Cyber Risk News
IBM researchers have created a new approach to container isolation with the launch of Nabla containers, designed for strong isolation on a host. The containers achieve isolation by reducing the attack surface they expose to the host kernel, using only nine system calls.
According to the Nabla website, IBM researchers have "measured exactly how much access to the kernel common applications exhibit with Nabla containers and standard containers by measuring the number of system calls containerized applications make and correspondingly how many kernel functions they access.
"A containerized application can avoid making a Linux system call if it links to a library OS component that implements the system call functionality. Nabla containers use library OS - aka unikernel - techniques, specifically those from the Solo5 project, to avoid system calls and thereby reduce the attack surface. Nabla containers only use 9 system calls, all others are blocked via a Linux seccomp policy."
There has been a fierce debate within the industry regarding whether isolated containers or virtual machines (VMs) are more secure. James Bottomley, IBM research engineer and Linux kernel developer, wrote a blog regarding 'one of the biggest problems about container vs Hypervisor security': "No-one has actually developed a way of measuring security, so the debate is all in qualitative terms, but no-one actually has done a quantitative comparison."
The researchers then measured Nabla's performance, and showed that it is "far and away the best containment technology for secure workloads given that it sacrifices the least performance over docker to achieve the containment." The blog also noted that Nabla was twice as secure as hypervisor-based containment.
There are some limitations to Nabla, however: the Nabla runtime only supports images built for Nabla, and it is missing some features, which the team is currently working on.
Robocent, a Virginia-based political campaign and robocalling company, left hundreds of thousands of voter records in a publicly exposed and unprotected Amazon S3 bucket. This year has already seen a lineup of attempted attacks on local elections and campaigns, but this news comes less than a week after the indictment of 12 Russian officials for meddling in the 2016 US presidential election.
According to an 18 July blog post by Bob Diachenko, head of communications at Kromtech Security, Robocent’s self-titled bucket was reportedly "indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be found. Repository contained both audio files, with pre-recorded political messages for robocalls dials (*.mp3, *.wav), and voter data (*.csv, *.xls files)."
Voter names, phone numbers, addresses, age, gender, jurisdiction breakdown and political affiliation were among the information included in the data, which a Robocent co-founder told ZDNet was publicly available information that the company was only "keeping track of."
“Voter data is extremely sensitive and leaks like this highlight the need for organizations to maintain visibility into where their data is located within their cloud infrastructure and whether the storage system is risk appropriate given the sensitivity of the information. It’s easy for a fast-growing or seasonal organization like this one to lose track of that risk over time,” said Sam Bisbee, CSO, Threat Stack.
“Many companies have critical AWS cloud security misconfigurations. It’s an easy mistake to make. AWS customers need to take responsibility for their security by prioritizing infrastructure visibility. Find ways to proactively create transparency within the cloud to effectively manage the security of data and systems and you give your organization the best chance of defending itself against cybercriminals.”
The security of the 2018 midterm elections is a growing concern, which makes the lack of proper cybersecurity hygiene through virtually all job roles within the election ecosystem, private and public, problematic for security, said Ben Johnson, CTO and co-founder, Obsidian Security.
“Given this abysmal state of election security, one has to assume that any voter data that hasn’t already leaked soon will,” Johnson said. “Companies, campaigns and individuals are all racing to collect and utilize data without doing nearly enough to properly safeguard it. When you combine poor practices with lucrative data and motivated, sophisticated attackers, this picture will get worse before it gets better.”
A committee of MPs and peers in the UK has criticised the government for its lack of urgency in addressing the cybersecurity skills gap in relation to critical national infrastructure (CNI).
According to a report released following the meeting with The Joint Committee on the National Security Strategy, the shortage in specialist skills and deep technical expertise is one of the greatest challenges faced by the UK's CNI operators and regulators in relation to cybersecurity. The report also calls for ministers to step forward and take the lead in developing a strategy to give drive and direction.
The committee references the May 2017 WannaCry attack on the National Health Service, believing it demonstrated a fundamental need to ensure the UK is able to keep CNI secure from cyber-threats. It goes on to say that a lack of detailed analysis of which CNI sectors and specialisms are most acutely affected is hampering the government’s ability to understand, and therefore address, the gap between skills supply and demand.
"Our Report reveals there is a real problem with the availability of people skilled in cybersecurity but a worrying lack of focus from the government to address it," said chair of The Joint Committee, Margaret Beckett MP. "We’re not just talking about the ‘acute scarcity’ of technical experts which was reported to us, but also the much larger number of posts which require moderately specialist skills.
"We acknowledge that the cybersecurity profession is relatively new and still evolving and that the pace of change in technology may well outstrip the development of academic qualifications. However, we are calling on government to work closely with industry and education to consider short-term demand as well as long-term planning. As a very first response, government must work in close partnership with the CNI sector and providers to create a cybersecurity skills strategy to give clarity and direction. It is a pressing matter of national security to do so."
In its recommendations, the committee proposed that the government should address the need for continuing professional development for teachers and lecturers, enabling their knowledge to keep pace with the rapidly changing cybersecurity landscape. It also references increasing the number of women in the cybersecurity workforce, saying that a version of the CyberFirst Girls Competition could be used to attract returning mothers to the cybersecurity profession.
"I sympathise with the NCSC and others who have been tasked with addressing the cyber-skills gap for a few years now," said Eerke Boiten, professor of cybersecurity, De Montfort University. "They have pumped significant amounts of money out of the five year Cyber Security Strategy into various initiatives, not all of them looking likely to be productive. In particular, an initiative to introduce cyber security at secondary schools contained no thought on how to integrate this with the computing curriculum.
"I think that both for the medium term and the gender balance issue, secondary schools have to be the focal point. The drop in take up and the general perception of the Computer Science A level are serious concerns. Increasing the number of highly qualified teachers is indeed essential, but calling for more CPD is not going to be effective until there is resource for it at a time when most secondary schools are being cut financially.
"The government would also do well to note the points made about recruiting from abroad," he continued. "Brexit makes any job in the UK unattractive for most EU applicants; the limits on Tier 2 visas also have an adverse effect. The NSS recommendations gloss over this only where they talk of the 'implications, risks and opportunities of Brexit'."
A standalone skills strategy, promised by government in November 2016 and which would frame and give impetus to its various efforts, will be published by December 2018.
Cisco has advised users of its Policy Suite that it has discovered vulnerabilities, which allow remote attackers to access different features of the solution.
The company's Policy Suite provides a framework for building rules that can be used to enforce business logic against policy enforcement points such as network routers and packet data gateways. It is mainly used by wireless and mobile organisations.
According to Cisco, the vulnerability is due to a lack of authentication, meaning an attacker could gain access to existing repositories, make changes to them and create new ones. Furthermore, a vulnerability in the Cluster Manager could allow a remote attacker to log into an affected system using the root account, which has default, static user credentials. An exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.
Cisco has also pushed out patches for its SD-WAN, with seven high-rated advisories, and its VPN subsystem. For the SD-WAN solution, there is a file overwrite and a denial-of-service vulnerability.
The vulnerability affects releases prior to Release 18.2.0, with no workarounds that can address it. The tech giant has released free software updates that address the vulnerability, with its security incident response team believing that there has not been any malicious use.
The previous week, the company announced other vulnerabilities, including in the web-based user interface of the Cisco IP Phone 6800, 7800 and 8800 Series.
A large majority of US retailers have experienced a breach, which according to the 2018 Thales Data Threat Report exceeds the global average. The report found that 75% of retailers have experienced a breach in the past year, compared to 52% in 2017.
US retail lags behind the global average when it comes to implementing encryption, with only 26% of retailers reporting that they have begun implementation. Still, retail is more inclined to store sensitive data in the cloud as widespread digital transformation is under way, with 95% of retail organizations expected to use sensitive data in an advanced technology environment, such as cloud, internet of things (IoT) and containers. More than half of respondents said they believe sensitive data is currently being used in these environments without the proper security protocols.
“This year’s significant increase in data breach rates should be a wake-up call for all retail organizations. Digital transformation is well under way and the business benefits of the cloud, big data, IoT and mobile payment technologies are compelling and fueling widespread adoption,” Peter Galvin, chief strategy officer, Thales eSecurity, said in a press release.
“However, with the flow of sensitive data through all of these disparate platforms and technologies, the attack surface increases exponentially and with it the risk of a data breach.”
The report found that in 2018, retail data breaches more than doubled, from 19% in 2017 to 50% this year, making retail the second-highest vertical to experience a data breach in the last year, ahead of healthcare and financial services and only slightly behind the U.S. federal government.
“These increases come as no surprise to retailers. While nearly 95% of retailers acknowledge vulnerability to data breaches, now almost half recognize they are extremely vulnerable. This is an increase of 30% from the previous year,” said Garrett Bekker, principal analyst for information security at 451 Research.
Even though 84% of retailers plan to increase IT security spending, the report indicates that their spending plans don’t correlate with the most effective defenses.
“While this trend can be partially attributed to US retailers aggressively pursuing a multi-cloud strategy, these organizations continue, year after year, to spend on the same security solutions that worked for them previously. With increasingly porous networks and expanding use of external resources (SaaS, PaaS and IaaS most especially), traditional endpoint and network security are no longer sufficient to protect sensitive data,” said Bekker.
According to new research from Proofpoint, the majority of federal agencies are behind schedule when it comes to complying with the Department of Homeland Security’s (DHS's) Binding Operational Directive (BOD) 18-01. With less than 90 days remaining for agencies to secure their email systems, some agencies have not started their Domain-based Message Authentication, Reporting & Conformance (DMARC) email authentication compliance journey for any of their domains, according to the research.
Email authentication, when deployed, can prevent spoofing for the trusted domains of federal agencies that are in compliance, but a lot of work goes into implementing and enforcing DMARC. Federal agencies run the risk of blocking legitimate email, and DHS’s aggressive timelines have created a lot of work for agencies that are trying to be compliant.
Proofpoint’s research found that 28% of agencies have not yet begun to move toward DMARC compliance. Based on this finding, it is unlikely that all agencies will reach DMARC compliance for each of their domains by the October 2018 deadline – given that this deadline is only a few short months away, the research concluded.
Of the agencies that have started DMARC compliance, about 72% are working on their implementation project themselves and gathering DMARC data, and only 19% of agencies have engaged a vendor to help them implement email authentication. Agencies are delayed in complying with the deadline, and, according to Rob Holmes, VP of email security, Proofpoint, what is going on behind the scenes is making compliance slower than anticipated.
“We anticipate there is a gap in compliance as BOD 18-01 was issued with little advance notice and without a reserved budget," said Holmes. "Without having previously budgeted to become compliant within the DHS’s deadlines, many agencies have tried to work within the internal resources they have available.”
Federal agencies have been charged with many different pieces in their overall security portfolios, and DMARC authentication, though critical, is only one of those.
“A small percentage of agencies have blind DMARC deployments and are not gathering any data at all,” Holmes said. “Of the total domains included in the directive, 36% have already achieved the one-year compliance standard of publishing a valid SPF record and a valid DMARC record with a 'reject' policy. A further 22% have satisfied the January 2018 standard of publishing a DMARC with a 'monitor' policy but have more work to do, while 42% are not even compliant with the January milestone, due to SPF and/or DMARC gaps.”
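As an added example (not Proofpoint's, DHS's or any agency's code), the following Python script classifies constructed SPF and DMARC TXT records against the milestones Holmes describes: a valid SPF record plus a DMARC record of any policy for the January 2018 standard, p=reject for the one-year standard, and a DMARC record with no rua= tag flagged as a blind deployment that gathers no reports. The domain names and records are made up; the SPF validity criteria (a v=spf1 prefix, a terminating all or redirect term, at most 10 DNS-querying terms per RFC 7208) are this checker's own, not ones stated in the article.

```python
"""Classify domains against the BOD 18-01 DMARC milestones from SPF/DMARC TXT records.

Added example, not Proofpoint's or DHS's code. Milestones follow the quote above:
January 2018 = valid SPF + a DMARC record (p=none, the 'monitor' policy, counts);
one-year = the DMARC policy is p=reject. A DMARC record without rua= is 'blind'.
All records below are constructed sample data, not live DNS lookups.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# SPF terms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def spf_problems(txt: Optional[str]) -> List[str]:
    """Return reasons the SPF record is invalid (empty list means valid)."""
    if txt is None:
        return ["no SPF record published"]
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record does not start with v=spf1"]
    problems, lookups, terminated = [], 0, False
    for term in terms[1:]:
        # Strip qualifier (+ - ~ ?) and any argument to get the bare mechanism name.
        mech = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        lookups += mech in LOOKUP_TERMS
        terminated |= mech in ("all", "redirect")
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    if not terminated:
        problems.append("SPF record has no terminating 'all' mechanism or redirect")
    return problems


def parse_dmarc(txt: Optional[str]) -> Optional[dict]:
    """Parse 'tag=value; tag=value' into a dict; None if not a DMARC1 record."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


@dataclass
class Assessment:
    domain: str
    milestone: str              # "one-year", "january-2018" or "non-compliant"
    policy: Optional[str]       # value of the DMARC p= tag, if any
    blind: bool                 # DMARC published but no rua= address collects reports
    gaps: List[str] = field(default_factory=list)


def assess(domain: str, spf_txt: Optional[str], dmarc_txt: Optional[str]) -> Assessment:
    tags = parse_dmarc(dmarc_txt)
    gaps = spf_problems(spf_txt)
    policy = tags.get("p", "").lower() if tags else None
    if tags is None:
        gaps.append("no valid DMARC record published")
    elif policy not in ("none", "quarantine", "reject"):
        gaps.append(f"DMARC p= tag missing or invalid: {policy!r}")
    blind = tags is not None and "rua" not in tags
    if gaps:
        milestone = "non-compliant"
    elif policy == "reject":
        milestone = "one-year"
    else:
        milestone = "january-2018"
    return Assessment(domain, milestone, policy, blind, gaps)


# Constructed records for hypothetical agency domains (not real DNS data).
SAMPLE_RECORDS = {
    "reject.example.gov": ("v=spf1 include:_spf.mail.example.gov -all",
                           "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov; pct=100"),
    "monitor.example.gov": ("v=spf1 mx ip4:192.0.2.0/24 ~all",
                            "v=DMARC1; p=none; rua=mailto:dmarc@example.gov"),
    "blind.example.gov": ("v=spf1 mx -all",
                          "v=DMARC1; p=quarantine"),          # no rua=: no reports
    "nospf.example.gov": (None,
                          "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov"),
    "openspf.example.gov": ("v=spf1 include:_spf.mail.example.gov",  # no 'all'
                            None),
}


def summarize(records=SAMPLE_RECORDS):
    """Assess every domain and tally how many sit at each milestone."""
    results = [assess(d, spf, dmarc) for d, (spf, dmarc) in records.items()]
    counts = {}
    for r in results:
        counts[r.milestone] = counts.get(r.milestone, 0) + 1
    return results, counts


if __name__ == "__main__":
    results, counts = summarize()
    for r in results:
        print(f"{r.domain:22} {r.milestone:14} p={r.policy!s:11} blind={r.blind} {r.gaps}")
    print(counts)
```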
Web forums were the greatest targets for credential spills during 2017, which saw more than 2.3 billion credentials from 51 different organizations reportedly stolen, according to a new report from Shape Security. Of those 51 different organizations, companies providing online services contributed the largest number of compromised credentials, with over 2 billion credential spills. In total, the criminal enterprise is costing US businesses over $5bn a year.
The report, released today, studied the life cycle of stolen credentials, taking a holistic, behind-the-scenes look at the extent to which credentials can be monetized and weaponized long after a breach occurs. Because web forums serve as hyper-specialized communities of online users, they tend to have lower membership and thus a smaller collection of credentials. “However, they are easy targets for credential spills because many are volunteer-run and lack a corporate security or IT function," the report stated. While web forums were found to be the most frequently targeted, they are not actually the source of the greatest number of spills.
“Social media sites were typically responsible for the largest spills. This makes sense because those organizations rely on a network effect to succeed, so they are likely to have the largest user bases,” the report said.
While the report found the frequency of credential spills remained consistent for two years, the average size of spills in 2017 was lower than in 2016. “Additionally, over the course of two years, spills have been reported on a very regular basis; in 2017, the longest gap between reports was 31 days,” it said.
On average, there’s a 15-month window between credentials being compromised and the breach, during which time criminals carry out their most damaging credential stuffing attacks. Credential stuffing attacks make up from 58% to 90% of login traffic, depending on the industry. According to the report, the US consumer banking industry suffers almost $50m potential losses each day due to credential stuffing attacks.
In the banking industry alone, credential stuffing attacks cost an average of $1.7bn annually. In the e-commerce industry, the average cost jumped to $6bn annually. Over time, though, the value of the stolen credentials decreases. As more people have access to those credentials, they fall out of favor for criminals.
LabCorp, a healthcare diagnostics company, has shut down its systems after a suspected network breach, which could have put millions of health records at risk.
In a report to the United States Securities and Exchange Commission, the company announced that during the weekend of July 14 2018, it had detected suspicious activity on its IT network and immediately took specific systems offline. The company said that the suspicious activity has been detected only on LabCorp Diagnostics systems, and that "there was no indication that it affected systems used by Covance Drug Development."
LabCorp provides diagnostic, drug development and technology-enabled solutions for more than 115 million patients per year, according to its website. It typically processes tests on more than 2.5 million patient specimens per week and supports clinical trial activity in around 100 countries. It has over 1900 patient service centers in the US.
The filing itself does not go into detail as to which systems might have been affected, but concerns over patient data are justified. In August 2017, the NHS suffered a data breach where 1.2 million patient names were hacked, and another breach resulted in 655,000 patient records from three hacked healthcare providers being sold.
According to Healthcare IT News, in June 2018 LabCorp won a court battle over an alleged HIPAA violation, in which it was accused of not providing enough privacy protection at its Providence Hospital computer intake system. LabCorp argued that an individual can’t bring a lawsuit under HIPAA and filed a motion to dismiss. The judge agreed.
HIPAA has also published that there have been 2181 healthcare data breaches since 2009, the largest being Anthem Inc. which had 78.8 million records stolen from a database hack.
"We take it for granted that doctors and medical professionals will have complete access to our health profiles and background... however the very nature of this access, and the vast amount of information held within the healthcare industry, make it a prime and profitable target for criminals," wrote Suzanne Widup, senior analyst, Verizon Security, back in March 2018. "Knowing which security threats are out there, and what steps to take to proactively prevent security incidents is vital if personal healthcare information is to be kept safe."
While it has not been confirmed by LabCorp who is behind the suspected attack, Verizon's 2018 Protected Health Information Data Breach Report highlighted that healthcare was the only industry in which internal actors were the biggest threat to an organisation, driven by financial gain or looking up personal records of celebrities.
In the US, vote-counting computers used in government elections contained a security vulnerability which could have been used to affect election results. The systems, which were sold by Elections Systems & Software (ES&S), contained remote-access software and were sold between 2000 and 2006, with some machines still being used as late as 2011.
Election-management systems are not voting terminals - they are in county election offices and contain software that in some counties is used to program all the voting machines used in the county. The systems also tabulate final results from voting machines.
In a report by Motherboard, in a letter sent to Senator Ron Wyden D-Oregon, which came to light on July 17 2018, the company admitted that it had "provided pcAnywhere remote connection software to a small number of customers between 2000 and 2006." The article goes on to say that originally, in February 2018, ES&S had denied installing the software on any of the election systems it sold and said: "None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software." The company's machines were used in a number of states, and at least 60% of ballots cast in the US in 2006 were counted on the systems.
This news comes alongside the continuing investigations into suspected Russian meddling in the 2016 US presidential elections. On July 14 2018 deputy attorney general Rod Rosenstein announced that 12 individuals had been charged as part of the investigation.
During 2006, hackers stole the source code for the pcAnywhere software, which wasn't made public knowledge until 2012 when a hacker posted some of the code online. This forced Symantec, the distributor of the software, to admit it had been stolen. Security researchers also found a vulnerability in the software that would allow an attacker to seize control of a system, without the need to authenticate with a password. Researchers at Rapid7 also conducted research and found that 150,000 online computers were configured to allow direct access to hackers.
Alarmingly, pcAnywhere was still being used in 2011 by Venango County, Pennsylvania, and it has not been clear whether the security flaws were patched or if there could have been more vulnerabilities. According to Motherboard, ES&S wrote in its letter to Wyden that it would be willing to meet privately in his office to discuss election security, but when the company was asked to attend a hearing on election security last week before the Senate Committee on Rules and Administration, ES&S declined to send anyone to answer Senate questions.
Wyden said he’s still waiting for ES&S to respond to the outstanding questions he sent the company in March. “ES&S needs to stop stonewalling and provide a full, honest accounting of equipment that could be vulnerable to remote attacks,” he told Motherboard. “When a corporation that makes half of America’s voting machines refuses to answer the most basic cybersecurity questions, you have to ask what it is hiding.”
Scammers are increasingly targeting Personally Identifiable Information (PII), turning away from bitcoin scams and putting resources behind traditional technology support scams.
According to Malwarebytes's Cybercrime tactics and techniques: Q2 2018 report, the new General Data Protection Regulation (GDPR) could be fueling this increase in PII theft, as the information could be more valuable on the black market. The company observed that a victim had allowed a phishing scammer entry into their computer, which resulted in stolen email credentials.
The report also noted that phone scamming had risen in awareness with the general public, with potential victims being more vigilant. However, scammers still tried filtering down to unsuspecting victims by using tactics such as calling to route straight to voicemail to request a callback, hanging up on victims who aren't entirely convinced and requiring a small upfront payment before the scam.
"Because of the new policies ushered in by the EU’s GDPR in late May, organizations will only have a limited time to hold onto PIIs of their customers, making it more valuable to criminals," said the report. "This means we may see an uptick in data-stealing threats, from spyware and info stealers to keyloggers and good old-fashioned phishing scams."
Interestingly, Malwarebytes found that cryptomining detections were declining, but were still dominating the threat landscape for both businesses and consumers. The report explains that many criminals are not getting the return on investment from cryptomining they were expecting, and that the activity is expected to stabilise as it follows market trends in cryptocurrency.
Enterprise systems remain vulnerable to cryptomining, with detections every month fluctuating throughout 2018: "By Q3, we may be able to identify an ongoing trend and/or campaign trying to spread these tools," said the report. "More than likely, though, we'll see a decline in business detections as we head into Q3, which has already been observed on the consumer side."
Android cryptominers also saw a decline from Q1, with May seeing a 16% drop from the previous month. There were 244% more miner detections than in Q1.
A survey of 900 security professionals conducted by AlienVault at Infosecurity Europe found that spending on GDPR compliance efforts has hindered threat detection but cybersecurity publicity might actually benefit the industry. Additionally, the survey reflected the strong belief that cybersecurity is becoming entrenched in politics.
Of the professionals that participated in the survey, 51% said the additional resources their organizations are spending on GDPR compliance take vital resources away from detecting threats.
In addition, the report noted that not all security publicity is bad. An overwhelming majority (84%) of respondents said that the increased cyber-threat publicity has been very useful. Without offering reasons as to how all of the press coverage is useful, the report stated, “It is likely that large public breaches raise awareness for the need of cybersecurity.”
A majority (56%), believe cybersecurity has become a political pawn, with only 17% disagreeing with that perception. “It’s easy to see why many professionals feel this way. Encryption, in particular, finds itself at the forefront of many discussions, polarizing opinion as to whether or not law enforcement should have ‘back doors’ or other means of accessing communication to crack down on crime,” the report wrote.
Cloud security threats will be the most concerning external threat moving forward, followed by distributed denial-of-service (DDoS) attacks and the international threat landscape, including threats of nation-state attacks.
Phishing is the most concerning internal threat, with 55% of respondents expressing concern that their organization will fall victim to a phishing attack. Ransomware came in a close second, with 45% of participants ranking it as the most concerning internal threat.
Respondents were asked to select their top threat concerns. More than a quarter (29%) of respondents worry about a shortage of skilled staff, and 27% are concerned about nonmalicious insider mistakes. Less than a quarter (23%) of security professionals fear social media threats.
“The human element of phishing is what makes it attractive to attackers and [a] concern for security departments. No single control can defend against a phishing attack, and ultimately, humans make mistakes. In fact, human error can be traced back to the root cause of many breaches,” the report stated.
AlienVault said user awareness and education are important but don’t go far enough in preparing for these types of attacks. To fortify their overall security posture, companies should create a layered defense comprising people, technology and process, according to the report.
The number of cyber incidents saw a 32% jump in the first quarter of 2018 compared to the same period in 2017, according to a new report from Positive Technologies. According to the report, hackers are motivated by data theft, and malware attacks have spiked 75% since Q1 2017.
“Attackers are planning to either use these credentials in future attacks or profit by selling this information on the black market,” Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said in today’s press release.
According to the report, individuals were the primary victims of malware, which was used in five out of six attacks, often in combination with social engineering and exploitation of web vulnerabilities.
After individuals, who accounted for 28% of attacks, government was the second most targeted sector, accounting for 16% of total attacks. Healthcare was at 8%, finance at 7% and IT at 5%.
Spyware, which grants an attacker access to sensitive internal information and allows hackers to collect personal data and account credentials, was the most commonly used type of malware. The report also noted the factors that contribute to an attacker successfully accessing sensitive information with malware, which include a lack of antivirus protection and end user error, such as clicking on malicious links and downloading infected files.
In addition, cryptocurrency miners, such as WannaMine and RubyMiner, were used in nearly one quarter (23%) of malware attacks. “Our research shows that 63% of attacks included use of malware. Spyware, in particular, is used most often because it allows obtaining not only personal information and corporate secrets but credentials for the services and systems needed to attack internal corporate infrastructure,” Galloway said.
Positive Technologies predicts that the number of unique cyber-attacks will continue to escalate, with attackers homing in on existing attack vectors against government and finance targets. Phishing campaigns using SANNY spyware against government targets were often detected as the source of malware placed on government infrastructure.
Still, finance and banking are the most frequent victims of cyber-attacks.
Over 26,000 mobile devices and laptops were lost on the Transport for London (TfL) network between April 2017 and April 2018, raising serious questions about threats individual devices pose to company data security, says think tank Parliament Street.
Through a Freedom of Information (FOI) request, the think tank discovered that 26,272 devices were lost and handed in to TfL lost property, with Apple devices taking the top spot, followed by Samsung and Lenovo. An independent study by Centrify suggests that in the UK, younger employees are the "main culprits" for data security breaches in the workplace.
Responding to the research, Robert Coleman, UKI CTO, CA Technologies said: "With businesses investing heavily in purchasing and developing growing volumes of applications to improve employee productivity, the security threat posed by lost and stolen devices has increased dramatically.
"Nobody can prevent mobiles and tablets from being misplaced, but companies can ensure that the applications which reside on these devices are only accessible by the correct privileged users so that fraudsters cannot exploit them as a backdoor into the business."
Mobile working and the security of data still continue to concern enterprises. In a report by Apricorn, nearly one in five organizations (18%) suggested their mobile workers didn't care about security, with a third of them experiencing a data loss as a direct result of mobile working.
Parliament Street's report recommends that businesses implement an identity verification strategy for every employee, increase training and "scrap trust" as a strategy: "With cyber-attacks rapidly on the rise, a healthy paranoia is a positive force for change within the organization."
Ojas Rege, chief strategy officer at MobileIron, said that two new developments could help organizations in this area: "Biometrics, like fingerprint and facial recognition, provide an easy and more secure way for individuals to access their mobile devices and apps. Machine learning takes data inputs from devices, networks, and apps to constantly monitor and identify evolving threats of which the user is almost never aware."
The Netherlands-based Telecompaper reported that Telefonica, a top-10 telecom vendor based in Spain that delivers telecom services across more than 20 countries, was hit by a major security breach. Personal customer data of millions of its clients was possibly exposed in the breach. The company reportedly said the flaw was fixed and that the breach was reported to the authorities.
Information exposed by the breach was reported to have included customers' fixed-line and mobile numbers, their full names, national ID numbers, home addresses, banks and call and data records.
Though the company does not yet know the full extent of the breach, the data exposed in the security breach reportedly could be downloaded by a hacker. "Surprisingly, the Telefonica customer data was easily downloadable as an unencrypted spreadsheet," said Pravin Kothari, founder and CEO of CipherCloud.
"Moral of the story? Cyber-attackers will get into any network sooner or later. End-to-end encryption would have provided safe harbor for Telefonica if they used it to protect the data. With encryption there would be no breach to report under GDPR as stolen encrypted data would be unusable," said Kothari.
With GDPR in effect, Telefonica must now comply with the notification and follow-up mandates. "This sort of data exposure is why so many organizations who transact with customers online – from the banking and finance sector to e-com and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioral analytics," said Ryan Wilk, vice president of customer success, NuData Security, a Mastercard company.
"In doing so, they're shifting from 'let's make our company a bunker for everyone' to 'let's leave the bunker for risky users only.' They do so by using technology that doesn't rely on data that could have been exposed in a breach, thus preventing post-breach damage. Passive biometrics technology cannot be mimicked by hackers and helps break the chain of perpetual fraud that grows whenever customer data is breached and stolen," said Wilk.
Discovered by security consultant Adrian Pruteanu, the issue arises because RLM's web server runs on the non-standard port 5054 and, by default, does not require authentication. Attackers can specify an arbitrary license file on the server to read and modify, which could result in information leakage or remote code execution via the upload of malware.
Pruteanu said: "During a recent penetration engagement, I came across a particularly interesting web application called RLM, running on the non-standard port 5054. This naturally caught my eye. After a bit of poking around, I was able to identify a critical vulnerability which allowed me to execute code on the server, eventually leading to full domain compromise.
"Regrettably, despite my best efforts, the vendor has refused to issue patches as they do not believe these findings to be vulnerabilities," he continued.
In its response to Trustwave, Reprise wrote: "We tell end users not to run the RLM server - which implements the web server - in privileged mode. There is no reason it needs to run with elevated privileges. The license and options file editors in the web interface are no more dangerous than Notepad or Wordpad."
The vulnerability was flagged to Reprise on May 16, 2018, with the vendor discontinuing communication on May 29.
"Security holes are rarely made up of isolated vulnerabilities," said Eerke Boiten, professor of cybersecurity, De Montfort University, Leicester. "In this case it appears to be an administrative web interface that doesn’t authenticate properly, combined with a server running with too high privileges, and one or more unnamed vulnerabilities that allow this to be exploited to the level of full code execution.
"Responsible behavior would be to fix each element of this, not to just change the user manual to ensure that anyone who has a recent copy of it will not make a dangerous mistake."
A report by Recorded Future has found that Russia's vulnerability database, while highly focused, is incomplete and slow, and only publishes 10% of known vulnerabilities.
Run by the military organization Federal Service for Technical and Export Control of Russia (FSTEC), the vulnerability database, also known as the BDU, has published only 11,036 of the 107,901 Common Vulnerabilities and Exposures (CVEs) reported by the NVD (approximately 10%). FSTEC populates the BDU with vulnerabilities that primarily present a threat to Russian state information systems, which gives researchers information on which technologies, hardware and software are used on Russian government networks.
The report highlights that FSTEC didn't start publishing vulnerability data until 2014, roughly 15 years after the US NVD was established, but still covered 25% of the CVEs from years before the database was started. Furthermore, among the vulnerabilities that FSTEC published the fastest, 75% were vulnerabilities for browsers or industrial control-related software.
(Figure: Percentage of vendor CVEs covered by FSTEC)
Interestingly, when it comes to monitoring vendors and technologies, Recorded Future found that Russia focused on Adobe more than any other vendor, covering nearly half of all its vulnerabilities. However, among the vulnerabilities that were not published, 386 had a CVSS score of 10 and 871 had a score greater than eight.
Over the course of the past year, Recorded Future also examined the publication speeds, missions and utility of the NVDs of two countries: China and the US. It found that Russia was on average 83 days slower than China to publish vulnerabilities, and 50 days slower than the US.
"As the research demonstrates, FSTEC broadly publishes only about 10% of known vulnerabilities," Priscilla Moriuchi and Dr Bill Ladd wrote. "The larger question is, 'Why?' Why waste resources on a vulnerability disclosure database that does not address 90% of vulnerabilities for its users?
"There are three likely hypotheses," they went on to say. "FSTEC is vastly under-resourced and can only focus on key technologies for Russian users; FSTEC is a military organization and is publishing 'just enough' content to be credible as a national vulnerability database, or the FSTEC has a dual offensive and information security mission and publishes based on the competing needs. This would be similar to how China's NVD (CNNVD) functions."