What's new around the internet

Last one

Src | Date (GMT) | Title | Description | Tags | Stories | Notes
SecurityWeek | 2018-03-27 15:13:01 | The Top Vulnerabilities Exploited by Cybercriminals
Cybercriminals are shifting their focus from Adobe to Microsoft consumer products, and are now concentrating more on targeted attacks than on web-based exploit kits. Each year, Recorded Future provides an analysis of criminal chatter on the dark web in its Top Ten Vulnerabilities Report. It does this because it perceives a weakness in traditional vulnerability databases and scanning tools -- they do not indicate which vulnerabilities are currently being exploited, nor to what extent. Reliance on vulnerability lists alone cannot say where patching and remediation efforts should be prioritized. "We do this analysis because the sale and use of exploits is a for-profit industry," Recorded Future's VP of technical solutions, Scott Donnelly, told SecurityWeek. This means that exploit developers have to sell their products, while other criminals have to buy them -- and this leads to the chatter that Recorded Future analyzes. "If you're a cybercriminal trying to make money, you have to discuss it. If you hold back too much you're not going to make any money; so, there's a necessity for the criminals to stick their heads up a little bit -- and we can take advantage of that and call out some of the big conversations." The analysis assumes a correlation between chatter about a vulnerability and active exploitation of that vulnerability -- an assumption that common sense rather than science suggests is reasonable. Donnelly is confident that his firm's knowledge of and access to the dark web is statistically valid. Nation-state activity is specifically excluded from this analysis because, he says, "If you're a nation-state with an exploit, or if you're a third-party supplier of exploits to a nation state, you're less likely to talk about it in a general criminal forum."
At the macro level, this year's analysis highlights a move away from Adobe vulnerabilities towards Microsoft consumer product vulnerabilities. While Flash exploits dominated earlier annual reports, seven of the top ten (including the top five) most discussed vulnerabilities are now Microsoft vulnerabilities. "As Adobe Flash Player has begun to see its usage significantly drop, this year we find that it's a lot of Microsoft consumer products that are seeing heavy exploitation," says Donnelly. The three most used vulnerabilities are CVE-2017-0199 (which allows attackers to download and execute a Visual Basic script containing PowerShell commands from a malicious document), CVE-2016-0189 (an old Internet Explorer vulnerability that allows attackers to use an exploit kit to drop malware, such as ransomware), and CVE-2017-0022 (which enables data theft). A second major takeaway from the analysis is that 2017 saw a significant drop in the development of new exploit kits. "This has been noticed before," Donnelly t
Tags: Guideline
SecurityWeek | 2018-03-27 14:36:05 | Axonius Uses Existing Tools to Find, Secure Devices
Axonius emerged from stealth mode on Tuesday with a platform designed to help organizations identify and secure all the devices on their network by leveraging existing security and management tools. The company aims to bridge the gap between device discovery and vulnerability assessment products with a solution that combines data from existing tools in an effort to provide a centralized view of all devices and help enterprises ensure that all their systems are patched. Vulnerability assessment tools may be efficient in identifying and prioritizing systems that need patching, but they often don't have access to all devices due to the fragmented nature of corporate environments. Axonius says its Cybersecurity Asset Management Platform can leverage combinations of nearly 30 tools from various vendors in order to discover all the devices on a network, obtain information about those systems, and ensure that they are not neglected by vulnerability scanners. The company has created what it calls "adapters" to integrate tools from Microsoft, Amazon, Cisco, enSilo, ESET, Forcepoint, Fortinet, IBM, Juniper, McAfee, ManageEngine, Qualys, Rapid7, Splunk, Symantec, VMware and others into its platform. New adapters will be added in the future based on customers' needs; the company is currently working on integrating tools from Carbon Black, Cylance, ObserveIT, CrowdStrike and others. Adding new adapters is in most cases an easy task, given that most vendors provide APIs. The company told SecurityWeek that it's unlikely for an organization that has a problem with fragmentation and visibility not to have at least some of the supported tools; for example, Microsoft's Active Directory can be found in most companies.
Security teams can manually query devices to ensure that they adhere to their organization's policies, but they can also configure the platform to automatically alert them via email or syslog whenever a device that fits specified criteria is detected. In addition to helping organizations gain full visibility into the devices on their network, Axonius says its platform can also be used to enforce policies. Employees can manually choose to either bloc
Tags: Guideline
SecurityWeek | 2018-03-27 11:29:02 | (Déjà vu) Intel CPUs Vulnerable to New 'BranchScope' Attack
Researchers have discovered a new side-channel attack method that can be launched against devices with Intel processors, and the patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks. The new attack, dubbed BranchScope, has been identified and demonstrated by a team of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University. Similar to Meltdown and Spectre, BranchScope can be exploited by an attacker to obtain potentially sensitive information they normally would not be able to access directly. The attacker needs to have access to the targeted system and must be able to execute arbitrary code. Researchers believe the requirements for such an attack are realistic, making it a serious threat to modern computers, "on par with other side-channel attacks." The BranchScope attack has been demonstrated on devices with three types of Intel i5 and i7 CPUs based on the Skylake, Haswell and Sandy Bridge microarchitectures. Experts showed that the attack works even if the targeted application is running inside an Intel SGX enclave. Intel SGX, or Software Guard Extensions, is a hardware-based isolated execution system designed to prevent code and data from being leaked or modified. BranchScope is similar to Spectre in that both target the directional branch predictors. Branch prediction units (BPUs) are used to improve the performance of pipelined processors by guessing the execution path of branch instructions. The problem is that when two processes are executed on the same physical CPU core, they share a BPU, potentially allowing a malicious process to manipulate the direction of a branch instruction executed by the targeted application.
The BPU has two main components, a branch target buffer (BTB) and a directional predictor, and manipulating either one of them can be used to obtain potentially sensitive data from memory. Intel recently published a video providing a high-level explanation of how these attacks work. Researchers have shown on several occasions in the past how BTB manipulation can be used for attacks, but BranchScope involves manipulation of the directional branch predictor. "BranchScope is the first fine-grained attack on the directional branch predictor, expanding our understanding of the side channel vulnerability of the branch prediction unit," the researchers explained in their paper. The researchers who identified the BranchScope attack method have proposed a series of countermeasures that include both software- and hardware-based solutions. Dmitry Evtyushkin, one of the people involved in this research, told SecurityWeek that while
Tags: Guideline
SecurityWeek | 2018-03-27 11:02:00 | McAfee Enhances Product Portfolio, Unveils New Security Operations Centers
Since emerging from Intel as a standalone cybersecurity company in April 2017, McAfee has consistently made multiple new product announcements simultaneously. It has continued that model this week with a new version of the Enterprise Security Manager (ESM 11), and enhancements to Behavioral Analytics, Investigator, Advanced Threat Defense, and Active Response. Significantly, it has also unveiled two new security operations centers (SOCs) that combine physical and cybersecurity into the McAfee Security Fusion Centers, located in Plano, Texas and Cork, Ireland. This is McAfee using its own products for its own organization: McAfee 'eating its own dog food' as its own Customer Zero. The SOCs have a triple purpose -- to protect McAfee; to use McAfee products in a live scenario to provide practical feedback to the developers; and to provide an educational environment for customers to see McAfee SOC products in live action rather than choreographed simulation. The 'practical feedback' also provides an illustration of a key principle in McAfee's product philosophy: man and machine integration, each learning from and benefiting the other. "The big deal for the McAfee Security Fusion Centers," writes McAfee CISO Grant Bourzikas in an associated blog, "is that they have a dual mission: 1) to protect McAfee, and; 2) help us build better products. And for myself, I would add a third objective: help our customers to learn from our experiences protecting McAfee. We want to help them build better reference architectures, learn how to communicate with boards of directors and become more innovative in solving cybersecurity problems." The Fusion Centers also, of course, demonstrate McAfee's faith in its own products.
The new ESM 11 architecture shares large volumes of raw, parsed and correlated security events to allow threat hunters to quickly search recent events, while storing the data for future forensic and compliance requirements. The architecture is horizontally scalable with active/active availability through the addition of extra ESM appliances or virtual machines. Behavioral Analytics provides machine learning technology to discover high-risk events that might otherwise be missed by human hunters. It distills billions of events down to hundreds of anomalies and then to 'a handful of prioritized threat leads' -- highlighting the signal in the noise -- and integrates with the McAfee product portfolio and other third-party SIEMs. Investigator shares data with open source and third-party tools to streamline workflows and improve collaboration. Active Response has been enhanced by integration with Investigator to help analysts scope the impact of a threat across endpoints in real time. Integration with Advanced Threat Protection also allows analysts to view sandbox reports and IoCs from a singl
Tags: Guideline | Notes: ★★★★
SecurityWeek | 2018-03-27 05:59:03 | (Déjà vu) Canadian Firm Linked to Cambridge Analytica Exposed Source Code
Source code belonging to Canada-based digital advertising and software development company AggregateIQ has been found by researchers on an unprotected domain. The exposed files appear to confirm reports of a connection between AggregateIQ and Cambridge Analytica, the controversial firm caught up in the recent Facebook data scandal. On March 20, Chris Vickery of cyber risk company UpGuard stumbled upon an AggregateIQ subdomain hosting source code for the company's tools. The files, stored in a custom version of the GitLab code repository, were accessible simply by providing an email address. The exposed information included the source code of tools designed for organizing information on a large number of individuals, including how they are influenced by ads, and for tracking their online activities. The files also contained credentials that may have allowed malicious actors to launch damaging attacks, UpGuard said. The nature of the exposed code is not surprising considering that the firm is said to have developed tools used in political campaigns around the world, including in the United States and United Kingdom. AggregateIQ has been linked by the press and a whistleblower to Cambridge Analytica, a British political consulting and communications firm said to be involved in the presidential campaigns of Donald Trump and Ted Cruz, and the Brexit "Vote Leave" campaign. Cambridge Analytica recently came under fire after it was discovered that it had collected information from 50 million Facebook users' profiles and used it to create software designed to predict and influence voters. Facebook suspended the company's account after the news broke, but the social media giant has drawn a lot of criticism, both from customers and authorities.
According to some reports, AggregateIQ was originally launched with the goal of helping Cambridge Analytica and its parent company SCL Group. In a statement published on its website over the weekend, AggregateIQ denied reports that it's part of Cambridge Analytica or SCL. It has also denied signing any contracts with the British firm and being involved in any illegal activity. However, there appears to be some evidence that Cambridge Analytica owns AggregateIQ's intellectual property, and the files discovered by UpGuard also seem to show a connection. For example, two of the AggregateIQ projects whose source code was exposed contained the string "Ripon," which is the name of Cambridge Analytica's platf
Tags: Guideline
SecurityWeek | 2018-03-26 18:30:02 | Ukrainian Suspected of Leading Carbanak Gang Arrested in Spain
A Ukrainian national suspected of being the leader of a gang that used Carbanak malware to steal a significant amount of money from banks worldwide has been arrested in Spain, Europol and the Spanish government announced on Monday. According to authorities, the man is believed to be the mastermind of an operation that resulted in losses totaling over €1 billion ($1.24 billion). The hackers targeted over 100 financial organizations in more than 40 countries around the world, stealing up to €10 million ($12.4 million) in a single heist. The suspect was arrested in Alicante, Spain, following an investigation conducted by the Spanish National Police and supported by Europol, private cybersecurity firms, and law enforcement agencies in the United States, Romania, Belarus and Taiwan. Spain's interior ministry identified the suspect as Ukrainian national "Denis K" and noted that he ran the operation with help from three Russian and Ukrainian nationals. The mastermind of the operation had been working from Spain, and he found his accomplices online, but they never met in person. The gang targeted ATMs in Spain's capital city of Madrid in the first quarter of 2017, stealing half a million euros. Police seized computers, jewelry worth €500,000 ($620,000), documents, and two luxury vehicles following Denis K's arrest. Bank accounts and two houses valued at roughly €1 million ($1.24 million) were also blocked. The cybercrime group, tracked as Carbanak, Anunak and Cobalt, has been around since at least 2013 and its activities were first detailed in 2014. According to Spain's interior ministry, investigations into the group started in 2015. According to Europol, the cybercriminals started out by using a piece of malware they had dubbed Anunak. They later improved their malware, producing a version that the cybersecurity industry has dubbed Carbanak.
Starting in 2016, they launched more sophisticated attacks using a custom version of the penetration testing tool Cobalt Strike. It's worth noting that this is not the only cybercrime group known to use the Carbanak malware. The hackers delivered their malware to bank employees using spear-phishing emails. Once the malware was deployed, it gave attackers access to the compromised organization's internal network, including servers controlling ATMs. The cybercriminals used their access to these servers to remotely instruct ATMs to dispense cash at a predetermined time, when the group's mules would be nearby to collect the money. They also transferred funds from the targeted bank to their own accounts, and modified balances to allow members of the gang to withdraw large amounts of money at cash mac
Tags: Guideline
SecurityWeek | 2018-03-26 17:46:02 | Former Barclays CISO to Head WEF's Global Center for Cybersecurity
Troels Oerting to Head the Global Centre for Cybersecurity
The 48th annual meeting of the World Economic Forum (WEF) at Davos, Switzerland, in January announced the formation of a new Global Centre for Cybersecurity. Today it announced that Troels Oerting will be its first Head, assuming the role on April 2, 2018. Oerting has been the group chief information security officer (CISO) at Barclays since February 2015. Before that he was head of the European Cybercrime Centre (EC3) -- part of Europol, formed in 2013 to strengthen LEA response to cross-border cybercrime in the EU -- and head of the Europol Counter Terrorist and Financial Intelligence Center (since 2012). He also held several other law enforcement positions (such as Head of the Serious Organised Crime Agency with the Danish National Police), and chaired the EU Financial Cybercrime Coalition. Oerting brings to WEF's Global Center for Cybersecurity a unique combination of hands-on cybersecurity expertise as Barclays' CISO, together with experience of and contacts within Europe-wide cyber intelligence organizations, and a deep knowledge of the financial crimes that will be of particular significance to WEF's members. It is a clear statement from the WEF that the new center should be taken seriously. "The Global Centre for Cybersecurity is the first global platform to tackle today's cyber-risks across industries, sectors and in close collaboration with the public sector. I'm glad that we have found a proven leader in the field who is keen and capable to help us address this dark side of the Fourth Industrial Revolution," said Klaus Schwab, founder and executive chairman of the World Economic Forum. WEF's unique position at the heart of trans-national business, with the ear of governments, provides the opportunity to develop a truly global approach to cybersecurity.
Most current cybersecurity regulations and standards are based on national priorities, yet they are aimed against an adversary that knows no national boundaries. The aims of the new center are to consolidate existing WEF initiatives; to establish an independent library of best practices; to work towards an appropriate and agile regulatory framework on cybersecurity; and to provide a laboratory and early-warning think tank on cybersecurity issues.
Tags: Guideline
SecurityWeek | 2018-03-26 15:27:02 | One Year Later, Hackers Still Target Apache Struts Flaw
One year after researchers saw the first attempts to exploit a critical remote code execution flaw affecting the Apache Struts 2 framework, hackers continue to scan the Web for vulnerable servers. The vulnerability in question, tracked as CVE-2017-5638, affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. The security hole was addressed on March 6, 2017 with the release of versions 2.3.32 and 2.5.10.1. The bug, caused by improper handling of the Content-Type header, can be triggered when performing file uploads with the Jakarta Multipart parser, and it allows a remote, unauthenticated attacker to execute arbitrary OS commands on the targeted system. The first exploitation attempts were spotted one day after the patch was released, shortly after someone made available a proof-of-concept (PoC) exploit. Some of the attacks scanned servers in search of vulnerable Struts installations, while others were set up to deliver malware. Guy Bruneau, researcher and handler at the SANS Internet Storm Center, reported over the weekend that his honeypot had caught a significant number of attempts to exploit CVE-2017-5638 over the past two weeks. The expert said his honeypot recorded 57 exploitation attempts on Sunday, on ports 80, 8080 and 443. The attacks, which appear to rely on a publicly available PoC exploit, involved one of two requests designed to check if a system is vulnerable. Bruneau told SecurityWeek that he has yet to see any payloads. The researcher noticed scans a few times a week starting on March 13, coming from IP addresses in Asia. "The actors are either looking for unpatched servers or new installations that have not been secured properly," Bruneau said. The CVE-2017-5638 vulnerability is significant as it was exploited by cybercriminals last year to hack into the systems of U.S. credit reporting agency Equifax.
Attackers had access to Equifax systems for more than two months and managed to obtain information on over 145 million of the company's customers. The same vulnerability was also leveraged late last year in a campaign that involved NSA-linked exploits and cryptocurrency miners.
Tags: Guideline | Stories: Equifax
SecurityWeek | 2018-03-26 14:12:04 | (Déjà vu) Pentagon Looks to Counter Ever-stealthier Warfare
The US military has for years enjoyed a broad technological edge over its adversaries, dominating foes with superior communications and cyber capabilities. Now, thanks to rapid advances by Russia and China, the gap has shrunk, and the Pentagon is looking at how a future conflict with a "near-peer" competitor might play out. Air Force Secretary Heather Wilson recently warned that both Russia and China are experimenting with ways to take out the US military's satellites, which form the backbone of America's warfighting machine. "They know that we are dominant in space, that every mission the military does depends on space, and in a crisis or war they are demonstrating capabilities and developing capabilities to seek to deny us our space assets," Wilson said. "We're not going to let that happen." The Pentagon is investing in a new generation of satellites that will provide the military with better accuracy and better anti-jamming capabilities. Such technology would help counter the type of "asymmetric" warfare practised by Russia, which combines old-school propaganda with social media offensives and cyber hacks. Washington has blamed Moscow for numerous cyber attacks, including last year's massive ransomware attack, known as NotPetya, which paralyzed thousands of computers around the world. US cyber security investigators have also accused the Russian government of a sustained effort to take control of critical US infrastructure systems, including the energy grid. Russia denies involvement, and so far such attacks have been met with a muted US military response.
- Public relations shutdown -
General John Hyten, who leads US Strategic Command (STRATCOM), told lawmakers the US has "not gone nearly far enough" in the cyber domain. He also warned that the military still does not have clear authorities and rules of engagement for when and how it can conduct offensive cyber ops. "Cyberspace needs to be looked at as a warfighting domain, and if somebody threatens us in cyberspace, we need to have the authorities to respond," Hyten told lawmakers this week. Hyten's testimony comes after Admiral Michael Rogers, who heads both the NSA -- the leading US electronic eavesdropping agency -- and the new US Cyber Command, last month said President Donald Trump had no
Tags: Guideline | Stories: NotPetya
SecurityWeek | 2018-03-26 13:19:01 | (Déjà vu) Energy Sector Most Impacted by ICS Flaws, Attacks: Study
The energy sector was targeted by cyberattacks more than any other industry, and many of the vulnerabilities disclosed last year impacted products used in this sector, according to a report published on Monday by Kaspersky Lab. The security firm analyzed a total of 322 flaws disclosed in 2017 by ICS-CERT, vendors and its own researchers, including issues related to industrial control systems (ICS) and to general-purpose software and protocols used by industrial organizations. Of the total number of security holes, 178 impact control systems used in the energy sector. Critical manufacturing organizations (this includes manufacturers of primary metals, machinery, electrical equipment, and transportation equipment) were affected by 164 of these vulnerabilities. Other industries hit by a significant number of vulnerabilities are water and wastewater (97), transportation (74), commercial facilities (65), and food and agriculture (61). Many of the vulnerabilities disclosed last year impacted SCADA or HMI components (88), industrial networking devices (66), PLCs (52), and engineering software (52). However, vulnerabilities in general-purpose software and protocols have also had an impact on industrial organizations, including the WPA flaws known as KRACK and bugs affecting Intel technology. As for the types of vulnerabilities, nearly a quarter are web-related and 21 percent are authentication issues. A majority of the flaws have been assigned severity ratings of medium or high, but 60 weaknesses are considered critical based on their CVSS score. Kaspersky pointed out that all vulnerabilities with a CVSS score of 10 are related to authentication and are all easy to exploit remotely.
Kaspersky said 265 of the vulnerabilities can be exploited remotely without authentication and without any special knowledge or skills. It also noted that exploits are publicly available for 17 of the security holes. The company has also shared data on malware infections and other security incidents. In the second half of 2017, Kaspersky security products installed on industrial automation systems detected nearly 18,000 malware variants from roughly 2,400 families. Malware attacks were blocked on almost 38 percent of ICS computers protected by the company, which was slightly less than in the second half of the previous year. Again, the energy sector was the most impacted. According to the security firm, roughly 40 percent of the devices housed by energy organizations were targeted.
Tags: Guideline | Stories: Wannacry | Notes: ★★★★★
SecurityWeek | 2018-03-26 05:39:04 | IETF Approves TLS 1.3
The Internet Engineering Task Force (IETF) last week announced the approval of version 1.3 of the Transport Layer Security (TLS) traffic encryption protocol. The Internet standards organization has been analyzing proposals for TLS 1.3 since April 2014, and it took 28 drafts to get it to its current form. TLS is designed to allow client and server applications to communicate securely over the Internet. It provides authentication, confidentiality, and integrity mechanisms that should prevent eavesdropping and tampering, even by an attacker who has complete control over the network. There are nearly a dozen major functional differences between TLS 1.2 and TLS 1.3, including ones that should improve performance and eliminate the possibility of certain types of attacks, such as the recently disclosed ROBOT method. The most important changes have been described by the IETF as follows:
The list of supported symmetric algorithms has been pruned of all algorithms that are considered legacy. Those that remain all use Authenticated Encryption with Associated Data (AEAD) algorithms.
The ciphersuite concept has been changed to separate the authentication and key exchange mechanisms from the record protection algorithm (including secret key length) and a hash to be used with the key derivation function and HMAC.
A 0-RTT mode was added, saving a round-trip at connection setup for some application data, at the cost of certain security properties.
Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy.
All handshake messages after the ServerHello are now encrypted. The newly introduced EncryptedExtension message allows various extensions previously sent in clear in the ServerHello to also enjoy confidentiality protection from active attackers.
Tags: Guideline
SecurityWeek | 2018-03-24 02:20:05 | (Déjà vu) UK Regulators Search Cambridge Analytica Offices
British regulators on Friday began searching the London offices of Cambridge Analytica (CA), the scandal-hit communications firm at the heart of the Facebook data scandal, shortly after a judge approved a search warrant. Around 18 enforcement agents from the office of Information Commissioner Elizabeth Denham entered the company's London headquarters at around 8:00pm (2000 GMT) to execute the warrant. The High Court granted the raid request less than an hour earlier, as Denham investigates claims that Cambridge Analytica may have illegally harvested Facebook data for political ends. A full explanation of the legal ruling by Judge Anthony James Leonard will be issued on Tuesday, according to the court. "We're pleased with the decision of the judge," Denham's office said on Twitter. "This is just one part of a larger investigation into the use of personal data and analytics for political purposes," it added in a statement. "As you will expect, we will now need to collect, assess and consider the evidence before coming to any conclusions." The data watchdog's probe comes amid whistleblower accusations that CA, hired by Donald Trump during his primary campaign, illegally mined tens of millions of users' Facebook data and then used it to target potential voters. Fresh allegations also emerged Friday night about the firm's involvement in the 2016 Brexit referendum campaign. Brittany Kaiser, CA's business development director until two weeks ago, revealed it conducted data research for Leave.EU, one of the leading campaign groups, via the UK Independence Party (UKIP), according to The Guardian.
'I was lying'
Kaiser, 30, told the newspaper she felt the company's repeated public denials that it ever worked on the poll misled British lawmakers and the public. "In my opinion, I was lying," she said. "In my opinion I felt like we should say, 'this is exactly what we did.'" CA's suspended chief executive Alexander Nix told MPs last month: "We did not work for Leave.EU. We have not undertaken any paid or unpaid work for them, OK?" Nix was suspended this week following the Facebook revelations and a further media sting in which he boasts about entrapping politicians and secretly operating in elections around the world through shadowy front companies.
Tags: Guideline
SecurityWeek.webp 2018-03-23 12:42:03 Pwner of a Lonely Heart: The Sad Reality of Romance Scams (lien direct) Valentine's Day is a special holiday, but for victims of romance scams it is a tragic reminder, not only of love lost, but financial loss as well. According to the FBI Internet Crime Complaint Center (IC3), romance scams accounted for $230 million in losses in 2016. Men and women may jokingly refer to their significant other as their “partner in crime,” but when it comes to romance scams, this joke may become a sad reality. In additional to financial losses, many scammers may convince their victims to become money mules or shipping mules, directly implicating them in illegal behavior. Recently, Agari researchers identified a woman in Los Angeles that has sent nearly half a million dollars to a scammer that she has never even met. Even worse, this woman knowingly cashes bad checks and fake money orders on his behalf. The FBI has warned her to stop, yet it is unlikely she will do so. The victims of romance scams are typically women in their 40s to 50s, usually divorced or widowed and looking for a new relationship. They are targeted by scam artists on dating web sites, who have the ability to refine their searches for women that fit their target demographics.  The scam artists create profiles of charming and successful men to engage these lonesome women. Dating sites frequently ask what women are looking for in a partner, so it is easy for the scammer to say exactly what they need to seem like “Mr. Right.” Once these scammers engage with their victims, there are an inevitable variety of excuses why they can't meet – claims of overseas military service or mission trips are common, and help to further cement the supposed righteousness of the scammer. After a few months of correspondence, the scammer will claim a supposed tragedy: a lost paycheck or medical fees are common – and request a small loan. 
The typical loss in these scams is $14,000, not to mention the considerable psychological damage – victims of romance scams frequently withdraw from their social circles, embarrassed by the stigma. Even worse, as in the case of our anonymous victim, some of these scams can continue on for years, with frequent requests for financial support. Once trust is established with their victims, these scammers may also begin to use them as “mules” to cash fake checks, make deposits, accept shipment of stolen goods, and more. In the case of our anonymous victim, her family has pleaded with her to stop sending her suitor more money, and the FBI has warned her that her behavior is illegal; and yet she persists. Guideline Equifax Yahoo
SecurityWeek.webp 2018-03-22 16:54:01 (Déjà vu) You Can DDoS an Organization for Just $10 per Hour: Cybercrime Report (lien direct) The cost of having an organization targeted by a distributed denial of service (DDoS) attack for an hour is as low as $10, cybersecurity firm Armor says. The low cost of launching such attacks results from the proliferation of cybercrime-as-a-service, one of the most profitable business models adopted by cybercriminals over the past years. It allows wannabe criminals to employ the resources of established cybercriminals for their nefarious purposes, including malware distribution, DDoS-ing, spam, and more. All that miscreants have to do is to access underground markets or forums and hire the desired cybercrime service to conduct the malicious actions for them. And while the incurred financial losses total billions or even more for affected organizations, the price of hiring such a service is highly affordable to anyone. According to Armor's The Black Market Report: A Look into the Dark Web Guideline
SecurityWeek.webp 2018-03-22 16:21:01 GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries (lien direct) GitHub says the introduction of security alerts last year has led to a significantly smaller number of vulnerable code libraries on the platform. The code hosting service announced in mid-November 2017 the introduction of a new security feature designed to warn developers if the software libraries used by their projects contain any known vulnerabilities. The new feature looks for vulnerable Ruby gems and JavaScript NPM packages based on MITRE's Common Vulnerabilities and Exposures (CVE) list. When a new flaw is added to this list, all repositories that use the affected version are identified and their maintainers informed. Users can choose to be notified via the GitHub user interface or via email. When it introduced security alerts, GitHub compared the list of vulnerable libraries to the Dependency Graph in all public code repositories. The Dependency Graph is a feature in the Insights section of GitHub that lists the libraries used by a project. Since the introduction of security alerts, this section also informs users about vulnerable dependencies, including CVE identifiers and severity of the flaws, and provides advice on how to address the issues. The initial scan conducted by GitHub revealed more than 4 million vulnerabilities in over 500,000 repositories. Affected users were immediately notified and by December 1, roughly two weeks after the launch of the new feature, more than 450,000 of the flaws were addressed either by updating the affected library or removing it altogether. According to GitHub, vulnerabilities are in a vast majority of cases addressed within a week by active developers. “Since [December 1], our rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent,” GitHub said. 
“Additionally, 15 percent of alerts are dismissed within seven days; that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.” GitHub was recently hit by a record-breaking distributed denial-of-service (DDoS) attack that peaked at 1.3 Tbps, but the service was down for less than 10 minutes. Related: GitHub Enforces Stronger Encryption Related: Slack Tokens Leaked on GitHub Put Companies at Risk Guideline
SecurityWeek.webp 2018-03-22 15:30:01 (Déjà vu) Iran-linked Hackers Adopt New Data Exfiltration Methods (lien direct) An Iran-linked cyber-espionage group has been using new malware and data exfiltration techniques in recent attacks, security firm Nyotron has discovered. The threat actor, known as OilRig, has been active since 2015, mainly targeting United States and Middle Eastern organizations in the financial and government industries. The group has been already observed using multiple tools and adopting new exploits fast, as well as switching to new Trojans in Guideline APT 34
SecurityWeek.webp 2018-03-22 15:10:01 Security Practitioners: 10 Signs You Need to be More Direct (lien direct) Conflict isn't Pleasant, But Sometimes it Can be Healthy and Necessary When Done Properly and Respectfully Living and working in different cultures gives you a broader perspective across a variety of different areas than you might have attained otherwise. It is one of the things I am most grateful for professionally and has taught me to appreciate that each culture has its own advantages and disadvantages. There is one particular aspect of some cultures that I think we in security can learn a lot from. Which cultural aspect am I referring to?  Directness. Those of you who know me know that I am very direct and that I am a big proponent of directness.  Directness is something that some cultures do better than others.  So how can we as security practitioners identify areas in which directness can help us improve? I present: 10 signs you need to be more direct. 1. Bad ideas hang around:  I remember watching the challenger explosion on television.  After the investigation, groupthink was found to be one of the reasons that the launch was allowed to go ahead, despite known risks.  People were simply afraid to state their concerns directly.  While the stakes are certainly lower in your security organization, the principle holds true.  If people are afraid to be direct, it often results in bad ideas hanging around far longer than they need to.  Whereas in a direct culture, a bad idea can be considered and politely dismissed in a relatively short amount of time, in an indirect culture, it may linger far longer than it should.  That results in valuable resources being spent on activities that don't provide much value. 2. Good ideas don't come forward:  In a similar manner, if people are afraid to be direct, it often keeps them from suggesting new ideas.  
Perhaps the solution to that big problem you've been worried about is found in the thoughts of one of your team members.  But if it stays there, it doesn't do you any good. 3. The team has no idea where it stands:  Security teams need to know that the work they're doing adds value to the organization, improves its security posture, and helps mitigate risk.  In order to gauge where they stand, the security team needs to know what success in each of those areas means.  The only way I know of to communicate what success means is to do so directly.  That enables the team to make progress more effectively. 4. Strategic direction and goals are unclear:  Building on number 3, communicating strategic direction and goals clearly and directly helps the team understand where the organization is going and what success means.  Not surprisingly, that clarity will assist the security team in maturing far more quickly and efficiently. 5. Everything is above average - always:  I always love it when I hear people tell me that everyone on their team is exception Guideline
SecurityWeek.webp 2018-03-22 06:06:00 Google, Twitter Security Chiefs Leaving Companies (lien direct) Michael Coates, the chief information security officer (CISO) of Twitter, announced on Wednesday that he has decided to leave the social media giant. Google security chief Gerhard Eschelbeck has also announced his departure. Coates, who joined Twitter in January 2015, says he will co-found a cybersecurity startup, but has not shared any details. According to his LinkedIn profile, Coates has been working in cybersecurity since 2004, including at Motorola, Aspect Security and Shape Security. Between March 2010 and October 2013, he led Mozilla's Security Assurance program. Until recently he was on the global board of directors of the OWASP Foundation, and is presently on the board of several organizations, including Comprehend Systems, Synack, and Vendor Security Alliance. The Verge reported that Joseph Camilleri, a senior manager for information security and risk, will act as interim CISO at Twitter following Coates' departure.  Eschelbeck, vice president of security and privacy engineering at Google, also announced his departure on Wednesday, but has not shared his plans for the future. Eschelbeck, known online as lcamtuf, previously held leadership positions at McAfee, Qualys, Webroot and Sophos. He joined Google in October 2014. The announcements made by Eschelbeck and Coates come just days after reports that Facebook CISO Alex Stamos is leaving the social media giant in the wake of internal clashes over how to deal with the platform being used to spread misinformation. “Despite the rumors, I'm still fully engaged with my work at Facebook,” Stamos said in response to a New York Times article on his alleged departure from Facebook. “It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security.” Related: Guideline
SecurityWeek.webp 2018-03-21 18:20:04 Growing Mistrust Threatens Facebook After Data Mining Scandal (lien direct) As Facebook reels from the scandal over hijacked personal data, a movement to quit the social network gathered momentum Wednesday, portending threats to one of the most powerful internet firms. In a sign of the mood, one of those calling it quits was a high-profile co-founder of the WhatsApp messaging service acquired by Facebook in 2014 for $19 billion. "It is time. #deletefacebook," Brian Acton said in a tweet, using the hashtag protesting the handling of the crisis by the world's biggest social network. The WhatsApp co-founder, who now works at the rival messaging application Signal, posted the comment amid a growing uproar over revelations that Facebook data was harvested by a British political consulting firm linked to Donald Trump's presidential campaign. "Delete and forget. It's time to care about privacy," he said. The huge social network also faces investigations on both sides of the Atlantic over its data practices, and a handful of lawsuits which could turn into class actions that may prove a costly distraction for Facebook. It remains to be seen whether the uproar would lead to any significant departures, but the topic was active on social media, including on Facebook itself. Donella Cohen, a Weather Channel product manager, posted on her Facebook page that she would be off the network by midnight. "The latest revelations are showing just how corrupt and detrimental to society this particular platform is," she wrote.  "I hope that a new social network emerges. One that isn't so greedy as to corrupt the political process in the name of the almighty dollar." - Fabric of internet - Yet analysts noted Facebook is unlikely to fade quickly because of how it is woven into the fabric of the internet, with "like" buttons on websites, comments sections for news articles and an ad network that delivers messages to those who are not Facebook members. 
The #deleteFacebook movement "is a social media feedback loop from the public -- we saw the same thing with #deleteUber," said Jennifer Grygiel, a communications professor at Syracuse University. "Sure, some people will delete Facebook, but to truly delete Facebook would mean that users would need to delete Facebook, Instagram, WhatsApp, and Messenger. This is not realistic for most people given how social media has been integrated into everyday life." Sandra Proske, head of communications for the Finla Guideline Uber
SecurityWeek.webp 2018-03-21 16:02:05 (Déjà vu) Android Trojan Leverages Telegram for Data Exfiltration (lien direct) A newly discovered Android Trojan is abusing Telegram's Bot API to communicate with the command and control (C&C) server and to exfiltrate data, Palo Alto Networks security researchers warn. Dubbed TeleRAT, the malware appears to be originating from and/or to be targeting individuals in Iran. The threat is similar to the previously observed IRRAT Trojan, which uses Telegram's bot API for C&C communication only. Still active in the wild, IRRAT masquerades as applications supposedly informing users on the number of views their Telegram profile received (something that Telegram doesn't actually allow for). After the app's first launch, the malware creates and populates a series of files on the phone's SD card, which it then sends to an upload server. The files contain contact information, a list of Google accounts registered on the phone, SMS history, a picture taken with the front-facing camera, and a picture taken with the back-facing camera. The malicious app reports to a Telegram bot, hides its icon from the phone's app menu, and continues to run in the background, waiting for commands. TeleRAT, on the other hand, creates two files on the device, one containing various device information (including system bootloader version number, available memory, and number of processor cores), and another containing a Telegram channel and a list of commands, Palo Alto Net Guideline
SecurityWeek.webp 2018-03-21 02:30:00 U.S. Military Should Step Up Cyber Ops: General (lien direct) Washington - US efforts to conduct offensive and defensive operations in cyberspace are falling short, a top general warned Tuesday amid ongoing revelations about Russian hacking. General John Hyten, who leads US Strategic Command (STRATCOM), told lawmakers the US has "not gone nearly far enough" in the cyber domain, also noting that the military still lacks clear rules of cyber engagement. "We have to go much further in treating cyberspace as an operational domain," Hyten told the Senate Armed Services Committee. "Cyberspace needs to be looked at as a warfighting domain, and if somebody threatens us in cyberspace we need to have the authorities to respond." Hyten noted, however, that the US had made some progress in conducting cyber attacks on enemies in the Middle East, such as the Islamic State group. His testimony comes weeks after General Curtis Scaparrotti, commander of NATO forces in Europe, warned that US government agencies are not coordinating efforts to counter the cyber threat from Russia, even as Moscow conducts a "campaign of destabilization." And last month, Admiral Michael Rogers, who heads both the NSA -- the leading US electronic eavesdropping agency -- and the new US Cyber Command, said President Donald Trump had not yet ordered his spy chiefs to retaliate against Russian interference in US elections. The US has accused Russia of actively interfering in the 2016 presidential election, stealing Democratic party communications and pushing out disinformation through social media. It also accuses Moscow of stealing hacking secrets of the US intelligence community -- while US cyber security investigators have accused the Russian government of a sustained effort to take control of critical US infrastructure systems including the energy grid. 
Hyten added the military needs clear authorities and rules of engagement so operators know when and how to respond to attacks. "We need to have specific rules of engagement in cyber that match the other domains that we operate in," Hyten said. "We need to delegate that authority all the way down so we can deal with threats that exist that challenge the United States." Guideline
SecurityWeek.webp 2018-03-21 01:24:01 (Déjà vu) AMD Says Patches Coming Soon for Chip Vulnerabilities (lien direct) AMD Chip Vulnerabilities to be Addressed Through BIOS Updates - No Performance Impact Expected After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) on Tuesday said patches are coming to address several security flaws in its chips.  In its first public update after the surprise disclosure of the vulnerabilities by Israel-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors. CTS Labs, which was unheard of until last week, came under fire shortly after its disclosure for giving AMD only 24 hours' notice before going public with its findings, and for apparently attempting to short AMD stock. The company later made some clarifications regarding the flaws and its disclosure method. CTS Labs claimed that a number of vulnerabilities could be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware. “AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations,” the chipmaker wrote in an update on Tuesday. 
“It's important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.” AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations. AMD attempte Guideline Equifax
SecurityWeek.webp 2018-03-20 20:26:04 Virsec Raises $24 Million in Series B Funding (lien direct) Virsec, a cybersecurity company that protects applications from various attacks, today announced that it has closed a $24 million Series B funding round led by tech investment firm BlueIO. This latest funding round brings the total amount raised to-date by the company to $32 million. The company previously raised $1 million in seed funding and $7 million in a Series A funding round. Virsec explains that its technology can protect applications by protecting processes in memory and pinpointing attacks in real-time, within any application. In more detail, the company explains that its Trusted Execution technology “maps acceptable application execution, and instantly detects deviations caused by attacks.”  “The battleground has shifted in cybersecurity and the industry is not keeping up,” said Atiq Raza, CEO of San Jose, California-based Virsec. “With our deep understanding of process memory, control flow, and application context, we have developed a revolutionary solution that stops attacks in their tracks, where businesses are most vulnerable – within applications and processes.” Additional investors participating in the round include Artiman Ventures, Amity Ventures, Raj Singh, and Boston Seed Capital. Guideline Equifax
SecurityWeek.webp 2018-03-20 16:06:00 The Security Spending Paradox (lien direct) A Zero Trust Security Model Allows Organizations to Align Their Security Investments With What Works Best In a few weeks, security professionals from all around the world will descend on San Francisco for RSA Conference 2018 to discuss new approaches to information security and how to prevent being victimized by cyber-attacks. As always, the expo halls will be filled with the latest technologies, ranging from Artificial Intelligence, Container Security, Threat Intelligence, and Threat Hunting to Next-Gen Endpoint Security. But are these emerging technologies providing the effectiveness that is needed to defend against today's dynamic cyber threats? According to Gartner, worldwide security spending will reach $96 billion in 2018, up 8% from the 2017 spend of $89 billion. This statistic confirms that organizations are incorporating emerging technologies in their existing security stack to minimize their cyber risk exposure. Meanwhile we're experiencing a continuous increase in security incidents. Are these security investments paying dividends?  The security spending paradox is reflected in several recent research studies. For example, a Dow Jones Customer Intelligence study finds that 62 percent of CEOs believe malware is the biggest threat to their organization. In another report, the 2018 Scalar Security Study, respondents rate Network Security (61%) or Traditional Endpoint Protection (49%) as having higher (perceived) effectiveness than identity assurance and access controls (18%). Similar results were published by 451 Research in the 2018 Thales Data Threat Report, where network security (83%) and endpoint security (70%) scored highest in perceived effectiveness. These incongruent findings illustrate a lack of consensus in the industry on which attack vectors pose the biggest risk to organizations and the “identity crisis” in security.  
Many organizations don't realize the impact that identity and access management has when it comes to minimizing the risk of suffering a data breach. A post-mortem analysis of the top data breaches in 2017 reveals that compromised identity was the primary vector in these cyber-attacks. As a matter of fact, a whopping 81% of hacking-related breaches leverage either stolen, default, or weak passwords. In this context, organizations need to recognize that perimeter-based security, which focuses on securing endpoints and networks, provides no protection against identity and credential-based threats. Until we start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches.  Guideline
SecurityWeek.webp 2018-03-19 18:07:00 Facebook Rocked by New Data Breach Scandal (lien direct) Facebook shares plunged Monday following revelations that a firm working for Donald Trump's presidential campaign harvested data on 50 million users, as analysts warned the social media giant's business model could be at risk. Calls for investigations came on both sides of the Atlantic after Facebook responded to the explosive reports of misuse of its data by suspending the account of Cambridge Analytica, a British communications firm hired by Trump's 2016 campaign. "This is a major breach that must be investigated. It's clear these platforms can't police themselves," Democratic Senator Amy Klobuchar said on Twitter.  Expressing "serious concern regarding recent reports that data from millions of Americans was misused in order to influence voters," Klobuchar and Republican Senator John Kennedy called for Facebook chief Mark Zuckerberg and other top executives to appear before Congress, along with the CEOs of Google and Twitter. In Europe, officials voiced similar outrage. Vera Jourova, European Commissioner for Justice, Consumers and Gender Equality, called the revelations "horrifying, if confirmed," and vowed to address her concerns while travelling to the United States this week. In Britain, parliamentary committee chair Damian Collins said both Cambridge Analytica and Facebook had questions to answer following what appears to be a giant data breach, carried out in an attempt to influence voters' choices at the ballot box. "We have repeatedly asked Facebook about how companies acquire and hold on to user data from their site, and in particular whether data had been taken from people without their consent," Collins said in a statement. "Their answers have consistently understated this risk, and have also been misleading to the committee." 
'Systemic problems' On Wall Street, Facebook shares skidded 7.7 percent in midday trade amid concerns about pressure for new regulations that could hurt its business model. Brian Wieser at Pivotal Research said the revelations highlight "systemic problems at Facebook," but that they won't immediately impact Facebook revenues. Still he said "risks are now enhanced" because of the potential for regulations on how Facebook uses data for advertising and monitoring users. According to a joint investigation by The New York Times and Britain's Observer, Cambridge Analytica was able to create psychological profiles on 50 million Facebook users through the use of a personalit Guideline
SecurityWeek.webp 2018-03-19 12:43:01 (Déjà vu) Facebook Suspends Trump Campaign Data Firm Cambridge Analytica (lien direct) Facebook says it has suspended the account of Cambridge Analytica, the data analysis firm hired by Donald Trump's 2016 presidential campaign, amid reports it harvested the profile information of millions of US voters without their permission. According to the New York Times and Britain's Observer, the company stole information from 50 million Facebook users' profiles in the tech giant's biggest-ever data breach, to help them design software to predict and influence voters' choices at the ballot box. Also suspended were the accounts of its parent organization, Strategic Communication Laboratories, as well as those of University of Cambridge psychologist Aleksandr Kogan and Christopher Wylie, a Canadian data analytics expert who worked with Kogan. Cambridge Analytica was bankrolled to the tune of $15 million by US hedge fund billionaire Robert Mercer, a major Republican donor. The Observer said it was headed at the time by Steve Bannon, a top Trump adviser until he was fired last summer. "In 2015, we learned that ... Kogan lied to us and violated our Platform Policies by passing data from an app that was using Facebook Login to SCL/Cambridge Analytica, a firm that does political, government and military work around the globe," Facebook said in a posting late Friday by its vice president and deputy general counsel Paul Grewal. Kogan also improperly shared the data with Wylie, it said.  Kogan's app, thisisyourdigitallife, offered a personality prediction test, describing itself on Facebook as "a research app used by psychologists." Some 270,000 people downloaded the app, allowing Kogan to access information such as the city listed on their profile, or content they had "liked." 
"However, the app also collected the information of the test-takers' Facebook friends, leading to the accumulation of a data pool tens of millions-strong," the Observer reported. Facebook later pushed back against the claim of a data breach, issuing a fresh statement on Saturday that suggested the misused data was limited to those who voluntarily took the test.  "People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked," Grewal said. Cambridge Analytica meanwhile said it was in touch with Facebook "in order to resolve this matter as quickly as possible." It blamed the misuse of data on Kogan and said it has since deleted all the data it received from a company he founded, Global Science Research (GSR).  "No data from GSR was used by Cambridge Analytica as part of the services it provid Guideline
SecurityWeek.webp 2018-03-19 12:24:04 Preventing Business Email Compromise Requires a Human Touch (lien direct) Human-powered Intelligence Plays a Critical Role in Defending Against Socially Engineered Attacks The FBI's Internet Crime Complaint Center (IC3) declared Business Email Compromise (BEC) the “3.1 billion dollar scam” in 2016, an amount which then grew in the span of one year into a “5 billion dollar scam.” Trend Micro now projects those losses in excess of 9 billion dollars.  It's an understatement to say BEC scams and the resulting damages are on the rise. But with cybersecurity spending across all sectors at an all-time high, how is such an unsophisticated threat still costing otherwise well-secured organizations billions of dollars?  Unlike the numerous types of attacks that incorporate malware, most BEC scams rely solely on social engineering. In fact, its use of trickery, deception, and psychological manipulation rather than malware is largely why BEC continually inflicts such substantial damages. Since most network defense solutions are designed to detect emails containing malware and malicious links, BEC emails often land directly in users' inboxes. And when this happens, the fate of an attempted BEC scam is in the hands of its recipient. Indeed, BEC underscores why even the most technically sophisticated cyber defenses aren't always a match for low-tech threats. Combating BEC requires more than just advanced technologies and robust perimeter security; it requires humans to understand the threat. Here's why: Human-Powered Intelligence Trumps Automation  Since socially engineered attacks such as BEC are designed to exploit human instincts and emotions, human-powered intelligence naturally plays a critical role in defending against these attacks. I've written previously about the limitations of so-called automated intelligence and why human expertise and analysis are irreplaceable. BEC epitomizes this notion.  
After all, intelligence offerings that rely solely on automation tend to comprise little more than technical indicators of compromise (IoCs). BEC campaigns can have IoCs, but they tend to be less technical and more nuanced, often pertaining to an attacker's syntax, dialect, or other behavioral characteristics. While an IoC for a phishing campaign, for example, might be an email address, an IoC for a BEC campaign could be the phrase an attacker uses to open or sign off the email. Automated intelligence offerings and traditional network security solutions are generally not desig Guideline Wannacry
SecurityWeek.webp 2018-03-19 05:23:04 Hacker Adrian Lamo Dies at Age 37 (lien direct) Adrian Lamo, the former hacker best known for breaching the systems of The New York Times and turning in Chelsea Manning to authorities, has died at age 37. His passing was announced on Friday by his father, Mario Lamo, on the Facebook page of the 2600: The Hacker Quarterly magazine. “With great sadness and a broken heart I have to let know all of Adrian's friends and acquaintances that he is dead. A bright mind and compassionate soul is gone, he was my beloved son…” he wrote. Lamo had been living in Wichita, Kansas, and he was found dead in an apartment on Wednesday. The cause of death is not known, but representatives of local police said they had found nothing suspicious, The Wichita Eagle reported. Lamo broke into the systems of companies such as Yahoo, AOL, Comcast, Microsoft and The New York Times in an effort to demonstrate that they had been vulnerable to hacker attacks. He was arrested in 2003 and in early 2004 he pleaded guilty to computer crimes against Microsoft, The New York Times, and data analytics provider LexisNexis. He was sentenced to six months' detention at the home of his parents. Lamo drew criticism in 2010 after he reported Chelsea Manning (at the time U.S. Army intelligence analyst Bradley Manning) to the Army for leaking a massive amount of classified documents to WikiLeaks. Related: Bradley Manning Sentenced to 35 years Related: Famed Hacker Barnaby Jack Dies Days Before Black Hat Conference Guideline Yahoo
SecurityWeek.webp 2018-03-16 17:23:00 (Déjà vu) VMware Patches DoS Vulnerability in Workstation, Fusion (lien direct) VMware informed customers on Thursday that it has patched a denial-of-service (DoS) vulnerability in its Workstation and Fusion products. Details of the flaw and proof-of-concept code have been made public. In its advisory, VMware said the vulnerability affects Workstation 12.x and 14.x on all platforms, and Fusion 8.x and 10.x on OS X. Patches are included in Workstation 14.1.1 and Fusion 10.1.1. A workaround that involves setting a password for the VNC connection can be applied to Workstation 12.x and Fusion 8.x releases. The flaw, tracked as CVE-2018-6957, was discovered by Lilith Wyatt of Cisco Talos. VMware says it can be exploited to cause a DoS condition by opening a large number of VNC sessions. VNC, which is used in VMware products for remote management and automation purposes, must be manually enabled for the exploit to work. While VMware has classified the vulnerability as “important,” Cisco Talos has assigned it a CVSS score of 7.5, which puts it in the “high severity” category. In its own advisory, Cisco said an attacker can trigger an exception on a targeted server and cause the virtual machine to shut down by initiating numerous VNC sessions. “Since the VMware VNC server is naturally multi-threaded, there are locks and semaphores and mutexes to deal with shared variables. The VNC server also maintains a global variable that indicates the amount of locks that are currently used, that is incremented by certain events,” Talos explained. The code uses a variable to count the locks and ensure that their number is not too high. Wyatt discovered that each TCP connection to the VNC increments this variable twice, and initiating a large number of connections will eventually lead to a DoS condition and a shutdown of the VM. Cisco's advisory includes a one-line PoC exploit. 
VMware sponsored the recent Pwn2Own 2018 hacking competition and offered up to $70,000 for VMware Workstation exploits. However, none of the contestants targeted the company's products. At last year's event, white hat hackers did disclose exploits that included VMware virtual machine escapes. Related: VMware Addresses Meltdown, Spectre Flaws in Virtual Appliances Related: Serious Flaws Affect Dell EMC, VMware Data Protection Products Guideline
SecurityWeek.webp 2018-03-15 15:28:01 'Panama Papers' Law Firm Shuts Down Operations (lien direct) The law firm at the heart of the "Panama Papers" global tax evasion scandal that brought down two world leaders announced Wednesday it would shut down operations, citing negative press and what it called unwarranted action by authorities. "Reputational deterioration, the media campaign, the financial consequences and irregular actions by some Panamanian authorities have caused irreparable damage, resulting in the total ceasing of public operations at the end of this month," Mossack Fonseca said in a statement. But it added a smaller group would continue working to address requests from authorities and other public and private groups. Last August, co-founder Jurgen Mossack acknowledged the firm had closed most of its offices abroad after its damaged credibility caused business to flounder. Related: Panama Papers - Massive Data Leak Exposes Corrupt World Leaders and Tax Havens April 3, 2016 marked the beginning of the "Panama Papers" scandal -- a leak of 11.5 million files from Mossack Fonseca's digital archive that revealed how wealthy and influential figures across the world had created offshore businesses to safeguard assets. The information was obtained by German newspaper Sueddeutsche Zeitung, which shared it with the International Consortium of Investigative Journalists. It was released as a searchable database, with revelations continuing to be unearthed to this day. Icelandic prime minister Sigmundur David Gunnlaugsson was forced to resign after it was revealed his family had offshore accounts -- while former Pakistani prime minister Nawaz Sharif was disqualified for life from office after being implicated in the documents. Other figures implicated included former British premier David Cameron, football star Lionel Messi, Argentina's President Mauricio Macri and Spanish filmmaker Pedro Almodovar, to name but a few.
At least 150 investigations were opened in 79 countries to examine possible tax evasion and money laundering, according to the US-based Center for Public Integrity. Related: The Panama Papers Wake Up Call Guideline
SecurityWeek.webp 2018-03-15 01:38:04 Palo Alto Networks to Acquire CIA-Backed Cloud Security Firm Evident.io for $300 Million (lien direct) Network security firm Palo Alto Networks (NYSE: PANW) on Wednesday said that it has agreed to acquire cloud security and compliance firm Evident.io for $300 million in cash. Palo Alto Networks currently has several security offerings that cater to cloud environments, including its VM-Series virtualized next-generation firewalls, API-based security for public cloud services infrastructure, and Traps for host-based security. Pleasanton, Calif.-based Evident.io's flagship Evident Security Platform (ESP) helps customers reduce cloud security risk by minimizing the attack surface and improving overall security posture. ESP can continuously monitor AWS and Microsoft Azure deployments, identify and assess security risks, provide security teams with remediation guidance, along with providing security auditing and compliance reporting by analyzing configurations of services and account settings against security and compliance controls. “Once integrated with the Palo Alto Networks cloud security offering, customers will be able to use a single approach to continuous monitoring, comprehensive storage security, and compliance validation and reporting,” explained Tim Prendergast, CEO & Co-Founder of Evident.io. Evident.io is backed by Bain Capital Ventures, True Ventures, Venrock, Google Ventures, and In-Q-Tel, the not-for-profit venture capital arm of the CIA. The acquisition is expected to close during Palo Alto Networks fiscal third quarter, subject to satisfaction of customary closing conditions. Evident.io's co-founders, Tim Prendergast and Justin Lundy, will join Palo Alto Networks. Guideline Equifax
SecurityWeek.webp 2018-03-14 15:42:02 The Value of Threat Intelligence is Clear, But Are You Capturing It All? (lien direct) Take Relevance Into Account When Analyzing Threat Data Parents are nervous. High school seniors are nervous. It's that time of year again when college decision letters and emails start to arrive. We all know there's tremendous value in education, and a college degree is a prerequisite for many career paths. But which school is the best fit? Will your child get the most value possible from his or her college experience? For each student, what defines and drives value from the college experience is different. It may be studying in an environment where they feel comfortable and can thrive; attending a university that offers a major in a field they want to pursue; having an opportunity to play the sport they love and excel in; or any number and combination of factors. Likewise, we all know there is tremendous value in threat intelligence, and various factors come into play to create value. The recent SANS 2018 Cyber Threat Intelligence Survey (PDF) finds 81% of cybersecurity professionals affirm that threat intelligence is providing value and helping them do their jobs better. The millions of threat-focused data points available, the many sources of global threat data we subscribe to, and the internal threat and event data from our layers of defense and SIEMs provide a significant amount of threat intelligence. But are we capturing all the value we can to truly strengthen our defenses and accelerate detection and response? As I've said before, not all threat intelligence is equal. Threat intelligence that is of value to your organization may not be of value to another. How do you get the most value from your threat intelligence? It comes down to relevance, and that's determined by your industry/geography, your environment and your skills/capabilities. Industry/Geography.
Threat data focused on attacks and vulnerabilities specific to your industry and geography is much more relevant than generic data that includes threats that target a specific sector and/or region you are not in. External threat feeds such as those from national/governmental Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Centers (ISACs) organized by industry, can prove useful. Complementing the data in your central repository with data from these types of sources can help reduce noise and allow you to focus on threats occurring locally in your sector. Environment. Depending on your environment or infrastructure, some indicators are more relevant than others. For example, if your workforce is highly distributed and endpoint protection is key, hashes are important because they enable you to detect malicious files on those devices. On the network, domain names and IPs are more relevant indicators allowing you to track suspicious traffic. To get the most value from your threat intelligence, you need tools that aggregate indicators in a c Guideline Deloitte
SecurityWeek.webp 2018-03-14 15:17:04 Former Equifax CIO Charged With Insider Trading (lien direct) The United States Securities and Exchange Commission (SEC) said it has charged Jun Ying, former chief information officer (CIO) of a business unit of Equifax, with insider trading in connection with the massive data breach disclosed in late 2017 that put millions of customers at risk. The SEC alleges that before Equifax's public disclosure of the breach in September 2017, Ying exercised all of his vested Equifax stock options and then sold the shares, taking proceeds of roughly $1 million.   By selling his shares before public disclosure of the data breach, Ying avoided more than $117,000 in losses, the SEC says. According to the SEC's complaint, Jun Ying, who reportedly was next in line to be the company's global CIO, allegedly used confidential information provided to him by the company to conclude that Equifax had suffered a serious breach that exposed sensitive personal information of more than 148 million U.S. customers. The Atlanta-based company has been under fire for not explaining why it waited more than a month to warn affected customers about a risk of identity theft and fraud. Questions were also raised after four Equifax executives sold stock worth $1.8 million just prior to public disclosure of the hack. Equifax claimed that the execs had been unaware of the breach when they sold shares. “As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public,” said Richard R. Best, Director of the SEC's Atlanta Regional Office.  
“Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.” Ying has been charged with violating the antifraud provisions of the federal securities laws, and the SEC seeks repayment of ill-gotten gains plus interest, penalties, and injunctive relief. “Upon learning about Mr. Ying's August sale of Equifax shares, we launched a re Guideline Equifax
SecurityWeek.webp 2018-03-14 13:01:00 (Déjà vu) Cyber-Attack Prevention Firm Solebit Raises $11 Million (lien direct) Tel Aviv-based cyber-attack prevention firm Solebit Labs, currently establishing new global headquarters in Silicon Valley, has announced completion of an $11 million Series A funding round led by ClearSky Security. Solebit was founded in 2014 by Boris Vaynberg, Meni Farjon, and Yossi Sara -- all of whom graduated from Israel's IDF technology units. The funding announced today will be used to accelerate adoption and deployment of the SoleGATE Security Platform from the new headquarters in Silicon Valley. SoleGATE is an attack prevention system that can be used as a replacement or alternative to traditional endpoint protection systems. Such systems typically rely on either malware signatures or malware behavioral analysis engines -- with or without benefit of machine learning AI algorithms -- to detect malware; and both of these approaches can be evaded by zero-day fileless attacks. SoleGATE is an attack prevention system that uses neither signatures nor behavioral analysis to detect malicious code before it enters the network. Instead, it creates a logical 'no code zone' that inspects every data stream for executable code, no matter how encrypted or hidden. By inspecting every data stream, malicious code has nowhere to hide, and cannot evade detection. Solebit claims that it has a false positive rate of less than 0.002%. “Attackers still possess the edge, particularly in zero-day attacks, despite considerable security investment,” said Vaynberg, CEO of Solebit. “DvC (Solebit's patent-pending inspection engine) assumes that there is no legitimate reason for executable code to be present in any data file.
DvC also accurately identifies and blocks malicious active content using advanced flow analysis, de-obfuscation techniques and deep content evaluation, to reveal threat intent within any data file covering machine, operating system and application levels, thereby rendering such sandbox-evading malware harmless to the enterprise.” SoleGATE is a virtual appliance that can analyze data streams at high speed. For large companies, "SoleGATE supports both vertical and horizontal scaling," Vaynberg told SecurityWeek. "Each SoleGATE virtual appliance can scan many files concurrently (based on number of CPU cores dedicated to the virtual appliance) and customers can use multiple SoleGATE instances working in Active-Active mode."  The technology is closer in concept to Content Disarm and Reconstruct (CDR) solutions than it is to standard malware detection products -- but still has fundamental differences. "The SoleGATE DvC engine analyzes the binary content of each scanned file and reaches a conclusive verdict regarding the file, whether it is malicious or not. It covers a wide range of file formats, does not change anything in the scanned file and, of course, there is no effect on user experience," explained Vaynberg.  "CDR, however, is reconstructing the file, assumi Guideline
SecurityWeek.webp 2018-03-13 21:33:02 (Déjà vu) Adobe Patches Critical Code Execution Flaws in Dreamweaver, Flash (lien direct) Security updates released by Adobe on Tuesday patch several vulnerabilities in the company's Dreamweaver, Flash Player and Connect products. Flash Player 29.0.0.113 for Windows, Mac, Linux and Chrome OS addresses two critical flaws affecting versions 28.0.0.161 and earlier. The vulnerabilities have been described as a use-after-free bug (CVE-2018-4919) and a type confusion issue (CVE-2018-4920), both of which can be exploited for remote code execution. While they have been classified as critical, Adobe has assigned them a priority rating of “2,” which indicates that the company does not expect to see exploits any time soon. The security holes were discovered by Yuki Chen of Qihoo 360 Vulcan Team, who reported them to Adobe via the Chromium Vulnerability Rewards Program. In Dreamweaver CC, Adobe resolved a critical OS command injection vulnerability discovered by researcher Andrea Micalizzi, also known as “rgod.” The flaw is serious, but the product has never been targeted by hackers, at least to Adobe's knowledge. The flaw, CVE-2018-4924, affects versions 18.0 and earlier for Windows and it's related to the Dreamweaver URI handler. An attacker can exploit the weakness for arbitrary code execution in the context of the current user. The latest version of Adobe Connect patches two important vulnerabilities: an OS command injection flaw that can lead to arbitrary file deletion, and an unrestricted SWF file upload bug that can be exploited for cross-site scripting (XSS) attacks. Micalizzi and Ciaran McNally have been credited for finding the flaws. Adobe was recently forced to release an out-of-band update for Flash Player after learning of a vulnerability that had been exploited in targeted attacks by a threat actor believed to be from North Korea. 
Microsoft's Patch Tuesday updates for this month fix over 70 vulnerabilities, including more than a dozen critical flaws affecting the Edge and Internet Explorer web browsers. Related: Adobe Patches 'Business Logic Error' in Flash Player Related: Adobe Patch Tuesday Updates Fix Only One Flash Player Flaw Guideline
SecurityWeek.webp 2018-03-13 20:36:05 Microsoft Patches Over Dozen Critical Browser Flaws (lien direct) Microsoft's Patch Tuesday updates for March 2018 fix a total of 75 vulnerabilities, including more than a dozen critical flaws affecting the company's Edge and Internet Explorer web browsers. All the security holes rated critical this month affect the web browsers. A vast majority of the issues have been described as remote code execution flaws that exist due to the way browser scripting engines handle objects in memory. The only critical vulnerability that cannot be exploited for arbitrary code execution can lead to disclosure of information that can be leveraged to further hack the targeted system. Two of the flaws patched by Microsoft have been publicly disclosed before patches became available, but they are only rated as “important,” and there is no evidence of malicious exploitation. These bugs are a denial-of-service (DoS) issue in ASP.NET and a privilege escalation in Exchange. The Zero Day Initiative (ZDI) pointed out that the Exchange vulnerability exists in the Outlook Web Access (OWA) component and it can be exploited for phishing attacks. Another interesting privilege escalation flaw affects the Windows installer and it allows an authenticated attacker to run arbitrary code with elevated permissions. “At first glance, this doesn't seem very crucial since an attacker would need the ability to run programs on a target system to exploit this vulnerability,” ZDI said in a blog post. “However, this type of bug is often used by malware authors to “piggyback” their malicious code on top of innocuous code. It's always easier to convince someone to install 'GreatNewGame.exe' instead of 'EvilMalware.exe'.” Another noteworthy vulnerability is CVE-2018-0886, a remote code execution bug affecting the Credential Security Support Provider (CredSSP) protocol. 
In addition to applying Microsoft's patch, users also need to make some settings changes in order to fully mitigate potential attacks. Microsoft's latest security updates also patch vulnerabilities in Hyper-V, Access, Identity Manager, SharePoint, and Windows. The company has also updated the Flash Player components present in its products to address a couple of flaws fixed on Tuesday by Adobe. Related: Microsoft Patches Zero-Day Vulnerability in Office Related: Microsoft Patches Critical Vulnerability in Malware Protection Engine Guideline
SecurityWeek.webp 2018-03-13 16:21:05 Blocking of Broadcom-Qualcomm Tie-up Highlights 5G Security Fears (lien direct) The unusual move by President Donald Trump blocking a proposed takeover of Qualcomm by Singapore-based chip rival Broadcom highlights growing concerns about the rise of Chinese competitors in the telecom sector and related national security issues. Trump issued an order Monday barring the proposed $117 billion acquisition, citing credible evidence such a deal "threatens to impair the national security of the United States." Trump's order made no mention of China, but an earlier letter from the US Treasury warned that a takeover might hurt US leadership in 5G, or fifth-generation wireless networks now being deployed, and consequently pose a threat to US security. "It's a real threat," said James Lewis, a former US national security official who is now vice president at the Center for Strategic and International Studies in Washington. "Every administration since 2002 has figured out we are vulnerable to Chinese espionage if they control the infrastructure. Qualcomm and to some degree Cisco are the last two that keep the US in the game when it comes to telecom, and we don't want to lose them." The takeover, which would have been the largest in the tech sector, was under investigation by the normally secretive Committee on Foreign Investment in the United States (CFIUS). Last week's Treasury letter said a takeover of Qualcomm could lead to a loss of US influence in 5G standards, opening the door for Chinese firms like Huawei to dominate. "Huawei is maybe the only company that offers a full range of 5G products," Lewis said. "It is positioning itself to be the number one provider of 5G equipment." Broadcom said it "strongly disagrees" a tie-up could raise national security concerns, and had pledged to invest to ensure US leadership in 5G, the superfast networks crucial to robotics, connected cars and other smart devices. 
Lewis said it was possible US intelligence found something to warrant concern over the deal even as Broadcom was taking steps to redomicile in the United States by April 3, which would negate a CFIUS investigation. "Maybe it's money, maybe it's control, maybe it's something we don't know that would justify this kind of extreme action," Lewis said. - Fear of Huawei - Guideline
SecurityWeek.webp 2018-02-23 12:08:02 Report Highlights Challenges of Incident Response (lien direct) False Positives Lead to a Surprising Number of Incident Response Investigations Guideline
SecurityWeek.webp 2018-02-22 15:36:01 Do Business Leaders Listen to Their Own Security Professionals? (lien direct) Survey Shows a Disconnect Between Business Leaders and Security Professionals A new research report published this week claims, "A disconnect about cybersecurity is causing tension among leaders in the C-suite -- and may be leaving companies vulnerable to breaches as a result." Guideline
SecurityWeek.webp 2018-02-22 11:05:05 Cryptocurrency Fraud: In the Midst of a Gold Rush, Beware of Scammers (lien direct) Bitcoin is the pioneer and obvious leader in the cryptocurrency market. But in 2017 alternative coins, or “altcoins,” began to transform the market. Nearly 1,500 cryptocurrencies are currently in circulation, and new altcoins emerge every week with Monero, Zcash and Ethereum among the top challengers to Bitcoin.  Guideline
SecurityWeek.webp 2018-02-21 15:20:05 North Korea Cyber Threat 'More Aggressive Than China': US Firm (lien direct) North Korean hackers are becoming more aggressive than their Chinese counterparts, a leading US cybersecurity firm warned Tuesday, as it identified a Pyongyang-linked group as an "advanced persistent threat". Guideline Cloud APT 37
SecurityWeek.webp 2018-02-16 18:14:01 Global Powers Must Address 'Episodes of Cyberwar': UN Chief (lien direct) World leaders must lay the groundwork on how countries respond to cyberattacks that have proven to be a daunting threat, whether by state actors or criminal enterprises, UN secretary general Antonio Guterres said Friday. Guideline
SecurityWeek.webp 2018-02-16 09:14:00 BGP Flaws Patched in Quagga Routing Software (lien direct) Several vulnerabilities that could lead to denial-of-service (DoS), information disclosure, and remote code execution have been patched this week in the Quagga routing software suite. Guideline
SecurityWeek.webp 2018-02-09 19:00:01 Facebook Increases Bug Bounty Payout After Audit (lien direct) Facebook decided to increase a researcher's bug bounty payout after discovering that a bug he reported could lead to account takeover. Guideline
SecurityWeek.webp 2018-02-08 16:14:45 Malware is Pervasive Across Cloud Platforms: Report (lien direct) Leading Cloud Service Providers and Majority of AV Engines Failed to Detect New Ransomware Variant Guideline
SecurityWeek.webp 2018-02-02 16:57:03 Kaspersky Patches Vulnerabilities in Secure Mail Gateway (lien direct) Kaspersky Lab this week released an update for its Secure Mail Gateway to resolve a series of vulnerabilities that could lead to account takeover, code execution, and privilege escalation. Guideline
SecurityWeek.webp 2018-01-07 15:47:36 NSA Contractor Pleads Guilty in Embarrassing Leak Case (lien direct) A former contractor for the US National Security Agency's elite hacking group has agreed to plead guilty to removing classified documents in a case that highlighted a series of disastrous leaks of top-secret NSA materials.  Guideline
SecurityWeek.webp 2017-12-17 17:43:14 French Aerospace Giant Thales Acquires SIM Maker Gemalto (lien direct) French aerospace and defence group Thales said Sunday it has bought European SIM manufacturer Gemalto in a bid to become a global leader in digital security. Guideline
SecurityWeek.webp 2017-12-04 14:41:42 Google to Warn Android Users on Apps Collecting Data (lien direct) Google is stepping up its fight against unwanted and harmful applications on Android and will soon alert users about apps, and about websites leading to apps, that collect personal data without their consent. Guideline
SecurityWeek.webp 2017-11-29 18:39:21 Canadian Pleads Guilty to Hacking Yahoo (lien direct) A 22-year-old Canadian national accused of carrying out attacks on Yahoo pleaded guilty on Tuesday to charges returned by a grand jury in the Northern District of California in February 2017. Guideline Yahoo ★★★
Last update at: 2024-05-15 15:08:04