Cyber Security March 2018

This posting is here to collect security alert news in March 2018.

I post links to security vulnerability news to comments of this article.



  1. Tomi Engdahl says:

    Pirate Site Visits Lead to More Malware, Research Finds
    BY ERNESTO ON MARCH 18, 2018

    New research from Carnegie Mellon University reveals that more time spent on pirate sites increases the risk of running into malware. The same effect was not found for other categories, such as social networks, shopping or gambling sites. While the results show an increased threat, it’s doubtful that the absolute numbers will impress hardened pirates.

    In recent years copyright holders have been rather concerned with the health of pirates’ computers.

    They regularly highlight reports which show that pirate sites are rife with malware and even alert potential pirates-to-be about the dangers of these sites.

    The recent “Meet The Malwares” campaign, targeted at small children, went as far as claiming that pirate sites are the number one way through which this malicious software is spread. We debunked this claim, but it’s hard to deny that pirate sites have their downsides.

    Anti-Piracy Video Scares Kids With ‘Fake’ Malware Info

  2. Tomi Engdahl says:

    Cambridge Analytica’s Board Suspends CEO Nix Amid Inquiry

    Action comes after comments on U.K. Channel 4 News report
    Firm also under fire for harvesting data from Facebook users

  3. Tomi Engdahl says:

    Privacy and security is important:

    Facebook has lost nearly $50 billion in market cap since the data scandal
    That’s the stock’s biggest-ever two-day drop.

    Facebook’s Cambridge Analytica data debacle could be more damaging to the company than any of its other recent missteps.

    The news that the data analytics firm that helped Donald Trump get elected president was able to amass data on 50 million users without their permission has sent Facebook’s market value down nearly $50 billion since Friday. That’s the stock’s biggest two-day decline ever.

    There have been a number of reasons for shareholder concern.

  4. Tomi Engdahl says:

    Hackers gain access to 880K credit cards from Orbitz customers

    Another day, another breach. Today, online travel agency Orbitz disclosed that hackers managed to get both credit card data and personal information (though no Social Security numbers and passwords) from users who made their travel purchases on the site between January 1, 2016 and December 22, 2017. In total, the company says, that’s about 880,000 payment cards that were accessed from what the company calls a “legacy Orbitz platform.”

  5. Tomi Engdahl says:

    Private Internet Access releases software as open source

    Private Internet Access, a company best known for its VPN Service of the same name, announced today that it started the process of releasing all of its software as open source.

  6. Tomi Engdahl says:

    Facebook is making it harder for developers to “steal” data, but what they should be doing is making it easier for users to delete their old data, e.g. everything over a year old. Currently you have to delete either your entire account or nothing at all.

    Facebook’s Zuckerberg Outlines Steps to Protect User Data

    Social network will audit all apps that had broad access
    Sandberg says she ‘deeply regrets’ company didn’t do more

    Facebook Inc. Chief Executive Officer Mark Zuckerberg outlined some concrete steps the social network will take to protect user data, his first public response to the crisis over Cambridge Analytica’s access to information from the platform.

    Zuckerberg laid out the timeline of events leading up to the current predicament, explaining what Facebook knew and when about Cambridge Analytica’s access to the data of 50 million users. The co-founder also said Facebook still hasn’t independently confirmed reports from news organizations over the weekend that kicked off the controversy.

  7. Tomi Engdahl says:

    Google, Twitter Security Chiefs Leaving Companies

    Michael Coates, the chief information security officer (CISO) of Twitter, announced on Wednesday that he has decided to leave the social media giant. Google security chief Gerhard Eschelbeck has also announced his departure.

  8. Tomi Engdahl says:

    Growing Mistrust Threatens Facebook After Data Mining Scandal

    As Facebook reels from the scandal over hijacked personal data, a movement to quit the social network gathered momentum Wednesday, portending threats to one of the most powerful internet firms.

    In a sign of the mood, one of those calling it quits was a high-profile co-founder of the WhatsApp messaging service acquired by Facebook in 2014 for $19 billion.

    “It is time. #deletefacebook,” Brian Acton said in a tweet, using the hashtag protesting the handling of the crisis by the world’s biggest social network.

    The WhatsApp co-founder, who now works at the rival messaging application Signal, posted the comment amid a growing uproar over revelations that Facebook data was harvested by a British political consulting firm linked to Donald Trump’s presidential campaign.

    “Delete and forget. It’s time to care about privacy,” he said.

  9. Tomi Engdahl says:

    AMD Says Patches Coming Soon for Chip Vulnerabilities

    AMD Chip Vulnerabilities to be Addressed Through BIOS Updates – No Performance Impact Expected

    After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) on Tuesday said patches are coming to address several security flaws in its chips.

    In its first public update after the surprise disclosure of the vulnerabilities by Israeli-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

    AMD attempted to downplay the risks, saying that any attacker gaining administrative access could have a wide range of attacks at their disposal “well beyond the exploits identified in this research.”

    “Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues,” the notice continued.

    “Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers,” Trail of Bits added.

    Check Point has also confirmed two of the RYZENFALL vulnerabilities following its own review.

    “This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” AMD stated last week.

    Some have compared the recent AMD vulnerabilities to Meltdown and Spectre, which impact CPUs from Intel, AMD, ARM and others. However, some argued that the issues disclosed by CTS Labs are nowhere near as severe due to the fact that they mostly impact AMD’s Secure Processor technology rather than the hardware itself.

  10. Tomi Engdahl says:

    U.S. Military Should Step Up Cyber Ops: General

    Washington – US efforts to conduct offensive and defensive operations in cyberspace are falling short, a top general warned Tuesday amid ongoing revelations about Russian hacking.

    General John Hyten, who leads US Strategic Command (STRATCOM), told lawmakers the US has “not gone nearly far enough” in the cyber domain, also noting that the military still lacks clear rules of cyber engagement.

    “We have to go much further in treating cyberspace as an operational domain,” Hyten told the Senate Armed Services Committee.

    “Cyberspace needs to be looked at as a warfighting domain, and if somebody threatens us in cyberspace we need to have the authorities to respond.”

    Hyten noted, however, that the US had made some progress in conducting cyber attacks on enemies in the Middle East, such as the Islamic State group.

    The US has accused Russia of actively interfering in the 2016 presidential election, stealing Democratic party communications and pushing out disinformation through social media.

    It also accuses Moscow of stealing hacking secrets of the US intelligence community — while US cyber security investigators have accused the Russian government of a sustained effort to take control of critical US infrastructure systems including the energy grid.

  11. Tomi Engdahl says:

    ‘Slingshot’ Campaign Outed by Kaspersky is U.S. Operation Targeting Terrorists: Report

    The Slingshot cyber espionage campaign exposed recently by Kaspersky Lab is a U.S. government operation targeting members of terrorist organizations, according to a media report.

    Earlier this month, Kaspersky published a report detailing the activities of a threat actor targeting entities in the Middle East and Africa — sometimes by hacking into their Mikrotik routers. The group is believed to have been active since at least 2012 and its members appear to speak English, the security firm said.

    The main piece of malware used by the group has been dubbed Slingshot based on internal strings found by researchers. Kaspersky identified roughly 100 individuals and organizations targeted with the Slingshot malware, mainly in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania.

    CyberScoop claims to have learned from unnamed current and former U.S. intelligence officials that Slingshot is actually an operation of the U.S. military’s Joint Special Operations Command (JSOC), a component of Special Operations Command (SOCOM), aimed at members of terrorist organizations such as ISIS and al-Qaeda. SOCOM is well known for its counterterrorism operations, which can sometimes include a cyber component.

  12. Tomi Engdahl says:

    Siemens Patches Flaws in SIMATIC Controllers, Mobile Apps

    German industrial giant Siemens has released security patches for several of its SIMATIC products, including some controllers and a mobile application.

    Organizations using SIMATIC products were informed by both Siemens and ICS-CERT this week of a denial-of-service (DoS) vulnerability that can be exploited by sending specially crafted PROFINET DCP packets to affected systems.

  13. Tomi Engdahl says:

    18.5 Million Websites Infected With Malware at Any Time

    There are more than 1.86 billion websites on the internet. Around 1% of these — something like 18,500,000 — are infected with malware at a given time each week; while the average website is attacked 44 times every day.

    Sitelock has published its Q4 2017 Website Security Insider analysis of malware and websites based on statistics from 6 million of its 12 million customers. All these customers use at least one of Sitelock’s malware scanners, while a smaller subset also use the firm’s cloud-based web application firewall (WAF). The WAF provides insight into DDoS attacks against websites, while the scanners provide insight to the state of malware in websites.

    The analysis shows an increase of around 20% in the number of infected websites over Q3 2017. “We went from about 0.8% of our user base in Q3 to a little over 1% in Q4,” Sitelock research analyst Jessica Ortega told SecurityWeek. A 0.2% increase seems a small number, but it implies that up to 18.5 million websites worldwide may be infected with malware at any given time.

    Despite the increase in infected sites, continued Ortega, “The total number of attacks or attempted attacks actually decreased by about 20% — so what we’re seeing is that it takes fewer attack attempts to compromise the websites. Attackers are becoming sneakier, and more difficult-to-decode malware is coming through.”

  14. Tomi Engdahl says:

    Mark Zuckerberg’s scandal response is doomed, because Facebook is about feelings

    The CEO of Facebook broke his long silence on Wednesday, five days after a huge scandal broke about political consulting firm Cambridge Analytica and its illicit use of Facebook user data.

    The TL;DR of his agonizingly late-to-the-game note was that Cambridge Analytica’s misdeeds were the result of Facebook flaws that were patched long ago: “The good news is that the most important actions to prevent this from happening again today we have already taken years ago.”

    Zuckerberg also announced several other steps to bulk up Facebook’s protections of user privacy, restrict outside developers’ access to personal information, and make sure that users are aware of how their data is being accessed.

    In a subsequent barrage of interviews on Wednesday, Zuckerberg expanded on his statement, telling CNN he was “really sorry this happened,” and acknowledged that perhaps Facebook needed to be more heavily regulated.

    The systematic, point-by-point (and surely heavily lawyered) response to the worst crisis in Facebook’s history has virtually no chance of calming the outrage or quelling the disgust that many Facebook users are feeling this week. That’s because Facebook’s success was never predicated on the rational benefits of its gargantuan social network; it was always about how Facebook makes you feel.

    Facebook has always lived at the intersection of engineering and psychology. Its system of likes and shares is ruthlessly designed to hack our brains and tap into our unconscious need to receive affirmation: “short-term, dopamine-driven feedback loops,”

    Tapping into people’s unconscious desires and fears to build a business is nothing new, of course.

  15. Tomi Engdahl says:

    You Can DDoS an Organization for Just $10 per Hour: Cybercrime Report

    The cost of having an organization targeted by a distributed denial of service (DDoS) attack for an hour is as low as $10, cybersecurity firm Armor says.

    The low cost of launching such attacks results from the proliferation of cybercrime-as-a-service, one of the most profitable business models adopted by cybercriminals over the past years. It allows criminals-wannabe to employ the resources of established cybercriminals for their nefarious purposes, including malware distribution, DDoS-ing, spam, and more.

  16. Tomi Engdahl says:

    GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries

    GitHub says the introduction of security alerts last year has led to a significantly smaller number of vulnerable code libraries on the platform.

    The code hosting service announced in mid-November 2017 the introduction of a new security feature designed to warn developers if the software libraries used by their projects contain any known vulnerabilities.

    The new feature looks for vulnerable Ruby gems and JavaScript NPM packages based on MITRE’s Common Vulnerabilities and Exposures (CVE) list. When a new flaw is added to this list, all repositories that use the affected version are identified and their maintainers informed. Users can choose to be notified via the GitHub user interface or via email.

    When it introduced security alerts, GitHub compared the list of vulnerable libraries to the Dependency Graph in all public code repositories.

  17. Tomi Engdahl says:

    Iran-linked Hackers Adopt New Data Exfiltration Methods

    An Iran-linked cyber-espionage group has been using new malware and data exfiltration techniques in recent attacks, security firm Nyotron has discovered.

    The threat actor, known as OilRig, has been active since 2015, mainly targeting United States and Middle Eastern organizations in the financial and government industries. The group has been already observed using multiple tools and adopting new exploits fast, as well as switching to new Trojans in recent attacks.

    Nyotron now says that OilRig has used roughly 20 different tools in its latest campaign, including off-the-shelf, dual-purpose utilities and previously unseen malware. In addition to data exfiltration, the group has been heavily focused on bypassing network-level security products to establish a foothold into targeted environments.

    Since November 2017, the notorious Iran-linked threat group has been targeting various organizations in the Middle East with evolved tactics, techniques and procedures (TTPs), including the abuse of Google Drive and SmartFile for command and control (C&C) purposes, Nyotron’s report (PDF) reveals.

  18. Tomi Engdahl says:

    Android Trojan Leverages Telegram for Data Exfiltration

    A newly discovered Android Trojan is abusing Telegram’s Bot API to communicate with the command and control (C&C) server and to exfiltrate data, Palo Alto Networks security researchers warn.

    Dubbed TeleRAT, the malware appears to be originating from and/or to be targeting individuals in Iran. The threat is similar to the previously observed IRRAT Trojan, which uses Telegram’s bot API for C&C communication only.

    Still active in the wild, IRRAT masquerades as applications supposedly informing users on the number of views their Telegram profile received (something that Telegram doesn’t actually allow for). After the app’s first launch, the malware creates and populates a series of files on the phone’s SD card, which it then sends to an upload server.

    The files contain contact information, a list of Google accounts registered on the phone, SMS history, a picture taken with the front-facing camera, and a picture taken with back-facing camera. The malicious app reports to a Telegram bot, hides its icon from the phone’s app menu, and continues to run in the background, waiting for commands.

  19. Tomi Engdahl says:

    Code Execution Flaws Found in ManageEngine Products

    Researchers at cybersecurity technology and services provider Digital Defense have identified another round of vulnerabilities affecting products from Zoho-owned ManageEngine.

    ManageEngine provides network, data center, desktop, mobile device, and security solutions to more than 40,000 customers, including three out of every five Fortune 500 companies.

  20. Tomi Engdahl says:

    The Daily Beast:
    Source: US investigators identify Guccifer 2.0 as a GRU officer, attributed via hacker’s login to US social media service without a VPN from a Moscow IP address — Guccifer 2.0, the “lone hacker” who took credit for providing WikiLeaks with stolen emails from the Democratic National Committee …

    EXCLUSIVE: ‘Lone DNC Hacker’ Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer

    Robert Mueller’s team has taken over the investigation of Guccifer 2.0, who communicated with (and was defended by) longtime Trump adviser Roger Stone.

    Guccifer 2.0, the “lone hacker” who took credit for providing WikiLeaks with stolen emails from the Democratic National Committee, was in fact an officer of Russia’s military intelligence directorate (GRU), The Daily Beast has learned. It’s an attribution that resulted from a fleeting but critical slip-up in GRU tradecraft.

    That forensic determination has substantial implications for the criminal probe into potential collusion between President Donald Trump and Russia.

    “The attribution of Guccifer 2.0 as an officer of Russia’s largest foreign intelligence agency brings the investigation closer to the Kremlin’s doorstep—and to Trump himself.”

    “Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow.”

  21. Tomi Engdahl says:

    Shannon Liao / The Verge:
    Symantec report: instances of cryptojacking rose 8,500% in Q4 2017, partly due to easy-to-operate coin mining apps, coin mining up 34,000% in 2017

    Cryptojacking rates increased by 85 times in Q4 2017 as bitcoin prices spiked: report
    Where the money is, the thieves will follow

  22. Tomi Engdahl says:

    Dustin Volz / Reuters:
    US DoJ charges nine Iranians and an Iranian company with hacking parts of US government, UN, and hundreds of universities in the US and around the world

    U.S. charges Iranians for global cyber attacks on behalf of Tehran

  23. Tomi Engdahl says:

    Atlanta computer systems held hostage in ransomware attack

    Files on city computer systems have been encrypted, according to a ransom note that demands payment in bitcoin.

    City officials in Atlanta are dealing with a cyberattack that uses ransomware to hold internal computer systems hostage.

    The attack caused outages on several computer systems, including online bill paying services and some law enforcement data, CBS affiliate WGCL-TV reported Thursday. A ransom note discovered Thursday morning stated that all files on affected systems had been encrypted and demanded payment in the cryptocurrency bitcoin to decrypt them.

    Atlanta city government systems down due to ransomware attack [Updated]
    FBI called in as some city services are interrupted, employees told to turn off PCs.

    The city of Atlanta government has apparently become the victim of a ransomware attack. The city’s official Twitter account announced that the city government “is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information.”

    According to a report from Atlanta NBC affiliate WXIA, a city employee sent the station a screen shot of a ransomware message demanding a payment of $6,800 to unlock each computer or $51,000 to provide all the keys for affected systems. Employees received emails from the city’s information technology department instructing them to unplug their computers if they noticed anything suspicious. An internal email shared with WXIA said that the internal systems affected include the city’s payroll application.

    In a statement sent to Ars, a city spokesperson said, “At this time, our Atlanta Information Management team is working diligently with support from Microsoft to resolve the issue. We are confident that our team of technology professionals will be able to restore applications soon.”

  24. Tomi Engdahl says:

    Trump’s new national security advisor has ties to Cambridge Analytica

    Trump’s third national security advisor John Bolton shares at least one thing in common with his first one, Michael Flynn: both men have ties to Cambridge Analytica, a political data firm at the center of a new Facebook privacy firestorm.

  25. Tomi Engdahl says:

    Guccifer 2.0’s schoolboy error reveals he’s hacking from Moscow

    Guccifer 2.0, the notorious hacker who is alleged to have compromised the computer systems of the Democratic National Committee (DNC) and stolen opposition research on Donald Trump, has accidentally tipped his hand that he was working for Russian intelligence.

    Back in 2016, Guccifer 2.0 denied being Russian or working for Russia in online interviews and claimed (somewhat unconvincingly) to come from Romania.

    But, as Daily Beast now reports, the so-called “lone hacker” was in fact an officer with Russia’s military intelligence division (GRU).

  26. Tomi Engdahl says:

    Charlie Savage / New York Times:
    Prominent technologists including Ray Ozzie explore ways for unlocking data on secure devices that would require new legal mandates and likely weaken security — WASHINGTON — Federal law enforcement officials are renewing a push for a legal mandate that tech companies build tools …
    Justice Dept. Revives Push to Mandate a Way to Unlock Phones

    Federal law enforcement officials are renewing a push for a legal mandate that tech companies build tools into smartphones and other devices that would allow access to encrypted data in criminal investigations.

    F.B.I. and Justice Department officials have been quietly meeting with security researchers who have been working on approaches to provide such “extraordinary access” to encrypted devices, according to people familiar with the talks.

    Based on that research, Justice Department officials are convinced that mechanisms allowing access to the data can be engineered without intolerably weakening the devices’ security against hacking.

    But the renewed push is certain to be met with resistance.

    “Building an exceptional access system is a complicated engineering problem with many parts that all have to work perfectly in order for it to be secure, and no one has a solution to it,” said Susan Landau, a Tufts University computer security professor. “Any of the options people are talking about now would heighten the danger that your phone or your laptop could be hacked and data taken off of it.”

    Craig Federighi, the senior vice president of software engineering at Apple, stressed the importance of strengthening — not weakening — security protections for products like the iPhone, saying threats to data security were increasing every day and arguing that it was a question of “security versus security” rather than security versus privacy.

    “Proposals that involve giving the keys to customers’ device data to anyone but the customer inject new and dangerous weaknesses into product security,” he said in a statement. “Weakening security makes no sense when you consider that customers rely on our products to keep their personal information safe, run their businesses or even manage vital infrastructure like power grids and transportation systems.”

    But some computer security researchers believe the problem might be solvable with an acceptable level of new risks.

    The researchers, Mr. Ozzie said, recognized that “this issue is not going away,”

    In October, Mr. Rosenstein, the deputy attorney general, argued in a speech that permitting technology companies to create “warrant-proof encryption” was endangering society.

    “Technology companies almost certainly will not develop responsible encryption if left to their own devices,” he said. “Competition will fuel a mind-set that leads them to produce products that are more and more impregnable. That will give criminals and terrorists more opportunities to cause harm with impunity.”

    The Symphony approach

    The idea is that when devices encrypt themselves, they would generate a special access key that could unlock their data without the owner’s passcode. This electronic key would be stored on the device itself, inside part of its hard drive that would be separately encrypted — so that only the manufacturer, in response to a court order, could open it.

    Law enforcement officials see that idea as attractive in part because companies like Apple are already trusted to securely hold special keys

    Still, Ms. Landau argued that creating such a system would create significant additional security risks.

    The Obama administration never agreed on asking for legislation mandating access mechanisms. Military and cybersecurity agencies worried that weakening security would create new problems, and commerce officials worried about quashing innovation and making American tech products less competitive.

  27. Tomi Engdahl says:

    JASK and the future of autonomous cybersecurity

    Automated attacks have overwhelmed corporate security departments. This startup is helping to fight back


    Danny Crichton (@dannycrichton)
    There is a familiar trope in Hollywood cyberwarfare movies. A lone whiz kid hacker (often with blue, pink, or platinum hair) fights an evil government. Despite combatting dozens of cyber defenders, each of whom appears to be working around the clock and has very little need to use the facilities, the hacker is able to defeat all security and gain access to the secret weapon plans or whatever have you. The weapon stopped, the hacker becomes a hero.

    The real world of security operations centers (SOCs) couldn’t be further from this silver screen fiction. Today’s hackers (who are the bad guys, by the way) don’t have the time to custom hack a system and play cat-and-mouse with security professionals. Instead, they increasingly build a toolbox of automated scripts and simultaneously hit hundreds of targets using, say, a newly discovered zero-day vulnerability and trying to take advantage of it as much as possible before it is patched.

    Security analysts working in a SOC are increasingly overburdened and overwhelmed by the sheer number of attacks they have to process. Yet, despite the promises of automation, they are often still using manual processes to counter these attacks. Fighting automated attacks with manual actions is like fighting mechanized armor with horses: futile.

    Nonetheless, that’s the current state of things in the security operations world

    “The industry, in general from a SOC operations perspective, it is about to go through a massive revolution.”

    That revolution is automation. Many companies have claimed that they are bringing machine learning and artificial intelligence to security operations, and the buzzword has been a mainstay of security startup pitch decks for some times. Results in many cases have been nothing short of lackluster at best. But a new generation of startups

    Data wrangling and the challenge of automating security

    Borrowing concepts from military organizational design, the modern SOC is designed to fuse streams of data into one place, giving security analysts a comprehensive overview of a company’s systems. Those data sources typically include network logs, an incident detection and response system, web application firewall data, internal reports, antivirus, and many more.

    These professionals are often overworked since the growth of the security team is generally reactive to the threat environment.

    Data wrangling is one of the most fundamental problems that every SOC faces. All of those streams of data need to be constantly managed to ensure that they are processed properly. As LaRosa from ADP explained, “The biggest challenge we deal with in this space is that [data] is transformed at the time of collection, and when it is transformed, you lose the raw information.” The challenge then is that “If you don’t transform that data properly, then … all that information becomes garbage.”

    The challenges of data wrangling aren’t unique to security

    Managing that data inside the SOC is the job of a security information and event management system (SIEM), which acts as a system of record for the activities and data flowing through security operations. Originally focused on compliance

    Products like ArcSight and Splunk and many others here have owned this space for years

    JASK and the future of “autonomous security”
    That’s where a company like JASK comes in. Its goal, simply put, is to take all the disparate data streams entering the security operations center and automatically group them into attacks. From there, analysts can then evaluate each threat holistically, saving them time

    Martin’s philosophy with JASK is that the industry should walk before it runs.

    “Phase one would be to collect all the data and prepare and identify it for machine learning,”

    Analysts still have to interpret the information that has been compiled, and even more importantly, they have to decide on what is the best course of action. Today’s companies are moving from “runbooks” of static response procedures to automated security orchestration systems. Machine learning realistically is far from being able to accomplish the full lifecycle of an alert today

    The company’s stack is built on technologies like Hadoop

    The nuance around artificial intelligence is refreshing in a space that can see incredible hype. Now the hard part is to keep moving that roadmap forward.

  28. Tomi Engdahl says:

    Thomas Fox-Brewster / Forbes:
    Anonymous sources say US law enforcement is routinely unlocking iPhones with dead victims’ fingerprints sans search warrant, a practice that is entirely legal — In November 2016, around seven hours after Abdul Razak Ali Artan had mowed down a group of people in his car …

    Yes, Cops Are Now Opening iPhones With Dead People’s Fingerprints

    FBI forensics specialist Bob Moledor, who detailed for Forbes the first known case of police using a deceased person’s fingerprints in an attempt to get past the protections of Apple’s Touch ID technology. Unfortunately for the FBI, Artan’s lifeless fingerprint didn’t unlock the device

    No privacy for the dead

    And it’s entirely legal for police to use the technique, even if there might be some ethical quandaries to consider. Marina Medvin, owner of Medvin Law, said that once a person is deceased, they no longer have a privacy interest in their dead body. That means they no longer have standing in court to assert privacy rights.

    Relatives or other interested parties have little chance of stopping cops using fingerprints or other body parts to access smartphones too. “Once you share information with someone, you lose control over how that information is protected and used. You cannot assert your privacy rights when your friend’s phone is searched and the police see the messages that you sent to your friend. Same goes for sharing information with the deceased – after you released information to the deceased, you have lost control of privacy,” Medvin added.

    Police know it too. “We do not need a search warrant to get into a victim’s phone, unless it’s shared owned,”

    But there are some anxieties around the ability of the police to turn up at a crime scene and immediately start accessing deceased individuals’ cellphones without any need for permission.

    Alongside the lack of legal restrictions, the fingerprint method’s much cheaper than having to pay a contractor like Cellebrite or U.S. startup GrayShift (whose iPhone hacking tech was revealed by Forbes earlier this month) to unlock a phone. Whilst Cellebrite is believed to charge between $1,500 and $3,000 for each iPhone, GrayShift’s GrayKey hacking box costs up to $30,000 for unlimited unlock attempts.

    Once the phone’s opened, the cops will keep it in that state and send the device to forensics experts. They’ll then use tools like Cellebrite’s UFED tech to draw all the information out for investigators to explore. More often than not, police will already have those forensics services on hand.

    Police are now looking at how they might use Apple’s Face ID facial recognition technology, introduced on the iPhone X. And it could provide an easier path into iPhones than Touch ID.

    Don’t be surprised if cops do start holding iPhone X devices up to the faces of the dead in the near future then, if it hasn’t happened already.

  29. Tomi Engdahl says:

    Reuters/Ipsos poll: only 41% of Americans trust Facebook to obey privacy laws while 66% trust Amazon, 62% trust Google, 60% trust Microsoft, and 53% trust Apple

    Americans less likely to trust Facebook than rivals on personal data: Reuters/Ipsos poll

    Some 41 percent of Americans trust Facebook to obey laws that protect their personal information, compared with 66 percent who said they trust Amazon, 62 percent who trust Google, 60 percent for Microsoft and 47 percent for Yahoo.

    Facebook, the world’s largest social media firm, has been offering apologies as it tries to repair its reputation among users, advertisers, lawmakers and investors for mistakes that let 50 million users’ data get into the hands of political consultancy Cambridge Analytica.

  30. Tomi Engdahl says:

    Pwner of a Lonely Heart: The Sad Reality of Romance Scams

    Valentine’s Day is a special holiday, but for victims of romance scams it is a tragic reminder, not only of love lost, but financial loss as well. According to the FBI Internet Crime Complaint Center (IC3), romance scams accounted for $230 million in losses in 2016.

    Men and women may jokingly refer to their significant other as their “partner in crime,” but when it comes to romance scams, this joke may become a sad reality. In addition to financial losses, many scammers may convince their victims to become money mules or shipping mules, directly implicating them in illegal behavior.

    The scam artists create profiles of charming and successful men to engage these lonesome women. Dating sites frequently ask what women are looking for in a partner, so it is easy for the scammer to say exactly what they need to seem like “Mr. Right.”

    Once these scammers engage with their victims, there are an inevitable variety of excuses why they can’t meet

    After a few months of correspondence, the scammer will claim a supposed tragedy: a lost paycheck or medical fees are common – and request a small loan. The typical loss in these scams is $14,000, not to mention the considerable psychological damage – victims of romance scams frequently withdraw from their social circles, embarrassed by the stigma.

    Some of these scams can continue on for years, with frequent requests for financial support

  31. Tomi Engdahl says:

    U.S. Imposes Sanctions on Iranians for Hacking

    U.S. Charges Iranians in Massive Hacking Scheme

    The United States unveiled charges on Friday against nine Iranians for their alleged involvement in a massive state-sponsored hacking scheme which targeted hundreds of universities in the US and abroad and stole “valuable intellectual property and data.”

    Ten Iranians were also hit with sanctions along with an Iranian company, the Mabna Institute, which engaged in computer hacking on behalf of Iran’s Revolutionary Guards, the US Treasury Department said.

    The two founders of the Mabna Institute, Gholamreza Rafatnejad, 38, and Ehsan Mohammadi, 37, were among the nine Iranians indicted in New York and whose assets are subject to US seizure.

    Since 2013, the Mabna Institute carried out cyber intrusions into the computer systems of 144 US universities, the Treasury Department said, and 176 universities in 21 foreign countries.

    Mabna Institute employees and contractors “engaged in the theft of valuable intellectual property and data from hundreds of US and third-country universities… for private financial gain,” it said.

  32. Tomi Engdahl says:

    David Meyer / Fortune:
    Leader of hacker gang known as Carbanak, who used malware attacks to steal €1B from banks and ATMs, caught in Spain — For the past five years, a gang of hackers known as Carbanak has been targeting banks around the world, stealing well over $1 billion in total.

    A Cyber Gang Stole $1 Billion by Hacking Banks and ATMs. Now Police Say They’ve Caught the Mastermind

  33. Tomi Engdahl says:

    Sources: Kaspersky’s Slingshot malware report exposed counterterrorism cyber-espionage operation led by US Joint Special Operations Command — The U.S. government and Russian cybersecurity giant Kaspersky Lab are currently in the throes of a nasty legal fight that comes on top of a long-running feud …

    Kaspersky’s ‘Slingshot’ report burned an ISIS-focused intelligence operation

  34. Tomi Engdahl says:

    Do Business Leaders Listen to Their Own Security Professionals?

    Survey Shows a Disconnect Between Business Leaders and Security Professionals

    A new research report published this week claims, “A disconnect about cybersecurity is causing tension among leaders in the C-suite — and may be leaving companies vulnerable to breaches as a result.”

    The specific disconnect is over the relative importance between anti-malware and identity control — but it masks a more persistent issue: do business leaders even listen to their own security professionals?

    The basis for this assertion comes from two sources: the Verizon 2017 Data Breach Investigations Report (DBIR), and the report’s own research. DBIR states, “81% of hacking-related breaches leveraged either stolen and/or weak passwords.” The new research (PDF), conducted by Centrify and Dow Jones Customer Intelligence, shows that companies’ security officers agree with the view, while their CEOs do not. Centrify surveyed 800 senior executives in November 2017.

  35. Tomi Engdahl says:

    Danny Palmer / ZDNet:
    Researchers say that over a million Android users likely affected by Andr/HiddnAd-AJ malware through seven apps in the Play Store, one with 500K+ downloads — Attackers managed to serve up adware to large number of victims. — Cyber criminals have distributed malware to hundreds of thousands …

    Android malware found inside apps downloaded 500,000 times

    Attackers managed to serve up adware to large number of victims.

    Cyber criminals have distributed malware to hundreds of thousands of Android users by successfully hiding it inside a series of apparently harmless apps.

    The malware sneaked onto the Google Play store disguised as seven different apps – six QR readers and one ‘smart compass’ – and bypassed security checks by hiding their true intent with a combination of clever coding and delaying the initial burst of malicious activity.

    Following installation, the malware waits for six hours before it begins work on its true purpose – serving up adware, flooding the user with full screen adverts, opening adverts on webpages and sending various notifications containing ad related links.

    All of this activity is designed with the intent of generating click-based revenue for the attackers – even if the app itself isn’t actively running.

  36. Tomi Engdahl says:

    David Shepardson / Reuters:
    FCC chief to propose new rules barring use of federal funds to purchase equipment or services from firms posing a security threat to US communications networks

    FCC chief proposes steps to protect U.S. communications networks

    WASHINGTON (Reuters) – Federal Communications Commission Chairman Ajit Pai on Monday said he was proposing new rules to bar the use of funds from a government program to purchase equipment or services from companies that pose a security threat to U.S. communications networks.

  37. Tomi Engdahl says:

    Drupal to Patch Highly Critical Vulnerability This Week

    Drupal announced plans to release a security update for Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28, 2018, aimed at addressing a highly critical vulnerability.

    The Drupal security team hasn’t provided information on the vulnerability and says it won’t release any details on it until the patch arrives. An advisory containing all the necessary information will be published on March 28.

    Before that, however, the team advises customers to be prepared for the update’s release and to apply it immediately after it is published, given its high exploitation potential.

    “The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” Drupal announced.

    The highly popular content management system (CMS) powers over one million sites and is used by a large number of e-commerce businesses.

    Due to the widespread use of Drupal, currently the second most used CMS after WordPress, the security update will be released for Drupal versions 8.3.x and 8.4.x as well, although they are no longer supported.

    Drupal 7 and 8 core highly critical release on March 28th, 2018 PSA-2018-001

  38. Tomi Engdahl says:

    One Year Later, Hackers Still Target Apache Struts Flaw

    One year after researchers saw the first attempts to exploit a critical remote code execution flaw affecting the Apache Struts 2 framework, hackers continue to scan the Web for vulnerable servers.

    The vulnerability in question, tracked as CVE-2017-5638, affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. The security hole was addressed on March 6, 2017 with the release of versions 2.3.32 and

    The bug, caused by improper handling of the Content-Type header, can be triggered when performing file uploads with the Jakarta Multipart parser, and it allows a remote and unauthenticated attacker to execute arbitrary OS commands on the targeted system.

    The first exploitation attempts were spotted one day after the patch was released, shortly after someone made available a proof-of-concept (PoC) exploit. Some of the attacks scanned servers in search of vulnerable Struts installations, while others were set up to deliver malware.

    The expert said his honeypot recorded 57 exploitation attempts on Sunday, on ports 80, 8080 and 443. The attacks, which appear to rely on a publicly available PoC exploit, involved one of two requests designed to check if a system is vulnerable.
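
The scanning described in the comment above can be picked up in web server or proxy logs, because a legitimate Content-Type value is a media type and never contains OGNL expression syntax. The following detector is an added example, not code from the article or from the honeypot it cites; the log format, the sample lines and the client addresses (documentation ranges) are all constructed for the example.

```python
"""Flag CVE-2017-5638 (Struts 2 Jakarta Multipart) probe traffic in HTTP logs."""
import re
from collections import Counter

# Constructed log format for this example: <client> <method> <path> <port> "<Content-Type>".
# The lines below are made up; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation address ranges, and the two probe values use neutral OGNL syntax only.
SAMPLE_LOG = [
    '203.0.113.5 POST /upload.action 8080 "multipart/form-data; boundary=----FormBoundary7MA4YWxk"',
    '203.0.113.7 GET /index.action 80 "%{(#probe=1).(#probe)}"',
    '198.51.100.9 GET /index.action 443 "${#probe}"',
    '192.0.2.1 POST /login 80 "application/x-www-form-urlencoded"',
    '192.0.2.1 GET /robots.txt 80 "-"',
]

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<port>\d+) "(?P<ctype>.*)"$'
)

# A well-formed media type: type/subtype followed by optional ;name=value parameters.
# Braces, "%{", "${" and "#name" tokens never appear in a legitimate Content-Type.
MEDIA_TYPE_RE = re.compile(r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w.-]+=(?:"[^"]*"|[^;\s"]*))*$')
OGNL_MARKER_RE = re.compile(r'%\{|\$\{|#\w+')


def looks_like_ognl(content_type: str) -> bool:
    """True when a Content-Type value carries OGNL expression syntax instead of a media type."""
    if MEDIA_TYPE_RE.match(content_type):
        return False  # ordinary multipart / form / JSON uploads pass straight through
    return OGNL_MARKER_RE.search(content_type) is not None


def parse_line(line: str):
    """Split one log line into its fields, or return None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return the parsed records whose Content-Type header looks like a Struts OGNL probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and looks_like_ognl(rec["ctype"]):
            hits.append(rec)
    return hits


def attempts_by_port(lines):
    """Tally flagged attempts per destination port, the way the honeypot count is reported."""
    return Counter(int(rec["port"]) for rec in scan(lines))


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f'{rec["client"]} -> :{rec["port"]} {rec["path"]} Content-Type={rec["ctype"]!r}')
    print(dict(attempts_by_port(SAMPLE_LOG)))  # {80: 1, 443: 1}
```

A hit means the request was malformed in the way the exploit requires, not that the server was vulnerable; correlate with the Struts version and patch status of the target before escalating.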

  39. Tomi Engdahl says:

    FCC’s Pai proposes ban on USF use on ‘national security threats’

    Federal Communications Commission (FCC) Chairman Ajit Pai said he has drafted a Notice of Proposed Rulemaking that would bar the use of Universal Service Funds to buy equipment from companies deemed national security threats. The action is in response to the latest wave of concerns on Capitol Hill regarding alleged ties between the Chinese military and intelligence communities and Chinese companies such as Huawei and ZTE.

    Pai will call for a vote on the proposal at a meeting April 17. The announcement comes after reports last Friday that he sent a letter to Congress in which he stated he shares concerns recently expressed about Huawei. For example, in February, Senators Tom Cotton (R-Arkansas) and Marco Rubio (R-Florida) introduced the “Defending U.S. Government Communications Act,” which would prohibit the United States government from buying or leasing telecommunications equipment and/or services from Huawei, ZTE, or any of their subsidiaries or affiliates. Congressman Mike Conaway (Texas-11) introduced a similar bill in the House of Representatives in January.

    “Threats to national security posed by certain communications equipment providers are a matter of bipartisan concern,” said Pai in a press statement. “Hidden ‘back doors’ to our networks in routers, switches—and virtually any other type of telecommunications equipment—can provide an avenue for hostile governments to inject viruses, launch denial-of-service attacks, steal data, and more. Although the FCC alone can’t safeguard the integrity of our communications supply chain, we must and will play our part in a government- and industry-wide effort to protect the security of our networks.”

  40. Tomi Engdahl says:

    Watering Hole Attack Exploits North Korea’s Flash Flaw

    An attack leveraging the compromised website of a Hong Kong telecommunications company is using a recently patched Flash vulnerability that has been exploited by North Korea since mid-November 2017, Morphisec warns.

    The targeted vulnerability, CVE-2018-4878, first became public in early February, after South Korea’s Internet & Security Agency (KISA) issued an alert on it being abused by a North Korean hacker group. Adobe patched the flaw within a week.

    By the end of February, cybercriminals were already abusing the vulnerability. The newly observed incident, Morphisec notes, is a textbook case of a watering hole assault. As part of such attacks, which are mainly focused on cyber-espionage, actors plant malware on websites their victims are likely to visit.

  41. Tomi Engdahl says:

    Pentagon Looks to Counter Ever-stealthier Warfare

    The US military has for years enjoyed a broad technological edge over its adversaries, dominating foes with superior communications and cyber capabilities.

    Now, thanks to rapid advances by Russia and China, the gap has shrunk, and the Pentagon is looking at how a future conflict with a “near-peer” competitor might play out.

    Air Force Secretary Heather Wilson recently warned that both Russia and China are experimenting with ways to take out the US military’s satellites, which form the backbone of America’s warfighting machine.

    “They know that we are dominant in space, that every mission the military does depends on space, and in a crisis or war they are demonstrating capabilities and developing capabilities to seek to deny us our space assets,” Wilson said.

    “We’re not going to let that happen.”

  42. Tomi Engdahl says:

    The Firefox Frontier:
    Mozilla launches Facebook Container Extension for Firefox that isolates your digital identity, preventing Facebook from tracking your activity on other sites — Our Multi-Account Containers extension has been a game changer for many users, letting them manage various parts of their online life without intermingling your accounts.

    Facebook Container Extension: Take control of how you’re being tracked
    March 27, 2018

    Our Multi-Account Containers extension has been a game changer for many users, letting them manage various parts of their online life without intermingling your accounts. To help Firefox users have more control of their data on Facebook, we’ve created the Facebook Container Extension.

  43. Tomi Engdahl says:

    First OpenSSL Updates in 2018 Patch Three Flaws

    The first round of security updates released in 2018 for OpenSSL patch a total of three vulnerabilities, but none of them appears to be serious.

    OpenSSL versions 1.1.0h and 1.0.2o patch CVE-2018-0739, a denial-of-service (DoS) vulnerability discovered using Google’s OSS-Fuzz service, which has helped find several flaws in OpenSSL in the past period.

    The security hole, rated “moderate,” is related to constructed ASN.1 types with a recursive definition.

    Finally, OpenSSL 1.1.0h fixes an overflow bug that could allow an attacker to access TLS-protected communications. The vulnerability, CVE-2017-3738, was first disclosed in December 2017, but since an attack is not easy to carry out the issue has been assigned a low severity rating and it has only been patched now.

  44. Tomi Engdahl says:

    Statistics Say Don’t Pay the Ransom; but Cleanup and Recovery Remains Costly

    Businesses have lost faith in the ability of traditional anti-virus products to detect and prevent ransomware. Fifty-three percent of U.S. companies infected by ransomware in 2017 blamed legacy AV for failing to detect the ransomware. Ninety-six percent of those are now confident that they can prevent future attacks, and 68% say this is because they have replaced legacy AV with next-gen endpoint protection.

    These details come from a February 2018 survey undertaken by Vanson Bourne for SentinelOne, a next-gen provider, allowing SentinelOne to claim, “This distrust in legacy AV further confirms the required shift to next-gen endpoint protection in defending against today’s most prominent information security threats.” This is a fair statement, but care should be taken to not automatically confuse ‘legacy AV’ with all traditional suppliers — many can also now be called next-gen providers with their own flavors of AI-assisted malware detection.

    SentinelOne’s Global Ransomware Report 2018 (PDF) questioned 500 security and risk professionals (200 in the U.S., and 100 in each of France, Germany and the UK) employed in a range of verticals and different company sizes.

    The result provides evidence that paying a ransom is not necessarily a solution to ransomware. Forty-five percent of U.S. companies infected with ransomware paid at least one ransom, but only 26% had their files unlocked. Furthermore, 73% of those firms that paid the ransom were targeted at least once again. Noticeably, while defending against ransomware is a security function, responding to it is a business function: 44% of companies that paid up did so without the involvement or sanction of the IT/security teams.

  45. Tomi Engdahl says:

    New “ThreadKit” Office Exploit Builder Emerges

    A newly discovered Microsoft Office document exploit builder kit has been used for the distribution of a variety of malicious payloads, including banking Trojans and backdoors, Proofpoint reports.

    The exploit builder kit was initially discovered in October 2017, but Proofpoint’s researchers have linked it to activity dating back to June 2017. The builder kit shows similarities to Microsoft Word Intruder (MWI), but is a new tool called ThreadKit.

  46. Tomi Engdahl says:

    jRAT Leverages Crypter Service to Stay Undetected

    In recently observed attacks, the jRAT backdoor was using crypter services hosted on the dark web to evade detection, Trustwave security researchers have discovered.

    Also known as Adwind, AlienSpy, Frutas, Unrecom, and Sockrat, the jRAT malware is a Windows-based Remote Access Trojan (RAT) discovered several years ago that has already infected nearly half a million users between 2013 and 2016. The threat has been hitting organizations all around the world and was recently spotted as part of an ongoing campaign.

    jRAT allows its operators to control it remotely to achieve complete control of the infected system. With the help of this backdoor, attackers can capture keystrokes, exfiltrate credentials, take screenshots, and access the computer’s webcam, in addition to executing binaries on the victim’s system.

    “It is highly configurable to whatever the attacker’s motive may be. jRAT has been commercially available to the public as a RAT-as-a-service business model for as little as $20 for a one-month use,” Trustwave notes.

  47. Tomi Engdahl says:

    Axonius Uses Existing Tools to Find, Secure Devices

    Axonius emerged from stealth mode on Tuesday with a platform designed to help organizations identify and secure all the devices on their network by leveraging existing security and management tools.

    The company aims to bridge the gap between device discovery and vulnerability assessment products with a solution that combines data from existing tools in an effort to provide a centralized view of all devices and help enterprises ensure that all their systems are patched.

    Axonius says its Cybersecurity Asset Management Platform can leverage combinations of nearly 30 tools from various vendors in order to discover all the devices on a network, obtain information about those systems, and ensure that they are not neglected by vulnerability scanners.

    The company has created what it calls “adapters” to integrate tools from Microsoft, Amazon, Cisco, enSilo, ESET, Forcepoint, Fortinet, IBM, Juniper, McAfee, ManageEngine, Qualys, Rapid7, Splunk, Symantec, VMware and others into its platform.

  48. Tomi Engdahl says:

    McAfee Enhances Product Portfolio, Unveils New Security Operations Centers

    Since emerging from Intel as a standalone cybersecurity company in April 2017, McAfee has consistently made multiple new product announcements simultaneously. It has continued that model this week with a new version of the Enterprise Security Manager (ESM 11), and enhancements to Behavioral Analytics, Investigator, Advanced Threat Defense, and Active Response.

    Significantly, it has also unveiled two new security operation centers (SOCs) that combine physical and cybersecurity into the McAfee Security Fusion Centers, located in Plano, Texas and Cork, Ireland. This is McAfee using its own products for its own organization: McAfee ‘eating its own dog food’ as its own Customer Zero.

    The SOCs have a triple purpose — to protect McAfee; to use McAfee products in a live scenario to provide practical feedback to the developers; and to provide an educational environment for customers to see McAfee SOC products in live action rather than choreographed simulation. The ‘practical feedback’ also provides an illustration of a key principle in McAfee’s product philosophy: man and machine integration, each learning from and benefiting the other.

    “The big deal for the McAfee Security Fusion Centers,”

