Online election interference has become such a concern that one company has now launched a product to help protect against it. ZeroFOX has announced a security suite to safeguard political candidates and campaigns from online threats.
The ZeroFOX Election Protection Solution analyzes data across social media and other online sources, including the deep web (the closed surface websites that aren't publicly searchable) and the dark web (usually .onion sites accessed via Tor). It searches for fake accounts, phishing attacks and threats of physical harm, along with malware links and malicious domains and websites.
ZeroFOX has a situational awareness team that helps to address fake or online content and take it down from campaign-owned digital platforms in real time. It will also work with social media networks to remove content that violates the networks' terms of service (ToS), says ZeroFOX CTO Mike Price.
"ZeroFOX bridges customers to the social networks, requesting that ToS-violating content be taken down where appropriate," he says. "The social networks are the entities that ultimately decide how to respond to any given piece of content. If they agree that a piece of content violates ToS and should be taken down, then it is generally quickly taken down."
Users of the product first determine which candidates and websites to protect, and then configure rules from a library of pre-built policies to watch for spoof accounts, takeovers and inappropriate content, including online threats.
ZeroFOX also claims to be the first offering a deepfake detection solution as part of the product. That technology, announced at the Black Hat conference last week, uses artificial intelligence to look for fake videos. The company also donated its AI deepfake detection toolkit, Deepstar, to the open source community to help others train AI data sets that can help spot fake videos.
Election interference using digital platforms continues to be a concern in various regions. Last month, a Senate Intelligence Committee report found that Russia had probably infiltrated voting infrastructures in all 50 states over the last few years. Another report found San Mateo County's election systems vulnerable to hijacking and propagating disinformation. In May, a report from SecurityScorecard found political parties in several countries badly failing at protecting their election systems.
In Europe, the EU issued a statement earlier this year calling out election disinformation campaigns by Russia, China, North Korea, and Iran.
Companies using decoy systems to lure hackers away from legitimate targets spot hackers in their networks much more quickly than those who don't, according to a survey released today. The study, conducted by analyst company Enterprise Management Associates (EMA) and commissioned by deception technology vendor Attivo Networks, found that companies using deception techniques detected hackers on the network almost two months sooner than those that didn't use the techniques.
Deception technology attempts to throw attackers off the trail by offering up decoy assets for them to attack. Modern solutions include things like fake credentials, browser histories and registry entries, which lure attackers to decoy systems. They are typically invisible to legitimate network users but accessible via dual-use tools like PowerShell, which attackers often use to traverse networks.
EMA surveyed 208 respondents, ranging from IT managers through to CISOs and line-of-business managers, across various sectors. Roughly half of the organizations (55%) used deception technology. Of those that did, around half used commercial solutions, while 18% relied on traditional honeypots or honey nets and 30% used homegrown or open source solutions.
One of the most significant differences in the effects of deception technology was on dwell time (the length of time that attackers lurk in the company network). On average, respondents who had discovered attackers in their infrastructure reported a 31.9-day dwell time. Users of deception technology who considered themselves highly familiar with it reported a dwell time of 5.5 days in their networks, compared with nonusers, who said that companies faced a 60.9-day dwell time.
Those that used deception technology most often created decoy IT infrastructure systems like LDAP servers and IT network devices like switches and routers. Almost one in five (19%) of respondents emulated these systems, with enterprise applications like CRM and ERP coming a close second at 15%. They most often deployed decoy technology in cloud-hosted systems and applications, followed by their own applications and servers.
The use of deception technology also played a part in how companies discovered breaches. On average, 26% of respondents learned of them from outsiders. Fewer than one in five (18%) companies using deception technology found out about it this way, compared to 36% of the companies that didn't use it.
Clickjacking is alive and well, hijacking browsers that visit hundreds of popular websites, according to research released this week. A paper published by researchers at the Chinese University of Hong Kong, Microsoft Research, Seoul National University, Purdue University, and Pennsylvania State University, found that many of the world's most popular sites are still fooling visitors into following deceptive links to unexpected destinations.
Clickjacking is a well-established technique in which third-party scripts or browser extensions can hijack users' clicks, redirecting them to alternate locations. Online crooks can use them to download malware to a victim's computer or to commit advertising fraud, redirecting clicks to online ads and earning commission.
Advertising click fraudsters used to use online bots to automatically click online ads at scale, but ad networks got wise to this practice. Instead, attackers have recently begun redirecting legitimate page clicks from real users, the paper says.
Observer, the researchers' detection tool, found 613 websites using 437 third-party scripts that intercepted user clicks. That may not sound like many, but the websites collectively received 43 million daily visits, according to the paper.
These scripts tricked users into following links by disguising them as legitimate site content. Observer spotted 3,251 clickjacking destination URLs, with 36% related to online advertising.
Attackers used three devious techniques to intercept user clicks. One involved intercepting hyperlinks by tampering with anchor tags or embedding hyperlinks in huge page elements that covered at least 75% of the browser window. The second used event handlers such as navigation event listeners, which would open the malicious URL when the user clicked anything on a page.
The final technique was visual deception, which either mimicked legitimate page content such as Facebook Like buttons or put a transparent overlay element over legitimate content. Attackers could use either approach to hijack a user's click on a button or other page element.
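As an added defensive illustration (not code from the paper or its Observer tool), the following Python heuristic flags the first and third techniques above from a page's element geometry: hyperlinks whose box covers at least 75% of the viewport, and near-transparent elements that still receive clicks while sitting above other content. The element records are constructed sample data of the kind a browser instrumentation script could export with getBoundingClientRect() and getComputedStyle().

```python
"""Heuristic checks for click-intercepting page elements.

Added example; not code from the clickjacking paper or its Observer tool.
Each element is a dict with its bounding box, stacking order and a few
computed-style properties (constructed here rather than read from a browser).
"""

VIEWPORT_COVERAGE_THRESHOLD = 0.75   # the paper's "at least 75% of the window"
TRANSPARENT_OPACITY = 0.05           # anything this faint is invisible to the user


def _area(e):
    return max(e["width"], 0) * max(e["height"], 0)


def _overlaps(a, b):
    """True when the two boxes share any area."""
    return not (a["x"] + a["width"] <= b["x"] or b["x"] + b["width"] <= a["x"]
                or a["y"] + a["height"] <= b["y"] or b["y"] + b["height"] <= a["y"])


def find_click_interceptors(elements, viewport_w, viewport_h):
    """Return (element_id, reason) pairs that deserve a human's attention."""
    viewport_area = viewport_w * viewport_h
    findings = []
    for e in elements:
        # Technique 1: a hyperlink embedded in an element that blankets the window,
        # so almost any click on the page lands on the attacker's link.
        coverage = _area(e) / viewport_area
        if e.get("href") and coverage >= VIEWPORT_COVERAGE_THRESHOLD:
            findings.append((e["id"], "huge hyperlink covering %.0f%% of viewport"
                             % (100 * coverage)))
        # Technique 3: a transparent element that still receives pointer events
        # and is stacked above other content (the "invisible overlay" trick).
        if (e.get("opacity", 1.0) <= TRANSPARENT_OPACITY
                and e.get("pointer_events", "auto") != "none"):
            covered = [o["id"] for o in elements
                       if o is not e and o.get("z_index", 0) < e.get("z_index", 0)
                       and _overlaps(e, o)]
            if covered:
                findings.append((e["id"], "transparent overlay above " + ", ".join(covered)))
    return findings


# Constructed sample page: an article, a real Like button, an ad wrapper that
# spans the whole 1000x800 viewport, and an invisible box parked over the button.
SAMPLE_ELEMENTS = [
    {"id": "article", "x": 0, "y": 0, "width": 1000, "height": 600, "z_index": 0},
    {"id": "like-btn", "x": 100, "y": 500, "width": 80, "height": 30, "z_index": 1,
     "href": "https://social.example.invalid/like"},
    {"id": "ad-wrap", "x": 0, "y": 0, "width": 1000, "height": 800, "z_index": 2,
     "href": "https://ads.example.invalid/click"},
    {"id": "ghost", "x": 90, "y": 490, "width": 100, "height": 50, "z_index": 9,
     "opacity": 0.0, "href": "https://ads.example.invalid/ghost"},
]

if __name__ == "__main__":
    for element_id, reason in find_click_interceptors(SAMPLE_ELEMENTS, 1000, 800):
        print(f"{element_id}: {reason}")
```

The second technique (document-wide navigation listeners) leaves no geometric trace and needs runtime instrumentation of addEventListener instead, so it is outside what this check can see.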
Security researchers have found a stealthy new cryptocurrency mining malware variant which was used as part of an attack that infected almost an entire organization.
After being notified of unstable applications and network slowdowns in a client organization, security firm Varonis decided to investigate further.
“Almost every server and workstation was infected with malware. Most were generic variants of cryptominers. Some were password dumping tools, some were hidden PHP shells, and some had been present for several years,” it explained in a blog post.
“Out of all the cryptominer samples that we found, one stood out. We named it ‘Norman’.”
Norman is a high-performance miner of Monero currency that differed from many of the other samples discovered in its sophisticated attempts to stay hidden.
Unusually, it is compiled with Nullsoft Scriptable Install System (NSIS), an open source system usually employed to create Windows installers.
The injection payload is designed to execute a cryptocurrency miner and stay hidden, said Varonis.
It avoids detection by terminating the miner function when Task Manager is opened by a curious user. Once Task Manager is closed, it will re-inject the miner and start again.
The miner itself is XMRig, obfuscated in the malware by UPX and injected into either Notepad or Explorer depending on the execution path.
Varonis believes the cryptocurrency mining malware it discovered could be linked to a PHP shell it found in the victim organization continually connecting to a command-and-control (C2) server. Like Norman, the PHP shell used DuckDNS for C2 comms.
“None of the malware samples had any lateral movement capabilities, though they had spread across different devices and network segments,” the firm explained. “Though the threat actor could have infected each host individually (perhaps via the same vector used in the initial infection), it would have been more efficient to use the PHP-Shell to move laterally and infect other devices in the victim’s network.”
However, it also claimed there were no coding similarities between the two, and no communication between the crypto-mining malware and the PHP shell.
The malware authors could be French speaking, given the language was present in some of the code.
Varonis urged firms worried about crypto-jacking to: keep operating systems up-to-date; monitor network traffic and web proxies; maintain anti-virus on endpoints; keep an eye on DNS and CPU activity; and have an incident response plan ready and tested.
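The Task Manager evasion described above leaves a pattern that the CPU monitoring Varonis recommends can pick up: sustained load that collapses the moment taskmgr.exe starts and returns after it exits. The following Python detection is an added example (not Varonis code) that correlates per-second CPU samples with process start/stop events; both inputs are constructed here, standing in for Sysmon event ID 1/5 or Windows 4688/4689 records and a performance-counter feed.

```python
"""Spot a miner that pauses while Task Manager is open.

Added example, not code from Varonis. Inputs are constructed: per-second
CPU samples and process start/stop events of the kind Sysmon (IDs 1 and 5)
or Windows security auditing (4688/4689) would supply.
"""
from statistics import mean

HIGH_CPU = 70.0            # sustained load typical of a miner
LOW_CPU = 20.0             # what the box looks like once the miner backs off
WINDOW = 20                # seconds of context before and after each session
WATCHED_IMAGE = "taskmgr.exe"


def taskmgr_sessions(process_events):
    """Pair Task Manager start/stop events into (start, stop) intervals."""
    sessions, open_at = [], None
    for ts, action, image in sorted(process_events):
        if image.lower() != WATCHED_IMAGE:
            continue
        if action == "start":
            open_at = ts
        elif action == "stop" and open_at is not None:
            sessions.append((open_at, ts))
            open_at = None
    return sessions


def _mean_cpu(samples, t0, t1):
    vals = [pct for ts, pct in samples if t0 <= ts <= t1]
    return mean(vals) if vals else None


def suspicious_cpu_drops(cpu_samples, process_events):
    """Return Task Manager sessions during which CPU collapsed and then recovered."""
    flagged = []
    for start, stop in taskmgr_sessions(process_events):
        before = _mean_cpu(cpu_samples, start - WINDOW, start - 1)
        during = _mean_cpu(cpu_samples, start, stop)
        after = _mean_cpu(cpu_samples, stop + 1, stop + WINDOW)
        if None in (before, during, after):
            continue  # not enough context on one side to judge
        if before >= HIGH_CPU and during <= LOW_CPU and after >= HIGH_CPU:
            flagged.append({"taskmgr_open": start, "taskmgr_closed": stop,
                            "cpu_before": round(before, 1),
                            "cpu_during": round(during, 1),
                            "cpu_after": round(after, 1)})
    return flagged


def _constructed_samples():
    # 0-39 s: miner at ~90%; 40-70 s: Task Manager open and the load vanishes;
    # 71-199 s: miner back. A second Task Manager session at 160-180 s sees a
    # genuine workload keep CPU high, so that one must not be flagged.
    return [(t, 4.0 if 40 <= t <= 70 else 90.0) for t in range(0, 200)]


CPU_SAMPLES = _constructed_samples()
PROCESS_EVENTS = [                     # (timestamp_s, action, image) - constructed
    (40, "start", "taskmgr.exe"), (70, "stop", "taskmgr.exe"),
    (100, "start", "notepad.exe"),
    (160, "start", "TASKMGR.EXE"), (180, "stop", "TASKMGR.EXE"),
]

if __name__ == "__main__":
    for hit in suspicious_cpu_drops(CPU_SAMPLES, PROCESS_EVENTS):
        print("CPU collapsed while Task Manager was open:", hit)
```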
While around a third of 18-year-olds have been accepted for a university place through UCAS, new opportunities have been opened for cybersecurity experience.
Although statistics from UCAS show that 28.5% of the 18-year-old population have been accepted through UCAS, with 33,630 international students from outside the EU and 26,440 students from within the EU accepted, there is an overall 1% decrease in the number of people placed on undergraduate courses in the UK so far.
However, options exist for those students looking for a career path into cybersecurity, which “are a really good alternative to the stress of Clearing” according to CREST president Ian Glover.
He told Infosecurity that cybersecurity higher apprenticeships are not only an alternative route for those who do not get their first or second choice of university course, but also provide an excellent way to get a degree, along with work experience and without having to take on large student loans.
“Programs like the government’s cyber apprenticeships that provide structured learning, with assessed work activities, result in qualifications and experience that allow young people to enter and progress in the cybersecurity profession,” he said. “It also opens up a career in cybersecurity to a far wider and more diverse group of young people.”
Also offering opportunities today is Immersive Labs, which is offering free access to its cyber-skills development platform. Backed by Goldman Sachs and developed by an ex-GCHQ trainer, the technology will give students access to a purpose-built set of 'labs' which drop the user into entry-level cybersecurity challenges.
Each lab is run through the browser and drops the student into a simulated incident which appears as it would to a security team in a company, and encourages them to teach themselves the skills to progress.
James Hadley, Immersive Labs founder and CEO, said: “The world is crying out for cybersecurity talent, yet the majority of ways we are trying to train these people are broken. While university can be a valuable path for some, its rigid conditions can also be exclusive.
“Not everyone wants to sit in a classroom learning passively. My experience at GCHQ taught me the best cyber-talent is creative and curious; they learn by breaking things and thinking on their feet. Unfortunately, this jars with traditional teaching methods, which I fear is leading to an unnecessary talent drain. We have opened up our platform to give these individuals an opportunity to learn.”
The offer remains open for today and for a week after to those who, via a sign-up form on the website, can prove they haven't got into their first choice of university. The labs will stay available for six months and will be periodically updated with new content.
Hackers claim to have stolen 700,000 customer records from Choice Hotels thanks to an exposed MongoDB instance, it has emerged.
The US-based chain, which runs franchised outlets in over 40 countries worldwide, is now being held to ransom after the hackers left a note demanding 0.4 Bitcoin (around $3800) in payment for the data, which they claimed to have copied.
Security researcher Bob Diachenko worked with security firm Comparitech to discover the database, which was left completely exposed online. However, hackers had already got there: it was only online for four days without password protection before attackers found it.
Although the database held 5.6 million records in total, Choice Hotels told Comparitech that most of these related to test data. Of the 700,000 genuine records stolen, the details taken include customers' names, email addresses and phone numbers.
The server itself is said to have been owned and managed by a third party who was working with the hotel chain on a new “tool.”
“We have discussed this matter with the vendor and will not be working with them in the future,” Choice Hotels told Comparitech in an email.
“We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature. We are also establishing a Responsible Disclosure Program, and we welcome Mr Diachenko’s assistance in helping us identify any gaps.”
Diachenko believed the ransom note was left by an automated script set up specifically to target exposed MongoDB databases, although it didn’t succeed in wiping the data.
This is only the latest of many similar incidents involving unsecured MongoDB instances.
This year alone, hundreds of millions of individuals have had their personal data exposed, including 200 million Chinese CVs, 12.5 million Indian mothers, and 808 million records from an email validation firm.
Unsurprisingly, hackers are getting wise to these misconfigurations: earlier this month it was revealed that attackers stole 2.1 million records from a Mexican bookstore, demanding a ransom.
KnowBe4 security awareness advocate, Javvad Malik, argued that the Choice Hotels incident is yet another example of user error.
“While Choice Hotels may be correct in that the data was hosted by a third party and none of their servers were compromised, it does not change the fact that it was their customer data which was breached,” he added. “It has an obligation to ensure the security of its customer data whether it's kept by themselves, or handed over to a third party.”
The woman allegedly responsible for the massive breach of customer data at Capital One stole data from 30 other organizations, according to new information from prosecutors.
In a new court filing, they alleged that Paige Thompson stole terabytes of information from enterprises, educational institutions and other organizations, although she claims not to have sold or distributed any of it to others.
The information is being revealed as part of efforts by prosecutors to persuade the judge to deny bail.
The filing alleges that Thompson has a history of threatening behavior, including threats to kill others and herself. She is also said to have harassed a couple for seven years, forcing them to obtain a protection order.
Investigators found the new information on data breaches on servers in Thompson’s bedroom.
“That data varies significantly in both type and amount. For example, much of the data appears not to be data containing personal identifying information,” the court filing explained.
“At this point, however, the government is continuing to work to identify specific entities from which data was stolen, as well as the type of data stolen from each entity. The government expects to add an additional charge against Thompson based upon each such theft of data, as the victims are identified and notified.”
It’s claimed that the Capital One breach affected over 100 million American and Canadian customers, including consumers and small businesses.
The trove included 140,000 Social Security numbers, 80,000 linked bank account numbers and one million Canadian Social Insurance numbers.
Although Thompson most recently held a position as software engineer with Amazon Web Services, the cloud provider reportedly said that the breach of its client Capital One was not the result of any insider knowledge. It is said to have been made possible by a misconfigured web application run by the bank on AWS infrastructure.
A detention hearing at a federal court in Seattle is set for August 22.
Anti-malware company Trend Micro has patched a flaw in its password manager that could have enabled an attacker to run their own code on a user's computer with the highest possible access privileges.
Available for the iOS, Android, Windows and Mac platforms, Trend Micro Password Manager stores login credentials, features one-click login and form-filling capabilities and synchronizes with the cloud so that people can use it across different devices. It is available as a free service for up to five passwords. Users pay to store more credentials. They can buy the product on its own or as an optional part of Trend Micro's Premium Security and Maximum Security solutions.
SafeBreach found an issue with pwmSvc.exe, a central control service that runs with privileged user account status. If compromised, this could enable an attacker to escalate privileges to the system level. Because this software is signed by Trend Micro, compromising it would allow an attacker to bypass its application whitelist. It could also be used as a persistent attack mechanism because it automatically starts when the computer boots, SafeBreach said in its analysis.
The researchers noticed that the program tried to load a missing DLL file from the default Python directory, which can be included in the PATH environment variable (PATH is a variable that tells the computer in which directories to find executable programs).
The program relied on the PATH variable when loading the DLL instead of specifying an absolute path. It also didn't check for a digital certificate when loading DLL files.
SafeBreach researchers were able to compromise the system by adding the Python directory to the PATH variable and then using it to store an unsigned DLL file. This enabled them to piggyback their own code on Trend Micro's program, which would run it for them with elevated privileges.
An attacker could use this technique to compromise a system, they warned. "The service provides him with the ability to operate as NT AUTHORITY\SYSTEM which is the most powerful user in Windows, so he can access almost every file and process which belongs to the user on the computer," they wrote.
SafeBreach reported the flaw to Trend Micro on July 23, and the vendor patched it and released a new version on July 31. It also published a security bulletin of its own today addressing the issue.
Cloud-based back-end services are letting mobile app developers down, according to research announced this week. Even when app developers are careful about their own code, the online services that they use introduce vulnerabilities on a regular basis.
The research, from the Georgia Institute of Technology and The Ohio State University, studied the top 5,000 apps on the Google Play Store. It found that between them, they were using 6,869 server networks across the world.
They scanned cloud-based back-ends and found 1,638 vulnerabilities, of which 655 were zero-days not listed in the National Vulnerability Database. These included SQL injection, cross-site scripting and XML external entity (XXE) attacks. Some of the apps affected had over 50 million installations, according to their paper.
Mobile apps access back-end services using third-party software-development kits (SDKs) and APIs. Developers use some of them explicitly, but many others are hidden in imported third-party libraries. The apps that use these services communicate with them invisibly. Users don't know what the services are doing or exactly which servers their phones are talking with when their apps fetch content and advertisements.
"Due to the inherent complexity of cloud-based backends, deploying and maintaining them securely is challenging. Consequently, mobile app developers often disregard prudent security practices when choosing cloud infrastructure, building, or renting these backends," the researchers said.
This opens up the apps to additional vulnerabilities that could compromise locally running code or leak user data, they added, citing the compromise of the British Airways website, which allowed attackers to steal data from the app.
The researchers scanned the apps with a tool called SkyWalker, which they will soon make available for app developers to audit the cloud-based tools that they are building into their apps.
They will present their findings at the USENIX Security Symposium in Santa Clara, California, which runs August 14–16, 2019.
A biometric building access system used by thousands of companies around the world has exposed 23 gigabytes of data, representing over 27.8 million records, researchers revealed today. The BioStar 2 product, used by such organizations as the UK Metropolitan Police, made information, including fingerprints and facial recognition images, publicly available.
Researchers from VPN advice company vpnMentor say they uncovered the data, exposed in the BioStar 2 web-based security platform. It stores biometric data used to access physical facilities at thousands of sites around the world. Customers use it to access secure areas of buildings and to log employees' movements for time and attendance purposes.
BioStar 2 is also integrated into third-party systems such as Nedap's AEOS access control system, which is used by over 5,700 organizations in 83 countries. The UK Metropolitan Police is among them.
Exposed data included not just unencrypted employee usernames and passwords but also over a million fingerprint records and facial recognition images. The researchers could see records of employee movements throughout physical facilities, along with their start dates and security clearance levels, their home addresses and email addresses.
vpnMentor discovered the exposed data mostly unencrypted in an Elasticsearch database. The team could access it via a browser and could manipulate the URL to extract the data, they said in a report published today.
Affected companies include home decor and DIY supplier Tile Mountain in the UK and Power World Gyms, a gym franchise in India and Sri Lanka, which stored over 113,000 user records and fingerprints in the database.
Suprema, the company that makes BioStar 2, was supremely uncooperative, according to vpnMentor, which tried several times to contact the company by email. "Eventually, we decided to reach out to BioStar 2’s offices by phone. Again, the company was largely unresponsive," said vpnMentor. "Upon speaking to a member of their German team, we received a mumbled reply that 'we don’t speak to vpnMentor', before the phone was suddenly hung up."
Suprema didn't respond to queries from Infosecurity Magazine either. However, the company eventually fixed the problem yesterday, eight days after vpnMentor first contacted it.
vpnMentor warned that cyber-criminals could use the information to mount phishing attacks or sell it on the dark web. They could also use it to gain physical access to thousands of facilities around the world.
"A hacked building’s entire security infrastructure becomes useless. Anybody with this data will have free movement to go anywhere they choose, undetected," they said.
BioStar 2 users should change their dashboard passwords immediately and notify employees to change their personal passwords, said the researchers. However, the exposure of a centralized biometric database highlights a deeper problem, warned Charity Wright, cyber-threat intelligence analyst and researcher at threat protection company IntSights Cyber Intelligence.
"Suprema is really lucky that security researchers discovered this and disclosed it ethically. If they determine that hackers have accessed these open servers, the damage will be catastrophic," she said. "Unlike credentials, biometrics can be stolen and used to hack people's 2FA. These are plain-text passwords and real fingerprints that can be used to mimic the victims' login information, and we are talking about over 1.5 million locations where this technology is used."
Microsoft has patched 93 unique CVEs this month, and although there are no zero-days or publicly disclosed flaws, there’s plenty to keep sysadmins busy, according to experts.
Top of the list are two wormable RDP flaws (CVE-2019-1181 and CVE-2019-1182) similar to the BlueKeep bug discovered earlier this year, which require urgent patching as an infection could spread without user interaction.
Elsewhere it’s a fairly light patch load by recent standards: there are 31 critical vulnerabilities and 65 rated as important.
“On the critical list are several Remote Code Execution (RCE) vulnerabilities including those that affect Hyper-V and Remote Desktop Services, services that are often exposed publicly. There are also RCE vulnerabilities in Outlook and Word where a maliciously crafted document or email could allow an attacker to execute their code,” explained Trustwave.
“Luckily the Outlook vulnerability can't be triggered simply by using the Preview pane. A similar RCE affects .LNK or 'shortcut' files, where an attacker could craft a malicious shortcut and would only need to get their target or victim to click on it to execute their code. There is also an RCE vulnerability in both DHCP servers and clients that could be triggered with a malicious DHCP lease request or response.”
“This tampering vulnerability has a CVSS score of 9.3. It requires specialised hardware to exploit but can allow wireless access and disruption within Bluetooth range of the device being attacked,” he explained. “Microsoft provided an update to address the issue, but the new functionality is disabled by default. You must enable the functionality by setting a flag in the registry.”
Elsewhere, Adobe released eight new updates including critical bulletins for Creative Cloud and Experience Manager and fixes for Acrobat and Acrobat Reader flaws, as well as a non-security update for Flash.
British Airways has come under fire from the security community again, this time after a vulnerability in its e-ticketing system was found to be exposing passengers' personally identifiable information (PII).
Security firm Wandera claimed in a blog post yesterday that the airline was sending out unencrypted check-in links to customers which contained booking reference and surname in the URL itself.
“Therefore, someone snooping on the same public Wi-Fi network can easily intercept the link request, which includes the booking reference and surname and use these details to gain access to the passenger’s online itinerary in order to steal even more information or manipulate the booking information,” the firm explained.
With access to a customer’s account, hackers could then access further identity info including full name, itinerary, email address, phone number and much more – all valuable for use in potential follow-on phishing attacks and identity fraud.
Back in February, Wandera found the same vulnerability in check-in links sent by Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa and Transavia.
The firm recommended airlines use one-time tokens for direct links within emails and require explicit user authentication for all steps where PII is accessible and editable.
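One way to implement the first half of that recommendation, as an added example that is neither Wandera's nor the airline's code: the server mints an opaque single-use token for each check-in link instead of putting the booking reference and surname in the URL, stores only an HMAC of it with an expiry, and accepts it exactly once. The hostname, the in-memory token store and the 24-hour lifetime are assumptions; the second half of the recommendation (explicit authentication before PII is shown or edited) is a separate step the token does not replace.

```python
"""Single-use check-in links in place of booking-reference-plus-surname URLs.

Added example; not code from Wandera or any airline. The token store is an
in-memory dict standing in for a database table, and the host is a placeholder.
"""
import hmac
import secrets
import time
from hashlib import sha256
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 24 * 3600          # assumed lifetime of a check-in link
CHECKIN_HOST = "https://checkin.example.invalid"   # placeholder, not a real endpoint


class CheckInLinks:
    def __init__(self, secret_key: bytes, now=time.time):
        self._key = secret_key
        self._now = now                 # injectable clock so expiry is testable
        self._tokens = {}               # HMAC(token) -> (booking_ref, expires_at)

    def _digest(self, token: str) -> str:
        # Only a keyed hash of the token is stored, so a leaked table cannot be
        # replayed against the live service.
        return hmac.new(self._key, token.encode(), sha256).hexdigest()

    def issue(self, booking_ref: str) -> str:
        """Create a fresh link for a booking; nothing identifying appears in the URL."""
        token = secrets.token_urlsafe(32)
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._tokens[self._digest(token)] = (booking_ref, expires_at)
        return f"{CHECKIN_HOST}/start?t={token}"

    def redeem(self, token: str):
        """Return the booking reference for a live token and consume it; None otherwise."""
        entry = self._tokens.pop(self._digest(token), None)   # pop: one use only
        if entry is None:
            return None
        booking_ref, expires_at = entry
        if self._now() > expires_at:
            return None                 # expired tokens are discarded, not honoured
        return booking_ref


def token_from_link(url: str) -> str:
    """Pull the token back out of a link, as the check-in endpoint would."""
    return parse_qs(urlparse(url).query).get("t", [""])[0]


if __name__ == "__main__":
    links = CheckInLinks(secrets.token_bytes(32))
    url = links.issue("ABC123")        # constructed booking reference
    print("link:", url)
    print("first use ->", links.redeem(token_from_link(url)))
    print("second use ->", links.redeem(token_from_link(url)))
```

A link captured on open Wi-Fi after the passenger has used it, or after it has expired, no longer opens anything, and the captured URL reveals neither the booking reference nor the surname.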
The news comes as BA is still reeling from a proposed £183m GDPR fine following security failings that allowed Magecart attackers to harvest customer details from its website.
Cesar Cerrudo, CTO at pen testers IOActive, argued that the focus for developers is too often on usability, performance and scalability rather than security.
“What is forgotten is just how sensitive the data being stored is,” he added.
“Yet while it is common practice for airlines to use third-party penetration testing for their hardware and critical flight services, they often test their online services and applications in-house using teams that are often under pressure from IT to meet strict time deadlines; meaning things slip through the gaps.”
Israel Barak, CISO at Cybereason, praised BA for acknowledging the incident and promising to fix it.
“This is hardly a knock-out punch for the airlines. For the consumer flying with British Airways, or with other carriers, they should be working under the assumption that their personal information has been compromised many times over,” he added.
“As an industry, until we can start making cybercrime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive pay-outs.”
The UK’s financial regulator has agreed to give the country’s payments and e-commerce providers more time to comply with new user authentication rules mandated by PSD2.
The Financial Conduct Authority (FCA) said yesterday that it would provide card issuers, payments firms and online retailers with an 18-month timeline to implement the Strong Customer Authentication (SCA) checks.
This is in line with the opinion of the European Banking Authority (EBA), which recently admitted that more time was needed to implement SCA given its complexity and a lack of preparedness in the market.
Originally set for a September 14 deadline, SCA will force any firms accepting payments online to ensure they apply two-factor authentication checks on their customers. In many cases, this will come in the form of the popular 3-D Secure option.
However, exceptions are made for low value payments (under €30), recurring payments such as subscriptions, customers who have whitelisted merchants they trust, and low-risk transactions. The latter requires a real-time risk assessment on each payment, and therefore advanced fraud screening tools.
The FCA will now not take action if any firms don’t meet the September 2019 deadline, as long as they can demonstrate “there is evidence that they have taken the necessary steps to comply with the plan.”
“The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster,” explained Jonathan Davidson, executive director at the FCA.
“While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction.”
Jason Tooley, chief revenue officer at Veridium, said the delay was disappointing.
“Financial institutions and payment service providers have had nearly two years to prepare since the initial announcement, and there is no valid excuse for the delay in its enforcement apart from an unwillingness to participate,” he argued.
“Whilst it is true that consumers will see minor changes to their day-to-day spending, the additional layer of security on higher value payments will enable consumers to benefit from safer and more innovative electronic payment services. The impact on consumers must not be overlooked by the lengthy delay in enforcement; SCA will mean consumers are more confident when buying online – not act as a deterrent to sales as some have incorrectly suggested.”
Canada has launched a cybersecurity certification program to try to get small to midsize enterprises (SMEs) up to speed with a basic level of protection.
Launched at the University of New Brunswick's Canadian Institute for Cybersecurity by Minister of Finance Bill Morneau, CyberSecure Canada is a voluntary program that will help small organizations achieve a minimum required level of cybersecurity, according to the government.
The initiative requires Canadian SMEs to stick to a baseline set of cybersecurity controls developed by the Canadian Centre for Cyber Security. These controls include establishing an incident response plan, regularly patching operating systems and applications, using security software and securely configuring devices. Other measures in the list include using strong user authentication, offering employee awareness training and backing up and encrypting data.
Those passing the certification can display a mark showing that they have demonstrated compliance with the controls. Those businesses will also be listed on the program's website.
The Canadian government uses six certification bodies to check that companies have implemented the controls properly: Cyber Security Canada, Bell Canada, Bulletproof Solutions, Siemens, SourcetekIT, and WatSec. If businesses are using products and services from these companies that already meet the security controls, then some of the companies may certify them for free, the government's website says. Others may charge anywhere from a few hundred dollars to several thousand.
The certification lasts for two years, at which point businesses must go through the certification process again to continue using the certification mark.
The move follows growing concern over the cybersecurity preparedness of Canadian SMEs. In October, the Canadian Internet Registration Authority (CIRA) launched its 2018 Cybersecurity Survey, which polled 500 individuals at SMEs across Canada. It found that 40% of respondents had experienced a cyber-attack in the prior 12 months. Of the respondents, 88% were concerned about the prospect of future attacks, and 71% didn't have a formal software patching policy.
Google took another step toward ditching passwords as a login mechanism this week by announcing support for password-free access to some of its own services from Android phones. In a blog post on Monday, it demonstrated how users could access its cloud-based password manager using the new feature.
Users will be able to verify their identities by scanning their fingerprints on suitably equipped Android devices. While users have been able to access their phones using their fingerprints in the past, the new feature allows them to access back-end Google services as well.
The feature is built on FIDO2, the password-free login standard created by the FIDO Alliance. Its two underlying specifications, the FIDO Client to Authenticator Protocol (CTAP) and the W3C's WebAuthn, work together to authenticate the user both on the phone and at the back-end site. The user creates a digital token by authenticating on the phone; CTAP uses that token to authenticate with the browser, and WebAuthn then sends a digital token to the back-end service, logging the user in.
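The exchange described above, reduced to its two ends, as an added Go example that is not Google's code and not part of the original article: `authenticatorSign` plays the phone-side authenticator (it runs after the fingerprint unlock and signs with the credential key registered at enrolment), and `verifyAssertion` plays the back-end service checking the WebAuthn "get" assertion. The relying-party ID `example.com`, the origin `https://example.com`, the use of an ECDSA P-256 credential key and all function names are assumptions made for the example; the data layout (client data JSON, authenticator data, signature over the two hashes) follows the WebAuthn specification.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed relying-party values; a real deployment uses its own domain.
const rpID, origin = "example.com", "https://example.com"
const flagUP byte = 0x01 // "user present" bit in the authenticatorData flags byte

// clientData is the CollectedClientData JSON the browser builds for WebAuthn.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url without padding
	Origin    string `json:"origin"`
}

// assertion is the token the back-end receives: client data, authenticator data,
// and an ECDSA signature over SHA-256(authData || SHA-256(clientDataJSON)).
type assertion struct{ ClientDataJSON, AuthenticatorData, Signature []byte }

// signedMessage is the byte string the authenticator signs and the server verifies.
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// authenticatorSign models the phone (CTAP side): after the fingerprint check it
// assembles client data and authenticator data and signs with the credential key.
func authenticatorSign(priv *ecdsa.PrivateKey, challenge []byte, counter uint32, flags byte) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	// authenticatorData = rpIdHash (32 bytes) || flags (1) || signature counter (4, big-endian)
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, nil
}

// verifyAssertion is the back-end service's side of the WebAuthn "get" ceremony.
// On success it returns the new signature counter to store for the credential.
func verifyAssertion(pub *ecdsa.PublicKey, expected []byte, lastCounter uint32, a assertion) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	got, _ := base64.RawURLEncoding.DecodeString(cd.Challenge)
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return 0, errors.New("wrong ceremony type")
	case !bytes.Equal(got, expected):
		return 0, errors.New("challenge mismatch: replayed or foreign assertion")
	case cd.Origin != origin:
		return 0, errors.New("origin mismatch: assertion was made for another site")
	case len(a.AuthenticatorData) < 37:
		return 0, errors.New("authenticatorData too short")
	case !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]):
		return 0, errors.New("RP ID hash mismatch")
	case a.AuthenticatorData[32]&flagUP == 0:
		return 0, errors.New("user presence not asserted")
	}
	counter := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if counter <= lastCounter {
		return 0, errors.New("signature counter did not advance: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return 0, errors.New("signature does not verify under the registered key")
	}
	return counter, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // credential key made at enrolment
	ch := make([]byte, 32) // one fresh random challenge per login attempt
	rand.Read(ch)
	a, _ := authenticatorSign(priv, ch, 1, flagUP)
	_, err := verifyAssertion(&priv.PublicKey, ch, 0, a)
	fmt.Println("login accepted:", err == nil)
}
```

Each check in `verifyAssertion` closes a distinct failure mode: the challenge comparison stops replays, the origin comparison is what makes the scheme phishing-resistant (an assertion produced for another site's origin is rejected even though the signature is valid), the RP ID hash and user-presence flag confirm which service and that a person was there, the counter catches a cloned credential, and only then is the signature checked against the public key stored at registration.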
To use the service, the phone must be running Android 7 (Nougat) or later and be set up with a personal Google account. The device must also have a screen lock configured.
Google's FIDO2 support also lets users log into services using a hardware key, such as its own Titan Bluetooth-enabled device.
This latest announcement marks another step in Google's support of FIDO2. In February, it adopted the standard for Android apps.
Google rolled out the feature on Pixel devices on Monday and said that other Android devices would get the feature in the coming days.
Other companies have also made strides toward password-free access. In May, Microsoft achieved FIDO2 certification for Windows Hello, its biometric-capable login system included in Windows 10. This enables users to log into their Microsoft accounts using a hardware security key. The company also allowed Firefox users to log into their Microsoft accounts using FIDO2, with support for Google's Chrome to follow.
Just as exploits for Microsoft's BlueKeep bug make it into the wild, the company has announced another set of vulnerabilities in Windows that are equally dangerous – and this time, they also affect Windows 10 systems.
Microsoft announced the bugs, along with an associated set of patches, as part of its monthly Patch Tuesday release. The vulnerabilities lie in Remote Desktop Services (RDS), the Windows service that lets users operate a computer remotely. RDS uses the remote desktop protocol (RDP), and an attacker can get full access to a system by sending a malicious RDP request to the victim's computer.
These new vulnerabilities can compromise a computer without the user doing anything, which means that they can spread quickly and autonomously. Attackers can use them to create worms that spread like wildfire online.
This makes the new vulnerabilities very similar to BlueKeep, the existing wormable RDP vulnerability that Microsoft announced and patched on May 14, 2019. However, that vulnerability (CVE-2019-0708) didn't affect Windows 10. These flaws (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226) do.
"At this time, we have no evidence that these vulnerabilities were known to any third party," said Microsoft in a blog post announcing the move, but it also sent a clear message: Patch now.
The announcement comes just a day after the Australian Signals Directorate's Cyber Security Centre warned that someone had published a way to exploit BlueKeep. It said: "A security researcher under the Twitter handle @zerosum0x0 has recently disclosed his Remote Desktop Protocol (RDP) exploit for the BlueKeep vulnerability to Metasploit. The disclosure, once made available to the public, is anticipated to increase the amount of RDP scanning activity, increasing the chances of attempted exploitation of unpatched systems."
The researcher in question made that submission at least two weeks ago:
RE: #BlueKeep @Metasploit. I performed a full knowledge transfer of my notes/code to the MSF core team. The release timeline is out of my hands and up to Rapid7 discretion. I've been too busy to work on it for over a month anyways; fresh eyes and polish. Thanks for understanding. pic.twitter.com/hXvpqbUYam— @zerosum0x0 July 31, 2019
Microsoft had also repeatedly warned people to patch BlueKeep, most recently on August 8, when it said that some 400,000 endpoints remained unprotected.
BlueKeep had been a difficult bug to exploit, although several security companies said that they had successfully produced proof of concept code internally. It isn't yet clear how difficult it will be to exploit the latest flaws or how quickly someone will produce and publish workable code.
Security researchers have warned organizations that unsolicited blank emails could be a warning sign they are being actively targeted by BEC scammers.
Crane Hassold, senior director at the Agari Cyber Intelligence Division (ACID), explained in a new blog post that “lead validation and processing” is a crucial part of the attack chain in which gang members take raw leads and validate, add info to and organize them.
While some use commercial lead generation services to identify and validate targets, others might manually send “probing” emails to check the legitimacy of raw target data. These messages are typically blank, may carry a subject line of just “i”, and are designed solely to check whether they are delivered successfully.
They’re usually sent in non-work hours when they’re more likely to be missed, Hassold said.
“If no bounce notification is received, the target’s email address is assumed to be valid and operational. In the case of Curious Orca, once this contact information has been validated, their name, email address, and title are added to one of the hundreds of consolidated text files containing verified targets,” he continued.
“In many cases, this file includes supplemental information about the CEO at the target company who will be impersonated in the BEC attack.”
Sometimes, even if the address is invalid, the scammer may try other variations, possibly using legitimate marketing tools to suggest new combinations.
The sheer time and effort required to do all of this manually shows the increasing professionalization of BEC campaigns, Hassold claimed.
“A single Curious Orca associate has sent blank reconnaissance emails to more than 7800 email addresses at over 3200 companies in at least 12 countries including Australia, Canada, Denmark, Hong Kong, Israel, Italy, the Netherlands, Papua New Guinea, Singapore, Sweden, the UK and the US since August 2018,” he revealed.
“The validated contact information collected by this actor has contributed to a master targeting database that contains more than 35,000 financial controllers and accountants at 28,000 companies around the world.”
To regain the initiative against BEC attackers, IT teams could configure their email settings to raise the alarm when individuals receive blank messages, or even disable email bounce messages to external senders, disrupting their reconnaissance work, Agari said.
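Agari's suggestion of alerting on blank inbound messages, as an added detection example in Go that is not Agari's tooling or part of the original article: `classify` parses one raw RFC 5322 message and scores it against the indicators the post describes (empty body, external sender, empty or one-character subject, delivery outside working hours), and `scanMailbox` runs that over a batch. The local domain `example.com`, the 08:00 to 18:00 UTC working window, and the four sample messages are all constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"strings"
	"time"
)

// Assumed local settings: the organization's own domain and its working hours (UTC).
const (
	localDomain = "example.com"
	workStart   = 8  // 08:00
	workEnd     = 18 // 18:00
)

// probeFinding records why a message looks like a BEC validation probe.
type probeFinding struct {
	From    string
	Reasons []string
}

// classify applies the indicators described above to one raw RFC 5322 message.
// An empty body is required, plus at least one of: external sender, empty or
// one-character subject, delivery outside working hours. Requiring the empty
// body keeps ordinary external newsletters sent overnight from being flagged.
func classify(raw string) (probeFinding, bool) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return probeFinding{}, false
	}
	body, _ := io.ReadAll(msg.Body)
	if strings.TrimSpace(string(body)) != "" {
		return probeFinding{}, false
	}
	reasons := []string{"empty body"}
	from := msg.Header.Get("From")
	if addr, err := mail.ParseAddress(from); err == nil &&
		!strings.HasSuffix(strings.ToLower(addr.Address), "@"+localDomain) {
		reasons = append(reasons, "external sender")
	}
	if subj := strings.TrimSpace(msg.Header.Get("Subject")); len(subj) <= 1 {
		reasons = append(reasons, fmt.Sprintf("empty or one-character subject %q", subj))
	}
	if d, err := msg.Header.Date(); err == nil {
		d = d.UTC()
		weekend := d.Weekday() == time.Saturday || d.Weekday() == time.Sunday
		if weekend || d.Hour() < workStart || d.Hour() >= workEnd {
			reasons = append(reasons, "received outside working hours: "+d.Format(time.RFC1123))
		}
	}
	if len(reasons) < 2 {
		return probeFinding{}, false
	}
	return probeFinding{From: from, Reasons: reasons}, true
}

// scanMailbox runs classify over a batch of messages and returns the findings,
// the list an alerting rule would hand to the SOC.
func scanMailbox(msgs []string) []probeFinding {
	var out []probeFinding
	for _, m := range msgs {
		if f, ok := classify(m); ok {
			out = append(out, f)
		}
	}
	return out
}

// sampleMessages are constructed for this example; none are real mail.
var sampleMessages = []string{
	// a blank probe: external sender, subject "i", no body, Sunday 02:14 UTC
	"From: <j.doe@mail-freebie.example>\r\nTo: <cfo@example.com>\r\nSubject: i\r\nDate: Sun, 11 Aug 2019 02:14:00 +0000\r\n\r\n",
	// an ordinary internal message
	"From: <alice@example.com>\r\nTo: <cfo@example.com>\r\nSubject: Q3 budget\r\nDate: Mon, 12 Aug 2019 10:05:00 +0000\r\n\r\nDraft attached, comments welcome.\r\n",
	// an external newsletter sent overnight: it has a body, so it is not a probe
	"From: <news@vendor.example>\r\nTo: <cfo@example.com>\r\nSubject: August update\r\nDate: Tue, 13 Aug 2019 03:30:00 +0000\r\n\r\nHere is what is new this month.\r\n",
	// an internal empty message sent during the day: only one indicator, not flagged
	"From: <bob@example.com>\r\nTo: <cfo@example.com>\r\nSubject: lunch?\r\nDate: Tue, 13 Aug 2019 12:00:00 +0000\r\n\r\n",
}

func main() {
	for _, f := range scanMailbox(sampleMessages) {
		fmt.Printf("probe from %s: %s\n", f.From, strings.Join(f.Reasons, "; "))
	}
}
```

On the sample set only the first message is reported, with all four reasons. The empty-body requirement is the deliberate design choice: on its own, any single indicator (an external sender, an overnight timestamp) is common in legitimate mail, whereas a message with nothing in it has no business purpose and is exactly the delivery test the post describes.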
Industry stakeholders are considering reducing the lifespan of HTTPS certificates to just 13 months, around half of the current duration, in order to improve security.
The CA/Browser Forum proposal would seek to make the changes from March 2020. It comes after certificate lifetimes were reduced from 39 to 27 months back in March 2018.
Proponents argue that doing so would make it harder for the black hats, as it would reduce the length of time stolen certificates could be used for. It could also force companies to use the latest and most secure encryption algorithms available.
However, not everyone is on board: DigiCert standards technical strategist, Timothy Hollebeek, argued that “it is far from clear” there’s any security benefit in reducing TLS/SSL certificate lifespans.
“This change has absolutely no effect on malicious websites, which operate for very short time periods, from a few days to a week or two at most. After that, the domain has been added to various blacklists, and the attacker moves on to a new domain and acquires new certificates,” he added.
“Another benefit that is sometimes suggested is that shorter lifetime certificates allow quicker transitions when the compliance rules change. Two-year certificate lifetimes mean that certificates that are issued today will still be around two years from now. But isn’t it the responsibility of those managing the certificate ecosystem to come up with compliance rules that can endure for at least that long?”
The changes would also significantly ramp up the costs for organizations, Hollebeek argued, although they could always use free services like Let’s Encrypt.
“We believe the goal of improving certificate security is better served by allowing more time for companies to continue their growing use of automation, to test their systems and to prepare for these changes,” he said. “The primary point is that any benefit of reducing certificate lifetimes is theoretical, while the risks and costs to make the changes, especially in a short period of time, are real.”
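A compliance check for the proposed 13-month cap, as an added Go example that is not CA/Browser Forum or DigiCert code and not part of the original article: `parsePEM` loads a certificate as it would come from a server's chain file, `inspect` reports its lifetime against the cap and whether renewal is due. The 30-day renewal margin, the function names and the certificates minted inline by `selfSigned` (constructed test data, not real certificates) are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// maxLifetimeMonths is the proposed ceiling discussed above; renewBefore is an
// assumed operational margin for kicking off automated renewal.
const maxLifetimeMonths = 13
const renewBefore = 30 * 24 * time.Hour

// lifetimeCompliant reports whether the validity window fits within maxMonths.
func lifetimeCompliant(cert *x509.Certificate, maxMonths int) bool {
	return !cert.NotAfter.After(cert.NotBefore.AddDate(0, maxMonths, 0))
}

// needsRenewal reports whether the certificate expires within renewBefore of now.
func needsRenewal(cert *x509.Certificate, now time.Time) bool {
	return !now.Add(renewBefore).Before(cert.NotAfter)
}

// parsePEM loads the first CERTIFICATE block, as from a server's chain file.
func parsePEM(p []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(p)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// selfSigned mints a throwaway certificate with the requested validity so the
// checks can run offline; this is constructed test data, not a real cert.
func selfSigned(cn string, notBefore time.Time, months int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, months, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// report summarises one certificate the way an inventory scan would.
type report struct {
	Subject      string
	LifetimeDays int
	Compliant    bool
	RenewalDue   bool
}

// inspect parses one PEM certificate and evaluates it as of now.
func inspect(p []byte, now time.Time) (report, error) {
	cert, err := parsePEM(p)
	if err != nil {
		return report{}, err
	}
	return report{
		Subject:      cert.Subject.CommonName,
		LifetimeDays: int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24),
		Compliant:    lifetimeCompliant(cert, maxLifetimeMonths),
		RenewalDue:   needsRenewal(cert, now),
	}, nil
}

func main() {
	issued := time.Date(2019, time.March, 1, 0, 0, 0, 0, time.UTC)
	now := time.Date(2019, time.August, 15, 0, 0, 0, 0, time.UTC)
	for _, months := range []int{27, 12} { // today's maximum versus a one-year certificate
		p, _ := selfSigned("www.example.com", issued, months)
		r, err := inspect(p, now)
		fmt.Printf("%+v %v\n", r, err)
	}
}
```

The point Hollebeek makes about automation shows up directly in `needsRenewal`: the shorter the cap, the more often that function fires, so an inventory check like this is only useful if something automated acts on its output rather than a person with a calendar.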
UK police have warned that organized crime gangs (OCGs) are increasingly turning their attention to online fraud, even as they registered success in taking many of them down this year.
Some 13 OCGs were dismantled in the first half of 2016, double the number of a year ago, according to the latest figures from banking group UK Finance.
This is the work of the Dedicated Card and Payment Crime Unit (DCPCU), a specialized police force funded by the UK finance industry and made up of officers from the Met and City of London police plus UK Finance and the Home Office.
The unit has reportedly helped prevent or disrupt £6.8m of fraud in the first six months of 2019, out of an estimated £600m since the DCPCU was set up in 2002.
Some 39 fraudsters were convicted following investigations and £330,000 in assets seized – also double the amount from the first half of 2018.
Although the DCPCU said it is stepping up its efforts to combat cyber-fraud, by reaching out to other organizations and government, it warned of an influx of organized crime into the space.
“These figures are testament to the hard work of the DCPCU officers who are on the frontline in the fight against fraudsters. The criminals involved are becoming increasingly organized and dangerous. We are seeing gangs involved in drug trafficking and firearms offences turning to fraud, targeting victims across the UK,” said new DCPCU boss, detective chief inspector Gary Robinson.
“These criminals are exploiting new technologies to commit fraud, posting adverts on social media to try and recruit money mules. It’s particularly shameful that young people are being targeted in this way by these fraudsters. Meanwhile, vulnerable and elderly customers are also being tricked into handing over their money through callous scams.”
Just last week the FBI warned that romance scammers are increasingly tricking their victims into becoming money mules.
The DCPCU said it would be engaging more closely with social media firms to take down fraudsters’ profiles, and with telcos to combat SIM swap fraud.
The challenges of government and enterprise IT security have been documented in a multitude of reports over the years, but what is the state of IT security within American schools?
At the DEF CON 27 conference in Las Vegas, 18-year-old Bill Demirkapi detailed how he discovered multiple vulnerabilities within several different software applications used in his school, including Blackboard's Community Engagement software and Follett's Student Information System. He started finding the issues when he was 16 years old and continued his research until he graduated in spring 2019.
The bugs ranged in severity and type, and included SQL injection as well as XML inclusion vulnerabilities. While the impact varied from bug to bug, Demirkapi said that he could have taken personally identifiable information or even changed his grades.
"I knew that there were a lot of schools using the software," Demirkapi said. "My method of finding vulnerabilities was...really inadequate and nonprofessional. It was just looking at pages and trying to mess with the parameters."
Among the simpler flaws he discovered was improper access control in the student information system: Demirkapi explained that most record identifiers in the system were simple incrementing values, making it easy to identify a student. Additionally, he discovered a local file inclusion flaw.
He explained that when downloading their schedule or report card, users would be redirected to a servlet called toolResult.do.
"After running a tool or attempting to download a file shared with the user, a request to toolResult.do is made," Demirkapi said. "By modifying the fileName parameter to the proper path escape, an attacker can access any file on the system."
Within Blackboard's Community Engagement software, Demirkapi said that he found what he referred to as "SQL injections galore," the end result of which also enabled him to gain unauthorized access. Again, he noted that he really didn't know what he was doing but was still able to find issues.
"Essentially, I grabbed a list of links through a crawler and using Chrome Web Tools, I would then try and find interesting parameters to play around with and see how the server reacted when it received unexpected input," he said. "For parameters that responded to characters commonly used in SQL injection, I put them through SQLmap."
SQLmap is a popular open-source tool that lets users test for and exploit SQL injection conditions in software. The Blackboard system that Demirkapi accessed covered more than just his own school: it held over five million students and teachers spread across more than 5,000 schools.
Demirkapi was quick to note that in his own research he only looked at his own data and did not look at or take anyone else's information. He commented that any other information that was gathered was metadata, such as the number of rows in a database.
"The primary reason I kept investigating is because the database had my records too," he said. "I felt obligated to determine the extent for the impact to my own records and the records of my peers."
Not only was Demirkapi meticulous in trying to be responsible about only accessing his own data, he also attempted to be responsible in his disclosure to both his school and the impacted vendor, with mixed results. After attempting to get the attention of his school with a disclosure notice that was only supposed to go to his school's IT team but ended up going to every school in his district, Demirkapi said he was suspended from school for two days.
Demirkapi learned from that initial experience and made his later disclosures via the CERT Coordination Center, which made it somewhat easier to get the issues fixed, though he still faced some hurdles.
During his presentation, he noted that he had contacted Blackboard before giving his DEF CON presentation and was advised to share a statement in the presentation, which he did.
"Blackboard is always working hard to improve both the security of our products, as well as the processes and procedures we leverage in support of security," the company stated.
Wrapping up, Demirkapi said that it's important for schools to take data security seriously and hold software vendors accountable. "Don't fall for marketing," he said. "Just because they say they take care of data doesn't mean they do."
Demirkapi added that in his view there needs to be more regulation to keep children's data safe, since they can't defend their own data. "If a 16-year-old can find a breach affecting millions of students and teachers, what would a nation-state find?" he asked.