The security stand-off between the United States and Russia and China is set to intensify after the Pentagon revealed it has been developing a “do not buy” list of software originating from the two hostile nations.
The Defense Department’s acquisitions boss, Ellen Lord, told reporters that the list was begun six months ago in concert with US intelligence agencies.
As the name suggests, once a vendor is included on the list, their products will be boycotted by the Pentagon as a security risk.
However, drawing up the list has apparently not always been easy given that Beijing and Moscow are keen to hide the true origin of some companies.
"What we are doing is making sure that we do not buy software that is Russian or Chinese provenance, for instance, and quite often that is difficult to tell at first glance because of holding companies," Lord reportedly said. "We have identified certain companies that do not operate in a way consistent with what we have for defense standards."
Kaspersky Lab was banned for government use after fears of ties to Russian intelligence which it claims were never substantiated by lawmakers, while both ZTE and Huawei could yet face similar bans on their products if a defense authorization bill for fiscal 2019 passes Congress.
“It really speaks to cybersecurity writ large, which is one of our greatest concerns right now," Lord said. "This is a challenge for us in terms of how to deal with the industrial base, particularly small companies who don’t always have the resources."
Terry Ray, CTO at Imperva, argued that governments have always placed strict controls on foreign technology providers.
“It is common for the US government to scan software used in its environments for backdoors and other embedded code, or configurations that may allow hidden or previously unidentified connections, inbound or outbound to the technology,” he said.
“At the moment, I have not seen details on any new inspection processes which makes me think the technical review will utilize existing techniques. However, it’s important to note that other well-developed countries operate similarly and prefer to purchase and implement in-country or open source technology, in lieu of off-the-shelf products offered by the US or its allies.”
By using the HiBids advertising platform, cyber-criminals have been delivering malicious advertisements to millions of victims worldwide in a large-scale malvertising and banking Trojan campaign, according to researchers at Check Point.
These malicious ads can infect the PC or mobile device of the person viewing the ads with malware, such as a crypto-miner, ransomware or a banking Trojan. Master134, the criminal reported to be responsible for the campaign, redirected stolen traffic from over 10,000 hacked WordPress sites, then sold it to Adsterra, the real-time bidding (RTB) ad platform, according to today’s blog post.
From there, Adsterra sold the traffic to advertising resellers, including ExoClick, AdKernel, EvoLeads and AdventureFeeds, which passed it on to the highest-bidding ‘advertiser.’ “Our discovery revealed an alarming partnership between a threat actor disguised as a Publisher and several legitimate Resellers that leverage this relationship to distribute a variety of malware including Banking Trojans, ransomware and bots,” researchers wrote.
The key to the campaign's success was that the advertisers were seemingly legitimate companies; however, they were actually criminals looking to distribute ransomware, banking Trojans, bots and other malware, which is how the infected ads – not legitimate ads – appeared on thousands of publishers’ websites worldwide.
During this campaign, which is still active, Check Point reportedly saw 40,000 clicks per week on these malicious ads. Cyber-criminals, who measure the return on investment of their ad spend by comparing it to the money they make from crypto-mining and ransom, are compromising the legitimate business of online advertising, exploiting it to display malware-infected ads.
Recognizing that threat actors will always search for new ways to spread their attack campaigns, researchers anticipate seeing more of these types of attacks, though the involvement of seemingly legitimate online advertising companies is of great concern. “We can’t help but wonder – is the online advertising industry responsible for the public’s safety? Indeed, how can we be certain that the advertisement we encounter while visiting legitimate websites are not meant to harm us?” the researchers wrote.
During a 29 July interview on “Face the Nation,” Sen. Jeanne Shaheen (D-N.H.) expressed concern over widespread phishing attacks against the Senate and political parties, according to The Hill.
“I don't know who else is on the list but I do know that we've had an experience in our office with people getting phishing emails with social media accounts,” Shaheen said in the interview. “There has been one situation that we have turned over to authorities to look into. And we're hearing that this is widespread with political parties across the country, as well as with members of the Senate.”
Sunday’s “Face the Nation” interview came only days after Microsoft confirmed that the campaign of Sen. Claire McCaskill (D-Mo.) was one of the three congressional campaigns in which Russians had unsuccessfully targeted staff and computer systems.
Russian meddling in midterm election campaigns has been a growing concern since the 2016 election. News that the Mueller investigation indicted 12 Russians for election meddling has renewed concerns, particularly as the 2018 midterm elections are swiftly approaching. President Trump met with his National Security Council (NSC) on Friday, 27 July, to address these and other cybersecurity concerns.
After the meeting, the White House released a statement affirming that “the President has made it clear that his Administration will not tolerate foreign interference in our elections from any nation state or other malicious actors.”
Prior to the NSC meeting, Defense Secretary Jim Mattis reportedly told reporters that US cyber-defenses have already been deployed, according to the Washington Examiner’s Daily on Defense newsletter. “Rest assured, there are actions underway to protect our elections or to expose any external efforts by anybody to influence the American public, to show false news, that sort of thing,” Mattis said.
As confirmation of foreign meddling continues to mount, the Senate Rules Committee aims to prioritize the Secure Elections Act, which is reportedly slated for markup in mid-August.
Four scientists at the university have published findings on a new type of Spectre attack in a paper entitled NetSpectre: Read Arbitrary Memory over Network. The paper details a new CPU attack that can be carried out via network connections and does not require the attacker to host code on a targeted machine, a significant development for Spectre-class attacks.
“By manipulating the branch prediction, Spectre tricks a target process into performing a sequence of memory accesses which leak secrets from chosen virtual memory locations to the attacker. This completely breaks confidentiality and renders virtually all security mechanisms on an affected system ineffective,” the researchers wrote.
While Dod said the research is concerning from a device-hardening perspective, “The need for leak and transmit gadgets to be present on the victim’s computer makes it a less valuable approach. Today, threat actors have access to much easier tools to compromise victims – they won’t need to deal with the complexity and uncertainty of a network-based Spectre attack," said Mounir Hahad, head of threat research at Juniper Networks.
Some commentators agree that the industry could be moving too far into the weeds with the attacks as the likelihood of exploitation is so low. Brajesh Goyal, vice president of engineering at Cavirin, said, “The need for leak and transmit gadgets to be present on the victim’s computer also makes it a less valuable approach. Today, threat actors have access to much easier tools to compromise victims – they won’t need to deal with the complexity and uncertainty of a network-based Spectre attack."
UK Card Not Present (CNP) fraud losses have fallen for the first time since 2011, despite rising levels in many European countries, according to new stats from FICO.
The fraud prevention firm’s latest interactive map is built on data from Euromonitor International and UK Finance.
It revealed that the UK saw the biggest reduction in net fraud losses of 8%, although the average across Europe rose by 2% (€30m).
A FICO spokesperson confirmed to Infosecurity that the vast majority (around 70%) of CNP fraud is committed online.
“As well as fraud migration, we are also seeing an evolution of fraudulent exploitation using cyber-enabled crimes,” said fraud consulting director, Toby Carlin. “The total size of the cyber-enabled threats will come to the fore as PSD2 reporting comes into play across Europe, but early indications from the UK show that cyber-enabled digital fraud is set to overtake plastic fraud by 2020.”
Despite the growing online threat, the UK is now the first market to have “significantly” reduced CNP fraud losses in several years. This should serve as an example to other regions that investment in the right technologies can reap rewards, but also as a warning that scammers may be on the lookout for geographies where less is being spent, said the firm.
“This is a significant turning point in the global fight against CNP, with hundreds of millions of euros worth of fraudulent migration imminent,” FICO claimed. “All other markets should be on high alert to receive this migrating attack and ensure that preventative mechanisms are deployed as soon as possible to stop themselves becoming the easiest target for criminals to hit.”
A PwC report recently claimed that nearly half (49%) of UK organizations have suffered from cyber-enabled fraud over the past two years, while Cifas figures from April pointed to identity fraud reaching an all-time-high last year, and e-commerce fraud jumping 49%.
Hundreds of tech-savvy inmates at several Idaho correctional facilities have been caught exploiting a software vulnerability on their state-funded tablets to artificially increase account balances.
Officials claimed that 364 prisoners had been caught hacking the JPay tablets which are provided to allow them access to email, music and games.
The software exploit apparently allowed them to transfer a total of nearly $225,000 into their accounts, with one inmate managing an audacious $10,000.
There’s no hit to the taxpayer as these are virtual credits provided by JPay, with the firm claiming it has already recovered $65,000 worth. The guilty inmates will not be able to download games or music until they can compensate the corrections-related service provider, it said.
“JPay is proud to provide services that allow incarcerated individuals to communicate with friends and family, access educational programming, and enjoy positive entertainment options that help prevent behavioral issues,” a JPay spokesperson statement noted.
“While the vast majority of individuals use our secure technology appropriately, we are continually working to improve our products to prevent any attempts at misuse.”
The Idaho Department of Correction has also moved to discipline those involved, with reports suggesting they could lose various privileges and even be transferred to a higher security risk level.
US telecoms firm CenturyLink refused to disclose the vulnerability exploited by the inmates, citing it as proprietary technology.
The incidents took place at the Idaho State Correctional Institution, Idaho State Correctional Center, Idaho Correctional Institution-Orofino, South Idaho Correctional Institution and the Correctional Alternative Placement Plan facility.
The US government has repeated warnings of state-sponsored cyber-attacks made possible by infiltrating the software supply chain.
The report from the National Counterintelligence and Security Center (NCSC) reveals insight into foreign economic and industrial espionage against the US.
It calls out China, Russia and Iran as “three of the most capable and active cyber actors tied to economic espionage and the potential theft of US trade secrets and proprietary information.”
While new technologies such as AI and IoT will introduce new vulnerabilities into networks “for which the cybersecurity community remains largely unprepared,” it’s the software supply chain that represents one of the biggest emerging threats, the NCSC claimed.
It said 2017 was a watershed year in that it witnessed seven “significant” incidents versus just four in the preceding three years.
These included the infamous backdoor inserted into popular Ukrainian accounting software M.E. Docs which was the initial threat vector for the NotPetya ransomware campaign. Other supply chain attacks included CCleaner, which targeted technology firms and mobile operators, and Kingslayer, which has compromised at least one defense contractor.
The warnings echo those of the UK’s National Cyber Security Centre (NCSC) in April, which claimed state-sponsored and other compromises of MSPs and software providers can give hackers a stepping stone into thousands of organizations’ networks by allowing them to abuse “privileged accesses and client/supplier relationships.”
“When done well, supply chain compromises are extremely difficult (and sometimes impossible) to detect. Network monitoring can detect unusual or suspicious behaviour, but it is still difficult to ascertain whether a security flaw has been deliberately introduced (possibly as a backdoor) or results from a careless error on the part of developers or manufacturers – or indeed to prove that any potential access has been exploited,” it argued.
James Romer, EMEA chief security architect at SecureAuth Core Security, argued that secure access is a key part of protecting the supply chain.
“There needs to be a more robust approach to authentication within organizations’ supply chains,” he added. “One that brings context to the process and allows for a rapid response to evolving threats without significant human intervention.”
Android users have been warned about another Exobot banking malware source code (v. 2.5) that was leaked online. It was first detected in May 2018 and has been dubbed "Trump Edition." The leak is expected to result in a surge of malicious Android apps given that the malware source code is now available in dark web hacking forums, according to Tripwire.
"The Trojan gets the package name of the foreground app without requiring any additional permissions. This is a bit buggy, still, but works in most cases. The interesting part here is that no Android permissions are required. All other Android banking Trojan families are using the Accessibility or Use Stats permissions to achieve the same goal and therefore require user interaction with the victim," ThreatFabric security researcher Cengiz Han Sahin told Bleeping Computer.
It’s no secret that bank websites and banking apps are under constant attack and that using Android Trojans to target banking apps is fairly commonplace. With this new Trump Edition, though, there are two primary concerns for security experts: First, whenever an infected Android device hits a financial institution's website, the overlay attack steals user credentials. Second, the release of any mobile banking malware will quickly ripple across devices.
An increase in these types of attacks could have long-term implications that would likely impact more than financial institutions. “The data this malware is targeting will impact not only banks and their customers but also ecommerce companies and other industries,” said Ryan Wilk, VP of customer success, NuData Security, a Mastercard company.
“Personally identifiable information extracted from Exobot-infected devices will quickly find its way to the dark web, where it can be used against the account holder’s account, as well as other online accounts.”
This source code leak could spike an increase in overlay attacks, according to Frederik Mennes, senior manager market and security strategy, security competence center at OneSpan. “Malware on the user’s mobile device shows a window on top of the genuine mobile banking app that looks very similar to the genuine app. In this way the malware aims to trick the user into entering his credentials into the overlay window.”
A flaw in the website design for LifeLock, a company charged with protecting the identity of its online customers, resulted in millions of customer accounts being exposed, according to KrebsOnSecurity. A vulnerability in the site, which reportedly lacked authentication and security, has been fixed, but the breach highlights the larger security concerns inherent in web application security.
Of particular concern is the fact that web apps have become the cornerstone of operations for today’s digital enterprises. They are accessible at all times, from any location or device, but they can also contain sensitive customer data. Securing the data must be a priority, according to Setu Kulkarni, vice president of product and corporate strategy, WhiteHat Security.
“WhiteHat Security's research has shown that web applications are consistently the most exploited means of entry into the enterprise by hackers. Despite this, companies are still failing to implement proper application security protections, making them an easy and vulnerable target.”
“We often see enterprises inheriting risk from third parties. In many cases, web pages are developed by non-IT teams without much governance. Data-flow architecture gets ignored, which can jeopardize personally identifiable information (PII). Largely by necessity, web applications are built and deployed by a wide range of coders, architects and administrators, who sometimes make mistakes.”
The LifeLock site breach serves as another reminder of the security issues in web application development, which often are not designed with security in mind. “Too many website applications are built with little thought on how to prevent being hacked,” said Chris Olson, CEO of The Media Trust.
“LifeLock's web app vulnerability appears to have resulted from developers' oversight and mirrors many other incidents in the past year alone, where security features and procedures to reinforce them receive little attention. Developers should make security a priority throughout a product's life-cycle stages, from concept to manufacturing to retirement. Website operators should police all their website third parties to ensure all their activities fall within policies and scan their sites to identify and obstruct unauthorized code.”
The breach echoes the reality that an unknown vulnerability can pose a major threat to data security and brand reputation, according to Rich Campagna, CMO, Bitglass. “Enterprises need to have visibility across their networks, cloud services and devices in order to prevent and monitor for these kinds of risks.
“This data leak could have been avoided by using data-centric security tools that can ensure appropriate configurations, deny unauthorized accesses and encrypt sensitive data at rest. Because LifeLock failed to utilize such a solution, millions of customers have had their data exposed, become more vulnerable to highly targeted spear phishing campaigns and lost trust in a company dedicated to keeping their data safe.”
In an effort to deliver more robust application and data security solutions that protect enterprises against attacks from cyber-criminals, California-based Imperva Inc. announced that it will acquire the Los Angeles-based application security company Prevoty. The deal, which is expected to close in Q3 2018, has an estimated value of $140m. The Prevoty office will become an Imperva location.
Five years into its journey to deliver application protection to enterprises, Prevoty drew Imperva's attention with its Autonomous Application Protection (AAP) product, which Imperva states will extend its ability to deliver end-to-end application services from the network edge all the way down to within the applications themselves, protecting not only the applications but also the various databases where data is stored.
"The acquisition is expected to advance our hybrid security strategy and further our mission to deliver best-in-class cybersecurity solutions," said Chris Hylen, president and CEO of Imperva, in the press release. With the additional functionality of AAP, Imperva said it will deliver increased visibility into how applications are accessed to see what is happening within the application, thereby enhancing application services both on-premise and in the cloud.
In an email delivered to Prevoty’s employees, CEO Julien Bellanger wrote, “When we first started, Kunal and I believed in the mission of revolutionizing application security by adding protection and visibility to every piece of production software. We are well on our way there from a product perspective and market traction but not yet at the scale we were dreaming about. Becoming part of Imperva will help us reach our goals at a different scale and pace.”
Bellanger called the acquisition a milestone in his vision for Prevoty, which he co-founded in 2013, adding that the board and the executive team are excited about the opportunity to join Imperva, who has offered continued employment opportunities to Prevoty employees.
"Our team is excited to join Imperva, a company with a long track record of cybersecurity leadership and innovation,” Bellanger said in the press release. "We believe that the combination of our solutions with Imperva's portfolio of products will allow us to jointly create the gold standard in technology for application and data protection for organizations everywhere."
IT leaders could be dangerously underestimating the security risks posed by IoT, according to new research from Trend Micro.
The security vendor polled 1150 IT and security decision-makers in the UK, Germany, the US, Japan and France.
Despite businesses spending an average of over $2.5m each year on IoT projects, they don’t appear to be investing in cybersecurity.
Even though 63% of respondents agreed that IoT-linked attacks have increased over the past year, just over half (53%) think they’re a threat to their organization.
This might explain why over two-fifths (43%) regard IoT security as an afterthought, and just 38% get security teams involved in the implementation process for new projects. This drops even further for smart factory (32%), smart utility (31%) and wearable (30%) projects.
Responding organizations suffered an average of three attacks on connected devices over the past year, according to Trend Micro.
“The embedded operating systems of IoT devices aren’t designed for easy patching, which creates a universal cyber risk problem,” said the firm’s COO, Kevin Simzer. “The investment in security measures should mirror the investment in system upgrades to best mitigate the risk of a breach that would have a major impact on both the bottom line and customer trust.”
While loss of customer trust (52%) and monetary loss (49%) were thought to be the biggest consequences of a related breach, loss of personally identifiable information (32%) and regulatory fines (31%) came some way behind. That’s despite the new GDPR, which could impose severe financial penalties on firms found not to have taken customer data protection seriously in the event of a breach.
“The significant investment in this technology across the globe is testament to the fact that IoT solutions can bring many advantages to businesses,” Simzer concluded. “But if security is not baked into the design of IoT solutions, and SDMs [security device managers] aren’t involved in the IoT implementation process, businesses could face damages far greater than the benefits this connected tech delivers.”
The volume of common web-based vulnerabilities found by a leading cybersecurity firm over the past nine years has refused to come down, highlighting a need for greater investment in secure coding practices and awareness.
Global information assurance firm NCC Group uncovered over 1100 vulnerabilities from more than 350 vendors of operating systems, hardware and networking services, and cloud and web services over a near decade-long period.
However, while some classes of vulnerability had virtually disappeared over the past nine years — including format string flaws, memory-related flaws and some vulnerabilities in XML applications and services — others stubbornly persisted, it claimed.
King among these is the cross-site scripting (XSS) flaw, which was the most common type overall, comprising 18% of all those found.
“Although there could be a lot of factors influencing the discovery of bugs over the past nine years — such as shifts in industry focus with regard to certain classes of bugs, and even the time that our consultants have available — there is still an ongoing prevalence of the most common vulnerabilities,” explained NCC Group research director, Matt Lewis.
“While some historically common vulnerabilities have disappeared over the last nine years, cross-site scripting has been around for almost 20 years. We should have seen a significant fall in these types of vulnerabilities, but this hasn’t been the case, which highlights the need for better education around security within the software development life cycle.”
Over the years, Lewis and his team have uncovered vulnerabilities in 53 categories and have also spotted an increase in the number targeting complex applications and hardware — including deserialization flaws and exploitation of multiple chained flaws across complex web apps.
“This highlights the need for more investment into security skills, as well as a wider understanding of how important the mitigation of these vulnerabilities is for the overall security of businesses,” said Lewis.
Security researchers have found a flaw in a home security camera model which could allow individuals to view users’ video feeds.
The bug was found in the SWWHD-Intcam, also known as the Swann Smart Security Camera, which has been on sale in several high street retailers including Currys and Walmart for the past eight months.
The problem relates to the Safe by Swann cloud system which allows users to view their feeds remotely via smartphone, according to the BBC.
These contain a serial number unique to each camera, which can be manually altered to allow access to other devices, the report claimed.
They apparently also identified a way to work out which serial numbers Swann cameras were using, allowing them to theoretically view any account with ease.
"Swann was able to detect the subsystem Ken Munro and his team were attempting to hack and promptly addressed the vulnerability", a spokeswoman for the company told the BBC.
"This vulnerability did not apply to any other Swann products. We have not detected any other such attempts."
However, there are concerns that other camera brands supported by Israel-headquartered supplier OzVision may be vulnerable to attack. A problem was discovered in Flir cameras back in October last year, with a patch apparently imminent.
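The flaw described above is an authorization failure: a device serial number carried in the request is the only thing selecting which feed the cloud service returns, and serials that can be guessed or enumerated are not a secret. The following is an added example, not code from the article, from Swann or from OzVision; the user names, serials, feed URLs and access-log events are constructed for illustration. It shows the vulnerable lookup beside an ownership-checked version, and a simple log check for a caller walking through serial space.

```python
"""Insecure direct object reference on a per-device identifier, the hardened
form, and a detection over access-log events. Added example; all data is constructed."""
from collections import defaultdict

# Constructed ownership table: which authenticated user owns which camera serial.
CAMERA_OWNER = {
    "SW-000101": "alice",
    "SW-000102": "alice",
    "SW-000103": "bob",
}


class Forbidden(Exception):
    """Caller is authenticated but not authorised for the requested device."""


def feed_url(serial: str) -> str:
    # Stand-in for the stream reference the cloud service would hand out.
    return f"https://feeds.example/{serial}/live"


def can_access(user_id: str, serial: str) -> bool:
    """Authorisation decision: the serial is untrusted input, so access is
    granted only when the authenticated user is the recorded owner. Unknown
    serials fail the same way as foreign ones, so the check does not reveal
    which serials exist."""
    return CAMERA_OWNER.get(serial) == user_id


def get_feed_vulnerable(user_id: str, serial: str) -> str:
    """Vulnerable pattern: the request's serial selects the feed and the
    authenticated identity is never consulted, so any valid login can view
    any camera whose serial it can guess."""
    return feed_url(serial)


def get_feed_hardened(user_id: str, serial: str) -> str:
    """Hardened pattern: identical interface, but the ownership check gates the lookup."""
    if not can_access(user_id, serial):
        raise Forbidden("device not found or not owned by caller")
    return feed_url(serial)


# Constructed access-log events: (authenticated user, serial requested).
SAMPLE_EVENTS = [
    ("alice", "SW-000101"), ("alice", "SW-000102"), ("alice", "SW-000101"),
    ("bob", "SW-000103"), ("bob", "SW-000101"), ("bob", "SW-000102"),
    ("bob", "SW-000104"), ("bob", "SW-000105"),
]


def denied_requests(events):
    """Requests the hardened handler would refuse; under the vulnerable handler
    every one of these would have been served."""
    return [(u, s) for u, s in events if not can_access(u, s)]


def suspicious_users(events, max_distinct: int = 3):
    """Flags callers requesting more distinct serials than a household account
    plausibly owns: a walk through serial space looks like this in the logs."""
    distinct = defaultdict(set)
    for user, serial in events:
        distinct[user].add(serial)
    return {user for user, serials in distinct.items() if len(serials) > max_distinct}


if __name__ == "__main__":
    print("vulnerable handler serves bob alice's feed:", get_feed_vulnerable("bob", "SW-000101"))
    print("requests the hardened handler denies:", denied_requests(SAMPLE_EVENTS))
    print("callers enumerating serials:", suspicious_users(SAMPLE_EVENTS))
```

The fix is the ownership check, not a harder-to-guess serial: once identifiers are treated as untrusted input and bound to the session's identity, knowing every serial in the fleet gains an attacker nothing, and the denied-request and distinct-serial counts give the operator a signal that somebody tried.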
Some 40% of UK consumers are concerned that devices can listen in to their private conversations, according to McAfee research.
“People need to feel empowered and protected so they can embrace new technologies that aim to deliver peace of mind. Businesses manufacturing these devices must do their bit and ensure that security is built-in from the get-go,” said chief scientist, Raj Samani.
“There are also simple measures consumers can take when introducing new connected gadgets to their home environments. For example, people need to ensure they have protected Wi-Fi in place with multi-factor authentication and complex passwords. This will help prevent cyber-criminals from accessing devices and getting their hands on personal information.”
More than three-quarters of DevOps professionals do not practice “DevSecOps”, or are still in the process of implementation.
According to the DevOps Pulse 2018 survey by Logz.io, its survey of 1044 DevOps engineers, sys admins, developers and other IT professionals found that 54% said that their department handles security incidents in their organization, while only 41% have dedicated security operations personnel.
Because of that, 76% of those surveyed either do not practice DevSecOps or are still implementing it, while 71% do not feel their team has adequate knowledge of DevSecOps best practices and 56% do not feel there are adequate tools available to help with DevSecOps.
Eoin Keary, founder of edgescan, told Infosecurity that he felt that 54% handling security incidents was a good thing, as this shows that cybersecurity is integrating with DevOps professionals earlier and continuously.
“Handling incidents is also positive assuming the know-how is there: most incident response teams have staff from different departments within a company,” he said. “At edgescan, we see a large uptick for SaaS and managed services given the ability for a client to leverage dedicated experts and knowledge in particular fields they may not have internally in the organization.”
Keary also acknowledged that DevSecOps is still an emerging movement, and the cultural change required to implement a DevSecOps methodology can take time to foster.
Kai Roer, CEO of CLTRe, told Infosecurity that he felt that the 76% figure was natural, as even if half of all organizations did manage incidents within the DevOps team, “this transformation of culture is work in progress.”
He said: “DevSecOps is a huge cultural shift, merging different teams, with different focuses, interests and competences, into one team. This shift has seen some very interesting successes, for example by speeding up patch deployments, as well as improving security by making changes available much faster.
“DevOps has matured a lot over the past few years, and adding security to form DevSecOps has been idealized for some time now. Just as merging operations and development made a huge cultural shift to the teams and to their organizations, adding security is likely to do the same. Suddenly, security goes from being a specialist team who sits on the side-lines, into a function that is tightly incorporated within development and operations.”
Roer said that this change is “bound to improve the security competence in those organizations”, and thereby directly influencing the security culture in those organizations.
Chinese shipping giant COSCO is said to have suffered a major ransomware-related outage affecting its Americas operations, although so far it seems to be trying to minimize the potential news fall-out.
Reports from the trade press citing internal emails suggest the firm has been hit by ransomware in the US and is asking staff not to open suspicious emails.
However, an official statement from the state-owned firm yesterday doesn’t mention malware as the cause.
“Due to local network breakdown within our America regions, local email and network telephone cannot work properly at the moment. For safety precautions, we have shut down the connections with other regions for further investigations,” it states.
“So far, all the vessels of our company are operating as normal, and our main business operation systems are performing stably. We are glad to inform you that we have taken effective measures. Except for above regions affected by the network problem, the business operation within all other regions will be recovered very soon.”
The ‘network breakdown’ also appears to have taken COSCO’s US website offline at the time of writing.
One report suggested that the firm had been forced to rely on the telephone to communicate with customers, slowing operations but not putting them completely out of action.
If the reports are true, they call to mind the NotPetya-related outage at Danish shipper Maersk, which resulted in an estimated $300m loss for the firm.
It’s another reminder of the potential impact ransomware can have, even on large organizations which should have a generous pot of revenue assigned to cybersecurity.
However, in general, reports of ransomware to the FBI have decreased over the past year. The Bureau received only 1783 ransomware complaints in 2017, linked to losses of just $2.3m. That’s a sizeable drop from the 2673 reports it processed in 2016 and the 2453 from 2015.
With a 50-year history, COSCO is said to be the fourth largest shipper in the world.
US Senator Ron Wyden has written to the three key government agencies responsible for federal cybersecurity, urging them to begin the transition away from Adobe Flash.
"As the three agencies that provide the majority of cybersecurity guidance to government agencies, the National Security Agency, the National Institute of Standards and Technology and the Department of Homeland Security must take every opportunity to ensure that federal workers are protected from cyber-threats and that the government is not intentionally supporting risky online behavior,” he wrote.
“To date, your agencies have yet to issue public guidance for the unavoidable transition away from Flash. A critical deadline is looming — the government must act to prevent the security risk posed by Flash from reaching catastrophic levels.”
Wyden demanded three actions: that no new Flash content be deployed on any federal website, with the ban starting within the next 60 days; that all agencies remove Flash content from their websites by August 1 2019; and that they remove Flash from employee desktop computers by the same deadline.
He claimed these efforts could be accelerated by expanding the DHS cyber hygiene scans of agencies to include Flash content. The department could then provide each agency with a list of every location of Flash content on its sites, along with guidance on how to transition away from it.
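As an added illustration of what such a scan has to look for (this is example code, not the article's, not Wyden's office's and not DHS's tooling), the following Python script inventories Flash markers in already-fetched HTML pages: `object`/`embed` tags carrying the Flash MIME type or the Flash Player ActiveX classid, `.swf` references in `data`, `src` and `movie` parameters, and `.swf` URLs inside inline scripts such as swfobject loaders. The `Finding` record, the function names and the sample pages are this example's own; the pages are constructed so it runs offline.

```python
"""Static inventory of Flash (SWF) content across a set of HTML pages.

Added example (not from the article, Senator Wyden's letter or DHS): it
approximates the per-site list of Flash locations the letter asks DHS to
produce. Pages are assumed already fetched; SAMPLE_PAGES is constructed.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, NamedTuple

FLASH_MIME = "application/x-shockwave-flash"
FLASH_CLASSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"  # Flash Player ActiveX control
SWF_RE = re.compile(r"[\w./-]+\.swf\b", re.IGNORECASE)  # .swf URL inside script text


class Finding(NamedTuple):
    page: str     # page name or path
    line: int     # 1-based line within the page
    kind: str     # element carrying the reference: object, embed, param or script
    detail: str   # what matched (attribute values or the .swf URL)


def _is_swf_url(value: str) -> bool:
    """True if an attribute value points at a .swf file (query string ignored)."""
    return value.lower().split("?", 1)[0].endswith(".swf")


class FlashFinder(HTMLParser):
    """Collect a Finding for every Flash marker in one HTML page."""

    def __init__(self, page: str) -> None:
        super().__init__()
        self.page = page
        self.findings: List[Finding] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "script":
            self._in_script = True
        elif tag in ("object", "embed"):
            reasons = []
            if a.get("type", "").lower() == FLASH_MIME:
                reasons.append("type=" + FLASH_MIME)
            if a.get("classid", "").lower() == FLASH_CLASSID:
                reasons.append("classid=Flash ActiveX")
            for attr in ("data", "src"):
                if _is_swf_url(a.get(attr, "")):
                    reasons.append(f"{attr}={a[attr]}")
            if reasons:
                self.findings.append(Finding(self.page, line, tag, "; ".join(reasons)))
        elif tag == "param" and a.get("name", "").lower() == "movie" and _is_swf_url(a.get("value", "")):
            self.findings.append(Finding(self.page, line, "param", "movie=" + a["value"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Loaders such as swfobject.embedSWF("x.swf", ...) hide the reference in
        # script text, so search that text and compute the line of each match.
        if self._in_script:
            start_line = self.getpos()[0]
            for m in SWF_RE.finditer(data):
                line = start_line + data[: m.start()].count("\n")
                self.findings.append(Finding(self.page, line, "script", m.group(0)))


def scan_page(page: str, html: str) -> List[Finding]:
    parser = FlashFinder(page)
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_site(pages: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Return only the pages that still carry Flash, with their findings."""
    return {name: found for name, html in pages.items() if (found := scan_page(name, html))}


# Constructed sample site: two pages with Flash, one already migrated to HTML5 video.
SAMPLE_PAGES = {
    "index.html": """<html><body>
<h1>Welcome</h1>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="400" height="300">
  <param name="movie" value="/media/intro.swf">
  <embed src="/media/intro.swf" type="application/x-shockwave-flash"></embed>
</object>
</body></html>""",
    "video.html": """<html><body>
<script src="/js/swfobject.js"></script>
<script>
  swfobject.embedSWF("/media/player.swf?v=2", "player", "640", "480", "9.0.0");
</script>
<div id="player"></div>
</body></html>""",
    "clean.html": """<html><body>
<video src="/media/intro.mp4" controls></video>
</body></html>""",
}

if __name__ == "__main__":
    for page, findings in scan_site(SAMPLE_PAGES).items():
        for f in findings:
            print(f"{f.page}:{f.line} <{f.kind}> {f.detail}")
```

The scan is deliberately static: it reports where Flash is referenced, not whether the plugin would actually load, which is what an agency needs to plan removal. Dynamically injected embeds or `.swf` URLs assembled at run time by external scripts would need the external script files fed through `scan_page` as well.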
Known vulnerabilities are arguably a bigger preventable risk than eye-grabbing zero days: just 14 of the 19,954 vulnerabilities reported by Flexera in 2017 were zero-days, a 40% decrease from 2016.
Adobe Flash has long been a magnet for hackers and continues to receive fixes each Patch Tuesday. However, system administrators often struggle to prioritize and keep up with the barrage of fixes issued by vendors, most of which use different update mechanisms.
Wyden is known for his tech literacy, having introduced the first net neutrality bill back in 2006, and is a regular champion of cybersecurity and internet freedom on the Hill.
The US Department of Homeland Security (DHS) has flagged a new report highlighting an increase in attacks on critical ERP apps by state-sponsored hackers, cyber-criminals and hacktivists.
The joint research by Digital Shadows and Onapsis revealed that hackers are increasingly targeting ERP systems to steal highly sensitive data or disrupt business processes, exploiting known vulnerabilities, supply chain gaps and misconfigurations.
It claimed that there are now around 9000 known vulnerabilities in SAP and Oracle apps, and that the number of publicly available exploits for them has risen 100% over the past three years.
The report also calculated a 160% increase in activity related to ERP-specific vulnerabilities from 2016 to 2017.
It’s not just traditional state-sponsored actors targeting these apps for espionage or disruption, or cyber-criminals looking to make money — the report claimed hacktivist group Anonymous has carried out nine operations since 2013.
Some of the attacks observed include use of popular malware like banking trojan Dridex to grab user credentials.
In some cases, the supply chain is making the attackers’ job even easier: the researchers found 545 SAP configuration files publicly exposed on misconfigured FTP and SMB servers, offering valuable information on the location of sensitive files in targeted organizations.
Companies are also guilty of basic security mistakes which could play into the hands of attackers: the report claimed to have found over 17,000 SAP and Oracle ERP apps exposed on the internet, many of them not up to date with patches.
The dark web provides threat actors with a wealth of information on where the key weaknesses to exploit lie, according to Digital Shadows.
“Threat actors are continually evolving their tactics and targets to profit at the expense of organizations. On the one hand, with the type of data that ERP platforms hold, this isn’t shocking. However, we were surprised to find just how real and severe the problem is,” said Digital Shadows CISO, Rick Holland.