert Martin Lewis is suing Facebook for allowing scammers to use his name and image in fake adverts on the social network. Mr Lewis will lodge an action for defamation against the company today, arguing that as a publisher it is responsible for the false ads. The case is thought to be the first of its kind. The broadcaster said that he had been deeply upset over cases in which people had lost up to £100,000. “It’s so distressing, when all my life I have campaigned against this kind of thing,” Mr Lewis said.

View Full Story

ORIGINAL SOURCE: The Times

The post Money Saving Expert Martin Lewis sues Facebook over ‘scam’ adverts appeared first on IT SECURITY GURU.

Russian hackers can breach UK security systems warns GCHQ

Britain’s security services cannot offer “absolute protection” against Russian hackers, a top spy has warned. GCHQ cyber defence chief Ciaran Martin warned that it is a matter of “when not if” the UK suffers a “serious cyber attack”. He claimed spooks are now battling to stop attacks that “most impact on our way of life” instead of trying to prevent every breach. Mr Martin – who heads the National Cyber Security Centre – told the Daily Telegraph that “services can be disrupted” by Putin’s crack hacking squads. He wrote: “Turning off the lights and the power supply by cyber attack is harder than Hollywood films sometimes make out,” he writes.

View Full Story

ORIGINAL SOURCE: The Sun

The post Russian hackers can breach UK security systems warns GCHQ appeared first on IT SECURITY GURU.

SunTrust Bank employee steals data of 1.5 million customers

US-based SunTrust Bank said it is working with law enforcement after it discovered that a former employee had stolen private information belonging to nearly 1.5 million customers. “In conjunction with law enforcement, we discovered that a former employee while employed at SunTrust may have attempted to print information on approximately 1.5 million clients and share this information with a criminal third party,” SunTrust CEO William Rogers said in a press conference on Friday.

View Full Story

ORIGINAL SOURCE: Bleeping Computer

The post SunTrust Bank employee steals data of 1.5 million customers appeared first on IT SECURITY GURU.

Router security not understood by most

A recent survey of 2,205 regular users has proven once again that most people don’t update router firmware, don’t change default credentials, and don’t generally know how to secure their devices. For the past two-three years, there has been a deluge of news articles and research papers detailing large botnets built by exploiting router vulnerabilities and by hijacking devices still running default login credentials. These are the two main methods exploited by attackers.

View Full Story

ORIGINAL SOURCE: Bleeping Computer

The post Router security not understood by most appeared first on IT SECURITY GURU.

Adobe Flash on its way out

Less than 5% of worldwide websites use Flash, new information has revealed, with most websites favouring Javascript for running features. Flash is used most commonly on Google websites, although there are some others, such as 6rrb.net, Monabrat.org and Intourist, also using it. Recently, Slate.com and Wappalyzer.com have started using the tech, according to technology usage survey site W3Techs, which seems a rather counterintuitive move as pretty much every other website has stopped using it.

View Full Story

ORIGINAL SOURCE: IT Pro

The post Adobe Flash on its way out appeared first on IT SECURITY GURU.

The digital gold rush: the dark side of cryptocurrency adds to the infosec challenge

As the general public tried to get its head around the concept of cryptocurrency and blockchain at the back-end of 2017, infosecurity professionals were facing one of the universal truths of our industry: whenever there is an innovation in technology or society, those who want to exploit it for illicit gain are never far behind.

In the case of cryptocurrency, its current high profile is legitimising a means of exchange that, until recently, was mostly the preserve of the deep and dark web as the preferred payment method from victims of ransomware attacks. So, while Joe Public began a twenty-first century gold rush to try and make a killing in the fluctuating cryptocurrency markets, the cybercriminal community started putting its own ideas of how to get its hands on the digital gold into action. The result? Cryptojacking looks set to overtake ransomware as the number one motive for cyberattacks in 2018.

Black market dynamics

The reasons for this are not hard to work out. Fundamentally, the majority of cybercriminals are motivated by the prospect of making a quick buck with as little effort as possible. Ransomware, though lucrative does have a couple of drawbacks that have its exponents looking for an easier target:

  • Setting up a cryptocurrency wallet takes time and most companies don’t have one at the point they are attacked. This means the criminal has to wait for payment instead of seeing an instant profit.

 

  • Using exchanges costs money. Fees vary but if you want to be profitable do you really want to pay exchange fees at all?

 

  • The fluctuating price of cryptocurrency makes it hard to rely on as a means of payment – attackers constantly have to tweak their files so that the value of the payment remains within the range that victims are likely to pay: a bit too much like hard work.

On top of this, diversification is critical for any business. Like any other venture, cyber criminals want to spread out their sources of income. By seeding cryptojacking malware. They can avoid the hassle and admin of running ransomware campaigns and settle back while unsuspecting victims print money for them.

High profile victims bring the issue to the fore

Injecting malware into websites is still depressingly easy to do, and the growing scale of the problem hit the headlines earlier this year when 4,000 sites were infected with a cryptojacking bug designed to mine the currency Monero. The Coinhive cryptominer was injected into the sites via a compromised plugin that was designed to assist site accessibility; in this case it allowed cybercriminals to access a bunch of Monero. There were red faces at the UK Information Commissioner’s Office, among many other government agencies, as they shut their sites down to deal with the problem and tighten security.

An interesting point about this attack was that the perpetrators only aimed to hijack around 60% of the site visitors’ CPU power, causing a slowdown but not the kind of total shutdown that would immediately bring the attack to everyone’s attention. Already, attackers are showing the kind of evasion and innovation that we associate with a tactic that is here to stay. I expect to see strategies becoming more sophisticated as time goes on, making life difficult for infosec professionals tasked with protecting the ever-growing number of endpoints under their jurisdiction.

Blurred lines – cryptomining for good causes

Of course, mining cryptocurrency is perfectly legitimate when done openly, and it can even be harnessed for good. How about instead of seeing adverts when you visit your favourite website, your computer is used to mine cryptocurrency while you browse? No more irritating ads, but the site owner still makes money. The site could even decide to mine currency to donate to a charity for users who opt in. While this is perfectly legitimate and even praiseworthy, it presents a headache for infosec professionals trying to put protocols in place to protect systems. What do you allow and what do you block?

Preventing your endpoints from joining the cryptomine workforce

For infosec professionals, this latest scourge is yet more evidence of the importance of protecting endpoints, especially as we’re seeing cryptojacking starting to morph from misdirection of processing power towards actual malware installation on compromised systems. Vulnerable endpoints are susceptible to infiltration and, once an attacker can execute a piece of code on an organisation’s endpoint, it can do all kinds of damage. Just as with ransomware, we saw an evolving into credential theft and lateral movement, so we should expect the same from malicious crypto-software.

Protecting against cryptojacking and related malware requires the same measures that any strong endpoint security programme should have because attackers are generally using the familiar tactics we’re used to defending against.

So, we’re looking for great cyber hygiene in the form of patching; reducing the attack surface with technology such as application whitelisting; tuned next-generation antivirus (NGAV); and good content filtering and control of admin accounts. Organisations can control browser settings in their environment and use those settings to help thwart these types of attacks. You should also pay close attention to an increase in the number of tickets or user complaints related to system slowness that could indicate cryptomining in progress.

Rapid detection and response remain the key to robust network defence. Employing a threat hunting tool, such as Carbon Black’s Cb Response, lets you go further and proactively search for anomalies that flag malicious activity.

Cryptojacking and cryptomining malware are the latest new kids on the block designed to exercise the ingenuity of cybercriminals and those of us who make it our business to stop them. Effectively, it’s just yet another reason threat actors are trying to get control of your endpoints except this time, instead of stealing your data, they’re after processing power to mine cryptocurrency. The battle continues for mastery over the endpoint and deploying sound strategies to defend against attacks will keep us busy for the foreseeable future.

The post The digital gold rush: the dark side of cryptocurrency adds to the infosec challenge appeared first on IT SECURITY GURU.

Positive Technologies uncovers critical vulnerabilities in APC uninterrupted power supplies

Positive Technologies experts Ilya Karpov, Evgeny Druzhinin, and Stephen Nosov have discovered four vulnerabilities in management cards for APC by Schneider Electric hardware. These uninterrupted power supply (UPS) units are used in various sectors. Two of the vulnerabilities received the maximum possible CVSS v3 score of 10, indicating a very high degree of risk.  

 

Security issues were found in APC MGE SNMP/Web Card Transverse 66074 management cards, which are present in several series of UPS units: Galaxy 5000/6000/9000, EPS 7000/8000/6000, Comet UPS/3000, Galaxy PW/3000/4000, and STS (Upsilon and Epsilon).[1]

 

The first vulnerability, CVE-2018-7243 (score 10), in the built-in web server (port 80/443/TCP) allows a remote attacker to bypass the authentication system and obtain full administrative access to the UPS, which jeopardizes the continued uptime of equipment connected to electrical power.

 

Schneider Electric recommends replacing vulnerable management cards with NMC kit G5K9635CH on the Galaxy 5000, Galaxy 6000, and Galaxy 9000. For the MGE EPS 7000 and MGE EPS 8000, the vendor recommends installing NMC kit G9KEPS9635CH. For other affected units, no replacement cards are available. The vendor also recommends following cybersecurity best practices in order to minimize risks.

 

The second vulnerability found in the built-in web server (port 80/443/TCP) enables an attacker to obtain sensitive information about the UPS unit (CVE-2018-7244, score 5.3).

 

Exploitation of the third vulnerability (CVE-2018-7245, score 7.3) can result in an unauthorized user changing the settings of the device, including disable parameters. To address these two vulnerabilities, users must, on the access control page, enable authentication for all HTML pages (this can be selected by the user during initial setup of the UPS).

 

With the fourth vulnerability (CVE-2018-7246, score 10), a remote attacker can intercept administrator account credentials. If SSL is not activated on the UPS, account credentials are sent in cleartext when the access control page is requested. The vendor advises specifying SSL as the default mode and applying special precautions to limit access to administration interfaces, such as by using Modbus RTU in combination with a Modbus/SNMP gateway.

 

For early detection of cyberincidents and awareness of ICS vulnerabilities, Positive Technologies offers PT ISIM and MaxPatrol for the specific needs of industrial protocols and networks.

The post Positive Technologies uncovers critical vulnerabilities in APC uninterrupted power supplies appeared first on IT SECURITY GURU.

The importance of inspecting encrypted traffic

Many adversaries to enterprise cybersecurity are using sophisticated encryption tactics to bypass defences and infiltrate networks. Enterprises are trying to fight back by employing HTTPS and using SSH, as well as other advanced protocols for data exfiltration. SSH, for example, is often used for remote management access because it performs well. But, when nearly 70 percent of all enterprise traffic is encrypted, understanding what’s hiding inside that traffic is imperative. So, what can you do to inspect that traffic?

 

The first step is to come up with an enterprise threat model so that you can easily look at and assess a threat, then outline the techniques that your adversaries are going to use. For example, The Mitre corporation developed one that they call attack matrix and as you go through and look at the attack matrix it will outline techniques that are used for exfiltration of data, command and control for remote adversaries to control malware. When you look at this and then look across at your own network you may see that you have a firewall, an IDS and an advanced threat protection, which is all good to have. However, if 60-70% of the traffic you get is encrypted then what use are these security measures at monitoring this? Enterprises need a plan in place to monitor encrypted traffic as well.

 

The next step involves utilising an advanced data exfiltration protocol, such as SSH. SSH is great and is oftentimes used for remote management access because it performs so well. RDP, Remote Desktop Protocol, is another protocol that many enterprises utilise to great effect so, in order to figure out what is best for your enterprise it’s important to consider your threat enterprise model that was discussed above. How does your model aim to inspect traffic and which software are you utilising? Some programs out there only allow you to focus on one protocol at a time while other can inspect everything from SSH to RDP to HTTPS. Which software your enterprise is using will affect what steps you need to take to monitor encrypted traffic.

 

If you’ve followed everything so far then you should be utilising an IPS, IDS, ATP and be using something akin to the Mitre attack template to evaluate your cybersecurity, which may seem like a lot, but as any cybersecurity expert will tell you: ‘there is no such thing as too much protection.’ So what type of issues might you need to still account for?

 

Well let’s assume you have a next-generation firewall and you are performing decryption at then suddenly you hit a performance bottleneck. This bottleneck would likely be caused by advanced threat protection detecting problems that are different than what your next-generation firewalls going to detect, which will be different than your IDS, and so on. All these programs detecting different problems all at the same time will likely incur latency because these are all happening at once. However, there are single devices out there that can do all of these tasks solo which will help improve performance, reducing the chance of a bottleneck creating less of a chance that your users are going to even be aware that you’re performing this inspection.

 

You may also have the issue of employee negligence or ignorance among your IT staff. Last year a report from the Ponemon Institute found that 37% of enterprises hand over their encryption duties to their cloud providers, taking an off-hand approach and rely on someone one else to do such an important job for them. Then separately a survey by Venafi found that 23 percent of their respondents had no idea how much of their encrypted traffic is decrypted and inspected. By passing off responsibility to an outside business and not properly tracking encryption in the business, many enterprises are opening themselves up outside threats, even if they have the latest technology.

 

To conclude, with at least 70 percent of all traffic encrypted it is important that enterprises are aware of everything that is hiding amongst this traffic or they risk cyber threats sneaking through. In order to achieve this, a good cyber threat model is needed as well as utilising an advanced data exfiltration protocol, like SSH. It is imperative that once you have the model in place that you have some technology that can help to easily manage it all and not be met with a performance bottleneck. Finally, it is key that all of the staff in your IT department is fully aware of exactly what is encrypted and heavily monitoring it as frequently as possible. With all of this in place, your enterprise should be fully prepared to keep your business safe from threats hiding within encrypted traffic.

The post The importance of inspecting encrypted traffic appeared first on IT SECURITY GURU.

IRL Analogies Explaining Digital Concepts are Terrible

Presently sponsored by: Netsparker - a scalable and dead accurate web application security solution. Scan thousands of web applications within just hours.

IRL Analogies Explaining Digital Concepts are Terrible

Remember the anti-piracy campaign from years back about "You Wouldn't Steal a Car"? This was the rather sensationalist piece put together by the Motion Picture Association of America in an attempt to draw parallels between digital piracy and what they viewed as IRL ("In Real Life") equivalents. Here's a quick recap:

The very premise that the young girl sitting in her bedroom in the opening scene is in any way relatable to the guy in the dark alley sliding a slim jim down the Merc's door is ridiculous. As expected, the internet responded with much hilarity because no-way, no-how are any of the analogies in that video even remotely equivalent to digital piracy:

IRL Analogies Explaining Digital Concepts are Terrible

And even if they were - even if you could directly compare the way both a movie and a car can be illegally obtained then yes, of course people would do it!

IRL Analogies Explaining Digital Concepts are Terrible

Setting aside for a moment the fact that the music in this piece was itself pirated (or at least misused in such a fashion that it resulted in the rights group that produced the video being fined), clearly these analogies are terrible. Now don't get me wrong - I'm not making these points in defence of piracy - rather it's to draw attention to the fact stated in the post's titled: IRL analogies explaining digital concepts are terrible. I got to thinking about this again over the weekend after watching responses to this blog post:

You can read the details in that post, what matters here is that the mechanics involve someone incrementing an identifier in a URL in order to download another resource. (This isn't just about the Canadian bloke either - and this is critical as people focused on him - but other noteworthy cases that demonstrated enumeration too.) Sometimes, the resource being accessed via enumeration isn't intended to be public, sometimes the person involved knows that and sometimes they highly automate the process to pull down large volumes of data. That's really the whole thing in a couple of sentences yet over and over again, people deferred to IRL analogies in an attempt to explain things. As I read these, I kept coming back to how totally irrelevant they often are; I've actually made a really conscious effort over recent years to avoid this pattern, particularly when responding to media queries the non-tech public will then read because frankly, they're extremely misleading.

For example, there's the assertion that leaving a resource publicly accessible is the equivalent to leaving your front door open:

The implication being that if a door is left wide open then it's not breaking and entering, except that it actually is:

Burglary is typically defined as the unlawful entry into almost any structure (not just a home or business) with the intent to commit any crime inside (not just theft/larceny). No physical breaking and entering is required; the offender may simply trespass through an open door.

But that's actually an IRL misunderstanding rather than a poor digital analogy. If we suspend reality for a moment and imagine it wasn't breaking and entering to walk into someone else's unlocked house, the argument falls apart when you consider the premise of enumeration is that something is actually downloaded from the site as well. I won't dignify that with an analogy about it being equivalent to taking something from the house because in the digital world the "taken" thing is still there!

Here's a true story: I was at a BBQ on the weekend and whilst we were sitting outside eating our sausages, an intruder made their way in through an outwardly-facing bedroom door then into a brightly-lit study facing a courtyard full of very surprised looking adults. The moment he was in that first room, he was trespassing and had anyone caught him there, it would not have been a polite conversation. But the whole premise of finding someone's physical door unlocked in the first place just doesn't translate:

I mean think about it - if you found someone walking around the outside of your house trying each door, would you say "thank you good sir for making sure my security was alright" or would you call the cops? Exactly.

When the cops (eventually) arrive, the person "checking for unlocked doors" is not going to want to stick around. Conversely, I've had many discussions with companies where someone has identified security vulnerabilities in their things and not only have I been happy to talk to them about it, the company in question has usually been pretty grateful. Reckon that's how you'd react when finding a stranger jiggling the lock on your front door? Or what if they actually did enter your house like BBQ guy from before?

I can tell you exactly how that eventually panned out and it involved a lot of fingerprint powder! Short of a friendly neighbour who you know and trust wandering over because you've left the back door open, this just simply doesn't translate. And what if you have one of those "Welcome" mats on your door step?

No - that doesn't mean everyone is welcome! IRL is full of contradictory security indicators because the same house with the welcome mat also has a sign up saying they don't want door-to-door salesmen and beware of the dog (which may or may not exist). But we as humans understand the IRL meaning of these things.

The same irrational house analogies extend to the car as well:

One of the big problems with trying to compare digital security in the context of a web asset to physical security is that whilst the former can be tested from absolutely anywhere, the latter requires immediate proximity. The threats are totally incomparable. Then there's the fact that absolutely everyone who has a car knows how to lock it because it's a simple binary state achieved with a consumer-friendly device; lock, unlock. Lock, unlock. Easy. This in no way compares to the nuances of securing increasingly complex digital assets running on the internet.

No, it's not a brilliant analogy! Not just due to the aforementioned points, but also because you can walk down a street, look at a car, see the windows down and reasonably conclude that the windows are down with nothing more than your eyes! Testing for enumeration risks requires conscious, deliberate effort and if successful, results in you gaining access to material that wasn't intended to be in your hands. It'd be like if you looked at a car with the windows down and suddenly the owner's wallet was in your hands... except it's not because IRL analogies are terrible!

And then there's the whole "inadvertent security violation" analogy:

These analogies miss the nuances of IRL; I was sitting outside on my balcony having a cold one recently and the neighbour walked past an exposed window with his gear on display. Putting aside for a moment the fact that I never, ever want to see that again, nobody IRL is going to accuse me of anything nefarious for experiencing that one frightful moment. But if I sit there with a set of binoculars and an infrared camera then the game changes somewhat. It just doesn't translate to the digital world.

Getting back to enumeration, in my original post I pointed out that the time to stop probing for an enumeration risk is when you identify one piece of data you shouldn't have access to.

This falls apart in all the same ways as the anti-piracy campaign did; if you steal a lolly (or a car), then the original owner no longer has that thing. We learn this as children - "Don't take your sister's toy away from her because she'll no longer be able to play with it and she'll start crying and etc etc". Short of a sanctioned penetration test on a candy store, there is no circumstance in which walking out with someone else's sugary treats is ever ok - that's not how any of this works!

The same argument that physical access to an IRL thing is incomparable to a digital one holds true here too:

Placing someone else's things physically in your own hand whilst you're standing in their store is not analogous to copying their ones and zeros from the (perceived) sanctity of your own home. And as for the store owner's responsibility, you can walk into any store any day of the week and see things they'd rather you not reproduce and this works because we have very different views of trust IRL to what we do online. The same goes for other documents you might observe publicly:

Ok, full points for recognising that it's a bad analogy, but the premise that an attorney would do this in the first place is extremely unlikely because they would logically stop and think "anyone could walk past and take that". Everyone knows this no matter how technically inclined they are and again, we all learn from a very young age that once you can physically reach out and grab something, you can take it. I know that sounds childishly simplistic, but that's because it is! You can't in any way compare this to an improperly configured webserver.

The whole basis of IRL definitions of public versus private simply don't translate and there are many, many examples of how analogies like this just don't stack up:

When there's a sign that says "Keep out - private property", that means precisely what it sounds like and if you ignore it - because it's still publicly accessible - undesirable consequences may ensue. But we don't do that on the internet, we use technical controls instead so it's more like putting a security fence around the property... except that's another bad IRL analogy because chain wire works totally differently to digital controls.

It even got to the point where people were arguing about which analogy was best!

And that one doesn't make any sense either because once you walk through the library door, you expect to be able to read the books on the shelf, that's how libraries work! You're not making GET requests in there, you're picking up real things.

Look - I get it - people are simply trying to explain things in relatable terms and I certainly don't want to criticise them for that intent. However, at best these analogies downplay or overstate the significance of the situation and at the worst, they completely misrepresent reality. So, let's dismiss with the analogies and draw things back to the original topic: if you're in support of enumeration being permissible per the 3 examples I gave in that post, would you do it yourself? Would you pull down hundreds of thousands of records containing other people's data "just because it was there"? And if you did, would you be happy to do so from your own IP address? Would you tell your kids it's ok to do this? Regardless of whether people argue it's legal versus illegal or moral versus immoral, anyone paying attention knows the consequences that may befall you if you go down this path, even if they fundamentally disagree. After all, you wouldn't enumerate a car, would you?

CVE-2018-0229 flaw in SAML implementation threatens Firepower, AnyConnect and ASA products

Cisco has announced a set of security patches that address the CVE-2018-0229 vulnerability in its implementation of the Security Assertion Markup Language (SAML).

The CVE-2018-0229 flaw could be exploited by an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software.

“A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive Security Appliance (ASA) Software, and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software.” reads the security advisory published by CISCO.

“The authentication would need to be done by an unsuspecting third party.”

The CVE-2018-0229 flaw affects the following Cisco solutions:

  • Single sign-on authentication for the AnyConnect desktop mobility client;
  • Adaptive Security Appliance (ASA) software; and
  • Firepower Threat Defense (FTD) software.

According to Cisco, the flaw exists because there the ASA or FTD Software doesn’t implement any mechanism to detect that the authentication request originates from the AnyConnect client directly.

An attacker could exploit the CVE-2018-0229 vulnerability by tricking victims into clicking a specifically crafted link and authenticating using the company’s Identity Provider (IdP). In this scenario, the attacker can hijack a valid authentication token and use that to establish and set up an AnyConnect session through an affected device running ASA or FTD Software.

CVE-2018-0229

The flaw affects the Cisco AnyConnect Secure Mobility Client, and ASA Software and FTD Software configured for SAML 2.0-based SSO for AnyConnect Remote Access VPN that is running on the following Cisco products:

  • 3000 Series Industrial Security Appliances (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4100 Series Security Appliance
  • Firepower 9300 ASA Security Module
  • FTD Virtual (FTDv)

Cisco confirmed that only ASA software running version 9.7.1 and later are vulnerable, the issue also affects FTD software running version 6.2.1 and later, and AnyConnect version 4.4.00243 and later.

Pierluigi Paganini

(Security Affairs – CVE-2018-0229, CISCO)

The post CVE-2018-0229 flaw in SAML implementation threatens Firepower, AnyConnect and ASA products appeared first on Security Affairs.

‘Drupalgeddon2’ Touches Off Arms Race To Mass-Exploit Powerful Web Servers

Researchers with Netlab 360 warn that attackers are mass-exploiting "Drupalgeddon2," the name of an extremely critical vulnerability Drupal maintainers patched in late March. The exploit allows them to take control of powerful website servers. Ars Technica reports: Formally indexed as CVE- 2018-7600, Drupalgeddon2 makes it easy for anyone on the Internet to take complete control of vulnerable servers simply by accessing a URL and injecting publicly available exploit code. Exploits allow attackers to run code of their choice without having to have an account of any type on a vulnerable website. The remote-code vulnerability harkens back to a 2014 Drupal vulnerability that also made it easy to commandeer vulnerable servers. Drupalgeddon2 "is under active attack, and every Drupal site behind our network is being probed constantly from multiple IP addresses," Daniel Cid, CTO and founder of security firm Sucuri, told Ars. "Anyone that has not patched is hacked already at this point. Since the first public exploit was released, we are seeing this arms race between the criminals as they all try to hack as many sites as they can." China-based Netlab 360, meanwhile, said at least three competing attack groups are exploiting the vulnerability. The most active group, Netlab 360 researchers said in a blog post published Friday, is using it to install multiple malicious payloads, including cryptocurrency miners and software for performing distributed denial-of-service attacks on other domains. The group, dubbed Muhstik after a keyword that pops up in its code, relies on 11 separate command-and-control domains and IP addresses, presumably for redundancy in the event one gets taken down.

Read more of this story at Slashdot.

AlienVault presents OTX Endpoint Threat Hunter, its innovative free endpoint scanning service

Threat intelligence firm AlienVault announced the launch of a free endpoint scanning service, called OTX Endpoint Threat Hunter.

Threat intelligence firm AlienVault announced the launch of a free endpoint scanning service, called OTX Endpoint Threat Hunter, that allows private firms and security experts to identify threats in their networks.

“OTX Endpoint Threat Hunter is a free threat-scanning service in Open Threat Exchange that allows you to detect malware and other threats on your critical endpoints using OTX threat intelligence. This means that you can now harness the world’s largest open threat intelligence community to assess your endpoints against real-world attacks on demand or as new attacks appear in the wild—all. for. free.” states the announcement published by AlienVault.

AlienVault OTX Endpoint Threat Hunter

The OTX Endpoint Threat Hunter service is part of the AlienVault Open Threat Exchange (OTX) platform that currently provides more than 19 million threat indicators contributed by over 80,000 users.

This means that users can assess their infrastructure by using threat information collected by the world’s largest open threat intelligence community.

OTX Endpoint Threat Hunter is a free threat-scanning service that allows users to detect malware and other threats on endpoints using OTX threat intelligence.

The new service uses lightweight endpoint agent, the AlienVault Agent, that executes predefined queries against one or more OTX pulses, the agent can be installed on Windows, Linux and other endpoint devices.

Each pulse includes a complete set of data on a specific threat, including IoCs.

OTX Endpoint Threat Hunter is directly integrated in OTX, this means that users can start using it without the use of other security tools as explained by AlienVault.

  • If you haven’t already, register with the Open Threat Exchange (OTX). It’s free to join.
  • Download and install the AlienVault Agent on the Windows or Linux devices* you want to monitor. The AlienVault Agent is immediately ready to find threats.
  • Launch a query on any endpoint from OTX by selecting a pre-defined query that looks for IOCs in one or more OTX pulses.
  • The AlienVault Agent executes the query, and within moments you can view the results of the query display across all your endpoints on a summary page within OTX.

OTX Endpoint Threat Hunter can also be used to scan for processes running without a binary on disk, scan for crypto-mining activity and scan for installed malicious / annoying Chrome extensions.

AlienVault has described several scenarios where Endpoint Threat Hunter can be effective, including:

  • Identify whether your endpoints have been compromised in a major malware attack.
  • Assess the threat posture of your critical endpoints.
  • Query your endpoints for other suspicious activities.

Users can also scan all the endpoints against multiple pulses at once, the OTX Endpoint Threat Hunter allows to scan against pulses as well as YARA rules in multiple ways:

  • Scan all AlienVault-contributed Pulses
  • Scan by all AlienVault-contributed YARA Rules (Linux only)
  • Scan by all pulses you subscribe to (all pulses updated in the last 7 days)
  • Scan by all pulses you subscribe to (all pulses updated in the last 30 days)

Pierluigi Paganini

(Security Affairs – OTX Endpoint Threat Hunter, cyber threats)

The post AlienVault presents OTX Endpoint Threat Hunter, its innovative free endpoint scanning service appeared first on Security Affairs.

Cyber Security Agency Eskenzi PR wins a Queen’s Award for Enterprise 2018

Her Majesty The Queen, advised by the Prime Minister, has honoured Eskenzi PR and Marketing with a Queen’s Award for Enterprise 2018, recognising its outstanding achievement in International Trade. Eskenzi has been in business for over twenty years, working with cyber security companies all over the world, to raise awareness of security issues organisations face and the cutting edge technology available to thwart cyber attacks.  This award comes at a time when the government is paying particular focus in this area, having recently launched its strategy to support the export of cyber security technology.

The Queen’s Award for Enterprise are the UK’s most prestigious business awards, recognising and celebrating business excellence across the UK. This year it has been given to just 152 companies for overseas trade and International growth.

Yvonne Eskenzi, Co-Founder at Eskenzi PR said: “The Queen’s Award is the highest accolade that any British company can achieve. For us, it is recognition of the contribution and hard work we, as an agency, deliver in the cyber security sphere. We’re proud to say we’ve been in the space, from the start, working tirelessly to highlight cyber security challenges organisations’ face daily, and promoting the technologies that help strengthen their defences. Over twenty years ago we helped to launch Infosecurity Europe – a cyber security exhibition held annually in London, it was a subject few outside of the sector understood, or even knew existed. Today it’s front page news and being debated during board meetings and at dinner parties around the world. I’m especially proud that we have won the Award for all our work overseas, recognising Eskenzi PR as the go to international PR agency for Cyber Security.”

Eskenzi PR Ltd is a specialist agency, working closely with the very best cyber security companies in the world, including those coming out of Israel, Silicon Valley, Europe and of course, the UK. Today, the agency represents over 25 companies, working with many leading vendors in cyber including Airbus Cybersecurity, Imperva, ESET and AlienVault.

By investing in technology, Eskenzi PR has the tools needed to ensure it remains one step ahead of its competitors, enabling the agency to grow quickly across the UK, France, Germany, Benelux, The Nordics, and, most importantly, the USA.

In choosing the winners of this award, the Queen is advised by the Prime Minister, who is assisted by an advisory committee including the government, industry and commerce, and trade unions. Successful organisations may fly the Queen’s Award flag at their principal premises and are entitled to use the emblem on their stationery, advertising and goods. A corporate award is valid for five years. Additionally, the Queen hosts a reception at Buckingham Palace for representatives of Eskenzi PR.

The two co-founders of Eskenzi PR – Yvonne Eskenzi and Neil Stinchcombe, who are a husband and wife team, will attend a reception at Buckingham Palace to meet HRH The Prince of Wales and other winners on 28th June.

The post Cyber Security Agency Eskenzi PR wins a Queen’s Award for Enterprise 2018 appeared first on IT SECURITY GURU.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of April 16, 2018

It was a crazy week at this year’s RSA Conference in San Francisco. I always try to get a quick view of the floor to see companies old and new exhibit their wares. Unfortunately, work never sleeps when you attend a conference, and the shortage of seating at this year’s event left many, including myself, with a view of the actual floor. So I decided to listen instead.

 

 

You would be surprised what you can hear if you really pay attention. I heard someone ordering something and giving out their credit card number, someone asking another person about a job, and even someone talking on the phone with their pet sitter and giving them the code for their home alarm system.

Imagine if I had heard this information and I was a “bad guy.” I could piece some information together and attempt to impersonate someone else via email to get some valuable data like banking information…all without including a malicious file. Email is still one of the most lucrative attack vectors for cyber criminals, with total global losses from business email compromise (BEC) scams predicted to reach $9 billion this year. To counter those scams, Trend Micro introduced its Writing Style DNA, a new layer of protection against BEC attacks that uses artificial intelligence (AI) to “blueprint” a user’s style of writing through more than 7,000 writing characteristics. When an email is suspected of impersonating a high-profile user, like an organization’s CEO, the style is compared to Trend Micro’s trained AI model and a warning is sent to the implied sender, the recipient and the IT department. You can learn more about Writing Style DNA here.

Postscript: For the record, I did nothing with the information I heard – but I could have. Be aware of your surroundings because you never know who might be listening.

Adobe Security Update

This week’s Digital Vaccine (DV) package includes coverage for Adobe updates released on or before April 10, 2018. The following table maps Digital Vaccine filters to the Adobe updates. You can get more detailed information on this month’s security updates from Dustin Childs’ April 2018 Security Update Review from the Zero Day Initiative:

Bulletin # CVE # Digital Vaccine Filter #
APSB18-08 CVE-2018-4932 31154
APSB18-08 CVE-2018-4933 31156
APSB18-08 CVE-2018-4934 31186
APSB18-08 CVE-2018-4935 31190
APSB18-08 CVE-2018-4936 31201

 

Zero-Day Filters

There are six new zero-day filters covering three vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website. You can also follow the Zero Day Initiative on Twitter @thezdi and on their blog.

Apple (1)

  • 31167: ZDI-CAN-5544: Zero Day Initiative Vulnerability (Apple Safari)

GE (4)

  • 31161: ZDI-CAN-5538: Zero Day Initiative Vulnerability (GE MDS PulseNET)
  • 31163: ZDI-CAN-5539: Zero Day Initiative Vulnerability (GE MDS PulseNET)
  • 31164: ZDI-CAN-5540: Zero Day Initiative Vulnerability (GE MDS PulseNET)
  • 31165: ZDI-CAN-5541: Zero Day Initiative Vulnerability (GE MDS PulseNET)

Oracle (1)

  • 31138: HTTPS: Oracle Secure Backup exec_qr Command Injection Vulnerability (ZDI-09-003)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

The post TippingPoint Threat Intelligence and Zero-Day Coverage – Week of April 16, 2018 appeared first on .

iOS users can now use Google prompt on their devices via the Gmail app

Google announced that iOS users can now benefit from Google prompt feature via their Gmail application. Security and usability are crucial requirements for Google.

Google announced that iOS users can now receive Google prompts via their Gmail application.

“In 2017, we made Google prompt the primary choice for G Suite users turning on two-step verification for the first time. Back then, we noted that users with iOS devices would need to install the Google app in order to use the feature.” reads the blog post published by Google.

“Today, we’re making it possible for users with iOS devices to receive prompts via their Gmail app as well. This should encourage more people to use Google prompt, which is an easier and more secure method of authenticating an account,” 

Google prompt

Google prompt was designed to inform users of any attempt to log into their accounts and confirm it with a tap on their mobile devices.

Gmail users can approve sign-in requests via 2-Step Verification (2SV) by simply taping a “Yes” button on their smartphone since June 2016.

The 2-Step Verification process leverages login authentication code sent via SMS, once the user has received it, he will need to enter it on a sign in page.

The tech giant has launched the Google prompt to make this process simpler, it displays a popup message on the user’s mobile devices asking them to confirm the login with a single tap.

Google prompt was rolled out to both Android and iOS devices, but on iOS, the users need to have the Google Search app installed.

In October 2017,  Big G introduced Google prompt in the G Suite. The company implemented the feature to all of its users who choose to enable the extra layer of security, but in order to use it, iOS users need to have the Google app installed on the device.

Now Google has overwhelmed this limitation and iOS users can benefit from the Google prompt without having Google app installed.

iOS users who have both the Google app and Gmail app installed on their devices will receive the prompts from Gmail.

The availability of Google prompt in Gmail for iOS will be available to all users in a few days.

Pierluigi Paganini

(Security Affairs – Google prompt, iOS)

The post iOS users can now use Google prompt on their devices via the Gmail app appeared first on Security Affairs.

AWS server found unprotected exposing data on 48 million people

LocalBlox, a company that scrapes data from public web profiles, has left the details of over 48 million users on a publicly accessible Amazon Web Services (AWS) S3 bucket.

View Full Story

ORIGINAL SOURCE: Bleeping Computer

The post AWS server found unprotected exposing data on 48 million people appeared first on IT SECURITY GURU.

Watch out users of Ad Blockers, there could be malware!

As if trying to navigate your online privacy wasn’t complicated enough, it turns out the adblocker you installed on your browser may actually be malware. Andrey Meshkov, the cofounder of ad-blocker AdGuard, recently got curious about the number of knock-off ad blocking extensions available for Google’s popular browser Chrome.

View Full Story

ORIGINAL SOURCE: Motherboard

The post Watch out users of Ad Blockers, there could be malware! appeared first on IT SECURITY GURU.

TalkTalk customers concerned over privacy

A number of TalkTalk’s broadband ISP customers in the UK have raised concerns after the provider sent them an alarmist warning email, which without providing any useful details claimed that they “may have downloaded a virus on one or more of your devices” (phishing emails adopt a similar approach).

View Full Story

ORIGINAL SOURCE: IS Preview

The post TalkTalk customers concerned over privacy appeared first on IT SECURITY GURU.

Russia to increase cyber activity against UK

A network of Russian trolls is behind a new disinformation campaign about who was responsible for chemical weapons attacks in Syria and Salisbury, a government source has said.
Social media bots are said to be responsible for a 4,000 percent increase in the spread of ‘lies and disinformation’ according to Whitehall research made public for the first time.

View Full Story

ORIGINAL SOURCE: ITV

The post Russia to increase cyber activity against UK appeared first on IT SECURITY GURU.

With less than 50 days to the General Data Protection Regulation (GDPR) deadline, are you ready for the change?

It is virtually impossible to open a magazine or newspaper recently without reading something about GDPR but with little over a month until the introduction of the regulation on 25th May 2018, it seems few British people and businesses are prepared for its implications.

Despite the new regulations being announced two years ago, there still appears to be a great deal of mystery surrounding GDPR for most British people. The noise surrounding the regulation is often negative with a great deal of scaremongering surrounding heavy fines to business for data breaches and little said about the effect GDPR will have on real people – the data subjects.

To the average consumer, GDPR appears overwhelmingly complex and difficult to understand but this doesn’t have to be the case. In fact, what most people don’t yet seem to appreciate is that the new regulation offers an opportunity to individuals to own their details giving them the ability to control and even revoke consents for sharing and storing their personal data. In an increasingly data driven digital world, the requirement to share our personal information is often a daily activity and the general public are becoming much more familiar with requests for their details.

A 2017 survey conducted by market research company, YouGov highlighted that the majority of British people still don’t understand what GDPR is and how it will affect them personally. The survey revealed that while two in five people said they had seen or heard something in the media about a new data protection regulation, almost three quarters (72 percent) hadn’t actually heard of the regulation itself.  A more recent survey conducted by Kantar earlier this year found that just 35% of those polled had heard of GDPR and had little understanding of the regulation. Even as the deadline approaches, it seems the British public remain uniformed.

News stories of data breaches in the UK and around the world make headlines highlighting the risks when personal data falls into the wrong hands but most people seem unaware that GDPR should help in avoiding some of these issues. Just a few weeks ago, data analytics firm, Cambridge Analytica found itself at the centre of a dispute with Facebook over the use of personal data and whether this activity impacted the outcome of the UK Brexit referendum or the US 2016 presidential election. According to data and research website, eMarketer, around 34 Million people in the UK are currently Facebook users so news of misuse of personal data on this social media giant will obviously unsettle a large proportion of the population and raise awareness of the implications of oversharing personal information.

It seems that the British public often provide an uninformed market to those organisations that retrieve and hold personal data. The new rules under GDPR, offer a real opportunity to consumers to control their own personal information making it incredibly important for people to understand their rights. It is important not only for individuals to educate themselves on the new regulation, but for businesses and service providers to ensure they have the robust processes in place to simplify the consent process for consumers. The new regulation empowers individuals to own their personal information ensuring that data is not processed prior to consent being given. UK businesses not only need to ensure they have policies and procedures in place to adhere to GDPR, but must also ensure all staff who deal with consumers personal information are thoroughly trained on its impact and on the rights of the individual.

Firstly, people should understand that the term ‘personal data’ can refer to anything that identifies an individual including photographs, name and date of birth, home address, dependents, racial or ethnic origin, religious belief, health conditions, gender etc. Many organisations hold vast quantities of outdated, inaccurate information in databases and hard copy filing systems and the individuals concerned often aren’t even aware that the data being held still exists. Under the new regulation, organisations are permitted to hold historical data however GDPR introduces the much talked about ‘right to be forgotten’ which enables data subjects the right to request an organisation delete all information held about them if it is no longer relevant.

Whilst placing greater focus on the data subject, GDPR also offers businesses the opportunity to clear a backlog of unnecessary information and provide a better, trusting and more secure service to their clients and customers. Under GDPR, data subject consent must be explicit and permissions must be easily understood with the minimum use of jargon. The regulation will simplify the process and empower individuals to control their own personal data whilst also making organisations who deal with personal information more accountable for its security. There is no doubt the introduction of the regulation will present a challenge but overall GDPR represents a very positive change for us all.

The post With less than 50 days to the General Data Protection Regulation (GDPR) deadline, are you ready for the change? appeared first on IT SECURITY GURU.

Six Steps to Secure Cryptographic Keys

Cryptocurrency seems to bring out the best effort from cyber criminals. From nation states to traditional attackers, the rise in crypto-related attacks is staggering. The motivation is obvious: it’s financially driven. Despite the recent drop, cryptocurrency values have skyrocketed over the past couple of years incentivising attackers to create malicious code and sophisticated hacking tools to harvest cryptocurrency coins. One quick way to a massive payday is achieved by compromising a digital wallet and stealing the wallet’s private key. When attackers get their hands on a digital wallet, they can take full control of the funds.

 

Retailers have started to accept cryptocurrency right alongside good old-fashioned cash and credit. This trend is commercialising decentralised currency and forcing the hand of many big banks to get on board. The leg up criminals have, in many of these attacks, is the anonymity involved in crypto-transactions. As this form of currency gains more credibility, organisations in every industry will need to implement security controls to mitigate risk against crypto-credentials from becoming exposed.

 

A Quick Review on Digital Wallets

 

There are two types of digital wallets: hot wallets and cold wallets. Hot wallets are used by individual users and organisations to store smaller amounts of currency, adding the need to be more fluid in nature for quick transfers and exchanges. There are many cryptocurrency services such as Coinbase and Bittrex that manage and store the wallet’s private key and provide users with easy access. In most cases, this type of managed service is password protected.

 

Conversely, cold wallets, used by organisations and security-savvy individuals, typically hold much larger amounts of digital currency. This type of wallet keeps its associated private key off the internet completely (for obvious reasons) and often stores it on an offline computer. Yet, as demonstrated by some of the recent attacks, if the network becomes compromised, then the keys will follow suit shortly thereafter.

 

There are solutions available that store private keys on a USB stick-like device that does not allow the extraction of the private key. The device is simply inserted into a computer to prove the user has access to the key (using cryptographic functionality zero trust algorithms). This solution provides sound security on the private keys, however, this is not suitable for larger organisations that need to control who has access to the device and its associated credentials.

 

Don’t Get Digitally Mugged

Cryptocurrency private keys are not exclusively used by human users. There are many automated processes that perform cryptocurrency transactions as well. Securing private keys for all users (both human and machine) is a foundational first step, quickly followed by authenticating and identifying who has access to the keys, controlling the access and monitoring its usage.

 

What’s essential is that we start to view cryptocurrency private keys as another type of a privileged credential, and take steps to manage and protect them, with the appropriate workflows and access controls.

 

Here are six key (pun intended) considerations to help secure and protect cryptographic keys:

 

  1. Store cryptographic keys in a secure digital vault – Move keys into a digital vault with multiple layers of security wrapped around it, enforce multi-factor authentication to all users who have access to the vault.
  2. Introduce role segregation – Control individual access to stored keys, preventing even the most privileged administrators from getting to them unless explicit permissions have been granted.
  3. Enable secure application access – Enable access to stored keys for authorised applications and verify that the applications are legitimate.
  4. Audit and review access key activity – Audit all activity related to key access and implement trigger events to alert the necessary individuals of any key activity.
  5. Enforce workflow approvals – Enforce workflow approvals for anything considered to be highly sensitive and the same goes for accessing the keys.
  6. Monitor cryptocurrency administrator activities – Facilitate connections – similar to an automated secure proxy/jump host – to target systems that are used to perform cryptocurrency administrator activities (e.g. the system hosting the wallet).

 

Cybercriminals will continue to look at this technology as another opportunity to line their pockets. But with organisations needing to respond to demand for this type of currency, it’s essential to put in place safeguards, rather than just jumping in on the trend. Safeguarding critical systems from key harvesting and many other types of advanced attacks will be key in ensuring they don’t find themselves caught out.

The post Six Steps to Secure Cryptographic Keys appeared first on IT SECURITY GURU.

TaskRabbit has been brought back to life – Security industry opinion

At the beginning of this week (Monday 16th), TaskRabbit, the IKEA-owned mobile marketplace that matches freelance labour with local demand, had its website and app hacked resulting in both shutting down and going offline. The company had offered a statement to its customers saying, “ we understand how important your personal information is and are working with an outside cybersecurity firm and law enforcement to determine the specifics.”

An investigation is under way to seek what information may have been compromised and how the breach occurred with TaskRabbit advising all users to change passwords and monitor for unusual activity across accounts in case of signs of stolen identity. This is sound security advice but what did the security industry have to say regarding the hack:

Bob Egner, VP at Outpost24 said that the reason this hackers targeted TaskRabbit data is due to it being interesting and valuable. He said, “attacks of this nature are attempted when there is a potential gain for the attacker in this case, to monitize any personal information that can be obtained.  All web applications are vulnerable, it’s only a matter of how much effort the attacker is required to expend.  It’s really an economic problem where the payback has to be larger than the expended effort.

Any public facing web application that holds large amounts of personal information should have a comprehensive application security testing program in place to assess the application, it’s data stores, the infrastructure on which it runs, and the users assigned to manage and operate the overall system.  Any weaknesses should be remediated in a prioritized way so that the potential for attack is reduced to the lowest possible level and maintained there.  The focus should be on the economic equation, where the effort required to compromise the system is much greater than the value of any stolen information.”

According to Tim Helming, director of product management at DomainTools, the TaskRabbit breach is an indication of how comprehensively nefarious actors can interfere with business functions–and potentially harm users. Tim goes on to say, “To take control of a website and expose such trusted resources as TaskRabbit’s GitHub repository, as well as daily transaction volumes and information regarding employees, the threat actors must have had comprehensive access to the network. While we don’t yet know the specifics of how this attack unfolded, it is a good reminder of the importance of practices such as least-privilege access controls, robust network segmentation, and strong phishing controls. Organizations need to take cybersecurity seriously, particularly when it could affect the livelihood, reputation and privacy of both employees and service users.”

The post TaskRabbit has been brought back to life – Security industry opinion appeared first on IT SECURITY GURU.

Watch out for and report malicious Russian cyber activity

The UK & US Governments have issued a joint Technical Alert  advising all businesses – public and private sector, critical infrastructure providers, and ISPs supported them – to review their network security and report back on any signs of malicious cyber activity carried out by or on behalf of the Russian Government.

 This first joint security statement, Government officials said they had “high confidence” that Russian state-sponsored cyber actors was behind the “broad campaign” to compromise network hardware devices such as routers, switches, firewalls, and the Network Intrusion Detection System (NIDS).

By compromising these devices, the cyber criminals are able to redirect traffic, steal valuable information, and have a staging post for future offensive activity. Multiple sources, including private and public-sector cyber security research organisations and allies, have reported this activity to the U.S. and UK governments.

Businesses of all sizes are advised to read the Technical Alert and act on the recommendations. The alert contains details of Indicators of Attack (IoA) on the networks of compromised victims. Any signs of compromise should be reported to DHS, FBI, NCSC or law enforcement immediately.

Ciaran Martin, CEO of the National Cyber Security Centre said:

“This is the first time that in attributing a cyber attack to Russia the U.S. and the UK have, at the same time, issued joint advice to industry about how to manage the risks from the attack. It marks an important step in our fight back against state-sponsored aggression in cyberspace.

Guards all the doors and holds all the keys

Network devices are ideal targets, as the majority of organizational and customer traffic must traverse these critical devices. Any cyber criminal with access to these devices can monitory, modify, deny and redirect traffic as desired. This coupled with a lack of regular updates, as once installed network devices are often neglected when assumed to be working correctly, often only receiving attention when a fault arises, means a complete layer of corporate security could be bypassed without knowing.

 Mitigation Strategies

There is a large amount of publicly available cybersecurity guidance and best practices from NCSC, DHS, device vendors, and the cybersecurity community on mitigation strategies.

The advice given to firms in Technical Alert TA18-106A includes ways to configure their systems correctly and how to apply patches to address hardware vulnerabilities.

  • Review network device logs and data for indications of compromise on all network device hosts.
  • Do not allow unencrypted management protocols to enter an organization from the Internet.
  • Harden the encrypted protocols based on current best security practice.
  • Do not allow Internet access to the management interface of any network device.
  • Immediately change default passwords and enforce a strong password policy.
  • Apply software updates and security patches to all devices.

Also ensure a reputable Endpoint Detection and Response solution is in place across the network, such as Panda Adaptive Defense, to mitigate attacks should your network devices be compromised.

See It. Say It. Sorted.

 

The post Watch out for and report malicious Russian cyber activity appeared first on Panda Security Mediacenter.

Is Enumerating Resources on a Website “Hacking”?

Presently sponsored by: Matchlight by Terbium Labs: Know when your exact data appears on the dark web. Contact us for a demo today.

Is Enumerating Resources on a Website

I saw a story pop up this week which made a bunch of headlines and upon sharing it, also sparked some vigorous debate. It all had to do with a 19-year-old bloke in Canada downloading some publicly accessible documents which, as it later turned out, shouldn't have been publicly accessible. Let's start with this video as it pretty succinctly explains the issue in consumer-friendly terms:

So the crux of the matter seems to be that the guy pulled down a bunch of files by enumerating through file names without realising that the publisher of said files had not intended for them to be public. Allegedly, he didn't realise the data wasn't meant to be public and as I later put it, this was his mistake:

The crossroads I referred to in that tweet reflects the fact that many of us working in this space are often faced with a decision; we've identified that data is accessible in this fashion (we've discovered a URL parameter can be modified to pull another resource), do we proceed with accessing more data or stop there? Everyone will agree with everything I've written so far, let's start getting into the more contentious side of things and we'll start with the view in defence of the young bloke:

This was public data. Whether it was intended to be public or not does not change the fact that it was published to a location which exposed it to the world without any requirement for authorisation whatsoever. His "crime" was simply to use the technology as it was designed to work. There was a lot of support for this position:

The counterargument is that this was not simply a case of the guy following links and landing somewhere the site operator didn't intend people to find, this was parameter tampering. He manipulated the URL such that it exposed resources beyond the ones he organically found by browsing the site and that is exploiting a known vulnerability. In fact, it was up there in the OWASP Top 10 until last year (when it was merged into "broken access control") and it's referred to as an insecure direct object reference.

Seeing legal action appear as a result of enumerating through URLs is not unprecedented. In 2011, Patrick Webster identified a weakness in First State Superannuation's web portal which allowed him to access 770k financial records belonging to other customers. The cops subsequently turned up on his doorstep and took his computer things away. The previous year, Andrew Auernheimer (AKA "weev") found he could enumerate IDs in AT&T's iPad enrolment API such that he managed to obtain 114k records of other subscribers. He was subsequently charged and found guilty of identity fraud and conspiracy to access a computer without authorisation.

Now, at this stage you may well say "Yeah, but Patrick and weev knew they were exploiting a security weakness whilst the young Canadian guy simply thought he was accessing material that was intended to be public", to which I would wholeheartedly agree. These cases are very different in intent and assuming we can take the news reports at face value, the charges against him are totally out of line. However, much of the defence I've seen for the guy's actions centred on the premise that if there's no protection on the data (as was the case with Patrick and weev), then it's free game. That's something I vehemently disagree with.

Last year I did a talk at the local AusCERT conference titled The Responsibility of Disclosure: Playing nice and staying out of prison. I've embedded a video of that below deep-linked precisely to the point where I talk about the ethics of probing away at direct object reference vulnerabilities and it's worth watching just a few minutes here:

The key takeaway here is that in terms of vulnerabilities, once you "plus 1" in a URL and pull someone else's record, that's it - you're done. You've proven the risk. For example, when I was investigating the vulnerability in Nissan's LEAF a couple of years ago, once I found one other vehicle via an exposed VIN then that was it. I could have pulled hundreds or thousands of other vehicle's data, but to what effect? Some people will argue that you won't be taken seriously enough unless you make a big impact by pulling a heap of data, but is that worth ending up in the same boat as any of the 3 guys mentioned above? No, it's not, especially when there are numerous other ways to highlight the vulnerability.

Now, to the question posed in the title, is any of this "hacking"? Frankly, I don't think it matters what term you put on it and you could argue it either way: it was by no means a sophisticated attack and it's something even my 8-year-old son could do, but it did also result in access to material which wasn't intended to be accessible. If I had to take a side, I'd say "no hack" simply because the intent wasn't there, but equally I'd argue that the other two examples I've given could be construed as hacks because the intent was clearly to access data that both parties knew was meant to be protected.

In summary, improperly secured publicly facing data shouldn't be viewed as a free for all. There are many cases where those accessing it know damn well it's not intended to be exposed in that fashion and indeed there are many precedents of very unpleasant legal consequences as a result. But that doesn't seem to be what this case is about and assuming there's not some major piece of the story missing from the reporting, the young guy is getting a pretty raw deal. In this case, I think this is a much fairer comment on the whole thing:

New Windows Defender Browser Protection Chrome extension aims to protect them from online threats.

Microsoft announced the new Windows Defender Browser Protection extension that aims to protect them from online threats.

Microsoft has a surprise for Chrome users in the Chrome Web Store, it’s the new Windows Defender Browser Protection extension that aims to protect them from online threats.

The new extension will help users in avoiding phishing emails, as well as, websites delivering malware.

links in phishing emails, as well as websites that trick users into downloading and installing malicious software.

“The Windows Defender Browser Protection extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer. ” reads the description provided by Google on its store for the Windows Defender Browser Protection extension.

To protect Chrome users, Windows Defender Browser Protection checks the URL accessed against a list of malicious URLs, in the case it matches the list Windows Defender Browser Protection will show a red warning screen that informs users on the risks related to the malicious URL

The Chrome extension takes advantage of the same intelligence that powers Microsoft Edge’s protection capabilities, allowing users to add an extra layer of security when browsing online.

Windows Defender Google Chrome

Microsoft aims to reach the level of security implemented with the Edge browser, according to the NSS Labs 2017 Web Browser Security Comparative Report while Edge blocked 99 percent of phishing attempts, Chrome blocked 87 percent and 70 percent in Firefox.

The NSS Labs report also measured the level of protection for each browser against phishing attacks.

According to NSS Labs, the Edge browser could block 92.3% of phishing URLs and 99.5% of the Socially Engineered Malware (SEM) samples, while Chrome was able to block 74.5% of phishing URLs 87.5% of SEM samples.

Pierluigi Paganini

(Security Affairs – Windows Defender Browser Protection, Google Chrome)

The post New Windows Defender Browser Protection Chrome extension aims to protect them from online threats. appeared first on Security Affairs.

LinkedIn’s AutoFill Plugin Could Leak user Data, Secret Fix Failed

TechCrunch reports of a flaw in LinkedIn's AutoFill plugin that could have allowed hackers to steal your full name, phone number, email address, location (ZIP code), company, and job title. "Malicious sites have been able to invisibly render the plugin on their entire page so if users who are logged into LinkedIn click anywhere, they'd effectively be hitting a hidden 'AutoFill with LinkedIn' button and giving up their data." From the report: Researcher Jack Cable discovered the issue on April 9th, 2018 and immediately disclosed it to LinkedIn. The company issued a fix on April 10th but didn't inform the public of the issue. Cable quickly informed LinkedIn that its fix, which restricted the use of its AutoFill feature to whitelisted sites who pay LinkedIn to host their ads, still left it open to abuse. If any of those sites have cross-site scripting vulnerabilities, which Cable confirmed some do, hackers can still run AutoFill on their sites by installing an iframe to the vulnerable whitelisted site. He got no response from LinkedIn over the last 9 days so Cable reached out to TechCrunch. A LinkedIn spokesperson issued this statement to TechCrunch: "We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them. For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile."

Read more of this story at Slashdot.

To Cyber or Not the Cyber, That is the RSAC Talk Analysis

I don’t know where you are, but the data analysis of the RSA Conference by the prestigious Cyentia Institute is amazing. They wrote algorithms to tell us what the “most important” talks are each year from 25 years of security conference data, and illustrate our industry’s trend over time. Who can forget “A top 10 topic in 2009 was PDAs”?

This is the slide that made everyone laugh, of course:

Trends going up? GDPR, Ransomware, Financial Gain and Extortion. Big Data exploded up and then trends down over the last five years.

Trends going down? BYOD, SOX, GRC, Hacktivism, Targeted Attack, Endpoint, Mobile Device, Audit, PCI-DSS, APT, Spam…

Endpoint going down is fascinating, given how a current ex-McAfee Marketing Executive war is going full-bore. RSAC 2018 Expo Protip: people working inside Clownstrike and Cylance are unhappy with all the noise they make about attribution and threat actors given their actual product performance and value.

That’s just a pro doing qualitative sampling, though, so consider the implication of qualitative analysis.

Some cyber companies talk threat actor in the way that Lockheed-martin talks when they want to sell you their latest bomb technology. Is that bomb effective? Depends how and what we measure. Ask me about 1968 OP IGLOO WHITE spending $1B/year on technology based on threat actor discussions almost exactly like those we see in the ex-McAfee Marketing Executive company booths…

#TripwireBookClub – Attacking Network Protocols

A while ago, I had the crazy idea that I needed to read more technical books, so I purchased a pair of books that appealed to me: Attacking Network Protocols and Serious Cryptography, both published by No Starch Press. I was interested in reading along with others and sharing our thoughts and opinions, so I […]… Read More

The post #TripwireBookClub – Attacking Network Protocols appeared first on The State of Security.

Endpoint Security Testing Matters: New NSS AEP Test Results

NSS Labs, Inc. has just released the 2018 edition of their Advanced Endpoint Protection testing, and Trend Micro’s endpoint solutions have performed very well, resulting in a “recommended” rating. We had strong performance on “security effectiveness,” meaning that we detected and blocked threats effectively. We also had a low total cost of ownership relative to most other vendors in the test.

You can see the test results here: https://resources.trendmicro.com/NSSLabs-Adv-Endpoint-Report.html

“Next Generation” isn’t working better than Trend Micro

This latest test clearly shows Trend Micro performing better than a number of “next generation” endpoint vendors. These same vendors would have you believe a marketing story that Trend Micro relies on AV signatures and can’t detect modern threats, but this has proven to be nonsense. The line between Trend Micro and “next gen” is blurrier than ever.

We have performed well on this and other independent tests because of our cross-generation blend of threat detection techniques. We’re one of the very few endpoint security vendors using state-of-the art machine learning techniques to analyze threats not only pre-execution, but also at run-time (which dramatically boosts effectiveness against file-less malware). We also leverage behavioral IOA detection, our anti-exploit engine, virtual patching capabilities, and a powerful noise cancellation capability to reduce false positives.

In the coming days, vendors who did poorly may release “re-tests” in order to benefit from correcting “bugs” in their products. Unsurprisingly, after learning from their missed detections and correcting their “bugs” they will be able to improve their performance. It’s important to focus on the level playing field of the public test, where all vendors see the test scenarios for the first time.

Testing Matters

Independent third-party testing of endpoint security products is more important than ever, in a landscape full of marketing claims and “next generation” jargon. It is difficult for enterprises to assess the numerous vendor offerings in order to figure out who will actually be more effective, without unacceptable operational cost.

Our objective is to work constructively with independent test labs, avoiding “pay for play” tests, and aiming for an evaluation that is as real-world as possible. We do this instead of publishing our own biased tests, and instead of encouraging customers to test endpoint products for themselves, with biased sample sets we provide. Independent labs are going to deliver a better answer for customers.

Tests like this NSS AEP evaluation make our products better; you can be sure that for each of the small number of missed detections, Trend Micro has investigated, learned, and improved its products already. That’s a key benefit for customers, beyond the evaluation report itself.

Blocking Matters

It’s worth noting that NSS Labs’ latest AEP test rates “security effectiveness” on the Y axis based on ability to block threats, not only detect them. This aligns with what we frequently hear from our customers: they want effective detection, but they also want automatic response (quarantine, isolation, process termination). Response shouldn’t be left to a later investigative stage if it can be handled immediately and automatically. Our detection technologies are seamlessly linked with our response capability, even with run-time detections where process termination can be followed by roll-back to ensure data isn’t damaged or lost.

Achieving Low TCO

NSS Labs not only examines detection and blocking effectiveness, but also assesses TCO using a formula that accounts for product cost, but also the staffing costs to operate products, deal with investigations, missed detections and outbreaks. During this test cycle Trend Micro showed we minimize these staffing expenses by minimizing manual effort for the IT team, and providing the information and tools needed for prompt investigation.

We’re not resting after this test result. The threat landscape keeps on moving, and we continue to invest heavily to enhance our detection effectiveness while keeping TCO low for our customers.

The post Endpoint Security Testing Matters: New NSS AEP Test Results appeared first on .

The Human (Resource) Role in the Journey to GDPR Compliance

Employees are at the center of dealing with the General Data Protection Regulation (GDPR), which is the new European regulation that aims to strengthen and standardize the data pricy rights of European citizens. As we’ve discussed throughout this blog series, the GDPR impacts many organizations processing customer data from outside of the EU, but these new data transparency and security benchmarks also need to be adhered to for employee data.

HR departments in particular will be impacted by the GDPR, as a large amount of data processing and controlling happens within them.

HR departments need to know if there are any potential compliance gaps, and must know where they get their data, how they get it, and who uses it. As a critical part of our GDPR journey, we’ve mapped all of our employee data so that we know what data we have, how and where it’s stored, how long we are planning to keep it, and how we will protect it throughout the employee lifecycle.

At Trend Micro, protecting employee data is a part of our global commitment to data privacy. In order to comply with the GDPR, we’ve initiated new policies and procedures and also revisited key items like confidentiality agreements and consent procedures across the employee lifecycle. This includes changes to:

  • Recruitment – prospective employees now need to consent to how we will use their data from the very beginning
  • Employee contracts – employment contracts needed to be updated, including indicating how we use and store their data, and also identifying how their data will be kept
  • Partner processing agreements – all our payroll and benefits partners must meet our new standards for data privacy

Employees also play a critical role in our GDPR compliance efforts. In order help them better understand their role in ongoing compliance, we’ve developed a training program that all our employees will take. This program will not only help employees understand the GDPR, it will also illustrate how we protect their data.

Hear more from Claudia Wu, Senior Vice President, Global HR, on how the GDPR affects our employees, and what we are doing to protect their data.

Video Schedule

4/25 – Marketing Operations: Learn how our Marketing Operations team ensures that our customer data is protected across all external platforms.

5/2 – Products and Services: Hear from Bill McGee, SVP Cloud Security, on how we’re always evolving to deliver state-of-the-art capabilities in our products, and how we help our customers deliver their portion of the shared security responsibility of cloud environments.

5/9 – Sales and Channel Enablement: See how important it is that our existing partners understand GDPR, and how we help them find the tools needed to achieve GDPR compliance.

The post The Human (Resource) Role in the Journey to GDPR Compliance appeared first on .

5 Common Sense IoT Regulations

F-Secure invites our fellows to share their expertise and insights. For more posts by Fennel, click here

For most of human history, the balance of power in commercial transactions has been heavily weighted in favour of the seller. As the Romans would say, caveat emptor – buyer beware!

However, there is just as long a history of people using their collective power to protect consumers from unscrupulous sellers, whose profits are too often based on externalising their costs which are then borne by the society. Probably the earliest known consumer safety law is found in Hammurabi’s Code nearly 4000 years ago – it is quite a harsh example:

If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then that builder shall be put to death.

However, consumer safety laws as we know them today are a relatively new invention. The Consumer Product Safety Act become law in the USA in 1972. The Consumer Protection Act became law in the UK in 1987.

Today’s laws provide for stiff penalties – for example the UK’s CPA makes product safety issues into criminal offenses liable with up to 6 months in prison and unlimited fines. These laws also mandate enforcement agencies to set standards, buy and test products, and to sue sellers and manufacturers.

So if you sell a household device that causes physical harm to someone, you run some serious risks to your business and to your personal freedom. The same is not true if you sell a household device that causes very real financial, psychological, and physical harm to someone by putting their digital security at risk. The same is not true if you sell a household device that causes very real psychological harm, civil rights harm, and sometimes physical harm to someone by putting their privacy rights at risk. In those cases, your worst case risk is currently a slap on the wrist.

This situation may well change at the end of May 2017 when the EU General Data Protection Regulation (GDPR) goes into force across the EU, and for all companies with any presence or doing business in the EU. The GDPR provides two very welcome threats that can be wielded against would-be negligent vendors: the possibility of real fines – up to 2% of worldwide turnover; and a presumption of guilt if there is a breach – it will be up to the vendor to show that they were not negligent.

However, the GDPR does not specifically regulate digital consumer goods – in other words Internet of Things (IoT) “smart” devices. Your average IoT device is a disaster in terms of both security and privacy – as our Mikko Hypponen‘s eponymous Law states: “smart device” = “vulnerable device” (my personal corollary is “smart device” = “vulnerable surveillance device”).

The current IoT market is like the household goods market before consumer safety laws were introduced. This is why I am very happy to see initiatives like the UK government’s proposed Secure by Design: Improving the cyber security of consumer Internet of Things Report. While the report has many issues, there is clearly a need for the addition of serious consumer protection laws in the security and privacy area.

So if the UK proposal does not go far enough, what would I propose as common sense IoT security and privacy regulation? Here are 5 things I think are mandatory for any serious regulation in this area:

  1. Consumer safety laws largely work due to the severe penalties in place for any company (and their directors) who provide consumers with goods that place their safety in danger, as well as the funding and willingness of a governmental consumer protection agency to sue companies on consumers’ behalf. The same rigorous, severe, and funded structure is required for IoT goods that place consumers’ digital and physical security in danger.
  2. The danger to consumers from IoT goods is not only in terms of security, but also in terms of privacy. I believe similar requirements must be put in place for Privacy by Design, including severe penalties for any collecting, storing, and selling (whether directly, or indirectly via profiling for targeting of advertising) of consumers’ personal data if it is not directly required for the correct functioning of the device and service as seen by the consumer.
  3. Similarly, the requirements should include a strict prohibition on any backdoor, including government or law enforcement related, to access user data, usage information, or any form of control over the devices. Additionally, the requirements should include a strict prohibition on vendors providing any such information or control via “gentleman’s agreements” with a governmental or law enforcement agency/representative.
  4. In terms of the requirements for security and privacy, I believe that any requirements specifically written into law will always be outdated and incomplete. Therefore I would mandate independent standards agencies in a similar way to other internet governing standards bodies. A good example is the management of TLS certificate security rules by the CA/Browser Forum.
  5. Requirements must also deal with cases of IoT vendors going out of business or discontinuing devices and/or software updates. There must be a minimum software update duration, and in the case of discontinuation of support, vendors should be required to provide the latest firmware and update tool as Open Source to allow support to be continued by the user or a third party.

Just as there will always be ways for a determined person to hack around any physical or software security controls, people will find ways around any regulations. However, it is still better to attempt to protect vulnerable consumers than to pretend the problem doesn’t exist; or even worse, to blame the users who have no real choice and no possibility to have any kind of informed consent for the very real security and privacy risks they face.

Let’s start somewhere!

The Flu and DDoS, From an Epidemic to a Solution

While the mobile industry was busy celebrating telecom innovation at MWC18, another kind of innovation was making headlines: a record 1.35 Tbps DDoS attack. It caused some disruption and highlighted the potential for much worse. In this instance, the attack was detected and mitigated relatively quickly—but it required manual intervention and rerouting of traffic. Fortunately, service was only disrupted for a few minutes, but it could have been much worse, and other targets might not have been as ready.

 

DDoS it is a worldwide problem that will not only be harmful if not treated on time but that also seems to be getting worse. This is why I tend to compare it with a flu epidemic, one that affects the connected world. And indeed both DDoS attacks and the flu have similarities.

For those who haven’t been paying attention to the latest medical news, this flu season has been especially rough. In January, Time magazine explained the phenomenon:

The flu shot is tweaked each year in an attempt to target what are projected to be the most prevalent strains of the disease, but the process isn’t foolproof.”

 

This analysis of the flu season points out to what I see as the major resemblance between DDoS and the flu. Indeed in the case of the flu, vaccination acts as a static defence that targets specific, projected flu strains, and is only effective against 30per cent of H3 viruses. In the same manner, facing DDoS attacks, telecom operators only know how to mitigate what they already know it’s a “known knowns” approach.

 

ISPs and enterprises, just as health professionals are thus facing the same challenge. How will they defend themselves against non-prevalent strains? Indeed the unforeseen DDoS attacks, the new vectors, the zero-day exploits are in fact unknown unknowns. But then the comparison also has its limits. Indeed, fortunately, the world of data communications has a solution to DDoS attacks.

 

Facing DDoS attacks, firms may make use of autonomously adaptive, machine-learning algorithms utilising artificial intelligence techniques to automatically detect anomalous behaviour and trigger mitigation of the attack. And indeed, the recent attack on GitHub was spotted by IT professionals who noticed an unusual spike in inbound traffic. It was caused by the amplification of UDP traffic reflection through Memcached servers’ default port 11211. They eventually managed to fence of the attacks by rerouting traffic to a scrubbing centre provider that cleaned out the malicious packets and the attack ended shortly afterwards.

The attack didn’t last more than a few minutes but could have been worse if it had struck a less prepared company, and indeed other companies aren’t as prepared. If a firm the size GitHub can divert terabits of traffic to external DDoS cleanup services, this is a costly solution and for many firms scrubbing, and latency costs are prohibitive. This problem is bound to become even acuter as 5G and IoT expand the scale of data communications. Adding to heavy security costs, many short-term “hit and run” attacks evade external detection due to their short time stamp and will not get scrubbed.

Facing this harsh reality, I would like to point to a better solution. One that would enable networks, through high-performance, to distribute inline system that use machine learning techniques to automatically detect and mitigate any type of attack at wire speed, regardless of scale, within seconds and without disrupting service. This would unimped legitimate traffic while malicious traffic would be discarded. No manual intervention would be required. Here is how this works:

In the above picture, every packet of data is inspected by high-performance, inline appliance instances. This enables attacks to be automatically detected and surgically blocked within seconds. Network services are neither threatened nor disrupted. This success is achieved by using advanced Network Behavior Anomaly Detection (NBAD) technology. Volumetric attacks are detected by the anomalies they cause in the normally time-invariant behaviour of Layer 3 and Layer 4 packet rate statistics.

The dynamic creation of mitigation rules and surgical filtering of attack packets prevents over-blocking and enables legitimate traffic to flow unimpeded, assuring network protection and service QoE at all times.

DDoS attacks also have an aspect to often overlook: service providers can also be infected and become the source for outgoing botnet attacks. This can be harming for their customers and their reputation. Such outbound attacks can only be caught by inline systems that inspect all packets, travelling in every direction. Inspecting outbound traffic will not only block this attack, but they will also enable better detection of inbound attacks.

The system, by correlating bi-directional traffic, can easily highlight inbound traffic that weren’t in fact sent from the service provider.

During the recent Memcached attacks, Allot’s bi-directional, inline DDoS Secure solution successfully detected and prevented such attacks observed in multiple customer networks worldwide.

 

Below is an example:

 

So, while this year’s flu season may be winding down, DDoS is just gearing up. New vectors, new vulnerabilities and ever-growing volumetric attacks are just a matter of time. Get protected – inline and on time!

The post The Flu and DDoS, From an Epidemic to a Solution appeared first on IT SECURITY GURU.

7 Sins of Security Metrics

If you are at the water cooler muttering “But that’s EXACTLY the graph they asked for.” Enter SIN#1… “Get me a plot of x versus y, colour-coded by z!” They sounded so sure when they asked you, so you created what they wanted, showed it to them, and they hated it. Ok, a bit melodramatic. But in my experience, building the metrics people ask for rarely delivers the insight they want. Why? Often, when someone asks for a metric, they are in the process of working out if there’s value in a question they’d like to ask of their data. Until they see the result, they don’t know if the output will give them what they’re after; AKA the “I’ll know it when I see it” problem.

 

As data scientists / analysts, we need to build metrics that address the questions our stakeholders need answering. If they aren’t entirely clear on either what those questions are, or what questions are most valuable to answer, or whether the metric they’ve asked for is the best way to answer a question, the process of iterating through analysis in the hope of striking gold will be excruciating for everyone involved. If stakeholders don’t have enough definition around the problem they are trying to solve (this is more common than you’d think!) we need to help them. Because if we just build the plot they ask for, we’re essentially crossing our fingers that the work we do will be valuable.

 

“Personally, I find this fascinating.” Oh, the woe. It’s SIN#2… Ah yes. The discovery of fascinating stuff that no one can do anything about. If we don’t produce metrics that are engaging for our audience and useful from their perspective … If a team can’t take our analysis, act on it, and see an improvement … Well, then our charts will be disheartening. And no one likes a metric that makes them miserable.

 

As people who love analysing data, it can be easy to run down metrics rabbit holes, digging around in data indefinitely, exploring things that look like they could uncover some new level of understanding in the information we have. (This is also true when you have done the hard work to create a great set of metrics, but mountains of possible analysis options remain.) We always need to keep the goal of a metric in mind when we spend time picking data apart, which translates to firstly avoiding things that, in retrospect, were pet projects and secondly knowing when we’ve reached ‘good enough for now’ on the level of resolution we have on a problem. The people funding our efforts will have patience if they can see progress, but not if they end up with 30 plots that may be intellectually fascinating, but fail to provide high-value insights they can act on.

 

“It’s ‘actionable insight’, so the team will find it really useful.” Because it’s not like security teams have enough stuff on their to-do list already, it’s SIN#3… A problem with the over-abused word ‘actionable’ in security marketing is there’s a big difference between something that’s actionable, and something that’s worth acting on. Good security metrics don’t enumerate all the possible things that could be changed to make an estate more secure. They get stakeholders engaged around problems they have, that they have the power and budget to solve. Ideally, they also show a clear set of actions that can deliver the greatest improvement to security performance or risk exposure. If metrics deliver a prioritized list of 1000 actions, it’s likely there will be no buy-in from departments already swamped with lists of things to do. (Sure, your 1000 things may be added to their list… just right at the bottom). A single action that deals with 1000 problems will get far more traction. And yes, developing metrics that do this is far from trivial.

 

“I think a decrease in this percentage means that thing we did was good … right?” Welcome to the ambiguity of SIN#4… Ok so we’ve got a high value, actionable metric that addresses something it’s important to change! Hooray! But will our metric track the full impact of our actions? Can external factors affect the data and make things look better (or worse) than they are? For example, a good performance metric should clearly reflect action we’ve taken to improve it. If the scope of such a metric is too broad, a change in its value may be ambiguous and, therefore, hard to attribute. Example: if we’re using the total number of vulnerabilities on our estate as a proxy for our patching rate, Patch Tuesday will boost this number and make our performance look like it’s gotten worse, even if the number of vulnerabilities patched per week has remained constant. Note: This is not a good metric for this scenario! If we’re not measuring something that changes predictably when we make progress, we’ll find ourselves having to endlessly explain metrics to people, and the whole point of a metric is to give stakeholders clarity on the situation.

 

“Our operations teams use these metrics, the CISO’s metrics focus on something else.” Beware the divergence of SIN#5… Sure, a metric can be broken down differently for different stakeholders, but the metrics themselves cannot be ‘different’. Metrics will need to be tailored for different stakeholders, particularly in terms of their granularity and scope, but there must be a common thread running through them.

 

There are two aspects to this. The first is a shared view all the way from the Technology Risk Committee to IT Operations teams of what a set of metrics relating to a risk or performance measure tell them about options for actions or priorities they need to act on. The second is what we call “data lineage” within this shared view. Data lineage is, essentially, the ability to drill down from a high-level metric (i.e. that Execs have on their dashboard), all the way to the raw records metrics are built from (i.e. where actions are taken at operational level). Unless you nail this, you end up with a disconnect between the metrics Executives are given to make budget and resource decisions, the actions that are taken at operational level, and the ability to link the two from one reporting period to the next.

 

“We’re confident that the data is complete.” But of course you are! It’s SIN#6… A tendency to ‘trust not verify’ data sources that are curated by someone (a database that has stripped out ‘irrelevant’ fields from an API, the CMDB that is considered a golden source of truth), can lead to dangerous assumptions. And we know what assumptions make out of you and me… The thing is that people often have very strong feelings about data they either own or curate. It’s personal to them, and they’ll often balk at suggestions that it may not be accurate. However, if we don’t triage assumptions about a data source’s accuracy and trustworthiness, we can end up fundamentally undermining our analysis. At best, this leads to arguments about accuracy from people affected by a metric, and subsequent re-analyzing that takes up valuable time. At worst, it leads to a collapse in confidence of all future analysis.

 

“I think this data would look lovely in a Pie Chart” AAAAARGHHHH! Avert your eyes! It’s SIN#7… You did all this great analysis and then presented it in a pie chart?! Pies are for eating, not for charting. With that outburst over, there is a serious point here. Everyone has a preference for how they like to receive information. Stacked bar charts, doughnut charts. The list of visualisations people ask for that make data scientists grit their teeth is lengthy. To communicate risk or security performance with clarity, we have to be willing to fight our corner about why a particular visualisation is poorly suited to delivering the information decision makers need, whether at operational or strategic level.

 

We also need to select visualisations and construct data journeys that give people the insight they need. But if we don’t help our stakeholders understand the visualizations they are looking at, if we don’t show them how they link to decisions, if we don’t give them the context for our analysis and how we’re presenting it, we’re expecting our audience to make leaps in understanding that we often take for granted after staring at the data for weeks

The post 7 Sins of Security Metrics appeared first on IT SECURITY GURU.

Malware infecting 50,000 Minecraft accounts (and possibly more)

Minecraft, the immensely popular world-building game with more than 74 million players, has a malware problem. Users who download skins for their avatars, from the official Minecraft website, are unwittingly allowing malicious code onto their computers.
Currently, nearly 50,000 Minecraft accounts are known to be infected with the malware which is designed to reformat a person’s hard drive and delete backup data and system programs.

View Full Story

ORIGINAL SOURCE: Alphr

The post Malware infecting 50,000 Minecraft accounts (and possibly more) appeared first on IT SECURITY GURU.

Major tech corporations sign Cybersecurity agreement

Dozens of major technology companies including Microsoft, Facebook, Cisco, and SAP have signed onto a pledge to protect their users around the globe against cybersecurity threats and to abstain from helping any government launch a cyber attack.

View Full Story

ORIGINAL SOURCE: ZDNet

The post Major tech corporations sign Cybersecurity agreement appeared first on IT SECURITY GURU.

Commonwealth to be more cyber secured

The UK Prime Minister will today announce up to £15 million to help Commonwealth countries strengthen their cyber security capabilities and help to tackle criminal groups and hostile state actors who pose a global threat to security, including in the UK.
View Full Story

ORIGINAL SOURCE: Gov.uk

The post Commonwealth to be more cyber secured appeared first on IT SECURITY GURU.

Transavia keeps business flying with One Identity

One Identity, a proven leader in helping organisations get identity and access management (IAM) right, is helping Dutch low-cost airline, Transavia streamline business processes. Through its One Identity Active Roles deployment for a hybrid Active Directory environment, Transavia is able to save roughly 10 minutes per user on provisioning and de-provisioning tasks covering hundreds of extra staff during peak travel seasons.

Air travel companies experience extreme seasonal loads, taking on thousands of short-term staff as demand increases, and then releasing them during the quieter months.  For example, Trasavia hires an extra 400 staff each summer that all require access to business applications – whether systems for on-board merchandise sales or navigation tools – and each employee needs to be added to the company’s IT systems so they can do their jobs.

The Transavia service delivery team estimated that it deals with 1,500-2,000 changes in user roles each year.  The manual cost in time required to make these changes historically proved to be a significant drain on resources.

“We used to provision user roles manually, but this took far too long — 10–15 minutes per user,” said Anders Kok, service delivery manager at Transavia. “We wanted to automate the whole process, so we spoke to One Identity.

“Active Roles was a great fit for our business,” continued Kok. “We now have user groups in Active Directory for cabin crew, cockpit, and technical maintenance, and all the information feeds in automatically from our HR system. When a new person starts, their mailbox is there, the account is there, and basic rights are all there. They can get working straightaway.”

But, he said, the big win is in quality improvement. “A manual process has a high error rate of 20-30 percent, whereas in the automated One Identity solution this is reduced to a minimum.”

Transavia has also been able to get support from One Identity through its transition to the cloud, augmenting its on-premises Active Directory deployment with the cloud-based Azure Active Directory.

“One Identity Active Roles is the ideal identity and access management solution to address the user lifecycle management challenges of Active Directory and Azure Active Directory that Transavia had faced,” said Jackson Shaw, vice president of product management at One Identity. “Active Roles allows Transavia to overcome the shortfalls of native tools and manual processes by using automation for the creation, modification, and removal of user accounts across the hybrid AD environment. This level of consistency, security, and efficiency is something that most organisations lack when relying on native tools.”

One Identity continues to act as a trusted advisor to Transavia, assisting with its user lifecycle challenges.

“We rely on the excellent advice from One Identity Services…  One Identity knows our business and our idiosyncrasies, so we listen when it challenges our decisions,” concluded Kok.

The post Transavia keeps business flying with One Identity appeared first on IT SECURITY GURU.

GDPR Is Coming, So What Now for WHOIS Domain Registration Data?

When the European Union General Data Protection Regulation (GDPR) comes into force on May 25, 2018, what will happen to currently-available domain registration data in WHOIS? The GDPR restricts how personal data about natural persons residing in the European Union can be collected, used and transferred, and it defines “personal data” very broadly. Today, anyone […]… Read More

The post GDPR Is Coming, So What Now for WHOIS Domain Registration Data? appeared first on The State of Security.

Intel announced the new Threat Detection Technology and Security Essentials

Intel announced a new Threat Detection Technology and a framework of critical root-of-trust hardware security capabilities in its chips.

Intel continues to innovate its products, the tech giant announced two new technologies, the Threat Detection Technology (TDT) and Security Essentials.

The Threat Detection Technology leverages the silicon-level telemetry and functionality to allow security products detect sophisticated threats.

The new Intel Threat Detection Technology (TDT) includes two main capabilities, the Accelerated Memory Scanning and Advanced Platform Telemetry.

The Accelerated Memory Scanning feature allows anti-malware solutions to use Intel’s integrated GPU to scan and detect fileless malware attacks without having any impact on performance and power consumption.

Microsoft will integrate the Accelerated Memory Scanning feature into Windows Defender Advanced Threat Protection (ATP) within a couple of weeks.

According to Intel researchers, using the GPU instead of the CPU to scan the memory will allow frequent scanning reducing the impact on performance, Intel tests revealed that the CPU usage dropped from 20 percent to as little as 2 percent.

“The first new capability is Accelerated Memory Scanning. Current scanning technologies can detect system memory-based cyberattacks, but at the cost of CPU performance.” reads the announcement published by Intel

“With Accelerated Memory Scanning, the scanning is handled by Intel’s integrated graphics processor, enabling more scanning, while reducing the impact on performance and power consumption. Early benchmarking on Intel test systems show CPU utilization dropped from 20 percent to as little as 2 percent”

The second Intel Threat Detection Technology is Intel Advanced Platform Telemetry that was designed to include cloud-based machine learning and endpoint data collection to improve threat detection.

“Intel Advanced Platform Telemetry combines platform telemetry with machine learning algorithms to improve the detection of advanced threats, while reducing false positives and minimizing performance impact.” continues Intel.

The New Intel Advanced Platform Telemetry technology will first be integrated into Cisco Tetration, a solution designed to provide data center security and cloud workload protection.

Intel has announced Security Essentials, a set of critical root-of-trust hardware security capabilities in Intel chips, including Core, Xeon and Atom processors.

“These capabilities are platform integrity technologies for secure boot, hardware protections (for data, keys and other digital assets), accelerated cryptography and trusted execution enclaves to protect applications at runtime.” continues Intel“This standard set of capabilities will accelerate trusted computing as customers build solutions rooted in hardware-based protections.”

intel Threat Detection Technology-security essentials-solution

Pierluigi Paganini

(Security Affairs – Intel, Threat Detection Technology)

The post Intel announced the new Threat Detection Technology and Security Essentials appeared first on Security Affairs.

SN 659: Never a Dull Moment

This week we discuss AMD's release of their long-awaited Spectre variant 2 microcode patches, the end of Telegram messenger in Russia, the on-time arrival of Drupalgeddon2, Firefox and TLS v1.3, the new and widespread UPnProxy attacks, Microsoft's reversal on no longer providing Windows security updates without A/V installed, Google Chrome's decision to prematurely remove HTTP cookies, the Android "patch gap", renewed worries over old and insecure Bitcoin crypto, new attacks on old IIS, a WhatsApp photo used for police forensics, and an IoT vulnerability from our "you can't make this stuff up" department.

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Bandwidth for Security Now is provided by CacheFly.

Sponsors:

The connected workforce: The importance of protecting home and corporate networks

In an age when data breaches are occurring increasingly frequently, it’s critical that chief information security officers and other IT admins don’t disregard the risk employees’ at-home activities can pose to their business security posture.

In the current corporate and employee landscape, workers are leveraging a variety of endpoints from a range of different locations to access enterprise systems and assets. Staff members are no longer chained to their desks, and many employers and workers alike have begun taking advantage of work-from-home and other remote styles that enable them to operate outside of the office.

This approach comes with considerable benefits, including lower overhead costs for employers, and greater job satisfaction and productivity for staff members. For these reasons, and more, it's no wonder why nearly 4 million Americans now work from home for at least half of their work week.

However, when businesses do enable their workforce to complete mission-critical tasks from places and networks other than their main office, there are certain considerations to make, namely when it comes to data security.

Bringing work home, bringing threats to work 

Some of the biggest risks recently are threats related to employees' home networks, or networks at public places like coffee shops, airports, hotels and more. As ComputerWeekly contributor Peter Ray Allison pointed out, security vulnerabilities stemming from workers' at-home internet connections are very real, and are also some of the most overlooked threats in the current security landscape.

There are numerous different scenarios associated with employee home network threats that can result in risks to corporate systems, assets and intellectual property. Whether a home network doesn't include adequate protection, or user activity opens gaps in security, ensuring protection of both home and enterprise networks is absolutely imperative.

"It is something that we are coming across more and more," Digital Pathways CEO Colin Tankard told Allison. "Devices are being exploited and [companies] find that something unusual is going on. It is only when they do a little bit more investigating that they realize somebody or something is monitoring what they are doing."

"CISOs other IT admins shouldn't disregard the risk employees' at-home activities can pose to their business security posture."

In an age when data breaches are occurring increasingly frequently, it's critical that chief information security officers and IT admins don't disregard the risk employees' at-home activities can pose to their business security posture.

Unsecured home routers

One way that this threat can take hold is when employees don't have the appropriate security in place with their home routers. As Trend Micro pointed out in this report on the Most Noteworthy Home Network Security Threats of 2017, the router serves as a hub for all connected devices, including the smartphones, laptops and other endpoints workers leverage at home and at work for corporate purposes. In this way, if robust security isn't in place at this critical juncture, employees leveraging their home network for work activity could be opening themselves up to considerable risk. Worst of all, a device infected at home could potentially impact the entire enterprise network once the staff member brings the endpoint back to the office for work.

Some issues to be aware of here are:

  • Incorrectly configured networks: This can extend to a range of different factors, but the bottom line is that an incorrectly configured network can provide an easy open door for malicious actors.
  • Default or weak passwords: If employees don't adjust the security credentials of their routers and keep the default password in place – or use a password that is considerably easy to guess – it presents low hanging fruit for hackers. It's imperative that default credentials are replaced with strong passwords once the home network equipment is deployed.
  • Firmware updates: Not updating devices with the latest patches can also create easily exploitable vulnerabilities that result in significant security gaps and other problems.

Cryptocurrency mining

As Trend Micro research shows, hackers aren't just seeking out unsecured routers to infect home networks – routers and other devices are also being leveraged for Bitcoin and other cryptocurrency mining. In fact, this threat was the most detected network event seen in 2017.

The fact that makes this threat particularly notable is that it isn't just routers that are being used to support cryptocurrency mining – other devices including home computers (14,586), tablets (358), smartphones (981), game consoles (314), IP cameras (573) and printers (219) are also being leveraged for their CPU power as well.

"Cryptocurrency-mining malware, for instance, are capable of infecting devices to illicitly mine for crypto currency," Trend Micro researchers noted in the report. "Such malware can spread the same way other malware types spread, e.g., through spam emails and malicious URLs, and take advantage of the computing power of multiple devices to increase yield from mining."

Like nearly any other security risk, a threat like this could potentially spread from home devices to corporate assets. When CPU and computing power is tied up by cryptocurrency mining activity, businesses aren't able to achieve the level of performance their users require.

malwareEmployees' at-home networks could pose risks to enterprise security.

Brute force attacks via Remote Desktop Protocol

Malicious actors are increasingly leveraging Remote Desktop Protocol (RDP) capabilities to spur brute force logins of home devices. Once a hacker has broken into a home device in this manner, he or she is able to execute malware that could spread to enterprise networks the next time the device is used at the office.

RDP enables a user to interact with a system as if they are a local user, providing access to the operating system and applications. In this way, a hacker could remotely access login capabilities, and use brute force to breach and glean details about users and who has control of what devices.

"The risk lies in the network, when a hacker is able to gain access to the RDP without the user admin knowing," Trend Micro researchers explained. "The home network is where all the connected devices and stored data lie."

Real-world case: Daughter's email access results in company network infection

These issues impact more endpoints and assets than CISOs might realize. In one real-word instance, an employee took his work laptop home to continue his corporate pursuits from outside the office. The device was also used by the man's daughter, however, to access her email. One message that she accessed unfortunately included Sircam, an infection that spreads through open networks.

Because the employee's daughter opened the infected email attachment, the work laptop was then infected with Sircam. Making matters worse, the man was unaware, and took his laptop back to the office and connected to the company network. This allowed Sircam to spread from the infected endpoint to the corporate network.

Luckily for the employee and the small business he worked for, the infection was spotted on the company network and systems were disconnected before it could spread further or damage machines. The instance did result in downtime for the company, during which the network had to be cleansed and employees were unable to access mission-critical assets.

Overall, it's important to ensure that employees take the appropriate security precautions when taking part in work activity from their home networks. To find out more, check out Trend Micro's report and connect with our team of security experts today.

The post The connected workforce: The importance of protecting home and corporate networks appeared first on .

Windows 10 Update Will Support More Password-Free Logins

An anonymous reader writes: It's not just web browsers that are moving beyond passwords. Microsoft has revealed that Windows 10's next update will support the new FIDO 2.0 standard, promising password-free logins on any Windows 10 device managed by your company or office. You could previously use Windows Hello to avoid typing in a password, of course, but this promises to be more extensive -- you could use a USB security key to sign into your Azure Active Directory.

Read more of this story at Slashdot.

DevSecOps Survey Reveals Heightened Interest In Automated Security

The 5th annual DevSecOps community survey for 2018 from Sonatype reveals heightened interest in DevSecOps practices after the recent surge of high profile breaches as well as highlights security integration statistics among teams with mature DevSecOps workflows. In this blog post, we’ll discuss some of the important findings from the survey of 2,076 IT professionals […]… Read More

The post DevSecOps Survey Reveals Heightened Interest In Automated Security appeared first on The State of Security.

Equifax was not an isolated incident: the danger of Web apps

Nowadays it is possible to do almost anything from a Web browser, thanks to the expansion of cloud computing. Previously, users had to download, install and run programs for almost any task. Yet now, thanks to Web applications, simply having a browser is sufficient: we use Web applications to check email, make presentations, watch TV series and movies, edit images, etc., both at home and at work.

In the sights of cybercriminals

The increasing proliferation of Web applications has not gone unnoticed by cybercriminals. In recent months, these applications have gained popularity as a vector for attacks in numerous security incidents. The Verizon Data Breach Report 2017 highlights two figures that illustrate how popular these attacks have become: almost 3 out of 10 security breaches were caused by attacks on Web applications, and the rate of security breaches stemming from Web application security flaws increased by 300 percent between 2014 and 2016.

In a world that now goes around thanks to Web applications, those with inadequate security have become highly attractive targets for cybercriminals who want to find a simple way of infiltrating corporate networks. Although companies benefit in various ways from the capabilities of Web applications, the prevalence of security vulnerabilities is exposing companies to significant risks. The most revealing case of the negative consequences of not ensuring the security of such tools is that of Equifax.

 The Equifax case: the data of more than 147 million customers exposed

The security breach suffered by this credit reportiing company in September 2017 was one of the biggest data thefts in history. The company had until recently admitted that data of some 145.5 million users had been leaked, although they have now adjusted that figure up to 147.9 million.

The question is though, could such an attack have been prevented? The answer is simply, yes. Equifax left the door open to cybercriminals by not updating Apache Struts, an open-source Web application development framework. By not applying patches, a vulnerability allowed hackers to reveal the social security numbers, postal addresses and even driving license numbers of millions of people. This illustrates how the failure to follow basic security measures, such as patching the software used by a company, can have tremendous consequences. As Zane Lackey, a leading expert in Web application security explains, there are two lessons to be learned from the attack on Equifax. Firstly, that 99 percent of the time attacks happen due to common and simple errors: unpatched systems, weak passwords , malware on an endpoint, etc. And secondly, that security risks have shifted from the network to the application and endpoint layer.

The time has come to protect Web applications

If you don’t want your company to become the next Equifax, you should keep an eye out for these types of common attacks and take appropriate measures to keep them at bay.

According to Imperva, cross-site scripting or XSS vulnerabilities accounted for the highest number of Web application vulnerabilities in 2017. In fact, they have doubled in number compared to 2016. These attacks inject malicious scripts into vulnerable websites and allow attackers to steal sensitive data or even take control of devices. Imperva predicts that they will continue to be the most frequent attacks in 2018.

Another frequent attack is SQL injection. SQL programming language is so commonly used to manage and share information across applications, that cybercriminals see it as a perfect opportunity to perform attacks by entering their own SQL commands into databases. As many servers that store critical data from Web applications use SQL to manage communication with the data, hackers enter commands that allow them to edit, steal or delete this information.

In addition to the danger of external Web applications, internal Web applications also pose serious security risks, and they are an even easier target once an attacker has managed to gain access to the internal network.

To ensure the security of your company is not compromised by vulnerabilities in Web applications, the priority must be to design these applications securely from the outset. To this end, you can follow these tips: store raw data and encrypt it when rendering it, avoid non-secure frameworks (or update the ones you use, unlike Equifax!) and JavaScript calls that avoid encryption, etc. You should also provide developers with tools that let them see how their Web applications are being attacked, so they can react accordingly.

Another essential measure is to encrypt all data. WAFs (Web application firewalls) are not the panacea and they will not provide 100 percent protection, but encrypting information can frustrate potential attacks.

Finally, install a security solution that provides detailed visibility into all the activity that takes place on endpoints, continuously monitoring all running processes and applications. Panda Adaptive Defense protects you from the dangers of Web applications and prevents your company from becoming the next Equifax.

The post Equifax was not an isolated incident: the danger of Web apps appeared first on Panda Security Mediacenter.

10 steps to better security awareness part 1: prep your phishing test

Last month, we blogged about how security awareness training can help to improve an organisation’s defences. Since then, there’s been more evidence showing just how effective phishing can be for attackers – and why it’s important to teach users to watch for it.

In one recent simulation test, the security company Positive Technologies sent more than 3,300 phishing emails. It found that 17 per cent of workers fell for the fake message which contained malicious links. If it had been real, this would have let criminals take over the victim’s computer and access their company’s systems. Separately, the security company Ironscales has warned that phishing attacks are evolving into more intelligent and targeted threats.

Security awareness training can help to minimise the business risk from phishing. David Prendergast has an extensive background in security awareness and organisational change across financial services, technology and healthcare. “I’ve always tried to be the bridge between the techies and punters. I translate tech speak for users from receptionist to the board level and say ‘here’s what this means’,” he explains.

David has just joined the BH Consulting team as a senior consultant and he shared his thoughts on making awareness initiatives effective. (And because we’re in the age of internet-eroded attention spans, we’ve helpfully gathered them into 10 steps. Here are the first five; part two will feature the second five steps.)

Get approval

“The first thing I did was seek support from senior management, because it means the programme can go company-wide. I even carried out a simulated phishing attack against the board,” says David. “It also gives you the freedom to carry out the programme at the right time, and I had no interference on the content of the phishing mail I developed.” Speaking of which…

Test first

Try different versions of content. An email appearing to come from HR around review time is always a tempting lure. As a rule, the shorter the message, the greater the likelihood that it will fool people. Longer messages have more room for mistakes that savvy users will spot. “You have to do a lot of testing to make sure the phishing email won’t get caught out by the organisation’s anti-phishing tools,” adds David.

Don’t say when

Like the Spanish Inquisition (or the Monty Python version anyway), the element of surprise is essential. Once you have permission, don’t run the test when people expect it, because that could skew your results. “Don’t set dates because you may want to test management who gave you authority to do this,” David says.

Build trust

Security awareness is like parenting. If a child inadvertently does something wrong, and tells the parent who reprimands them, then guess what? They’re far less likely to confess the next time. “It’s the same with awareness training. If a user has clicked on an email they shouldn’t have, they’ll never report it if they think they’ll get into trouble,” David says. “I wanted people to report suspicious emails to me, or to the service desk. Clicking on a link is not a bad thing, it means you’ve learned more. Remember the goal is to improve defences, not to punish mistakes.” Which leads to the next point…

Don’t point the finger

This exercise is not about putting people in proverbial stocks so everyone else can chuck rotten vegetables at them. Surprisingly, most people don’t take public humiliation well. “I can’t stress this enough: don’t focus on the people who clicked. Don’t name and shame, even if management ask you to,” says David. And do you really think you’ll change their behaviour for the better by treating them that way? Instead, focus on the behaviour you want to improve.

Stay tuned for part two, where we’ll give five steps to follow up on your phishing tests with effective awareness training. Don’t forget to follow us on Twitter for regular updates.

 

The post 10 steps to better security awareness part 1: prep your phishing test appeared first on BH Consulting.

Routers being hijacked to redirect users to malware

Malware authors have hijacked DNS settings on vulnerable routers to redirect users to sites hosting Android malware.
According to Kaspersky Labs telemetry data, these were small-scale attacks, as crooks only hijacked traffic from just 150 unique IP addresses, redirecting users to malicious sites around 6,000 times between February 9 and April 9, 2018.

View Full Story

ORIGINAL SOURCE: Bleeping Computer

The post Routers being hijacked to redirect users to malware appeared first on IT SECURITY GURU.

TaskRabbit has been hacked

TaskRabbit, the mobile marketplace that matches freelance labor with local demand, has apparently been hacked. Both the company’s website and app were down at time of writing and notifications had been sent out to users warning of a security issue.
View Full Story

ORIGINAL SOURCE: Gizmodo

The post TaskRabbit has been hacked appeared first on IT SECURITY GURU.

Russia to blame for global cyber attack

The United States and Britain on Monday accused Russia of launching cyber attacks on computer routers, firewalls and other networking equipment used by government agencies, businesses and critical infrastructure operators around the globe.

View Full Story

ORIGINAL SOURCE: Reuters

The post Russia to blame for global cyber attack appeared first on IT SECURITY GURU.

New Accenture study finds 87 per cent of focused cyberattacks are prevented

With ransomware and distributed denial of service (DDoS) attacks on the rise, the average number of focused cyberattacks per organisation has more than doubled this year compared to the previous 12 months (232 through January 2018 versus 106 through January 2017). In the face of these growing cyber threats, organisations are demonstrating far more success in detecting and blocking them, according to a new study from Accenture (NYSE: ACN).

 

Yet, despite making significant progress, only two out of five organisations are currently investing in breakthrough technologies like machine learning, artificial intelligence (AI) and automation, indicating there is even more ground to be gained by increasing investment in cyber resilient innovations and solutions.

 

The study was conducted from January to mid-March 2018 and investigated focused attacks defined as having the potential to both penetrate network defences and cause damage, or extract high-value assets and processes from within organisations. Despite the increased pressure of ransomware attacks, which more than doubled in frequency last year, the study found organisations are upping their game and now preventing 87 per cent of all focused attacks compared to 70 per cent in 2017. However, with 13 per cent of focused attacks penetrating defences, organisations are still facing an average of 30 successful security breaches per year which cause damage or result in the loss of high-value assets.

 

“Only one in eight focused cyberattacks are getting through versus one in three last year, indicating that organisations are doing a better job of preventing data from being hacked, stolen or leaked,” said Kelly Bissell, managing director of Accenture Security. “While the findings of this study demonstrate that organisations are performing better at mitigating the impact of cyberattacks, they still have more work to do. Building investment capacity for wise security investments must be a priority for those organisations who want to close the gap on successful attacks even further. For business leaders who continue to invest in and embrace new technologies, reaching a sustainable level of cyber resilience could become a reality for many organisations in the next two to three years. That’s an encouraging projection.”

 

Security Teams Find Breaches Faster

It’s also taking less time to detect a security breach; from months and years to now days and weeks. On average, 89 per cent of respondents said their internal security teams detected breaches within one month compared to only 32 per cent of teams last year. This year, 55 per cent of organisations took one week or less to detect a breach compared to 10 per cent last year.

 

Although companies are detecting breaches faster, security teams are still only finding 64 per cent of them, which is similar to last year, and they’re collaborating with others outside their organisations to find the remaining breaches. This underscores the importance of collaborative efforts among business and government sectors to stop cyberattacks. When asked how they learn about attacks that the security team has been unable to detect, respondents indicated that more than one-third (38 per cent) are found by white-hat hackers or through a peer or competitor (up from 15 per cent, comparatively, in 2017). Interestingly, only 15 per cent of undetected breaches are found through law enforcement, which is down from 32 per cent the previous year.

 

Addressing Cybersecurity from the Inside Out

On average, respondents said only two-thirds (67 per cent) of their organisation is actively protected by their cybersecurity program. And, while external incidents continue to pose a serious threat, the survey reveals that organisations should not forget about the enemy from within. Two of the top three cyberattacks with the highest frequency and greatest impact are internal attacks and accidentally published information.

 

When asked which capabilities were most needed to fill gaps in their cybersecurity solutions, the top two responses were cyber threat analytics and security monitoring (46 per cent each). Organisations realise the benefits derived from investing in emerging technologies. A large majority of respondents (83 per cent) agree that new technologies such as artificial intelligence, machine or deep learning, user behaviour analytics, and blockchain are essential to securing the future of organisations.

 

Five steps organisations can take to achieve cyber resilience include:

  1. Build a strong foundation. Identify high value assets and harden them. Ensure controls are deployed across the organisational value chain, not just the corporate function.
  2. Pressure test resilience like an attacker. Enhance red defence and blue defence teams with player-coaches that move between them and provide analysis on where improvements need to be made.
  3. Employ breakthrough technologies. Free up investment capacity to invest in technologies that can automate your defences. Utilise automated orchestration capabilities and advanced behavioural analytics.
  4. Be proactive and use threat hunting. Develop strategic and tactical threat intelligence tailored to your environment to identify potential risks. Monitor for anomalous activity at the most likely points of attack.
  5. Evolve the role of CISO. Develop the next generation CISO — steeped in the business and balancing security based on business risk tolerance.

 

For the 2018 State of Cyber Resilience study, Accenture surveyed 4,600 enterprise security practitioners representing companies with annual revenues of $1 billion or more in 15 countries. The purpose of the study is to understand the extent to which companies prioritise security, the effectiveness of current security efforts and the adequacy of existing investments. More than 98 per cent of respondents were sole or key decision-makers in cybersecurity strategy and spending for their organisation. For the purposes of this research, a cyber resilient business applies fluid security strategies to respond quickly to threats, to minimise damage and continue to operate under attack. It can therefore introduce innovative offerings and business models securely, strengthen customer trust, and grow with confidence.

The post New Accenture study finds 87 per cent of focused cyberattacks are prevented appeared first on IT SECURITY GURU.

Mining for Trouble: Cryptocurrency and Cyber Security

Cryptocurrency is not a new presence in the world of cyber security. For years cryptocurrencies have been the ransom of choice for hackers looking to make money from cyber attacks. However, over the last six months, we have seen a new strategy from hackers: crypto mining malware. This new motive for hackers has risen in prominence significantly with a 27% increase in use in the first quarter of 2018 and it is on the fast-track to becoming the number one cause of cyber attacks. So, it is incredibly important that enterprise IT security staff get an understanding of what crypto mining is, why it has increased in prominence and what they can do to stop it.

For those who don’t know what crypto mining entails allow us to enlighten you. Cryptocurrencies are virtual money that exists online, kept in crypto wallets and transferable via the use of Blockchains. But unlike physical money which has a governing body in charge of its distribution and printing, cryptocurrencies can be made by anyone. Making cryptocurrency is not easy though. If the average person could generate it, from his or her simple desktop computer at home, then the market would be inflated and the value of the currency diminished. To make just one coin of cryptocurrency requires an absurd amount of computer resources and time, meaning mining it is limited to big business and people heavily invested in the technology to do so.

How crypto mining then relates to cyber security is obvious. Even if someone has the technology to mine cryptocurrencies, the amount of computer power needed makes the entire process very time-consuming. Most people don’t have access to industrial computers or enough computers all running at once to mine the currency. It is this issue that has led crypto mining malware to become so prominent as hackers have discovered the solution to their problems is to secretly install mining software onto the computers of bystanders through malware and then let the infected computers do all the hard work.

The big difference between crypto mining and past cyber attacks around cryptocurrencies is that hackers are not stealing cryptocurrency or demanding it as a payment. As mentioned above, they are using software so that they can use the computers of their unsuspecting victims to do the mining while the hacker reaps the rewards. This method is a lot safer for hackers and can continue as long as they don’t get caught.

Crypto mining was made even easier last September when a bug in the Coinhive software, a crypto mining software, allowed it to be used to distribute malware. Since then reports have found that the frequency of crypto mining attacks on corporations has increased by 500%. In February three of the most wanted malware were crypto mining related and a new report for the first quarter of 2018 is showing that crypto mining is soon to take over ransomware as the biggest cyber threat to enterprises.

The question for enterprises now is how to fight back? In the end, crypto mining malware is still malware and so the methods that all enterprises should already be incorporating – like antivirus, traffic monitoring and mitigation, training employees and so forth – will deal with malware designed to mine cryptocurrency. What enterprises need to be aware of is whether or not they are infected and if so how to deal with it.

Unlike ransomware where the hacker will make his or her presence known, crypto mining malware aims to remain hidden and continue leeching from your computer’s resource and so IT security experts will have to be more proactive in their approach and actively search for the mining software hidden in their network. The main sign that your computer is infected is how slow it will be running, thanks to the mining software using up the CPU. If your computer isn’t performing properly then scan it, look for anomalies, and look for signs of malware. You may just find a little miner chipping away.

Crypto mining and cryptocurrencies, in general, are not going away any time soon so it is important that businesses adapt to the changing cyber security landscape rather than hoping the situation will solve itself or assuming nothing will change.

The post Mining for Trouble: Cryptocurrency and Cyber Security appeared first on IT SECURITY GURU.

RAT Gone Rogue: Meet ARS VBS Loader

Malicious VBScript has long been a fixture of spam and phishing campaigns, but until recently its functionality has been limited to downloading malware from an attacker-controlled server and executing it on a compromised computer.

 

Researchers at Flashpoint have seen and analysed a unique departure from this norm in ARS VBS Loader, a spin-off of a popular downloader called SafeLoader VBS that was sold and eventually leaked in 2015 on Russian crimeware forums.

 

ARS VBS Loader not only downloads and executes malicious code, but also includes a command and control application written in PHP that allows a botmaster to issue commands to a victim’s machine. This behaviour likens ARS VBS Loader to a remote access Trojan (RAT), giving it behaviour and capabilities rarely seen in malicious “loaders”, i.e. initial infection vector malware families used to install subsequent payloads.

 

The new loader has been spammed out in email attachments enticing victims with lures in subject lines related to personal banking, package shipments, and toll road notifications. Should a victim interact with the attachment and launch it, analysts say numerous types of commodity malware could be installed, including the AZORult information-stealing malware. AZORult was also used in campaigns targeting more than 1,000 Magento admin panels; in those attacks, the malware was used to scrape payment card information from sites running the popular free and open source ecommerce platform.

 

ARS VBS Loader targets only Windows machines and supports Windows 10, according to posts to a Russian-speaking forum going back to December. Previously, another loader called FUD ASPC Loader, first advertised in May 2017, contained similar functionality but not Windows 10 support.

 

The loader is also likely to side-step detection by signature-based antivirus and intrusion detection systems because of the relative ease in which attackers can obfuscate VBScript, Flashpoint analysts said. Obfuscation through a variety of means allows attackers to hide malware; if the malware is obfuscated with encryption or packing, it’s exponentially more difficult for antivirus to sniff out malicious code, for example.

 

Once the ARS VBS Loader executes on a victim’s computer, it immediately creates a number of entries in nearly a dozen autorun locations, including registry, scheduled tasks, and the startup folder, ensuring persistence through reboots. ARS VBS Loader will connect to the attacker’s server, sending it system information such as the operating system version name, computer user name, RAM, processor and graphics card information, a randomly generated ID for infection tracking, and machine architecture information.

 

The botmaster, meanwhile, can remotely administer commands to bots through the PHP command-and-control application. Communication with the command-and-control server is carried out in plaintext over HTTP, making it easy to spot, Flashpoint analysts said.

 

The malicious code that runs on the victim’s machine is written entirely in VBScript and contains functionality for updating and deleting itself, and deploying plugins such as a credentials stealer, or launching application-layer denial-of-service (DoS) attacks against websites, and loading additional malware from external websites.

 

The most common command spotted by analysts is download, which instructs bots to download and execute malware from a supplied URL. There is also the plugin command where plugins that steal passwords or capture desktop screenshots can be pushed to compromised computers.

 

The DDoS command is also noteworthy because it’s a unique capability; analysts said they have not seen this command used in the wild. The command tells bots to send a specified amount of HTTP POST requests to a particular URL. Since this is a simple application layer flooding attack, it is currently unknown how successful this attack would be against targets in the wild, analysts said, adding that it would be easy to spot such traffic because the same hardcoded POST values are sent in the HTTP flood.

 

Analysts caution that users should be vigilant about not opening email attachments from unknown sources, and that it’s likely ARS VBS Loader will continue to be an effective initial infection vector for spam campaigns.

The post RAT Gone Rogue: Meet ARS VBS Loader appeared first on IT SECURITY GURU.

The Cybersecurity Tech Accord: Time to Come Together to Combat Digital Threats

At Trend Micro we’re committed to making the world a safer place in which to exchange digital information. In fact, we’ve been protecting our customers from the ever-evolving threat landscape for nearly 30 years. But we know we can and must do more as an industry to combat the challenges we face today. That’s why we’re a founding member of a monumental new pact with some of the world’s biggest security and technology companies.

The Cybersecurity Tech Accord demonstrates a commitment by key industry players like us to become more than the sum of our parts. By working together we can make an even bigger impact in helping protect global consumers and organizations from cybercrime and nation-state hacking. 

The $8 trillion problem

Turn on the TV, open a newspaper or browse the web and you’ll read the same thing: cyberattacks are everywhere today. Trend Micro alone blocked over 66.4 billion online threats last year, more than 631 million of which were ransomware-related. Then there’s crypto-jacking, info-stealing malware, phishing, zero-day exploits — the list of threats facing internet users today is immense, and it will only continue to grow and evolve.

What does this mean for organizations? The risk of huge financial and reputational damage: legal costs, regulatory fines, customer attrition, and much more. We predict that cumulative losses from Business Email Compromise (BEC) attacks alone will hit $9 billion this year. In fact, the cybercrime industry is predicted to cost the global economy as much as $8 trillion by 2022. 

Four steps to a more secure world

That’s why key industry players have come together to form the Cybersecurity Tech Accord: the largest-ever joint commitment by private sector technology and security companies to protect customers and improve cybersecurity. It’s built around four key tenets: 

Stronger defense: We will help protect users and organizations around the world, wherever they are. 

No offensive support: We will not help governments to launch cyberattacks or undermine the security of our products by tampering with them. Incidents such as the WannaCry ransomware attacks of 2017, which leveraged alleged nation-state-developed exploits, have shown how easily government-level offensive capabilities can lead to mass attacks on innocent businesses and consumers. 

Capacity building: We’ll all do more to help developers and those who use their technology improve their ability to protect themselves — via new features and best practices. 

Collective action: All members of the accord will work together via formal and informal partnerships with other industry players, civil society, researchers and more to share intelligence, manage vulnerability disclosures and combat malware. 

Trend Micro’s pledge

As a founding member of the accord, Trend Micro is keenly aware of the positive power of industry-wide collaboration. The 28 companies currently on board include companies like Cisco, Facebook, HP, Intel, Microsoft, Nokia, Oracle, Siemens, and Trend Micro, and together represent a market capitalization of more than $1.8 trillion. Each will be able to contribute different expertise to benefit the whole.

Part of the value Trend Micro will bring is in leveraging our world-leading vulnerability detection and threat intelligence capabilities in known, new and forward-looking threats. We’ll play an active role in coordinating vulnerability disclosures across the group, collaborating via shared intelligence and enabling other members to identity vulnerabilities in their own systems earlier on.

No one of us alone can solve the problems that cybercrime and nation-state hacking have brought to the world. But together we have a chance — through partnerships, collective action and determination. It’s time to make technology work for us, not the bad guys.

The post The Cybersecurity Tech Accord: Time to Come Together to Combat Digital Threats appeared first on .

Arm your users with knowledge to spot phishing attacks – for free!

Attendees to the Black Hat 2017 security conference said their #1 security concern and most time-consuming activity was phishing and social engineering attacks. That’s no surprise with the increase in Business Email Compromise (BEC) attacks and with most ransomware being delivered by email. But Black Hat Attendees also said the weakest link in their security strategy was end users who are susceptible to phishing and social engineering.

[source: https://www.blackhat.com/docs/us-17/2017-Black-Hat-Attendee-Survey.pdf]

That’s why we’ve introduced a new free service, Phish Insight. With it, businesses of all sizes will finally be able to generate exactly the information they need to craft more effective security awareness and training programs. Best of all, it is completely free!

The top threat vector

Email is still the biggest threat vector impacting organizations today. Trend Micro’s Smart Protection Network blocked more than 66.4 billion threats in 2017 and over 85 percent of these were emails containing malicious content. Phishing is among the most common tactics used by cybercriminals. Employing social engineering tactics, they typically aim to trick the user into clicking on a malicious link or opening a malware-laden attachment. This in turn could lead to a ransomware download or even be the first stage in a more covert info-stealing operation designed to lift customer data or highly sensitive intellectual property.

In 2017, 94 percent of all ransomware blocked by Trend Micro was distributed via email. What’s more, the latest stats from Verizon claim that phishing represented 93 percent of all data breaches recorded in 2017. BEC is another rising threat to the organization which relies on tricking the end user, this time into making corporate wire transfers to the hacker, who is impersonating the CEO or other senior executives. Trend Micro predicts such scams will lead to cumulative losses in excess of $9 billion this year.

On the frontline

As social engineering and phishing tactics play an ever greater role in cyber-attacks, the stakes will only increase. The share price of one aerospace company is said to have fallen 38 percent after it was hit by a BEC attack which resulted in losses of over €50m ($62m). So what’s the answer? Clearly we need to get better at strengthening our weakest link in the cybersecurity chain: our employees.

Unfortunately, unlike technology, staff can’t be patched. But with the right kind of education programs they can be taught how to spot email scams. According to Verizon, 4 percent of targets in any given phishing campaign will click on it. That may not sound like much. But it only takes one misplaced click to potentially land your organization in trouble.

Introducing Phish Insight

We know that awareness and education programs are an important complement to cybersecurity tools and technologies. But how do you go about crafting an effective program? This is where insight into user behavior becomes crucial.

Phish Insight allows you to quickly and easily generate that insight — completely free of charge. Organizations of all sizes can get started: all they need is one administrator and a few minutes to create a phishing campaign. They can select recipients choose a template according to behavior or topic for phishing, and even customize the phishing exercise by subject, graphics, language and so on. Admins can also set the duration of the awareness “campaign.”

Once the campaign is underway, insight will be fed back via detailed stats in the Monitoring Center. IT Teams can see who has been caught at an employee level and can also identify if certain departments or regions are more at risk than others. It’s this information that they can then use to improve training programs. How they do this is up to the customer, but next steps could include issuing an automatic email alert if they are successfully phished, and/or routing them to online training on phishing awareness. The premium version is free upon request and also includes an Outlook plugin which adds a button for users to alert their security team of suspicious emails.

“We count on Trend Micro as a security partner, with that comes the expectation that they will deliver the latest methods to detect, assess and react to threats,” said Niall O’Beaglaoi Business Development Manager with Smarttech, “Their newest tool, Phish Insight, has provided invaluable information on how users perceive and interact with phishing emails.”

For 30 years Trend Micro has been working to make the world safer to exchange digital information. We’re making this service available free of charge because there’s a real opportunity here to radically improve baseline security for countless organizations. Humans are creatures of habit, and If you can persuade them to adopt good practices then you’ll be taking a massive step on the road to a more proactive cybersecurity posture. That all begins with better insight: with Phish Insight.

The post Arm your users with knowledge to spot phishing attacks – for free! appeared first on .

DNS-Based Threats: Cache Poisoning

The Domain Name System (DNS) is the cornerstone of communication for the internet. Navigating to the sites you access every day often starts with a DNS request. Cybercriminals recognize the value of DNS and may look for ways to abuse improperly secured DNS to compromise its uptime, integrity or overall response efficacy—which makes DNS an important area for enforcing security and protecting against threats.

One such threat: cache poisoning.

When a DNS request is made, the query is routed to a recursive name server. If the domain name navigation information is cached, the recursive name server sends the response directly back to the user with the appropriate information, so they can go to the intended destination. If the information is not present in the cache, the recursive name server queries other DNS servers to find the information needed to answer the original query.

Cybercriminals understand how to manipulate DNS caching and may take advantage of unsecured servers through cache poisoning. Cache poisoning can occur when a cybercriminal sends fake (spoofed) DNS responses to a target recursive name server (resolver), pretending they came from an authoritative name server, a forwarder, or even a recursive name server to a client stub. When malicious information is cached on the recursive name server, the names on the server are considered “poisoned.”

Cybercriminals use cache poisoning to redirect traffic to fraudulent websites and other unintended destinations. Cache poisoning is considered dangerous because it does not require significant bandwidth, processing resources, or technical expertise to execute, and an attacker doesn’t need to be in the data path to launch cache poisoning attacks. Furthermore, a fraudulent address can reside on a recursive name server for hours, days or weeks before it is discovered.

When a poisoned cache connects an unsuspecting user or device to a fraudulent site, cybercriminals can do a variety of things such as, obtain sensitive data and other confidential information, steal user credentials and passwords, eavesdrop on communications, plant malicious software or display images and text that defame a legitimate brand or provide misleading information.

One solution to address cache poisoning is the implementation of DNS security extensions (DNSSEC). DNSSEC is the main security mechanism that protects the integrity of DNS records and helps safeguard the end-to-end integrity and authenticity of DNS responses.

As DNS attacks grow in frequency and impact, organizations can no longer afford to overlook DNS security as part of their overall defense-in-depth strategy. As with IT security in general, no single tactic can address the entire DNS threat landscape or secure the complete DNS ecosystem. The key is to assess risks, identify security gaps and develop a plan to strengthen the security of both your inbound and outbound DNS.

For more information on the importance of DNS in the security ecosystem, and considerations for securing DNS in your organization with DNSSEC and other solutions, please download our free white paper, “Framework for Resilient DNS Security,” here.

The post DNS-Based Threats: Cache Poisoning appeared first on Verisign Blog.

UK GCHQ spy agency warns telcos of the risks of using ZTE equipment and services

The UK GCHQ intelligence agency warns UK telcos firms of the risks of using ZTE equipment and services for their infrastructure.

The alert was issued by the National Cyber Security Centre that said the Chinese firm “would present risk to UK national security that could not be mitigated effectively or practicably”.

Let’s remind that the ZTE is a state-owned enterprise and many experts highlighted the risks of using its products.

The Agency did not provide further details about the threat to UK telco infrastructure, it only explained that at the time it is not possible to mitigate the risks of adopting the Chinese equipment.

“NCSC assess[es] that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated,” reads the statement issued by the GCHQ.

The problems for ZTE are not ended, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) announced that Chinese firm has been banned from purchasing goods from US companies. This root cause is that ZTE was discovered violating Iran and North Korean sanctions.

ZTE, such as Huawei, are considered as potential threats by the US Government too,  but differently from ZTE has worked with UK intelligence to demonstrate that its products don’t represent a threat. Huawei created a Cyber Security Evaluation Centre, also known as “the Cell,” in Banbury to allow intelligence the review of its products and software.

“HCSEC fulfilled its obligations in respect of the provision of assurance that any risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated,” reads the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board: annual report 2017.

ZTE

In March, UK suspended ZTE from the immigration scheme used by foreign companies to allow foreign nationals to work locally.

The news was reported in exclusive by El Reg that wrote: “The Home Office has suspended the Tier 2 visa sponsor license for the Chinese state-owned telecomms giant, the fourth largest supplier of telecommunications equipment in the world.”

“The Register understands that ZTE had not fulfilled its duties under the Tier 2 scheme, which includes a “robust compliance system”.”

While experts have never discovered a backdoor in Huawei devices, in 2012 researchers spotted a critical security hole in ZTE phones.

“ZTE Corp, the world’s No.4 handset vendor and one of two Chinese companies under U.S. scrutiny over security concerns, said one of its mobile phone models sold in the United States contains a vulnerability that researchers say could allow others to control the device.” reported the Reuters at the time.

Pierluigi Paganini

(Security Affairs – GCHQ, intelligence)

The post UK GCHQ spy agency warns telcos of the risks of using ZTE equipment and services appeared first on Security Affairs.

Using intelligence to advance security from the edge to the cloud

Brad Smith holds up a microcontroller unit
Brad Smith, Microsoft president and chief legal officer, holds up a microcontroller unit (MCU) at Microsoft’s security news briefing on April 16, 2018.

We are living in a world where almost everything is becoming connected, whether it’s the electrical grid, phone system, our cars, or the appliances that heat our home or chill our food.  As this Internet of Things (IoT) continues to proliferate, so does the threat of debilitating cyber-attacks, like last year’s devastating ransomware attacks that damaged, destroyed and disrupted systems around the world. And these attacks are only growing more sophisticated – and commonplace.  

We recognize that we and others in the tech sector have the first responsibility to address these issues. After all, we build the products.  We operate the platform.  We unfortunately are the battlefield in many ways.  We are the first responders.  At Microsoft and at many of our peers, our security professionals are the ones that answer the call, scramble onto airplanes, and stay by our customer’s side until their issues are resolved. Trust is the underpinning of our relationship with our customers, and we recognize that we must earn and maintain that trust every single day.  

That’s why this year at RSA in San Francisco, Microsoft is announcing new offerings to take security more squarely to where it needs to go and where it has not effectively gone before – the edge. Today we’re unveiling a series of new services and features that will better harden not only our intelligent cloud but also the billions of connected devices that live on its edge. And we’re supporting these advances with new offerings that will making security easier for our customers to manage.    

Azure Sphere: Extending security to the Internet of Things

Over the past 15 years, we’ve repeatedly taken steps to strengthen security protection not only for Windows and Office software, but also to harden our Xbox chipsets. We’re now combining this expertise and these advances to secure at the silicon level the billions of connected devices that will sit on the edge of the world’s computing network.

Applying new advances by our security researchers, we are introducing security protection for the next generation of cloud and edge devices powered by microcontroller units (MCUs). This growing class of cloud-connected devices – 9 billion of which ship every year – run tiny MCU chips that will power everything from kitchen appliances and toys to industrial equipment on factory floors. This next wave of connected devices is increasingly intelligent and connected. They will improve daily life in countless ways, but if they’re not secure, they will make people, communities and countries vulnerable to attack in more ways than ever before.

Today we’re announcing Azure Sphere, the industry’s first holistic solution for securing MCU-based devices from the silicon to the cloud. This solution brings together three critical pieces and advances: 

  • First, Azure Sphere is based on Microsoft’s development of an entirely new class of MCUs with more than five times the power of legacy MCUs. We’ll license the IP for these new MCUs royalty free to silicon manufacturers, removing barriers for silicon partners who want to develop and manufacture Azure Sphere chips. Already MediaTek is producing Azure Sphere-certified silicon, with more partners to follow.  
  • Second, Azure Sphere will bring to these new chips a new customized operating system built for IoT security. This OS incorporates a custom Linux kernel that has been optimized for an IoT environment and reworked with security innovations pioneered in Windows to create a highly secured software environment. 
  • Finally, Azure Sphere will feature a turnkey cloud security service that guards every Azure Sphere device, including the ability to update and upgrade this security protection for a 10-year lifetime of the device. Importantly, Azure Sphere will work alongside any cloud  private or proprietary so that customers can continue to use their existing data infrastructure while adopting Azure Sphere’s groundbreaking security for their devices. 

This combined approach to Azure Sphere brings together the best of hardware, software and services innovation. It is open to any MCU chip manufacturer, open to additional software innovation by the open source community and open to work with any cloud. In short, it represents a critical new step for Microsoft by integrating innovation across every aspect of technology and by working with every part of the technology ecosystem, including our competitors. We believe this holistic solution will bring to IoT devices better security, resilience and developer agility than anything on the market today. 

Simplifying security through new cloud offerings 

In the past, some enterprises were hesitant to move to the cloud because of perceived security risks. Today, customers appreciate that the cloud is almost certainly more secure than on-premise environments. The result is that customers trust the security of their enterprise to us, so they can focus on their core business.   

Over the past year we’ve focused on strengthening Microsoft 365 so it not only helps our customers be more collaborative and productive, but also makes it easier to secure IT infrastructure against a growing range of threats. Because Microsoft 365 is a cloud service, we’re able to rapidly develop and deploy new security innovations based on learnings and insights coming from our Microsoft Intelligent Security Graph. Today we’re announcing four cloud-based advances that will enable customers to use Microsoft 365 to strengthen further their security protection: 

  • The most time consuming and challenging work in security operations today is identifying and fixing threats before they spread. That’s why we’re announcing new automated threat detection and remediation tools to help simplify and streamline this process. With Windows Defender Advanced Threat Protection (ATP) automated investigation and remediation capabilities, in the upcoming Windows 10 update, systems can automatically go from alert to investigation to remediation in a fraction of the time it used to take. 
  • Another important aspect of responding to security threats involves controlling access to sensitive data without impacting productivity. We’re announcing a new step today to help ensure that compromised devices can’t access sensitive data on a customer’s network, by connecting a feature called Conditional Access to Windows Defender ATP for an added layer of device risk-level assessment. It means that customers can now limit access to mission-critical information if risks such as malware are detected at the individual device level, while automatic remediation tools address the problem. 
  • We’re complementing these advances with a new and advanced security tool to help customers manage their overall security environment. Microsoft Secure Score provides a single dashboard and summary score that makes it easier for organizations to quickly determine which controls to enable to help protect users, data and devices, as well as compare their results with other organizations with similar profiles using machine learning.  
  • Security increasingly is a team sport not only within an enterprise but across the customer network. Intelligence data, in particular, gets better with additional signals coming in, and so we’re increasing the ability for customers and partners to collaborate with us, with one another and with their own customers. Today we’re announcing the preview of a new Microsoft Graph security API for connecting to Microsoft products powered by the Microsoft Intelligent Security Graph. The new security API provides an integration point that allows technology partners and customers to greatly enhance the intelligence of their products to speed up threat investigation and remediation. Already, leading companies like Palo Alto Networks, PwC and Anomali are exploring the security API for their own solutions. And because we’re committed to collaborating with customers and partners to enable integration between Microsoft’s security technology and the broader ecosystem, we are also announcing the new Microsoft Intelligent Security Association. This new program streamlines our engagement on all things security and allows technology partners to benefit from, and contribute to, the Intelligent Security Graph and Microsoft security products. 

Security is a shared responsibility 

All of the advances we’re announcing today reflect another essential fact of life. Security has become a shared responsibility. We believe that Microsoft has an important responsibility and is in a unique position to help address the world’s security issues and contribute to long-term solutions. But no one has anything close to a monopoly on good security ideas or expertise. More than ever, the continuing rise in security threats requires that we work together in new ways across the tech sector and with customers and governments.  

That’s why we’re committed not only to greater security collaboration at the technology level, but also to advancing the public security policies the world needs. 

RSA offers the entire industry an important opportunity each year to talk about the challenges of cybersecurity. We need more of these conversations. Even more, we need action. That’s why we continue to advocate around the world to interpret and build on existing international laws and ultimately establish a Digital Geneva Convention to protect civilians against cyber-attacks. And it’s why just last week we launched Microsoft’s Defending Democracy Program, based on a new team at Microsoft dedicated to working with governments, technology companies, academia and civil society to address cyber-related threats and interference in democratic processes.   

Today’s big security challenges require bold ideas. Whether it’s strengthening our products, using data to better identify and disrupt threats, or working with customers on their own cyber-resilience, we are committed to delivering world-class security to customers and partners. And we are committed to working across the tech industry and public sector to improve our shared defense of the technology infrastructure on which the world depends.

The post Using intelligence to advance security from the edge to the cloud appeared first on The Official Microsoft Blog.

Massive Ransomware attack cost City of Atlanta $2.7 million

According to Channel 2 Action News that investigated the incident, the ransomware attack on the City of Atlanta cost it at least $2.7 million.

In the last weeks, I wrote about a massive ransomware attack against computer systems in the City of Atlanta.

The ransomware infection has caused the interruption of several city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.

Investigators believe that hackers initially compromised a vulnerable server, then the ransomware began spreading to desktop computers throughout the City network. Crooks demanded a payment of 6 Bitcoin, around $51,000 at the current rate,

New Atlanta Chief Operating Officer Richard Cox said that several departments have been affected.

No critical infrastructure and services seem to be affected, the departments responsible for public safety, water, and airport services are operating as normal, however.

City of Atlanta ransomware

How much cost this attack on the City of Atlanta?

According to Channel 2 Action News that investigated the incident, the ransomware attack cost the city at least $2.7 million.

“They were probably not as protected as we probably thought they were,” Georgia State University cybersecurity researcher Don Hunt said.

Channel 2 investigative reporter Aaron Diamant obtained new records that allowed the media outlet to estimate the overall cost of the attack.

The $2.7 million cost includes eight emergency contracts that were signed just after the malware compromised the city networks.

“They’ve got some really big players on the team there, and they’re spending a lot of money, so the depth of the problems that they had are probably enormous,” Hunt said.

The leaders of the City of Atlanta signed a $650,000 contract with cybersecurity firm SecureWorks that was involved in the incident response.

Accessing the records the journalist discovered that the leaders signed other contracts as reported in the above image, a $600,000 contract with management consultant Ernst and Young for advisory services and another $730,000 to Firsoft.

“That’s absolutely construction work. What they’re looking to do is not revamping the system, they’re starting from scratch and going from the ground up again,” Hunt added.

“You’re talking about the possibility of privacy being violated. It could be an indicator that you’ve got a deeper problem inside or potentially a deeper problem that you want to get ahead of right away,” 

Pierluigi Paganini

(Security Affairs – City of Atlanta, ransomware)

The post Massive Ransomware attack cost City of Atlanta $2.7 million appeared first on Security Affairs.

Myspace vs. Facebook: the good old days?

Many people have fond memories of ye olde Myspace dotte comme, and those rose-splashed spectacles seem to have grown ever larger in light of the recent Facebook happenings.

In recent days, I’ve seen many declaring their love for all things Tom, and how everything was just one huge barrel of laughs and good times on the fledgling social network. In the showdown of Myspace vs. Facebook, articles are appearing that explain how Tom “beat” Zuckerberg in the long run.

However, a variety of popular memes and more general good vibes based on this sentiment clash with a somewhat more complicated picture of events.

Here’s the thing: I was around at that time, neck deep in social network research from about 2006 to 2010, and one of my main stomping grounds was indeed Myspace. During that time, I wrote about an astonishing amount of problems on the platform. I was responsible for getting a few of them fixed, having a number of bad actors thrown off, and causing lots of problems for adware vendors using so-called Web 2.0 as a testing ground for bogus installs, as well as creating similar headaches for malware authors popping everything from drive-by attacks to worms.

If you missed all of that action, or you simply weren’t around at the time, you might think the current social network bonfire we have on our hands is an entirely new phenomenon. I felt it was worth revisiting the land that time forgot (uh, a decade ago) and seeing what, exactly, was going on.

Way back when

Social network scams are now pretty samey, and new-fangled original attacks are fairly rare. Back in the early days of Myspace, everything was new and exciting, and even the most basic of survey scams or spam comments on someone’s profile page could potentially elicit a gasp or three. In 2006/7, the only people really attempting to harness the huge numbers of social media users were adware vendors and the odd malware author.

Over time, that would shift away from adware to hacks, trolls, and social engineering, leaving everything looking a bit scorched earth…not just on Myspace, but gradually across many other major social network platforms, too.

We begin our exploration of a complicated picture of events with a jaunt back to 2006.

2006: worms, adware, and get rich quick schemes

Looks like our DeLorean has indeed arrived in 2006, because Justin Timberlake is on the radio bringing Sexyback, Superman Returns to cinemas (when he probably shouldn’t have), and Twilight is going wild on bookshelves. Meanwhile our 3-year-old, 2.0 hangout space is starting to run into increasingly frequent trouble.

One of the first major social network worms ripped through Myspace courtesy of a worm hidden inside a Quicktime file. Alterations to infected profiles were made, utterly confusing the profile owners, and it seemed to spread in a manner similar to the first Orkut worm, even coming back to life after a profile clean out. The financial gain here was, in part, due to Zango adware being bundled with the infection file via the worm-creating affiliate who put the whole thing together.

In fact, Zango were caught up in another Myspace fiasco when they claimed they weren’t specifically targeting the platform for installs, despite the uncovering of an affiliate email suggesting just that. Here’s an extract, and the focus on animated gifs and cheery distractions is wonderfully quaint:

“MOVING GIFS. This really gets people’s attention and vistors [sic] love this sh**,” one tip reads. Another: “Highlight the html code and embed one of the videos. This will make it automatically pop when the visitor reaches that page. This will lead to a lot more thinking to themselves: ‘hmm, this looks like a cool video. I’ll watch this. CLICK.'”

“More profitably, go to a bunch of your friends who have popular profiles and pay them (it’s up to you so much. One of my partners said 5$…maybe offer to split the money with them?) to put a zango video into their profile through your site. This will give you hundreds of extra installs a day,” the e-mail reads. “This probably works even better than having them on your actual site.”

Moving away from adware vendors. In 2018, malvertising is a big deal—but it’s also a rather old one. We can go back to 2006 and see the infamous WMF exploit being used to install malicious files via banner ads on Myspace, with up to “one million” installs across the thousand or so sites it was loading on. After a couple of years of a fresh new approach to interacting online, people with a taste for cash have moved into town and they have other ideas. Things will straighten themselves out next year, right?

2007: Battle of the bands and glory hunters

One of the wheels has fallen off the DeLorean, but we’re still hitting 88MPH, which is just as well because Shrek 3 and Spider-Man 3 are going off the rails in the cinema, and Rihanna has lost her umbrella. While we’re talking about music…

Most social networks have learned to keep profile page edit functionality to a minimum, or use templates, but Myspace was pretty much the king of “do what you want.” It’s hard to think of another social network that had so eminently editable a profile page. You could do all sorts of custom HTML tricks, hide elements, include new ones, overlay everything with huge sparkly gifs and half a dozen MIDI files—it was great (relatively speaking).

The flip side of this is that bad people could do the same thing.

In 2007, a large number of big name musicians with huge followings, and many smaller bands too, had their Myspace pages compromised. A quick splash of custom HTML later, and clicking anywhere on the page would redirect to rogue sites hosted in China offering up a variety of malicious installs. It was never established what, exactly, was the point of entry for the scammers but if it was a phishing campaign then it was sustained, targeted, and made life very difficult for musicians plying their trade.

Meanwhile, it would have been very handy if Justin Timberlake had brought Sexyback in 2007 instead, because I could have used it to work in a reference to another spate of high-profile compromises. The N*Sync golden boy fell victim to defacements, alongside Hilary Duff and Tila Tequila (if you weren’t nostalgically flopping around in 2007, you definitely are now). These attacks were much more about a sense of “look what we can do,” as opposed any financial gain, and that trend definitely began a steady curve upwards as we limp into 2008.

2008: Trolling, tracking, and hacks

Okay, the DeLorean is somewhat ablaze, and I’ve lost my novelty Tom bobblehead down the back of the seat, but we’re still mostly in one piece. Hunger Games is all the rage in bookstores, Katy Perry is all over the charts, and The Dark Knight is the best chaos-laden Batman movie you’ll ever see (no really, it is). Speaking of chaos…

Myspace had a big problem with troll groups, some of whom I covered in an IRISSCON talk last year. Back then, there weren’t many online sources of help for things like suicide prevention, drug addiction, or other forms of abuse. Myspace groups were, for many, the go-to place for help and advice. Trolls would show up and bomb the boards with gore pictures and worse, and many of the support groups set their boards to private, making them harder to find.

You know what’s bad? Support groups that are hard to find.

After the boards went into lockdown, someone coded up something called the Lottery Browser, which allowed you to click a button and be dumped into a private group at random. Things became problematic quite quickly after that. Harassment campaigns, targeted attacks, even some individuals who kept a sort of “suicide scoreboard,” claiming they were trying to encourage people to kill themselves for Internet kudos points. Myspace eventually fixed this one, too.

An offshoot from the same group created a few lines of code allowing someone visiting your Myspace profile to be auto-subscribed to your video channel. In practice, this meant that you could see, at a glance, if security researchers or law enforcement were checking you out. This was very common on Myspace, and many local law enforcement officers would create profiles and friend people in their area. Nothing says “burn your hard drives” like Officer Jones showing up on your follow list if you’re up to no good.

Myspace had actually blocked most, if not all, IP trackers on profiles, meaning someone couldn’t send you a bogus link and grab an IP. However, it’s arguably more useful to know specifically who is being subscribed to your video list. One of the solutions to this was adding the video portion of the Myspace URL to your hosts file; Myspace eventually fixed this, too, after I brought it to their attention.

In short, things were a bit of a mess, and while social networks of the time had slowly come to terms with malware attacks and adware vendors, the less visible types of social engineering/trolling were a tough nut to crack.

2009: Goodbye Myspace, Hello Facebook

We’ve done it now. The DeLorean is on fire and the book charts are awash with more Hunger Games and Maze Runners. I refuse to watch Avatar, and Beyonce is all about putting a ring on it. I’m trapped in a land of people slowly losing interest in Myspace, while the “like” counter continues to rise for the somewhat cooler juggernaut that is Facebook.

Look, I am definitely not watching Avatar.

Instead, let me direct you to a diagnosis, because Dr. Boyd detects a terminal lack of Myspace scams in exchange for…Facebook privacy control concerns! Honesty boxes! Phishing! These examples are anecdotal and specific to my own research, but in general 2009 felt like a shift away from the elder network onto a portal increasingly holding all the cards. I’m not sure when I wrote my last batch of “lots of problems on Myspace, and here they are” blog posts, but at this point Facebook and Twitter were the places to be. Sorry, Tom.

No stone left unturned

Actually, we have a dump-truck sized stack of rocks we haven’t poked yet. I didn’t get chance to mention 2005’s Samy worm, the near half a million “private” photos that appeared in a Torrent, the 20 year long collection of independent privacy assessments, or…well…you get the idea.

I love social networks. I think they’re great, for the most part. But the ones we have now probably have just as many problems as the sites we’ve abandoned. The specifics may differ, but ultimately none of them are perfect, and the notion that everything was ideal back in the day is a potentially dangerous one.

Those who ignore history are doomed to stand around next to a crater-shaped DeLorean complaining about Avatar. Thankfully, the music is great.

The post Myspace vs. Facebook: the good old days? appeared first on Malwarebytes Labs.

Week in security (April 09 – April 15)

Last week, we took a look at a malware-campaign called FakeUpdates, methods to use secure instant messaging, the inner workings of a decryption tool, and some Facebook spam campaigns.

We also published our first quarterly Malwarebytes Labs CTNT report of 2018.

Other news

  • A security researcher discovered a flaw in P.F.Changs Rewards website. (Source: AkshaySharmaUS@medium.com)
  • Security Consultant Xavier Mertens described a suspicious use of certutil.exe. (Source: InfoSec Handlers Diary Blog)
  • A significant number of Cisco devices belonging to organizations in Russia and Iran were hacked by a group calling itself JHT. (Source: The Hacker News)
  • Facebook CEO Mark Zuckerberg spoke at a joint hearing of the US Senate judiciary and commerce committees in Washington, DC. (Source: siliconrepublic)
  • A vulnerability in Microsoft Outlook allowed hackers to steal a user’s Windows password. (Source: ThreatPost)
  • A malware gang is going for identity theft and phony tax refunds by targeting CPAs. (Source: Krebs on Security)
  • Researchers sinkholed the infamous EITest infection chain. (Source: SecurityWeek)
  • A Microsoft network engineer was charged with money laundering linked to Reveton computer ransomware. (Source: SunSentinel)
  • Intel has addressed a vulnerability in the configuration of several CPU series that allow an attacker to alter the behavior of the chip’s SPI Flash memory. (Source: Bleeping Computer)
  • An old and flawed Javascript crypto-library could allow Bitcoin theft. (Source: The Register)

Stay safe, everyone!

The post Week in security (April 09 – April 15) appeared first on Malwarebytes Labs.

Hackers Stole a Casino’s High-Roller Database Through a Thermometer in the Lobby Fish Tank

From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses." Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.

Read more of this story at Slashdot.

Are We Taking Our Online Privacy Seriously Enough?

Technology has become the lens through which we perceive and experience day-to-day life. Take the smartphone as an example. What used to be a technological rarity and business-oriented tool has become the nexus of our personal and recreational lives. Pew Research Center has found that more than three-quarters (77 percent) of Americans currently own and […]… Read More

The post Are We Taking Our Online Privacy Seriously Enough? appeared first on The State of Security.

RSA Conference 2018: Fun Telco History in SF

Welcome to SF everyone! As the RSA Conference week begins, which really is a cluster of hundreds of security conferences running simultaneously for over 40,000 people converging from around the world, I sometimes get asked for local curiosities.

As a historian I feel the pull towards the past, and this year is no exception. Here are two fine examples from hundreds of interesting security landmarks in SF.

Chinese Telephone Exchange

During a period of rampant xenophobia in America, as European immigrants were committing acts of mass murder (e.g. Deep Creek, Rock Springs) against Asian immigrants, a Chinese switchboard in 1887 came to life in SF (just before the Scott Act). By 1901 it moved into a 3-tier building at 743 Washington Street. Here’s a little context setting for a Chinese Telephone Exchange being separate from other telephone services in America:

Today when you visit Chinatown in SF you may notice free tea tastings are all around. This is a distant reminder of life 100 years ago, as a San Francisco Examiner report describes in 1901:

Tea and tobacco are always served to visitors, a compliment of hospitality which no Chinese business transaction is complete

At it’s peak of operation about 40 women memorized the names and switching algorithms for 1,500 lines in five dialects of Chinese, as well as English of course. Rather than use numbers, callers would ask to be connected to a person by name.

The service switched over 13,000 connections per day until it closed in 1949. Initially only men were hired, although after the 1906 earthquake only women were. Any guesses as to why? An Examiner reporter in 1901 again gives context, explaining that men used anti-competitive practices to make women too expensive to hire:

The Chinese telephone company was to put in girl operators when the exchange was refitted, and doubtless it will be done eventually. The company prefers women operators for many reasons, chiefly on account of good temper.

But when the company found that girls would be unobtainable unless they were purchased outright, and that it would be necessary to keep a platoon of armed men to guard them, to say nothing of an official chaperon to look after the proprieties, the idea of girl operators was abandoned.

“They come too high,” remarks the facetious general manager, “but in the next century we’ll be able to afford them, for girls will be cheaper then.”

Pacific Telephone Building

One of the first really tall developments in SF, which towered above the skyline (so tall it was used to fly weather warning flags and lights) for the next 40 years, were the Pacific Telephone offices. At 140 Montgomery Street, PacTel poured $4 million into their flagship office building for 2,000 women to handle the explosive growth of telephone switching services (a far cry from the 40 mentioned above at 743 Washington Street).

By 1928, the year after 140 New Montgomery was completed, the San Francisco Examiner declared “with clay from a hole in the ground in Lincoln, California, the modern city of San Francisco has come.”

It was modeled after a Gottlieb Eliel Saarinen design that lost a Chicago competition, and came to life because of the infamous local architect Timothy Pflueger. Pflueger never went to college yet left us a number of iconic buildings such as Olympic Club, Castro Theater, Alhambra Theater, and perhaps most notably for locals, a series of beautiful cocktail lounges created in the prohibition years.

PUBG Ransomware Decrypts Your Files If You Play PlayerUnknown’s Battlegrounds

An anonymous reader quotes Bleeping Computer: In what could only be a joke, a new ransomware has been discovered called "PUBG Ransomware" that will decrypt your files if you play the game called PlayerUnknown's Battlegrounds... When the PUBG Ransomware is launched it will encrypt a user's files and folders on the user's desktop and append the .PUBG extension to them. When it has finished encrypting the files, it will display a screen giving you two methods that you can use to decrypt the encrypted files. Users can unlock it either by entering a secret unlock code displayed on the screen -- or by playing PlayerUnknown's Battlegrounds. The ransomware checks to see if you played PlayerUnknown's Battlegrounds by monitoring the running processes for one named "TslGame"... Once a user plays the game and the process is detected, the ransomware will automatically decrypt the victim's files. This ransomware is not too advanced as it only looks for the process name and does not check for other information to confirm that the game is actually being played. That means you can simply run any executable called TslGame.exe and it will decrypt the files.

Read more of this story at Slashdot.

Recommended Reading: Facebook’s influence on Instagram

Instagram looks like Facebook's best hope
Sarah Frier,
Bloomberg Businessweek

With all the attention on Mark Zuckerberg's visit to DC this week, it can be easy to lose sight of an important detail: Facebook also owns Instagram. Of course, this means it also has access to the photo-sharing app's massive user base. Bloomberg Businessweek has a detailed look at the relationship between the two companies as Instagram approaches 1 billion total users.

Are your Android devices updated? Researchers say maybe no

Probably you don’t know that many Android smartphone vendors fail to roll out Google’s security patches and updates exposing the users to severe risks.

Researchers at Security Research Labs (SRL) that the problem also involves major vendors, including HTC, Huawei, and Motorola.

In some cases, manufacturers roll out incomplete security patches leaving the devices vulnerable to cyber attacks.

“Phones now receive monthly security updates. Installing patches every month is an important first step, but is still insufficient unless all relevant patches are included in those updates. Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks.” reads the blog post published by the SRL team. 

The popular SRL experts Karsten Nohl and Jakob Lell presented the findings of the research at the Hack In The Box security conference in Amsterdam, the Netherlands.

The experts pointed out that that, even if Google is able to install some security patched over-the-air without vendor interaction, in some cases the fixes affect low-level faulty software components, such as drivers and system libraries, and this process needs the involvement of manufacturers.

The experts explained that some Android devices receive only half of the monthly updates, in some cases only from Google and none from the manufacturer.

The following table shows the average number of missing Critical and High severity patches before the claimed patch date (Samples – Few: 5-9; Many: 10-49; Lots: 50)
Experts clarified that some phones are included multiple times with different firmware releases.

android devices patches

Researchers at SRL explained that the only way to discover what is installed on your device is to take a look at what is included in the monthly fixes from Google verify that most important updates are present on the device.

The good news for users is that the failure in patch management is some cases is not enough for an attacker to remotely compromise an Android device and bypass defense mechanisms like Android’s sandbox and ASLR.

“Modern operating systems include several security barriers, for example, ASLR and sandboxing, all of which typically need to be breached to remotely hack a phone.” continues the researchers.

“Owing to this complexity, a few missing patches are usually not enough for a hacker to remotely compromise an Android device. Instead, multiple bugs need to be chained together for a successful hack.”

I suggest you read the research paper for more details.

Pierluigi Paganini

(Security Affairs – Android devices, security patches)

The post Are your Android devices updated? Researchers say maybe no appeared first on Security Affairs.

The Long, Slow Demise of Credit Card Signatures Starts Today

Last year, all four major U.S. payment providers -- Mastercard, Visa, American Express and Discover -- announced plans to remove the requirement that merchants collect signatures for card transactions. Those plans officially go into effect today, or Saturday in the case of Visa. CNET reports: [D]on't despair if you actually like writing your signature at retail stores, because their ultimate demise will likely take a while. The change is only optional, with merchants, not customers, given the new power to decide whether to get rid of signatures. So, if asked to sign, please don't insist to your next cashier that you no longer need to -- it won't work. Also, plenty of retailers will likely want to keep signatures, particularly if their workers are paid based on a lot of tips, or they sell pricey items. Still, the change marks a clear awareness from payment providers that the signature doesn't really work as a strong protector against fraud. The change is being handled a little differently by each payment provider. For instance, Mastercard, Discover and American Express said they'll let retailers make every kind of card payment optional for a signature, regardless of whether you've got a new chip card or you still swipe. Visa, meanwhile, isn't changing its requirements for payments using a swipe card, but it did relax its policy for chip card and contactless payments like Apple Pay. Visa noted that over 75 percent of face-to-face transactions using its cards in North America already don't require a signature, thanks to lower-value transactions.

Read more of this story at Slashdot.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of April 9, 2018

The interviewing process can be mentally draining. You have to look your best, say the right things, and prove that you’re the best person for the job. When I interview candidates, I love to come up with the one crazy question that isn’t on the usual list of questions that might be asked. I probably won’t be able to use it now since I’m going to disclose it here, but here goes: “If you were a tree, what type of tree would you be and why?” I don’t expect candidates to be experts in forestry or dendrology because there is no right or wrong answer, but I do like to hear what people can come up with off the top of their head. If you think that question is weird, how about this one? “Is it ever possible that (a== 1 && a ==2 && a==3) could evaluate to true in JavaScript?” Jasiel Spelman from our Zero Day Initiative came across this question on a post he read that is being asked during interviews at major tech firms. He takes a stab at answering the question in his latest blog: Inverting Your Assumptions: A Guide to JIT Comparisons. You can read it here: https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons. Microsoft Security Updates There are seven new zero-day filters covering four vendors in this week’s Digital Vaccine (DV) package. Microsoft released 67 security patches covering Internet Explorer (IE), Edge, ChakraCore, Windows, Visual Studio, Microsoft Office and Office Services and Web Apps, and the Malware Protection Engine. Of these 67 CVEs, 24 are listed as Critical, 42 are rated Important, and one is listed as Moderate in severity. Seven of these CVEs came through the ZDI program. The following table maps Digital Vaccine filters to the Microsoft updates. You can get more detailed information on this month’s security updates from Dustin Childs’ April 2018 Security Update Review from the Zero Day Initiative:

CVE # Digital Vaccine Filter # Status
CVE-2018-0870 31038
CVE-2018-0871 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0887 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0890 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0892 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0920 31039
CVE-2018-0950 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0956 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0957 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0960 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0963 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0964 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0966 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0967 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0968 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0969 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0970 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0971 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0972 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0973 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0974 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0975 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0976 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0979 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0980 31040
CVE-2018-0981 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0986 31136
CVE-2018-0987 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0988 31041
CVE-2018-0989 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-0990 31061
CVE-2018-0991 31061
CVE-2018-0993 31043
CVE-2018-0994 31044
CVE-2018-0995 31060
CVE-2018-0996 31069
CVE-2018-0997 31076
CVE-2018-0998 31077
CVE-2018-1000 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1001 31075
CVE-2018-1002 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1003 31079
CVE-2018-1004 31080
CVE-2018-1005 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1007 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1008 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1009 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1010 31081
CVE-2018-1011 31074
CVE-2018-1012 31072
CVE-2018-1013 31070
CVE-2018-1014 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1015 31067
CVE-2018-1016 31064
CVE-2018-1018 31060
CVE-2018-1019 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1020 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1022 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1023 31062
CVE-2018-1026 31063
CVE-2018-1027 31066
CVE-2018-1028 31073
CVE-2018-1029 31068
CVE-2018-1030 31071
CVE-2018-1032 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1034 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-1037 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8116 Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2018-8117 Vendor Deemed Reproducibility or Exploitation Unlikely

Zero-Day Filters There are nine new zero-day filters covering five vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website. You can also follow the Zero Day Initiative on Twitter @thezdi and on their blog.

Apple (2)

 

 

  • 31139: ZDI-CAN-5525: Zero Day Initiative Vulnerability (Apple Safari)
  • 31141: ZDI-CAN-5526: Zero Day Initiative Vulnerability (Apple Safari)

Foxit (3)

  • 31143: ZDI-CAN-5527: Zero Day Initiative Vulnerability (Foxit Reader)
  • 31145: ZDI-CAN-5528,5331: Zero Day Initiative Vulnerability (Foxit Reader)
  • 31146: ZDI-CAN-5529: Zero Day Initiative Vulnerability (Foxit Reader)

Hewlett Packard (2)

  • 30919: HTTP: HP Application Lifecycle Management ActiveX Insecure Method Exposure Vulnerability(ZDI-12-170)
  • 31036: HTTPS: HP iNode Management Center iNodeMngChecker.exe Buffer Overflow Vulnerability (ZDI-11-232)

Microsoft (1)

  • 31048: HTTP: Microsoft Office Excel XLSX File Memory Corruption Vulnerability (ZDI-10-025)

Trend Micro (1)

  • 31147: ZDI-CAN-5533,5534: Zero Day Initiative Vulnerability (Trend Micro Encryption for Email Gateway)

Missed Last Week’s News? Catch up on last week’s news in my weekly recap.

The post TippingPoint Threat Intelligence and Zero-Day Coverage – Week of April 9, 2018 appeared first on .

US discusses authorizing cyber attacks outside “war zone”

In a nutshell, traditional definitions of war linked to kinetic action and physical space are being framed as overly restrictive given a desire by some to engage in offensive attacks online. The head of NSA is asking whether reducing that link and authorizing cyber attack within a new definition of “war” would affect the “comfort” of those holding responsibility.

“[On offense] the area where I think we still need to get a little more speed and agility — and as Mr. Rapuano indicated it is an area that is currently under review right now — what is the level of comfort in applying those capabilities outside designated areas of hostility,” Rogers asked out loud.

“I don’t believe anyone should grant Cyber Command or Adm. Rogers a blank ticket to do whatever you want, that is not appropriate. The part I am trying to figure out is what is the appropriate balance to ensure the broader set of stakeholders have a voice.”

Rapuano also referenced challenges associated with defining “war” in the context of cyber, which can be borderless due to the interconnected nature of the internet.

“In a domain that is so novel in many respects, and for which we do not have the empirical data and experience associated with military operations per say particularly outside areas of conflict, there are some relatively ambiguous areas around ‘well what constitutes traditional military activities,'” said Rapuano. “This is something that we are looking at within the administration and we’ve had a number of discussions with members and your staffs; so that’s an area we’re looking at to understand the trades and implications of changing the current definition.”

While I enjoy people characterizing the cyber domain as novel and border-less, let’s not kid ourselves too much. The Internet has far more borders and controls established, let alone a capability to deploy more at speed, given they are primarily software based. I can deploy over 40,000 new domains with high walls in 24 hours and there’s simply no way to leverage borders as effectively in a physical world.

Even more to the point I can distribute keys to access in such a way that is spans authorities and bureaucratically slows any attempts to break in, raising a far stronger multi-jurisdictional border to entry than any physical crossing.

We do ourselves no favors pretending technology is always weaker, not allowing for the prospect of it being stronger, and forgetting that Internet engineering is less novel and more a revision of prior attempts in history (e.g. evolution of transit systems).

Home secretary urges UK businesses to up their game against cyber crime

Cyber crime is a shared responsibility between businesses, industry experts and individuals, the UK home secretary, Amber Rudd, has declared. Speaking at the National Cyber Security Centre’s CyberUK 2018 conference in Manchester on Thursday, Rudd said the UK government is committed to promoting EU cyber cooperation post-Brexit in a new cyber incident classification.

View Full Story

ORIGINAL SOURCE: V3

The post Home secretary urges UK businesses to up their game against cyber crime appeared first on IT SECURITY GURU.

Suppressing the Adversary via Threat Hunt Teams

As the Chief Cybersecurity Officer for Carbon Black, I am witnessing a brave new world in cyberspace. Global cyber insurgencies continue unabated with reports of wide-scale data breaches and politico-hacking happening quickly and often. Personal data and financial information is regularly being hijacked. The energy sector is increasingly vulnerable to risk, with the recent cyberattack on the Energy Services Group (ESG) knocking systems offline.

Here at Carbon Black we firmly believe that decreasing dwell time of these insurgencies is imperative in 2018.  In order to achieve this goal, organisations must embrace the threat huntThe extradition of Russian elite cybercriminal Nikulin is a historic example of this. As a member of the Russian cyber-militia, he had been an influential member for close to a decade. He leveraged his expertise beyond monetary gain to show homage to the regime as a politico-hacker.

It is crucial that every organisation sets up a threat hunt team. The team must be multidisciplinary with experience in e-forensics and penetration testing. These teams must play chess while possessing deep knowledge of geopolitics (understanding the motivation for a cyberattack is paramount.)

It is also paramount to assemble a team of operators who understand that the solution to identifying an active compromise on the network requires knowledge of not only technical solutions (endpoint monitoring, passive network monitoring, memory augmentation), but also knowledge of current exploits, vulnerabilities, threat actor methodology and tactics, techniques and procedures (TTPs).

Firstly, your organisation must develop a threat profile. This will help a hunter know where to prioritise hunting (and ultimately where to start hunting). Secondly, you must apply streaming analytics to unfiltered data. This will allow hunters to sort information faster and enable tools to do the target acquisition for the team. This results in a force multiplier to your hunters. Analytics will predict future attacks via attack origin to survey the root cause of attacks. As a result, teams can anticipate and focus on the organisation’s defensive weaknesses.

As your team gels, you can then develop rapid-response protocols. Deciding when to reveal oneself is critical as counter incident response measures and destructive attacks are becoming the norm. To uphold the security of your organisation through effective threat hunting, it is important the team undertakes the following steps:

  1. Assess threat intel from IPs, domains and hashes applied to historical data.
  2. Query similar threads that are not identical matches in historical data.
  3. Anomaly detection through continuous analysis of unfiltered data from the endpoint.

A threat hunt is most effective when employing both active measures (agents deployed to endpoints) as well as passive measures (netflow, packet capture appliances). User-entity behaviour analytics must be employed as it is critical to baseline “normal” network and host behaviour in a threat hunt; contextualising normal behaviour is the most effective way of determining where an adversary might lie in wait.

A hunter must position themselves on the “high ground”, defined by greater situational awareness. Specifically, the hunter must analyse threat intel from customer IPs, domains and hashes applied to historical data. From that vantage, one must search for similar threads that are not identical matches in historical data. Successful anomaly detection requires continuous analysis of unfiltered data from the endpoint.

Step I: Go Historical. – take in tactical threat intel of domains, hashes, and IPs and be able to search the last 30 days. Hash values may have low false positive rates but they are easy for an attacker to change.  Domains and IPs may have a ton of false positives.

Stage II: Move up the pyramid of pain – change the threat-intel language to move toward TTPs (action or behaviour). Time is a critical component.

Stage III:  Moving to anomaly-based hunting – algorithmic threat hunting; this involves analysing changes in behaviour versus similarities to previously seen.

Threat hunt teams should evaluate users with higher levels of access to a network’s “crown jewels” and subsequently deploy deception grids around these users and hosts. It is important to remember, static defences without massive mobile support died with the Maginot Line. Intrusion suppression is now the name of the game. Happy threat hunting.

The post Suppressing the Adversary via Threat Hunt Teams appeared first on IT SECURITY GURU.

Nation State attacks 500% slower to evict from networks and can remain undetected for years

Cybersecurity specialist Secureworks is today releasing its Incident Response Insights Report.

The global report which pulls from real-world incidents unearths some surprising truths of the cybersecurity landscape; including the most targeted industries and preferred hacking tools used by cybercriminals. The report also hones in on the increasing complexity of nation state attacks.

Let me know if you’d like to speak to the authors of the report, Senior Security Researcher, Mike McLellan and/or Senior Security Researcher, Matthew Webster, who will be able to provide unique insight into the cybercriminal landscape and report findings.

 

Main research findings

 

  • The top three industries most impacted by targeted cyber threats were manufacturing, technology, and government
  • The average time it took to evict nation state attacks was 500% greater than the time to evict non-targeted threats, due to the often entrenched nature of adversaries plus the necessity to fully understand the extent of the threat actor’s capability and access
  • On average, these targeted cyber threats remained undetected in an organisation’s IT networks for 380 days. In fact, Incident responders frequently encountered threat actors that had access to compromised environments for months, sometimes even years
  • Phishing continues to be a hackers’ favorite method for gaining access into organisations. 40% of the incidents Secureworks conducted began with a phishing email
  • Financially-motivated criminal activity far outweighs government-sponsored threat actors and insider threats, with 83% of attacks being financially motivated
  • Compared to North America and the APJ region, organisations within EMEA adopted a far more reactive security approach to cyber threats rather than proactive
  • When a threat actor becomes aware of an eviction attempt, it can quickly become a complex game of ‘cat and mouse’ with threat actors aiming to avoid the attention of the respond

 

Secureworks Incident Response

Secureworks Incident Responders log 250 billion events every day, and help hundreds of organisations navigate through complex and high-risk incidents. This report shares best practices and valuable lessons learned over the past year from real-world incidents, and unearths the risks, remedies, and best practices for defending against cyber threats.

The post Nation State attacks 500% slower to evict from networks and can remain undetected for years appeared first on IT SECURITY GURU.

Outdated security solutions are putting businesses at risk of evolved cyberthreats

The latest trends in cybercrime have seen it all — advanced exploits allegedly developed by high-profile threat actors used in massive ransomware attacks, creativity of spam and phishing attacks on trending topics, and attacks relying heavily on social engineering or legitimate software used as cyber weapons. This evolution of cyberthreats calls for evolution in cybersecurity. The new Kaspersky Endpoint Security for Business is another landmark in this journey: more next generation detection with dynamic machine learning, increased visibility and granular security controls including vulnerability management, credentials protection and integration with EDR.

Next generation technologies in a completely new design

To maintain the highest standards of protection, which have been proven by independent researchers and thousands of customers worldwide, Kaspersky Endpoint Security for Business continues to evolve its detection techniques. This year’s innovation is supported with enhanced dynamic machine learning, allowing the detection of malicious activity in real-time. Other next generation technologies in the product include: Behavioral Detection, HIPS, Exploit Prevention and Remediation Engine.

A variety of broader security controls is supplemented with new capabilities. Those include an added mechanism that guards system-critical processes and prevents credential leakage against the use of mimikatz-like tools. Combined with other measures, this helps to protect businesses from current trending threats, like WannaMine, that hijack computers and use their resources to mine cryptocurrencies.

Vulnerability and Patch Management component allows for automated vulnerability elimination, including detection and prioritisation, patch and update downloads, testing and distribution. This reduces the risk of vulnerabilities in popular software being used by cybercriminals. Due to its automation features, this component also relieves security teams from unnecessary manual routine related to systems management and makes the process transparent.

The completely redesigned user interface visualises layers of protection and security components, showing the status and effectiveness of various next generation technologies — which allows customers to make sure that each protection layer is enabled and working.

Granular security management and complete visibility

Every organisation’s IT is a unique mix of systems, networks and devices — and IT security needs to fit into existing infrastructure and protect every element of it. New Kaspersky Endpoint Security for Business adds a wide variety of security controls for servers that are managed from a single point — including extended protection from ransomware, external traffic protection and Default Deny mode for Microsoft Windows Server, Exploit Prevention and Firewall configuration. These capabilities, available for both workstations and servers, allow for unified security management on the customer’s side.

A new level of visibility is achieved through full native integration with Kaspersky Endpoint Detection and Response. Due to this innovation, Kaspersky Endpoint Security for Business in combination with Kaspersky EDR can be used as an endpoint EDR agent for collection of metadata and IoCs. This innovation benefits businesses’ abilities to conduct a thorough investigation and remediation, should a serious cybersecurity incident occur.

Mobility management improvements include enhanced visibility through monitoring of protection across devices, simplified deployment and management via third-party EMM-systems for Android devices.

Scalability and flexible deployment on the customer’s side

The new version takes another major step towards improving manageability and deployment for customers among larger businesses. The product now brings Enterprise-ready scalability allowing for the management of up to 100,000 endpoints through a single server installation.

Combined with optimised performance and reduced resource consumption in the new light Cloud mode, this makes the product suitable for a company of any size and security needs: from mid segment to large corporations.

Alex Tai, CEO and Team Principal, DS Virgin Racing, comments: ‘We’re excited to partner with Kaspersky Lab. We all know that motorsport comes with inherent risks both sporting and technical, as such it is crucial to have the utmost confidence in every aspect of security and safety. We’re glad to find a trusted partner that takes away our cybersecurity concerns through proven quality of its products and technologies.’

Russ Madley, UK Head of Channel at Kaspersky Lab, says: “The ever-changing threat landscape means every business faces unique risks and challenges, even with the most advanced anti-malware protection in place. As threats continue to grow in complexity, it’s important cybersecurity companies continue to ensure their customers are protected with the most up to date security software. Kaspersky Endpoint Security is the latest addition that will help organisations address the growing number of challenges they face. Businesses can be assured that they will be quickly notified of malicious activity in real-time if a threat is detected.”

The product is available globally under both traditional and subscription licensing. Kaspersky Lab’s partners can address all regional pricing inquiries. More information about Kaspersky Security for Business and particular applications inside each edition is available on the global website.

The post Outdated security solutions are putting businesses at risk of evolved cyberthreats appeared first on IT SECURITY GURU.

Navigating the Tech Industry’s ‘Great Shakeout’: Expert’s Advice for Securely Migrating to the Cloud

All indications suggest organizations’ adoption of the cloud is going to ramp up considerably in the next few years. According to Cisco’s Global Cloud Index: Forecast and Methodology (2016–2021) white paper, cloud data centers will process 94 percent of workloads and compute instances by 2021. Close to three-quarters of those resources will be Software-as-a-Service (SaaS) […]… Read More

The post Navigating the Tech Industry’s ‘Great Shakeout’: Expert’s Advice for Securely Migrating to the Cloud appeared first on The State of Security.

Uber’s 2016 Breach Affected More Than 20 Million US Users

An anonymous reader quotes a report from Bloomberg: A data breach in 2016 exposed the names, phone numbers and email addresses of more than 20 million people who use Uber's service in the U.S., authorities said on Thursday, as they chastised the ride-hailing company for not revealing the lapse earlier. The Federal Trade Commission said Uber failed to disclose the leak last year as the agency investigated and sanctioned the company for a similar data breach that happened in 2014. "After misleading consumers about its privacy and security practices, Uber compounded its misconduct," said Maureen Ohlhausen, the acting FTC chairman. She announced an expansion of last year's settlement with the company and said the new agreement was "designed to ensure that Uber does not engage in similar misconduct in the future." In the 2016 breach, intruders in a data-storage service run by Amazon.com Inc. obtained unencrypted consumer personal information relating to U.S. riders and drivers, including 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver's license numbers, the FTC said in a complaint. Under the revised settlement, Uber could be subject to civil penalties if it fails to notify the FTC of future incidents, and it must submit audits of its data security, the agency said.

Read more of this story at Slashdot.

Lessons in Secrets Management from a Navy SEAL

Good insights from these two paragraphs about the retired Rear Admiral Losey saga:

Speaking under oath inside the Naval Base San Diego courtroom, Little said that Losey was so scared of being recorded or followed that when the session wrapped up, the SEAL told the Navy investigator to leave first, so he couldn’t identify the car he drove or trace a path back to his home.

[…]

…he retaliated against subordinates during a crusade to find the person who turned him in for minor travel expense violations.

You Think Discovering a Computer Virus Is Hard? Try Naming One

Like astronomers who discover new stars, security experts who first identify computer bugs, viruses, worms, ransomware and other coding catastrophes often get to name their finds. Such discoveries now number in the thousands each year, so crafting a standout moniker can be a serious challenge. From a report: Two years ago, German security firm SerNet GmbH figured a punchy name for their bug discovery would give the company a publicity jolt. They called it Badlock, designed a fractured-lock logo and set up a website. The marketing push backfired when some security experts decided Badlock wasn't that bad. Cynical hackers called it Sadlock. "We would not do this again," says SerNet Chief Executive Johannes Loxen of the branding blitz, which he says was overkill because a relatively small number of people were affected by Badlock. Hackers are no fans of marketing. They brand things in their own way. Puns and historic references are the name of the game. "They see it as a kind of grass-roots initiative," says Gabriella Coleman, an anthropologist who teaches courses on hacker culture at McGill University in Montreal. Some venerable names that have stood the test of time: The Love Bug, for the worm that attacked millions of Windows personal computers in 2000, and Y2K, a turn-of-the-century programming scare that didn't live up to its hype. Many names tend more toward geekspeak. The title of hacker magazine 2600 is a tip of the hat to 2600 hertz, the frequency old-school hackers reproduced to trick AT&T phone lines into giving them free calls. Computer worm Conficker is an amalgam of "configure" and a German expletive. Code Red is named after the Mountain Dew drink researchers guzzled while investigating the worm.

Read more of this story at Slashdot.

NIST Cybersecurity Framework Series Part 5: Recover

Following response efforts to a detected cybersecurity incident, CISOs must ensure the organization can recovery quickly.

The best way to stop a cyber attack is to prevent it from taking place in the first place. While this is certainly true, the level of sophistication and persistence seen among today's hackers can often negate this strategy.

A proactive approach to data security is an absolute must, but chief information security officers and their teams must also know how to respond to a threat when it is detected, as well as how to recover after the incident.

Over the course of this series, we've been taking a close look at the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity. This framework includes five functions with the purpose of creating a more unified and standardized approach to infrastructure security. So far, we've covered the first four functions:

  1. Identify.
  2. Protect.
  3. Detect.
  4. Respond.

The final piece of this formula comes in the form of the Recover function.

nist framework

Respond: NIST definition

After a cybersecurity incident has been detected and the CISO and his or her team carry out response efforts in order to contain the threat and mitigate the damage, the next step revolves around recovery.

According to the NIST Framework, the Recover function includes developing and putting procedures in place for resilience, as well as to "restore any capabilities or services that were impaired due to the cybersecurity event."

Similar to the Detect and Respond functions, timeliness is key when it comes to Recover. Any interruption to key systems and services can result in a number of damaging consequences for the business, its employees, as well as its clients and business partners. An inability to access critical data or utilize essential applications and platforms can translate to considerably reduced productivity, missed opportunities to connect with current and potential customers.

The Recover function is imperative, and the ability to carry out the associated actions quickly can help reduce the overall impact and prevent damage to the business's reputation.

Recover: Categories

Efforts connected with the Recover function are just as they are described: The purpose is to ensure that the business can recuperate following an attack, and that any impacted systems are able to rebound and activity can return to normal.

Categories under the Recover function include:

  • Recovery planning: The CISO and his or her stakeholders lead as the recovery plan is carried out. Depending on timing, this can occur while the event is still taking place, or after the incident has ended. Again, the key here is timeliness – any systems or platforms impacted by the incident must be addressed and support restored.
  • Improvements: It's important that lessons learned during the incident are identified and utilized to update and improve upon recovery plans. The CISO and his team should spearhead these efforts, and work to ensure the quickest response and recovery possible.
  • Communications: The final part of this function includes coordinating efforts with internal and external stakeholders, where necessary. The CISO and his or her team should communicate recovery plans and processes with internal managers and the executive team. In addition, communication efforts can include working with internet and managed services providers, technology vendors and other owners of attacked systems to support public relations and mitigate damage to the company's reputation.

According to Federal News Radio contributor Jamie Hynds, response and recovery are two areas in which many businesses should look to improve. A survey from SolarWinds found that 12 percent of companies feel that their response and recovery plans and efforts following detection of an attack were "not at all mature."

Because a cybersecurity incident can result in considerable damage – to company intellectual property, to critical systems used to support daily operations, and to the company's overall reputation – it's imperative that CISOs take the time to ensure that their organization is able to recover effectively after a breach.

"[A]gencies must step up their disaster recovery efforts in the event of a successful threat," Hynds wrote. "Taking days to recover from an attack … is simply not an option."

Recover in the real world: Destructive attacks

While many different types of cybersecurity incidents can be considered damaging, some are more destructive than others. These include, namely, events wherein critical systems are made inaccessible or unusable, as well as when data is compromised or removed. In the cases of these particularly calamitous attacks, a quick recovery that includes the fast restoration of any impacted systems is critical.

One instance that illustrates this revolves around distributed-denial-of-service attacks. During these events, hackers bombard systems with a flurry of requests to overwhelm and crash it. In this way, the supported website or platform is inaccessible and unusable.

Last year saw one of the largest DDoS attacks to date against GitHub. Attackers hit the website with 1.35 Tbps of traffic, surpassing the former largest DDoS to date at 1.2 Tbps. As Trend Micro reported, these already damaging instances are becoming increasingly dangerous, as hackers have begun including ransom notes demanding cryptocurrency payments within the flood of traffic.

In these cases, the ability of the organization to recover quickly is imperative. Interruption to website access of this kind can reflect poorly on the business and heavily impact its overall reputation. This is particularly true when the website supports client-facing functions – restoring access to these in as streamlined a manner as possible can help mitigate the damage.

Another particularly destructive attack came in the form of the NotPetya attack, which presented itself as a typical ransomware infection – but was far more dangerous. As Trend Micro pointed out, this threat was especially vicious as the malware was able to use forced backdoor and other strategies to spread on its own. What's more, as opposed to traditional ransomware motivated by financial gain, NotPetya simply worked to destroy, breaking systems whether or not victims paid the ransom.

"It looks like ransomware, complete with a screen informing the victim that they can decrypt their files if they send Bitcoin to a specified wallet," CSO Online contributor Josh Fruhlinger explained. "[O]n computers infected with NotPetya, this number is just randomly generated and would be of no help in identifying anything. And it turns out that in the process of encrypting the data, NotPetya damages it beyond repair."

NotPetya provides a perfect example of the importance of a quickly-executed recovery plan. The faster an organization is able to recover following an attack, the less damage hackers are able to inflict on the business, its customers and partners, and its brand reputation.

"Are you sure you really recovered?" asked Ed Cabrera, Trend Micro Chief Cybersecurity Officer.  "This is one of the hardest questions that CISOs have to answer when recovering from a data breach or cyber attack.  The current threat of destructive digital extortion attacks requires organizations to have comprehensive disaster recovery plans."

The NIST Framework can provide a valuable series of steps and processes for CISOs and their stakeholders to follow in order to shore up and unify their cybersecurity plans. To find out more about how to build out your company's infrastructure protection procedures and solutions, connect with the experts at Trend Micro today.

The post NIST Cybersecurity Framework Series Part 5: Recover appeared first on .

Radware Blog: Can Security Be Efficient Without Expertise or Intelligence?

Threats evolve fast, don’t lag behind! I recently returned from a business trip to an exotic destination, which is also a massive emerging market depending on how you look at it. The folks I’ve met do not seem to face other challenges than what you see in mature markets, but I could easily relate to […]

The post Can Security Be Efficient Without Expertise or Intelligence? appeared first on Radware Blog.



Radware Blog

SAP April 2018 Security Patch Day address critical flaws in web browser controls in SAP Business Client

SAP released the April 2018 Security Patch Day, a collection of ten security patches that also address critical vulnerabilities in web browser controls in SAP Business Client.

SAP also released 2 updates to previously released security notes, one note was rated Hot News, 4 were rated High Priority, and 7 were rated Medium Priority.

The most common vulnerability type is Implementation Flaw.

April 2018 Security Patch Day

Below the list of security notes released on the April 2018 Security Patch Day:

Note# Title Priority CVSS
2622660 Security updates for web browser controls delivered with SAP Business Client
Product – SAP Business Client, Version – 6.5
Hot News 9.8
2587985 Denial of Service (DOS) in SAP Business One
Related CVE – CVE-2017-7668
Product – SAP Business One, Versions – 9.2, 9.3
High 7.5
2376081 Update to Security Note released on August 2017 Patch Day: Code Injection vulnerability in Visual Composer 04s iviews
Product – SAP Visual Composer, Versions – 7.00, 7.01, 7.02, 7.30, 7.31
High 7.4
2552318 Update 1 to Security Note 2376081
Product – SAP Visual Composer, Versions – 7.00, 7.01, 7.02, 7.30, 7.31
High 7.4
2537150 [CVE-2018-2408Improper Session Management in SAP Business Objects – CMC/BI Launchpad/Fiorified BI Launchpad
Product – SAP Business Objects
Versions – 4.0, from 4.10, from 4.20, 4.30
High 7.3
2614141 [CVE-2018-2409Improper session management when using SAP CP Connectivity Service and Cloud Connector
Product – SAP Cloud Platform Connector
Version – 2.0
Medium 6.3
2595800 [CVE-2018-2403Multiple Security Vulnerabilities in SAP Disclosure Management
Related CVEs – CVE-2018-2404CVE-2018-2412CVE-2018-2413
Product – SAP Disclosure Management
Version – 10.1
Medium 5.4
2372688 [CVE-2018-2405] Cross-Site Scripting in Solution Manager Incident Management Workcenter
Product – SAP Solution Manager
Versions – 7.10, 7.20
Medium 5.4
2582870 [CVE-2018-2410Cross-Site Scripting (XSS) Vulnerability in SAP Business One Browser Access
Product – SAP Business One
Version – 9.20, 9.30
Medium 5.4
2201710 Update to Security Note released on September 2015 Patch Day:Fixing Logjam and Alternative chains certificate forgery vulnerabilities in multiple SAP products
Product – Sybase PowerBuilder, Version – 12.6
Product – SMP, Version – 2.3
Product – Agentry, Version – 6.0
Product – SAP Open Switch, Version – 15.1
Product – SAP Open Server, Versions – 15.7, 16.0
Product – SDK for SAP ASE, Version – 16.0
Product – SYBASE SOFTWARE DEV KIT, Version – 15.7
Product – SYBASE IQ, Version – 15.4
Product – SAP IQ, Version – 16.0
Product – Sybase SQL Anywhere, Versions – 12.0.1, 16.0
Product – SAP SQL Anywhere, Version – 17.0
Product – SAP SQL Anywhere OnDemand, Version – 1.0
Product – SAP ASE, Versions – 15.7, 16.0
Product – SAP Replication Server, Version – 15.7
Product – SYBASE ECDA, Version – 15.7
Product – SAP HANA Smart Data Streaming, Version – 1.0
Product – SAP Complex Assembly Manufacturing, Version – 7.2
Product – SAP Data Services, Version – 4.2
Medium 5.4
2560132 [CVE-2018-2406Unquoted windows search path vulnerability in Crystal Reports Server, OEM Edition
Product – SAP Crystal Reports Server, OEM Edition
Versions – 4.0, 4.10, 4.20, 4.30
Medium 5.3
2598687 Missing XML Validation vulnerability in SAP Control Center and SAP Cockpit Framework
Related CVE – CVE-2009-3960
Product – SAP Control Center and SAP Cockpit Framework
Medium 4.3

The most severe note, tracked as 2622660, addresses multiple issues in the web browser controls used to display pages in SAP Business Client 6.5 PL5. The vulnerabilities affect the browser controls for Microsoft’s Internet Explorer (IE) and the open source Chromium.

“The bugs concern vulnerabilities in web browser controls that are used to display pages in SAP Business Client 6.5 PL5. Web browser controls are programmable building blocks that software developers use to embed web pages in their applications.” reads the analysis of the Onapsis firm.

“The latter has been determined to show multiple weaknesses like memory corruption, information disclosure and more. Although the SAP note does not explicitly mention it, similar security flaws can be expected for IE,”

The April 2018 Security Patch Day also addresses a DoS flaw, tracked as CVE-2017-7668, in SAP Business One.

“An attacker can use Denial of service vulnerability for terminating a process of a vulnerable component.” reads the analysis published by the firm ERPScan. “For this time nobody can use this service, this fact negatively influences on a business processes, system downtime and business reputation as result. Install this SAP Security Note to prevent the risks.”

SAP also fixed an improper session management (CVE-2018-2408) affecting SAP Business Objects.

SAP also addressed a code injection vulnerability in SAP Visual Composer that could be exploited by attackers to inject code into the back-end application by sending a specially crafted HTTP GET request to the Visual Composer.

 

Pierluigi Paganini

(Security Affairs – April 2018 Security Patch Day, SAP)

The post SAP April 2018 Security Patch Day address critical flaws in web browser controls in SAP Business Client appeared first on Security Affairs.

Holding Facebook Executives Responsible for Crimes

Interesting write-up on Vox about the political science of Facebook, and how it has been designed to avoid governance and accountability:

…Zuckerberg claims that precisely because he’s not responsible to shareholders, he is able instead to answer his higher responsibility to “the community.”

And he’s very clear, as he says in interview after interview and hearing after hearing, that he takes this responsibility very seriously and is very sorry for having violated it. Just as he’s been sorry ever since he was a first-year college student. But he’s never actually been held responsible.

I touched on this in my RSA presentation about driverless cars several years ago. My take was the Facebook management is a regression of many centuries (pre-Magna Carta). Their primitive risk control concepts, and executive team opposition to modern governance, puts us all on a path of global catastrophe from automation systems, akin to the Cuban Missile Crisis.

I called it “Dar-Win or Lose: The Anthropology of Security Evolution

It is not one of my most watched videos, that’s for certain. Talks where I framed the risk from AI code as poetry, an aesthetic performance failure, always garner far more attention than my references like this one to human behavior and anthropology.

How to Fix a Hacked WordPress Site

Getting hacked is among the most discouraging experiences you’ll deal with as a website owner. No matter how secure your site is, there is always a chance that your site may get hacked. According to Forbes, about 30,000 websites are hacked every day, and who knows if/when hackers will target your site next. Many new […]… Read More

The post How to Fix a Hacked WordPress Site appeared first on The State of Security.

Ex GCHQ Director formally joins the advisory board of Immersive Labs

Immersive Labs has today confirmed ex-GCHQ Director, Robert Hannigan, as chairman of its advisory board. This is a key appointment for Immersive Labs, given Robert’s excellent understanding of the cyber threat landscape both in the UK and globally. It is also a strong endorsement of Immersive Labs innovative gaming approach to cyber security training and talent retention with someone of Robert’s calibre joining the organisation.

During his tenure as director of GCHQ, a number of key initiatives were introduced, including the formation of the National Cyber Security Centre (NCSC) which was part of Robert’s long-term cyber security strategy to improve the UK’s cyber defence – the first of its kind in the UK.

Today the NCSC continues to collaborate with the UK’s defence and intelligence agencies, as well as international partners, feeding into Robert’s vision to make the UK one of the safest places to live and do business online.

In recent years, Robert’s focus has included efforts to fill the cyber skills gap. He has always been a staunch advocate of the Immersive Labs practical learning environment, previously stating:

“Identifying, developing and measuring practical cyber security skills is the great challenge for all companies today. The Immersive Labs approach is the most exciting thing I’ve seen in this space: scalable, agile and appropriate to the way a new generation learns. It has the potential to disrupt and transform this crucial market.”

Welcoming Robert to Immersive Labs advisory board, its CEO James Hadley said, “It’s fantastic to welcome Robert onto the Immersive Labs team. He is a perfect fit to lead our advisory board, having already been instrumental in helping us grow our academies as well as our commercial proposition.”

Immersive Labs is exhibiting at the RSA conference in San Francisco next week, demonstrating its game changing enterprise skills platform. Visit www.immersivelabs.com to find out more.

The post Ex GCHQ Director formally joins the advisory board of Immersive Labs appeared first on IT SECURITY GURU.

Sharing the Journey to GDPR Compliance

Customer data is everything at Trend Micro. As a global cybersecurity leader, protecting customer data is what we do for a living, which is why it’s important for us to put into practice what we talk to our customers about.

As a demonstration of our commitment to protecting our millions of customers, we treat all of our sensitive customer data as if it were our own. We implement the same security practices that we recommend to our customers, and take the same stance on protecting data that we believe they should take. This means that we are leveraging state-of-the-art security capabilities – many of our own – across the company, combined with updated policies, procedures, and employee awareness.

With this philosophy in place, security has evolved at Trend Micro to the point of not just saying no – we’re now able to confidently say “yes” to new and exciting projects , and we want our customers to be able to do the same. Something which is rarely talked about is that the GDPR can be about the potential of being able to do more, enabling more business opportunities faster than ever before.

The GDPR is also giving us the opportunity to show our customers that we’re driving the same road to compliance that they are. We’re not just trying to sell them state-of-the-art solutions that may help with compliance; we are a large company that specializes in security and we are implementing the same processes as they do. In sharing our journey to GDPR compliance, we are hoping to show our customers the benefits and the results of this process.

Watch the video to hear from our COO, Kevin Simzer, on how we value protecting customer data, and how we implement the same measures that we talk about to our customers.

Video Schedule

4/18 – HR: See how the GDPR affects our employees, and what we’ll do to ensure they have a good understanding of the regulation.

4/25 – Marketing Operations: Learn how our Marketing Operations team ensures that our customer data is protected across all external platforms.

5/2 – Products and Services: Hear from Bill McGee, SVP Cloud Security, on how we’re always evolving to deliver state-of-the-art capabilities in our products, and how we help our customers deliver their portion of the shared security responsibility of cloud environments.

5/9 – Sales and Channel Enablement: See how important it is that our existing partners understand GDPR, and how we help them find the tools needed to achieve GDPR compliance.

The post Sharing the Journey to GDPR Compliance appeared first on .

AMD and Microsoft release microcode and operating system updates against Spectre flaw

AMD released patches for Spectre Variant 2 attack that includes both microcode and operating system updates. AMD and Microsoft worked together to issue the updates on Tuesday.

AMD and Microsoft released the microcode and security updates for Spectre vulnerabilities.

The Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

amd spectre flaw

Meltdown attacks trigger the CVE-2017-5754 vulnerability, while Spectre attacks the CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). According to the experts, only Meltdown and Spectre Variant 1 can be addressed via software, while Spectre Variant 2 required an update of the microcode for the affected processors. Software mitigations include.

AMD released patches for Spectre Variant 2 attack that includes both microcode and operating system updates. AMD and Microsoft worked together to issue the updates on Tuesday.

“Today, AMD is providing updates regarding our recommended mitigations for Google Project Zero (GPZ) Variant 2 (Spectre) for Microsoft Windows users. These mitigations require a combination of processor microcode updates from our OEM and motherboard partners, as well as running the current and fully up-to-date version of Windows.” reads the announcement published by AMD. “For Linux users, AMD recommended mitigations for GPZ Variant 2 were made available to our Linux partners and have been released to distribution earlier this year.”

Microsoft initially released Spectre security patches for AMD-based systems in January, but it was forced to suspend them due to instability issues.

AMD experts highlighted that is quite difficult to exploit the Spectre Variant 2 on AMD chips, for this reason, it worked with partners to provide a combination of microcode and OS updates.

“While we believe it is difficult to exploit Variant 2 on AMD processors, we actively worked with our customers and partners to deploy the above described combination of operating system patches and microcode updates for AMD processors to further mitigate the risk,” continues the announcement.

AMD customers can install the microcode by downloading BIOS updates provided by manufacturers, while Windows 10 updates are included in the Microsoft April Patch Tuesday.

Windows 10 updates released by Microsoft on Tuesday include Spectre Variant 2 mitigationsfor AMD devices. According to AMD, the support for these mitigations for AMD processors in Windows Server 2016 is expected to be available following final validation and testing.

For Linux systems, AMD states that mitigations for GPZ Variant 2 were made available to its Linux partners and have been released to distribution earlier this year.

Pierluigi Paganini

(Security Affairs – Microsoft, Spectre)

The post AMD and Microsoft release microcode and operating system updates against Spectre flaw appeared first on Security Affairs.

New authentication standards aim to make the web more secure

A pair of authentication standards published this week have received endorsement from Mozilla, Microsoft and Google: the WebAuthn API, and the FIDO Alliance’s Client-to-Authenticator Protocol. The aim of WebAuthn and CTAP is to offer an authentication primitive that doesn’t rely on server-stored passwords, since a user’s fingerprint or even their unlock pattern is safer for both user and Web site owner.

View Full Story

ORIGINAL SOURCE: The Register

The post New authentication standards aim to make the web more secure appeared first on IT SECURITY GURU.

Cloud adoption placed on hold

Enterprises are adopting the cloud much faster than their security teams can keep up – and misunderstanding about cloud environments is pervasive. The 2018 Enterprise Cloud Trends Report from iboss surveyed IT decision makers and office workers in US enterprises and found that 64% of IT decision makers believe the pace of software as a service (SaaS) application adoption is outpacing their cybersecurity capabilities.

View Full Story

ORIGINAL SOURCE: Infosecurity Magazine

The post Cloud adoption placed on hold appeared first on IT SECURITY GURU.

UK Govt clamping down on Dark Web crime

The National Cyber Security Centre’s CYBERUK conference in Manchester will be the backdrop for the launch of a £9m fund to increase cyber capabilities and tackle organised crime online, focusing on those who use anonymous and hidden online services for illegal activities such as hacking, people trafficking, selling weapons and drug dealing.

View Full Story

ORIGINAL SOURCE: Sky News

The post UK Govt clamping down on Dark Web crime appeared first on IT SECURITY GURU.

Facebook warned of Russian hacking back in 2016

Facebook detected Russian government hackers targeting the Facebook accounts of campaign officials before the 2016 presidential election, Mark Zuckerberg revealed during a congressional hearing on Tuesday.

View Full Story

ORIGINAL SOURCE: Motherboard

The post Facebook warned of Russian hacking back in 2016 appeared first on IT SECURITY GURU.

YouTube videos hacked

A number of high-profile music videos disappeared from YouTube and had their titles and hold images defaced, after the video streaming website was targeted by hackers. This includes the most viewed video of all time ‘Despacito’ by Luis Fonsi and Daddy Yankee.

View Full Story

ORIGINAL SOURCE: Guardian

The post YouTube videos hacked appeared first on IT SECURITY GURU.

Bitdefender survey shows Right Size EDR, not SOC needed to address Security Flaws

Bitdefender, a leading global cybersecurity technology company protecting 500 million users worldwide, today announced the results of its latest survey, showing that more than half of CISOs worldwide (65 percent UK) are worried about a global skills shortage. Sixty-nine percent of respondents around the globe also reported that their team is under resourced, with more than half of respondents in all markets but Italy reporting that their IT security team is too small. Seventy-two percent of information security professionals admitted that their IT team experienced agent and alert fatigue, and 33 percent of UK respondents said their budget could not accommodate infrastructure expansion.

 

The Bitdefender survey explores CISOs’ needs in the prevention-detection-response-investigation era and reveals how the lack of visibility, speed, and personnel affects the development of stronger security practices in companies with both over-burdened and under-resourced IT teams. The survey polled 1,050 people responsible for purchasing IT security within companies in the US and Europe.

 

Half of the CISOs surveyed worldwide admitted their company was breached in the past year, but one sixth of those respondents don’t know how the breach occurred. Fifty-seven percent of UK respondents had experienced an advanced attack or malware outbreak. One quarter of all respondents expect this issue to continue, and think their company is likely to face an ongoing security breach without them knowing it. Using existing security tools, UK CISOs believe 63 percent of advanced attacks can be prevented, detected, and isolated, but anticipate it would take three weeks to detect any such attack.

 

With the global cost of cybersecurity breaches expected to reach $6 trillion by 2021, analysts have seen companies’ security spending start migrating from prevention-only approaches to focus more on detection and response. Gartner expects that spending on enhancing endpoint detection and response (EDR) capabilities will become a key priority for security buyers through 2020.

 

Better tools needed for rapid detection and response

CISOs agree that prevention is faulty, but investigation is a burden. EDR capabilities can provide improved detection and response approaches to prolific security incidents, and using automation can help to address the global shortage of cybersecurity professionals. Specifically, EDR tools best fit resource-strapped businesses with lean IT teams that operate without a Security Operation Center (SOC). However, half of IT executives worldwide said that managing EDR tools is difficult or very difficult. In both the US and UK, 49 percent of all endpoint alerts triggered by monitoring and response techniques turned out to be false alarms. Sixty-nine percent of UK respondents in companies with no SOC said speed to investigate suspicious activities is one of their toughest challenges. Spotting an ongoing breach also means fighting alert fatigue caused by noisy traditional security solutions. It’s a race against time when filtering security alerts, which can be especially difficult if the organization is understaffed and overburdened. 38% of UK respondents, and one third of respondents across all markets, said that lack of proper security tools is the main obstacle that prevents rapid detection and response during a cyberattack.

 

Time is of the Essence

On average, 82 percent of security professionals in Europe and the US say that reaction time is a key differentiator in mitigating cyberattacks. CISOs attest that time is of the essence when isolating the incident to prevent spreading (68 percent), identifying how the breach occurs (55 percent), and evaluating losses and the impact of the breach (51 percent). CISOs agree that delayed response to a cyber incident can also make it harder to accurately identify the initial time of attack and assess the timeframe (30 percent), understand the motivation for the cyberattack (19 percent), or improve the incident response plan for future attempts (17 percent).

 

“Today’s resource- and skill-constrained IT security teams need an endpoint detection and response (EDR) approach that allows for less human intervention and a higher level of fidelity in incident investigations,” Bitdefender’s VP of Enterprise Solutions Harish Agastya said. “EDR for everyone can be achieved through a funnel-based approach of prevention-detection-investigation-response, leaving the EDR layer to focus on threats further down the funnel in the unknown or potential threat category, and IT teams to focus solely on the alerts and tasks that are truly significant.”

 

Bitdefender security specialists strongly advise enterprise CISOs consider: the importance and value of an integrated prevent-detect-investigate-respond-evolve approach to endpoint security.

 

  • Prevent: block all known bad and a high percentage of unknown bad automatically at pre-execution and on-execution layers without needing manual intervention
  • Detect: Gain visibility into suspicious events that could lead to an attack early by built-in intelligence from threat protection engines and analysis of a stream of behavioral events from an endpoint event recorder
  • Investigate: aided by root cause and contextually relevant information on the class of threat that is detected (via the built-in intelligence), the reason of detection (via threat analytics), and ultimate verdict (via an integrated sandbox)
  • Respond: via intuitive incident response interface that enables remedial actions immediately and widely across the enterprise without needing deep expertise
  • Evolve: enables the feedback loop from current detection to future prevention via in-place policy tuning and fortification

The post Bitdefender survey shows Right Size EDR, not SOC needed to address Security Flaws appeared first on IT SECURITY GURU.

Patch Tuesday Commentary, Chris Goettl, Director of Product Management, Security at Ivanti

Microsoft has released updates today including 65 vulnerability fixes.  While there are no Zero Day exploits in the April patch release, there were a couple of Zero Days identified between March and April Patch Tuesdays, which we will mention in a moment.  There is one public disclosure this month in SharePoint Server. The challenging aspect of this month is that there are enough critical vulnerabilities in the Operating System, browser updates, and in Office that all three should be prioritized.

While the CVE-2018-1038 vulnerability was identified between March and April Patch Tuesday’s, it should be a top priority for anyone who has Windows 7 for x64-based Systems or Windows Server 2008 R2 for x64-based Systems. If you have installed any of the servicing updates released during or after January 2018, you need to install 4100480 immediately to be protected from this Elevation of Privilege vulnerability.

Microsoft also released an update to the Malware Protection Engine that resolved a remote code execution vulnerability that was identified. The fix for this is simply to update to the latest definitions. For the majority of environments using Microsoft’s Malware Protection Engine, this would have happened automatically. In the article, they identify the minimum definition version needed to resolve this issue, which is Version 1.1.14700.5.

There are multiple critical vulnerabilities in the Windows Operating System, Internet Explorer and Edge browsers, and on Office this month.  There are a few critical kernel vulnerabilities resolved, several Microsoft graphics and TrueType font driver vulnerabilities resolved and a host of critical browser vulnerabilities resolved.

Microsoft has lifted the AV compliance key from the rest of the Windows OS updates in all but some vaguely mentioned edge cases. If you recall, the introduction of the Meltdown\Spectre mitigation updates caused a number of blue screens on systems running AV engines that were interacting with the kernel in unexpected ways.  Microsoft introduced this key to prevent the blue screen scenarios from occurring, but required customers to jump through hoops if their AV vendor did not apply the key or if they were not running AV on a system. That restriction is now fully removed.

On the non-Microsoft front Adobe has released several updates today including an update for Adobe Flash Player.  The Flash update resolves three critical vulnerabilities and three important vulnerabilities. Adobe Flash Player can show up in many forms on a single system. It can be installed on the system and as a plug-in in the major browsers, so to fully plug these vulnerabilities you may need to apply multiple updates on a single system.

Oracle is going to be releasing their quarterly Critical Patch Update next week on Tuesday, April 17th.  Expect an update for Java. We strongly urge rolling out Java updates as they release. Java may not be as highly targeted as it once was, but it is still a low-hanging fruit target for Threat Actors. The recent SamSam Ransomware attacks are good examples. SamSam is able to exploit a variety of software vulnerabilities including some in Java. Attackers know that Java is one of those products that lags behind updates, leaving a number of exploits open.

The post Patch Tuesday Commentary, Chris Goettl, Director of Product Management, Security at Ivanti appeared first on IT SECURITY GURU.

Are you ready to handle the Crisis Comms when you get breached?

You are just about to go to sleep when you get a text from your SOC team: code RED. They have discovered your company has suffered a serious breach and you need to decide what to do.  At this point, you are either in the position of having prepared for such an event and your team will follow checklists and playbooks. As part of this process, the team will inform the appropriate Execs on what the situation is and they will be ready to communicate the right information to the people who need to know using a tried and tested Crisis Comms plan. OR you do not have a plan, let alone a tested one, and panic mode sets in….

 

I am not going to go into all the reasons why you need to be prepared to handle Crisis Communications during a cyber incident, the most important thing to know is that it will make the difference between your organisation’s reputation and brand being damaged far more than it needs to be.   The other key issue is that how the breach notification process is handled could make a massive difference to mitigating the fine from regulators.

 

So what Crisis Communications plans and processes do you need to have in place to handle a breach?  Firstly, a cross functional crisis management team (including the board) needs to be established.  From there, a monitoring strategy can be put in place to mandate who is responsible for determining when an incident has occurred and how serious it is as well as a developing a plan for the crisis – which may work best as a series of checklists or a playbook.

 

Some important things at this point to consider are how to prepare for different breach scenarios (ie is it employee or customer data affected? IP theft? Ransomware? etc…).  This will influence your strategy with the different audiences.  Don’t forget to do practice runs with your internal and external comms teams and include media training where necessary.

 

Once you have done the ground work what goes into a comms plan?

 

  • Prepare crisis checklist to deal with potential scenarios
  • Create a timeline so everyone knows who will do what when
  • Team consults with legal and forensics team to determine what incident it is and establish who it affects
  • Can you keep it under wraps? (hint: this is not usually an option!!)
  • What are your regulatory responsibilities to disclose?
  • Which stakeholders are affected?
  • Who is responsible for communicating with each group and in what order?
  • If a regulator is involved, how can you minimise a fine by demonstrating appropriate action taken?
  • If customers are involved, what is the impact on them and how should they be informed?
  • If the press are involved, how will you manage the communications?

 

It is also important to note that social media can exponentially increase if not responded to quickly and appropriately, so it will need to be determined who is responsible for these interactions.  Keep in mind that messages must be consistent, so you will need to brief managers and employees, especially customer facing teams.  In addition, it will be helpful to prepare:

 

  • An FAQ on incident scenarios
  • Media trained spokespeople
  • An external comms plan with statements on anticipated likely breach scenarios developed by team
  • An internal comms plan

 

Check and review these plans quarterly with the team to see if your organisation’s risk profile has changed.

 

Finally, breathe; keep Calm and Carry on and you will get through it.  It is not a case of if, it is a case of when a breach will happen in your organisation. As breaches become more common, what counts is how you handle them that will set you apart as a leader in your organisation (and worthy of having that place at the boardroom table!)

 

If you would like to get some first-hand advice, I am organising a panel on Crisis Communications in a post-GDPR world at the IT Security Analyst and CISO Forum’s CISO Debates 2018 on Wednesday 2nd May 2018 in London.

 

With the EU’s General Data Protection Regulation (GDPR) on the horizon, what does the board need to make sure they are communicating to employees, customers and stakeholders should the worst happen and a data breach occurs? This discussion will offer best practice advice, what to steer clear of and when to notify when dealing with a data breach event.

 

Moderator: Lee Munson

Neil Stinchcombe, Eskenzi PR

Jonathan Armstrong, Partner, Cordery

Mark Deem, Partner, Cooley (UK) LLP

Sue Milton, Managing Director, SSM Governance Associates

 

Register for free here: https://www.eventbrite.ie/e/it-security-analyst-and-ciso-forums-ciso-debates-2018-tickets-43847984502?aff=es2

The post Are you ready to handle the Crisis Comms when you get breached? appeared first on IT SECURITY GURU.

Microsoft April Patch Tuesday – Update your system now to avoid being hacked by visiting a site

 

Microsoft has released April Patch Tuesday security updates that address 66 vulnerabilities, five of them could be exploited by an attacker to compromise a PC by just tricking the victims into visiting a website or opening a specifically crafted file.

Hackers can compromise your computer just visiting a malicious website or clicking a malicious link.

Microsoft has released April Patch Tuesday that addresses 66 vulnerabilities, 24 of which are rated critical and five of them could be exploited by an attacker to compromise a PC by just tricking the victims into visiting a website or opening a specifically crafted file.

Microsoft April Patch Tuesday includes the fix for five critical remote code execution vulnerabilities in Windows Graphics Component (CVE-2018-1010-1012-1013-1015-1016) that are related to improper handling of embedded fonts by the Font Library.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” reads the advisory for the CVE-2018-1013.

“An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine.”

The flaws were discovered by Hossein Lotfi, a security researcher at Flexera Software. and affect all versions of Windows OS to date.

Microsoft also addressed a denial of service vulnerability in Windows Microsoft Graphics that could be exploited by an attacker to cause a targeted system to stop responding. This vulnerability tied the way Windows handles objects in memory.

Microsoft April Patch Tuesday also addressed a critical RCE vulnerability, tracked as CVE-2018-1004, that resides in the Windows VBScript Engine and affects all versions of Windows.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” read the security advisory published by Microsoft.

April Patch Tuesday

Microsoft security updates also address a total of six vulnerabilities in Adobe Flash Player, three of which were rated critical.

Users need to apply security updates as soon as possible to protect their systems.

Pierluigi Paganini

(Security Affairs – Microsoft April Patch Tuesday, hacking)

The post Microsoft April Patch Tuesday – Update your system now to avoid being hacked by visiting a site appeared first on Security Affairs.

Hackers Defaced Some of Vevo’s Most Popular Music Videos

Yesterday hackers managed to deface a number of music videos listed on multiple VEVO YouTube channels.

Some of the affected content included the 2017 hit song, and currently most-watched YouTube video of all times, ‘Despacito’ by Luis Fonsi and Daddy Yankee. After recently becoming the first video in the YouTube history to top over the 5-billion views milestone, the Spanish-language song was briefly taken down by the hackers. Tens of other musical videos posted by VEVO featuring high-profile pop icons such as Shakira, Drake, Taylor Swift, Chris Brown, Maroon 5, Adele, DJ Snake, Katy Perry were also affected by the cyber-attack. All defaced videos were from VEVO accounts on YouTube.

The hackers who call themselves with nicknames Prosox and Kuroi’SH managed to change the thumbnails of some of the music videos with an intimidating gang image from the Netflix TV show called Casa de Papel (also known as Money Heist). The pictures showed a group of people wearing masks and pointing guns. The cyber gang also included various politically influenced slogans such as ‘Free Palestine ‘ and added their nicknames to the titles of some VEVO videos. Briefly, VEVO’s front page was retitled to “X – Hacked by Kuroi’SH & Prosox.”

After spotting the unusual activity, YouTube and VEVO worked hand in hand to contain the situation. The identities of the hackers who performed the cyber-attack are currently unknown. Hours after the incident Google-owned YouTube released a statement reminding its users that even though VEVO videos are on YouTube, and Google has roughly 7% stake at VEVO, VEVO does not belong to YouTube, and YouTube was not hacked. Briefly explained, YouTube is a platform that allows everyone to upload content, and VEVO is a joint venture run by Universal Music Group, Warner Music Group, and Sony Music Entertainment. VEVO keeps its content on separate servers, and only lists music videos of performers contracted with Universal Music Group and Sony Music Entertainment.

The videos are then syndicated to YouTube and VEVO website.

After a particularly rough night for VEVO, the situation is currently under control! Earlier today the American video hosting service provider released a statement confirming the defaced videos are back on their website. Our investigation shows the view counters on YouTube were not affected either, and after the brief take-down Despacito rose from the ashes to continue being the most watched YouTube video ever.

While things may be back to normal for VEVO, the hackers who claimed responsibility for the breach are aiming shots at many video influencers and even at YouTube’s CEO. In a tweet sent yesterday, they claimed that they’ve managed to access the accounts of Colombian singer Shakira and video-sharing website’s CEO Susan Wojcicki. The Twitter account that made the claims was later suspended. Currently, there is no proof that any of these statements are true.

Even though this looks like a prank, it shows how vulnerabilities could be used against people and businesses. Panda security reminds you of the importance of having quality antivirus software installed on all your connected devices. The better equipped you are, the harder it will be for hackers to gain access to information stored on your cell phone, tablet, laptop, Mac or a PC.

Download your Antivirus

The post Hackers Defaced Some of Vevo’s Most Popular Music Videos appeared first on Panda Security Mediacenter.

Adobe April Security Bulletin Tuesday fixed 4 critical flaws in Flash

Adobe April Security Bulletin Tuesday is out, the company has addressed four critical vulnerabilities in the Flash Player.

Adobe April Security Bulletin has addressed a total of 19 vulnerabilities in its products, including Flash Player, Experience Manager, InDesign CC, Digital Editions, ColdFusion and the PhoneGap Push plugin.

The company has released the Flash Player version 29.0.0.140 that fixed four critical flaws and two issues rated as important.

The flaws addressed with the Adobe April Security Bulletin Tuesday include a use-after-free, out-of-bounds read, out-of-bounds write and heap overflow bugs that could be exploited by remote attackers to execute arbitrary code on the target system and that could lead information disclosure.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.113 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

Below the vulnerability details

Vulnerability Category Vulnerability Impact Severity CVE Number
Use-After-Free Remote Code Execution Critical CVE-2018-4932
Out-of-bounds read Information Disclosure Important CVE-2018-4933
Out-of-bounds read Information Disclosure Important CVE-2018-4934
Out-of-bounds write Remote Code Execution Critical CVE-2018-4935
Heap Overflow Information Disclosure Important CVE-2018-4936
Out-of-bounds write Remote Code Execution Critical CVE-2018-4937

Adobe acknowledged Google white hat hackers Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero for reporting the CVE-2018-4936, CVE-2018-4935, CVE-2018-4934, CVE-2018-4937 flaw.

Adobe April Security Bulletin Tuesday

The CVE-2018-4933 vulnerability was reported by willJ of Tencent PC Manager, while the CVE-2018-4932 flaw was reported by Lin Wang of Beihang University.

The good news is that according to Adobe, there is no evidence of malicious exploitation in the wild.

Adobe also addressed three moderate and important cross-site scripting (XSS) flaws in the Experience Manager.

Adobe also fixed a critical memory corruption flaw (CVE-2018-4928) in Adobe InDesign CC that was reported by Honggang Ren of Fortinet’s FortiGuard Labs. Ren discovered a memory corruption flaw that could be exploited for arbitrary code execution.

Adobe also fixed an out-of-bounds read vulnerability and a stack overflow issue in Adobe Digital Editions and five flaws in ColdFusion.

The last issue covered by the company is a same-origin method execution bug in the Adobe PhoneGap Push plugin.

Pierluigi Paganini

(Security Affairs – Adobe April Security Bulletin Tuesday, hacking)

The post Adobe April Security Bulletin Tuesday fixed 4 critical flaws in Flash appeared first on Security Affairs.

On the Job Evolution is a Requirement of a CISO

So you are a CISO. Now what? What got you there will not keep you there. The time for evolution is here. Much like special operations, operators of “CISO” are continually evolving. “You have to be uncommon among the uncommon.” Once you get to that level, you need to stand out even more. For example, […]… Read More

The post On the Job Evolution is a Requirement of a CISO appeared first on The State of Security.

SN 658: Deprecating TLS 1.0 & 1.1

This week we discuss Intel's big Spectre microcode announcement, Telegram is not long for Russia, the US law enforcement's continuing push for "lawful decryption", more state-level net neutrality news, Win10's replacement for "Disk Cleanup", a bug bounty policy update, some follow-up to last week's Quad-1 DNS conversation, why clocks had been running slow throughout Europe... then a look at the deprecation of earlier version of TLS and a big Cisco mistake.

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Bandwidth for Security Now is provided by CacheFly.

Sponsors:

Linux: Beep Command Can Be Used to Probe for the Presence of Sensitive Files

Catalin Cimpanu, writing for BleepingComputer: A vulnerability in the "beep" package that comes pre-installed with Debian and Ubuntu distros allows an attacker to probe for the presence of files on a computer, even those owned by root users, which are supposed to be secret and inaccessible. The vulnerability, tracked as CVE-2018-0492, has been fixed in recent versions of Debian and Ubuntu (Debian-based OS). At its core, the bug is a race condition in the beep utility that allows the OS to emit a "beep" sound whenever it is deemed necessary. Security researchers have discovered a race condition in the beep package that allows an attacker to elevate his code to root-level access.

Read more of this story at Slashdot.

YouTube hack defaces music videos from Drake, Taylor Swift (updated)

If you were in the midst of a music video marathon this morning, you probably got a rude surprise. Hackers (one claiming to have used a script) defaced numerous top music videos, including Luis Fonsi and Daddy Yankee's record-setting "Despacito" as well as clips from Drake, Katy Perry, Shakira, Taylor Swift and others. In many cases, the intruders swapped out the thumbnails with their own (such as a threatening gang image from a Netflix show) and altered show titles. The incident appears to be under control as we write this, but it no doubt panicked more than a few fans and artist representatives.

Via: The Verge

Source: Prosox (Twitter)

Independent lab tests again prove the excellence of Trend Micro Mobile Security for Android

Submitted by Ian Grutze

For the fourth year in a row, as shown in AV Comparatives’ Anti-Virus Comparative Android Test 2018 – January 2018, Trend Micro Mobile Security for Android shows it provides 100% protection against malware. In this independent lab test, more than 200 mobile security products were tested by AV Comparatives against some 2,000 malicious apps—a test inspired by the lab’s discovery that many so-called mobile security apps are nothing of the sort, offering little or no protection, despite having good user reviews on the Google Play Store. Along with its 100% protection rating, Trend Micro Mobile Security for Android also had zero false alarms, and its level of protection outperformed other well-known security apps, such as those developed by Webroot, Cheetah Mobile, Lookout, and Malwarebytes, as well as Google Play Protect (whose protection rating was only 75.3%—that is, 24.7% less effective than Trend Micro Mobile Security).

In a similar way, Trend Micro Mobile Security for Android achieved AV-TEST’s Certification Award for delivering 100% protection in real-time lab tests against the latest Android malware, as shown in the lab’s AV-TEST Product Review and Certification Report – Jan/2018, where the program was tested against 2,766 malware samples. In fact, the same 100% detection rate was true for the latest Android malware discovered during the four weeks of testing leading up to the January 2018 test. In these independent lab tests, Trend Micro Mobile Security blocked some 2,842 malware samples, achieving the maximum 6.0 Protection Score out of a possible 6.0. In addition, Trend Micro Mobile Security for Android achieved 6.0 out of 6.0 in the Usability category, which tracks Performance characteristics, as well as the number of false warnings during installation and usage of legitimate apps from Google Play Store and other third-party app stores.

Figure 1. AV-TEST Product Review and Certification Report – Jan/2018

Independent lab testing of anti-virus programs, as conducted by AV-COMP or AV-TEST, is a key way for users to cross-check any protection claims made by anti-virus companies or programmers. In lab test after test, Trend Micro Mobile Security consistently ranks among the top performers, providing independent proof of the quality of its protection.

For more information on the AV-COMP tests, you can view the results here: AV-COMP: January 2018.

For more information on the AV-TEST tests, you can view the results here: AV-TEST: January 2018.

For more information, or to purchase Trend Micro Mobile Security for Android (as well as for iOS), go to Trend Micro Mobile Security Solutions.

The post Independent lab tests again prove the excellence of Trend Micro Mobile Security for Android appeared first on .

Careful! HTTPS is not synonymous with security

HTTPS-PANDA-SECURITY

HTTPS (HTTP Secure) is an adaptation of the hypertext transfer protocol (HTTP), the basis of the World Wide Web. Netscape initially created it in 1994 for use in its browser. It aimed to safely establish connections and transfer data on websites. Since its inception, the number of pages adopting it has not ceased. Statoperator estimates  that, of the million websites visited in the world, more than 315,000 use HTTPS. But does HTTPS really make a website safe? How can you be safe from attacks?

How does HTTPS work?

HTTPS pages use SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols to encrypt connections. As a result, servers and clients connect ng HTTP, but with an SSL or TLS connection which encrypts data requests, connections and transfers. In theory, this makes websites with a simple HTTP safer, as being encrypted reduces the chances of a third-party carrying out attacks or interfering with connections. You can identify an HTTPS website by the green padlock next to its URL in a browser.

The dangers of phishing

Just because the transfer of information is encrypted in HTTPS does not necessarily mean that the website you are visiting is safe. The clearest example of this is phishing. A website could spoof the identity of another original website to try to gather user data and take advantage of said data. It could then attempt to obtain an HTTPS certificate that prevents third-parties from intervening in the transfer of data. As a matter of fact, nearly 25% of phishing attacks are carried out on HTTPS websites.

Therefore phishing implies a serious risk for all corporate settings: employees that do not take the necessary precautionary measures and become victims of a phishing attack could be handing over confidential information, such as banking details, which could put your company at serious risk.

How to prevent phishing attacks

Perry Carpenter is Chief Evangelist and Strategy Officer at KnowBe4, one of the most popular business cybersecurity and simulated phishing platforms. He believes that, in general users are “the weakest link“. Attackers trick employees to click on dangerous links or download malware. 

The best way to prevent phishing attacks is education and awareness training, beginning by encouraging good cybersecurity habits at a company. By doing this, employees become a line of defense when firewalls and detection systems fail to detect a threat.

One way to teach good habits is by simulating phishing attacks. These usually simulate email attacks, since 91% of phishing attacks are carried out through email. But it is also advisable to practice with fake websites. Obviously, it is also a good idea to use examples of phishing attacks carried out with HTTPS websites.These simulations allow users to make mistakes risk-free and, with practice, learn how to recognize common characteristics of phishing attacks.

The most important patterns employees should recognize to prevent phishing attacks are:

  • Email subjects: according to a study from KnowBe4, security alerts, vacation and sick time policy and package delivery are the most common phishing email subjects. Employees should learn the defining traits of authentic emails from their company and from providers in their contact list.
  • URL: this is a very distinctive trait. A URL of a fraudulent website often contains terms that are similar to the original website. Sometimes they only vary slightly. It’s important for employees to pay special attention to the URL to make sure it is authentic.
  • Language: although it is not a defining trait, many phishing emails and websites are written in a different language than companies use or are poor translations.
  • Forms and data requests: before giving away company data through a form or responding to a request, employees should make sure there are no other habitual channels for sending information and, of course, they should verify they website’s authenticity.

In any case, the best advice to stay protected from phishing attacks is for everyone involved at an organization to be careful. Making sure all content is authentic is always a good idea. Lastly, if these preventative measures fail, it is also advisable to have a comprehensive solution that offers real-time monitoring of your corporate network and prevents attacks before they occur, such as Panda Adaptive Defense. In case of human error, these types of solutions minimize the impact of a phishing attack on a company.

The post Careful! HTTPS is not synonymous with security appeared first on Panda Security Mediacenter.

The Role That IT Security Teams Need to Play in Connected Hospitals

The WannaCry outbreak that reportedly raked in US$1B in damage costs also forced doctors to cancel scheduled appointments, among other things, brought on warranted concern over pervasive ransomware attacks that could stem from oft-overlooked components of healthcare networks—exposed medical cyber assets and third-party partners.

It’s a well-known fact that advances in medical technology and information systems are key reasons for the rise in life expectancy worldwide. Integrated modern diagnostic, monitoring, and treatment systems that allow information to quickly and efficiently flow through are enabling cooperative patient care. What some may not know, however, is that the hospital information system is the backbone of this data flow. It caters to aspects of hospital operations beyond medical services—administrative, financial, record keeping, and even legal processes. And as we have learned time and again, any sufficiently complex system that combines or builds on individual systems is bound to introduce weaknesses and broaden the attack surface.

Our latest joint research with HITRUST, Securing Connected Hospitals, highlights two crucial aspects of the healthcare ecosystem that IT teams need to consider as part of their overall security strategy—exposed devices and third-party partners.

We may think hospitals would be extremely sensitive to device exposure on the internet because of the fines that the Healthcare Insurance Portability and Accountability Act (HIPAA) and similar regulations impose for data exposure violations. But when we looked for healthcare-related cyber assets using Shodan, we were surprised to find a large number of exposed hospital systems.

[READ: For more details on exposed medical devices and systems]

Aside from the risks brought on by unsecured medical devices and systems online, healthcare organizations also run the risk of compromise via weaknesses in the supply chain. Exposure stemming from security gaps in the supply chain could put connected hospitals at risk of threats such as device firmware attacks, mHealth mobile app compromise, and source code compromise during manufacturing, among others.

[READ: For more details on supply-chain-related connected hospital threats]

Healthcare organizations are beginning to understand the risk of suffering a cyberattack that will affect hospital operations (staff schedule database, hospital paging, building controls, and other systems), data privacy (patient and employee personally identifiable information [PII], patient diagnosis and treatment data, insurance and financial information, etc.) and patient health (diagnoses, treatments, and monitoring data of patients). Operational risks of cyberattacks are the new norm. Threat actors can abuse, steal and monetize exposed medical devices and supply chain weaknesses, including PII, intellectual property, research findings, and others and monetize the stolen data in various ways (identity theft, privacy violation, financial fraud, among others). Even more menacing is the exponential growth of digital extortion attacks that are affecting hospitals resulting in operational downtime that result in life and safety risks to patients and financial losses, including penalties, reputation damage, and legal troubles.

It’s true, healthcare IT teams have competing priorities, making it critical to use risk-based strategies. The HITRUST Alliance’s Common Security Framework (CSF) does exactly this. It provides a risk-based approach that is prescriptive not descriptive and harmonizes and cross-references standards from the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), the Payment Card Industry (PCI), and HIPAA. HITRUST even offers a free assessment tool—MyCSF.

Adopting frameworks such as the CSF is just a start to help hospital systems stay up and running to deliver life-preserving services and securing said systems from malicious actors. But we can’t stress the importance of evaluating risks enough, as threats can interrupt operations and cause financial damage. So we recommend starting with sound security architecture and using technical solutions such as network segmentation, breach detection and next-generation firewalls/Unified Threat Management (UTM) gateways, and dynamic threat intelligence among others as a baseline.

[READ: For a complete list of recommended technical solutions]

To address the also-critical human aspect, healthcare IT teams should conduct regular social engineering drills and provide training for all employees and relevant third-party partners. An incident response protocol and team, consisting of people from different hospital departments, should be established. This team should be ready to act at a moment’s notice when a breach is discovered.

To address supply-chain-specific threats, we recommend that healthcare IT teams perform vulnerability assessments of new medical devices and include authentication using Network Access Control (NAC) before allowing network access in bring your own device (BYOD) programs, among others.

[READ: For a complete list of supply-chain-specific recommendations]

As highlighted in our latest joint research with HITRUST, Securing Connected Hospitals, healthcare organizations, to stay secure while remaining connected, need to address two aspects of their networks as part of their overall security strategy—exposed devices and third-party partners.

The post The Role That IT Security Teams Need to Play in Connected Hospitals appeared first on .

CISO Chat – Rick Orloff, Chief Security Officer at Code42

Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information security related to a business. However, the tasks are far from simple as their teams work around the clock to respond to incidences that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which also involves consulting to boardroom level executives about the multitude of potential risks that threaten their business and being prepared for an eventual attack.

To get a better understanding on the life of a CISO, the IT Security Guru will chat to leading CISO’s to get their thoughts and ideas on the 2018 cyber landscape and will include advice, guidance & problems faced. We will leave the favourite food and hobby questions for another time.

Leading this week’s CISO Chat is Rick Orloff, Chief Security Officer at Code42 who believes the biggest concern related to GDPR going into effect in May is that it’s untested.

 

As a CISO, what is your objective? What is the goal of information security within your organisation?

As a CXO, you must have a clear view of the entire business, including technology, operations and data flow. The ability to detect and mitigate risk as well as comply with government and industry regulations also is essential. While it’s impossible to completely eliminate risk from any organisation, CISOs must constantly assess and quantify their attack surface and understand how hackers might try to exploit their environments. This includes addressing human behaviors as part of the attack surface and enabling employees so they can operate freely in a secure environment. Knowing how to support and empower employees to perform their roles in the best way possible is a major factor in successfully safeguarding a business.

 

What is more important for cybersecurity professionals to focus on, threats or vulnerabilities?

The answer is vulnerabilities. You need to focus on process and framework to manage vulnerabilities. If you successfully manage and remediate vulnerabilities, you may not have to worry about the threats. That said, situational awareness is key to a good program. Knowing what new threats are emerging is very important.

 

With GDPR less than five months away, how prepared is your organisation? What is your biggest worry or concern regarding the regulation?

We embraced and prepared for GDPR early on.

 

I believe the biggest concern related to GDPR going into effect in May is that it’s untested. We will need to wait and see how regulators will hold companies accountable and respond when a breach is reported. Most businesses, particularly public companies, have embraced the need to comply with the regulation, so the open question now is: what will happen if they violate it?

 

Social media is everywhere. So how much of it is a security issue in the workplace?

Social media is not going away, ever. It’s part of the DNA of the modern-day employee base. Employees use it professionally and personally. Employees and kids concerned about their futures need to understand the risks of integrating social media with their careers. It’s mostly a security and training issue related to defining its boundaries and compartmentalising the accounts and the data being shared. Offering training programs that engage pen-testers who employ social engineering, running spoof phishing attacks and more, all can be smart ways to educate employees about the importance of adequate data protection.

 

What would your no.1 piece of cyber security advice be as we begin 2018?

As it relates to the software development lifecycle, we need to make sure our organisations design with security in mind – and we need to make it a top priority. A meaningful software security program works to eliminate technical debt, holds firm on software security standards and remains current on patch management. If you do this, you can significantly reduce your vulnerabilities.

 

Today, IoT and AI have become a real big focus for organisations with almost every device, toy and appliance created having technology built in. Worryingly, security seems to be an afterthought in IoT. Why is this the case and how can this be changed?

IoT devices – along with endpoints like laptops and computers – are adding to an already dispersed attack surface. With laptops, tablets and mobile phones, we upgrade the operating systems and receive patches regularly. On the other hand, once deployed, IoT devices are largely unmanaged. Most IoT devices don’t provide a mechanism for their owners to upgrade the firmware or otherwise mitigate security risks as they become known or anticipated. So, if you have a home firewall and have an IoT connected refrigerator, oven or saltshaker, these devices are behind your firewall with a connection to the outside world and there’s little management. That means, an attacker can try to compromise your oven in order to gain lateral movement to the other devices connected inside the house, i.e., baby monitor, computer, webcam, etc.

 

Lack of management isn’t the only factor driving a lack of IoT security. There are a couple of other reasons why security for IoT devices seems to be an afterthought. One is that the most popular IoT devices today are designed to deliver an experience or service and tend to have low cost and essentially disposable components. Ensuring the security of these devices would drive the cost up for consumers. Another reason is there aren’t defined security requirements for IoT devices. Until these basic conditions change, it is unlikely that IoT devices will become secure.

 

How do you believe we can improve the cyber skills gap? What advice would you give to anyone wanting to go into the cybersecurity industry?   

High tech companies need to provide a lucrative path for employees to develop cyber skills and opportunities to grow organically. To become a next-gen cybersecurity professional, you must work your way up the ladder and be well-versed in multiple domains. You must have enough knowledge about general infrastructure, data correlation, actionable intelligence, networks, incident response and risk models to lead a team.

 

What’s your worst security nightmare? What would be your plan to prevent and mitigate it?  

My worst security nightmare is the same as it was in 2001 – that is, a bad actor would take encryption software and point it not just at endpoints, but also at corporate data on the servers or in the cloud. To prevent this type of scenario, you must have a meaningful recovery program that extends beyond backup. While backup is a requirement for recovery, it does no good if it takes you ninety days to recover.

 

How often do you have to report to the boardroom level? In light of the major attacks in 2017, have they become more responsive and shown a better understanding of the work you and your team do?
Even two years ago, boardroom conversations about security weren’t as meaningful as they are today. It was not unusual for CSOs/CISOs to get 10 minutes on a board agenda once a year. In some cases, they might not even attend the meeting. Instead, a CIO might present one or two security slides on their behalf.

 

With the rise of cyberattacks, however, security’s role in the boardroom has changed. CXOs/CIOs together with their boards are mutually engaged in security discussions. Boards want to understand how security programs are being measured and whether CEOs are supporting them. In fact, many boards are seeking to fill positions with security executives in order to help advance their understanding of security.

 

Rick Orloff, Chief Security Officer at Code42

Rick brings to Code42 more than 20 years of deep information security experience. Prior to joining Code42, Rick was Vice President and Chief Information Security Officer at eBay, led and built a variety of global security programs at Apple (AAPL), and directed global security at Lam Research (LRCX). Rick is currently an active member of several advisory boards focused on new and emerging security technology companies.

Throughout his career, Rick has driven meaningful and actionable results across a range of security areas, including global threat management, cyber intelligence, geospatial correlation of data and security operations centres.

The post CISO Chat – Rick Orloff, Chief Security Officer at Code42 appeared first on IT SECURITY GURU.

The digital transformation roadblock: existing IAM solutions are creating major barriers to digital technology adoption

Digital transformation is a much-hyped business buzzword, driven by the adoption of cloud IT services around the world. This hype has seen enterprises scramble to become more digitally agile in a fight to stay competitive. In fact, a new study by OneLogin[2], the industry leader in Unified Access Management, reveals that 92% of UK enterprises have developed a digital transformation strategy, with over two-thirds of those surveyed expecting to deploy up to 100 new commercial SaaS apps and on-premise apps in the next twelve months alone. However, there is a fundamental flaw in their progress to a more digital future – navigating and securing the digital network across a combination of legacy IT, on-premise and cloud platforms. This is where Identity and Access Management (IAM) solutions have a role to play, but are falling short of unifying all corners of the corporate network.

 

With more cloud applications coming into the corporate network and employees switching between on-premise and cloud applications daily, the corporate network has become more complex than ever before. It is therefore unsurprising that almost 90% of the 250 IT decision makers surveyed see IAM as an important, if not critical, part of their digitalisation strategy.

 

Yet the survey results reveal a strong link between the barriers to digital transformation and the pain points they feel with their current IAM solution. Key barriers to digital transformation include a fear of spiralling costs (40%), legacy systems (46%) and project complexity (37%) and the major pain points for existing IAM solutions are cost (43%), complexity (45%) and fragmented access control for multiple environments (22%).

 

Enterprises need IAM to progress their digital transformation strategies, but there is clear demand for a solution that supports every end-point of the complex corporate network, regardless of whether it’s cloud-based or on-prem.

 

To combat this issue head-on and unify the corporate network through one single solution, OneLogin has announced the newest addition to its unified platform: OneLogin Access. The solution lets customers manage access for traditional on-premise applications through a “single pane” management console that also manages access for cloud applications.

 

“Never has it been more critical — or more complex — to securely manage access across the explosion of distributed applications, data, and intelligence,” said OneLogin CEO Brad Brooks. “Our Unified Access Management Platform featuring OneLogin Access is purpose-built for hybrid customer environments. Historically, a customer’s only option was building a cumbersome, multi-vendor, prohibitively expensive solution. That all changes today.”

Companies can now modify access privileges across all applications in real time vs. days or weeks, and slash access management costs by 50% or more — all with a single Unified Access Management Platform. This platform unifies access management not only for applications, but also for networks and devices, using SaaS infrastructure to synchronise all corporate users and user directories.

The post The digital transformation roadblock: existing IAM solutions are creating major barriers to digital technology adoption appeared first on IT SECURITY GURU.

Healthcare will become digitised by 2030 to keep services alive, experts predict

Within ten years your medical check-up could involve more interaction with sensors, cameras and robotic scanning devices than human doctors and nurses, as healthcare organisations re-build services around the Internet of Things (IoT), according to a new report by Aruba, a Hewlett Packard Enterprise company.

 

The ‘Building the Hospital of 2030’ report, features the results of interviews carried out with senior healthcare leaders and futureologists. It explains both the likelihood, and the need, for the healthcare industry to create smarter workplaces that incorporate mobile, cloud and IoT technology, and explores the ways in which this will transform the patient experience and improve clinical care.

 

The study makes five key predictions for how the industry will transform by 2030, including:

 

  1. Patient self-diagnosis: Using app-based and wearable tools to monitor your health and even carry out your own scans, patients will finally have the ability to self-diagnose a wide number of conditions at home, without needing to visit a surgery or hospital.

 

  1. The automated hospital: Hospital check-in will feature imaging technology that can assess your heart rate, temperature and respiratory rate from the moment you walk in, followed by sensors that can perform a blood pressure and ECG test within 10 seconds, and lead to an automatic triage or even diagnosis right there and then.

 

  1. Health professionals double their free time: Doctors and nurses, who are currently spending up to 70% of their time on administrative work, will be able to quickly analyse scans or patient records via their mobile device, freeing up huge amounts of their day to focus on patient care.

 

  1. Digital data repositories: Devices will automatically integrate with your digital patient records, automatically updating on your condition and treatment, giving caregivers a richer, real-time, readily-accessible data to make more better decisions.

 

  1. Acceptance of AI: As artificial intelligence (AI) starts to play an increasing role in diagnosis and treatments, public support will grow to the extent that you will be willing to be diagnosed by machine – provided that services are designed and implemented around patients, the benefits are explained, and permission is sought.

 

Explaining the ability of AI to enhance medical, care, UCL Professor, Dr. Hugh Montgomery said: “Within ten years, you may be able to essay around 50,000 different blood proteins from a single drop, and make much quicker, or even automatic, diagnoses. That’s radical and in no way happens at the moment. I might get 30 variables, today.”

 

On the topic of patient self-care, Digital Health Futurist, Maneesh Juneja adds: “Let’s say you are diagnosed with diabetes or high blood pressure in 10 years time. Once you’ve been diagnosed, a lot of the monitoring of how you’re taking your medication could be done without the healthcare system seeing you as frequently. They could track your data in real-time and know if you’re deviating from your recommended diet or treatment plan, then send you a digital nudge on your smartwatch or augmented reality glasses.”

 

Such advances are far from science-fiction, argues the report, and could prove vital in the struggle to better care for an ageing population: UN figures suggest that the population of over 60s will have increased 56% by 2030, greatly increasing the need for more efficient health services.

 

“We’re in for a massive transformation and disruption in the next 5-10 years for two reasons,” said Hugh Montgomery. “Firstly the technology’s changing that fast, and secondly, there’s this massive pressure to get it out there. Because if we don’t, health services are going to fall over.”

 

Digitising and securing the hospital

 

Recognising the need to modernise, healthcare organisations are already beginning the journey towards digitisation, says the report. Aruba’s own research finds that nearly two thirds (64%) of healthcare organisations have begun to connect patient monitors to their network, and 41% are connecting imaging or x-ray devices. Such measures are the building blocks for an Internet of Things (IoT) strategy, with potentially millions of interconnected medical, wearable and mobile devices sharing up-to-date information that can be more easily shared and used to provide higher quality care.

 

However, the approach is currently fraught with risk. 89% of healthcare organisations that have adopted an IoT strategy, have experienced an IoT-related data breach. With the explosion of new technology devices appearing over the course of the next decade, a key challenge for organisations will be to maintain visibility of all devices connecting to their network and sharing medical data, in order to apply strict security rules.

 

 

Morten Illum VP EMEA at Aruba, concludes: “The rise of digital health services is about improving patient experiences, and increasing accuracy and quality of care. Above all else, that is what we think healthcare providers and members of the public should be excited about. But data security risk is emerging as one big challenge here. That’s why these changes take time to deploy, and we expect to see healthcare companies partnering with technology providers to negotiate both technological and cultural change in the coming years. With the benefits that are on offer, it is certainly worth the effort.”

The post Healthcare will become digitised by 2030 to keep services alive, experts predict appeared first on IT SECURITY GURU.