Info Security


Capture the Flag Competition Aims to Trace Missing Persons

Thu, 11/14/2019 - 18:58

Cyber professionals will compete to find leads in real missing persons cases in a competition in Washington, DC, next month. 

SANS Institute has teamed up with non-profit organization Trace Labs to host the Open-Source Intelligence (OSINT) Missing Persons Capture the Flag (CTF) in partnership with local, state, and federal law enforcement agencies.

Participants, working in teams of up to four people, will gather fresh intelligence on several specific missing persons cases from publicly available data on social media, forums, government records, and even the dark web.

Points will be awarded in exchange for each piece of data uncovered that was previously unknown to law enforcement. 

At the end of the contest, Trace Labs will generate an intelligence report from the OSINT, which will be passed to the law enforcement agencies responsible for these cases.

Up to seventy-five ethical hackers and information security professionals from within the SANS community are expected to compete at the event, which will take place December 13–14. 

The first ever crowdsourced OSINT for Missing Persons CTF event was held in Toronto on July 28, 2018. Since then, Trace Labs has partnered with law enforcement, not-for-profits, and industry conferences to run over 25 similar events across five countries, bringing together over 2,000 industry professionals to work on over 200 missing persons cases.

Explaining how missing persons cases are selected for the competitions, Adrian Korn, director of OSINT operations & strategic initiatives at Trace Labs, told Infosecurity Magazine: "When we take on missing cases, we look for ones that have a significant digital footprint available. These are cases where a person has been reported missing in the past 10 years as this is the time period where social media and smartphone usage has grown the most.

"We do our best to include cases of different backgrounds and from different regions in our events. Since our efforts are all focused on looking at the public online activity of a missing person, we work with law enforcement to take on cases where they have seen significant online activity from the missing person."

Korn said the details of which cases would feature at December's event would remain secret until the day of the competition; however, he was able to confirm that the cases involve a combination of missing youths and adults from across the US who went missing within the past decade.  

Asked how he would respond to comments that gamifying the search for missing persons could be construed as disrespectful, Korn said: "The Trace Labs model was built to attract as many skilled cyber professionals as possible to expedite the collection of OSINT on the missing persons cases we work. With so many of these cyber professionals possessing valuable skills and using them on 'simulated' hacking competitions called 'CTFs' we saw an opportunity to refocus their efforts to do real social good. 

"With this in mind, the decision to gamify these events is solely a motivating factor for participants that we then turn into interest to continue helping with the search after the contest is over through our Trace Labs community."

Categories: Cyber Risk News

Boom in Lookalike Retail Domains

Thu, 11/14/2019 - 18:40

New research into domains registered with a trusted TLS certificate has found that lookalike domains outnumber legitimate retail sites by more than 2:1.

In a study conducted by researchers at Venafi, suspicious domains targeting 20 major retailers in the US, UK, France, Germany, and Australia were analyzed. Researchers found over 100,000 lookalike domains that use valid TLS certificates to appear safe and trustworthy. 

Threat actors use fake domains, cunningly rendered to appear legitimate, to steal personal data and financial information from unsuspecting online shoppers. The domains are created using URLs that vary by only a few characters from the addresses used by the genuine stores they are imitating.   

According to Venafi’s research, growth in the number of lookalike domains has more than doubled since 2018. Among the top 20 online German retailers, researchers detected almost four times more lookalike domains than authentic domains.

In America, just one of the country's top 20 retailers had over 12,000 lookalike domains being used to con its customers. 

Researchers tied the increase in lookalike domains to the availability of free TLS certificates, such as the ones available from Let's Encrypt, which were used by 84% of the lookalike domains. 

Jing Xie, senior threat intelligence analyst for Venafi, said: "No organization should rely exclusively on certificate authorities to detect suspicious certificate requests. For example, cyber attackers recently set up a lookalike domain for NewEgg, a website with over 50 million visitors a month. The lookalike domain used a trusted TLS certificate issued by the CA who followed all the best practices and baseline requirements. This phishing website was used to steal account and credit card data for over a month before it was shut down by security researchers."

Researchers urged online retailers to protect their customers by searching for suspicious domains and reporting them to the anti-phishing service Google Safe Browsing and to the Anti-Phishing Working Group (APWG). 

Researchers see no end to the profitable practice of domain spoofing. 

"Ultimately, we should expect even more malicious lookalike websites designed for social engineering to pop up in the future," concluded Xie. "In order to protect themselves, enterprises need effective means to discover domains that have a high probability of being malicious through monitoring and analyzing certificate transparency logs. This way they can leverage many recent industry advances to spot high-risk certificate registrations, crippling malicious sites before they cause damage by taking away their certificates."
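As an added illustration of the certificate-transparency monitoring Xie describes (example code written for this article, not Venafi's tooling), the following Python scores hostnames from a constructed CT feed against a watched brand, using the NewEgg case from the article. The confusable table, the public-suffix subset, the edit-distance thresholds and the sample hostnames are all assumptions.

```python
"""Rank hostnames seen in certificate transparency (CT) logs by how closely they
imitate a watched brand.  Added example for this article, not Venafi's tooling.
The CT entries below are constructed, not real log data."""
import unicodedata

# Constructed, deliberately partial confusable map: digits and letter pairs that
# read like other letters, plus a few Cyrillic look-alikes.  Both the brand and
# each candidate label pass through the same folding, so the map only needs to
# be applied consistently, not to be complete.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "vv": "w", "rn": "m",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

# Constructed subset of multi-label public suffixes, enough for the sample.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def fold(label: str) -> str:
    """Lower-case, strip accents, drop hyphens and map confusables to ASCII."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    label = label.replace("-", "")
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def registrable_labels(host: str) -> list:
    """Labels of the host with the public suffix removed, decoding punycode."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES:
        parts = parts[:-2]
    elif len(parts) >= 2:
        parts = parts[:-1]
    out = []
    for p in parts:
        if p.startswith("xn--"):
            try:
                p = p.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # keep the raw label; it simply will not match the brand
        out.append(p)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute, each costing 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, brand: str, legit_domains) -> str:
    """Return 'legitimate', 'lookalike:<kind>' or 'unrelated' for one hostname."""
    host = host.lower().rstrip(".")
    for d in legit_domains:
        if host == d or host.endswith("." + d):
            return "legitimate"
    target = fold(brand)
    # Short brands tolerate one edit, longer ones two (constructed heuristic).
    max_edits = 2 if len(target) >= 8 else 1
    verdict = "unrelated"
    for label in registrable_labels(host):
        folded = fold(label)
        if folded == target:
            return "lookalike:exact"          # e.g. newegg.co, new-egg.net
        if target in folded:
            verdict = "lookalike:embedded"    # e.g. newegg-login.com
        elif levenshtein(folded, target) <= max_edits and verdict == "unrelated":
            verdict = "lookalike:typo"        # e.g. neweg.com
    return verdict


def scan(ct_hosts, brand, legit_domains) -> dict:
    """Map every host that earns a lookalike verdict to that verdict."""
    flagged = {}
    for h in ct_hosts:
        v = classify(h, brand, legit_domains)
        if v.startswith("lookalike:"):
            flagged[h] = v
    return flagged


# Constructed sample of names as they might appear in a CT feed (not real data).
SAMPLE_CT_HOSTS = [
    "newegg.com", "secure.newegg.com", "newegg.co", "new-egg.net",
    "newegg-login.com", "neweg.com", "n3wegg-support.co.uk",
    "nevvegg.org", "example.com", "wordpress.org",
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_CT_HOSTS, "newegg", {"newegg.com"}).items():
        print(f"{verdict:22} {host}")
```

Flagged names are candidates for analyst review and for reporting to Google Safe Browsing or the APWG, as the article recommends; the heuristic is a triage filter, not proof of malicious intent.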

Categories: Cyber Risk News

Apple Employee Texts Himself Customer's Nude

Thu, 11/14/2019 - 16:36

A California woman has issued a warning on Facebook after discovering that an Apple store employee texted himself an intimate photo from her phone. 

Gloria Fuentes took her phone into the Valley Plaza Apple store in Bakersfield, California, on November 4 to get the screen repaired.

Before handing her phone over to a man on the tech team, Fuentes had taken the precaution of removing social media apps and financial information from the device. 

On November 5 on Facebook, Fuentes wrote that she had intended to delete all the photos from her phone too but had forgotten to do so in her haste to make it to the store after her original appointment time was unexpectedly brought forward. 

"So I go in, I give the guy my phone he’s messing around with it for quiet [sic] a while and I didn’t really pay any mind to it because I just figured he’s doing his job, looking into my insurance info or whatever," wrote Fuentes.

The employee asked Fuentes for her passcode twice before eventually handing her phone back to her unfixed and advising her to contact her phone company to arrange a repair. 

Fuentes wrote: "I walk in my house turn on my phone about to text someone and realize there’s a message to an unsaved number!!!!! I open it and instantly wanted to cry!!! This guy went through my gallery and sent himself one of my EXTREMELY PERSONAL pictures that I took for my boyfriend and it had my geolocation on so he also knows where I live!!!"

The intimate shot had been taken a year earlier and was one of around 5,000 photos on Fuentes' phone. 

"He had to have scrolled up for a while to get to that picture," wrote Fuentes.

Disgusted by her discovery, Fuentes returned to the Apple store to speak to the man. 

Fuentes wrote: "I went back to the store and confronted him and he admits to me that this was his number but that 'he doesn't know how that pic got sent!!' The manager just said he’d look into it."

Not knowing the full extent or ramifications of the incident was of great concern to Fuentes. 

"I have no idea if he sent more than the picture that he forgot to delete and I have no clue what he's going to do with them," wrote Fuentes.

"This makes me cry thinking about it but I think he needs to be held accountable and anyone else that has had him work on their phone should be aware of the fact that there’s a possibility that he’s done this to them!!" 

In an emailed statement, Apple told The Washington Post, "We are grateful to the customer for bringing this deeply concerning situation to our attention. Apple immediately launched an internal investigation and determined that the employee acted far outside the strict privacy guidelines to which we hold all Apple employees. He is no longer associated with our company."

Categories: Cyber Risk News

Shamoon-Slingers APT33 in Secret New Operations

Thu, 11/14/2019 - 11:50

Security researchers are warning oil and aviation industry organizations to be on their guard after spotting a notorious Iranian APT group using private VPNs to keep its activity hidden.

APT33 has been linked to the infamous Shamoon destructive malware which knocked out tens of thousands of PCs at Saudi Aramco in 2012 and has been deployed across Europe and the Middle East since.

Now Trend Micro has observed the group using a dozen command and control (C&C) servers in a highly obfuscated attack targeting a narrow group of organizations in the US, Asia and the Middle East.

The group has been ramping up operations since 2018 with attacks on a UK and European oil company as well as supply chain organizations, the vendor claimed in a new blog post.

Already infected this year are a private American company that offers national security-related services, US universities, a military-linked US organization and several victims in the Middle East and Asia.

Although the malware linked to the small botnets used by the group is limited mainly to downloading and running additional malware, APT33 is going to great lengths to stay hidden.

“The C&C domains are usually hosted on cloud hosted proxies. These proxies relay URL requests from the infected bots to backends at shared webservers that may host thousands of legitimate domains,” said Trend Micro.

“The backends report bot data back to a data aggregator and bot control server that is on a dedicated IP address. The APT33 actors connect to these aggregators via a private VPN network with exit nodes that are changed frequently. The APT33 actors then issue commands to the bots and collect data from the bots using these VPN connections.”

Private VPNs are easy to set up with open source software such as OpenVPN and rented servers. However, the technique has made the group’s activity easier to track once researchers identified which exit nodes the VPNs were using.

They’re apparently being used to hide reconnaissance of possible future victims including oil company suppliers, and other research.

“APT33 used its private VPN network to access websites of penetration testing companies, webmail, websites on vulnerabilities, and websites related to cryptocurrencies, as well as to read hacker blogs and forums,” said Trend Micro. “APT33 also has a clear interest in websites that specialize in the recruitment of employees in the oil and gas industry.”

The vendor urged regular patching, employee security training, least privilege access policies and multi-layered protection for oil and utilities firms.

Categories: Cyber Risk News

Healthcare Malware Infections Soar 60% from 2018

Thu, 11/14/2019 - 10:30

Cyber-criminals are increasingly focusing data stealing and ransomware attacks on healthcare organizations (HCOs), with detected infections increasing by 60% from 2018 to the first three quarters of this year, according to Malwarebytes.

The security vendor’s Cybercrime tactics and techniques: the 2019 state of healthcare report makes for concerning reading for IT security professionals in the sector.

It claimed that hackers are attracted by the high ROI offered by patients’ PII, and the large number of endpoints and connected devices, which offers an extensive attack surface. They also know that cybersecurity is often treated as an afterthought, with legacy systems, poor patch management, staff with little security know-how and unprotected devices all serving to make hospitals even more attractive targets.

Threat detections grew 45% between Q2 and Q3 2019, with Trojan malware the most popular type, increasing 82% over the period thanks mainly to the activity of Emotet and TrickBot.

These are often used to drop ransomware onto victim networks, Malwarebytes claimed.

Top attack methods noted by the firm included exploiting unpatched flaws in third-party software and using social engineering such as phishing emails to deliver malicious links and attachments.

Malwarebytes also warned that innovative new IoT devices could expand the average HCO's attack surface even further if security is not built-in from the very start.

It goes without saying that the impact of cyber-attacks on HCOs could be severe.

A new report out last week claimed that data breaches at hospitals led to an increase in the 30-day mortality rate for heart attacks that translated to 36 additional deaths per 10,000 heart attacks per year. This was mainly due to the period of remediation and clean-up required following an incident, which may have impeded the work of doctors, the authors said.

The report warned that “ransomware attacks might have an even stronger short-term negative relationship with patient outcomes than the long-term remediation efforts studied here.”

Categories: Cyber Risk News

Alleged $20M Carding Forum Mastermind Faces US Charges

Thu, 11/14/2019 - 09:49

A Russian national is facing charges of running a $20m carding forum after being extradited from Israel to the US.

Aleksei Burkov, 29, arrived at Dulles International Airport on Monday after being arrested initially at Ben-Gurion airport in December 2015, and failing in his appeal attempts over subsequent years to avoid being shipped to the States.

According to an unsealed indictment, he is alleged to have run the Cardplanet site which sold mainly hacked payment card numbers, including those of many Americans. The Department of Justice claimed that fraudsters made over $20m from purchases using the stolen details.

Burkov is also charged with running a separate members-only site where sellers could advertise personally identifiable information (PII), malware, money laundering, hacking services and more. To keep the site under the radar of law enforcers and researchers, prospective members needed three existing members to vouch for them and around $5000, the DoJ claimed.

The Russian has been charged with wire fraud, access device fraud, and conspiracy to commit wire fraud, access device fraud, computer intrusions, identity theft and money laundering. He faces a maximum of 80 years in prison if convicted on all counts.

Law enforcers appear to be getting better at disrupting the activity of cybercrime marketplaces.

In February last year, global police arrested 13 individuals on suspicion of involvement in the notorious carding forum 'Infraud', which is thought to have led to losses of over $530 million.

However, cyber-criminals are always one step ahead. News from McAfee last year revealed an increasing trend for downsizing from major dark web forums to smaller operations in order to build trust with buyers and stay under the radar.

Dark web sites also offer budding fraudsters all the tools and knowledge they need to get started.

Categories: Cyber Risk News

Multi-Party Cyber-Incidents Cost 13x More Than Single-Party Incidents

Wed, 11/13/2019 - 19:29

A new study has found that the financial losses caused by cyber-incidents affecting multiple parties are vastly more devastating than those that stem from any single-party incident. 

According to the Ripples Across the Risk Surface study, published today by Cyentia Institute, when compared to losses triggered by a single-party incident, the ripple effect costs that occur following multi-party incidents result in a total loss that is a whopping 13 times greater. 

Extreme losses, which sit above the 95th percentile, show an even larger discrepancy, with a loss of $16m for single-party incidents versus $417m for multi-party incidents.

The in-depth study, sponsored by RiskRecon, analyzed data from 813 cyber-incidents and closely examined their impact on numerous downstream organizations, described as secondary victims. A cyber-incident is defined in the study as an "event that compromises the confidentiality, integrity, or availability of an information asset."

The objective of this first-of-its-kind study was to raise market awareness of the far-reaching effects an incident such as a data breach can have as a result of the hyper-interdependencies of organizations.

Researchers plumbed historical data relating to 90,000 cyber-events from the cyber-loss database Advisen, finding that since 2008, 813 cyber-incidents had occurred in which at least three organizations were primary victims. 

As a result of these multi-party cyber-incidents, a further 5,437 downstream loss events occurred in which secondary organizations were impacted. In fact, downstream entities affected by multi-party incidents outnumbered primary victims by 850%.

In one single incident examined by researchers, 131 different organizations were affected. 

Researchers found that secondary organizations could be faced with losses equal to those experienced by primary victims. 

"Our analysis reveals little difference between losses reported by primary and secondary victim organizations of a cyber incident. This suggests that another firm’s breach could impact your organization just as much (or worse) than a breach of your own systems," wrote researchers. 

Analysis into the specific industries most severely impacted by ripple events was conducted through Cyentia Institute’s adoption of the North American Industry Classification System. Based on this data, the sectors that possess the highest concentration of personal data and information (credit bureaus, banks, collection agencies, and hotels) account for nearly 60% of all organizations generating ripple effects. 

"Most breach research doesn’t explain the downstream impact of ripple events and that these incidents no longer simply impact a single organization," said Kelly White, CEO and co-founder of RiskRecon.  

"Lacking proper third-party risk controls can contaminate the entire enterprise ecosystem where sensitive data is stored and shared."

Researchers projected that multi-party incidents will increase at an average rate of 20% per year.

Categories: Cyber Risk News

IRS to Mount Epic Cyber-Safety Campaign

Wed, 11/13/2019 - 18:19

America's Internal Revenue Service is to launch a large-scale cyber-safety campaign to coincide with the busiest shopping period of the year.

According to the website Accountingtoday.com, the campaign by the IRS will begin on the Monday after Thanksgiving, commonly known to bargain hunters as Cyber Monday. 

"The campaign will emphasize to practitioners and taxpayers the potential dangers they face during the holiday shopping season and the filing season ahead," said Stephen Mankowski, national tax chair of the National Conference of CPA Practitioners.

"National Tax Security Awareness Week 2019 is slated to begin on Cyber Monday and run from December 2 through December 6," he continued. "This is the heaviest period of time when people are online and when phishing is most common."

YouTube videos will form a key part of the campaign, which will strongly urge taxpayers to only make purchases from known vendors and to regularly check their bank statements for any suspicious activity. 

Mankowski said that continued widespread ignorance of security best practices had been flagged as a concern during a recent meeting he attended with government officials in Washington, DC.

"During the recent Tax Forums, the IRS noted that a lot of people still are not aware of the basics of data security," he said. "The IRS has been making some headway, but much more is needed."

The news follows last month's efforts by the IRS to raise cybersecurity awareness within families as part of National Work and Family Month. 

On October 22, the IRS urged families and teens to stay vigilant in protecting personal information while connected to the internet. 

An IRS spokesperson wrote: "During National Work and Family Month, IRS is asking parents and families to be mindful of all the pitfalls that can be found by sharing devices at home, shopping online and through navigating various social media platforms. Often, those who are less experienced can put themselves and others at risk by leaving an unnecessary trail of personal information for fraudsters."

Cybersecurity "common-sense suggestions" shared by the IRS on their website include advice to always use a virtual private network when connecting to public Wi-Fi, a recommendation to encrypt sensitive files such as tax records stored on computers, and an admonition not to share personal information such as birthdate, address, age, and Social Security numbers online.

Categories: Cyber Risk News

Facebook Bug Turns on iPhone Cameras

Wed, 11/13/2019 - 17:38

Users of the Facebook app have complained after discovering a bug that causes their iPhone cameras to activate in the background when they use the app. 

Multiple people have taken to Twitter to report that using the Facebook app on their iPhone has caused the device's rear camera to switch on and run in the background.

Eagle-eyed users noted that the problem seemed to occur as they looked at photos and watched videos that appeared on their newsfeed.

It isn't clear whether the cameras activated by the bug were recording what they observed.

The earliest incident relating to the bug was recounted on Twitter by software tester @neo_qa on November 2. 

The concerned Facebook user wrote: "Today, while watching a video on @facebook, I rotated to landscape and could see the Facebook/Instagram Story UI for a split second. When rotating back to portrait, the Story camera/UI opened entirely. A little worrying . . ."

CNET was able to replicate the bug, and other Facebook users chimed in to say that they had experienced the same issue, with one Twitter user, @selw0nk, quipping that "It's not a bug, it's a feature."

At the beginning of this week, more Facebook users took to Twitter to report another bug that seems to affect the latest version of iOS.

This time, users said that when they navigated away from an image they had opened in the Facebook app, they could see a thin slice of the camera's viewfinder. From this, they concluded that whenever the Facebook app is opened, the camera is activated in the background.

Twitter user @JoshuaMaddux wrote on November 10: "Found a @facebook #security & #privacy issue. When the app is open it actively uses the camera. I found a bug in the app that lets you see the camera open behind your feed. Note that I had the camera pointed at the carpet."

The camera-related bugs have added fuel to the fire for people who believe that it's within the realm of possibility that Facebook might deliberately record its users as a way to gather information or target advertisements. 

After a week of silence regarding the first camera bug, Facebook's vice president of integrity Guy Rosen responded on Twitter to Maddux's November 10 tweet about the second bug. 

From his Android device, Rosen wrote: "Thanks for flagging this. This sounds like a bug, we are looking into it."

In a later tweet, Rosen said the camera bug had been created when an earlier bug was fixed.

"We recently discovered our iOS app incorrectly launched in landscape," Rosen wrote. 

"In fixing that last week in v246 we inadvertently introduced a bug where the app partially navigates to the camera screen when a photo is tapped. We have no evidence of photos/videos uploaded due to this."

Rosen later confirmed that nothing was uploaded to Facebook as a result of the camera-related bugs, because the camera was in preview mode. 

A fixed version of the app was submitted to the App Store yesterday.

Dr. Richard Gold, head of security engineering at Digital Shadows, commented: "Bugs such as these erode the already fragile trust between companies and the public, even though their origin might be completely innocuous."

Categories: Cyber Risk News

Airbus Launches Human-Centric Cybersecurity Accelerator

Wed, 11/13/2019 - 12:00

Airbus has announced the launch of a human-centric cybersecurity accelerator program. It will feature a dedicated team of human factor and cognitive psychology experts that will work in collaboration with the UK’s National Cyber Security Centre (NCSC) and a range of other partners to gain crucial insights into human-centric approaches for improving cybersecurity effectiveness. 

The Accelerator will offer placements for qualifying university students and establish collaboration opportunities with research teams and businesses to help make the UK one of the safest places to do business in cyberspace. 

The launch follows the opening of the Airbus Cyber Innovation Hub, located in Newport, Wales, in April 2019.

Dr Kevin Jones, chief information security officer of Airbus, said: “With increasingly sophisticated attacks being attempted every day, it simply isn’t possible to protect every user against every cyber-attack. We therefore need to think differently and identify ways for security to work with an organization’s people, to better protect against an array of threats.

“With the right tools and approach, employees can be the strongest link in an organization’s cyber-defense. Our work aims to put people-centric thinking at the heart of an organization’s security and we’re keen to hear from likeminded researchers and organizations who are interested in getting involved with our new Accelerator.”

Airbus was recently forced to take action after a possible Chinese state-sponsored hacking operation was detected targeting multiple suppliers over the past year.

Dr Ian Levy, technical director at the NCSC, said the new initiative is a welcome one and recognizes the importance of a multidisciplinary approach that puts people at the center of cybersecurity development.

“At the NCSC, we recognize the vital role employees have to play in an organization’s cyber-resilience and we are pleased to collaborate on this program.”

Categories: Cyber Risk News

Mexican Petrol Giant Pemex Hit by Ransomware

Wed, 11/13/2019 - 11:30

Mexico’s state-owned petroleum giant Petróleos Mexicanos (Pemex) is insisting all operations are running normally after a suspected ransomware attack, despite reports to the contrary.

The firm claimed that operation and production systems remain unaffected and supply of fuel remains guaranteed. However, it admitted that an attack on Sunday did affect around 5% of its personal computers.

Reports, though, suggest the firm has been harder hit, with Pemex billing systems taken offline, forcing staff to rely on manual processes which means payment of staff and suppliers may be disrupted.

Invoices for fuel sent from Pemex storage facilities to gas stations were being filled in manually while some employees in the petrol giant’s refining business couldn’t access emails or get online on Tuesday, with computers running slowly, sources told Bloomberg.

Although an internal memo reportedly suggested Ryuk as the culprit, security experts have seen leaked ransom notes confirming that the attackers used the DoppelPaymer variant.

A Tor payment site revealed a ransom demand of 565 Bitcoins (£3.9m, $5m).

The same ransomware is thought to have been used in an attack against Canada’s Nunavut territory earlier this month.

Pemex is the latest in a long line of big-name organizations targeted by ransomware this year. Norwegian aluminium giant Norsk Hydro suffered major outages after being struck in March. The firm later admitted that the attack may have cost it as much as $41m after production was disrupted.

German automation giant Pilz was crippled for over a week by ransomware last month, while US mailing technology company Pitney Bowes and French media conglomerate Groupe M6 admitted suffering attacks.

Over a quarter (28%) of UK firms were hit by ransomware over the previous 12 months, according to research from Databarracks published in July.

Categories: Cyber Risk News

US Border Officers Humbled by Fourth Amendment Ruling

Wed, 11/13/2019 - 10:30

Privacy groups are celebrating after a federal court ruled that suspicion-free searches of travellers’ electronic devices at the US border are unconstitutional.

The original lawsuit was filed by the American Civil Liberties Union (ACLU), Electronic Frontier Foundation (EFF) and ACLU of Massachusetts, on behalf of 11 travellers whose smartphones and laptops were searched without suspicion on entry to the US.

According to the Boston court’s ruling, Customs and Border Control (CBP) and Immigration and Customs Enforcement (ICE) officers must now demonstrate suspicion of “illegal contraband” before being able to search an individual’s device.

According to EFF, searches at US ports have rocketed recently. It claimed that CBP carried out more than 33,000 last year, nearly four times the number from three years previously.

Esha Bhandari, staff attorney with the ACLU’s Speech, Privacy, and Technology Project, argued that travellers can now travel to the US without fear that the government will impinge on their privacy.  

“This ruling significantly advances Fourth Amendment protections for millions of international travellers who enter the United States every year,” she added. “By putting an end to the government’s ability to conduct suspicionless fishing expeditions, the court reaffirms that the border is not a lawless place and that we don’t lose our privacy rights when we travel.”

The EFF pointed to several cases where border guards had apparently abused their powers to search travellers coming into the US.

This includes one example where an officer rifled through privileged attorney-client communication on an individual’s electronic device, and another alleged case where a Harvard freshman was denied entry after the officer noted social media posts from his friends critical of the government.

Categories: Cyber Risk News

Microsoft Patches IE Zero-Day Bug

Wed, 11/13/2019 - 09:40

Microsoft released fixes for 75 vulnerabilities during this month’s patch update round, including one zero-day flaw in Internet Explorer.

The bug in question, CVE-2019-1429, exists in the way the scripting engine handles objects in memory in the browser, corrupting memory so an attacker can execute arbitrary code, according to Microsoft.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” it explained.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine."

An attacker could also take advantage of compromised websites and those that accept or host user-provided content or ads, Microsoft continued.

Another one to watch is CVE-2019-1457, a publicly disclosed vulnerability in Excel that could allow security features to be bypassed.

“An attacker could embed a control in an Excel worksheet that specifies a macro should be run. Whatever is executed in the macro that was triggered by bypassing the security settings of Excel would be the real risk of this vulnerability,” explained Ivanti director of security solutions, Chris Goettl.

“This vulnerability is not currently being exploited in the wild, but since it has been publicly disclosed, threat actors have had a jump start on being able to develop an exploit to take advantage of the CVE. This puts the vulnerability at higher risk of exploitation.”

Microsoft has also issued an advisory on a flaw in some Trusted Platform Module (TPM) chipsets from STMicroelectronics, which may require a firmware update to the TPM.

Elsewhere, Adobe issued patches for 45 critical vulnerabilities in Acrobat and Reader that should be prioritized for workstations.

Categories: Cyber Risk News

Orvis Passwords Leaked Twice on Pastebin

Tue, 11/12/2019 - 19:18

Internal passwords belonging to American retailer Orvis were twice leaked online in a double data breach. 

Credentials belonging to the luxury fishing equipment purveyor were posted on the website Pastebin.com last month, according to investigative reporter Brian Krebs.

A swathe of plaintext usernames and passwords relating to everything from firewalls and routers to database servers and even administrator accounts was exposed for several weeks. 

The leaked files from the Vermont-based retailer included credentials for security cameras, door controllers, door and alarm codes, and FTP credentials, and even showed the combination to a locked safe in the company's server room. 

Krebs was tipped off about the data breach in late October by Wisconsin-based security firm Hold Security. Company founder Alex Holden said an enormous file containing internal passwords relating to Orvis had been posted to Pastebin on October 4 and again on October 22.

Holden's finding was corroborated by 4iq.com, a company that aggregates information from leaked databases online. However, a spokesperson for Orvis would only acknowledge that one much shorter breach had occurred.

Orvis spokesperson Tucker Kimball told Krebs: "The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones. 

"We are leveraging our existing security tools to conduct an investigation to determine how this occurred."

Orvis is America's oldest mail-order retailer and was founded in 1856. The company has 69 retail stores and 10 outlets in the US plus a further 18 stores in the UK, and employs 1,700 people. 

How the passwords came to be on Pastebin is unknown, though potential sources could include an internal threat actor or a malicious or perhaps simply careless third party. 

Kelly White, CEO of RiskRecon, commented: "Security teams need to get into the mindset that their risk surface spans to all people, processes, and technology that touch their data, including subcontractors. Too often, organizations require less of their vendors and subcontractors than they do of their own personnel. 

"While employees are formally trained in handling of sensitive information and required to use corporate administered systems, subcontractors are not; no training in handling of sensitive data and allowed to use their own systems. When incidents like this happen, it is no surprise that existing security standards aren't met—the subcontractor likely wasn't even aware of them." 

Orvis did not reply to a request for further comment.

Categories: Cyber Risk News

PortSwigger Launches Web Security Academy

Tue, 11/12/2019 - 19:16

PortSwigger has launched a free interactive training platform in an attempt to address the global shortage of cybersecurity talent. 

The makers of Burp Suite cut the ribbon on the new Web Security Academy last month following a soft launch of the platform in April 2019, which a PortSwigger spokesperson said had garnered "overwhelmingly positive user feedback."

The Web Security Academy features a vast amount of high-quality reading materials and interactive labs of varying levels of difficulty. Inside the free resource, users are able to access a safe testing environment in which to experiment without incurring any kind of legal risk.

Content will be continuously updated, with new topics and material added regularly to reflect the ever-changing nature of the cyber-threat landscape. Learning materials currently available on the site include labs on clickjacking, WebSocket, HTTP request smuggling, server-side request forgery, and XXE injection.

Users of the new platform can track their progress and indulge in a little healthy competition via live leader boards. Learning is offered at a pace set by the user and without the pressure of deadlines, although the first user to finish each freshly released lab will get their name in the Hall of Fame and win some Burp Suite swag. 

After six months of being tested out and tweaked in beta, the Web Security Academy was officially launched on October 29. 

The academy is led by Dafydd Stuttard, PortSwigger founder and CEO and author of The Web Application Hacker's Handbook, along with PortSwigger's world-renowned research team.

"There has been huge demand for a third edition of The Web Application Hacker's Handbook. After much thought, I concluded that writing another paper book wasn't the right option today. Much better to produce an online edition that is interactive, actively maintained, and accessible to everyone. The Web Security Academy is exactly that," said Stuttard.

The launch of the new free training website follows news reported last week that global IT security skills shortages have now surpassed four million. 

Research conducted by recruitment firm Outsource found that since 2014, the number of organizations reporting a problematic security skills shortage has more than doubled, from 23% to 51%.

Categories: Cyber Risk News

Aqua Security Acquires CloudSploit

Tue, 11/12/2019 - 18:35

CloudSploit has been acquired by Aqua Security for an undisclosed sum.

Aqua Security, the leading platform provider for securing container-based, serverless, and cloud native applications, announced the acquisition of security auditing and monitoring tool CloudSploit today. 

The American company said the addition of CloudSploit will enable it to expand into cloud security posture management (CSPM) and give its customers the option of continuous security monitoring.

Co-founded by Matthew Fuller and Josh Rosenthal, CloudSploit was built on open source foundations and has benefited from the contributions of cloud users and experts since its inception in 2015. 

CloudSploit’s SaaS-based platform allows customers to monitor their public cloud accounts and access an overview of their entire estate of cloud resources. It automatically manages cloud security risk and benchmarks against industry standards to ensure compliance.

CloudSploit works as an auditing tool to check the configuration state of services in users' IaaS accounts for potential misconfigurations that lead to security breaches. The platform also monitors activity in users' accounts for suspicious behavior and insider threats in real-time. 

"We are excited to add CloudSploit to Aqua’s cloud-native security portfolio," said Dror Davidoff, CEO of Aqua Security.  

"Aqua protects the world’s largest cloud native environments; with CloudSploit our customers can now continuously monitor and manage their cloud security posture across their multi-cloud infrastructures."

CloudSploit is the second open-source investment by Aqua since August, when the company announced its acquisition of the Trivy vulnerability scanner.

A spokesperson for Aqua Security said: "With the addition of CloudSploit and VM Security, Aqua’s customers can more effectively manage risk and protect against threats for their multi-cloud environments across the full application stack, from infrastructure, application workloads and code."

Aqua has also added significant new capabilities to its Cloud Native Security Platform (CSP), deepening protection of virtual machines. Aqua CSP now protects VMs for complete cloud workload protection.   

Aqua’s VM security solution delivers file integrity monitoring, machine image assurance, network discovery, and micro-segmentation to hosts for full visibility of infrastructure and application threats. Organizations can now protect their cloud native workloads from a single control panel for improved visibility and efficient remediation.   

Categories: Cyber Risk News

Microsoft to Extend California Privacy Law US-Wide

Tue, 11/12/2019 - 12:00

Microsoft has announced plans to extend the privacy provisions provided in a landmark new Californian state law to users across the US.

The California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020. It’s set to offer more GDPR-like protections and rights to the Golden State’s citizens, such as the ability to find out what personal information of theirs companies are collecting and to prevent it from being sold to third parties.

However, it doesn’t go as far as the EU legislation in terms of large fines for erring companies, its definition of personal information, the need for Data Protection Officers (DPOs) and other elements.

That said, it has come under heavy criticism from tech firms that make money from selling their customers’ personal information. There have also been efforts at a federal level to draft a new law which would supersede the Californian one, but lawmakers are split down party lines.

That’s offered Microsoft an opportunity to differentiate from much of the tech sector by supporting the CCPA US-wide, just as it has done by promising to extend GDPR protections to all customers.

“While many of our customers and users will find that the data controls we already offer them through our GDPR commitment will be stronger than those rights offered by the new California law, we hope this step will show our commitment to supporting states as they enact laws that take us in the right direction,” explained Microsoft chief privacy officer, Julie Brill.

“We are optimistic that the California Consumer Privacy Act — and the commitment we are making to extend its core rights more broadly — will help serve as a catalyst for even more comprehensive privacy legislation in the US.”

Categories: Cyber Risk News

UK Labour Party Hit By “Sophisticated” and “Large-Scale” Cyber-Attack

Tue, 11/12/2019 - 10:53

The UK Labour Party has stated that it has been hit by a “sophisticated and large-scale cyber-attack” on its digital platforms.

As reported by Sky News, a party spokesperson said that the attack failed to breach any data because of the party’s robust security systems.

“Security procedures have slowed down some of our campaign activities, but these were restored this morning and we are back up to full speed,” she said. “We have reported the matter to the National Cyber Security Centre.”

It is believed that the attack was a distributed denial-of-service (DDoS) attack.

Commenting on the news, Corin Imai, senior security advisor at DomainTools, said: “This should be a significant concern to all voters in the UK regardless of their political viewpoints. During a General Election, it is imperative that the main political parties are all given a fair and impartial hearing, and considering the importance of digital campaigning in modern election cycles, a DDoS attack such as this could give other parties an advantage.

“While there is no indication of where this cyber-attack comes from, and it is obviously encouraging that the Labour party said these attempts failed, the incident is an example of just how susceptible to cyber-criminal activity our democratic process can be.”

Dean Ferrando, systems engineer manager – EMEA, at Tripwire, added: “Political organizations should boost their security resources in this particularly sensitive election period, and make sure they implement the necessary patches, system upgrades and security measures. There is always a danger that attacks on this scale are around the corner. It just means organizations need to be one (or four) steps ahead of the attackers.”

Categories: Cyber Risk News

Just a Third of Global Firms Are PCI DSS Compliant

Tue, 11/12/2019 - 10:45

The number of global organizations fully compliant with PCI DSS regulations has fallen for the second year in a row to just under 37%, according to a new report from Verizon.

The firm’s annual Payment Security Report (PSR) has tracked compliance levels for several years. This year’s was compiled from 302 PCI DSS engagements by Verizon Qualified Security Assessors (QSAs) with a range of organizations, including Fortune 500 and large multinational firms, in over 60 countries.

The global compliance figure fell from 53% in last year’s report — a significant drop. APAC organizations appeared to be the best prepared, with 70% fully compliant. The figure fell to 48% in Europe and a disappointing 20% in the Americas.

Rodolphe Simonetti, global managing director for security consulting at Verizon, warned that while 2010-16 saw an increase in compliance levels, the trend is now reversing.

Featuring data from Verizon’s Threat Research Advisory Center (VTRAC), the report claimed that a compliance program without proper controls has a 95% chance of not being sustainable and is therefore a major target for attack.

“Many organizations spend a lot of time and money creating data protection compliance programs, but often these are ineffective — looking good on paper but not able to withstand the scrutiny of a professional security assessment,” Simonetti explained.

“We still see CISOs focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes.”

The findings chime with a Security Scorecard report from 2018 which revealed that over 90% of US retailers were non-compliant with PCI DSS, failing four or more of the key requirements of the standard. Requirement six — dealing with maintaining secure systems and applications — was a problem for 98%.

Categories: Cyber Risk News

Most Security Pros Still Don’t Get Shared Responsibility: Report

Tue, 11/12/2019 - 10:01

Some 60% of global security professionals misunderstand the concept of “shared responsibility” in the cloud, potentially putting their organizations at risk, according to Centrify.

The identity and access management (IAM) vendor polled 700 cybersecurity pros to compile its new report, Reducing Risk in Cloud Migrations: Controlling Privileged Access to Hybrid and Multi-Cloud Environments.

It found that nearly two-thirds of respondents incorrectly believe that their cloud provider is responsible for securing privileged access. In fact, under the shared responsibility model espoused by Amazon Web Services, Microsoft Azure and others, the provider is only responsible for the infrastructure of the cloud itself — the hardware, software, networking and other functions.

Customers are responsible for security “in” the cloud, which includes customer data, apps, operating systems and network and firewall configurations.
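The customer-side half of the shared responsibility model described above (firewall rules, storage settings, identities) is exactly what a configuration-auditing tool of the kind described in the CloudSploit item earlier on this page checks for. The following is an added illustration, not code from CloudSploit, Aqua or Centrify: a small CSPM-style audit that runs a set of checks over a constructed snapshot of an account's configuration state. The record layout (`security_groups`, `storage_buckets`, `iam_users`), the check names and the sample values are all assumptions made for the example.

```python
"""Minimal CSPM-style configuration audit over a constructed account snapshot.

Added example. The data below imitates the shape of configuration state a
cloud-posture tool exports from an account; it is not real account data and
the field names are assumptions for this illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Finding:
    resource: str   # identifier of the misconfigured resource
    check: str      # which check produced the finding
    severity: str   # "high", "medium" or "low"
    detail: str     # human-readable explanation


# Constructed sample snapshot (hypothetical resources, not a real account).
SAMPLE_ACCOUNT = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 3306, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-mgmt", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
    "storage_buckets": [
        {"name": "public-assets", "public_read": True, "encrypted": True},
        {"name": "customer-exports", "public_read": True, "encrypted": False},
    ],
    "iam_users": [
        {"name": "deploy-bot", "mfa": False, "policies": ["AdministratorAccess"]},
        {"name": "alice", "mfa": True, "policies": ["ReadOnlyAccess"]},
    ],
}

# Ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432}
INTERNET = "0.0.0.0/0"


def check_open_admin_ports(account: dict) -> List[Finding]:
    """Flag firewall rules exposing management or database ports to 0.0.0.0/0."""
    findings = []
    for sg in account.get("security_groups", []):
        for rule in sg.get("ingress", []):
            if rule.get("cidr") == INTERNET and rule.get("port") in ADMIN_PORTS:
                findings.append(Finding(sg["id"], "open_admin_port", "high",
                                        f"port {rule['port']} open to the internet"))
    return findings


def check_bucket_settings(account: dict) -> List[Finding]:
    """Flag storage buckets that are world-readable or stored unencrypted."""
    findings = []
    for bucket in account.get("storage_buckets", []):
        if bucket.get("public_read"):
            findings.append(Finding(bucket["name"], "public_bucket", "medium",
                                    "bucket grants public read access"))
        if not bucket.get("encrypted", False):
            findings.append(Finding(bucket["name"], "unencrypted_bucket", "low",
                                    "bucket has no encryption at rest"))
    return findings


def check_admin_without_mfa(account: dict) -> List[Finding]:
    """Flag identities holding administrator policies without MFA enabled."""
    findings = []
    for user in account.get("iam_users", []):
        is_admin = any("Administrator" in p for p in user.get("policies", []))
        if is_admin and not user.get("mfa", False):
            findings.append(Finding(user["name"], "admin_without_mfa", "high",
                                    "administrator identity has no MFA"))
    return findings


# Registry of checks; adding a new control means adding one function here.
CHECKS: List[Callable[[dict], List[Finding]]] = [
    check_open_admin_ports,
    check_bucket_settings,
    check_admin_without_mfa,
]


def audit(account: dict) -> List[Finding]:
    """Run every registered check over one account snapshot."""
    findings: List[Finding] = []
    for check in CHECKS:
        findings.extend(check(account))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'medium': 2, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_ACCOUNT)
    for f in results:
        print(f"[{f.severity:6}] {f.check:20} {f.resource}: {f.detail}")
    print("summary:", summarize(results))
```

Each check function is independent and takes the whole snapshot, so new controls (for instance a benchmark requirement) can be added to `CHECKS` without touching the audit loop; a real tool would replace `SAMPLE_ACCOUNT` with the output of the provider's API and run the audit on a schedule to get the continuous monitoring described in the article.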

The report also revealed that many organizations aren’t deploying a common security model or enforcing least privilege access, according to best practices.

What’s more, three-quarters (76%) are using more than one identity directory to manage cloud users, which Centrify claimed puts them at risk of “identity sprawl” and potential security gaps.

“As the enterprise threat-scape expands, organizations are faced with new challenges to secure modern attack surfaces, and this report makes it clear that the cloud is no exception,” said Tim Steinkopf, Centrify CEO.

“We know that 80% of data breaches involve privileged access abuse, so it’s critical that organizations understand what they are responsible for when it comes to cloud security, and take a least privilege approach to controlling privileged access to cloud environments. Too much access and privilege puts their workloads and data at risk.”

Some 60% of respondents said that security is their number one challenge when it comes to cloud migration projects. This is slightly at odds with a Nominet study from September that revealed CISOs believe the cloud to be as safe as on-premises infrastructure.

Categories: Cyber Risk News
