Researcher will demonstrate at Black Hat Europe his team’s recent discovery: a way to exploit popular user-blocking feature on social media and other sites.
At least a dozen social media and other online sites – including Facebook, Instagram, Tumblr, Google+, Twitter, eBay, PornHub, Medium, Xbox Live, Ashley Madison, Roblox, and Xvideos – were vulnerable to the side-channel attack found by researchers at NTT Secure Platform Laboratories and Waseda University. So far, Twitter and eBay have updated their platforms to prevent the attack, and some browsers, including Microsoft Edge, Microsoft Internet Explorer, and Mozilla Firefox, have added a feature to thwart the attack, according to Takuya Watanabe, who will present his team’s findings in December at Black Hat Europe in London.
During testing for our Intel Core i9-9900K review we found out that new ASUS Z390 motherboards automatically install software and drivers to your Windows 10 System, without the need for network access, and without any user knowledge or confirmation. This process happens in complete network-isolation (i.e. the machine has no Internet or LAN access). Our Windows 10 image is based on Windows 10 April 2018 Update and lacks in-built drivers for the integrated network controllers.
A new piece of malware is targeting Internet of Things (IoT) devices in an attempt to ensnare them into a botnet capable of launching distributed denial-of-service (DDoS) attacks, Sophos Labs reports.
Dubbed Chalubo (ChaCha-Lua-bot), the malware incorporates code from the Xor.DDoS and Mirai families, but also brings improvements in the form of anti-analysis techniques. Specifically, the authors have encrypted both the main component and its corresponding Lua script using the ChaCha stream cipher.
Mexico’s central bank said on Tuesday it had raised the security alert level in its payment system after a non-banking financial user reported “inconsistencies” in the cash payment matching system.
Apple has managed to prevent the hottest iPhone hacking company in the world from doing its thing.
Uncloaked by Forbes in March, Atlanta-based Grayshift promised governments its GrayKey tech could crack the passcodes of the latest iOS models, right up to the iPhone X. From then on, Apple continued to invest in security in earnest, continually putting up barriers for Grayshift to jump over. Grayshift continued to grow, however, securing contracts with Immigration and Customs Enforcement, and the Secret Service.
Now, though, Apple has put up what may be an insurmountable wall. Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above.
Online credit card theft has been all over the news: criminals inject hidden card stealers on legitimate checkout pages. But how are they are able to inject anything in the first place? As it turns out, thieves are massively exploiting unpublished security flaws (aka 0days) in popular store extension software.
While the extensions differ, the attack method is the same: PHP Object Injection (POI). This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site.
It appears that attackers have amassed a large number of extensions and found numerous POI vulnerabilities. And they are now probing Magento stores in the wild for these extensions.
Modus operandi
Some more info on this group’s modus operandi. Once any of the probes above is successful, a malicious actor will come back and insert a customized Javascript payment overlay for the specific site. This works for sites that have external payments, or no credit card payments at all, because a fake credit card payment section is inserted. Once a user enters his CC details and clicks submit, the fake credit card form disappears and the unsuspecting (?) user will likely try again. The fake form will not show a second time, because a cookie is set to prevent that.
Nowadays, it’s very easy for an advanced attacker to use commodity tools and malware along with very simple initial delivery methods to keep a low profile and stay away from possible attribution. One of the most common approaches is the use of spear phishing emails employing social engineering or commonly used exploits (such as CVE-2017-0199 or the ThreadKit builder) to trick the employees of organizations of interest. Once the initial infection has occurred is when the attacker becomes more sophisticated, deploying advanced custom pieces of malware, more advanced tools, and/or using living-off-the land tools (such as the use of PowerShell, or tools like CMSTP or Regsvr32).
Two hackers who stole millions of users’ data from ride-hailing firm Uber have been indicted on separate hacking charges related to a data breach at online learning portal Lynda, two people familiar with the case have told TechCrunch.
Security researchers found a new DDoS-for-hire service built with leaked code, that offers easy and cheap access to sufficient power to knock down most targets.
Thousands of bots, hundreds of gbps, low prices
The operators of the service promote themselves on social media networks, where they advertised over 500Gbps of power and 20,000 bots. These numbers are likely an exaggeration, as Fortinet saw lower speeds and fewer bots when they visited 0x-booter’s website: 424.825 Gbps and 16,993 bots.
prices between $20 for 15 minutes, and $150 for a two hour-long attack.
Brendan Koerner / Wired:
An in-depth look at how a swatting prank led to a deadly shooting in Wichita; Tyler Barriss, the serial swatter responsible, is facing federal and state charges
Her heartfelt rumination soon segued into a stinging critique of Wichita’s police, whom she largely blames for what happened to her son. His death last December, in bizarre circumstances that made headlines around the world, turned Finch into an advocate for holding cops to account when they make fatal errors
Finch conspicuously failed to mention the nihilistic Angeleno who has been widely vilified for his role in her son’s death. She goes out of her way to avoid letting this young man’s name cross her lips, even though he has become a global symbol of all that’s rotten in gaming culture.
The man who called the Glendale, California, police department at 1:52 pm on September 30, 2015, said his name was Alex. In a quiet, almost childlike voice, he stated that he’d placed several backpacks containing bombs inside the news studio of KABC-TV, adjacent to Griffith Park. The bombs would be remotely detonated in 10 minutes.
No explosives were found
Deceitful internet enthusiasts have been swatting strangers and acquaintances for more than a decade, using VoIP providers and virtual private networks to make themselves difficult to catch. The FBI issued a dispatch about the crime’s rising popularity in February 2008, noting that “individuals did it for the bragging rights and ego, versus any monetary gain.”
But the members of online communities where swatting is commonplace, such as certain hardcore gaming circles, consider that assessment too simplistic. Though they acknowledge that swatting is obnoxious, they also view it as a necessary form of frontier justice—a surefire way to stop vulgar “keyboard warriors” from slandering or threatening their online associates. “When you’re on the internet and your actions have little weight in real life, and then suddenly that translates into something as physically heavy as a swatting, it makes you realize the weight of your actions on a computer a lot more than you normally would,” says one former Call of Duty fanatic who has taken part in swattings.
Benjamin Wofford / Vox:
Interviews with government officials, analysts, and tech experts reveal severe vulnerabilities in many levels of the US election system, ahead of midterms — An investigation into the US
An investigation into the US election system reveals frightening vulnerabilities at almost every level.
Like burglars who pull the fire alarm and, in the ensuing chaos, ransack the cash register, the hackers entered through a hole of their own creation.
Within days, Knox hired a third-party security consultant, called Sword and Shield, to conduct a forensic analysis. Their report, which was shared with Vox and reviewed by cybersecurity experts, confirmed that no data was stolen during the attack. But among the various data sets on offer that night, one had controlled the website that ran the precinct tally. That software presented the attackers, whoever they were, with a chance to meddle with the preliminary results or, worse, to announce a false winner, at least temporarily.
Such a tactic has been attempted at least once before, by a Kremlin-affiliated hacking group in 2014. Sword and Shield’s report found that the DDOS attacks came from 65 countries. But it traced the malicious probe to just two: the United Kingdom and Ukraine. The latter has been a redoubt of Russian-affiliated hackers-for-hire, what the New York Times’s David Sanger has called “Putin’s petri dish” and Radio Free Europe calls “ground zero on the front lines of the global cyberwar.”
“It’s every county versus the FSB”
What happened in Knox County last spring provided apparent confirmation of what leaders in the intelligence community have warned for months: that the successful interference campaign in the 2016 elections — an event that the Senate Intelligence Committee this year called “an unprecedented, coordinated cyber campaign against state election infrastructure” — is being reprised in the 2018 midterms, and will continue for the foreseeable future.
“2016 certainly could have been a lot worse,” warns former CIA Director John Brennan
“It should be seen as a wake-up call,” he went on. “We are really flirting with disaster if we don’t come to terms with this.”
With the midterms two weeks away, news of electoral cyberattacks has begun to appear with growing frequency. In 2018, at least a dozen races for the House and Senate, mostly Democrats, have been the public targets of malicious cyber campaigns, in a variety of attacks that suggests the breadth of the threat: Campaigns have been besieged by network penetration attempts, spearphishing campaigns, dummy websites, email hacking, and at least one near-miss attempt to rob a Senate campaign of untold thousands of dollars.
“The Russians will attempt, with cyberattacks and with information operations, to go after us again,” said Eric Rosenbach, the former Pentagon chief of staff and so-called cyber czar, now at the Harvard Belfer Center, when I talked to him this summer. In fact, he added, “They’re doing it right now.”
During early voting in some Texas counties, a handful of voters reported seeing their straight-ticket votes changed to endorse the opposing party. Others reported that an issue with the voting machines appeared to remove any selection for U.S. Senate altogether.
The issue is specific to Hart eSlates, electronic voting systems created by major voting machine vendor Hart Intercivic. The Secretary of State’s office maintains that this issue is “not due to a malfunction with the machine” but rather is a result of user error.
“The Hart eSlate machines are not malfunctioning, the problems being reported are a result of user error – usually voters hitting a button or using the selection wheel before the screen is finished rendering,” said Sam Taylor, Texas Secretary of State Communications Director.
The eSlate is a direct recording electronic (DRE) voting machine that employs a selection wheel and five buttons in lieu of a touchscreen.
“Counties are already spending a great deal of money on the eSlate and using the systems in elections despite potential usability issues that could lead to longer voter times… and mistakes made by voters while making selections on ballots.”
GCHQ’s rumoured hacking operation against Belgacom came back into the spotlight yesterday after a local newspaper revealed more tantalising snippets from a Belgian judicial investigation into the attack.
Originally having come to light thanks to whistleblower Edward Snowden’s disclosures from American spy agency files he swiped from the NSA, the UK’s signals intelligence bods are said to have hacked into the Belgian telco in order to monitor private communications flowing over its networks.
Belgian newspaper De Standaard reported yesterday that a judicial investigation had found proof that the hack, traces of which were found by Belgacom, “was the work of the GCHQ, an intelligence service of ally Great Britain”.
The refusal to co-operate is unsurprising. For all manner of obvious diplomatic reasons, the UK is not going to confess to hacking one of its supposedly closest allies; an ally which hosts the key institutions of the EU as well as NATO.
the three Belgian techies’ machines were the ultimate gateway for the British spies into Belgacom’s networks, with the telco eventually confessing to 5,000 machines being infected.
Having man-in-the-middle’d Belgacom’s core routers, GCHQ was also, according to the Intercept, able to break into private VPN sessions as well as pinpointing phones using the 2G GPRS protocol. At the time, smartphone penetration in the Middle East and Africa region was much lower than it is today.
Googlers must clean up their language at work as the ads giant is being anal about references to, ahem, carnal knowledge in internal web links and documents.
Files and URLs with raunchy words like “fuck” in them are now forbidden from being shared around the workplace, and are already being automatically filtered out to prevent staff seeing them.
“Progress is impossible without change, and those who cannot change their minds cannot change anything.” – George Bernard Shaw
Although George Bernard Shaw died nearly 70 years ago, well before the security industry developed, his words encapsulate the evolution of security from hardware and point products, to an approach that relies increasingly on security DevOps.
Let’s take the first part of the quote: progress is impossible without change. The IT security industry has changed tremendously over the last twenty years. New vendors enter the market all the time with solutions designed to better protect organizations from the latest threats. There are hundreds of security vendors out there, not to mention open source tools as well.
Today, security teams face a highly fragmented market – picking and choosing tools from various vendors. The best of breed approach has ruled the day and now many organizations have a patchwork of product platforms from various security companies.
Which brings us to the second half of the quote: those who cannot change their minds cannot change anything. Gone are the days when you can simply put various pieces of hardware in place and think you’re protected. Unless these disparate solutions talk to each other, legitimate threats slip through the cracks. To close this gap, enterprises are now re-thinking the way they purchase and deploy security technologies.
Security vendors today make APIs available so that someone else – the customer or a third-party – can write software to access the APIs and tie solutions together. Many vendors are going a step further and adopting an API-first strategy, meaning their own user interfaces and administration consoles talk to the APIs.
A focus on security DevOps is also enabling software-defined networking and software-defined access so that enterprises can respond quickly to changing business requirements and enhance security. The solutions centralize configuration and management and use automation to deploy and secure applications and user access faster, with the right policies for users or devices to any application, across the network.
What does the increasing reliance on security DevOps mean for security professionals? Organizations need to step back and make sure they have the right people on the team. Different teams within security operations use different tools. Bringing these tools together into an enterprise security architecture requires representatives from each of these teams working together to develop and execute a roadmap.
Recorded Future has published a series of analyses on North Korea’s most senior leadership’s use of the internet. As the last report of the series, it demonstrates how adaptable this leadership has become in both using and monetizing its use of the internet.
The leadership’s pattern of global internet usage has shifted. A year ago, it peaked at the weekends, primarily for online gaming and video streaming. Over the last year, weekday usage has increased while weekend use has decreased (although weekend use is still primarily for gaming and streaming). Recorded Future does not know why this shift has occurred, but suggests that it is indicative of the global internet becoming a greater part of the leaders’ every day work.
IT security skills remain red hot, but just how many security positions are open now? What do top security pros earn? We round up instructive data
Security positions – whether in data, information, network, systems, or cloud – make the list of “hard-to-staff” positions in Robert Half Technology’s 2019 Salary Guide.
You’ve heard that one before.
the lowest percentiles for the least-skilled or least-experienced roles still commanding near-six-figure salaries. That’s the floor, folks.
The national average salary for a chief security officer is $270,000. (Source: Robert Half Technology)
At the highest level, the national average salary for a chief security officer is $270,000 (95th percentile). That’s second only to the CIO’s national average pay of $293,000 (also 95th percentile.
The role may be very complex or in a market where the competition for talent is extremely high.
Sure, that’s the C-suite, but you don’t need to sit anywhere near it to earn a hefty paycheck as a security pro these days. At the high end of Robert Half’s average salary tables, a top information systems security manager brings in nearly $200,000 per year.
All those lofty projections about a cybersecurity talent gap? Employers seem to already be pricing them into the job market. It’s not just salary data, either: There’s a range of numbers that quantify the current (and future) state of IT security talent.
3.5 million: The number of unfilled cybersecurity jobs worldwide expected in 2021
$93,000: The lowest national average salary for a security-related position in the U.S.
43,467: The number of open positions returned for a recent national search for “information security” on jobs site Glassdoor.
129,173: The number of results for a national job search for “information security” on LinkedIn.
78 percent : The percentage of companies (with internal security resources) that also hire an outside security firm for help
72 percent : In that same CompTIA report, nearly three out of four companies said they view their security center of operations (SOC) as an internal function.
25 percent of companies say “significant improvement” is needed in network security skills.
25 percent : The CompTIA report notes that certain bedrock security skills, such as network security and access control, are relatively strong in today’s businesses.
$199,750: Security gurus who are averse to a management position may want to reconsider: This is the national average salary (95th percentile) for a top-notch information systems security manager, according to Robert Half.
58 percent: The percentage of CIOs and other IT leaders (roughly 250 in all) included in a recent survey by TEKsystems who checked off security as one their top three technology areas
19 percent: The percentage of IT leaders in that same survey who listed “Having the right skills/expertise” as the “biggest barrier to successfully executing on key technology initiatives.”
Exploited omission in US-China cyber detente agreement.
Researchers have mapped out a series of internet traffic hijacks and redirections that they say are part of large espionage and intellectual property theft effort by China.
For many people who purchase a new Windows 10 PC, Microsoft’s built-in Edge browser has one purpose: to download an alternate browser like Google Chrome. The most common way to do this for people who don’t have the URL memorized? Type “download Chrome” in the address bar and click the first result provided by Bing search. Unfortunately those unsuspecting users have a high chance of downloading malware and adware. That’s because Bing has been serving up malicious but highly visible Google Chrome ads for months
The malicious URL that Bing is happy to promote can’t fool Google or Firefox. When I simply type the above URL into my Firefox browser I’m faced with a bold red page declaring “Deceptive Site Ahead” completely with details and an option to go back.
I notified Bing Ads of this issue, and since Landau’s tweet went viral overnight, I have confidence the malicious ad will be removed from Bing Search within the next 24 hours.
Catalin Cimpanu / ZDNet:
Researchers detail how state-owned China Telecom, the third largest carrier in the country, regularly hijacks internet traffic passing through the US and Canada — Chinese government turned to local ISP for intelligence gathering after it signed the Obama-Xi cyber pact in late 2015, researchers say.
Hong Kong carrier Cathay Pacific came under pressure Thursday to explain why it had taken five months to admit it had been hacked and compromised the data of 9.4 million customers, including passport numbers and credit card details.
Hong Kong carrier Cathay Pacific came under pressure Thursday to explain why it had taken five months to admit it had been hacked and compromised the data of 9.4 million customers, including passport numbers and credit card details.
The airline said Wednesday it had discovered suspicious activity on its network in March and confirmed unauthorised access to certain personal data in early May.
The airline said Wednesday it had discovered suspicious activity on its network in March and confirmed unauthorised access to certain personal data in early May.
However, chief customer and commercial officer Paul Loo said officials wanted to have an accurate grasp on the situation before making an announcement and did not wish to “create unnecessary panic”.
News of the leak sent shares in Cathay, which was already under pressure as it struggles for customers, plunging more than six percent to a nine-year low in Hong Kong trading.
Local politicians slammed the carrier, saying its response had only fuelled worries.
“Whether the panic is necessary or not is not for them to decide, it is for the victim to decide. This is not a good explanation at all to justify the delay,” said IT sector lawmaker Charles Mok.
And legislator Elizabeth Quat said the delay was “unacceptable” as it meant customers missed five months of opportunities to take steps to safeguard their personal data.
The airline admitted about 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) were accessed.
- Probe launched -
“We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised,” chief executive Rupert Hogg said in a statement Wednesday.
But Mok said the public needs to know how the company can prove that was the case.
“Such a statement doesn’t give people absolute confidence that we are completely safe, and it doesn’t mean that some of this data would not be misused later,” Mok told AFP.
British Airways owner IAG on Thursday said that a further 185,000 customers may have had their personal details stolen in a cyber attack earlier this year.
This includes the holders of 77,000 payment cards whose name, billing address, email address, card payment information have potentially been compromised.
A further 108,000 people’s personal details without card verification value have also been compromised, the airline said in a statement.
“While British Airways does not have conclusive evidence that the data was removed from its systems, it is taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” it said.
The company, which has promised to compensate any affected customers, said there had been no verified cases of fraud since its first announcement about the cyber attack in September.
Recorded Future has published a series of analyses on North Korea’s most senior leadership’s use of the internet. As the last report of the series, it demonstrates how adaptable this leadership has become in both using and monetizing its use of the internet.
Davey Alba / BuzzFeed News:
After Orlando let its pilot with Amazon’s facial “Rekognition” tech expire amid public outcry in June, FOIA docs show a new pilot has begun under a mutual NDA
New documents obtained by BuzzFeed News reveal the most detailed picture yet of how the Orlando Police Department is using Amazon Rekognition, the tech giant’s facial recognition technology.
Lokakuun alussa F-Secure ilmoitti, että taiwanilainen tietoliikennevalmistaja Zyxel alkaa ensimmäisenä valmistajana tarjota operaattorikumppaneilleen F-Securen teknologiaa. Tällä viikolla seurasi toinen laitevalmistajan julkistus Actiontec Electronicsin kanssa.
Cyber experts and European policy makers have gathered in the Europol headquarters in The Hague to share their experiences and knowledge on the Internet of Things (IoT) at the Europol-ENISA IoT Security Conference.
The key event is expected to tackle growing concerns that while there is expected to be over 20bn IoT devices in operation by 2020, it is not yet widely known how to address the security demands that come with this emerging technology.
A security bug in Systemd can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box.
The flaw therefore puts Systemd-powered Linux computers – specifically those using systemd-networkd – at risk of remote hijacking: maliciously crafted DHCPv6 packets can try to exploit the programming cockup and arbitrarily change parts of memory in vulnerable systems, leading to potential code execution. This code could install malware, spyware, and other nasties, if successful.
The New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump’s personal cellphone and using the information gleaned to better influence his behavior. This should surprise no one, writes Bruce Schneier.
Earlier this week, The New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump’s personal cellphone and using the information gleaned to better influence his behavior. This should surprise no one. Security experts have been talking about the potential security vulnerabilities in Trump’s cellphone use since he became president. And President Barack Obama bristled at—but acquiesced to—the security rules prohibiting him from using a “regular” cellphone throughout his presidency.
Three broader questions obviously emerge from the story. Who else is listening in on Trump’s cellphone calls? What about the cellphones of other world leaders and senior government officials? And—most personal of all—what about my cellphone calls?
There are two basic places to eavesdrop on pretty much any communications system: at the end points and during transmission. This means that a cellphone attacker can either compromise one of the two phones or eavesdrop on the cellular network. Both approaches have their benefits and drawbacks. The NSA seems to prefer bulk eavesdropping on the planet’s major communications links and then picking out individuals of interest.
Every month, a security team at Google releases a new set of patches for Android — and every month, carriers and manufacturers struggle to get them installed on actual phones. It’s a complex, long-standing problem, but confidential contracts obtained by The Verge show many manufacturers now have explicit obligations about keeping their phones updated written into their contract with Google.
Phones can’t go more than 90 days out of date on security
Fragmentation has always been a problem — especially when it comes to security
Personal data has become one of the most valuable commodities in the digital age, and marketers will do almost anything to get hold of it. By tracking what you do online, where you go and anything else they can discover, it is possible to build an accurate profile of you as a person. That profile can then be used to advertise goods and services that marketers think will interest you.
Smartphone manufacturers like Google and Apple have begun to tighten up privacy, forcing apps to ask permission before gaining access to your GPS location, or your camera for instance. This has made it much harder for marketers to collect quite as much personal data.
But marketers are fighting back – and they’ve developed a new workaround to beat your phone’s security settings.
Proof-of-concept code for a new zero-day vulnerability in Windows has been released by a security researcher before Microsoft was able to release a fix.
The code exploits a vulnerability that allows deleting without permission any files on a machine, including system data, and it has the potential to lead to privilege escalation.
Windows Defender is the first antivirus to gain the ability to run inside a sandbox environment, Microsoft said in an announcement. In software design, a “sandbox” is a security mechanism that works by separating a process inside a tightly controlled area of the operating system that gives that process access to limited disk and memory resources. The idea is to prevent bugs and exploit code from spreading from one process to another, or to the underlying OS.
No matter how robust an operating system is, it is difficult for it to be completely free of possible threats. Given that cybercriminals are constantly reinventing themselves, it follows that the same goes for cyberthreats. It is a constant cycle where any delay or slip up can open up new points of entry for unwanted visitors.
And if operating systems are vulnerable, the companies using them are also vulnerable. In many cases, companies entrust their corporate cybersecurity to a single piece of default software; but experience shows that this is not enough. We now yet more proof of this. And what’s more, it affects a huge number of companies all over the world.
How to avoid the vulnerabilities?
It is clear that, in light of these risks, companies can’t simply make do with the cybersecurity provided by their operating system; they must develop their own precautionary measures.
1.- Cyber-resilience. 90% of companies acknowledge that they are not cyber-resilient. This is something that needs to change right now. Against a backdrop where attacks are renewed and new strategies are constantly being developed, companies must actively protect their corporate cybersecurity and frequently renew their warning systems and processes.
2 .- 360º security.
3.- Check CFA. If a device in our company has suffered an intrusion using ExploitGuard CFA File Creator, it’s worth checking it, especially in order to verify what applications it has permission to access.
4.- Updates. On the other hand, companies must ensure that all their applications have the proper updates, since 99.96% of active vulnerabilities in corporate environments have pending updates that, were they applied, would greatly help to prevent security risks.
This is something that is highlighted in IDC’s report, The State of IT Resilience, which gives an overview of the current situation. Among its findings is the fact that, although companies see cyber-resilience as vital to their digital transformation processes, only 10% believe they have managed to become cyber-resilient.
As such, the remaining 90% still have unfinished business: implementing, increasing or improving their IT security processes in order to make their corporate cybersecurity more robust and, in this way, steer themselves towards a comprehensive and effective digital transformation. This is the only way to avoid security incidents with irreparable data loss (49% admit to having suffered this an incident of this type in the last three years).
report Cyber-Resilience: the Key to Business Security, written by Panda Security.
1.- Cybersecurity as a business strategy
Traditionally, in a significant proportion of large companies senior management didn’t get involved in corporate cybersecurity, and instead left it entirely in the hands of the technical department. However, in this day and age, the exponential increase in cyberattacks has forced businesses to place cybersecurity right at the heart of their corporate strategies, forming a vital pillar in the smooth running of the whole organization.
2.- Action protocols. Once cybersecurity occupies an appropriate position, it’s a good idea for companies to prepare for possible threats, and to design a series of action protocols so that, rather than improvising – an unwise course of action –, they follow a series of internal procedures in order to minimize, or even avoid, possible damage.
These protocols must be divided into four separate phases: prevention (before a possible attack), detection and proactive threat hunting (when an attack knocks at the door), containment and response (when an attack is underway, and you need to hinder the cybercriminal’s work), and reduction of the attack surface (when the attack is done and the effects need to be minimized).
3.- Cyber-recycling. Any cybersecurity expert knows that no protection can fully stand the test of time. New threats increase at an exponential rate, which means that cyber-resilient companies must be up to speed with not only the current threats, but also those that could appear in the future, knowing how to identify new trends and the new strategies that are constantly being adopted by cybercriminals.
4.- Eliminate risks at all levels. As we mentioned before, corporate cybersecurity is no longer just a matter for technical departments, but is something that must concern every layer of the company, including management.
It’s all well and good to start taking an interest in personal privacy. A run through the privacy settings of your social accounts won’t take long. And then the apps: Uber, Netflix, Amazon. Ah yes, other stores too — everywhere you’ve ever shopped. Everywhere you’ve ever gamed, procrastinated, banked, downloaded music, dated…this is getting tough.
The seemingly impossible task of regaining control over our own online security is now vital, though, and so Kaspersky Lab’s incubator came up with the Privacy Audit Web service. It’s a smart advocate, and it’s incredibly easy to use.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
We are a professional review site that has advertisement and can receive compensation from the companies whose products we review. We use affiliate links in the post so if you use them to buy products through those links we can get compensation at no additional cost to you.OkDecline
495 Comments
Tomi Engdahl says:
Side-Channel Attack Exposes User Accounts on Facebook, XBox, Other Social Sites
https://www.darkreading.com/cloud/side-channel-attack-exposes-user-accounts-on-facebook-xbox-other-social-sites/d/d-id/1333125?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
Researcher will demonstrate at Black Hat Europe his team’s recent discovery: a way to exploit popular user-blocking feature on social media and other sites.
At least a dozen social media and other online sites – including Facebook, Instagram, Tumblr, Google+, Twitter, eBay, PornHub, Medium, Xbox Live, Ashley Madison, Roblox, and Xvideos – were vulnerable to the side-channel attack found by researchers at NTT Secure Platform Laboratories and Waseda University. So far, Twitter and eBay have updated their platforms to prevent the attack, and some browsers, including Microsoft Edge, Microsoft Internet Explorer, and Mozilla Firefox, have added a feature to thwart the attack, according to Takuya Watanabe, who will present his team’s findings in December at Black Hat Europe in London.
Tomi Engdahl says:
ASUS Z390 Motherboards Automatically Push Software into Your Windows Installation
https://www.techpowerup.com/248827/asus-z390-motherboards-automatically-push-software-into-your-windows-installation
During testing for our Intel Core i9-9900K review we found out that new ASUS Z390 motherboards automatically install software and drivers to your Windows 10 System, without the need for network access, and without any user knowledge or confirmation. This process happens in complete network-isolation (i.e. the machine has no Internet or LAN access). Our Windows 10 image is based on Windows 10 April 2018 Update and lacks in-built drivers for the integrated network controllers.
Tomi Engdahl says:
DDoS-Capable IoT Botnet ‘Chalubo’ Rises
https://www.securityweek.com/ddos-capable-iot-botnet-chalubo-rises
A new piece of malware is targeting Internet of Things (IoT) devices in an attempt to ensnare them into a botnet capable of launching distributed denial-of-service (DDoS) attacks, Sophos Labs reports.
Dubbed Chalubo (ChaCha-Lua-bot), the malware incorporates code from the Xor.DDoS and Mirai families, but also brings improvements in the form of anti-analysis techniques. Specifically, the authors have encrypted both the main component and its corresponding Lua script using the ChaCha stream cipher.
Tomi Engdahl says:
Mexico central bank issues alert after insurer Axa cyberattack
https://www.reuters.com/article/mexico-centralbank-incident/mexico-central-bank-issues-alert-after-insurer-axa-cyberattack-idUSL2N1X403Z
Mexico’s central bank said on Tuesday it had raised the security alert level in its payment system after a non-banking financial user reported “inconsistencies” in the cash payment matching system.
Tomi Engdahl says:
Apple Just Killed The ‘GrayKey’ iPhone Passcode Hack
https://www.forbes.com/sites/thomasbrewster/2018/10/24/apple-just-killed-the-graykey-iphone-passcode-hack/#70bfd5d75318
Apple has managed to prevent the hottest iPhone hacking company in the world from doing its thing.
Uncloaked by Forbes in March, Atlanta-based Grayshift promised governments its GrayKey tech could crack the passcodes of the latest iOS models, right up to the iPhone X. From then on, Apple continued to invest in security in earnest, continually putting up barriers for Grayshift to jump over. Grayshift continued to grow, however, securing contracts with Immigration and Customs Enforcement, and the Secret Service.
Now, though, Apple has put up what may be an insurmountable wall. Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above.
Tomi Engdahl says:
Multiple 0days used by Magecart
https://gwillem.gitlab.io/2018/10/23/magecart-extension-0days/
Online credit card theft has been all over the news: criminals inject hidden card stealers on legitimate checkout pages. But how are they are able to inject anything in the first place? As it turns out, thieves are massively exploiting unpublished security flaws (aka 0days) in popular store extension software.
While the extensions differ, the attack method is the same: PHP Object Injection (POI). This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site.
It appears that attackers have amassed a large number of extensions and found numerous POI vulnerabilities. And they are now probing Magento stores in the wild for these extensions.
Modus operandi
Some more info on this group’s modus operandi. Once any of the probes above is successful, a malicious actor will come back and insert a customized Javascript payment overlay for the specific site. This works for sites that have external payments, or no credit card payments at all, because a fake credit card payment section is inserted. Once a user enters his CC details and clicks submit, the fake credit card form disappears and the unsuspecting (?) user will likely try again. The fake form will not show a second time, because a cookie is set to prevent that.
Tomi Engdahl says:
New Techniques to Uncover and Attribute Cobalt Gang Commodity Builders and Infrastructure Revealed
https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/
Nowadays, it’s very easy for an advanced attacker to use commodity tools and malware along with very simple initial delivery methods to keep a low profile and stay away from possible attribution. One of the most common approaches is the use of spear phishing emails employing social engineering or commonly used exploits (such as CVE-2017-0199 or the ThreadKit builder) to trick the employees of organizations of interest. Once the initial infection has occurred is when the attacker becomes more sophisticated, deploying advanced custom pieces of malware, more advanced tools, and/or using living-off-the land tools (such as the use of PowerShell, or tools like CMSTP or Regsvr32).
Tomi Engdahl says:
ICS Networks Continue to be Soft Targets For Cyberattacks
CyberX study shows that many industrial control system environments are riddled with vulnerabilities.
https://www.darkreading.com/vulnerabilities—threats/ics-networks-continue-to-be-soft-targets-for-cyberattacks/d/d-id/1333119?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/8566-ilmaisista-hakkerityokaluista-varoitetaan
Tomi Engdahl says:
Two hackers behind 2016 Uber data breach have been indicted for another hack
https://techcrunch.com/2018/10/25/uber-hackers-indicted-lynda-breach/?utm_source=tcfbpage&sr_share=facebook
Two hackers who stole millions of users’ data from ride-hailing firm Uber have been indicted on separate hacking charges related to a data breach at online learning portal Lynda, two people familiar with the case have told TechCrunch.
Tomi Engdahl says:
Bushido-Powered DDoS Service Whipped Up from Leaked Code
https://www.bleepingcomputer.com/news/security/bushido-powered-ddos-service-whipped-up-from-leaked-code/?fbclid=IwAR3uXSaXniab8Rmnsv-HVhWQXdQNaE4GfdprmWIatD3OdZAnC_M3sp9g89A
Security researchers found a new DDoS-for-hire service built with leaked code, that offers easy and cheap access to sufficient power to knock down most targets.
Thousands of bots, hundreds of gbps, low prices
The operators of the service promote themselves on social media networks, where they advertised over 500Gbps of power and 20,000 bots. These numbers are likely an exaggeration, as Fortinet saw lower speeds and fewer bots when they visited 0x-booter’s website: 424.825 Gbps and 16,993 bots.
prices between $20 for 15 minutes, and $150 for a two hour-long attack.
Tomi Engdahl says:
Hackers selling exploits to law enforcement agencies have poor security practices
https://www.techrepublic.com/article/hackers-selling-exploits-to-law-enforcement-agencies-have-poor-security-practices/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5bd309fe04d30145aa4a3eb7&utm_medium=trueAnthem&utm_source=facebook&fbclid=IwAR0AKhX_PXHsn2IHPx3eyderhoj0RfrntVYRmivZ93eTyHnkN2uOVZpj21k
Startups selling vulnerabilities, exploit kits, and access to personal data to government agencies have a poor record of securing their own platforms.
Tomi Engdahl says:
Brendan Koerner / Wired:
An in-depth look at how a swatting prank led to a deadly shooting in Wichita; Tyler Barriss, the serial swatter responsible, is facing federal and state charges
It Started as an Online Gaming Prank. Then It Turned Deadly
https://www.wired.com/story/swatting-deadly-online-gaming-prank/
Her heartfelt rumination soon segued into a stinging critique of Wichita’s police, whom she largely blames for what happened to her son. His death last December, in bizarre circumstances that made headlines around the world, turned Finch into an advocate for holding cops to account when they make fatal errors
Finch conspicuously failed to mention the nihilistic Angeleno who has been widely vilified for his role in her son’s death. She goes out of her way to avoid letting this young man’s name cross her lips, even though he has become a global symbol of all that’s rotten in gaming culture.
The man who called the Glendale, California, police department at 1:52 pm on September 30, 2015, said his name was Alex. In a quiet, almost childlike voice, he stated that he’d placed several backpacks containing bombs inside the news studio of KABC-TV, adjacent to Griffith Park. The bombs would be remotely detonated in 10 minutes.
No explosives were found
Deceitful internet enthusiasts have been swatting strangers and acquaintances for more than a decade, using VoIP providers and virtual private networks to make themselves difficult to catch. The FBI issued a dispatch about the crime’s rising popularity in February 2008, noting that “individuals did it for the bragging rights and ego, versus any monetary gain.”
But the members of online communities where swatting is commonplace, such as certain hardcore gaming circles, consider that assessment too simplistic. Though they acknowledge that swatting is obnoxious, they also view it as a necessary form of frontier justice—a surefire way to stop vulgar “keyboard warriors” from slandering or threatening their online associates. “When you’re on the internet and your actions have little weight in real life, and then suddenly that translates into something as physically heavy as a swatting, it makes you realize the weight of your actions on a computer a lot more than you normally would,” says one former Call of Duty fanatic who has taken part in swattings.
Tomi Engdahl says:
https://www.htbridge.com/blog/FT500-application-security.html
Tomi Engdahl says:
Benjamin Wofford / Vox:
Interviews with government officials, analysts, and tech experts reveal severe vulnerabilities in many levels of the US election system, ahead of midterms — An investigation into the US
The midterms are already hacked. You just don’t know it yet.
https://www.vox.com/2018/10/25/18001684/2018-midterms-hacked-russia-election-security-voting
An investigation into the US election system reveals frightening vulnerabilities at almost every level.
Like burglars who pull the fire alarm and, in the ensuing chaos, ransack the cash register, the hackers entered through a hole of their own creation.
Within days, Knox hired a third-party security consultant, called Sword and Shield, to conduct a forensic analysis. Their report, which was shared with Vox and reviewed by cybersecurity experts, confirmed that no data was stolen during the attack. But among the various data sets on offer that night, one had controlled the website that ran the precinct tally. That software presented the attackers, whoever they were, with a chance to meddle with the preliminary results or, worse, to announce a false winner, at least temporarily.
Such a tactic has been attempted at least once before, by a Kremlin-affiliated hacking group in 2014. Sword and Shield’s report found that the DDOS attacks came from 65 countries. But it traced the malicious probe to just two: the United Kingdom and Ukraine. The latter has been a redoubt of Russian-affiliated hackers-for-hire, what the New York Times’s David Sanger has called “Putin’s petri dish” and Radio Free Europe calls “ground zero on the front lines of the global cyberwar.”
“It’s every county versus the FSB”
What happened in Knox County last spring provided apparent confirmation of what leaders in the intelligence community have warned for months: that the successful interference campaign in the 2016 elections — an event that the Senate Intelligence Committee this year called “an unprecedented, coordinated cyber campaign against state election infrastructure” — is being reprised in the 2018 midterms, and will continue for the foreseeable future.
“2016 certainly could have been a lot worse,” warns former CIA Director John Brennan
“It should be seen as a wake-up call,” he went on. “We are really flirting with disaster if we don’t come to terms with this.”
With the midterms two weeks away, news of electoral cyberattacks has begun to appear with growing frequency. In 2018, at least a dozen races for the House and Senate, mostly Democrats, have been the public targets of malicious cyber campaigns, in a variety of attacks that suggests the breadth of the threat: Campaigns have been besieged by network penetration attempts, spearphishing campaigns, dummy websites, email hacking, and at least one near-miss attempt to rob a Senate campaign of untold thousands of dollars.
“The Russians will attempt, with cyberattacks and with information operations, to go after us again,” said Eric Rosenbach, the former Pentagon chief of staff and so-called cyber czar, now at the Harvard Belfer Center, when I talked to him this summer. In fact, he added, “They’re doing it right now.”
Tomi Engdahl says:
https://enigma0x3.net/2018/10/23/cve-2018-8414-a-case-study-in-responsible-disclosure/
Tomi Engdahl says:
Russian trolls get DM from US Cyber Command: We know who you are. Stop it
https://arstechnica.com/information-technology/2018/10/us-cyber-command-doxes-dms-warnings-to-russian-disinformation-trolls/
Part of new cyber strategy to identify, track, warn Russian operatives.
Tomi Engdahl says:
Every minute for three months, GM secretly gathered data on 90,000 drivers’ radio-listening habits and locations
https://boingboing.net/2018/10/23/dont-touch-that-dial.html
Tomi Engdahl says:
Texas has a long history of problems with Hart eSlate voting machines
https://techcrunch.com/2018/10/26/texas-voting-machines-changing-votes-hart-eslate/?utm_source=tcfbpage&sr_share=facebook
During early voting in some Texas counties, a handful of voters reported seeing their straight-ticket votes changed to endorse the opposing party. Others reported that an issue with the voting machines appeared to remove any selection for U.S. Senate altogether.
The issue is specific to Hart eSlates, electronic voting systems created by major voting machine vendor Hart Intercivic. The Secretary of State’s office maintains that this issue is “not due to a malfunction with the machine” but rather is a result of user error.
“The Hart eSlate machines are not malfunctioning, the problems being reported are a result of user error – usually voters hitting a button or using the selection wheel before the screen is finished rendering,” said Sam Taylor, Texas Secretary of State Communications Director.
The eSlate is a direct recording electronic (DRE) voting machine that employs a selection wheel and five buttons in lieu of a touchscreen.
“Counties are already spending a great deal of money on the eSlate and using the systems in elections despite potential usability issues that could lead to longer voter times… and mistakes made by voters while making selections on ballots.”
Tomi Engdahl says:
Belgium: Oi, Brits, explain why Belgacom hack IPs pointed at you and your GCHQ
State investigation finds non-Snowden proof of UK badness – local report
https://www.theregister.co.uk/2018/10/26/belgium_finds_evidence_gchq_belgacom_hack_proximus/
GCHQ’s rumoured hacking operation against Belgacom came back into the spotlight yesterday after a local newspaper revealed more tantalising snippets from a Belgian judicial investigation into the attack.
Originally having come to light thanks to whistleblower Edward Snowden’s disclosures from American spy agency files he swiped from the NSA, the UK’s signals intelligence bods are said to have hacked into the Belgian telco in order to monitor private communications flowing over its networks.
Belgian newspaper De Standaard reported yesterday that a judicial investigation had found proof that the hack, traces of which were found by Belgacom, “was the work of the GCHQ, an intelligence service of ally Great Britain”.
The refusal to co-operate is unsurprising. For all manner of obvious diplomatic reasons, the UK is not going to confess to hacking one of its supposedly closest allies; an ally which hosts the key institutions of the EU as well as NATO.
the three Belgian techies’ machines were the ultimate gateway for the British spies into Belgacom’s networks, with the telco eventually confessing to 5,000 machines being infected.
Having man-in-the-middle’d Belgacom’s core routers, GCHQ was also, according to the Intercept, able to break into private VPN sessions as well as pinpointing phones using the 2G GPRS protocol. At the time, smartphone penetration in the Middle East and Africa region was much lower than it is today.
Tomi Engdahl says:
F***=off, Google tells its staff: Any mention of nookie now banned from internal files, URLs
No sex, please, we’re the Chocolate Factory
https://www.theregister.co.uk/2018/10/22/google_bans_naughty_language/
Googlers must clean up their language at work as the ads giant is being anal about references to, ahem, carnal knowledge in internal web links and documents.
Files and URLs with raunchy words like “fuck” in them are now forbidden from being shared around the workplace, and are already being automatically filtered out to prevent staff seeing them.
Tomi Engdahl says:
To Strengthen Security, Shift Your Focus to Security DevOps
https://www.securityweek.com/strengthen-security-shift-your-focus-security-devops
“Progress is impossible without change, and those who cannot change their minds cannot change anything.” – George Bernard Shaw
Although George Bernard Shaw died nearly 70 years ago, well before the security industry developed, his words encapsulate the evolution of security from hardware and point products, to an approach that relies increasingly on security DevOps.
Let’s take the first part of the quote: progress is impossible without change. The IT security industry has changed tremendously over the last twenty years. New vendors enter the market all the time with solutions designed to better protect organizations from the latest threats. There are hundreds of security vendors out there, not to mention open source tools as well.
Today, security teams face a highly fragmented market – picking and choosing tools from various vendors. The best of breed approach has ruled the day and now many organizations have a patchwork of product platforms from various security companies.
Which brings us to the second half of the quote: those who cannot change their minds cannot change anything. Gone are the days when you can simply put various pieces of hardware in place and think you’re protected. Unless these disparate solutions talk to each other, legitimate threats slip through the cracks. To close this gap, enterprises are now re-thinking the way they purchase and deploy security technologies.
Security vendors today make APIs available so that someone else – the customer or a third-party – can write software to access the APIs and tie solutions together. Many vendors are going a step further and adopting an API-first strategy, meaning their own user interfaces and administration consoles talk to the APIs.
A focus on security DevOps is also enabling software-defined networking and software-defined access so that enterprises can respond quickly to changing business requirements and enhance security. The solutions centralize configuration and management and use automation to deploy and secure applications and user access faster, with the right policies for users or devices to any application, across the network.
What does the increasing reliance on security DevOps mean for security professionals? Organizations need to step back and make sure they have the right people on the team. Different teams within security operations use different tools. Bringing these tools together into an enterprise security architecture requires representatives from each of these teams working together to develop and execute a roadmap.
Tomi Engdahl says:
Overcoming Common SD-WAN Security Mistakes
https://www.securityweek.com/overcoming-common-sd-wan-security-mistakes
Tomi Engdahl says:
Analysis of North Korea’s Internet Traffic Shows a Nation Run Like a Criminal Syndicate
https://www.securityweek.com/analysis-north-koreas-internet-traffic-shows-nation-run-criminal-syndicate
Recorded Future has published a series of analyses on North Korea’s most senior leadership’s use of the internet. As the last report of the series, it demonstrates how adaptable this leadership has become in both using and monetizing its use of the internet.
The leadership’s pattern of global internet usage has shifted. A year ago, it peaked at the weekends, primarily for online gaming and video streaming. Over the last year, weekday usage has increased while weekend use has decreased (although weekend use is still primarily for gaming and streaming). Recorded Future does not know why this shift has occurred, but suggests that it is indicative of the global internet becoming a greater part of the leaders’ every day work.
Tomi Engdahl says:
IT security jobs by the numbers: 12 stats
https://enterprisersproject.com/article/2018/10/it-security-jobs-numbers-12-stats?sc_cid=7016000000127ECAAY
IT security skills remain red hot, but just how many security positions are open now? What do top security pros earn? We round up instructive data
Security positions – whether in data, information, network, systems, or cloud – make the list of “hard-to-staff” positions in Robert Half Technology’s 2019 Salary Guide.
You’ve heard that one before.
the lowest percentiles for the least-skilled or least-experienced roles still commanding near-six-figure salaries. That’s the floor, folks.
The national average salary for a chief security officer is $270,000. (Source: Robert Half Technology)
At the highest level, the national average salary for a chief security officer is $270,000 (95th percentile). That’s second only to the CIO’s national average pay of $293,000 (also 95th percentile.
The role may be very complex or in a market where the competition for talent is extremely high.
Sure, that’s the C-suite, but you don’t need to sit anywhere near it to earn a hefty paycheck as a security pro these days. At the high end of Robert Half’s average salary tables, a top information systems security manager brings in nearly $200,000 per year.
All those lofty projections about a cybersecurity talent gap? Employers seem to already be pricing them into the job market. It’s not just salary data, either: There’s a range of numbers that quantify the current (and future) state of IT security talent.
3.5 million: The number of unfilled cybersecurity jobs worldwide expected in 2021
$93,000: The lowest national average salary for a security-related position in the U.S.
43,467: The number of open positions returned for a recent national search for “information security” on jobs site Glassdoor.
129,173: The number of results for a national job search for “information security” on LinkedIn.
78 percent : The percentage of companies (with internal security resources) that also hire an outside security firm for help
72 percent : In that same CompTIA report, nearly three out of four companies said they view their security center of operations (SOC) as an internal function.
25 percent of companies say “significant improvement” is needed in network security skills.
25 percent : The CompTIA report notes that certain bedrock security skills, such as network security and access control, are relatively strong in today’s businesses.
$199,750: Security gurus who are averse to a management position may want to reconsider: This is the national average salary (95th percentile) for a top-notch information systems security manager, according to Robert Half.
58 percent: The percentage of CIOs and other IT leaders (roughly 250 in all) included in a recent survey by TEKsystems who checked off security as one their top three technology areas
19 percent: The percentage of IT leaders in that same survey who listed “Having the right skills/expertise” as the “biggest barrier to successfully executing on key technology initiatives.”
Tomi Engdahl says:
China systematically hijacks internet traffic: researcher
https://www.itnews.com.au/news/china-systematically-hijacks-internet-traffic-researchers-514537
Exploited omission in US-China cyber detente agreement.
Researchers have mapped out a series of internet traffic hijacks and redirections that they say are part of large espionage and intellectual property theft effort by China.
Tomi Engdahl says:
Stop Using Microsoft Edge To Download Chrome — Unless You Want Malware
https://www.forbes.com/sites/jasonevangelho/2018/10/27/stop-using-microsoft-edge-to-download-chrome-unless-you-want-malware/#ceae4d113ea6
For many people who purchase a new Windows 10 PC, Microsoft’s built-in Edge browser has one purpose: to download an alternate browser like Google Chrome. The most common way to do this for people who don’t have the URL memorized? Type “download Chrome” in the address bar and click the first result provided by Bing search. Unfortunately those unsuspecting users have a high chance of downloading malware and adware. That’s because Bing has been serving up malicious but highly visible Google Chrome ads for months
The malicious URL that Bing is happy to promote can’t fool Google or Firefox. When I simply type the above URL into my Firefox browser I’m faced with a bold red page declaring “Deceptive Site Ahead” completely with details and an option to go back.
I notified Bing Ads of this issue, and since Landau’s tweet went viral overnight, I have confidence the malicious ad will be removed from Bing Search within the next 24 hours.
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Researchers detail how state-owned China Telecom, the third largest carrier in the country, regularly hijacks internet traffic passing through the US and Canada — Chinese government turned to local ISP for intelligence gathering after it signed the Obama-Xi cyber pact in late 2015, researchers say.
China has been ‘hijacking the vital internet backbone of western countries’
https://www.zdnet.com/article/china-has-been-hijacking-the-vital-internet-backbone-of-western-countries/
Chinese government turned to local ISP for intelligence gathering after it signed the Obama-Xi cyber pact in late 2015, researchers say.
Tomi Engdahl says:
Questions Mount Over Delay After Cathay Pacific Admits Huge Data Leak
https://www.securityweek.com/questions-mount-over-delay-after-cathay-pacific-admits-huge-data-leak
Hong Kong carrier Cathay Pacific came under pressure Thursday to explain why it had taken five months to admit it had been hacked and compromised the data of 9.4 million customers, including passport numbers and credit card details.
Hong Kong carrier Cathay Pacific came under pressure Thursday to explain why it had taken five months to admit it had been hacked and compromised the data of 9.4 million customers, including passport numbers and credit card details.
The airline said Wednesday it had discovered suspicious activity on its network in March and confirmed unauthorised access to certain personal data in early May.
The airline said Wednesday it had discovered suspicious activity on its network in March and confirmed unauthorised access to certain personal data in early May.
However, chief customer and commercial officer Paul Loo said officials wanted to have an accurate grasp on the situation before making an announcement and did not wish to “create unnecessary panic”.
News of the leak sent shares in Cathay, which was already under pressure as it struggles for customers, plunging more than six percent to a nine-year low in Hong Kong trading.
Local politicians slammed the carrier, saying its response had only fuelled worries.
“Whether the panic is necessary or not is not for them to decide, it is for the victim to decide. This is not a good explanation at all to justify the delay,” said IT sector lawmaker Charles Mok.
And legislator Elizabeth Quat said the delay was “unacceptable” as it meant customers missed five months of opportunities to take steps to safeguard their personal data.
The airline admitted about 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) were accessed.
- Probe launched -
“We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised,” chief executive Rupert Hogg said in a statement Wednesday.
But Mok said the public needs to know how the company can prove that was the case.
“Such a statement doesn’t give people absolute confidence that we are completely safe, and it doesn’t mean that some of this data would not be misused later,” Mok told AFP.
Tomi Engdahl says:
BA Says 185,000 More Customers Affected in Cyber Attack
https://www.securityweek.com/ba-says-185000-more-customers-affected-cyber-attack
British Airways owner IAG on Thursday said that a further 185,000 customers may have had their personal details stolen in a cyber attack earlier this year.
This includes the holders of 77,000 payment cards whose name, billing address, email address, card payment information have potentially been compromised.
A further 108,000 people’s personal details without card verification value have also been compromised, the airline said in a statement.
“While British Airways does not have conclusive evidence that the data was removed from its systems, it is taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” it said.
The company, which has promised to compensate any affected customers, said there had been no verified cases of fraud since its first announcement about the cyber attack in September.
Tomi Engdahl says:
Analysis of North Korea’s Internet Traffic Shows a Nation Run Like a Criminal Syndicate
https://www.securityweek.com/analysis-north-koreas-internet-traffic-shows-nation-run-criminal-syndicate
Recorded Future has published a series of analyses on North Korea’s most senior leadership’s use of the internet. As the last report of the series, it demonstrates how adaptable this leadership has become in both using and monetizing its use of the internet.
Tomi Engdahl says:
Davey Alba / BuzzFeed News:
After Orlando let its pilot with Amazon’s facial “Rekognition” tech expire amid public outcry in June, FOIA docs show a new pilot has begun under a mutual NDA
With No Laws To Guide It, Here’s How Orlando Is Using Amazon’s Facial Recognition Technology
https://www.buzzfeednews.com/article/daveyalba/amazon-facial-recognition-orlando-police-department
New documents obtained by BuzzFeed News reveal the most detailed picture yet of how the Orlando Police Department is using Amazon Rekognition, the tech giant’s facial recognition technology.
Tomi Engdahl says:
F-Secure ja Elisa kehittävät iot-ajan reititintä – lupaa suojaa, vaikka valmistaja ei ole tietoturvaa edes miettinyt
https://www.tivi.fi/Kaikki_uutiset/f-secure-ja-elisa-kehittavat-iot-ajan-reititinta-lupaa-suojaa-vaikka-valmistaja-ei-ole-tietoturvaa-edes-miettinyt-6746856
Lokakuun alussa F-Secure ilmoitti, että taiwanilainen tietoliikennevalmistaja Zyxel alkaa ensimmäisenä valmistajana tarjota operaattorikumppaneilleen F-Securen teknologiaa. Tällä viikolla seurasi toinen laitevalmistajan julkistus Actiontec Electronicsin kanssa.
Tomi Engdahl says:
Yahoo! $50m! hack! damages! bill!, Russian trolls menaced by Uncle Sam inaction, computer voting-machine UI confusion, and more
https://www.theregister.co.uk/2018/10/27/security_roundup_261018/
Tomi Engdahl says:
Cyber experts and policymakers tackle future of IoT security at key Europol-ENISA conference
https://www.governmentcomputing.com/security/news/cyber-experts-policymakers-tackle-future-iot-security-key-europol-enisa-conference
Cyber experts and European policy makers have gathered in the Europol headquarters in The Hague to share their experiences and knowledge on the Internet of Things (IoT) at the Europol-ENISA IoT Security Conference.
The key event is expected to tackle growing concerns that while there is expected to be over 20bn IoT devices in operation by 2020, it is not yet widely known how to address the security demands that come with this emerging technology.
Tomi Engdahl says:
The D in Systemd stands for ‘Dammmmit!’ A nasty DHCPv6 packet can pwn a vulnerable Linux box
Hole opens up remote-code execution to miscreants – or a crash, if you’re lucky
https://www.theregister.co.uk/2018/10/26/systemd_dhcpv6_rce/
A security bug in Systemd can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box.
The flaw therefore puts Systemd-powered Linux computers – specifically those using systemd-networkd – at risk of remote hijacking: maliciously crafted DHCPv6 packets can try to exploit the programming cockup and arbitrarily change parts of memory in vulnerable systems, leading to potential code execution. This code could install malware, spyware, and other nasties, if successful.
Tomi Engdahl says:
Nobody’s Cellphone Is Really That Secure, Bruce Schneier Reminds
https://tech.slashdot.org/story/18/10/28/112251/nobodys-cellphone-is-really-that-secure-bruce-schneier-reminds?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
The New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump’s personal cellphone and using the information gleaned to better influence his behavior. This should surprise no one, writes Bruce Schneier.
Nobody’s Cellphone Is Really That Secure
But most of us aren’t the president of the United States.
https://www.theatlantic.com/technology/archive/2018/10/president-trump-and-cell-phone-security/574096/
Earlier this week, The New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump’s personal cellphone and using the information gleaned to better influence his behavior. This should surprise no one. Security experts have been talking about the potential security vulnerabilities in Trump’s cellphone use since he became president. And President Barack Obama bristled at—but acquiesced to—the security rules prohibiting him from using a “regular” cellphone throughout his presidency.
Three broader questions obviously emerge from the story. Who else is listening in on Trump’s cellphone calls? What about the cellphones of other world leaders and senior government officials? And—most personal of all—what about my cellphone calls?
There are two basic places to eavesdrop on pretty much any communications system: at the end points and during transmission. This means that a cellphone attacker can either compromise one of the two phones or eavesdrop on the cellular network. Both approaches have their benefits and drawbacks. The NSA seems to prefer bulk eavesdropping on the planet’s major communications links and then picking out individuals of interest.
Tomi Engdahl says:
Google mandates two years of security updates for popular phones in new Android contract
https://www.theverge.com/2018/10/24/18019356/android-security-update-mandate-google-contract
Every month, a security team at Google releases a new set of patches for Android — and every month, carriers and manufacturers struggle to get them installed on actual phones. It’s a complex, long-standing problem, but confidential contracts obtained by The Verge show many manufacturers now have explicit obligations about keeping their phones updated written into their contract with Google.
Phones can’t go more than 90 days out of date on security
Fragmentation has always been a problem — especially when it comes to security
Tomi Engdahl says:
Marketers develop a new sneaky tracking technique
https://www.pandasecurity.com/mediacenter/technology/new-sneaky-tracking-technique/
Personal data has become one of the most valuable commodities in the digital age, and marketers will do almost anything to get hold of it. By tracking what you do online, where you go and anything else they can discover, it is possible to build an accurate profile of you as a person. That profile can then be used to advertise goods and services that marketers think will interest you.
Smartphone manufacturers like Google and Apple have begun to tighten up privacy, forcing apps to ask permission before gaining access to your GPS location, or your camera for instance. This has made it much harder for marketers to collect quite as much personal data.
But marketers are fighting back – and they’ve developed a new workaround to beat your phone’s security settings.
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/salasanan-taytyy-kuolla-kai-6746785
Tomi Engdahl says:
New Windows Zero-Day Bug Helps Delete Any File, Exploit Available
https://www.bleepingcomputer.com/news/security/new-windows-zero-day-bug-helps-delete-any-file-exploit-available/
Proof-of-concept code for a new zero-day vulnerability in Windows has been released by a security researcher before Microsoft was able to release a fix.
The code exploits a vulnerability that allows deleting without permission any files on a machine, including system data, and it has the potential to lead to privilege escalation.
Tomi Engdahl says:
Twelve malicious Python libraries found and removed from PyPI
https://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/
One package contained a clipboard hijacker that replaced victims’ Bitcoin addresses in an attempt to hijack funds from users.
Tomi Engdahl says:
The D in Systemd stands for ‘Dammmmit!’ A nasty DHCPv6 packet can pwn a vulnerable Linux box
Hole opens up remote-code execution to miscreants – or a crash, if you’re lucky
https://www.theregister.co.uk/2018/10/26/systemd_dhcpv6_rce/
Tomi Engdahl says:
The midterms are already hacked. You just don’t know it yet.
An investigation into the US election system reveals frightening vulnerabilities at almost every level.
https://www.vox.com/2018/10/25/18001684/2018-midterms-hacked-russia-election-security-voting
Tomi Engdahl says:
Threat Roundup for October 19 to October 26
https://blog.talosintelligence.com/2018/10/threat-roundup-1019-1026.html
Tomi Engdahl says:
Windows Defender Becomes First Antivirus To Run Inside a Sandbox
https://tech.slashdot.org/story/18/10/29/1514204/windows-defender-becomes-first-antivirus-to-run-inside-a-sandbox?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Windows Defender is the first antivirus to gain the ability to run inside a sandbox environment, Microsoft said in an announcement. In software design, a “sandbox” is a security mechanism that works by separating a process inside a tightly controlled area of the operating system that gives that process access to limited disk and memory resources. The idea is to prevent bugs and exploit code from spreading from one process to another, or to the underlying OS.
Windows Defender becomes first antivirus to run inside a sandbox
https://www.zdnet.com/article/windows-defender-becomes-first-antivirus-to-run-inside-a-sandbox/
Windows Defender with sandbox support rolled out to Windows insiders, but some Windows 10 users can enable it right now.
Tomi Engdahl says:
Microsoft Says It Has Resolved an Issue With Bing Which Was Causing It To Push Malware When Users Searched for Chrome
https://search.slashdot.org/story/18/10/29/0936208/microsoft-says-it-has-resolved-an-issue-with-bing-which-was-causing-it-to-push-malware-when-users-searched-for-chrome?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Tomi Engdahl says:
If your company uses Windows 10, watch out: there are new vulnerabilities about
https://www.pandasecurity.com/mediacenter/security/windows-10-new-vulnerabilities/
No matter how robust an operating system is, it is difficult for it to be completely free of possible threats. Given that cybercriminals are constantly reinventing themselves, it follows that the same goes for cyberthreats. It is a constant cycle where any delay or slip up can open up new points of entry for unwanted visitors.
And if operating systems are vulnerable, the companies using them are also vulnerable. In many cases, companies entrust their corporate cybersecurity to a single piece of default software; but experience shows that this is not enough. We now yet more proof of this. And what’s more, it affects a huge number of companies all over the world.
How to avoid the vulnerabilities?
It is clear that, in light of these risks, companies can’t simply make do with the cybersecurity provided by their operating system; they must develop their own precautionary measures.
1.- Cyber-resilience. 90% of companies acknowledge that they are not cyber-resilient. This is something that needs to change right now. Against a backdrop where attacks are renewed and new strategies are constantly being developed, companies must actively protect their corporate cybersecurity and frequently renew their warning systems and processes.
2 .- 360º security.
3.- Check CFA. If a device in our company has suffered an intrusion using ExploitGuard CFA File Creator, it’s worth checking it, especially in order to verify what applications it has permission to access.
4.- Updates. On the other hand, companies must ensure that all their applications have the proper updates, since 99.96% of active vulnerabilities in corporate environments have pending updates that, were they applied, would greatly help to prevent security risks.
Tomi Engdahl says:
90% of companies acknowledge that they are not cyber-resilient
https://www.pandasecurity.com/mediacenter/security/companies-not-cyber-resilient/
Cyber-resilience: unfinished business
This is something that is highlighted in IDC’s report, The State of IT Resilience, which gives an overview of the current situation. Among its findings is the fact that, although companies see cyber-resilience as vital to their digital transformation processes, only 10% believe they have managed to become cyber-resilient.
As such, the remaining 90% still have unfinished business: implementing, increasing or improving their IT security processes in order to make their corporate cybersecurity more robust and, in this way, steer themselves towards a comprehensive and effective digital transformation. This is the only way to avoid security incidents with irreparable data loss (49% admit to having suffered this an incident of this type in the last three years).
report Cyber-Resilience: the Key to Business Security, written by Panda Security.
1.- Cybersecurity as a business strategy
Traditionally, in a significant proportion of large companies senior management didn’t get involved in corporate cybersecurity, and instead left it entirely in the hands of the technical department. However, in this day and age, the exponential increase in cyberattacks has forced businesses to place cybersecurity right at the heart of their corporate strategies, forming a vital pillar in the smooth running of the whole organization.
2.- Action protocols. Once cybersecurity occupies an appropriate position, it’s a good idea for companies to prepare for possible threats, and to design a series of action protocols so that, rather than improvising – an unwise course of action –, they follow a series of internal procedures in order to minimize, or even avoid, possible damage.
These protocols must be divided into four separate phases: prevention (before a possible attack), detection and proactive threat hunting (when an attack knocks at the door), containment and response (when an attack is underway, and you need to hinder the cybercriminal’s work), and reduction of the attack surface (when the attack is done and the effects need to be minimized).
3.- Cyber-recycling. Any cybersecurity expert knows that no protection can fully stand the test of time. New threats increase at an exponential rate, which means that cyber-resilient companies must be up to speed with not only the current threats, but also those that could appear in the future, knowing how to identify new trends and the new strategies that are constantly being adopted by cybercriminals.
4.- Eliminate risks at all levels. As we mentioned before, corporate cybersecurity is no longer just a matter for technical departments, but is something that must concern every layer of the company, including management.
Tomi Engdahl says:
Privacy audit: Find out what the Internet knows about you
https://www.kaspersky.com/blog/privacy-audit/24415/
Start with privacyaudit.me
It’s all well and good to start taking an interest in personal privacy. A run through the privacy settings of your social accounts won’t take long. And then the apps: Uber, Netflix, Amazon. Ah yes, other stores too — everywhere you’ve ever shopped. Everywhere you’ve ever gamed, procrastinated, banked, downloaded music, dated…this is getting tough.
The seemingly impossible task of regaining control over our own online security is now vital, though, and so Kaspersky Lab’s incubator came up with the Privacy Audit Web service. It’s a smart advocate, and it’s incredibly easy to use.
https://privacyaudit.me/en/