Wednesday, February 28, 2018
The A.V. Club Do the wrong thing: 90 years, 90 movies that should have been nominated for Best Picture | Earther You Need to Watch This New Netflix Series on Flint | The Takeout Do you find the Jane Walker whisky logo condescending? |
from Lifehacker http://ift.tt/2GRvNND
Earther What You Should Know About the EPA’s Proposal to Close Its Environmental Research Center | The A.V. Club Netflix’s plan for world domination looks especially bad for movies | The Takeout The search for a perfect pie crust: We meet again, lard |
from Lifehacker http://ift.tt/2HUn7r4
Philips clinical imaging solution plagued by vulnerabilities
Philips is developing a software update to mitigate 35 CVE-numbered vulnerabilities in the Philips IntelliSpace Portal (ISP), a clinical imaging visualization and analysis solution that is used by healthcare and public health organizations around the world.

According to ICS-CERT, some of the vulnerabilities can be exploited remotely by unauthenticated attackers and exploits for some of them are publicly available, although none are known to specifically target Philips ISP.
“At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem,” the Dutch technology company noted.
About the vulnerabilities
Neither ICS-CERT nor Philips mentions how the vulnerabilities were discovered, but it’s likely that at least some of them are found in third-party code included in this and other products not manufactured by Philips.
The vulnerabilities fall into several categories: improper input validation; information exposure; permission, privilege and access control; unquoted search path or element; leftover debug code; and cryptographic issues.
“Philips’ analysis has shown that these identified issues may allow attackers unauthorized access to sensitive information stored on the system, and modify this information as well as obtain sensitive information transmitted, including authentication credentials,” the company said, and confirmed that all 8.0.x and 7.0.x versions of the IntelliSpace Portal are affected.
Security updates and mitigations
Philips has announced that these issues will be solved in the newest software release for Philips IntelliSpace Portal, which is expected to be pushed out in the coming months.
“Additionally, Philips’ evaluation of Operating System security patches is ongoing, and after appropriate testing, the patches and mitigating controls are posted on Philips’ InCenter. ISP users are recommended to obtain available mitigating controls by accessing their InCenter account,” ICS-CERT noted.
ICS-CERT has added to this their usual mitigation advice: Minimize network exposure of the devices, make sure that they are not accessible from the Internet, put them behind firewalls and isolate them from the business network, and access them remotely through VPNs.
from Help Net Security http://ift.tt/2GQX9DB
Download: CISSP Exam Study Guide
The CISSP Exam Study Guide provides a solid foundation for anyone preparing to become a Certified Information Systems Security Professional. It contains materials to prepare you for all 8 domains of the CISSP exam.
In this guide you’ll find:
- An overview of the exam’s structure
- The key things you need to know in each domain
- Sample tests for each domain, with thorough explanations of the answers
- Additional resources to check out
- And more…
from Help Net Security http://ift.tt/2CpudUL
Surge in memcached-based reflected DDoS attacks is due to misconfigured servers
Massive memcached-based reflection DDoS attacks with an unprecedented amplification factor have been ongoing for the last few days, by taking advantage of memcached servers exposed to the Internet.

What is memcached?
Memcached is a distributed memory caching system and is used to speed up dynamic database-driven websites and Internet-facing services by caching data and objects in RAM.
It is often deployed in data center, cloud, and IaaS networks.
According to both Rapid7 and SANS ISC, there are currently over 100,000 exposed memcached servers on the Internet.
What’s the problem?
“The general idea behind all amplification attacks is the same. An IP-spoofing capable attacker sends forged requests to a vulnerable UDP server. The UDP server, not knowing the request is forged, politely prepares the response. The problem happens when thousands of responses are delivered to an unsuspecting target host, overwhelming its resources – most typically the network itself,” Cloudflare’s Marek Majkowski explains.
“Amplification attacks are effective because often the response packets are much larger than the request packets. A carefully prepared technique allows an attacker with limited IP spoofing capacity (such as 1Gbps) to launch very large attacks (reaching 100s Gbps) ‘amplifying’ the attacker’s bandwidth.”
Involving a memcached server in reflection/amplification DDoS attacks is easy: the attacker first puts in place a set of reflectors/amplifiers with arbitrary-length key/value pairs on a vulnerable memcached server, and then issues queries for them from the (spoofed) IP address of the target.
It’s not that memcached attacks were unknown before this (memcached as a possible amplification vector was pointed out last year), it’s that they have spiked in the last couple of days.
“At peak, we’ve seen 260Gbps of inbound UDP memcached traffic,” Majkowski shared.
According to US-CERT, memcached has a bandwidth amplification factor of 10,000 to 51,000, which is by far the highest when compared with that of other UDP protocols.
“Arbor’s current assessment is that, as with most other DDoS attack methodologies, memcached DDoS attacks were initially – and for a very brief interval – employed manually by skilled attackers; they have subsequently been weaponized and made available to attackers of all skill levels via so-called ‘booter/stresser’ DDoS-for-hire botnets,” Arbor Networks noted.
“The rapid increase in the prevalence of these attacks indicates that this relatively new attack vector was weaponized and broadly leveraged by attackers within a relatively short interval.”
What’s the solution?
Memcached lacks access controls by design, and that’s why it shouldn’t be exposed to the Internet.
“Attacks of the size potentially created by memcached reflection cannot be easily defended against by data center solutions, requiring the cooperation of upstream ISPs and/or cloud-based DDoS protection services,” says Akamai’s SIRT.
“Blocking port 11211 is a starting point for defenses and will prevent systems on your network from being used as reflectors. Configuring mitigation controls, like port blocking, can allow for this traffic to be handled quickly and efficiently.”
Setting the servers behind a firewall is also recommended.
Majkowski also urged developers to stop using UDP and stop enabling it by default.
“We’ve been down this road so many times. DNS, NTP, Chargen, SSDP and now memcached. If you use UDP, you must always respond with strictly a smaller packet size than the request. Otherwise your protocol will be abused,” he pointed out.
“Also remember that people do forget to set up a firewall. Be a nice citizen. Don’t invent a UDP-based protocol that lacks authentication of any kind.”
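The mitigations above come down to two settings on the cache node itself: do not listen on UDP, and do not bind to an Internet-facing interface. The following audit script is an added example, not code from the article or from the memcached project. It reads a Debian-style memcached.conf (one option per line) and flags the `-U` (UDP port) and `-l` (bind address) values that make a node usable as a reflector; the sample configs are constructed. One assumption is noted in the code: whether an absent `-U` means UDP is on depends on the memcached release, so that case is reported as something to verify rather than guessed.

```python
"""Audit memcached startup options for reflection/amplification exposure.

Flags that matter:
  -U <port>   UDP listen port; 0 disables UDP, which is the attack vector.
  -l <addr>   bind address; absent, 0.0.0.0 or :: means every interface,
              including any Internet-facing one.
Assumption: the UDP default for an absent -U varies by memcached release,
so that case is reported as "verify" instead of being guessed.
"""
import shlex
from dataclasses import dataclass

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


@dataclass
class Finding:
    option: str
    severity: str   # "high" or "verify"
    message: str


def parse_options(conf_text: str) -> dict:
    """Collect the last value given for each single-letter flag."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tokens = shlex.split(line)
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("-") and len(tok) == 2:
                # "-U 11211": value is the next token unless it is a bare switch like -d
                if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                    opts[tok] = tokens[i + 1]
                    i += 2
                else:
                    opts[tok] = ""
                    i += 1
            elif tok.startswith("-") and not tok.startswith("--"):
                opts[tok[:2]] = tok[2:]          # "-U11211" form
                i += 1
            else:
                i += 1                           # e.g. Debian's "logfile /var/log/..."
    return opts


def audit(conf_text: str) -> list:
    """Return the findings that make this node usable as a UDP reflector."""
    opts = parse_options(conf_text)
    findings = []

    udp = opts.get("-U")
    if udp is None:
        findings.append(Finding("-U", "verify",
            "no -U given; the UDP default depends on the release, confirm it is off"))
    elif udp.strip() != "0":
        findings.append(Finding("-U", "high",
            f"UDP enabled on port {udp}; set '-U 0', the attack needs UDP"))

    binds = [b.strip() for b in opts.get("-l", "").split(",") if b.strip()]
    if not binds or any(b in WILDCARD_BINDS for b in binds):
        findings.append(Finding("-l", "high",
            "listening on all interfaces; bind to loopback or the cache VLAN with -l"))
    return findings


# Constructed samples: a stock Debian-style layout before and after mitigation.
WEAK_CONF = """\
# constructed sample: UDP left on, no bind address
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-U 11211
-u memcache
"""

HARDENED_CONF = """\
# constructed sample: same node after mitigation
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-U 0
-l 127.0.0.1
-u memcache
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for f in audit(conf):
            print(f"  [{f.severity}] {f.option}: {f.message}")
```

A clean result from this script does not replace the edge firewall rule the Akamai quote recommends: dropping inbound UDP on port 11211 at the network boundary still protects nodes that someone later reconfigures.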
from Help Net Security http://ift.tt/2HSUoD1
Tuesday, February 27, 2018
UK cyber risk picture: Emergency services at risk of a major cyber attack
The UK’s emergency services are at risk of a major cyber-attack. This is the finding of a new landscape analysis, issued by intelligence provider Anomali.

The UK Threat Landscape report, which explores the UK’s Critical National Infrastructure (CNI) against threats and possible vulnerabilities, points to a number of weak spots in the UK which could attract an attack. One of the most notable, in addition to the emergency services, is the Defence Equipment and Supply Organisation which presents a prime target for actors seeking to disrupt defence procurement.
Other key findings of the analysis include the vulnerability of the UK’s energy infrastructure. 21% of all electricity is generated by 15 nuclear reactors, all of which are owned by EDF. This combination of monopoly of ownership and geographic clustering means that the civil nuclear sector is constantly on a high state of alert for a terrorist and cyber-attack.
Commenting on the findings, Hugh Njemanze, CEO of Anomali said, “The UK presents a complex cyber risk picture – previous foreign policy commitments and current tensions between NATO and other nation states make it a target for international terror organisations.
Within the UK, the nature of the economy and industry present a combination of opportunity and risk to those looking to plan a hybrid attack. The network of small and medium enterprises which support Critical National Infrastructure strengthens its resilience, whereas the geographical clustering of industries can weaken the system leaving them vulnerable to attack.
The UK’s emergency services are a prime example of this – the breadth and complexity of the organisations which comprise this mean there are a number of points of potential weakness. The number of notable attacks over the past few years are testament to this weakness. It is clear that the UK’s emergency services need to take action to stop this heightened risk becoming a reality. One of the best means of preventing these attacks is ensuring that knowledge of cyber threats is shared between emergency services operators so all can ensure the resilience of their networks.”
In addition to this, the UK’s Financial Services sector, which is a key pillar of the economy is highly vulnerable to cyber-attacks – it is subject to regular and significant stress tests by the Bank of England to prevent a major disruption to the economy.
from Help Net Security http://ift.tt/2HS4zYq
Earther Annihilation Reminds Us Why We Need Ecological Horror Stories | The A.V. Club Unsolved: The Murders Of Tupac And The Notorious B.I.G. is irredeemably wack | The Takeout Ask The Salty Waitress: What can I do when my friends behave like knuckleheads? |
from Lifehacker http://ift.tt/2BUJGuV
How to Peel and Slice a Mango
My love for mangos is deep and eternal, but there is no denying that they are slippery little buggers, which makes them a pain to peel. Fortunately, there are two easy ways to peel the gorgeous, golden fruit, neither of which require any single-use, fruit-specific tools.
For the first, which is my favorite, you’ll need a knife and a pint glass. The video shows you how it’s done, but all you have to do is slice each side off the pit, then, holding it firmly by the skin, slide the edge of your glass in between the flesh and the skin. Dispose of the evil skin (which I am very allergic to), slice as usual and enjoy.
The second method is also quite easy, but requires a bit more active peeling. Simply peel the fruit with a vegetable peeler, leaving two little circles on either side. Using these skin circles as grip pads, slice the slippery fruit from the pit, then peel off the little circles and dice it up however you like. (Oh, and if you are also allergic to mango skin, rinse the fruit off before eating, otherwise your lips may puff up in a most unattractive and uncomfortable fashion.)
from Lifehacker http://ift.tt/2EY07tp
Can the FBI really unlock ANY iPhone in existence?

US media giant Forbes is making a bold claim: the FBI can now unlock every iPhone in existence.
Actually, that’s not exactly what Forbes said – the headline used the slang term “Feds”, referring not just to the FBI, but to law enforcement in general and, by obvious association, to the world’s various intelligence services, too.
And, to be precise, Forbes put the word “probably” in the headline, too, neatly wrapped in brackets in a way that probably made the Forbes lawyers much happier.
So, according to Forbes, law enforcement agencies may be able to unlock many or most iPhones in use out there.
Is it true?
The company that caused Forbes to make this dramatic claim is one we’ve mentioned before on Naked Security: Cellebrite.
Cellebrite is headquartered in Israel, but owned by Suncorporation, a Japanese company broadly associated with video gaming and the pachinko industry. (A pachinko machine is a type of slot machine popular in Japan.)
You may recall that the FBI famously (or infamously, depending on where you stand in the phone unlocking debate) broke into the iPhone 5C of the dead San Bernardino terrorist and mass-murderer Syed Rizwan Farook.
At first, no one quite knew how the FBI did it.
We speculated that there were several approaches the cops might have used:
- Perhaps the passcode was 0000 or 2580, and the FBI got lucky?
- Perhaps the lock-out limit on guessing wasn’t turned on and so the FBI had thousands of tries, not just 10?
- Perhaps the iPhone had enough unencrypted data left in RAM to help the investigation?
- Perhaps the FBI could re-write RAM and flash storage to allow 10 guesses over and over again?
- Perhaps the FBI purchased a zero-day vulnerability in iOS?
- Perhaps the FBI recovered the passcode using fingerprint grease stains on the screen?
In the end, it seems that Cellebrite helped out in the San Bernardino case, in a phone hack that was claimed to have cost close to $1,000,000 in total, and that involved a system that worked only on a “narrow slice of phones,” apparently including the iPhone 5C but not the iPhone 5s or later.
What now?
Now, if Forbes is to be believed, Cellebrite has extended the range of phones it can successfully unlock, according to the company’s own marketing material:
Devices supported for Advanced Unlocking and Extraction Services include:
Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.
Google Android devices, including Samsung Galaxy and Galaxy Note devices; and other popular devices from Alcatel, Google Nexus, HTC, Huawei, LG, Motorola, ZTE, and more.
Of course, Cellebrite isn’t openly promising that it can always get everything off the systems listed above, merely that those devices “are supported”.
And Cellebrite isn’t saying which sorts of device – newer ones generally have more secure hardware to support the security baked into the software – it’s willing to take a go at.
You have to send the device to a Cellebrite office; it’s sent back unlocked, if possible – obviously, Cellebrite can’t guarantee to unlock any phone out there, not least because a confiscated device could, in fact, already be irreparably damaged.
But would Cellebrite go to the trouble of inviting law enforcement agencies to send “devices of interest” to a Cellebrite lab if it didn’t think it had a fair chance of getting in?
Does Cellebrite have an exploitable vulnerability up its sleeve that neither Apple nor the jailbreaking community has yet discovered?
Despite Forbes’s bullish (or bearish, depending on where you stand in the phone unlocking debate) claims, we simply can’t say.
What to do?
Let’s assume the worst – namely that Cellebrite does have a pair of iPhone and Android zero-day aces in the hole.
In a way, there’s some good news in that scenario: you can bet your boots (and your trendy phone case) that Cellebrite is going many miles out of its way not to let those zero-days become known, because they’d be the geese that laid the golden purchase orders.
So, even if Cellebrite is willing to have a go at cracking phones, for a fee, your device still isn’t wide open to just anyone.
In other words, the following simple precautions are well worth taking:
- Patch early, patch often. This can be tricky in the divided and inconsistent Android ecosystem, but it’s pretty easy in the iPhone world: when there’s an iOS update, install it right away. You’ll be protecting against plenty of new security holes that have recently been reported – and, who knows, if Cellebrite really does have a secret security hole of its own, sooner or later you’ll neutralise that one, too.
- Use the longest phone lock code you can manage. A 10-digit lock code is a mild irritation for a while, but soon starts to feel like a virtuous and more secure choice than 4 or 6 digits – because it is.
- Set the shortest lock period you can tolerate. A phone that automatically locks itself after a minute will annoy you from time to time, but it will annoy any prospective “hit and run” crooks (or mischievous friends and colleagues) a whole lot more.
from Naked Security http://ift.tt/2CNf5MJ
Earther There’s Life on the Closest Thing We Have to Mars | The A.V. Club Stephen Colbert breaks out the rum for a wild, shoeless interview with Jennifer Lawrence | The Takeout This month in overturned trucks: breakfast sausage, cattle, 77,000 pounds of chicken sludge |
from Lifehacker http://ift.tt/2CnvT1b
How Google implements the Right To Be Forgotten
Who is asking Google to delist certain URLs appearing in search results related to their name, and what kind of requests does the search giant honor?

The company has been keeping track of them since the “Right to be Forgotten” privacy ruling was put into practice by the European Union, and since January 2016 the company’s reviewers have been manually annotating each requested URL with additional category data, including category of site, type of content on page, and requesting entity.
“Together with the data that we have previously published about the Right To Be Forgotten, the new data allowed us to conduct an extensive analysis of how Europe’s right to be forgotten is being used, and how Google is implementing the European Court’s decision,” noted Elie Bursztein, leader of Google’s anti-abuse research team.
Number of delisting requests
The data showed that since the ruling came into effect (May 2014) up to February 2018, Google has received some 2.4 million URL delisting requests, and 43% of these URLs ended up being delisted.
Also, 89% of requesters were private individuals:

Interestingly, the top 1,000 requesters (0.25% of individuals filing RTBF requests) were responsible for 15% of the requests.
“Many of these frequent requesters are in fact not individuals themselves, but law firms and reputation management services representing individuals,” Bursztein noted.
The data collected since January 2016 showed that the two dominant intents behind the Right To Be Forgotten delisting requests are removing personal information and removing legal history.
It showed that the way the RTBF is exercised across Europe varies by country, as it is influenced by regional attitudes toward privacy, local laws, and media norms. Also, the great majority (77%) of the RTBF requests target local content.
How Google approaches each request
Google assesses each request on a case-by-case basis and, if it decides not to delist the URL, the requester receives an explanation of why.
“A few common material factors involved in decisions not to delist pages include the existence of alternative solutions, technical reasons, or duplicate URLs. We may also determine that the page contains information which is strongly in the public interest,” the company explained.
“Determining whether content is in the public interest is complex and may mean considering many diverse factors, including—but not limited to—whether the content relates to the requester’s professional life, a past crime, political office, position in public life, or whether the content is self-authored content, consists of government documents, or is journalistic in nature.”
Examples from last year
Here are a few examples (all from 2017):
Google received a request to delist four URLs from Google Search, including a government webpage containing records of a court case. The requester was listed as a victim of sexual abuse and human trafficking and the case occurred when the individual was a minor. Google delisted all four URLs.
The company received a request to delist dozens of recent, reputable news articles regarding the conviction of an individual for rape, including video footage of the victim. Given the articles’ recency and the severity of the crime, Google decided not to delist the content.
A man from the UK who was convicted of benefits fraud in 2012 asked Google to delist nearly 300 articles related to the conviction based on a document he provided suggesting he was later found innocent of the crime.
The company delisted 293 of the URLs, but after the requester asked them to delist several other pages related to his separate conviction for forging documents, Google re-reviewed the original document he submitted as proof of his innocence in the benefits case, and discovered that it was a forgery. So, they reinstated all of the URLs they had previously delisted.
Many more examples can be found in the latest update of Google’s Transparency Report.
from Help Net Security http://ift.tt/2BUprh5
Cellebrite Unlocks iPhones for the US Government
Forbes reports that the Israeli company Cellebrite can probably unlock all iPhone models:
Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11. That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.
[...]
It also appears the feds have already tried out Cellebrite tech on the most recent Apple handset, the iPhone X. That's according to a warrant unearthed by Forbes in Michigan, marking the first known government inspection of the bleeding edge smartphone in a criminal investigation. The warrant detailed a probe into Abdulmajid Saidi, a suspect in an arms trafficking case, whose iPhone X was taken from him as he was about to leave America for Beirut, Lebanon, on November 20. The device was sent to a Cellebrite specialist at the DHS Homeland Security Investigations Grand Rapids labs and the data extracted on December 5.
This story is based on some excellent reporting, but leaves a lot of questions unanswered. We don't know exactly what was extracted from any of the phones. Was it metadata or data, and what kind of metadata or data was it?
The story I hear is that Cellebrite hires ex-Apple engineers and moves them to countries where Apple can't prosecute them under the DMCA or its equivalents. There's also a credible rumor that Cellebrite's mechanisms only defeat the mechanism that limits the number of password attempts. It does not allow engineers to move the encrypted data off the phone and run an offline password cracker. If this is true, then strong passwords are still secure.
from Schneier on Security http://ift.tt/2CLmJHH
Mobile banking Trojans spread confusion worldwide
Consumers around the world who use mobile banking apps are at a greater risk of being tricked by cybercriminals and falling victim to mobile banking theft. This is according to new global research from Avast, which asked almost 40,000 consumers in Spain and eleven other countries around the world to compare the authenticity of official and counterfeit banking application interfaces.

Fraudulent software sometimes difficult to identify
Globally, 58% of respondents identified the official mobile banking app interface as fraudulent while 36% mistook the fake interface for the real one. In Spain, the results were similar at 67% and 27% respectively, compared to 40% and 42% in the U.S.
The findings highlight the level of sophistication and accuracy applied by cybercriminals to create trusted copies designed to spy on users, collect their bank login details, and steal their money.
Cybercriminals targeting banks
Researchers detected a number of mobile banking Trojans in recent months – a privacy and security threat that is on the rise. The banks targeted by cybercriminals and under the microscope in the survey include Citibank, Wells Fargo, Santander, HSBC, ING, Chase, Bank of Scotland and Sberbank.
Despite having strict security measures and safeguards in place, the large customer bases of each bank make them attractive targets for cybercriminals to develop fake apps that can mimic their official apps.
BankBot Trojan on Google Play
In November last year, Avast discovered a new strain of the BankBot Trojan on Google Play targeting consumers’ bank login details. This latest variant was concealed in supposedly trustworthy flashlight and Solitaire apps. Once downloaded, the malware would initiate and target the apps of large blue chip banks. If a user opened the banking application, the malware would create a fake overlay on top of the genuine app with the goal of collecting the customer’s banking details and sending them on to the attacker.
“We are seeing a steady increase in the number of malicious applications for Android devices that are able to bypass security checks on popular app stores and make their way onto consumers’ phones. Often, they pose as gaming and lifestyle apps and use social engineering tactics to trick users into downloading them”, said Gagan Singh, Senior VP and General Manager of Mobile at Avast.
“More often than not, consumers can rely on trusted app stores like Google Play and Apple’s App Store to download applications, but extra vigilance is also advised. It’s important to confirm that the banking app you are using is the verified version. If the interface looks unfamiliar or out of place, double-check with the bank’s customer service team. Also use two-factor authentication if it’s available and make sure you have a strong antivirus for Android installed to detect and protect you from money-grabbing malware.”
Consumers are worried
The survey also found that consumers across the globe are more concerned about having money stolen from their checking accounts than losing a wallet or purse or having their social media accounts hacked and their personal messages read. Globally, 72% of respondents voiced financial loss as their primary concern. In Spain, 85% of consumers said the same and 71% in the U.S.
43% of survey respondents worldwide said they use mobile banking apps. In both Spain and the U.S., 46% said they were active users. Of the respondents that don’t bank via smartphone or tablet, 30% pointed to a lack of security as the leading concern. This concern was shared by 21% of the respondents in Spain and 36% in the U.S.
from Help Net Security http://ift.tt/2HP2cWh
Monday, February 26, 2018
The A.V. Club The Walking Dead returns with the same old lines | Earther Has the Arctic Finally Reached a Tipping Point? | The Takeout Somebody Feed Phil is the sweetest, most joyful food show on TV |
from Lifehacker http://ift.tt/2BR0XoV
Private browsing is not that private, but it can be
Private, “Incognito mode” browsing sessions are not as foolproof as most users believe them to be.

“After a private session terminates, the browser is supposed to remove client-side evidence that the session occurred. Unfortunately, implementations of private browsing mode still allow sensitive information to leak into persistent storage,” a group of MIT and Harvard University researchers pointed out.
“Browsers use the file system or an SQLite database to temporarily store information associated with private sessions; this data is often incompletely deleted and zeroed-out when a private session terminates, allowing attackers to extract images and URLs from the session. During a private session, web page state can also be reflected from RAM into swap files and hibernation files; this state is in cleartext, and therefore easily analyzed by curious individuals who control a user’s machine after her private browsing session has ended. Simple greps for keywords are often sufficient to reveal sensitive data.”
While this is not exactly news for some information security professionals, workable solutions for this problem are scarce.
But Frank Wang, an MIT graduate student in electrical engineering and computer science; Nickolai Zeldovich, an associate professor of electrical engineering and computer science at MIT; and James Mickens, an associate professor of computer science at Harvard have come up with one, and it doesn’t rely on browsers adequately scrubbing the collected information from the system.
They called their solution Veil.
About Veil
Veil is a web framework that allows web developers to implement private browsing semantics for their pages and puts the onus on them to protect client-side user privacy.
The developers must recompile their web content using the Veil compiler. The compiler transforms cleartext URLs into blinded references, as well as injects into each page a runtime library that forces dynamic content fetches to use blinded references.
The compiler then uploads the objects in a web page to Veil’s blinding servers, from where the user’s browser will download the content.
“The blinding servers provide name indirection, preventing sensitive information from leaking to client-side, name-based system interfaces. The blinding servers mutate content, making object fingerprinting more difficult; rewritten pages also automatically encrypt client-side persistent storage, and actively walk the heap to reduce the likelihood that in-memory RAM artifacts will swap to disk in cleartext form. In the extreme, Veil transforms a page into a thin client which does not include any page-specific, greppable RAM artifacts,” the researchers explained.
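The name-indirection idea in the quote above, as an added toy example that is not Veil’s code: a page’s cleartext URLs are replaced by blinded references, and only the blinding server holds the table from reference back to content, so whatever a client-side cache or history persists under each name carries no greppable hint of what was visited. Assumptions, also marked in the code: a per-deployment HMAC key stands in for the real blinding scheme, the `/blind/` URL prefix and the regex over `href`/`src` attributes are this example’s own, and the sample page and assets are constructed. Veil’s other layers (encrypted client-side storage, heap walking) are not shown.

```python
"""Toy name indirection: blinded references instead of cleartext URLs.

Assumptions (this example's own, not Veil's): an HMAC key per deployment,
a /blind/<ref> URL scheme, and a regex that only rewrites href/src attributes.
"""
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Attribute values the compiler rewrites: href="..." and src="..."
URL_ATTR = re.compile(r'(href|src)="([^"]+)"')
BLIND_REF = re.compile(r"/blind/([0-9a-f]{32})")


def blind(url: str, key: bytes) -> str:
    """Opaque reference for a URL. Keyed HMAC, not a plain hash, so nobody
    who later reads the client's disk can confirm a guess by hashing
    candidate URLs themselves."""
    return hmac.new(key, url.encode(), hashlib.sha256).hexdigest()[:32]


class BlindingServer:
    """Holds the reference -> content table; the only place the mapping lives."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)
        self.objects = {}

    def publish(self, url: str, content: bytes) -> str:
        ref = blind(url, self.key)
        self.objects[ref] = content
        return ref

    def fetch(self, ref: str) -> bytes:
        return self.objects[ref]


def compile_page(html: str, assets: dict, server: BlindingServer) -> str:
    """Publish every referenced asset and rewrite the page so its markup
    carries only blinded references (the compiler step in the article)."""
    def swap(match):
        attr, url = match.group(1), match.group(2)
        ref = server.publish(url, assets[url])
        return f'{attr}="/blind/{ref}"'
    return URL_ATTR.sub(swap, html)


def greppable(artifacts, keyword: str) -> bool:
    """Would a simple grep over what the client persisted reveal the keyword?"""
    return any(keyword in artifact for artifact in artifacts)


# Constructed sample page and assets.
PAGE = '<a href="/health/test-results.html">results</a><img src="/img/logo.png">'
ASSETS = {
    "/health/test-results.html": b"<html>constructed sensitive page</html>",
    "/img/logo.png": b"constructed PNG bytes",
}


def demo():
    """Compile the sample page and show what a client would persist."""
    server = BlindingServer()
    compiled = compile_page(PAGE, ASSETS, server)
    # What a name-based client store (cache, history) would record: only refs.
    client_artifacts = [compiled] + BLIND_REF.findall(compiled)
    return {
        "compiled": compiled,
        "leaks_before": greppable([PAGE], "test-results"),
        "leaks_after": greppable(client_artifacts, "test-results"),
        "first_object": server.fetch(BLIND_REF.findall(compiled)[0]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the keyed construction is the failure mode the researchers describe: an unkeyed hash of the URL would still let someone with the disk confirm "did this user visit page X" by hashing X themselves, whereas a blinded reference only resolves at the blinding server.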
The good news for web developers is that Veil automates much of this effort – the framework is meant to be a helpful tool for those developers who want to protect user privacy, but don’t have the necessary technical skills to do it. It’s also a great tool for developers who are actively invested in using technology to hide sensitive user data.
The blinding servers required for this to work can be run by volunteers, be hosted by companies, or by the site administrators.
“An increasing number of web services define their value in terms of privacy protections, and recent events have increased popular awareness of privacy issues. Thus, we believe that frameworks like Veil will become more prevalent as users demand more privacy, and site operators demand more tools to build privacy-respecting systems,” the researchers concluded.
from Help Net Security http://ift.tt/2CIUdGA
A view of the global threat landscape: Cybercrime and intrusion trends
Established and well-resourced cyber operations will continue to innovate, developing new methods of distributing crimeware and incorporating advanced tactics to infiltrate, disrupt and destroy systems, according to a new report by CrowdStrike.

“We’ve already seen cyber adversaries launch massive, destructive attacks that render organizations inoperable for days or weeks. Looking ahead, security teams will be under even more pressure to detect, investigate, and remediate breaches faster,” said Dmitri Alperovitch, CrowdStrike’s CTO.
Key findings
- Based on observed incidents, the 2018 CrowdStrike Global Threat Report established that the average “breakout time” in 2017 was one hour and 58 minutes. Breakout time indicates how long it takes for an intruder to jump off the initial system they had compromised and move laterally to other machines within the network.
- In 2017, 39 percent of all observed attacks constituted malware-free intrusions that were not detected by traditional antivirus, with the manufacturing, professional services and pharmaceutical industries facing the most malware-free attacks.
- The propagation of advanced exploits has blurred the lines between statecraft and tradecraft, evolving the threat landscape beyond the defense capabilities of conventional security measures.
- Extortion and weaponization of data have become mainstream among cybercriminals, heavily impacting government and healthcare, among other sectors.
- Nation-state-linked attacks and targeted ransomware are on the rise and could be used for geopolitical and even militaristic exploitation purposes.
- Supply chain compromises and crypto fraud and mining will present new attack vectors for both state-sponsored and eCrime actors.
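The "breakout time" metric described in the first finding can be computed from an organization's own logon telemetry. The following is an added example, not CrowdStrike's code or method: it takes constructed logon records (the timestamps, hostnames and accounts are made up), a known patient-zero host and its compromise time, and returns the gap until the first network or remote-interactive logon that leaves that host for another machine. The logon-type values mirror Windows logon types 3 and 10 but the records are not real logs.

```python
"""Added example (not CrowdStrike's code): compute "breakout time" from
constructed logon records, i.e. the seconds between initial compromise of a
host and the first lateral logon originating from that host."""
from datetime import datetime

# Constructed sample events: timestamp, account, source host, destination host, logon type.
# Types 3 (network) and 10 (remote interactive) follow Windows logon types; values are made up.
SAMPLE_EVENTS = """\
2017-10-03T09:14:02Z,jdoe,WS-104,WS-104,2
2017-10-03T09:21:40Z,jdoe,WS-104,FS-01,3
2017-10-03T11:02:15Z,svc-backup,WS-104,DC-01,3
2017-10-03T11:09:51Z,svc-backup,DC-01,FS-02,10
"""

LATERAL_LOGON_TYPES = {"3", "10"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text):
    """Turn the CSV-like text into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, logon_type = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, TS_FORMAT),
            "account": account, "src": src, "dst": dst, "type": logon_type,
        })
    return sorted(events, key=lambda e: e["ts"])


def breakout_time(events, patient_zero, compromised_at):
    """Seconds from `compromised_at` (ISO-8601 string) to the first lateral logon
    that leaves `patient_zero` for a different host; None if none is observed."""
    start = datetime.strptime(compromised_at, TS_FORMAT)
    for e in events:
        if e["ts"] < start:
            continue  # activity before the compromise is not attributable to the intruder
        if (e["src"] == patient_zero and e["dst"] != patient_zero
                and e["type"] in LATERAL_LOGON_TYPES):
            return int((e["ts"] - start).total_seconds())
    return None


def average_breakout(seconds_list):
    """Mean over several incidents (the report's headline figure is an average);
    incidents without observed lateral movement (None) are excluded."""
    valid = [s for s in seconds_list if s is not None]
    if not valid:
        return None
    return sum(valid) / len(valid)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print(breakout_time(ev, "WS-104", "2017-10-03T09:14:02Z"))  # 458 seconds for the constructed data
```

Feeding this real authentication logs requires the compromise time from the triage of the initial alert; the metric is only as good as that anchor, so record how it was determined alongside the result.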

“Today, the lines between nation-states and eCrime actors are increasingly blurring, elevating the sophistication of threats to a new level. Actionable threat intelligence and real-time threat data are crucial in empowering better security and executive decisions,” said Adam Meyers, vice president of Intelligence at CrowdStrike. “With the Global Threat Report, public and private sector organizations can be better informed about the employed tactics, techniques, and procedures (TTPs) and properly allocate the defenses and resources necessary to protect assets that are most at risk.”
from Help Net Security http://ift.tt/2FwzuJ5
Monday review – the hot 20 stories of the week
from Naked Security http://ift.tt/2GM2JXH
Is GDPR-regulated data lurking in unexpected pockets of your organization?
A recent study showed that over 60 percent of corporate data is stored on employee endpoints. And yet, as companies work to ensure compliance with the new General Data Protection Regulation (GDPR), they still may be overlooking a few key areas.
The GDPR globally impacts the processing of all personal data on EU residents and takes effect on May 25, 2018. The challenge is that personal data doesn’t just live in your customer relationship management (CRM) system; it also exists, in a more unstructured way, on your company’s endpoints.
To protect company assets and meet GDPR compliance standards, organizations need to have a firm understanding of where personal data resides, including where it is created, used and stored. Failure to adequately secure user endpoints could mean major fines as well as damage to customer relationships and brand reputation.
Protect endpoint data
To secure potentially vulnerable endpoints, companies need to conduct a detailed impact assessment of their data systems. An important initial step in this assessment is defining what constitutes personal data. Because the definition can vary based on context and from country to country, your company should work with its legal counsel to gain clarity. For companies in the U.S. with customers or prospects in the EU, this likely means adopting the stricter European standard.
Next, it’s crucial that organizations get a good understanding of where personal data lives in their ecosystems and the areas it traverses, in both structured and unstructured ways. Employees want to work in the most efficient manner possible, which means they don’t always follow corporate IT policy when it gets in the way. Doing so isn’t necessarily malicious.
Imagine the implementation consultant who takes client information home to work on an issue after hours, or the sales rep who brings prospect data on the road in order to craft a customized pitch. Company leadership certainly does this as well – according to the CTRL-Z report, C-suite executives are the most likely to violate company data security policies. So, while a strict internal data policy is important, you also need the tools in place to account for human behavior and gain visibility to data as it moves in and out of traditional security perimeters.
Regardless of where your organization’s personal data resides – whether it’s on an endpoint or in a cloud application – under GDPR, if you get breached or ransomed, you have to be able to account for it. The more quickly and easily you can identify the scope of an incident, the faster you can begin to remedy the situation. Thankfully, there are software solutions available that can help companies assess their exposure by quickly identifying where files exist and what information is contained within them. By implementing endpoint data protection and visibility solutions, organizations can be well-positioned to investigate incidents and begin the recovery process.
Encryption is not enough
Encryption is another important data protection tool available to companies. But based on the requirements of GDPR, it’s still not enough to fully safeguard your company’s data assets. According to industry research, nearly 70 percent of data loss incidents originate on the endpoint.
Imagine scenarios in which credentials are taken or an employee acts maliciously with the intent to damage the company. In these cases, encryption wouldn’t be enough to stop the possible distribution of vital company data. Any data that users can access is potentially at risk. That’s why companies need software solutions that can monitor user endpoints, provide visibility into data movement and interactions, and alert personnel to suspicious activity.
Reporting an incident
Having a complete picture of your data ecosystem – where personal data lives and travels across an organization – is essential to not only safeguarding it, but also successfully reporting on it in the event of a breach. According to the new GDPR rules, companies must report an incident within 72 hours of detection. If you are uncertain where your data lives, however, there is no way to determine the magnitude of your exposure. In the event that data is compromised, knowing exactly what data is exposed and showing sufficient control over it will make interactions with the regulatory authority much smoother.
On the other hand, a breach may not have resulted in any personal data exposure at all. If you do not have a complete inventory of and visibility over your data, you could be filing unnecessary reports and risking consumer confidence without any real cause for alarm. Announcing to customers that you are unsure if personal data was exposed is nearly as bad as confirming its loss. After all, who wants to do business with a company that can’t be sure where personal data is stored?
Culture change required
Until now, many organizations haven’t thought about their entire data ecosystem as an asset that needs to be inventoried and managed in the same way as physical assets or regulated consumer data like protected health information or credit cardholder data. Under GDPR, that perspective will have to change. Companies need to expand the scope of what they consider to be personal data. Data should be treated as an asset, and companies need to take that seriously. Anything less could leave them vulnerable to outside attacks, regulatory infractions and reputational damage.
It’s an unfortunate reality that we can’t prevent all data breaches or data loss; and since complete prevention is impossible, companies need to be prepared to detect data breaches and respond quickly and effectively. Organizations need policies in place that govern internal data access and ultimately the capability to respond and investigate quickly during a data breach. With continuous data protection, visibility, recovery and oversight, companies can mitigate their risks and feel confident they are meeting GDPR standards while building trust with their consumers.
from Help Net Security http://ift.tt/2Fvz6dN
Sunday, February 25, 2018
Week in review: Hidden cybersecurity talent, the myths hampering cybersecurity maturity

Here’s an overview of some of last week’s most interesting news and articles:
Counterfeit digital certificates for sale on underground forums
Researchers have discovered that, for the last couple of years, a few underground vendors have been offering legitimately issued code signing certificates and domain name registration with accompanying SSL certificates.
Whitepaper: What is GDPR and what does your organisation need to do to comply?
Wherever your team stands on its path to readiness, this whitepaper will help you better understand GDPR and your company’s compliance obligations.
Discover hidden cybersecurity talent to solve your hiring crisis
Not having access to technical talent is a common complaint in the cybersecurity world. Folks with security experience on their resumes are in such high demand, CISOs need to hunt beyond the fields we know. To borrow a phrase from the ever-logical Mr. Spock, CISOs need to embrace Infinite Diversity in Infinite Combinations.
Russian, Indian banks lose millions to hackers
The Russian central bank’s Financial Sector Computer Emergency Response Team (FinCERT) disclosed that hackers compromised a computer at a Russian bank and used the SWIFT system to transfer 339.5 million roubles (around $6 million) to accounts they controlled.
Which phishing messages have a near 100% click rate?
Training employees to spot phishing emails, messages and phone calls can’t be done just once or once a year if the organization wants to see click rates decrease.
Email inboxes still the weakest link in security perimeters
Over one-third of all security incidents start with phishing emails or malicious attachments sent to company employees.
Intel releases Spectre 2 microcode updates for Kaby Lake, Coffee Lake, Skylake
Intel has released to OEMs a new set of Spectre firmware updates.
The four myths hampering cybersecurity maturity
The four myths that security organizations need to stop believing and how they should move forward.
What if defenders could see the future? Many clues are out there
Applying machine learning can help enhance network security defenses and, over time, “learn” how to automatically detect unusual patterns in encrypted web traffic, cloud, and IoT environments.
How organizations are confronting escalating third-party cyber risk
Based on in-depth interviews with security executives from 30 participating organizations across multiple industries, RiskRecon revealed how companies are managing the security risks of their complex digital supply chains and sensitive business partnerships.
BEC scammers actively targeting Fortune 500 companies
Nigerian scammers are targeting Fortune 500 companies, and have already stolen millions of dollars from some of them, IBM Security researchers have found.
Expected changes in IT/OT convergence and industrial security
Over the past year, we have seen a continued cross-pollination: IT security staff trying to step on the plant floor and plant teams trying to understand IT security.
Poor communication between CEOs and technical officers leads to misalignment
CEOs are incorrectly focused on malware, creating misalignment within the C-suite, which results in undue risk exposure and prevents organizations from effectively stopping breaches. Technical officers (CIOs, CTOs and CISOs) on the front lines of cybersecurity point to identity breaches – including privileged user identity attacks and default, stolen or weak passwords – as the biggest threat, not malware.
Afraid of AI? We should be
Not (yet!) of a sentient digital entity that could turn rogue and cause the end of mankind, but the exploitation of artificial intelligence and machine learning for nefarious goals.
Hack In The Box announces keynote speakers for 2018 Amsterdam event
Hack In The Box Security Conference (HITBSecConf) is returning to Amsterdam in April this year with more than 70 speakers who will take to stage.
The advent of GDPR could fuel extortion attempts by criminals
The number of exploit kit attacks is, slowly but surely, going down, and malware peddlers are turning towards more reliable tactics such as spam, phishing, and targeting specific, individual vulnerabilities. That’s the good news. The bad news is that everything else is on the rise: BEC scams, ransomware, stealthy crypto-mining, the number of enterprise records compromised in data breaches.
US sets up dedicated office for energy infrastructure cybersecurity
The US government is setting up a new Office of Cybersecurity, Energy Security, and Emergency Response (CESER) at the US Department of Energy. The CESER office will focus on energy infrastructure security and enable more coordinated preparedness and response to natural and man-made threats.
New infosec products of the week: February 23, 2018
A rundown of infosec products released last week.
from Help Net Security http://ift.tt/2oramfv
Saturday, February 24, 2018
Friday, February 23, 2018
The A.V. Club Long before Spider-Man, Sam Raimi cast Liam Neeson as a wilder, grosser superhero | Earther #ThisEatsThat Highlights the Totally Weird Shit Animals Eat | The Takeout Ask The Salty Waitress: Can I leave a server my number? |
from Lifehacker http://ift.tt/2GAzyGX
Which phishing messages have a near 100% click rate?
Training employees to spot phishing emails, messages and phone calls can’t be done just once or once a year if the organization wants to see click rates decrease.
For one thing, employees come and go (and change roles) with regularity. Secondly, threats change over time. Thirdly, knowledge and practices that aren’t regularly reinforced will be lost. And, finally, awareness isn’t the same as knowledge.
“Just knowing a threat exists isn’t the same as knowing how to recognize and respond to a threat when it presents itself. In-depth education about phishing prevention is needed to create lasting behavior change,” Wombat Security researchers point out.
The statistics included in the company’s latest annual State of the Phish report show the difference made by both the tools used to train end users to recognize and avoid phishing attacks and how often they are used.
In the US, most organizations use computer-based online security awareness training and simulated phishing attacks to train employees, while UK organizations generally opt for more passive training methods over hands-on practice:

Also, 46 percent of US organizations use those tools biweekly or monthly, while UK organizations do that in just 21 percent of cases.
As a result, 61 percent of US organizations see quantifiable results from these efforts, compared to 28 percent of UK orgs.
You also might find yourself tempted by a “set it and forget it” security awareness training program, the researchers noted, but that’s not ideal. “When you plan and schedule your phishing tests months (or even years) in advance, you lose the ability to be responsive to emerging threats and to tailor activities based on your results.”
Other interesting findings
The company based the report on data from tens of millions of simulated phishing attacks, and they found that:
- Personalized phishing tests (personalized email address, first name or last name) are no more effective than non-personalized ones.
- End users are most likely to report suspicious emails in the middle of the week.
- The topics and themes that are most tempting to end users are “online shopping security updates,” “corporate voicemail from an unknown caller,” and “corporate email improvements.”
- Two simulated phishing templates had a near 100% click rate: one that masqueraded as a database password reset alert, and another that claimed to include an updated building evacuation plan.
- Organizations in the telecommunications, retail, consumer goods, government, and hospitality industries have, on average, the worst click rate (15% to 13%), while those in the energy, finance, transportation and defense industrial base industries have the best (8% to 3%).
- Average click rates fell across all four categories (corporate, commercial, cloud and consumer emails) this year in comparison to 2016. The researchers particularly saw a significant improvement in click rates on cloud-based templates (business-related emails include messages about downloading documents from cloud storage services, or going to an online sharing service to create or edit a document).

Surveys of infosec professionals and end users also revealed that:
- On average, 53% of infosec professionals reported experiencing spear phishing in 2017.
- 95% of organizations train end users on how to identify and avoid phishing attacks.
- 45% of organizations said there are ramifications if their users continue to click on simulated phishing attacks. Consequences include counseling from a manager or IT department, additional training, and removal of access to systems, but also termination (11% of orgs) and a monetary penalty (5% of orgs).
- Most end users know what phishing is, but only 16% of them know what smishing is. “As more and more employees use smartphones to connect to corporate systems and data, the potential ramifications of an uneducated workforce should not be ignored,” the researchers pointed out.
from Help Net Security http://ift.tt/2CgDpeg
Election Security
I joined a letter supporting the Secure Elections Act (S. 2261):
The Secure Elections Act strikes a careful balance between state and federal action to secure American voting systems. The measure authorizes appropriation of grants to the states to take important and time-sensitive actions, including:
- Replacing insecure paperless voting systems with new equipment that will process a paper ballot;
- Implementing post-election audits of paper ballots or records to verify electronic tallies;
- Conducting "cyber hygiene" scans and "risk and vulnerability" assessments and supporting state efforts to remediate identified vulnerabilities.
The legislation would also create needed transparency and accountability in elections systems by establishing clear protocols for state and federal officials to communicate regarding security breaches and emerging threats.
from Schneier on Security http://ift.tt/2HFF1hd
Thursday, February 22, 2018
The A.V. Club Ryan Coogler, Michael B. Jordan, and Ta-Nehisi Coates are teaming up for a new movie | Earther Let Teens Do a Town Hall on Climate Change Next | The Takeout Shrimp paste is so funktastic it’ll make George Clinton jealous |
from Lifehacker http://ift.tt/2sNxSb2
Trend Micro fixes serious vulnerabilities in Email Encryption Gateway
Trend Micro has plugged a bucketload of vulnerabilities in its Email Encryption Gateway, some of which can be combined to execute root commands from the perspective of a remote unauthenticated attacker.

The Trend Micro Encryption for Email Gateway (TMEEG) is a Linux-based software solution/virtual appliance that provides the ability to perform the encryption and decryption of email at the corporate gateway, regardless of the email client and the platform from which it originated.
“The encryption and decryption of email on the TMEEG client is controlled by a Policy Manager that enables an administrator to configure policies based on various parameters, such as sender and recipient email addresses, keywords, or PCI compliance,” the company explains.
About the vulnerabilities
The vulnerabilities were discovered and privately disclosed to the company in June 2017 by Leandro Barragan and Maximiliano Vidal (Core Security Consulting Services). Security researcher Vahagn Vardanyan has also been credited with the discovery.
The flaws affect version 5.5 Build 1111 and below of the product.
The list includes twelve vulnerabilities with separate CVE numbers, and their severity ranges from low to critical:
- CVE-2018-6219: Insecure Update via HTTP (CVSS 7.5).
- CVE-2018-6220: Arbitrary file write leading to command execution (CVSS 7.5).
- CVE-2018-6221: Unvalidated Software Updates (CVSS 7.5).
- CVE-2018-6222: Arbitrary logs locations leading to command execution (CVSS 7.2).
- CVE-2018-6223: Missing authentication for appliance registration (CVSS 9.1).
- CVE-2018-6225: XML external entity injection in a configuration script (CVSS 5.5).
- CVE-2018-6226: Reflected cross-site scripting in two configuration scripts (CVSS 7.4).
- CVE-2018-6227: Stored cross-site scripting in a policy script (CVSS 7.4).
- CVE-2018-6228: SQL injection in a policy script (CVSS 4.9).
- CVE-2018-6229: SQL injection in an edit policy script (CVSS 6.5).
- CVE-2018-6224: Lack of cross-site request forgery protection (CVSS 6.8).
- CVE-2018-6230: SQL injection in a search configuration script (CVSS 3.8).
What can you do?
Trend Micro has released a security update (version 5.5 Build 1129) to plug ten of these holes, but the last two on the list are still unpatched.
“Due to the difficulties of implementing and the negative impact on critical normal product function of the proposed resolutions, as well as the pending End-of-Life of the Email Encryption Gateway product [in the coming weeks], Trend Micro has decided that these will not be addressed in the current iteration of the product,” the company stated.
But there are mitigating factors that should prevent those flaws from being exploited: CVE-2018-6224 has to be chained with at least three other (now patched) vulnerabilities to achieve remote command execution, and both CVE-2018-6224 and CVE-2018-6230 can be exploited only if the TMEEG web console is accessible via the Internet (which, by design, it is not).
So, the company advises admins to implement the offered update and to make sure that the web console is accessible only via the company intranet and only by users who need to be able to access it.
Core Security has published a separate security bulletin and has offered more technical details about the vulnerabilities, as well as Proof of Concept code for each.
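Two of the highest-scored issues above, "Insecure Update via HTTP" and "Unvalidated Software Updates", describe an updater that trusts whatever it downloads. The following is an added example, not Trend Micro's code, of the checks a defender expects before an update is applied: HTTPS from an allowlisted host, a digest compared against a manifest delivered over an authenticated channel, and rollback protection. The host `updates.example.com`, the package bytes and the manifest values are constructed for the example.

```python
"""Added example (not Trend Micro's code): gate a software update on transport,
integrity and version checks before anything is installed. Hosts, package
bytes and manifest values are constructed for the example."""
import hashlib
import hmac
from urllib.parse import urlparse

# Assumed allowlist of update hosts; not a real vendor endpoint.
TRUSTED_UPDATE_HOSTS = {"updates.example.com"}

# Constructed sample package and the manifest an authenticated channel would deliver.
GOOD_PACKAGE = b"example-gateway-update-5.5.1129"
GOOD_MANIFEST = {
    "version": "5.5.1129",
    "sha256": hashlib.sha256(GOOD_PACKAGE).hexdigest(),
}


def parse_version(text):
    """'5.5.1129' -> (5, 5, 1129); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.split("."))


def update_decision(url, package, manifest, installed_version):
    """Return ("accept", version) or ("reject", reason) for an offered update.

    Skipping any of these checks is the pattern behind "insecure update via
    HTTP" and "unvalidated software updates":
      1. transport: HTTPS only, from an allowlisted host, so an on-path party
         cannot substitute the package;
      2. integrity: the package digest must match the manifest (compared in
         constant time);
      3. rollback: the offered version must be newer than the installed one.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return ("reject", "plaintext transport")
    if parsed.hostname not in TRUSTED_UPDATE_HOSTS:
        return ("reject", "untrusted host")
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        return ("reject", "digest mismatch")
    try:
        offered = parse_version(manifest["version"])
        current = parse_version(installed_version)
    except (KeyError, ValueError):
        return ("reject", "malformed version")
    if offered <= current:
        return ("reject", "downgrade or replay")
    return ("accept", manifest["version"])


if __name__ == "__main__":
    print(update_decision("https://updates.example.com/pkg",
                          GOOD_PACKAGE, GOOD_MANIFEST, "5.5.1111"))
```

The digest check here stands in for signature verification: it is only meaningful if the manifest itself arrives over TLS from a trusted host or carries a signature the updater verifies first, otherwise an attacker who can replace the package can replace the manifest too.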
from Help Net Security http://ift.tt/2EUJG09
How one guy could have taken over any Tinder account (but didn’t)

An Indian researcher has put Tinder’s online security in the spotlight again.
Last month, we explained how missing encryption in Tinder’s mobile app made it less secure than using the service via your browser – in your browser, Tinder encrypted everything, including the photos you saw; on your mobile, the images sent for your perusal could not only be sniffed out but covertly modified in transit.
This time, the potential outcome was worse – complete account takeover, with a crook logged in as you – but thanks to responsible disclosure, the hole was plugged before it was publicised. (The attack described here therefore no longer works, which is why we are comfortable talking about it.)
In fact, researcher Anand Prakash was able to penetrate Tinder accounts thanks to a second, related bug in Facebook’s Account Kit service.
Account Kit is a free service for app and website developers who want to tie accounts to phone numbers, and to use those phone numbers for login verification via one-time codes sent in text messages.
Prakash was paid $5000 by Facebook and $1250 by Tinder for his troubles.
Note. As far as we can see in Prakash’s article and accompanying video, he didn’t crack anyone’s account and then ask for a bug bounty payout, as seemed to have happened in a recent and controversial hacking case at Uber. That’s not how responsible disclosure and ethical bug hunting work. Prakash showed how he could take control of an account that was already his own, in a way that would work against accounts that were not his. In this way, he was able to prove his point without putting anyone else’s privacy at risk, and without risking disruption to Facebook or Tinder services.
Unfortunately, Prakash’s own posting on the topic is rather abrupt – for all we know, he abbreviated his explanation on purpose – but it seems to boil down to two bugs that could be combined:
- Facebook Account Kit would cough up an AKS (Account Kit security) cookie for phone number X even if the login code he supplied was sent to phone number Y.
As far as we can tell from Prakash’s video (there’s no audio explanation to go with it, so it leaves a lot unsaid, both literally and figuratively), he needed an existing Account Kit account, and access to its associated phone number to receive a valid login code via SMS, in order to pull off the attack.
If so, then at least in theory, the attack could be traced to a specific mobile device – the one with number Y – but a burner phone with a pre-paid SIM card would admittedly make that a thankless task.
- Tinder’s login would accept any valid AKS security cookie for phone number X, whether that cookie was acquired via the Tinder app or not.
We hope we’ve got this correct, but as far as we can make out…
…with a working phone hooked up to an existing Account Kit account, Prakash could get a login token for another Account Kit phone number (bad!), and with that “floating” login token, could directly access the Tinder account associated with that phone number simply by pasting the cookie into any requests generated by the Tinder app (bad!).
In other words, if you knew someone’s phone number, you could definitely have raided their Tinder account, and perhaps other accounts connected to that phone number via Facebook’s Account Kit service.
What to do?
If you’re a Tinder user, or an Account Kit user via other online services, you don’t need to do anything.
The bugs described here were down to how login requests were handled “in the cloud”, so the fixes were implemented “in the cloud” and therefore came into play automatically.
If you’re a web programmer, take another look at how you set and verify security information such as login cookies and other security tokens.
Make sure that you don’t end up with the irony of a set of super-secure locks and keys…
…where any key inadvertently opens any lock.
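The two bugs above are both failures of binding: a login token issued for a number other than the one that received the code, and a relying party accepting any token for a number regardless of which app it was issued to. The following is an added example, not Facebook's or Tinder's code, of a phone-number login flow that binds the token to the number the code was actually sent to and to an audience (the app it was issued for), with a short lifetime and single-use challenges. The issuer key, phone numbers and app names are constructed; the relying party here shares the issuer's HMAC key as a simplification, where a real deployment would verify through the issuer's API.

```python
"""Added example (not Facebook's or Tinder's code): a phone-number login flow
whose issued token is bound both to the number that received the one-time
code and to the application it was issued for."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a server-side secret held by the identity provider; constructed here.
ISSUER_KEY = b"constructed-demo-issuer-key"
TOKEN_TTL_SECONDS = 600


class PhoneLoginService:
    """Toy identity provider in the style of a phone-number login service."""

    def __init__(self):
        self._challenges = {}  # challenge_id -> (phone the code was sent to, code)

    def start_login(self, phone):
        """Create a one-time code for `phone`. Returns (challenge_id, code); the
        code is returned only so the example runs offline, a real service
        would deliver it to `phone` by SMS."""
        code = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_hex(8)
        self._challenges[challenge_id] = (phone, code)
        return challenge_id, code

    def finish_login(self, challenge_id, claimed_phone, code, audience):
        """Exchange a code for a token. The subject is the number the challenge
        was created for, never a caller-supplied number, and the challenge is
        consumed on first use (right or wrong) so a code cannot be replayed."""
        entry = self._challenges.pop(challenge_id, None)
        if entry is None:
            return None
        sent_to, expected_code = entry
        if not hmac.compare_digest(expected_code, code):
            return None
        if sent_to != claimed_phone:
            return None  # code went to Y, token requested for X: refuse
        return issue_token(sent_to, audience)


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(phone, audience, now=None):
    """Signed claims: subject phone, audience app, expiry."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": phone, "aud": audience,
                          "exp": now + TOKEN_TTL_SECONDS}).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, expected_audience, now=None):
    """Relying-party check: valid signature, unexpired, issued for this app.
    Returns the phone number or None. Any token for the right number but the
    wrong audience is rejected, which is the check the article says was missing."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        expected_sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, sig):
            return None
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")
```

The structural point is that `finish_login` never lets the caller choose the subject: the phone number comes from the stored challenge, so a code delivered to one number can only ever produce a token for that number.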
from Naked Security http://ift.tt/2BKvCnF
Intel releases Spectre 2 microcode updates for Kaby Lake, Coffee Lake, Skylake
Intel has released to OEMs a new set of Spectre firmware updates. They include microcode for Kaby Lake, Coffee Lake, and Skylake processors.

“This represents our 6th, 7th, and 8th Generation Intel Core product lines as well as our latest Intel Core X-series processor family. It also includes our recently announced Intel Xeon Scalable and Intel Xeon D processors for data center systems,” Navin Shenoy, general manager of the Data Center Group at Intel Corporation, pointed out.
The release follows that of microcode updates for some Skylake-based platforms in early February, and Intel’s January advice to stop deploying initial firmware updates that addressed Spectre (variant 2) due to a higher than expected incidence of reboots and other unpredictable system behavior.
Shenoy advised users to implement OEM firmware updates as the OEMs release them.
Intel also maintains a regularly updated document that summarizes the current state of its Spectre microcode updates. The status of the various updates ranges from “planning” and “pre-beta” to “production.”
Microcode updates for older processors using the Broadwell and Haswell cores are still in “beta”.
Mitigation instead of an update?
Shenoy also noted the existence of a Google-developed mitigation technique for Variant 2 called Retpoline.
“‘Retpoline’ sequences are a software construct which allow indirect branches to be isolated from speculative execution. This may be applied to protect sensitive binaries (such as operating system or hypervisor implementations) from branch target injection attacks against their indirect branches,” Google explains.
“The name ‘retpoline’ is a portmanteau of ‘return’ and ‘trampoline.’ It is a trampoline construct constructed using return operations which also figuratively ensures that any associated speculative execution will ‘bounce’ endlessly.”
Intel has provided more information on Retpoline in a newly published white paper.
from Help Net Security http://ift.tt/2EXzYK9
What if defenders could see the future? Many clues are out there
Malware sophistication is increasing as adversaries begin to weaponize cloud services and evade detection through encryption, which is used as a tool to conceal command-and-control activity. To reduce adversaries’ time to operate, security professionals said they will increasingly leverage and spend more on tools that use AI and machine learning, according to the 11th Cisco 2018 Annual Cybersecurity Report (ACR).

While encryption is meant to enhance security, the expanded volume of encrypted web traffic (50 percent as of October 2017) — both legitimate and malicious — has created more challenges for defenders trying to identify and monitor potential threats. Cisco threat researchers observed more than a threefold increase in encrypted network communication used by inspected malware samples over a 12-month period.
Applying machine learning can help enhance network security defenses and, over time, “learn” how to automatically detect unusual patterns in encrypted web traffic, cloud, and IoT environments. Some of the 3,600 security professionals interviewed for the Cisco 2018 Security Capabilities Benchmark Study stated they were reliant on and eager to add tools like machine learning and AI, but were frustrated by the number of false positives such systems generate. While still in their infancy, machine learning and AI technologies will mature over time and learn what is “normal” activity in the network environments they are monitoring.
“Last year’s evolution of malware demonstrates that our adversaries continue to learn,” said John N. Stewart, Senior Vice President and Chief Security and Trust Officer, Cisco. “We have to raise the bar now – top down leadership, business led, technology investments, and practice effective security – there is too much risk, and it is up to us to reduce it.”
The financial cost of attacks is no longer a hypothetical number
According to study respondents, more than half of all attacks resulted in financial damages of more than US$500,000, including, but not limited to, lost revenue, customers, opportunities, and out-of-pocket costs.
Supply chain attacks are increasing in velocity, complexity
These attacks can impact computers on a massive scale and can persist for months or even years. Defenders should be aware of the potential risk of using software or hardware from organizations that do not appear to have a responsible security posture.
- Two such attacks in 2017, Nyetya and CCleaner, infected users by attacking trusted software.
- Defenders should review third-party efficacy testing of security technologies to help reduce the risk of supply chain attacks.
Security is getting more complex, scope of breaches is expanding
Defenders are implementing a complex mix of products from a cross-section of vendors to protect against breaches. This complexity and growth in breaches have many downstream effects on an organization’s ability to defend against attacks, such as increased risk of losses.
- In 2017, 25 percent of security professionals said they used products from 11 to 20 vendors, compared with 18 percent of security professionals in 2016.
- Security professionals said 32 percent of breaches affected more than half of their systems, compared with 15 percent in 2016.
Security pros see value in behavioral analytics tools
92 percent of security professionals said behavior analytics tools work well. Two-thirds of the healthcare sector, followed by financial services, found behavior analytics to work extremely well to identify malicious actors.

Use of cloud is growing: Attackers taking advantage of the lack of advanced security
- In this year’s study, 27 percent of security professionals said they are using off-premises private clouds, compared with 20 percent in 2016.
- Among them, 57 percent said they host networks in the cloud because of better data security; 48 percent, because of scalability; and 46 percent, because of ease of use.
- While cloud offers better data security, attackers are taking advantage of the fact that security teams are having difficulty defending evolving and expanding cloud environments. The combination of best practices, advanced security technologies like machine learning, and first-line-of-defense tools like cloud security platforms can help protect this environment.
Trends in malware volume have an impact on defenders’ time to detection (TTD)
- Cisco’s median TTD was about 4.6 hours for the period from November 2016 to October 2017, well below the 39-hour median TTD reported in November 2015 and the 14-hour median reported in the Cisco 2017 Annual Cybersecurity Report for the period from November 2015 to October 2016.
- The use of cloud-based security technology has been a key factor in helping Cisco to drive and keep its median TTD to a low level. Faster TTD helps defenders move sooner to resolving breaches.
from Help Net Security http://ift.tt/2CbyKdv
How organizations are confronting escalating third-party cyber risk
Based on in-depth interviews with security executives from 30 participating organizations across multiple industries, RiskRecon revealed how companies are managing the security risks of their complex digital supply chains and sensitive business partnerships.

Researchers identified vendor-neutral capability sets comprising common, emerging, and pioneering practices that firms have implemented to manage third-party security risk.
“Enterprise risk officers are waking up to the reality that their information risk increasingly resides in the systems of their third-parties, beyond the bounds of their own network. You can outsource your systems and operations to third-parties, but you cannot outsource your risk,” said RiskRecon CEO Kelly White.
The financial services industry is the clear leader
Financial services firms have been actively managing third-party security risk for an average of six and a half years, nearly four years longer than firms in other industries. Financial services firms also are the drivers behind more than 60 percent of the pioneering practices observed in the study.
Third-party security risk management is rapidly innovating
Thirty-two percent of the third-party risk management practices the study identified are implemented by fewer than 25 percent of the study participants. In all cases, these pioneering practices were recently implemented by the adopting firms. The practices leverage objective security data to better understand third-party risk performance and more intelligently allocate and engage risk analysts in assessments.
Pioneering firms are hunting for dangerous conditions in their third-party systems
Twenty-three percent of respondent companies are proactively identifying severe vulnerabilities in their vendors’ systems and working collaboratively with their vendors to quickly address the issues.
Fourth-party awareness is peaking over the horizon
While only seven percent of respondent firms are actively tracking fourth-parties (the third-parties used by their vendors), an additional 33 percent stated that they intend to implement capabilities to better manage fourth-party risk within two years, citing regulatory requirements as the primary driver.
Brian Johnson, a CISO consultant, said, “CISOs know that effective third-party security risk management is essential for protecting their enterprise, yet many lack the data necessary to appropriately understand and prioritize third-party risk exposure. The best thinking on solving risk lies within industry, where practitioners are solving real enterprise risk problems every day.”
from Help Net Security http://ift.tt/2EIXKKW
Wednesday, February 21, 2018
What Messages From Your Boss Really Mean
If you work from home, you know how important it is to stay connected with your boss and coworkers via email and chat programs like Slack. Trouble is, text-only communication can leave a lot up to the imagination in terms of tone. Is your online boss really a jerk who hates everything you do? Or are you just reading their messages in the worst way possible?
Order in lunch, fire up Slack, and plan your afternoon shower. It’s Work From Home Week! From our couches and our local coffeeshops, Lifehacker is bringing you advice on maintaining your productivity, balance, and sanity, whether you’re working at home for just a day or a whole career.
In this video, you’ll learn four useful online communication tips that are sure to reduce some of that remote worker anxiety you feel from time to time. For example, I explain:
- Why you shouldn’t read too much into messages, no matter how insincere they look.
- Why it’s good to actually speak with your boss face to face whenever you can.
- Why you should spend more time chatting in the company Slack.
If everyday communication is stressing you out while you work from home, take a deep breath, watch the video above, and realize that more often than not no news is good news when it comes to work messages.
from Lifehacker http://ift.tt/2Gx884G
The A.V. Club Live’s not dead: 21 great live albums from the 21st century | Earther The Trump Administration Might (Sort Of) Be Serious About Clean Coal | The Takeout Now Steak-umm is trolling Neutral Milk Hotel fans |
from Lifehacker http://ift.tt/2BEWyFo
To prevent data breaches, AWS offers S3 bucket permissions check to all users
Amazon Web Services (AWS) has announced that all customers can now freely check whether their S3 buckets are leaking stored data.
“Previously available only to Business and Enterprise support customers, [the S3 bucket permissions check] identifies S3 buckets that are publicly accessible due to ACLs or policies that allow read/write access for any user,” the cloud computing giant noted.

The check is available through AWS Trusted Advisor, an online tool that helps users inspect their AWS environment and improve system performance and reliability, optimize costs, and close security gaps.
About the S3 bucket permissions check
The S3 bucket permissions check is one of the seven core security checks available to all customers for free. It checks bucket policies and bucket access control lists (ACLs) to identify publicly accessible buckets.
“There are two ways that S3 buckets can be made publicly accessible: through bucket policies and ACLs,” the company explains.
“Bucket permissions check does not check object ACLs, which can allow everyone in the world or any authenticated AWS user to access the object and its permissions. An object can also be publicly accessible through the object’s ACLs. When an object is publicly accessible through the READ ACL, it allows access to the contents of the object. With READ_ACP and WRITE_ACP ACLs, grantees can also read and modify the object ACLs respectively.
“Bucket permissions check makes it easier to identify S3 buckets that provide public read and write access. You can also view whether the source for the public access is a bucket policy, a bucket ACL, or both. If you change a bucket policy or a bucket ACL, the Amazon S3 console analyzes them in real time and alerts you if those changes enable public read and write access on the bucket.”
The check labels each listed bucket as:
- Public – Publicly accessible by either everyone in the world or by any authenticated AWS user.
- Not public – The bucket is not publicly accessible but objects in it might be due to object ACLs.
- Access denied – Customer is locked out of the bucket.
- Error – Means that a service-related error occurred.
- Undetermined – Amazon S3 can’t determine whether the bucket is publicly accessible.
The list can be sorted so the customer can easily see more specific access information: which buckets grant Read and/or Write access, and the source of that access (an ACL, a bucket policy, or both).
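As an added example (not AWS’s code and not the Trusted Advisor implementation), the Python below applies the labelling described above to a bucket policy document and bucket ACL grants in the shapes the S3 API returns them; the sample inputs, the sets of read and write actions, and the choice to skip statements with a Condition are assumptions.

```python
# Added example (not AWS's code): label a bucket as the check described above does, from its
# bucket policy document and bucket ACL grants, in the shapes the S3 API returns them.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:*", "*"}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:Put*", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):  # "*" or {"AWS": "*"}: anyone, authenticated or not
    return principal == "*" or (isinstance(principal, dict)
                                and any("*" in _as_list(v) for v in principal.values()))

def policy_public_access(policy):
    """(read, write) the bucket policy grants to the world through Allow statements."""
    read = write = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if "Condition" in stmt:  # simplification (assumption): conditional grants are skipped
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        read = read or bool(actions & READ_ACTIONS)
        write = write or bool(actions & WRITE_ACTIONS)
    return read, write

def acl_public_access(grants):
    """(read, write) the bucket ACL grants to the AllUsers or AuthenticatedUsers groups."""
    read = write = False
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            perm = grant.get("Permission")
            read = read or perm in ("READ", "FULL_CONTROL")
            write = write or perm in ("WRITE", "FULL_CONTROL")
    return read, write

def classify_bucket(policy, grants):
    """Public / Not public plus the source (policy, acl, or both). Object ACLs are not examined."""
    p_read, p_write = policy_public_access(policy)
    a_read, a_write = acl_public_access(grants)
    sources = [n for n, hit in (("policy", p_read or p_write), ("acl", a_read or a_write)) if hit]
    return {"status": "Public" if sources else "Not public", "read": p_read or a_read,
            "write": p_write or a_write, "source": " and ".join(sources) or None}

# Constructed sample inputs (not real buckets): world-readable policy plus AllUsers WRITE ACL.
PUBLIC_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::example-bucket/*"}]}
PUBLIC_GRANTS = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]
```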
Leaking cloud
Cloud storage instances that can be accessed by anyone who stumbles upon them are a big problem: hardly a day goes by without news about some company or other inadvertently leaving sensitive data accessible to unauthorized users.
As flagged by the BBC, some security researchers have begun leaving “friendly warnings” to AWS S3 users whose private content has been made public.
But not all users will be lucky enough to get a warning and act on it. Malicious actors looking for unsecured data storage and information that can be of use to them will go in and out without the user noticing anything. So it’s definitely welcome news that Amazon is finally offering this check to all users.
from Help Net Security http://ift.tt/2HzW8kb
Poor communication between CEOs and technical officers leads to misalignment
A misalignment between CEOs and technical officers is weakening enterprise cybersecurity postures, according to Centrify.

CEOs are incorrectly focused on malware, creating misalignment within the C-suite, which results in undue risk exposure and prevents organizations from effectively stopping breaches. Technical officers (CIOs, CTOs and CISOs) on the front lines of cybersecurity point to identity breaches – including privileged user identity attacks and default, stolen or weak passwords – as the biggest threat, not malware.
As a result, cybersecurity strategies, project priorities, and budget allocations don’t always match up with the primary threats nor prepare companies to stop most breaches.
The study – a survey of 800 enterprise executives including CEOs, technical officers, and CFOs – highlights that:
- 62 percent of CEOs cite malware as the primary threat to cybersecurity, compared with only 35 percent of technical officers.
- Only 8 percent of all executives stated that anti-malware endpoint security would have prevented the “significant breaches with serious consequences” that they experienced.
- 68 percent of executives whose companies experienced significant breaches indicate it would most likely have been prevented by either privileged user identity and access management or user identity assurance.
“While the vast majority of CEOs view themselves as the primary owners of their cybersecurity strategies, this report makes a strong argument that companies need to listen more closely to their technical officers,” said Tom Kemp, CEO of Centrify. “It’s clear that the status quo isn’t working. Business leaders need to rethink security with a Zero Trust Security approach that verifies every user, validates their devices, and limits access and privilege.”
Investing in the wrong cybersecurity solutions
The 2017 Data Breach Investigations Report released by Verizon indicates that 81 percent of breaches involve weak, default, or stolen passwords. Identity is the primary attack vector, not malware, yet the report reveals that malware is still the focus for most CEOs:
- 60 percent of CEOs invest the most in malware prevention and 93 percent indicate they already feel “well-prepared” for malware risk.
- 49 percent of CEOs say their companies will substantially reduce malware threats over the next two years, yet only 28 percent of CTOs agree with this statement.
These investment decisions are frequently caused by misplaced confidence in the ability to protect against breaches, putting organizations at significant risk. While technical officers are more aware of the real risks, they are also frustrated by inadequate security budgets, as spending is typically strongly aligned with CEO priorities rather than with actual threats.
Poor communication leads to misalignment
The study also exposed that the disconnect between CEOs and technical officers leads to misaligned security strategies, and tension among executives.
- 81 percent of CEOs say they are most accountable for their organizations’ cybersecurity strategies, while 78 percent of technical officers make the same ownership claim.
- Only 55 percent of CEOs say their organization has experienced a breach, whereas 79 percent of CTOs acknowledge they’ve been breached. This indicates that 24 percent of CEOs are not aware that they have experienced a breach.
“The traditional security model of using well-defined perimeters between ‘trusted’ corporate insiders and ‘untrusted outsiders’ to protect assets has evolved with the advent of cloud, mobile and IoT. Yet most enterprises continue to prioritize spending on traditional security tools and approaches,” said Garrett Bekker, Principal Security Analyst at 451 Research. “Centrify’s research reveals that a primary reason for conflicting cybersecurity strategies and spending is that C-level executives and technical managers don’t always see eye-to-eye regarding security priorities, and a misaligned C-Suite can put the organization at risk. Modern organizations need to rethink their approach and adopt a framework that relies on verifying identity rather than location as the primary means of controlling access to applications, endpoints and infrastructure.”
Outdated thinking results in higher risk
CEOs also expressed frustration with security technologies that have a poor user experience and cause their employees to lose productivity. 62 percent of CEOs state that multi-factor authentication (MFA) is difficult to manage and is not user-friendly, while only 41 percent of technical officers agree with this assessment.
This outdated perception has been resolved by significant innovation by identity security vendors in areas such as machine learning. These advances have substantially reduced the burden of deploying and managing authentication solutions and improved the user experience for a range of security technologies.
from Help Net Security http://ift.tt/2CaBmbs