Info Security


Flaw in SymCrypt Can Trigger DDoS

Wed, 06/12/2019 - 15:33

A vulnerability in the SymCrypt cryptographic library of Microsoft's OS can trigger a distributed denial-of-service (DDoS) disruption in Windows 8 servers and above, causing a perpetual operation "when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric," according to Tavis Ormandy, a Google researcher.
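As an added illustration of the bug class described above (this is not SymCrypt's code, and the specific bit patterns Ormandy found are not given here), the routine below computes a modular inverse with an explicit work budget and rejects non-invertible input instead of looping forever on attacker-supplied numbers such as parameters parsed from a certificate:

```python
from typing import Optional


def mod_inverse_bounded(a: int, m: int) -> Optional[int]:
    """Return the inverse of a modulo m, or None if no inverse exists.

    Extended Euclidean algorithm with an explicit iteration budget. By Lame's
    theorem the algorithm needs at most about 1.5 * bit_length(m) division
    steps, so a cap of 2 * bit_length(m) + 2 is never reached by correct
    arithmetic; reaching it means the implementation (or its input handling)
    is broken, and the caller gets an exception instead of a hung thread,
    which is the failure mode that matters for code fed untrusted data.
    """
    if m <= 1:
        return None                     # no meaningful residue ring
    a %= m                              # normalise attacker-chosen values first
    if a == 0:
        return None                     # zero is never invertible
    old_r, r = a, m
    old_s, s = 1, 0
    max_steps = 2 * m.bit_length() + 2
    steps = 0
    while r != 0:
        steps += 1
        if steps > max_steps:
            raise RuntimeError("modular inverse exceeded its iteration budget")
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        return None                     # gcd(a, m) > 1: not invertible
    return old_s % m


def consecutive_fibonacci(n: int) -> tuple:
    """Return (F(n), F(n+1)), a constructed worst-case input pair.

    Consecutive Fibonacci numbers are coprime, so the inverse always exists,
    and they maximise Euclid's division-step count; used here to show that
    the budget above is not hit even in that case.
    """
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a, b


def check_inverse(a: int, m: int) -> bool:
    """Verify the returned inverse independently: a * inv == 1 (mod m)."""
    inv = mod_inverse_bounded(a, m)
    return inv is not None and (a * inv) % m == 1


if __name__ == "__main__":
    print(mod_inverse_bounded(3, 11))              # 4
    print(mod_inverse_bounded(6, 9))               # None, gcd is 3
    fa, fb = consecutive_fibonacci(300)
    print(check_inverse(fa, fb))                   # True
```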

“I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't,” Ormandy tweeted.

Now that we’ve entered into the 91st day, Ormandy has gone public with what he said is a relatively low severity bug. “I've been able to construct an X.509 certificate that triggers the bug. I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g., ipsec, iis, exchange, etc.) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock,” Ormandy wrote in the Project Zero vulnerability report.

Ormandy noted that while it is a low-severity bug, it would be possible to take down an entire Windows fleet relatively quickly if exploited. “Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible. We worked to meet the researcher’s deadline for disclosure; however, a customer-impacting regression was discovered that prevented the update from being released on schedule. We advised the researcher of the delay as soon as we were able. Developing a security update is a delicate balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption," a Microsoft spokesperson wrote in an email.*

"This finding demonstrates just how important this type of research is in helping organizations mitigate risks no one ever knew existed. The frightening part about this vulnerability and others that can be remedied with a simple patch, however, is that many organizations will have a very difficult time actually implementing the fix,” said Adam Laub, SVP product management, STEALTHbits Technologies.

“When I first started in the industry nearly 15 years ago, patch management was very much the flavor of the day – much like privileged access management (PAM) and artificial intelligence (AI) technologies command significant mind share among security practitioners now. Sadly, the patch management problem persists despite advances in so many other areas of IT management, which could make this 'low severity' vulnerability a lot more pungent than it ought to be."

*June 12, 2019 3:38 PM: This article was updated to include comment from a Microsoft spokesperson.

Categories: Cyber Risk News

XSS is Most Rewarding Bug Bounty as CSRF is Revived

Wed, 06/12/2019 - 11:45

Cross-site scripting (XSS) is the most rewarding security vulnerability, according to data on the number of bug bounties paid.

According to HackerOne’s list of the top 10 most impactful security vulnerabilities, which have earned hackers over $54m in bounties and is based on over 1,400 HackerOne customer programs and 120,000 reported vulnerabilities, XSS is the most paid-out vulnerability, followed by “improper authentication – generic” and “information disclosure.”
 
HackerOne’s Top 10 security vulnerabilities are:
 

  1. Cross-site Scripting - All Types (dom, reflected, stored, generic)
  2. Improper Authentication - Generic
  3. Information Disclosure
  4. Privilege Escalation
  5. SQL Injection
  6. Code Injection
  7. Server-Side Request Forgery (SSRF)
  8. Insecure Direct Object Reference (IDOR)
  9. Improper Access Control - Generic
  10. Cross-Site Request Forgery (CSRF)

In comparison, XSS featured only in seventh place in the current OWASP Top Ten, which was last refreshed in 2017, while SQL Injection, which held the top position in the OWASP Top Ten, appeared in fifth place in HackerOne’s list.

Speaking to Infosecurity, Rahim Jina, COO of edgescan, said that from their stats XSS accounts for nearly 15% of application layer vulnerabilities found, showing a slight increase year on year.

“This is a vulnerability we nearly expect to find when we are assessing a web application (you tend to find multiple instances in an application, if you find them),” he said. “XSS has been around a long time and when highlighted, developers typically can resolve these, however we frequently see the same issues being introduced by these developers subsequently. I believe there is an educational problem here which needs to be addressed (people do get training, however they often seem to re-introduce XSS issues subsequently for whatever reason).”
 
Miju Han, director of product management at HackerOne, said: “We see a 40% crossover of the HackerOne Top 10 to the latest version of the OWASP Top 10. Both assets will be able to help security teams identify the top risks; ours just also takes into account volume and bounty values, which we think will be of particular interest to security teams looking to protect against criminal hackers.”
 
Cross-Site Request Forgery, which was removed from the last OWASP Top 10, having appeared in seventh place in the 2013 OWASP Top 10, was the tenth most paid bug for HackerOne.

Jina said that CSRF “is an interesting one,” as last year it accounted for 1.75% of total app-layer vulnerabilities found by edgescan; the reason cited by many is that most modern web app frameworks include built-in CSRF defenses which can be enabled easily.

“Scanners tend to report this issue with high frequency, however when you actually look at the issue, the transaction may not be relevant – CSRF is about abusing a transaction in some meaningful way,” he said.

“Finding it may be relatively easy, however validating the real issue takes some effort. Additionally, due to the often complex nature of actually abusing such an issue successfully, these are often presented as lower risk items.”

Jina said that there is a slight increase in CSRF issues in general, as fixing them appears to be much easier: often simply turning on such a defense (where the framework provides one, usually a configuration change) will protect the entire application in one go, as opposed to having to go into the code and fix each instance.

“We find that explaining the underlying risk and cause of CSRF issues can be confusing to developers and is often misunderstood.”

Categories: Cyber Risk News

Microsoft Fixes Four SandboxEscaper Zero-Days

Wed, 06/12/2019 - 11:01

Microsoft has released its latest monthly security updates and there are four fixes for zero-day threats published recently by SandboxEscaper.

In total Redmond fixed 88 vulnerabilities in this update round with 21 labelled critical.

The four zero-days are all elevation of privilege flaws which affected Windows: CVE-2019-1069 is a bug in the Windows Task Scheduler, CVE-2019-1064 is an elevation of privilege bug in Windows, CVE-2019-1053 is a vulnerability in Windows Shell which could allow elevation of privilege on the affected system by escaping a sandbox and CVE-2019-0973 is a flaw in Windows Installer.

The recently disclosed BlueKeep vulnerability (CVE-2019-0708) in RDP should also be a priority for system admins, after Microsoft warned that it could be “wormable” — that is, exploitable without the need for user interaction.

However, patching is just one part of the defense-in-depth approach IT security teams need to take, according to Ivanti director of security solutions, Chris Goettl.

“Currently around 1.6 million public facing RDP servers are under the attack of a botnet called GoldBrute. Instead of exploiting a vulnerability, GoldBrute is attacking weak passwords. A couple of things to assess in your environment: do you have public facing RDP services exposed? Have you assessed its configuration?” he explained.

“Ideally, blocking RDP at the perimeter is best. Restricting access to a VPN controls the exposure of RDP more. Enabling network-level authentication can help mitigate BlueKeep. Ensure any credentials available over RDP have strong passwords that are changed regularly.”

Elsewhere, there’s one critical update for Flash Player this month, fixing a bug (CVE-2019-7845) which could allow arbitrary code execution on a victim’s machine. Adobe also announced patches for three critical ColdFusion vulnerabilities and seven Adobe Campaign bugs, one of which is critical.

Categories: Cyber Risk News

FBI: Don’t Trust HTTPS or Padlock on Websites

Wed, 06/12/2019 - 09:15

The FBI has been forced to issue an alert warning users that the sight of "HTTPS" and a padlock icon in the address bar may not be enough to prove the authenticity of a website.

The latest Public Service Announcement from the bureau’s public-facing Internet Crime Complaint Center (IC3) revealed that cyber-criminals are increasingly abusing trust in TLS-secured websites to improve the success rate of phishing attacks.

“They are more frequently incorporating website certificates — third-party verification that a site is secure — when they send potential victims emails that imitate trustworthy companies or email contacts,” it warned.

“These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.”

Corin Imai, senior security adviser at DomainTools, argued that the falling price of SSL/TLS certificates makes them a no-brainer for malicious webmasters.

“Thankfully, education is the single security measure that criminals can’t work around: an aware user, who has been trained to look for misspellings in the URL of a web page and knows not to trust a padlock icon, is much harder to lure into giving away personal information or clicking on malware-spreading links,” she added.

“Organizations should therefore invest in solid training programs, which cannot be limited to a one-day workshop on what a phishing scam looks like, but need to be continuous, thorough and impactful.”

To that end, the FBI urged users to go back to basics, by not clicking on links in any suspicious-looking emails and by following up with the sender directly, even if the contact is known.

Hackers are also hosting malware on cloud services such as Azure and benefiting from their HTTPS certificates indirectly this way, experts have revealed.

Categories: Cyber Risk News

Code Signing Shortcomings Leave Gaps for Hackers

Wed, 06/12/2019 - 08:27

Only a little over a quarter (28%) of global organizations have a clearly defined security process in place for code signing, potentially opening the door for hackers to steal and use these certificates in attacks, according to new Venafi research.

The security vendor polled 320 security professionals in the US, Canada and Europe to better understand the risks posed by code signing — the process used to secure software updates.

Although half said they were concerned that cyber-criminals are using forged or stolen code signing certificates to breach organizations, few enforce security policies at this layer. The figure for European respondents was even lower than the overall average, at just 14%.

What’s more, over a third (35%) admitted that they don’t have a clear owner for the private keys used in code signing.

The challenge is likely to become even more acute going forward, with 69% of firms saying they plan to increase usage of code signing in the coming year, according to Venafi.

The vendor’s vice-president of security strategy and threat intelligence, Kevin Bocek, argued that code signing certificates enabled both the notorious Stuxnet and ShadowHammer attacks to succeed.

“Security teams and developers look at code signing security in radically different ways. Developers are primarily concerned about being slowed down because of their security teams’ methods and requirements. This disconnect often creates a chaotic situation that allows attackers to steal keys and certificates,” he added.

“In order to protect themselves and their customers, organizations need a clear understanding of where code signing is being used, control over how and when code signing is allowed, and integrations between code signing and development build systems. This comprehensive approach is the only way to substantially reduce risk while delivering the speed and innovation that developers and businesses need today.”

Categories: Cyber Risk News

Radiohead Officially Releases Music Stolen in Hack

Tue, 06/11/2019 - 17:15

A week after receiving a ransom request for $150,000, alternative-rock band Radiohead decided to go live with the 18 hours of stolen music that was never intended for public consumption.

On June 5, Consequence of Sound reported that 18 hours of Radiohead’s music was leaked online. The band announced on June 11 that it has officially released the leaked material through Bandcamp and is donating the proceeds to the climate activist group Extinction Rebellion.

Band member Jonny Greenwood tweeted that a hacker stole minidisk archives of the band’s OK Computer sessions.

We got hacked last week - someone stole Thom’s minidisk archive from around the time of OK Computer, and reportedly demanded $150,000 on threat of releasing it.

So instead of complaining – much – or ignoring it, we’re releasing all 18 hours on Bandcamp in aid of Extinction Rebellion. Just for the next 18 days. So for £18 you can find out if we should have paid that ransom.

Never intended for public consumption (though some clips did reach the cassette in the OK Computer reissue) it’s only tangentially interesting. And very, very long. Not a phone download. Rainy out, isn’t it though?

Jonny

“Hackers holding data hostage is a growing concern for businesses, as hackers have found out that crime does pay and people are willing to pay to regain control of their own data," said Matan Or-El, CEO of Panorays. "In their efforts to stop the hacker’s booming business, the FBI and industry experts strongly recommend never to pay the ransom.

"Radiohead has taken an additional route – a creative one – to defeat hackers. Their method levels the playing field by beating hackers in their own game and simply releasing their album to the public.”

Categories: Cyber Risk News

SOCs Struggle with Staffing, Reporting and Visibility

Tue, 06/11/2019 - 17:03

Staffing remains an issue for security operations centers (SOCs), which continue to struggle with reporting and documentation while barely being able to stay afloat in a sea of alerts and false positives, according to the annual State of the SOC report from Exabeam.

The report found approximately one-third of respondents said that their SOC was understaffed by 6–10 people. “Nearly 50% of understaffed SOCs indicated they don’t have sufficient funding for technology, while respondents of larger SOCs said that despite recent or increased funding for technology, they recommend continued investment in newer, more modern technologies (39%),” the press release said.

In addition, shifting roles and responsibilities is a top challenge for SOC managers, with C-suite executives taking on the tasks of incident response and threat hunting, while frontline employees are completing fewer operational tasks.

Only 5% of respondents said they see all of the events in the security information and event management (SIEM) system. Not having full visibility into events is a handicap for SOC managers, who reported that a lack of visibility leaves them more likely to miss security alerts. Because legacy applications are unable to log events, 39% of SOC personnel reported missed security alerts as the largest pain point leaving the organization more vulnerable to cyber-attacks.

“There’s an idiom, ‘what you don’t know can’t hurt you.’ But in the information security business, that couldn’t be further from the truth. In fact, it’s what you don’t know – or worse, can’t see – that will significantly harm your business,” said Steve Moore, chief security strategist at Exabeam. “From our survey, an example of how this can manifest is general lack of environmental visibility in the form of too few logs – you can’t protect what you can’t see. Visibility, event context and automation play a key role in building relevant defense, so you can have a fighting chance against even the most sophisticated adversaries.”

Increasingly, SOC managers are placing greater value on soft skills, like communication, with 65% of respondents saying personal and social skills play a critical role in the success of a SOC. In addition, the report found that hard skills, such as threat hunting and data loss prevention, have also increased in importance.

Categories: Cyber Risk News

HaveIBeenPwned.com Open to Acquisition

Tue, 06/11/2019 - 16:43

Since its inception in 2013, the website HaveIBeenPwned.com (HIBP) has grown exponentially – to the point where it is no longer feasible for one person to maintain, which is why Troy Hunt, the site’s creator, today announced that he is open to the possibility of an acquisition.

The prevalence of breaches, combined with the analysis he was doing and the scale of Adobe, is what sparked the idea for HIBP, Hunt said. “I wonder how many people know? Do they realize they were breached? Do they realize how many times they were breached? And perhaps most importantly, have they changed their password (yes, almost always singular) across the other services they use? And so Have I Been Pwned was born.”

In an exclusive interview with Infosecurity, Hunt joked that he has often been asked what would happen to the site if he were hit by a bus. “Microsoft has my credit card, so the site would continue, but who would manage it?” Hunt said.

Fans of the site have applauded Hunt for “doing God’s work,” but the man is indeed a mere mortal. “It’s gotten to the point where the service has become enormously popular and the effort required to maintain it is exceeding my time availability,” Hunt said. “It’s also making it clear that there is a lot more to be done than I’m able to do on my own. There needs to be a better continuity plan than just one person doing this in their spare time.”

With 8 billion breached records included in its database, the site has nearly 3 million subscribers. “I’ve emailed those folks about a breach 7 million times, there are 120,000 people monitoring domains they’ve done 230,000 searches for and I’ve emailed them another 1.1 million times. There are 150,000 unique visitors to the site on a normal day, 10 million on an abnormal day, another couple of million API hits to the breach API and then 10 million a day to Pwned Passwords.”

Though there is no one organization Hunt is eyeing for acquisition, he did say that he will continue to be involved in the future of HIBP. “There's a heap of things I want to do with HIBP which I simply couldn't do on my own. This is a project with enormous potential beyond what it's already achieved and I want to be the guy driving that forward,” Hunt wrote.

Categories: Cyber Risk News

FTSE 250+ Demonstrate Weak Security, but Low SMB Exposure

Tue, 06/11/2019 - 14:24

FTSE 250+ organizations leave an average of 35 servers and devices exposed to the open internet, while 231 have “weak or non-existent” phishing defenses.

According to research by Rapid7, many companies in the FTSE 250+ indicate how many and which cloud service providers they use in their DNS metadata. The research found that 114 organizations use between two and seven cloud service providers. 

Tod Beardsley, director of research at Rapid7, told Infosecurity that this is the “best of the best of IT in Britain,” and what stood out to him was the number of services exposed, which was in the 30% range; however, some companies expose thousands and others only a few.

He said: “We look at each company and ask how many versions of iOS or nginx are they running, or how many versions of Apache? Do they standardize on one version, which every company wants to do because it makes things a lot easier with a lot less overheads, or are they running 20 different versions of Apache, which tells me they have really fragmented asset management processes and are not doing patches, and doing black box stuff.”

One “bright side” that Beardsley pointed out for the UK was fewer SMB servers, with only seven found in total.

Of the average 35 exposed services, Beardsley admitted that if he were managing a company’s IT and only found 35, he would be delighted, as “it sounds really good”; when you get to 300-400, it becomes a full-time job.

Elsewhere, 19% of the FTSE 250+ organizations are not enforcing SSL/TLS security. Beardsley said that there is a lack of 302 redirects from HTTP to HTTPS, and “a lot of clear text HTTP as the front page” for household brands. He admitted that for a country so determined to get him to accept cookies, this was surprising as it permitted injection attacks as well as Man-in-the-Middle attacks.

Asked if he felt whether this puts the FTSE 250+ in a positive light, Beardsley said that there is work to be done, and while the SMB and Telnet stats are a good thing, Rapid7 is seeing connections from FTSE 250+ companies to its honeypot “as if we are part of the same network so it is accidental self-compromise.”

Categories: Cyber Risk News

Welsh Man Gets Four Years for TalkTalk Attack

Tue, 06/11/2019 - 10:06

A Welsh man diagnosed with Asperger’s syndrome has been sentenced to four years behind bars for his role in a cyber-attack on TalkTalk which cost the company £77m.

Daniel Kelley, 22, from Llanelli, Carmarthenshire, will spend his sentence in a young offender institute after first pleading guilty to 11 offenses back in 2016.

These included: hacking the ISP and attempting to blackmail CEO Dido Harding and other executives, as well as “hacking his local college, encouraging and assisting hacking, possessing and offering to supply TalkTalk customer and other data and converting proceeds of blackmail from an Australian victim,” according to the Met Police.

“Kelley’s computers revealed from 2013 to 2015 that he had embarked on a cybercrime campaign hacking and blackmailing individuals and companies, attempting to sell compromised personal data online and committing cyber-attacks on infrastructure,” the London police force said.

“Over the three-year period, Kelley demanded over 753 Bitcoins valued at more than £123,700 successfully extorting £4400 in Bitcoins and attempted to conceal, convert and launder Bitcoins into cash. He had attempted to anonymize and conceal his identity and activities online using technology. As a result a significant amount of additional cybercrime offenses were identified and investigated by the Met.”

According to reports, Kelley turned to cybercrime after failing to get the grades he needed to get onto a computer course.

Kelley is just one of several people arrested following the 2015 attack on TalkTalk which led to the compromise of data on over 100,000 customers.

Another was a 17-year-old at the time, who admitted he hacked the firm to show off to friends.

The young age of the offenders is another indication that efforts are failing to get talented children to use their computing skills for positive ends.

At Infosecurity Europe last week, HaveIBeenPwned founder Troy Hunt urged: “We’ve got to do more to set kids back on the right path.”

Categories: Cyber Risk News

US Customs Contractor Hack Breaches Traveller Images

Tue, 06/11/2019 - 09:30

US Customs and Border Protection (CBP) has admitted a data breach at a sub-contractor has compromised images of individuals and vehicles entering and leaving the country.

The controversial agency first learned of the “malicious cyber-attack” on May 31.

“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” it said in a statement.

“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract.”

According to the agency, none of the stolen data has yet been spotted on the dark web, although it may be being traded on closed forums.

It’s believed that it covers tens of thousands of travellers for a period of over a month.

The name of the contractor is officially not being made public, although there are suggestions that it could be Perceptics, a firm that supplies license plate reading services to the government.

Robert Cattanach, a partner at the international law firm Dorsey & Whitney, argued that consumer rights in this area are limited, despite a new Californian privacy law designed to strengthen them (CCPA).

“Unless a traveler can prove that they have been harmed somehow by the disclosure of their information and location at a border or airport there is very little anyone can do once their information has been stolen, and then often made available on the dark web. US Courts have been reluctant to award damages absent a showing of specific and concrete harm,” he argued.

“The CCPA does not apply to the US government, and more robust federal privacy protections have been repeatedly stalled in Congress. Rapidly evolving technology that collects vast amounts of individual data, coupled with the dramatic cultural differences between various countries that collect it, make this an even more challenging problem for individuals and their political systems to reconcile.”

Categories: Cyber Risk News

Chinese Uni Exposes 8TB+ of Email Metadata

Tue, 06/11/2019 - 09:08

A prestigious Chinese university leaked over 8TB of email metadata via an unsecured Elasticsearch database, a researcher has revealed.

Cloudflare director, Justin Paine, discovered the database, which had no authentication, on May 22 after a simple Shodan search.

In total, there were 9.5 billion rows, which equated to 8.4TB of metadata from the popular open source Zimbra email platform. Although the database didn’t contain the subject line or body text of emails, it revealed a significant amount of detail, according to Paine.

“Based on the metadata I was able to locate all email being sent or received by a specific person. This data also included the IP address and user agent of the person checking their email. As such, I could locate all the IPs used and device type of a specific person,” he explained.

“Using this metadata I could see the high level details of a specific email exchange such as which email address was sending or receiving an email from a different email address.”

The data in question came from Shanghai Jiao Tong University, described online as the “MIT of the East,” with over 41,000 students. However, it acted promptly to secure the data once notified, Paine said.

He added that no students appeared to have had their data exposed in the leak.

The discovery is just the latest instance of a major privacy leak via an unprotected Elasticsearch database.

Back in November 2018, the personal information of nearly 82 million Americans was exposed online for at least two weeks after a similar find.

There was another spate of incidents in January this year, exposing millions more records belonging to banks, casinos and non-profits.

According to Elastic, the company behind Elasticsearch, these reports usually indicate that an individual or organization has “actively configured their installations to allow unauthorized and unauthenticated users to access their data over the internet.”

Categories: Cyber Risk News

Criminals Try to Schedule Spam in Google Calendar

Mon, 06/10/2019 - 18:05

A sophisticated scam is targeting Gmail users through fraudulent, unsolicited Google Calendar notifications as well as through other Google services, including Photos and Forms, according to Kaspersky.

In these scams, criminals are exploiting Gmail calendar’s default feature that automatically adds calendar invitations and notifications.

Cyber-criminals reportedly send targets an unsolicited calendar invitation containing a link to a phishing URL. A pop-up notification of the invitation appears on the smartphone’s screen, where the recipient is tempted to click on the link. The website to which they are then taken asks victims to enter their credit card details and some personal information, which is sent straight to the scammers.

“Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse. Combating spam is a never-ending battle, and while we've made great progress, sometimes spam gets through," a Google spokesperson wrote in an email*.

"We remain deeply committed to protecting all of our users from spam: we scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts. In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters.” 

“The ‘calendar scam’ is a very effective scheme, as most people have become used to receiving spam messages from emails or messenger apps,” said Maria Vergelis, security researcher at Kaspersky, in a press release.

“But this may not be the case when it comes to the Calendar app, which has a main purpose to organize information rather than transfer it. So far, the sample we’ve seen contains text displaying an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time. The good news is that it’s fairly easy to avoid such a scam – the feature that enables it can be easily turned off in the calendar settings.”

Kaspersky advised that turning off the auto-add feature will help to prevent falling victim to the scam. “To do so, open Google Calendar, click the settings Gear Icon, then on Event Settings. For the ‘automatically add invitations’ option, click on the drop-down menu and select ‘No, only show invitations to which I've responded’. Below this, in the View Options section, make sure ‘Show declined events’ is NOT checked, unless you specifically wish to view these,” today’s press release said.

In addition to the Calendar service, scammers are also leveraging Google Photos, sending pictures that detail a large remittance that the recipient can receive if they reply to the email address supplied in the message.

“A photo of a nonexistent check should immediately betray the scammers’ intentions. The check states that some commission fee will unlock a much larger amount. After the victim pays up, the scammers simply vanish into the ether,” researchers wrote.

* June 12, 2019: This article was updated to include comment from Google.

Categories: Cyber Risk News

Data of 1m Users Lost in EmuParadise Breach

Mon, 06/10/2019 - 17:32
Data of 1m Users Lost in EmuParadise Breach

Community members have taken to social media to share the news that the accounts of more than 1 million gamers were reportedly leaked after EmuParadise suffered a data breach, according to multiple reports. 

Some of those impacted by the data breach of the retro gaming site, which used to host ROMs, said that over the weekend they started receiving notices that their accounts had been compromised in a data breach.

“The retro gaming website EmuParadise was breached in April 2018. The vBulletin forum exposed 1.1m email addresses, IP addresses, usernames and passwords stored as salted MD5 hashes. 71% of addresses were already in @haveibeenpwned,” haveibeenpwned.com tweeted.

The site boasts “a huge community, a vast collection of gaming music, game related videos (movies, fmvs, etc.), game guides, magazines, comics, video game translations and much much more!” Infosecurity has contacted EmuParadise and will update if the company responds.

“We know even less about this breach than most. We know the source of the database, and the fact that it exists, but there are no details about how the incident occurred,” said Tim Erlin, vice president of product management and strategy at Tripwire. "It’s been well understood that MD5 is insecure for more than a decade, and its weaknesses have been actively exploited. Despite these known issues, MD5 has persisted for a long time.”

“It would be extremely rare to see new applications making use of MD5 for secure hashing. The problem is that there are so many legacy systems out there, following the modernized adage ‘if it ain’t down, don’t touch it.’ Until these applications are replaced, or the underlying infrastructure stops supporting MD5, we’ll continue to see this type of persistence.”
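As an added illustration of Erlin's point about legacy MD5 persisting (constructed example code, not EmuParadise's, vBulletin's or Tripwire's), one way to retire salted MD5 without forcing a mass reset: verify against the legacy hash on login, then rewrite the record with PBKDF2. The "md5$salt$hex" record layout and the 600,000-round PBKDF2 setting are assumptions; the forum's real format is not described in the article.

```python
"""Transparent upgrade of legacy salted-MD5 password hashes on successful login.

Constructed example; not EmuParadise's, vBulletin's or Tripwire's code.
Assumes the legacy scheme is md5(salt + password) stored as "md5$<salt>$<hex>";
the forum's real format is not described in the article.
"""
import hashlib, hmac, os

PBKDF2_ROUNDS = 600_000  # assumption: pick so one verification costs a few hundred ms


def legacy_md5_hash(password, salt):
    """Legacy record: unsalted-speed MD5, trivially brute-forced offline once leaked."""
    return "md5$" + salt + "$" + hashlib.md5((salt + password).encode()).hexdigest()


def pbkdf2_hash(password, salt_hex=None):
    """New record: per-user random salt and a deliberately slow derivation."""
    salt_hex = salt_hex if salt_hex is not None else os.urandom(16).hex()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt_hex}${dk.hex()}"


def verify_and_upgrade(stored, password):
    """Return (ok, new_record); new_record is set when the row should be rewritten."""
    scheme, *rest = stored.split("$")
    if scheme == "md5":
        salt, _digest = rest
        ok = hmac.compare_digest(legacy_md5_hash(password, salt), stored)
        # Only a correct login reveals the plaintext, so that is the moment to re-hash.
        return ok, (pbkdf2_hash(password) if ok else None)
    if scheme == "pbkdf2_sha256":
        rounds, salt_hex, digest = rest
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(dk.hex(), digest), None
    raise ValueError("unknown hash scheme")


if __name__ == "__main__":
    record = legacy_md5_hash("correct horse", "a1b2")  # constructed legacy row
    ok, upgraded = verify_and_upgrade(record, "correct horse")
    print(ok, upgraded.split("$")[0])
```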

Categories: Cyber Risk News

Vectra Raises $100m in Series E Funding

Mon, 06/10/2019 - 16:37
Vectra Raises $100m in Series E Funding

After having experienced 104% growth in annual recurring revenue in 2018 over 2017, Vectra has today announced that it closed a $100 million funding round led by TCV, bringing the company’s total funding to date to more than $200 million, according to a June 10 press release.

The triple-digit Series E round, in which existing investors also participated, comes only one year after Vectra raised $36 million in Series D funding. The financing is expected to drive the company's growth and market expansion in what Forrester Research estimates is a $12.7 billion cloud security market.

While critical security gaps leave organizations vulnerable, consumers continue to use online services for everything from entertainment to banking. Securing consumer data and preserving their privacy is critical to maintaining trust and preserving an organization’s reputation, a Vectra spokesperson said. The business impact of lost revenue and shareholder value as a result of consumer data breaches in the cloud is significant and is therefore making cloud security a board-level priority.

“TCV has an extensive track record of partnering with enterprise security companies, including Rapid7 and Splunk, from growth stage to public,” said Tim McAdam, general partner at TCV and member of the Vectra board of directors. “In our research on the category, it became clear to us that Vectra was rapidly gaining momentum with customers by rethinking the way enterprises view both network and cloud security. The Vectra Cognito platform is poised to become requisite in the security infrastructure of multinational enterprises and midsize businesses alike.”

“The cloud has inherent security blind spots, making it imperative to eliminate cyber-risks as enterprises move their business to the cloud,” said Hitesh Sheth, president and chief executive officer at Vectra. “The Cognito platform enables them to stop hidden cyber-attacks in the cloud. We look forward to partnering with TCV and our existing investors as we continue our rapid growth.”

Categories: Cyber Risk News

UK Taxpayers Overwhelmed with Phishing Scams

Mon, 06/10/2019 - 10:30
UK Taxpayers Overwhelmed with Phishing Scams

HMRC has received over 2.6m reports of phishing attempts over the past three financial years, according to a new Freedom of Information (FOI) request from a think tank.

The tax office processed a total of 2,602,528 reports of phishing emails and texts as well as phone scams from 2016-19, according to Parliament Street. Although the worst year was 2016-17 (921,900), 2018-19 saw an increase of 15% over the previous year to reach 897,649.

The largest number were fraudulent emails spoofing tax rebate messages, which accounted for 1,957,003 reports over the three years. The worst year for these was 2016-17, accounting for 733,980.

Next came scam SMS messages, which accounted for 150,009 over the past three financial years — although the volume of these has dropped by almost half between 2016-17 and 2018-19, according to the report.

The number of phone scams reported to the tax office has soared alarmingly over the period: from just 407 in 2016-17 to 104,774 reports in 2018-19.

The number of taxpayers who admitted disclosing financial details to the phishers was 10,647 in 2016-17, but then dropped considerably in the succeeding years, to total 18,792 for the three years. That equates to a success rate of less than 1%.

Also reassuring is the number of phishing websites being reported for removal: 50,323 over the three years, with 2017-18 being the worst year at 19,198 reports.

HMRC is said to be the government’s most abused ‘brand’, but it has been getting better at combating the fraudsters, having implemented DMARC in 2016, for example. This has helped the agency block hundreds of millions of phishing emails, while a Customer Protection Team works hard to follow up reports from taxpayers and take down phishing sites.

However, the wider business community may be less well protected, according to Centrify VP, Andy Heather.

“These incidents are just a snapshot of techniques used by hackers to gain confidential financial information as well as credentials and passwords. In many cases we’re seeing fraudsters gaining access to company data, using legitimate user ID and log-in details, without raising suspicion,” he argued.

“For businesses, it’s time to face the reality that cyber-attackers now no longer hack in, they log in using credentials and passwords that are weak, stolen or in cases of phishing are simply handed over to them. Tackling this problem means adopting a zero-trust approach to all user-accounts, ensuring every employee who tries to access critical information is screened with the necessary password, location and authentication procedures to ensure they are who they say they are.”

Categories: Cyber Risk News

Microsoft Warns of Campaign Exploiting 2017 Bug

Mon, 06/10/2019 - 09:17
Microsoft Warns of Campaign Exploiting 2017 Bug

Microsoft has alerted users to a new campaign utilizing a vulnerability which was discovered and patched back in 2017 to download a backdoor Trojan to victim machines.

Spam emails have been detected in various European languages carrying malicious RTF attachments which feature an exploit for CVE-2017-11882, the computing giant said in a series of tweets on Friday.

“The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks. Notably, we saw increased activity in the past few weeks. We strongly recommend applying security updates,” it said.

“In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload. The backdoor payload then tries to connect to a malicious domain that’s currently down.”

Although the domain in question is currently out of service, hackers may in the future update the attack to connect to a working C&C domain. This could enable the download of additional payloads, leading to infection with ransomware or banking Trojans, information theft and more.

“Office 365 ATP detects the emails and attachments used in this campaign. Windows Defender ATP detects the documents as Exploit:O97M/CVE-2017-11882.AD and the payload as Trojan:MSIL/Cretasker,” Redmond’s security team concluded.

“Other mitigations, like attack surface reduction rules, also block the exploit.”

The software flaw in question, which exists in Microsoft Office’s Equation Editor, has been incredibly popular since it was discovered a couple of years ago as it requires no user interaction to work.

It was used by APT34, an Iranian cyber espionage group, and just last week was spotted in attacks on central government targets delivering the Hawkball backdoor. It’s also been used to spread the infamous Cobalt malware and a RAT which uses the popular Telegram Messenger app for its command and control (C&C).

Categories: Cyber Risk News

GoldBrute Campaign Brute Forces 1.6m RDP Servers

Mon, 06/10/2019 - 08:55
GoldBrute Campaign Brute Forces 1.6m RDP Servers

Researchers have uncovered a large brute forcing campaign targeting upwards of 1.5 million remote desktop protocol (RDP) servers.

Renato Marinho, chief research officer at Morphus Labs, revealed the so-called “GoldBrute” campaign is controlled by a single C&C server, with which bots are exchanging data via AES encrypted WebSocket connections to port 8333.

Infected hosts will first be given instructions to download the bot code: a large 80MB package that includes the complete Java Runtime.

“Initially, the bot will start scanning random IP addresses to find more hosts with exposed RDP servers. These IPs are reported back to the C&C server. After the bot reported 80 new victims, the C&C server will assign a set of targets to brute force to the bot,” Marinho continued.

“Each bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools as each authentication attempt comes from different addresses.”
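The one-attempt-per-source behaviour Marinho describes defeats the usual per-IP lockout and alerting threshold. Below is an added detection example (constructed for this page, not Morphus Labs' code) that runs two rules over simplified failed-logon records: the classic per-source count, and a count of distinct sources that each fail exactly once against the same host. The log lines, the CSV layout and both thresholds are assumptions.

```python
"""Flag RDP brute forcing from failed-logon records, including the GoldBrute
pattern of one attempt per source address.

Constructed example, not Morphus Labs' code. Each input line is a simplified
rendering of a Windows Security event 4625 with logon type 10 (RDP):
timestamp,target_host,username,source_ip. Both thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
SINGLE_SOURCE_LIMIT = 10   # classic brute force: many failures from one IP
DISTRIBUTED_LIMIT = 8      # GoldBrute style: many IPs, each failing exactly once


def parse(lines):
    """Turn CSV lines into sorted (timestamp, host, user, source_ip) tuples."""
    rows = []
    for line in lines:
        ts, host, user, src = line.strip().split(",")
        rows.append((datetime.fromisoformat(ts), host, user, src))
    return sorted(rows)


def detect(rows):
    """Return {host: rule} for every host whose failures within WINDOW trip a rule."""
    by_host = defaultdict(list)
    for ts, host, _user, src in rows:
        by_host[host].append((ts, src))
    alerts = {}
    for host, events in by_host.items():
        for i, (start, _) in enumerate(events):       # slide a window over each start
            per_src = Counter(src for ts, src in events[i:] if ts - start <= WINDOW)
            if max(per_src.values()) >= SINGLE_SOURCE_LIMIT:
                alerts[host] = "single-source brute force"
                break
            # Many distinct sources, each seen once, is the low-and-slow signature;
            # a per-IP threshold alone never fires on it.
            if sum(1 for n in per_src.values() if n == 1) >= DISTRIBUTED_LIMIT:
                alerts[host] = "distributed one-attempt-per-source brute force"
                break
    return alerts


# Constructed log: rdp-01 sees eight sources once each, rdp-02 one source ten
# times, rdp-03 two ordinary failures. Addresses are from documentation ranges.
SAMPLE = (
    [f"2019-06-07T02:{m:02d}:00,rdp-01,user{m},198.51.100.{m + 1}" for m in range(8)]
    + [f"2019-06-07T03:{m:02d}:00,rdp-02,admin,203.0.113.9" for m in range(10)]
    + ["2019-06-07T04:00:00,rdp-03,bob,192.0.2.10",
       "2019-06-07T04:30:00,rdp-03,bob,192.0.2.11"]
)

if __name__ == "__main__":
    for host, rule in sorted(detect(parse(SAMPLE)).items()):
        print(f"{host}: {rule}")
```

On a busy jump host, legitimate typos from many users can also produce many single-failure sources, so the distributed threshold needs a baseline per host before it is used to alert.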

Marinho claimed to have detected almost 1.6m targeted IP addresses from the C&C server — spread out across the world but located especially in Europe, the US and east Asia.

The news is a reminder that, despite the publicity around the BlueKeep RDP vulnerability, brute forcing is arguably a bigger threat today to administrators of these systems.

The NSA last week urged organizations to patch the remote code execution bug, CVE-2019-0708, warning that it could be wormable as it requires no human interaction to spread. Although exploitation has not yet been observed in the wild, it’s only a matter of time, experts claimed.

However, in the meantime, GoldBrute appears to be only just getting started.

“Shodan lists about 2.4 million exposed servers,” said Marinho. “GoldBrute uses its own list and is extending it as it continues to scan and grow.”

Categories: Cyber Risk News
