What's new around the internet


Src | Date (GMT) | Title | Description | Tags | Stories | Notes
SecurityWeek 2018-03-29 17:45:03 "Fauxpersky" Credential Stealer Spreads via USB Drives (direct link) A recently discovered credential stealing malware is masquerading as Kaspersky Antivirus and spreading via infected USB drives, according to threat detection firm Cybereason. Dubbed Fauxpersky, the keylogger was written in AutoIT or AutoHotKey, which are simple tools to write small programs for various automation tasks on Windows. AHK can be used to write code to send keystrokes to other applications, and to create a 'compiled' exe with their code in it. On systems infected with Fauxpersky, the security researchers discovered four dropped files, each named similarly to Windows system files: Explorers.exe, Spoolsvc.exe, Svhost.exe, and Taskhosts.exe.
SecurityWeek 2018-03-29 16:04:02 (Déjà vu) Panda Banker Trojan Goes to Japan (direct link) The banking Trojan known as Panda Banker is now targeting financial institutions in Japan for what appears to be the first time. Also known as Panda Zeus, the malware was first observed in 2016, based on the leaked source code of the infamous Zeus banking Trojan. The threat has been involved in multiple infection campaigns targeting users worldwide, including an attack that leveraged poisoned Google searches for malware delivery. Designed to steal user credentials via man-in-the-browser and webinjects that specify what websites to target and how, Panda Banker has received consistent, incremental updates ever since its first appearance on the threat landscape. The Trojan is being sold as a kit on underground forums, meaning that it has a large number of users. Cybercriminals using it target variou Guideline
SecurityWeek 2018-03-29 13:27:03 (Déjà vu) Crypto Mining Rampant in Higher Education (direct link) Figures from an analysis of 4.5 million monitored devices across 246 companies show that for every 10,000 devices and workloads, 165 contain active threats. The majority are given a low (113) or medium (18) threat priority; but 34 are ranked high or critical, requiring immediate attention. Deeper analysis of these figures in Vectra's 2018 Attacker Behavior Industry Report (PDF) shows the different stages of the attackers' kill chain found within different vertical industry sectors. Overall, 37% of detections denote C&C activity, 31% denote reconnaissance activity, 24% denote lateral movement, and 6% actual exfiltration attempts. The decreasing numbers seem to indicate analysts' success at mitigating the detections as they progress. The remaining 3% of detections indicate botnet activity. Applied to the different vertical industries, the analysis shows the fewest threat detections are found in the technology sector (a total of 62 per 10,000 devices), the healthcare sector (87 per 10,000), and in government (139 per 10,000). Standing out, however, is higher education -- with 542 detections per 10,000 devices. Most of these, 395, are considered low priority threats, and are related to crypto mining. "The number of low alerts in higher education is over three times the normal rate, which is indicative of attacker behaviors that are opportunistic," explains the report. "Inversely, the technology industry has a low volume of devices prioritized as high or critical, which indicates cyberattackers do not often progress deep into the attack lifecycle." Other sectors that stop attacks in their early stages include government and healthcare -- indicating the presence of stronger policies, mature response capabilities and better control of the attack surface; possibly because of greater regulation and oversight in these sectors.
The very high number of low priority threats in higher education is largely down to a spike in crypto mining. Higher education is unlike any other industry sector. Its users are not employees and are traditionally averse to outside control -- they will not automatically accept the security controls that can be applied to direct employees, and security teams can rarely impose them. At the same time, the student environment is an attractive target, especially for crypto mining.
SecurityWeek 2018-03-29 12:10:04 (Déjà vu) The CNN Factor Adds More Complexity to Security Operations (direct link) Security Teams Need the Ability to Collaborate and Coordinate to Make Better Use of the Talent and Data They Already Have. We all know that security teams are drowning in a sea of alerts, largely driven by a defense-in-depth strategy with layers of protection that aren't integrated and create a massive amount of logs and events. If you need further evidence, Cisco's 2018 Annual Cybersecurity Report (PDF) found that among organizations using 50+ vendors, 55 percent say orchestrating security alerts is very challenging, and for those with 21-50 vendors, 43 percent are struggling. The result? On average, 44 percent of alerts are not investigated, and of those investigated and deemed legitimate, nearly half (49 percent) go un-remediated! Compound that reality with the "CNN Factor" -- global cyberattacks that garner widespread interest and trigger calls from management -- and you've got a situation that is quickly becoming untenable. It isn't sufficient for security teams to prevent, detect and respond to attacks. Security teams also must be able to proactively investigate and understand what the latest, large-scale cyber campaign means to their organization. Yet Cisco's study finds, "One reason [alerts go un-remediated] appears to be the lack of headcount and trained personnel who can facilitate the demand to investigate all alerts." So how can security teams handle the fallout from the headlines along with their daily list of "to-dos"? They need a force multiplier -- the ability to collaborate and coordinate to make better use of the talent and data they already have. This will not only help them respond more effectively and efficiently to alerts, but also address the inevitable flurry of questions every time a large-scale attack happens and take action as needed. Collaborate.
It isn't just security tools that are siloed; security teams typically operate in silos as well, and that includes all the members of your threat intelligence program -- threat intelligence analysts, security operations centers (SOCs) and incident handlers, to name a few. When one team member researches an event or alert and doesn't find information that is relevant to them, they tend to put that information aside and move on to the next task. But what if someone else in threat operations, conducting a separate investigation, could have benefitted from that work? Without the ability to collaborate as part of the workflow, key commonalities are missed, so investigations take longer or hit a dead end. What's needed is a single, shared environment that fuses together threat data, evidence and users, so that all team members involved in the inve Guideline Deloitte
SecurityWeek 2018-03-29 05:54:04 (Déjà vu) Severe Vulnerabilities Expose MicroLogix PLCs to Attacks (direct link) Rockwell Automation has released patches and mitigations for several potentially serious vulnerabilities discovered by Cisco Talos researchers in its Allen-Bradley MicroLogix 1400 programmable logic controllers (PLCs). According to Cisco Talos, the vulnerabilities can be exploited for denial-of-service (DoS) attacks, modifying a device's configuration and ladder logic, and writing or removing data on its memory module. Since these controllers are typically used in industrial environments, including in critical infrastructure organizations, exploitation of the flaws could result in significant damage, Talos said. Vulnerabilities found in MicroLogix controllers: The most serious of the flaws, based on their CVSS score of 10, are a series of access control issues that have been assigned a dozen CVE identifiers. A remote and unauthenticated attacker can exploit these vulnerabilities to obtain sensitive information, modify a device's settings, or change its ladder logic -- all by sending specially crafted packets. While exploiting many of these flaws requires that the controller's keyswitch is in the REMOTE or PROG position, reading the master password and the master ladder logic works regardless of the keyswitch setting. Another potentially serious flaw is CVE-2017-12088, which allows a remote attacker to cause the controller to enter a fault state and potentially delete ladder logic by sending specially crafted packets to the Ethernet port. DoS vulnerabilities also exist in the device's program download and firmware update functionality, but these have been assigned only a "medium severity" rating. Other issues considered less serious include a file-write vulnerability affecting a memory module, and a DoS flaw related to the session connection functionality.
While a CVE identifier has been assigned to the session communication bug, Rockwell says the system actually works as intended and no patches or mitigations are required. Rockwell Automation has released firmware updates that address some of these flaws. The company has also proposed a series of mitigations that include migrating to more recent series of the MicroLogix 1400 controller, setting the keyswitch to “Hard Run” to prevent unauthorized changes to the device, and disabling impacted services. Cisco has publi
SecurityWeek 2018-03-29 04:47:04 Drupalgeddon: Critical Flaw Exposes a Million Drupal Websites to Attacks (direct link) All versions of the Drupal content management system are affected by a highly critical vulnerability that can be easily exploited to take complete control of affected websites in what may turn out to be Drupalgeddon 2.0. While analyzing the security of Drupal, Jasper Mattsson discovered a serious remote code execution flaw that impacts versions 6, 7 and 8. This represents more than one million websites that can be hacked by a remote and unauthenticated attacker. The security hole, tracked as CVE-2018-7600 and assigned a risk score of 21/25, can be exploited simply by accessing a page on the targeted Drupal website. Once exploited, it gives the attacker full control over a site, including access to non-public data and the possibility to delete or modify system data, Drupal developers warned. The vulnerability has been patched with the release of Drupal 7.58, 8.5.1, 8.3.9 and 8.4.6. While Drupal 6 has reached end of life and has not been supported since February 2016, a fix has still been developed due to the severity of the flaw and the high risk of exploitation. Besides updating their installations to the latest version, users can protect their websites against attacks by making some changes to the site's configuration. However, the required changes are "drastic." "There are several solutions, but they are all based on the idea of not serving the vulnerable Drupal pages to visitors. Temporarily replacing your Drupal site with a static HTML page is an effective mitigation. For staging or development sites you could disable the site or turn on a 'Basic Auth' password to prevent access to the site," Drupal developers said. Cloudflare also announced that it has pushed out a rule to its Web Application Firewall (WAF) to block potential attacks.
While no technical details have been made public, Drupal believes that exploits targeting the vulnerability will be created within hours or days, which is why it alerted users of the flaw and an upcoming patch one week in advance. This appears to have been a good strategy, but many websites may still remain vulnerable for extended periods of time. (Related: Drupal patches critical remote code execution vulnerability.) In the case of the notorious Drupalgeddon vulnerability, hackers had used it to take control of websites nearly two years after a patch was released.
SecurityWeek 2018-03-29 04:10:02 macOS High Sierra Logs External Volume Passwords in Plaintext (direct link) In macOS High Sierra, the passwords used for Apple File System (APFS)-encrypted external drives are logged and kept in on-disk log files, a security researcher has discovered. The APFS file system was introduced by Apple with the release of macOS High Sierra and is automatically applied to the startup volume when High Sierra is installed on a computer with a solid-state drive (SSD). According to Apple, APFS provides strong encryption, fast directory sizing, space sharing, and improved file system fundamentals. The newly discovered vulnerability, Sarah Edwards reveals, impacts macOS 10.13 platform versions. Initially found when creating a new APFS volume, the bug appears to occur when encrypting previously created but unencrypted volumes as well. What the expert observed was that the password used for a newly created APFS-formatted FileVault Encrypted USB drive via Disk Utility could be found in the unified logs in plaintext.
SecurityWeek 2018-03-29 04:01:03 Facebook Limits App Access to Users' Data (direct link) Facebook has announced a series of changes to its developer platform to implement tighter user privacy controls and limit how apps can access user data. The changes were initially mentioned last week, when the social platform came under fire after reports emerged that millions of Facebook users' personal data was harvested by British firm Cambridge Analytica. Facebook CEO Mark Zuckerberg apologized for the incident last week and said tighter controls would be coming. Also last week, Facebook paused app review in preparation for the upcoming changes to its developer platform. The first of the announced privacy improvements have already been implemented, but more are planned for the near future.
SecurityWeek 2018-03-28 16:41:01 (Déjà vu) The Big Business of Bad Bots (direct link) Bad bots are big news largely because of the FBI investigation into Russia's involvement in the 2016 presidential election. But bad bots are a bigger problem than automated tweeting: 42.2% of all website traffic comes from bots, and 21.8% of it is down to bad bots. Distil Networks' 2018 Bad Bot Report, based on an analysis of hundreds of billions of bad bot requests, shows that bad bot traffic increased by 9.5% in 2017. Bad bots differ from good bots, whose traffic also increased, by 8.8% to 20.4%. It means that only -- on average -- 57.8% of visiting traffic comes from a genuine human being interested in the website content. Good bots are those that all websites require. They include the search engine page indexing bots from Google and Bing, and they bring humans to the site. Bad bots, however, are secretive and nefarious. They come from outright criminals and commercial competitors, and their purpose is to detract and/or steal from the website. Distil highlights eight different bad bot functions: price scraping, content scraping, account takeover, account creation, credit card fraud, denial of service, gift card balance checking, and denial of inventory. They fall into three primary categories: competitive, organized criminal, and nuisance. Price scraping and content scraping are generally competitor attacks. Price scraping allows competitors to maintain price levels slightly lower to score more highly in search engine rankings. Content scraping is simply the theft of proprietary content to augment another site's own content. Account takeover bots are automated attempts at illegal log-ins. They can deliver brute-force attacks cycling through the most popular passwords to see if one of them works, or they can use the process known as credential stuffing. Distil reports a 300% increase in credential stuffing bad bots in the weeks following a new major credential theft.
This involves the automatic application of stolen passwords on different websites. "Here," notes the report, "bot operators make two assumptions. The first is that people reuse their credentials on many websites. The second is that newly stolen credentials are more likely to still be active. This is why businesses should anticipate bad bots running those credentials against their website after every breach." Account creation bad bots simply generate vast numbers of new accounts -- for example, on Twitter -- to spam out messages or amplify propaganda. Credit card fraud bots test out credit card numbers, trying to identify missing information -- such as the expiry date and the CVV. The denial of service bad bot can be either competitive or nuisance. It can be used to reduce the performance of a competitor, or to disrupt the service of a small website either because of a grudge, or simply because it is possible. It can be effected either from a small number of attacking IP addresses, or from a la
SecurityWeek 2018-03-28 15:47:02 Webinar Today: Inside the Cyber Underworld (direct link) Inside the Cyber Underworld: Armor's Black Market Report. From credit card data to counterfeit passports, just about anything is available for the right price on the Dark Web. For three months, Armor's Threat Resistance Unit (TRU) research team pulled data from dozens of underground markets and forums to offer a look at how the market for cybercriminals' goods and services continues to thrive. Please join SecurityWeek and Armor for a live webinar on March 28th at 2PM ET, as we walk through: ● The prices for stolen credit cards and bank information ● How cybercrime-as-a-service has shaped the threat landscape ● The sale of malware, exploits, code-signing certificates and more ● Why your social media accounts and airline rewards points are valuable to hackers ● How hackers profit from identity theft and the sale of false documents
SecurityWeek 2018-03-28 15:31:02 Risky Business: The Fifth Element (direct link) Last month, I talked about the elegant beauty in offloading parts of your risk portfolio in four distinct ways. The logic is to streamline the company's mitigation efforts and allow you to focus more time and investment where it matters most -- on the unique risks inherent to the business. But there is a fifth element, and it is going to be in your future. While security-as-a-service for functions like WAF and DDoS protection is well-established, it is just the beginning of a new industry that is emerging around consumption-based security models. To a certain extent, security in the future is going to be Uberized, and for some situations, you may be able to get rid of your car entirely. No insurance. No maintenance. No hassles with parking. And you won't even have to wash it or vacuum crumbs out of the seat cracks. That is to say, you won't hire a company just for DDoS and WAF. You'll hire a company for IDaaS, IPS, encryption/decryption, SSL orchestration, governance, risk and compliance (GRC). And over time, you'll dial in your use of these services. Spin them up when they're needed most. Ratchet them back when they're not in demand. Pay only for what you use. This is a strategic way to contain costs, as you may only fully use your GRC service when it's time for an audit, enabling the company to increase its capacity without having a consulting service on site. All of this will dramatically change how CISOs function and how their teams are structured. Instead of hiring dozens of people to build and maintain multiple systems, CISOs will shift to focus on the data that powers the business and how it flows through and interacts with these outsourced relationships.
And yes, I am going so far as to say this shift is inevitable, because it's being driven by some pretty clear economic pressures: Talent scarcity. It's well-known that there are a lot of open job reqs in cybersecurity. I mean a lot -- more than a million today. And according to the Center for Cyber Safety and Education's 2017 Global Information Security Workforce Study, there may be as many as 1.8 million open jobs in the field by 2022. In this market, finding the right person can take months. You either have to poach them from another company or develop them yourself. Development means trial by fire. I don't know about you, but I don't want trial by fire. And if you do steal a great hire from another company, the cost-benefit analysis is such that you're basically being driven to a vendor anyway, simply because the salary pressure makes it more cost-effective. There are also specific areas of Uber
SecurityWeek 2018-03-28 15:25:04 Fileless Crypto-Mining Malware Discovered (direct link) Malicious crypto-miners have invaded the threat landscape over the past year, fueled by a massive increase in the value of crypto-currency. A recent attack discovered by security researchers from Minerva Lab used malware dubbed GhostMiner, which has adopted the most effective techniques used by other malware families, including fileless infection attacks. Focused on mining Monero crypto-currency, the new threat used PowerShell evasion frameworks -- Out-CompressedDll and Invoke-ReflectivePEInjection -- that employed fileless techniques to hide the malicious code.
SecurityWeek 2018-03-28 15:10:02 GoScanSSH Malware Targets Linux Servers (direct link) A recently discovered malware family written using the Golang (Go) programming language is targeting Linux servers and using a different binary for each attack, Talos warns. Dubbed GoScanSSH because it compromises SSH servers exposed to the Internet, the malware's command and control (C&C) infrastructure leverages the Tor2Web proxy service to prevent tracking and takedowns. The malware operators, Talos believes, had a list of more than 7,000 username/password combinations they would use to authenticate to the servers, after which they would create a unique GoScanSSH binary to upload and execute on the server. The actors behind this threat would target weak or default credentials used across a variety of Linux-based devices. Usernames used in the attack include admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and
SecurityWeek 2018-03-28 14:21:03 (Déjà vu) Critical Flaws Found in Siemens Telecontrol, Building Automation Products (direct link) Siemens informed customers this week that critical vulnerabilities have been found in some of its telecontrol and building automation products, and revealed that some SIMATIC systems are affected by a high severity flaw. One advisory published by the company describes several critical and high severity flaws affecting Siveillance and Desigo building automation products. The security holes exist due to the use of a vulnerable version of a Gemalto license management system (LMS). The bugs affect Gemalto Sentinel LDK and they can be exploited for remote code execution and denial-of-service (DoS) attacks. The vulnerabilities were discovered by researchers at Kaspersky Lab and disclosed in January. The security firm warned at the time that millions of industrial and corporate systems may be exposed to remote attacks due to their use of the vulnerable Gemalto product. Siemens warned at the time that more than a dozen versions of the SIMATIC WinCC Add-On were affected. The company has now informed customers that some of its building automation products are impacted as well, including Siveillance Identity and SiteIQ Analytics, and Desigo XWP, CC, ABT, Configuration Manager, and Annual Shading. The German industrial giant has advised customers to update the LMS to version 2.1 SP4 (2.1.681) or newer in order to address the vulnerabilities. A separate advisory published by Siemens this week informs customers of a critical vulnerability affecting TIM 1531 IRC, a communication module launched by the company nearly a year ago. The module connects remote stations based on SIMATIC controllers to a telecontrol control center through the Sinaut ST7 protocol.
“A remote attacker with network access to port 80/tcp or port 443/tcp could perform administrative operations on the device without prior authentication. Successful exploitation could allow to cause a denial-of-service, or read and manipulate data as well as configuration settings of the affected device,” Siemens explained. The company said there had been no evidence of exploitation when it published its advisory on Tuesday. A third advisory published by Siemens this week describes a high severity flaw discovered by external researchers in SIMATIC PCS 7, SIMATIC WinCC, SIMATIC WinCC Runtime Professional, and SIMATIC NET PC products.
SecurityWeek 2018-03-28 12:39:00 Facebook Announces New Steps to Protect Users' Privacy (direct link) Facebook said Wednesday it will overhaul its privacy settings tools to put users "more in control" of their information on the social media website. The updates include improved access to Facebook's user settings and tools to easily search for, download and delete personal data stored by Facebook. Meanwhile, a new privacy shortcuts menu will allow users to quickly increase account security, manage who can see their information and activity on the site and control the advertisements they see. "We've heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed," chief privacy officer Erin Egan and deputy general counsel Ashlie Beringer said in a blog post. "We're taking additional steps in the coming weeks to put people more in control of their privacy," they confirmed. The new features follow fierce criticism after it was revealed millions of Facebook users' personal data was harvested by a British firm linked to Donald Trump's 2016 campaign -- although Facebook said they have been "in the works for some time." Earlier this month, whistleblower Christopher Wylie revealed Cambridge Analytica created psychological profiles on 50 million Facebook users via a personality prediction app. The app was downloaded by 270,000 people, but also scooped up their friends' data without consent -- as was possible under Facebook's rules at the time. Egan and Beringer also announced updates to Facebook's terms of service and data policy to improve transparency about how the site collects and uses data.
SecurityWeek 2018-03-28 12:26:03 Kaspersky Open Sources Internal Distributed YARA Scanner (direct link) Kaspersky Lab has released the source code of an internally developed distributed YARA scanner as a way of giving back to the infosec community. Originally developed by VirusTotal software engineer Victor Alvarez, YARA is a tool that allows researchers to analyze and detect malware by creating rules that describe threats based on textual or binary patterns. Kaspersky Lab has developed its own version of the YARA tool. Named KLara, the Python-based application relies on a distributed architecture to allow researchers to quickly scan large collections of malware samples. Looking for potential threats in the wild requires a significant amount of resources, which can be provided by cloud systems. Using a distributed architecture, KLara allows researchers to efficiently scan one or more YARA rules over large data collections -- Kaspersky says it can scan 10Tb of files in roughly 30 minutes. "The project uses the dispatcher/worker model, with the usual architecture of one dispatcher and multiple workers. Worker and dispatcher agents are written in Python. Because the worker agents are written in Python, they can be deployed in any compatible ecosystem (Windows or UNIX). The same logic applies to the YARA scanner (used by KLara): it can be compiled on both platforms," Kaspersky explained. KLara provides a web-based interface where users can submit jobs, check their status, and view results. Results can also be sent to a specified email address. The tool also provides an API that can be used to submit new jobs, get job results and details, and retrieve the matched MD5 hashes. Kaspersky Lab has relied on YARA in many of its investigations, but one of the most notable cases involved the 2015 Hacking Team breach.
The security firm wrote a YARA rule based on information from the leaked Hacking Team files, and several months later it led to the discovery of a Silverlight zero-day vulnerability. The KLara source code is available on GitHub under a GNU General Public License v3.0. Kaspersky says it welcomes contributions to the project. This is not the first time Kaspersky has made available the source code of one of its internal tools. Last year, it released the source code of Bitscout, a compact and customizable tool designed for remote digital forensics operations. (Related: Kaspersky Launches New Security Product for Exchange Online.) Guideline
SecurityWeek 2018-03-28 11:03:05 (Déjà vu) Microsoft Patches for Meltdown Introduced Severe Flaw: Researcher (direct link) Some of the Windows updates released by Microsoft to mitigate the Meltdown vulnerability introduce an even more severe security hole, a researcher has warned. Microsoft has released patches for the Meltdown and Spectre vulnerabilities every month since their disclosure in January. While at this point the updates should prevent these attacks, a researcher claims some of the fixes create a bigger problem. According to Ulf Frisk, the updates released by Microsoft in January and February for Windows 7 and Windows Server 2008 R2 patch Meltdown, but they allow an attacker to easily read from and write to memory. He noted that while Meltdown allows an attacker to read megabytes of data per second, the new vulnerability can be exploited to read gigabytes of data per second -- in one of the tests he conducted, the expert managed to access the memory at speeds of over 4 Gbps. Moreover, the flaw also makes it possible to write to memory. Frisk says exploitation does not require any sophisticated exploits -- standard read and write instructions will get the job done -- as Windows 7 has already mapped the memory for each active process. "In short - the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself," the researcher explained. "The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM." "Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization.
All one has to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory," he said. The researcher says anyone can reproduce the vulnerability using a direct memory access (DMA) attack tool he developed a few years ago. The attack works against devices running Windows 7 x64 or Windows Server 2008 R2 with the Microsoft patches from January or February installed. The issue did not exist before January and it appears to have been addressed by Microsoft with the March updates. Windows 10 and Windows 8.1 are not affected, Frisk said. SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds. Frisk previously discovered a macOS vulnerability that could have been exploited to obtain FileVault passwords, and demonstr
SecurityWeek 2018-03-28 10:54:05 The Malicious Use of Artificial Intelligence in Cybersecurity (direct link) Artificial Intelligence Risks: Criminals and Nation-state Actors Will Use Machine Learning Capabilities to Increase the Speed and Accuracy of Attacks. Scientists from leading universities, including Stanford and Yale in the U.S. and Oxford and Cambridge in the UK, together with civil society organizations and a representation from the cybersecurity industry, last month published an important paper titled The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation. While the paper (PDF) looks at a range of potential malicious misuses of artificial intelligence (which includes and focuses on machine learning), our purpose here is to largely exclude the military and concentrate on the cybersecurity aspects. It is, however, impossible to completely exclude the potential political misuse given the interaction between political surveillance and regulatory privacy issues. Artificial intelligence (AI) is the use of computers to perform the analytical functions normally only available to humans -- but at machine speed. 'Machine speed' is described by Corvil's David Murray as "millions of instructions and calculations across multiple software programs, in 20 microseconds or even faster." AI simply makes the unrealistic, real. The problem discussed in the paper is that this function has no ethical bias. It can be used as easily for malicious purposes as it can for beneficial purposes. AI is largely dual-purpose; and the basic threat is that zero-day malware will appear more frequently and be targeted more precisely, while existing defenses are neutralized -- all because of AI systems in the hands of malicious actors. Current Machine Learning and Endpoint Protection: Today, the most common use of the machine learning (ML) type of AI is found in next-gen endpoint protection systems; that is, the latest anti-malware software.
It is called 'machine learning' because the AI algorithms within the system 'learn' from many millions (and growing numbers) of samples and behavioral patterns of real malware. Guideline
SecurityWeek.webp 2018-03-28 03:19:00 (Déjà vu) jRAT Leverages Crypter Service to Stay Undetected (lien direct) In recently observed attacks, the jRAT backdoor was using crypter services hosted on the dark web to evade detection, Trustwave security researchers have discovered. Also known as Adwind, AlienSpy, Frutas, Unrecom, and Sockrat, the jRAT malware is a Windows-based Remote Access Trojan (RAT) discovered several years ago that infected nearly half a million users between 2013 and 2016. The threat has been hitting organizations all around the world and was recently spotted as part of
SecurityWeek.webp 2018-03-27 18:27:01 Mozilla Isolates Facebook with New Firefox Extension (lien direct) Mozilla today unveiled the "Facebook Container Extension", a new browser extension designed to help Firefox users reduce the ability of Facebook to track their activity across other web sites. The new extension, Mozilla says, will help users gain more control over their data on the social platform by isolating their identity into a separate container. Because of that, Facebook would find it more difficult to track users' activity on other websites via third-party cookies. The Facebook Container Add-On was launched in the light of news that Facebook at one point allowed applications to harvest large amounts of data on users and their friends and follows Mozilla's announcement that it has paused Facebook advertising until the social network improves the privacy of its users. The privacy scandal started with reports that Cambridge Analytica
SecurityWeek.webp 2018-03-27 18:11:01 Pink-haired Whistleblower at Heart of Facebook Scandal (lien direct) Instantly recognizable with his pink hair and nose ring, Christopher Wylie claims to have helped create data analysis company Cambridge Analytica before turning whistleblower and becoming "the face" of the crisis engulfing Facebook. Carole Cadwalladr, the Guardian journalist who worked with Wylie for a year on the story, described him as "clever, funny, bitchy, profound, intellectually ravenous, compelling. A master storyteller. A politicker. A data science nerd." The bespectacled 28-year-old describes himself as "the gay Canadian vegan who somehow ended up creating Steve Bannon's psychological warfare tool," referring to Trump's former adviser, whom the report said had deep links with Cambridge Analytica (CA). With Wylie's help, Cadwalladr revealed how CA scooped up data from millions of Facebook users in the US. They then used the information to build political and psychological profiles, in order to create targeted messages for voters. Facebook insists it did not know the data taken from its site were being used, but the revelations have raised urgent questions over how the data of 50 million users ended up in CA's hands. Shares of the tech giant have since tumbled, with $70 billion (56 billion euros) wiped off in 10 days. - 'Walter Mitty' - Wylie studied law and then fashion, before entering the British political sphere when he landed a job working for the Liberal Democrats. Former Lib Dem colleague Ben Rathe had a less complimentary description of Wylie, tweeting that he "thinks he's Edward Snowden, when he's actually Walter Mitty" -- a reference to a fictional character with a vivid fantasy life. Wylie became a research director for Strategic Communication Laboratories (SCL), the parent company of CA, in 2014.  "I helped create that company," he said of CA in an interview with several European newspapers.  
"I got caught up in my own curiosity, in the work I was doing. It's not an excuse, but I found myself doing the research work I wanted to do, with a budget of several million, it was really very tempting," he told French daily Liberation. Initially, he enjoyed the globetrotting lifestyle, meeting with ministers from around the world.  But the job took a dark turn when he discovered that his predecessor had died in a Kenyan hotel. He believes the victim paid the pri
SecurityWeek.webp 2018-03-27 17:04:04 Statistics Say Don\'t Pay the Ransom; but Cleanup and Recovery Remains Costly (lien direct) Businesses have lost faith in the ability of traditional anti-virus products to detect and prevent ransomware. Fifty-three percent of U.S. companies infected by ransomware in 2017 blamed legacy AV for failing to detect the ransomware. Ninety-six percent of those are now confident that they can prevent future attacks, and 68% say this is because they have replaced legacy AV with next-gen endpoint protection. These details come from a February 2018 survey undertaken by Vanson Bourne for SentinelOne, a next-gen provider, allowing SentinelOne to claim, "This distrust in legacy AV further confirms the required shift to next-gen endpoint protection in defending against today's most prominent information security threats." This is a fair statement, but care should be taken not to automatically confuse 'legacy AV' with all traditional suppliers -- many can also now be called next-gen providers with their own flavors of AI-assisted malware detection. SentinelOne's Global Ransomware Report 2018 (PDF) questioned 500 security and risk professionals (200 in the U.S., and 100 in each of France, Germany and the UK) employed in a range of verticals and different company sizes. The result provides evidence that paying a ransom is not necessarily a solution to ransomware. Forty-five percent of U.S. companies infected with ransomware paid at least one ransom, but only 26% had their files unlocked. Furthermore, 73% of those firms that paid the ransom were targeted at least once again. Noticeably, while defending against ransomware is a security function, responding to it is a business function: 44% of companies that paid up did so without the involvement or sanction of the IT/security teams. The attackers appear to have concluded that U.S. firms are the more likely to pay a ransom, and more likely to pay a higher ransom. 
While the global average ransom is $49,060, the average paid by U.S. companies was $57,088. "If the cost of paying the ransomware is less than the lost productivity caused by downtime from the attack, they tend to pay," SentinelOne's director of product management, Migo Kedem, told SecurityWeek. "This is not good news, as it means the economics behind ransomware campaigns still make sense, so attacks will continue." This is in stark contrast to the UK, where the average payment is almost $20,000 lower at $38,500. It is tempting to wonder if this is because UK companies just don't pay ransoms. In 2016, 17% of infected UK firms paid up; now it is just 3%. This may reflect the slightly different approaches in law enforcement advice. While LEAs always say it is best not to pay, the UK's NCSC says flatly, 'do not pay', while the FBI admits that it is ultimately the decision of each company.  Paying or not paying is, however, only a small part of the cost equation; and the UK's Office for National Statistics (ONS) provides useful figures. According to SentinelOne, these figures show that in a 12-month period, the average cost of a ransomware infection to a UK business was £329,976 ($466,727). With 40% of businesses with more than 1000 employees being infected, and 2,625 such organizations in the UK, the total cost of ransomware to UK business in 12 months was £346.4 m Guideline Wannacry
SecurityWeek.webp 2018-03-27 15:35:02 First OpenSSL Updates in 2018 Patch Three Flaws (lien direct) The first round of security updates released in 2018 for OpenSSL patches a total of three vulnerabilities, but none of them appears to be serious. OpenSSL versions 1.1.0h and 1.0.2o patch CVE-2018-0739, a denial-of-service (DoS) vulnerability discovered using Google's OSS-Fuzz service, which has helped find several flaws in OpenSSL in the past. The security hole, rated “moderate,” is related to constructed ASN.1 types with a recursive definition. “Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion,” the OpenSSL Project said in its advisory. Another moderate severity flaw, which only affects the 1.1.0 branch, is CVE-2018-0733. This is an implementation bug in the PA-RISC CRYPTO_memcmp function, and it allows an attacker to forge authenticated messages more easily than should be possible. The OpenSSL Project learned about this vulnerability in early March from IBM. Only HP-UX PA-RISC systems are impacted. Finally, OpenSSL 1.1.0h fixes an overflow bug that could allow an attacker to access TLS-protected communications. The vulnerability, CVE-2017-3738, was first disclosed in December 2017, but since an attack is not easy to carry out the issue has been assigned a low severity rating and it has only been patched now. Four rounds of security updates were released for OpenSSL last year, and only one of the eight fixed vulnerabilities was classified as high severity. Guideline
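The stack-exhaustion hazard behind CVE-2018-0739 is generic to any recursive-descent parser of constructed ASN.1 types, and so is the fix: bound the nesting depth before recursing. The following Python is an added illustration written for this page, not OpenSSL's parser. It walks a minimal DER encoding, recursing into every constructed TLV, and builds its own constructed test input (SEQUENCEs nested inside one another). With `max_depth=None` the nesting depth is bounded only by the input, so the interpreter's recursion limit stands in for the stack overflow a native parser would hit; with a cap, over-nested input is rejected as malformed instead.

```python
"""Depth-capped DER walker: an illustration of the recursion hazard behind
CVE-2018-0739.  Example code for this page, not OpenSSL's ASN.1 parser."""
from typing import Optional, Tuple


class DerError(ValueError):
    """Malformed or truncated encoding."""


class DerTooDeep(DerError):
    """Constructed types nested deeper than the configured cap."""


def _read_length(buf: bytes, off: int) -> Tuple[int, int]:
    """Decode a DER length field at buf[off]; return (length, bytes consumed)."""
    if off >= len(buf):
        raise DerError("truncated length")
    first = buf[off]
    if first < 0x80:                      # short form
        return first, 1
    nbytes = first & 0x7F                 # long form: 0x8n then n length bytes
    if nbytes == 0 or nbytes > 8:         # indefinite form is not DER; 8+ bytes is absurd
        raise DerError("bad length encoding")
    if off + 1 + nbytes > len(buf):
        raise DerError("truncated length")
    return int.from_bytes(buf[off + 1:off + 1 + nbytes], "big"), 1 + nbytes


def der_walk(buf: bytes, max_depth: Optional[int] = 32, _depth: int = 0) -> int:
    """Count every TLV in buf, recursing into constructed types (tag bit 5 set).

    Each recursion is one stack frame, and the input decides how many there are.
    max_depth=None is the unbounded behaviour; a cap rejects over-nested input
    as malformed before the stack gives out.
    """
    if max_depth is not None and _depth > max_depth:
        raise DerTooDeep(f"nesting deeper than {max_depth}")
    count, off = 0, 0
    while off < len(buf):
        tag = buf[off]
        length, consumed = _read_length(buf, off + 1)
        start = off + 1 + consumed
        end = start + length
        if end > len(buf):
            raise DerError("truncated value")
        count += 1
        if tag & 0x20:                    # constructed: contents are themselves TLVs
            count += der_walk(buf[start:end], max_depth, _depth + 1)
        off = end
    return count


def _encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def nested_sequences(depth: int) -> bytes:
    """Constructed malicious-style input: `depth` SEQUENCEs nested inside one another."""
    enc = b"\x30\x00"                     # innermost: empty SEQUENCE
    for _ in range(depth - 1):
        enc = b"\x30" + _encode_length(len(enc)) + enc
    return enc


def walk_outcome(depth: int, max_depth: Optional[int]) -> str:
    """What happens when `depth` nested SEQUENCEs meet a walker with the given cap."""
    try:
        return f"ok:{der_walk(nested_sequences(depth), max_depth)}"
    except DerTooDeep:
        return "too_deep"
    except RecursionError:                # Python's stand-in for the native stack overflow
        return "stack_exhausted"


if __name__ == "__main__":
    for depth, cap in [(5, 32), (100, 32), (100, None), (5000, None)]:
        print(f"depth={depth:5d} cap={cap!s:4s} -> {walk_outcome(depth, cap)}")
```

The cap should come from the structure actually being parsed (PKCS#7 and X.509 objects never legitimately nest more than a few dozen levels), and the same check belongs in any handwritten TLV, JSON or XML parser that recurses on container types.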
SecurityWeek.webp 2018-03-27 15:29:02 (Déjà vu) New "ThreadKit" Office Exploit Builder Emerges (lien direct) A newly discovered Microsoft Office document exploit builder kit has been used for the distribution of a variety of malicious payloads, including banking Trojans and backdoors, Proofpoint reports. The exploit builder kit was initially discovered in October 2017, but Proofpoint's researchers have linked it to activity dating back to June 2017. The builder kit shows similarities to Microsoft Word Intruder (MWI), but is a new tool called ThreadKit. In June 2017, the kit was being advertised in a forum post as being able to create documents with embedded executables and embedded decoy documents, and several campaigns featuring such documents were observed that month. The documents would perform an initial check-in to the command and control (C&C) server, a tactic also used by MWI. The documents were targeting CVE-2017-0199 and were focused on downloading and executing an HTA file that would then download the decoy and a malicious VB script to extract and run th Guideline
SecurityWeek.webp 2018-03-27 15:13:01 The Top Vulnerabilities Exploited by Cybercriminals (lien direct) Cybercriminals are shifting their focus from Adobe to Microsoft consumer products, and are now concentrating more on targeted attacks than on web-based exploit kits. Each year, Recorded Future provides an analysis of criminal chatter on the dark web in its Top Ten Vulnerabilities Report. It does this because it perceives a weakness in traditional vulnerability databases and scanning tools -- they do not indicate which vulnerabilities are currently being exploited, nor to what extent. Reliance on vulnerability lists alone cannot say where patching and remediation efforts should be prioritized.  "We do this analysis because the sale and use of exploits is a for-profit industry," Recorded Future's VP of technical solutions, Scott Donnelly, told SecurityWeek. This means that exploit developers have to sell their products, while other criminals have to buy them -- and this leads to the chatter that Recorded Future analyzes.  "If you're a cybercriminal trying to make money, you have to discuss it. If you hold back too much you're not going to make any money; so, there's a necessity for the criminals to stick their heads up a little bit -- and we can take advantage of that and call out some of the big conversations." It assumes a correlation between chatter about a vulnerability and active exploitation of that vulnerability -- an assumption that common sense rather than science suggests is reasonable. Donnelly is confident that his firm's knowledge of and access to the dark web is statistically valid. Nation-state activity is specifically excluded from this analysis, because, he says, "If you're a nation-state with an exploit, or if you're a third-party supplier of exploits to a nation state, you're less likely to talk about it in a general criminal forum." 
At the macro level, this year's analysis highlights a move away from Adobe vulnerabilities towards Microsoft consumer product vulnerabilities. While Flash exploits dominated earlier annual reports, seven of the top ten (including the top five) most discussed vulnerabilities are now Microsoft vulnerabilities. "As Adobe Flash Player has begun to see its usage significantly drop, this year we find that it's a lot of Microsoft consumer products that are seeing heavy exploitation," says Donnelly. The three most used vulnerabilities are CVE-2017-0199 (which allows attackers to download and execute a Visual Basic script containing PowerShell commands from a malicious document), CVE-2016-0189 (which is an old Internet Explorer vulnerability that allows attackers to use an exploit kit to drop malware, such as ransomware), and CVE-2017-0022 (which enables data theft). A second major takeaway from the analysis is that 2017 has seen a significant drop in the development of new exploit kits. "This has been noticed before," Donnelly t Guideline
SecurityWeek.webp 2018-03-27 14:36:05 Axonius Uses Existing Tools to Find, Secure Devices (lien direct) Axonius emerged from stealth mode on Tuesday with a platform designed to help organizations identify and secure all the devices on their network by leveraging existing security and management tools. The company aims to bridge the gap between device discovery and vulnerability assessment products with a solution that combines data from existing tools in an effort to provide a centralized view of all devices and help enterprises ensure that all their systems are patched. Vulnerability assessment tools may be effective at identifying and prioritizing systems that need patching, but they often don't have access to all devices due to the fragmented nature of corporate environments. Axonius says its Cybersecurity Asset Management Platform can leverage combinations of nearly 30 tools from various vendors in order to discover all the devices on a network, obtain information about those systems, and ensure that they are not neglected by vulnerability scanners. The company has created what it calls “adapters” to integrate tools from Microsoft, Amazon, Cisco, enSilo, ESET, Forcepoint, Fortinet, IBM, Juniper, McAfee, ManageEngine, Qualys, Rapid7, Splunk, Symantec, VMware and others into its platform. New adapters will be added in the future based on customers' needs – the company is currently working on integrating tools from Carbon Black, Cylance, ObserveIT, CrowdStrike and others. Adding new adapters is in most cases an easy task given that most vendors provide APIs. The company told SecurityWeek that it's unlikely for an organization that has a problem with fragmentation and visibility not to have at least some of the supported tools – for example, Microsoft's Active Directory can be found in most companies. 
Security teams can manually query devices to ensure that they adhere to their organization's policies, but they can also configure the platform to automatically alert them via email or syslog whenever a device that fits specified criteria is detected. In addition to helping organizations gain full visibility into the devices on their network, Axonius says its platform can also be used to enforce policies. Employees can manually choose to either bloc Guideline
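What the "adapters" approach amounts to in practice is a join across exports that disagree on naming and coverage, followed by rules over the merged record. The following Python is an added example for this page, not Axonius code: the three exports (a directory, a vulnerability scanner and an endpoint agent), their field names and the host names are constructed, and the policy rules are illustrative stand-ins for the "specified criteria" the article mentions. The security-relevant output is the set of devices that one tool knows about and another has never touched.

```python
"""Cross-tool asset reconciliation: join several tools' device exports on a
normalised hostname and flag assets the vulnerability scanner never reaches.
Example code for this page, not Axonius's platform; the three exports and
their field names are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed exports.  An adapter would pull each of these from the vendor's API.
AD_COMPUTERS = [
    {"name": "WS-001.corp.example", "os": "Windows 10"},
    {"name": "WS-002.corp.example", "os": "Windows 7"},
    {"name": "srv-db01.corp.example", "os": "Windows Server 2012"},
]
SCANNER_HOSTS = [
    {"hostname": "ws-001", "last_scan": "2018-03-20", "critical": 0},
    {"hostname": "srv-db01", "last_scan": "2018-01-15", "critical": 3},
]
EDR_AGENTS = [
    {"host": "WS-001", "agent_version": "3.2.1"},
    {"host": "WS-002", "agent_version": "3.2.1"},
    {"host": "lab-pi", "agent_version": "3.1.0"},    # known to the agent only
]


@dataclass
class Asset:
    key: str
    os: Optional[str] = None
    last_scan: Optional[date] = None
    critical: int = 0
    edr_agent: Optional[str] = None
    sources: List[str] = field(default_factory=list)


def normalise(name: str) -> str:
    """Tools disagree on case and domain suffix; join on the short hostname."""
    return name.split(".")[0].lower()


def reconcile() -> Dict[str, Asset]:
    """Merge every export into one record per device, remembering who saw it."""
    assets: Dict[str, Asset] = {}

    def seen(name: str, source: str) -> Asset:
        a = assets.setdefault(normalise(name), Asset(key=normalise(name)))
        a.sources.append(source)
        return a

    for r in AD_COMPUTERS:
        seen(r["name"], "ad").os = r["os"]
    for r in SCANNER_HOSTS:
        a = seen(r["hostname"], "scanner")
        a.last_scan = date.fromisoformat(r["last_scan"])
        a.critical = r["critical"]
    for r in EDR_AGENTS:
        seen(r["host"], "edr").edr_agent = r["agent_version"]
    return assets


def find_gaps(assets: Dict[str, Asset], today: date,
              max_scan_age_days: int = 30) -> Dict[str, List[str]]:
    """Illustrative policy rules; returns device -> reasons it needs attention."""
    findings: Dict[str, List[str]] = {}
    for a in assets.values():
        reasons = []
        if "scanner" not in a.sources:
            reasons.append("never scanned")
        elif today - a.last_scan > timedelta(days=max_scan_age_days):
            reasons.append(f"last scan {a.last_scan} older than {max_scan_age_days}d")
        if "ad" in a.sources and "edr" not in a.sources:
            reasons.append("domain member without endpoint agent")
        if "ad" not in a.sources:
            reasons.append("unknown to directory")
        if reasons:
            findings[a.key] = reasons
    return findings


def run_checks(today_iso: str = "2018-03-27", max_scan_age_days: int = 30) -> Dict[str, List[str]]:
    """Reconcile the constructed exports and evaluate the rules as of `today_iso`."""
    return find_gaps(reconcile(), date.fromisoformat(today_iso), max_scan_age_days)


if __name__ == "__main__":
    for host, reasons in run_checks().items():
        print(host, "->", "; ".join(reasons))
```

The join key is the weak point of any such system: short hostnames collide across domains and DHCP churn breaks IP-based matching, so a production version keys on several identifiers (MAC, serial, agent ID) and reports the conflicts rather than silently merging them.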
SecurityWeek.webp 2018-03-27 11:29:02 (Déjà vu) Intel CPUs Vulnerable to New \'BranchScope\' Attack (lien direct) Researchers have discovered a new side-channel attack method that can be launched against devices with Intel processors, and the patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks. The new attack, dubbed BranchScope, has been identified and demonstrated by a team of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University. Similar to Meltdown and Spectre, BranchScope can be exploited by an attacker to obtain potentially sensitive information they normally would not be able to access directly. The attacker needs to have access to the targeted system and they must be able to execute arbitrary code. Researchers believe the requirements for such an attack are realistic, making it a serious threat to modern computers, “on par with other side-channel attacks.” The BranchScope attack has been demonstrated on devices with three types of Intel i5 and i7 CPUs based on Skylake, Haswell and Sandy Bridge microarchitectures. Experts showed that the attack works even if the targeted application is running inside of an Intel SGX enclave. Intel SGX, or Software Guard Extensions, is a hardware-based isolated execution system designed to prevent code and data from getting leaked or modified. BranchScope is similar to Spectre as they both target the directional branch predictors. Branch prediction units (BPUs) are used to improve the performance of pipelined processors by guessing the execution path of branch instructions. The problem is that when two processes are executed on the same physical CPU core, they share a BPU, potentially allowing a malicious process to manipulate the direction of a branch instruction executed by the targeted application. 
The BPU has two main components – a branch target buffer (BTB) and a directional predictor – and manipulating either one of them can be used to obtain potentially sensitive data from memory. Intel recently published a video providing a high level explanation of how these attacks work. Researchers showed on several occasions in the past how BTB manipulation can be used for attacks, but BranchScope instead targets the directional predictor. “BranchScope is the first fine-grained attack on the directional branch predictor, expanding our understanding of the side channel vulnerability of the branch prediction unit,” the researchers explained in their paper. The researchers who identified the BranchScope attack method have proposed a series of countermeasures that include both software- and hardware-based solutions. Dmitry Evtyushkin, one of the people involved in this research, told SecurityWeek that while Guideline
SecurityWeek.webp 2018-03-27 11:20:03 Why Does Data Exfiltration Remain an Almost Unsolvable Challenge? (lien direct) From hacked IoT devices to corporate infrastructures hijacked for crypto-mining to automated ransomware, novel and sophisticated cyber-attacks are notoriously hard to catch. It is no wonder that defending against these silent and never-seen-before threats dominates our security agendas. But while we grapple with the challenge of detecting the unknown, data exfiltration - an old and very well-known risk - doesn't command nearly the same amount of attention. Yet data exfiltration happens, and it happens by the gigabyte. As attackers improve their methods of purloining the sensitive data we trust our organizations to keep safe, one critical question remains: why does data exfiltration present the security community with such a formidable challenge? Gigawatts and Flux Capacitors. Let's go Back in Time. All data exfiltration attacks share one common trait:  the early warning signs of anomalous activity on the network were present but traditional security failed to catch them. Regardless of level of subtlety, or the number of devices involved, perimeter tools missed the window of opportunity between impact and unauthorized data transfer  – allowing for hundreds of gigabytes of data to be exfiltrated from the organization. The Sony hack of 2014 brought the world to a startling halt when it was revealed that attackers had spent over a year leaking 100 terabytes of data from the network. The next year brought us the Panama Papers, where allegedly 2.6 terabytes of data were leaked, causing reputational damage to some of the world's most recognizable public figures. And in 2016, allegedly 80 gigabytes of data escaped from the Democratic National Committee's network, launching two years of skepticism and distrust around the US elections. 
Each of these cases of sizeable data exfiltration remained undetected for months, or even years – only to be discovered when the data had already long been lost. When we look at this cycle of stealthy and silent data breaches, we have to ask ourselves: how can such tremendous amounts of data leave our corporate networks without raising any alarms? Modern Networks: Living Organisms The challenge in identifying indicators of data exfiltration lies partly in the structure of today's networks. As our businesses continue to innovate, we open the door to increased digital complexity and vulnerability – from BYOD to third party supply chains, organizations significantly amplify their cyber risk profile in the name of optimal efficiency. Against this backdrop, our security teams are hard-pressed to identify the subtle telling signs of a data exfiltr Equifax
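One of the "early warning signs" the piece says were present in each case is sheer volume: hundreds of gigabytes leaving from a host whose normal day is a few tens of megabytes. The following Python is an added example for this page, not any vendor's detection logic; the flow records, host names and the 203.0.113.45 destination (from the documentation address range) are constructed for illustration. It baselines each host's daily egress with median and median absolute deviation, so the spike itself does not inflate the baseline, flags the host whose latest day exceeds that baseline by a margin, and lists the destinations that host had never contacted before.

```python
"""Volumetric egress baseline over flow records, the kind of early-warning
signal the piece says was present but missed.  Example code for this page,
not any vendor's detection logic; the flows are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple

MB, GB = 1024 ** 2, 1024 ** 3


@dataclass(frozen=True)
class Flow:
    day: int          # day index; a real feed would carry a timestamp
    src: str          # internal host
    dst: str          # external destination
    bytes_out: int


def constructed_flows() -> List[Flow]:
    """Six quiet days for two workstations and a backup server, then one bad day."""
    flows = []
    for day in range(1, 7):
        flows += [Flow(day, "ws-17", "cdn.example.net", 40 * MB),
                  Flow(day, "ws-18", "cdn.example.net", 30 * MB),
                  Flow(day, "backup-01", "backup.example.net", 2 * GB)]
    # day 7: ws-17 pushes 150 GB to an address it has never talked to before
    flows += [Flow(7, "ws-17", "cdn.example.net", 41 * MB),
              Flow(7, "ws-17", "203.0.113.45", 150 * GB),
              Flow(7, "ws-18", "cdn.example.net", 32 * MB),
              Flow(7, "backup-01", "backup.example.net", 2 * GB)]
    return flows


def daily_totals(flows: List[Flow]) -> Dict[str, Dict[int, int]]:
    totals: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.src][f.day] += f.bytes_out
    return totals


def robust_baseline(history: List[int]) -> Tuple[float, float]:
    """Median and median absolute deviation: one huge day cannot drag the
    baseline up the way a mean and standard deviation would."""
    m = median(history)
    return m, median(abs(x - m) for x in history)


def detect(flows: List[Flow], k: float = 10.0, floor: int = GB) -> Dict[str, dict]:
    """Flag hosts whose latest day exceeds median + max(k*MAD, floor) of the
    earlier days.  The absolute floor keeps a host with a perfectly flat history
    (MAD of zero) from alerting on a trivial change."""
    totals = daily_totals(flows)
    last_day = max(f.day for f in flows)
    alerts: Dict[str, dict] = {}
    for host, per_day in totals.items():
        history = [b for d, b in per_day.items() if d < last_day]
        if not history:
            continue                       # no baseline yet; new hosts need their own rule
        latest = per_day.get(last_day, 0)
        m, mad = robust_baseline(history)
        threshold = m + max(k * mad, floor)
        if latest <= threshold:
            continue
        known = {f.dst for f in flows if f.src == host and f.day < last_day}
        new_dsts = {f.dst: f.bytes_out for f in flows
                    if f.src == host and f.day == last_day and f.dst not in known}
        alerts[host] = {"latest": latest, "threshold": threshold,
                        "ratio": latest / m, "new_destinations": new_dsts}
    return alerts


if __name__ == "__main__":
    for host, a in detect(constructed_flows()).items():
        print(f"{host}: {a['latest'] / GB:.1f} GB out, {a['ratio']:.0f}x its median; "
              f"new destinations: {list(a['new_destinations'])}")
```

A volumetric check like this catches the bulk transfers in the cases above but not low-and-slow exfiltration spread over months; that needs cumulative and destination-novelty counting over much longer windows, and a per-host baseline that excludes the window the attacker may already have been active in.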
SecurityWeek.webp 2018-03-27 11:02:00 McAfee Enhances Product Portfolio, Unveils New Security Operations Centers (lien direct) Since emerging from Intel as a standalone cybersecurity company in April 2017, McAfee has consistently made multiple new product announcements simultaneously. It has continued that model this week with a new version of the Enterprise Security Manager (ESM 11), and enhancements to Behavioral Analytics, Investigator, Advanced Threat Defense, and Active Response. Significantly, it has also unveiled two new security operations centers (SOCs) that combine physical and cybersecurity into the McAfee Security Fusion Centers, located in Plano, Texas and Cork, Ireland. This is McAfee using its own products for its own organization: McAfee 'eating its own dog food' as its own Customer Zero.  The SOCs have a triple purpose -- to protect McAfee; to use McAfee products in a live scenario to provide practical feedback to the developers; and to provide an educational environment for customers to see McAfee SOC products in live action rather than choreographed simulation. The 'practical feedback' also provides an illustration of a key principle in McAfee's product philosophy: man and machine integration, each learning from and benefiting the other.  "The big deal for the McAfee Security Fusion Centers," writes McAfee CISO Grant Bourzikas in an associated blog, "is that they have a dual mission: 1) to protect McAfee, and; 2) help us build better products. And for myself, I would add a third objective: help our customers to learn from our experiences protecting McAfee. We want to help them build better reference architectures, learn how to communicate with boards of directors and become more innovative in solving cybersecurity problems." The Fusion Centers also, of course, demonstrate McAfee's faith in its own products. 
The new ESM 11 architecture shares large volumes of raw, parsed and correlated security events to allow threat hunters to quickly search recent events, while storing the data for future forensic and compliance requirements. The architecture is horizontally scalable with active/active availability through the addition of extra ESM appliances or virtual machines. Behavioral Analytics provides machine learning technology to discover high risk events that might otherwise be missed by human hunters. It distills billions of events down to hundreds of anomalies and then to 'a handful of prioritized threat leads' -- highlighting the signal in the noise -- and integrating with the McAfee product portfolio and other third-party SIEMs.  Investigator shares data with open source and third-party tools to streamline workflows and improve collaboration. Active Response has been enhanced by integration with Investigator to help analysts scope the impact of a threat across endpoints in real-time. Integration with Advanced Threat Protection also allows analysts to view sandbox reports and IoCs from a singl Guideline ★★★★
SecurityWeek.webp 2018-03-27 05:59:03 (Déjà vu) Canadian Firm Linked to Cambridge Analytica Exposed Source Code (lien direct) Source code belonging to Canada-based digital advertising and software development company AggregateIQ has been found by researchers on an unprotected domain. The exposed files appear to confirm reports of a connection between AggregateIQ and Cambridge Analytica, the controversial firm caught in the recent Facebook data scandal. On March 20, Chris Vickery of cyber risk company UpGuard stumbled upon an AggregateIQ subdomain hosting source code for the company's tools. The files, stored in a custom GitLab code repository, were accessible to anyone who supplied an email address. The exposed information included the source code of tools designed for organizing information on a large number of individuals, including how they are influenced by ads, and tracking their online activities. The files also contained credentials that may have allowed malicious actors to launch damaging attacks, UpGuard said. The nature of the exposed code is not surprising considering that the firm is said to have developed tools used in political campaigns around the world, including in the United States and United Kingdom. AggregateIQ has been linked by the press and a whistleblower to Cambridge Analytica, a British political consulting and communications firm said to be involved in the presidential campaigns of Donald Trump and Ted Cruz, and the Brexit “Vote Leave” campaign. Cambridge Analytica recently came under fire after it was discovered that it had collected information from 50 million Facebook users' profiles and used it to create software designed to predict and influence voters. Facebook suspended the company's account after the news broke, but the social media giant has drawn a lot of criticism, both from customers and authorities. 
According to some reports, AggregateIQ was originally launched with the goal of helping Cambridge Analytica and its parent company SCL Group. In a statement published on its website over the weekend, AggregateIQ denied reports that it's part of Cambridge Analytica or SCL. It has also denied signing any contracts with the British firm and being involved in any illegal activity. However, there appears to be some evidence that Cambridge Analytica owns AggregateIQ's intellectual property, and the files discovered by UpGuard also seem to show a connection. For example, two of the AggregateIQ projects whose source code was exposed contained the string “Ripon,” which is the name of Cambridge Analytica's platf Guideline
SecurityWeek.webp 2018-03-27 02:16:00 (Déjà vu) FTC to Probe Facebook Over Privacy Practices (lien direct) A US consumer protection agency said Monday it has opened an investigation into Facebook's privacy practices, another blow to the social network, which is struggling to deal with a growing crisis on misuse of private data. The Federal Trade Commission (FTC) confirmed news reports from last week that it had opened an inquiry over the harvesting of data on tens of millions of Facebook users by the British consulting group Cambridge Analytica. While the FTC normally refuses to comment on its probes, it took the unusual step of confirming a "non-public investigation" into Facebook over whether it mishandled private data or violated a 2011 agreement which settled an earlier probe. Acting FTC consumer protection chief Tom Pahl said the agency will look into whether Facebook violated its privacy promises or failed to comply with the US-EU agreement on data protection known as the Privacy Shield. The agency will also determine if Facebook engaged "in unfair acts that cause substantial injury to consumers in violation of the FTC Act." The FTC suggested that Facebook could face new legal problems if it violated the consent decree with the consumer agency in 2011 settling charges that it deceived consumers on how it handled private data. "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements," Pahl said in the statement. "Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." Facebook shares reversed early losses and closed up 0.42 percent on Monday, after having lost some 14 percent last week. 
Separately, Senate Judiciary Committee chairman Charles Grassley said he had asked Facebook CEO Mark Zuckerberg to appear at a hearing on April 10 "to discuss Facebook's past and future policies regarding the protection and monitoring of consumer data." Grassley said he also invited Google CEO Sundar Pichai and Twitter CEO Jack Dorsey "to discuss the future of data privacy in the social media industry." - Germany to boost oversight - Germany's justice minister meanwhile said Monday that Facebook should face "stricter" oversight and be more transparent with its users. Speaking after a meeting with European Facebook executives in Berlin, Justice Minister Katarina Barley said the firm's assurances that it had already cracked down on the misuse of personal data were "not enough."
SecurityWeek.webp 2018-03-26 18:30:02 Ukrainian Suspected of Leading Carbanak Gang Arrested in Spain (lien direct) A Ukrainian national suspected of being the leader of a gang that used Carbanak malware to steal a significant amount of money from banks worldwide has been arrested in Spain, Europol and the Spanish government announced on Monday. According to authorities, the man is believed to be the mastermind of an operation that resulted in losses totaling over €1 billion ($1.24 billion). The hackers targeted over 100 financial organizations in more than 40 countries around the world, stealing up to €10 million ($12.4 million) in a single heist. The suspect was arrested in Alicante, Spain, following an investigation conducted by the Spanish National Police and supported by Europol, private cybersecurity firms, and law enforcement agencies in the United States, Romania, Belarus and Taiwan. Spain's interior ministry identified the suspect as Ukrainian national “Denis K” and noted that he ran the operation with help from three Russian and Ukrainian nationals. The mastermind of the operation had been working from Spain, and he found his accomplices online, but they never met in person. The gang targeted ATMs in Spain's capital city of Madrid in the first quarter of 2017, stealing half a million euros. Police seized computers, jewelry worth €500,000 ($620,000), documents, and two luxury vehicles following Denis K's arrest. Bank accounts and two houses valued at roughly €1 million ($1.24 million) were also blocked. The cybercrime group, tracked as Carbanak, Anunak and Cobalt, has been around since at least 2013 and its activities were first detailed in 2014. According to Spain's interior ministry, investigations into the group started in 2015. According to Europol, the cybercriminals started out by using a piece of malware they had dubbed Anunak. They later improved their malware, a version that the cybersecurity industry has dubbed Carbanak. 
Starting in 2016, they launched more sophisticated attacks using a custom version of the penetration testing tool Cobalt Strike. It's worth noting that this is not the only cybercrime group known to use the Carbanak malware. The hackers delivered their malware to bank employees using spear-phishing emails. Once the malware was deployed, it gave attackers access to the compromised organization's internal network, including servers controlling ATMs. The cybercriminals used their access to these servers to remotely instruct ATMs to dispense cash at a predetermined time, when the group's mules would be nearby to collect the money. They also transferred funds from the targeted bank to their own accounts, and modified balances to allow members of the gang to withdraw large amounts of money at cash mac Guideline
SecurityWeek.webp 2018-03-26 17:46:02 Former Barclays CISO to Head WEF\'s Global Center for Cybersecurity (lien direct) Troels Oerting to Head the Global Centre for Cybersecurity The 48th annual meeting of the World Economic Forum (WEF) at Davos, Switzerland, in January announced the formation of a new Global Centre for Cybersecurity. Today it announced that Troels Oerting will be its first Head, assuming the role on April 2, 2018. Oerting has been the group chief information security officer (CISO) at Barclays since February 2015. Before that he was head of the European Cybercrime Centre (EC3) -- part of Europol formed in 2013 to strengthen LEA response to cross-border cybercrime in the EU -- and head of the Europol Counter Terrorist and Financial Intelligence Center (since 2012). He also held several other law enforcement positions (such as Head of the Serious Organised Crime Agency with the Danish National Police), and chaired the EU Financial Cybercrime Coalition. Oerting brings to WEF's Global Center for Cybersecurity a unique combination of hands-on cybersecurity expertise as Barclays' CISO, experience of and contacts within Europe-wide cyber intelligence organizations, and a deep knowledge of the financial crimes that will be of particular significance to WEF's members. It is a clear statement from the WEF that the new center should be taken seriously. “The Global Centre for Cybersecurity is the first global platform to tackle today's cyber-risks across industries, sectors and in close collaboration with the public sector. I'm glad that we have found a proven leader in the field who is keen and capable to help us address this dark side of the Fourth Industrial Revolution,” said Klaus Schwab, founder and executive chairman of the World Economic Forum. WEF's unique position at the heart of trans-national business, with the ear of governments, provides the opportunity to develop a truly global approach to cybersecurity. 
Most current cybersecurity regulations and standards are based on national priorities aimed against an adversary that knows no national boundaries. The aims of the new center are to consolidate existing WEF initiatives; to establish an independent library of best practices; to work towards an appropriate and agile regulatory framework on cybersecurity; and to provide a laboratory and early-warning think tank on cybersecurity issues. Related: World Economic Forum Announces New Fintech Cybersecurity Consortium  Related: World Economic Forum Publishes Cyber Resil Guideline
SecurityWeek.webp 2018-03-26 16:46:03 (Déjà vu) Watering Hole Attack Exploits North Korea\'s Flash Flaw (lien direct) An attack leveraging the compromised website of a Hong Kong telecommunications company is using a recently patched Flash vulnerability that has been exploited by North Korea since mid-November 2017, Morphisec warns. The targeted vulnerability, CVE-2018-4878, first became public in early February, after South Korea's Internet & Security Agency (KISA) issued an alert on it being abused by a North Korean hacker group. Adobe patched the flaw within a week. By the end of February, cybercriminals were
SecurityWeek.webp 2018-03-26 15:27:02 One Year Later, Hackers Still Target Apache Struts Flaw (lien direct) One year after researchers saw the first attempts to exploit a critical remote code execution flaw affecting the Apache Struts 2 framework, hackers continue to scan the Web for vulnerable servers. The vulnerability in question, tracked as CVE-2017-5638, affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. The security hole was addressed on March 6, 2017 with the release of versions 2.3.32 and 2.5.10.1. The bug, caused by improper handling of the Content-Type header, can be triggered when performing file uploads with the Jakarta Multipart parser, and it allows a remote and unauthenticated attacker to execute arbitrary OS commands on the targeted system. The first exploitation attempts were spotted one day after the patch was released, shortly after someone made a proof-of-concept (PoC) exploit available. Some of the attacks scanned servers in search of vulnerable Struts installations, while others were set up to deliver malware. Guy Bruneau, researcher and handler at the SANS Internet Storm Center, reported over the weekend that his honeypot had caught a significant number of attempts to exploit CVE-2017-5638 over the past two weeks. The expert said his honeypot recorded 57 exploitation attempts on Sunday, on ports 80, 8080 and 443. The attacks, which appear to rely on a publicly available PoC exploit, involved one of two requests designed to check whether a system is vulnerable. Bruneau told SecurityWeek that he has yet to see any payloads. The researcher noticed scans a few times a week starting on March 13, coming from IP addresses in Asia. “The actors are either looking for unpatched servers or new installations that have not been secured properly,” Bruneau said. The CVE-2017-5638 vulnerability is significant as it was exploited by cybercriminals last year to hack into the systems of U.S. credit reporting agency Equifax. 
Attackers had access to Equifax systems for more than two months and they managed to obtain information on over 145 million of the company's customers. The same vulnerability was also leveraged late last year in a campaign that involved NSA-linked exploits and cryptocurrency miners. Guideline Equifax
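The scans Bruneau describes are easy to spot at the edge because the public CVE-2017-5638 technique smuggles an OGNL expression into the Content-Type header, and a real media type never contains `%{` or `${`. The script below is an added example, not code from the article or from SANS ISC: it runs a strict media-type grammar check plus a small set of OGNL indicators over a constructed request log and separates vulnerability probes (which only set a response header) from attempts that spawn a process. The sample Content-Type values mirror the shape of the public PoC but are illustrative strings, not captured traffic.

```python
import re

# Constructed request log in the shape a web honeypot would record (source,
# path, Content-Type value). The two "%{...}" entries mirror the structure of
# the public CVE-2017-5638 PoC (an OGNL expression smuggled in Content-Type),
# but these are illustrative strings, not captures from the article or SANS ISC.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "path": "/struts2-showcase/index.action",
     "content_type": "%{(#_='multipart/form-data')."
                     "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
                     "(#cmd='echo vulnerable').(#p=new java.lang.ProcessBuilder(#cmd))}"},
    {"src": "203.0.113.9", "path": "/", "content_type": "multipart/form-data; boundary=----x"},
    {"src": "203.0.113.9", "path": "/login.action",
     "content_type": "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']"
                     ".addHeader('X-Check','1')}.multipart/form-data"},
    {"src": "192.0.2.4", "path": "/api", "content_type": "application/json"},
]

# RFC 7231 media type: token "/" token, optional ";" parameters. Anything that
# does not fit this grammar is not a Content-Type a browser or client would send.
MEDIA_TYPE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+/[!#$%&'*+\-.^_`|~0-9A-Za-z]+(\s*;.*)?$")

# Indicators, from weakest (any expression syntax) to strongest (a process spawn).
OGNL_INDICATORS = {
    "ognl_expression": re.compile(r"[%$]\{"),
    "member_access_bypass": re.compile(r"_memberAccess|@ognl\.OgnlContext@DEFAULT_MEMBER_ACCESS"),
    "response_probe": re.compile(r"HttpServletResponse'?\]?\.addHeader"),
    "command_execution": re.compile(r"ProcessBuilder|java\.lang\.Runtime|getRuntime\(\)"),
}


def inspect_content_type(header):
    """Return the indicator names that fire on one Content-Type value.

    An empty list means the value is a well-formed media type with no
    expression-language syntax in it.
    """
    hits = [name for name, rx in OGNL_INDICATORS.items() if rx.search(header)]
    if not hits and not MEDIA_TYPE.match(header):
        hits.append("malformed_media_type")
    return hits


def scan_requests(requests):
    """Return (src, path, verdict, indicators) for every suspicious request.

    verdict is "exploit" when the expression spawns a process, "probe" for
    the vulnerability checks that precede a payload, and "anomaly" for a
    header that is merely malformed.
    """
    findings = []
    for r in requests:
        hits = inspect_content_type(r["content_type"])
        if not hits:
            continue
        if "command_execution" in hits:
            verdict = "exploit"
        elif hits == ["malformed_media_type"]:
            verdict = "anomaly"
        else:
            verdict = "probe"
        findings.append((r["src"], r["path"], verdict, hits))
    return findings


if __name__ == "__main__":
    for src, path, verdict, hits in scan_requests(SAMPLE_REQUESTS):
        print("%-14s %-32s %-8s %s" % (src, path, verdict, ",".join(hits)))
```

The grammar check is the durable part: signature regexes lag behind PoC variants, but a Content-Type that fails the token/token grammar is worth alerting on regardless of which expression is inside it. Detection does not replace the fix; the affected versions listed above should be moved to 2.3.32 or 2.5.10.1 or later.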
SecurityWeek.webp 2018-03-26 14:12:04 (Déjà vu) Pentagon Looks to Counter Ever-stealthier Warfare (lien direct) The US military has for years enjoyed a broad technological edge over its adversaries, dominating foes with superior communications and cyber capabilities. Now, thanks to rapid advances by Russia and China, the gap has shrunk, and the Pentagon is looking at how a future conflict with a "near-peer" competitor might play out. Air Force Secretary Heather Wilson recently warned that both Russia and China are experimenting with ways to take out the US military's satellites, which form the backbone of America's warfighting machine.  "They know that we are dominant in space, that every mission the military does depends on space, and in a crisis or war they are demonstrating capabilities and developing capabilities to seek to deny us our space assets," Wilson said. "We're not going to let that happen." The Pentagon is investing in a new generation of satellites that will provide the military with better accuracy and have better anti-jamming capabilities. Such technology would help counter the type of "asymmetric" warfare practised by Russia, which combines old-school propaganda with social media offensives and cyber hacks. Washington has blamed Moscow for numerous cyber attacks, including last year's massive ransomware attack, known as NotPetya, which paralyzed thousands of computers around the world. US cyber security investigators have also accused the Russian government of a sustained effort to take control of critical US infrastructure systems, including the energy grid. Russia denies involvement and so far, such attacks have been met with a muted US military response. - Public relations shutdown - General John Hyten, who leads US Strategic Command (STRATCOM), told lawmakers the US has "not gone nearly far enough" in the cyber domain.  
He also warned that the military still does not have clear authorities and rules of engagement for when and how it can conduct offensive cyber ops. "Cyberspace needs to be looked at as a warfighting domain, and if somebody threatens us in cyberspace, we need to have the authorities to respond," Hyten told lawmakers this week. Hyten's testimony comes after Admiral Michael Rogers, who heads both the NSA -- the leading US electronic eavesdropping agency -- and the new US Cyber Command, last month said President Donald Trump had no Guideline NotPetya
SecurityWeek.webp 2018-03-26 13:19:01 (Déjà vu) Energy Sector Most Impacted by ICS Flaws, Attacks: Study (lien direct) The energy sector was targeted by cyberattacks more than any other industry, and many of the vulnerabilities disclosed last year impacted products used in this sector, according to a report published on Monday by Kaspersky Lab. The security firm analyzed a total of 322 flaws disclosed in 2017 by ICS-CERT, vendors and its own researchers, including issues in industrial control systems (ICS) and in general-purpose software and protocols used by industrial organizations. Of the total number of security holes, 178 impact control systems used in the energy sector. Critical manufacturing organizations – this includes manufacturers of primary metals, machinery, electrical equipment, and transportation equipment – were affected by 164 of these vulnerabilities. Other industries hit by a significant number of vulnerabilities are water and wastewater (97), transportation (74), commercial facilities (65), and food and agriculture (61). Many of the vulnerabilities disclosed last year impacted SCADA or HMI components (88), industrial networking devices (66), PLCs (52), and engineering software (52). However, vulnerabilities in general-purpose software and protocols have also had an impact on industrial organizations, including the WPA flaws known as KRACK and bugs affecting Intel technology. As for the types of vulnerabilities, nearly a quarter are web-related and 21 percent are authentication issues. A majority of the flaws have been assigned severity ratings of medium or high, but 60 weaknesses are considered critical based on their CVSS score. Kaspersky pointed out that all vulnerabilities with a CVSS score of 10 are related to authentication and that all of them are easy to exploit remotely. 
Kaspersky said 265 of the vulnerabilities can be exploited remotely without authentication and without any special knowledge or skills. It also noted that exploits are publicly available for 17 of the security holes. The company also shared data on malware infections and other security incidents. In the second half of 2017, Kaspersky security products installed on industrial automation systems detected nearly 18,000 malware variants from roughly 2,400 families. Malware attacks were blocked on almost 38 percent of ICS computers protected by the company, slightly lower than in the second half of the previous year. Again, the energy sector was the most impacted: according to the security firm, roughly 40 percent of the devices housed by energy organizations were targeted. Guideline Wannacry ★★★★★
SecurityWeek.webp 2018-03-26 12:25:00 Drupal to Patch Highly Critical Vulnerability This Week (lien direct) Drupal announced plans to release a security update for Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28, 2018, aimed at addressing a highly critical vulnerability. The Drupal security team hasn't provided information on the vulnerability and says it won't release any details on it until the patch arrives. An advisory containing all the necessary information will be published on March 28. Before that, however, the team advises customers to be prepared for the update's release and to apply it immediately after it is published, given its high exploitation potential. “The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” Drupal announced. The highly popular content management system (CMS) powers over one million sites and is used by a large number of e-commerce businesses.
SecurityWeek.webp 2018-03-26 05:39:04 IETF Approves TLS 1.3 (lien direct) The Internet Engineering Task Force (IETF) last week announced the approval of version 1.3 of the Transport Layer Security (TLS) traffic encryption protocol. The Internet standards organization has been analyzing proposals for TLS 1.3 since April 2014 and it took 28 drafts to get it to its current form. TLS is designed to allow client and server applications to communicate over the Internet securely. It provides authentication, confidentiality, and integrity mechanisms that should prevent eavesdropping and tampering, even by an attacker who has complete control over the network. There are nearly a dozen major functional differences between TLS 1.2 and TLS 1.3, including ones that should improve performance and eliminate the possibility of certain types of attacks, such as the recently disclosed ROBOT method. The most important changes have been described by the IETF as follows: The list of supported symmetric algorithms has been pruned of all algorithms that are considered legacy. Those that remain all use Authenticated Encryption with Associated Data (AEAD) algorithms. The ciphersuite concept has been changed to separate the authentication and key exchange mechanisms from the record protection algorithm (including secret key length) and a hash to be used with the key derivation function and HMAC. A 0-RTT mode was added, saving a round-trip at connection setup for some application data, at the cost of certain security properties (early data can be replayed by an attacker, so it is only safe for idempotent requests). Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy. All handshake messages after the ServerHello are now encrypted. The newly introduced EncryptedExtensions message allows various extensions previously sent in the clear in the ServerHello to also enjoy confidentiality protection from active attackers. Guideline
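Two of the changes listed above, dropping static RSA/DH key exchange and dropping every non-AEAD record protection, can be read off a TLS 1.2 cipher suite's IANA name, and the corresponding hardening on the client side is a one-line minimum-version setting. The script below is an added example, not code from the article or the IETF: it classifies a constructed list of TLS 1.2 suite names by whether they have the two properties TLS 1.3 still permits, and builds a Python `ssl` client context with the weak and the hardened minimum version side by side. Suite names are IANA-style strings chosen to cover each case; `ssl.TLSVersion` and `minimum_version` exist in Python 3.7+ and need OpenSSL 1.1.0g or later.

```python
import ssl

# Constructed list of TLS 1.2 cipher suite names (IANA naming), chosen to cover
# the cases TLS 1.3 removed; not a list taken from the article or the RFC.
SAMPLE_TLS12_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",                   # static RSA kex, CBC+HMAC
    "TLS_RSA_WITH_AES_128_GCM_SHA256",                # static RSA kex, AEAD
    "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",             # static DH kex, AEAD
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",          # ephemeral kex, CBC+HMAC
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",          # ephemeral kex, AEAD
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",  # ephemeral kex, AEAD
]

EPHEMERAL_KEX = ("ECDHE_", "DHE_")                   # key exchange with forward secrecy
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305_")


def classify_tls12_suite(name):
    """Return (forward_secrecy, aead) for an IANA-style TLS 1.2 suite name.

    TLS 1.3 keeps only the (True, True) corner: static RSA/DH key exchange is
    gone, and only AEAD record protection remains. TLS 1.3 names such as
    TLS_AES_128_GCM_SHA256 carry no key-exchange part and are rejected here.
    """
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not a TLS 1.2 cipher suite name: %s" % name)
    kex = name[len("TLS_"):].split("_WITH_", 1)[0] + "_"
    forward_secrecy = kex.startswith(EPHEMERAL_KEX)
    aead = any(marker in name for marker in AEAD_MARKERS)
    return forward_secrecy, aead


def surviving_in_tls13(suites):
    """Suites whose properties TLS 1.3 still allows (ephemeral kex + AEAD)."""
    return [s for s in suites if classify_tls12_suite(s) == (True, True)]


def make_client_context(minimum=ssl.TLSVersion.TLSv1_3):
    """Client context that refuses handshakes below `minimum`.

    Weak setting:     minimum=ssl.TLSVersion.TLSv1   (legacy suites negotiable)
    Hardened setting: minimum=ssl.TLSVersion.TLSv1_3 (the default here)
    """
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = minimum
    return ctx


if __name__ == "__main__":
    for suite in SAMPLE_TLS12_SUITES:
        fs, aead = classify_tls12_suite(suite)
        print("%-48s forward_secrecy=%-5s aead=%s" % (suite, fs, aead))
    print("kept by TLS 1.3 rules:", surviving_in_tls13(SAMPLE_TLS12_SUITES))
    print("client minimum:", make_client_context().minimum_version)
```

Pinning `minimum_version` to TLS 1.3 is the right default for a client talking only to servers you control; for a general-purpose client, TLS 1.2 as the floor with the static-RSA and CBC suites removed from the cipher string is the usual compromise until the peer population has moved. Python's `ssl` module does not expose 0-RTT, so the replay caveat above only applies to stacks that do.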
SecurityWeek.webp 2018-03-24 02:20:05 (Déjà vu) UK Regulators Search Cambridge Analytica Offices (lien direct) British regulators on Friday began searching the London offices of Cambridge Analytica (CA), the scandal-hit communications firm at the heart of the Facebook data scandal, shortly after a judge approved a search warrant. Around 18 enforcement agents from the office of Information Commissioner Elizabeth Denham entered the company's London headquarters at around 8:00pm (2000 GMT) to execute the warrant. The High Court granted the raid request less than an hour earlier, as Denham investigates claims that Cambridge Analytica may have illegally harvested Facebook data for political ends. A full explanation of the legal ruling by Judge Anthony James Leonard will be issued on Tuesday, according to the court. "We're pleased with the decision of the judge," Denham's office said on Twitter. "This is just one part of a larger investigation into the use of personal data and analytics for political purposes," it added in a statement. "As you will expect, we will now need to collect, assess and consider the evidence before coming to any conclusions." The data watchdog's probe comes amid whistleblower accusations that CA, hired by Donald Trump during his primary campaign, illegally mined tens of millions of users' Facebook data and then used it to target potential voters. Fresh allegations also emerged Friday night about the firm's involvement in the 2016 Brexit referendum campaign. Brittany Kaiser, CA's business development director until two weeks ago, revealed it conducted data research for Leave.EU, one of the leading campaign groups, via the UK Independence Party (UKIP), according to The Guardian. 'I was lying' Kaiser, 30, told the newspaper she felt the company's repeated public denials it ever worked on the poll misled British lawmakers and the public. "In my opinion, I was lying," she said. 
"In my opinion I felt like we should say, 'this is exactly what we did.'" CA's suspended chief executive Alexander Nix told MPs last month: "We did not work for Leave.EU. We have not undertaken any paid or unpaid work for them, OK?" Nix was suspended this week following the Facebook revelations and a further media sting in which he boasts about entrapping politicians and secretly operating in elections around the world through shadowy front companies. Guideline
SecurityWeek.webp 2018-03-23 19:45:03 (Déjà vu) Ransomware Hits City of Atlanta (lien direct) A ransomware attack -- possibly a variant of SamSam -- has affected some customer-facing applications and some internal services at the City of Atlanta. The FBI and incident response teams from Microsoft and Cisco are investigating. The city's police department, water services and airport are not affected. The attack was detected early on Thursday morning. By mid-day the city had posted an outage alert to Twitter. In a press conference held Thursday afternoon, mayor Keisha Bottoms announced that the breach had been ransomware. She gave no details of the ransom demands, but pointedly declined to say whether the ransom would be paid or refused. Bottoms could not at this stage confirm whether personal details had also been stolen in the same breach, but suggested that customers and staff should monitor their credit accounts. Questions on the viability of data backups and the state of system patches were not clearly answered; but it was stressed that the city had adopted a 'cloud first' policy going forward specifically to improve security and mitigate future ransomware attacks. A city employee obtained and sent a screenshot of the ransom note to local television station 11Alive. The screenshot shows a bitcoin demand for $6,800 per system, or $51,000 to unlock all systems. It is suggested that the ransom note is similar to ones used by the SamSam strain of ransomware. Steve Ragan subsequently tweeted, "1 local, 2 remote sources are telling me City of Atlanta was hit by SamSam. The wallet where the ransom is to be sent (if they pay) has collected $590,000 since Jan 27." SamSam ransomware infected two healthcare organizations earlier this year. SamSam is not normally introduced via a phishing attack, but rather following a pre-existing breach. This could explain the concern over data theft on top of the data encryption. 
It also raises the question of whether the initial breach was due to a security failure, an unpatched system, or a third-party supplier. Ransomware is not a new threat, and there are mitigations -- but it continues to cause havoc. Official advice is to refuse to pay wherever at all possible. The theory is that if the attackers cease getting a return on their attacks, they will turn to something easier with a better ROI on their time. This approach simply isn't working. Sometimes payment can be avoided by recovering data from backups NotPetya Wannacry
SecurityWeek.webp 2018-03-23 19:20:04 (Déjà vu) Facebook as an Election Weapon, From Obama to Trump (lien direct) The use of Facebook data to target voters has triggered global outrage with the Cambridge Analytica scandal. But the concept is nothing new: Barack Obama made extensive use of the social network in 2008 and stepped up "micro-targeting" in his 2012 re-election effort. The unauthorized gathering of data on 50 million Facebook users by a British consulting firm that worked for Donald Trump has sparked intense debate on how politicians and marketers -- appropriately or not -- use such personal information. But Cambridge Analytica, the firm at the center of the firestorm, has stressed it is far from alone in using data gleaned online to precisely target voters. "Obama's 2008 campaign was famously data-driven, pioneered micro-targeting in 2012, talking to people specifically based on the issues they care about," the British firm said on Twitter. Former members of the Obama team fiercely dispute any comparison to the Cambridge Analytica case, in which an academic researcher is accused of scooping up a massive trove of data without consent using a Facebook personality quiz, and transferring it improperly to the firm. "How dare you!" tweeted Michael Simon, who headed Obama's micro-targeting team in 2008, in response to the firm. "We didn't steal private Facebook profile data from voters under false pretenses. OFA (Obama's campaign) voluntarily solicited opinions of hundreds of thousands of voters. We didn't commit theft to do our groundbreaking work." Jeremy Bird, a member of the 2012 Obama team, echoed those sentiments, warning: "Do not use the Obama campaign to justify your shady business." But while Cambridge Analytica's methods for acquiring data are in dispute, the underlying goal -- using social media to take the pulse of voters and find those who are persuadable -- was common to both campaigns. 
So-called micro-targeting, which borrows techniques from the marketing world, is as much about mobilizing voters and getting them to the polls as about changing minds. And micro-targeting long pre-dates the internet, with campaigns as early as 1976 using this method, according to Victoria Farrar-Myers, a political scientist and researcher at Southern Methodist University. Everyone who uses social media makes a decision to share some personal information, she says, although they "may not be fully aware of how people can utilize that." "Being able to micro-target a voter down to what magazine they read and what issues might make them turn out does have an advantage for a candidate when they're running for an election."
SecurityWeek.webp 2018-03-23 14:50:03 U.S. Imposes Sanctions on Iranians for Hacking (lien direct) The United States imposed sanctions on Friday on 10 Iranians and an Iranian company for alleged hacking of hundreds of universities in the US and abroad and the theft of "valuable intellectual property and data." The Mabna Institute "engaged in the theft of personal identifiers and economic resources for private financial gain" and for the benefit of Iran's Islamic Revolutionary Guard Corps, the US Treasury Department said. The two founders of the Mabna Institute were among the 10 people whose assets are subject to US seizure, it said. The Justice Department said nine of the 10 had been indicted separately for conspiracy to commit computer intrusions and other crimes. Since 2013, the Mabna Institute carried out cyber intrusions into the computer systems of 144 US universities, the Treasury Department said, and 176 universities in 21 foreign countries. "For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps," Deputy Attorney General Rod Rosenstein said in a statement. "The Department of Justice will aggressively investigate and prosecute hostile actors who attempt to profit from America's ideas by infiltrating our computer systems and stealing intellectual property," Rosenstein added.
SecurityWeek.webp 2018-03-23 12:42:03 Pwner of a Lonely Heart: The Sad Reality of Romance Scams (lien direct) Valentine's Day is a special holiday, but for victims of romance scams it is a tragic reminder, not only of love lost, but of financial loss as well. According to the FBI Internet Crime Complaint Center (IC3), romance scams accounted for $230 million in losses in 2016. Men and women may jokingly refer to their significant other as their “partner in crime,” but when it comes to romance scams, this joke may become a sad reality. In addition to financial losses, many scammers convince their victims to become money mules or shipping mules, directly implicating them in illegal behavior. Recently, Agari researchers identified a woman in Los Angeles who has sent nearly half a million dollars to a scammer she has never even met. Even worse, this woman knowingly cashes bad checks and fake money orders on his behalf. The FBI has warned her to stop, yet it is unlikely she will do so. The victims of romance scams are typically women in their 40s to 50s, usually divorced or widowed and looking for a new relationship. They are targeted by scam artists on dating web sites, who have the ability to refine their searches for women that fit their target demographics.  The scam artists create profiles of charming and successful men to engage these lonesome women. Dating sites frequently ask what women are looking for in a partner, so it is easy for the scammer to say exactly what they need to seem like “Mr. Right.” Once these scammers engage with their victims, there is an inevitable variety of excuses why they can't meet – claims of overseas military service or mission trips are common, and help to further cement the supposed righteousness of the scammer. After a few months of correspondence, the scammer will claim a supposed tragedy: a lost paycheck or medical fees are common – and request a small loan. 
The typical loss in these scams is $14,000, not to mention the considerable psychological damage – victims of romance scams frequently withdraw from their social circles, embarrassed by the stigma. Even worse, as in the case of our anonymous victim, some of these scams can continue for years, with frequent requests for financial support. Once trust is established with their victims, these scammers may also begin to use them as “mules” to cash fake checks, make deposits, accept shipment of stolen goods, and more. In the case of our anonymous victim, her family has pleaded with her to stop sending her suitor more money, and the FBI has warned her that her behavior is illegal; and yet she persists. Guideline Equifax Yahoo
SecurityWeek.webp 2018-03-23 12:05:01 TrickBot Gets Computer Locking Capabilities (lien direct) A recently observed variant of the TrickBot banking Trojan has added a new module that can lock a victim's computer for extortion purposes, Webroot reports. First observed in late 2016 and said to be the work of cybercriminals behind the notorious Dyre Trojan, TrickBot has seen numerous updates that expanded not only its capabilities, but also its target list. Last year, the malware received an update that added worm-like capabilities, allowing it to spread locally via Server Message Block (SMB). Webroot now says that the malware attempts to leverage
SecurityWeek.webp 2018-03-22 18:44:01 (Déjà vu) Worried About Being on Facebook? Some Options Explained (lien direct) Managing Your Privacy with Facebook A snowballing Facebook scandal over the hijacking of personal data from millions of its users has many wondering whether it's time to restrict access to their Facebook information or even leave the social network altogether, with the #deletefacebook movement gaining traction. Here are some options open to the worried Facebook user. Put it to sleep  Putting a Facebook account on hold used to be difficult but has become a lot easier. To deactivate their account, users need to go to their "settings" page, then on to "manage account", where they can "deactivate" their account. Facebook defines this action as putting activity "on hold". The move disables a user's profile and removes their name and pictures from most things they have shared. Some information may still remain visible, like a user's name in a friend's list, or messages exchanged with friends. If they have second thoughts, users can easily restore a deactivated profile. Kill the account Deleting an account is a more radical step, as users will not be able to access it again once they've gone for that option. Facebook warns users that it can take up to 90 days to purge the network of a user's posts. Even so, some information is likely to stay online, for example messages sent to friends. According to French data expert Nathalie Devillier there is also a chance that Facebook holds on to information about some users if asked to by US authorities in the name of national security. Be more alert Facebook users can check with the network how much of their personal information is accessible on the network. In "settings", the option "download a copy of your Facebook data" allows a user to do just that. Once Facebook has double-checked a user's password, the site compiles and then e-mails a compressed file. 
The file gives an overview of the pictures and videos a user has posted, their downloaded apps,
SecurityWeek.webp 2018-03-22 16:54:01 (Déjà vu) You Can DDoS an Organization for Just $10 per Hour: Cybercrime Report (lien direct) The cost of having an organization targeted by a distributed denial of service (DDoS) attack for an hour is as low as $10, cybersecurity firm Armor says. The low cost of launching such attacks results from the proliferation of cybercrime-as-a-service, one of the most profitable business models adopted by cybercriminals over the past years. It allows would-be criminals to employ the resources of established cybercriminals for their nefarious purposes, including malware distribution, DDoS-ing, spam, and more. All that miscreants have to do is access underground markets or forums and hire the desired cybercrime service to conduct the malicious actions for them. And while the losses incurred by targeted organizations run into the billions, the price of hiring such a service is affordable to anyone. According to Armor's The Black Market Report: A Look into the Dark Web Guideline
SecurityWeek.webp 2018-03-22 16:21:01 GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries (lien direct) GitHub says the introduction of security alerts last year has led to a significantly smaller number of vulnerable code libraries on the platform. The code hosting service announced in mid-November 2017 the introduction of a new security feature designed to warn developers if the software libraries used by their projects contain any known vulnerabilities. The new feature looks for vulnerable Ruby gems and JavaScript NPM packages based on MITRE's Common Vulnerabilities and Exposures (CVE) list. When a new flaw is added to this list, all repositories that use the affected version are identified and their maintainers informed. Users can choose to be notified via the GitHub user interface or via email. When it introduced security alerts, GitHub compared the list of vulnerable libraries to the Dependency Graph in all public code repositories. The Dependency Graph is a feature in the Insights section of GitHub that lists the libraries used by a project. Since the introduction of security alerts, this section also informs users about vulnerable dependencies, including CVE identifiers and severity of the flaws, and provides advice on how to address the issues. The initial scan conducted by GitHub revealed more than 4 million vulnerabilities in over 500,000 repositories. Affected users were immediately notified and by December 1, roughly two weeks after the launch of the new feature, more than 450,000 of the flaws were addressed either by updating the affected library or removing it altogether. According to GitHub, vulnerabilities are in a vast majority of cases addressed within a week by active developers. “Since [December 1], our rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent,” GitHub said. 
“Additionally, 15 percent of alerts are dismissed within seven days-that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.” GitHub was recently hit by a record-breaking distributed denial-of-service (DDoS) attack that peaked at 1.3 Tbps, but the service was down for less than 10 minutes. Related: GitHub Enforces Stronger Encryption Related: Slack Tokens Leaked on GitHub Put Companies at Risk Guideline
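The matching GitHub describes, taking each repository's dependency manifest and checking every pinned version against the known-vulnerable ranges of an advisory feed, is simple enough to reproduce locally, which is useful for repositories hosted elsewhere or for ecosystems the service does not yet cover. The script below is an added example, not GitHub's code: it reads a constructed package-lock.json fragment and a constructed Gemfile.lock, evaluates comparator ranges such as `>=2.0.0 <2.1.5`, and reports the dependencies that fall inside a vulnerable range. The advisory IDs and package names are placeholders invented for the example, not real CVEs or real packages.

```python
import re

# Constructed advisory feed in the shape GitHub's alerts are built from:
# ecosystem, package, vulnerable version range. Package names and advisory IDs
# are placeholders invented for this example, not real CVEs.
ADVISORIES = [
    {"id": "ADV-0001", "ecosystem": "npm", "package": "widget-parser",
     "vulnerable": "<1.4.2", "severity": "high"},
    {"id": "ADV-0002", "ecosystem": "npm", "package": "widget-parser",
     "vulnerable": ">=2.0.0 <2.1.5", "severity": "critical"},
    {"id": "ADV-0003", "ecosystem": "rubygems", "package": "yaml-thing",
     "vulnerable": "<3.0.1", "severity": "moderate"},
]

# Constructed manifests: the "dependencies" map of a package-lock.json and the
# "specs:" block of a Gemfile.lock (pinned gems are indented four spaces).
PACKAGE_LOCK = {"dependencies": {
    "widget-parser": {"version": "2.1.3"},
    "left-thing": {"version": "0.9.0"},
}}
GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    yaml-thing (3.0.1)
    rails-ish (5.2.0)
"""

COMPARATOR = re.compile(r"^(<=|>=|<|>|=)(\d+(?:\.\d+)*)$")
OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b,
}


def parse_version(v):
    """'2.1.3' -> (2, 1, 3); numeric dotted versions only (no pre-release tags)."""
    return tuple(int(x) for x in v.split("."))


def in_range(version, spec):
    """True when `version` satisfies every comparator of a spec like '>=2.0.0 <2.1.5'."""
    ver = parse_version(version)
    for comparator in spec.split():
        m = COMPARATOR.match(comparator)
        if not m:
            raise ValueError("bad comparator: %s" % comparator)
        if not OPS[m.group(1)](ver, parse_version(m.group(2))):
            return False
    return True


def npm_lock_deps(lock):
    """{name: version} from the 'dependencies' map of a package-lock.json."""
    return {name: info["version"] for name, info in lock["dependencies"].items()}


GEM_SPEC = re.compile(r"^    (\S+) \((\d+(?:\.\d+)*)\)$")


def gemfile_lock_deps(text):
    """{name: version} from the four-space-indented pinned lines of a Gemfile.lock."""
    deps = {}
    for line in text.splitlines():
        m = GEM_SPEC.match(line)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps


def find_vulnerable(deps, ecosystem, advisories=ADVISORIES):
    """Alerts as (package, installed, advisory_id, severity) for deps in a vulnerable range."""
    alerts = []
    for adv in advisories:
        if adv["ecosystem"] != ecosystem:
            continue
        installed = deps.get(adv["package"])
        if installed is not None and in_range(installed, adv["vulnerable"]):
            alerts.append((adv["package"], installed, adv["id"], adv["severity"]))
    return alerts


if __name__ == "__main__":
    print(find_vulnerable(npm_lock_deps(PACKAGE_LOCK), "npm"))        # widget-parser 2.1.3 hits ADV-0002
    print(find_vulnerable(gemfile_lock_deps(GEMFILE_LOCK), "rubygems"))  # yaml-thing 3.0.1 is the fixed version
```

The boundary case is the one that matters in practice: `yaml-thing 3.0.1` sits exactly on the fixed version and must not alert, while `widget-parser 2.1.3` is inside the second range even though it clears the first. Real lockfiles also carry transitive dependencies and pre-release suffixes, which this numeric tuple comparison deliberately does not handle; a production checker needs the ecosystem's own version semantics (semver for npm, Gem::Version ordering for RubyGems).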
SecurityWeek.webp 2018-03-22 15:30:01 (Déjà vu) Iran-linked Hackers Adopt New Data Exfiltration Methods (lien direct) An Iran-linked cyber-espionage group has been using new malware and data exfiltration techniques in recent attacks, security firm Nyotron has discovered. The threat actor, known as OilRig, has been active since 2015, mainly targeting United States and Middle Eastern organizations in the financial and government industries. The group has been already observed using multiple tools and adopting new exploits fast, as well as switching to new Trojans in Guideline APT 34
SecurityWeek.webp 2018-03-22 15:10:01 Security Practitioners: 10 Signs You Need to be More Direct (direct link) Conflict isn't Pleasant, But Sometimes it Can be Healthy and Necessary When Done Properly and Respectfully Living and working in different cultures gives you a broader perspective across a variety of different areas than you might have attained otherwise. It is one of the things I am most grateful for professionally and has taught me to appreciate that each culture has its own advantages and disadvantages. There is one particular aspect of some cultures that I think we in security can learn a lot from. Which cultural aspect am I referring to? Directness. Those of you who know me know that I am very direct and that I am a big proponent of directness. Directness is something that some cultures do better than others. So how can we as security practitioners identify areas in which directness can help us improve? I present: 10 signs you need to be more direct. 1. Bad ideas hang around: I remember watching the Challenger explosion on television. After the investigation, groupthink was found to be one of the reasons that the launch was allowed to go ahead, despite known risks. People were simply afraid to state their concerns directly. While the stakes are certainly lower in your security organization, the principle holds true. If people are afraid to be direct, it often results in bad ideas hanging around far longer than they need to. Whereas in a direct culture, a bad idea can be considered and politely dismissed in a relatively short amount of time, in an indirect culture, it may linger far longer than it should. That results in valuable resources being spent on activities that don't provide much value. 2. Good ideas don't come forward: In a similar manner, if people are afraid to be direct, it often keeps them from suggesting new ideas. Perhaps the solution to that big problem you've been worried about is found in the thoughts of one of your team members. But if it stays there, it doesn't do you any good. 3. The team has no idea where it stands: Security teams need to know that the work they're doing adds value to the organization, improves its security posture, and helps mitigate risk. In order to gauge where they stand, the security team needs to know what success in each of those areas means. The only way I know of to communicate what success means is to do so directly. That enables the team to make progress more effectively. 4. Strategic direction and goals are unclear: Building on number 3, communicating strategic direction and goals clearly and directly helps the team understand where the organization is going and what success means. Not surprisingly, that clarity will assist the security team in maturing far more quickly and efficiently. 5. Everything is above average - always: I always love it when I hear people tell me that everyone on their team is exception Guideline
Last update at: 2024-07-23 22:07:31