Feed aggregator

March Patch Tuesday Fixes Two Zero Days

Info Security - Wed, 03/13/2019 - 10:55

Microsoft has patched over 60 vulnerabilities this month, two of which are being exploited in the wild and four of which were previously disclosed.

The two Windows flaws being used to attack targets are elevation of privilege bugs CVE-2019-0797 and CVE-2019-0808. The latter was being used in combination with a use-after-free vulnerability in Google Chrome (CVE-2019-5786).

“Although not as severe due to requiring local access, they could be used in conjunction with an RCE exploit in order to take full control of a system,” said Rapid7 senior security researcher, Greg Wiseman.

However, he said IT admins should prioritize three others, which are critical RCE flaws in the Windows DHCP client: CVE-2019-0697, CVE-2019-0698, and CVE-2019-0726.

“Systems running Windows Deployment Services TFTP Server should also be patched against CVE-2019-0603 as soon as possible,” he added.

The four previously disclosed vulnerabilities patched yesterday are: Visual Studio RCE bug CVE-2019-0809, which affects the Visual Studio C++ Redistributable Installer; CVE-2019-0757, a NuGet Package Manager tampering vulnerability affecting Linux and Mac installations; Active Directory elevation of privilege vulnerability CVE-2019-0683; and Windows DoS flaw CVE-2019-0754.

There were also several patches for Microsoft Edge released this month, including CVE-2019-0769, CVE-2019-0770, CVE-2019-0771 and CVE-2019-0773.

“All of these vulnerabilities are ChakraCore scripting engine vulnerabilities affecting Microsoft Edge running on Windows 10, and if exploited could allow an attacker to exploit arbitrary code,” explained Recorded Future senior solutions architect, Allan Liska.

There were no Adobe security patches to worry about this month, but SAP has issued 15 fixes in its monthly Security Notes update.

The most critical, SAP Security Note #2764283, has a CVSS score of 8.7 and patches a critical bug in SAP HANA Extended Application Services Advanced.

“This bug can lead to critical compromise of data confidentiality, including arbitrary files retrieval from the server, and availability, such as denial-of-service conditions in successful exploits,” wrote security firm Onapsis.

Categories: Cyber Risk News

Google, Apple & GoDaddy Recall Over One Million Certificates

Info Security - Wed, 03/13/2019 - 09:55

Over one million digital certificates have been mis-issued by Google, Apple and GoDaddy after an operational snafu left them non-compliant with industry standards.

Researcher Adam Caudill revealed the issue late last week, claiming that the companies had misconfigured the EJBCA software package used by many Certificate Authorities to generate certs.

In effect, this meant they were generating certificates with just 63-bit serial numbers, thus failing to meet the minimum 64-bit requirements set out by the CA Browser Forum in its Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.

“When we are talking about numbers this large, it’s easy to think that one bit wouldn’t make much difference, but the difference between 2^64 and 2^63 is substantial — to be specific, 2^63 is off by over nine quintillion or more specifically 9,223,372,036,854,775,808,” explained Caudill.
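As an added example (not code from the article, from Caudill, or from any CA), the following Python audit targets the serial-number problem described above: it DER-encodes serials the way a certificate carries them, and applies a batch heuristic that separates a generator with 63 bits of entropy from one with 64 or more. The `ejbca_style_serial` function is an assumed model of the misconfiguration (eight random octets with the sign bit cleared), not a reproduction of EJBCA's code.

```python
"""Batch sanity check for X.509 serial-number entropy (added example).

The Baseline Requirements demand at least 64 bits of CSPRNG output per serial.
No single certificate can prove compliance: a correct 64-bit serial has its top
bit clear half of the time, so it fits in 63 bits just like a defective one.
A batch in which *no* serial ever needs the 64th bit is the tell.
"""
import secrets

BITS_REQUIRED = 64


def der_encode_serial(serial: int) -> bytes:
    """DER-encode a positive serial as an ASN.1 INTEGER (tag 0x02, short-form length)."""
    if serial <= 0:
        raise ValueError("certificate serials must be positive")
    body = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        # Top bit set: a leading 0x00 keeps the two's-complement INTEGER positive.
        # This is why a genuine 64-bit serial needs nine content octets half the time.
        body = b"\x00" + body
    if len(body) > 127:
        raise ValueError("long-form DER lengths are out of scope here")
    return b"\x02" + bytes([len(body)]) + body


def der_decode_serial(der: bytes) -> int:
    """Inverse of der_encode_serial; rejects negative and non-minimal encodings."""
    if len(der) < 3 or der[0] != 0x02 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER INTEGER")
    body = der[2:]
    if body[0] & 0x80:
        raise ValueError("negative serial (forbidden in certificates)")
    if len(body) > 1 and body[0] == 0x00 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big")


def ejbca_style_serial() -> int:
    """Assumed model of the misconfiguration in the article: eight random octets
    with the sign bit cleared so the value stays positive. 63 bits of entropy."""
    raw = int.from_bytes(secrets.token_bytes(8), "big")
    return raw & ((1 << 63) - 1)


def compliant_serial() -> int:
    """One compliant construction: a fixed 0x01 marker octet followed by eight
    random octets. Always positive, and all 64 random bits are kept."""
    return int.from_bytes(b"\x01" + secrets.token_bytes(8), "big")


def audit_serials(serials: list) -> dict:
    """Batch heuristic over serials issued by one CA.

    Under the hypothesis that each serial carries >= 64 random bits, every
    serial independently has probability at least 1/2 of needing 64 or more
    bits (bit_length() >= 64). Observing n serials that all fit in 63 bits
    therefore has probability at most 2**-n; a tiny value points at the
    63-bit pitfall.
    """
    n = len(serials)
    if n == 0:
        raise ValueError("need at least one serial")
    lengths = [s.bit_length() for s in serials]
    max_bits = max(lengths)
    p_value = 1.0 if max_bits >= BITS_REQUIRED else 0.5 ** n
    return {
        "count": n,
        "min_bits": min(lengths),
        "max_bits": max_bits,
        "max_der_octets": max(len(der_encode_serial(s)) - 2 for s in serials),
        "p_value": p_value,
        # 1e-6 (about 20 serials without a 64th bit) is an arbitrary cut-off.
        "verdict": "suspect-63-bit" if p_value < 1e-6 else "ok-or-inconclusive",
    }


if __name__ == "__main__":
    # Constructed batches: 40 serials from each generator, not real CA data.
    for name, gen in (("63-bit", ejbca_style_serial), ("compliant", compliant_serial)):
        print(name, audit_serials([gen() for _ in range(40)]))
```

To run it against real certificates, feed `audit_serials` the `serial_number` values pulled from a CA's issued certificates (for example via CT logs); a few dozen are enough for the heuristic to be decisive.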

The good news is that the mis-issued certificates are said to present no security risk today, and Google at least has revoked most (95%) of its batch within the required five-day period.

Apple and GoDaddy will require longer; in the case of the latter, up to 30 days.

“Without robust automation, changing certificates can be complex and time-consuming, leaving the CA to choose between complying with requirements or impacting their customers,” Caudill argued.

“It’s also not clear how many other CAs may be impacted by this issue; while a few have come forward, I would be shocked if this is the full list. This is likely an issue that will live on for some time.”

Kevin Bocek, VP of security strategy and threat intelligence at Venafi, argued that there’s a much broader lack of visibility into certificate issuance which is threatening internet security.

“The reality is that the vast majority of organizations lack even the most basic intelligence about where they are using machine identities. Replacing a single digital certificate can take hours and most firms don’t have automated processes in place to replace large numbers of them when problems like this occur,” he said.

“As a result, many businesses are going to feel a lot of pain. Even worse, if the replacement process isn’t completed by experts it’s very error prone, and the ‘cure’ can introduce new vulnerabilities or cause business systems to fail. This is a huge third-party risk that CISOs and board members don’t understand.”

Categories: Cyber Risk News

New Ursnif Variant Bypasses Japanese AV

Info Security - Tue, 03/12/2019 - 19:49

A prolific malware family, dubbed Ursnif, has resurfaced with new features, including the ability to bypass a popular Japanese anti-virus product called PhishWall, according to Cybereason.

Described as one of the most prolific information-stealing malware programs, Ursnif has been around since at least 2013. For nearly three months, researchers have been observing a campaign that introduces a new variant of Ursnif delivered via Bebloh. According to the research, the most notable changes in this version include a new, stealthy persistence mechanism, revamped stealing modules, a module targeting cryptocurrency and disk-encryption software, and an anti-PhishWall module.

Ursnif and Bebloh are both notorious for the amount of financial damage they cause worldwide, particularly in Japan. The adversaries are reportedly after the money but will try to capitalize on any other sensitive information they can access.

“The newly discovered Ursnif variant comes with enhanced stealing modules focused on stealing data from mail clients and email credentials stored in browsers. The revamping and introduction of new mail stealer modules puts an emphasis on the risk that trojans can pose to enterprises if corporate accounts are compromised,” wrote Cybereason researcher Assaf Dahan.

The attacks begin with a phishing email containing a weaponized Microsoft Office document that, when opened, prods the user to click on "enable content," which executes the embedded macro code.

To ensure delivery only to its intended targets, the malware uses enhanced country-targeted delivery methods: modified VBA code checks for Japanese settings on the infected machine, and PowerShell compiles a .NET DLL that checks the Japanese language settings, along with an added IP geolocation check to ensure that the infected machine is in Japan, according to the research.

“This technique was previously seen in 2018, but the attackers modified the code in this version to make it less obvious and harder to detect,” Dahan wrote.

“What stands out in these campaigns is the great effort made by threat actors to target Japanese users, using multiple checks to verify that the targeted users are Japanese. These multiple tests prove to be quite effective not only in targeting the right crowd, but also in evading security products such as sandboxes, since the malicious code will not run unless the country/language settings are properly configured. We assess that this new wave of country-based targeted delivery is likely to become more and more popular in future campaigns.”

Categories: Cyber Risk News

File Sharing Links Leave Data out of the Box

Info Security - Tue, 03/12/2019 - 16:25

Security researchers have found that hundreds of thousands of documents were unintentionally leaked after multiple companies left sensitive corporate and customer data exposed on their Box enterprise storage accounts. The issue, though, is not a vulnerability but a feature of Box, according to researchers.

“After identifying thousands of Box customer sub-domains through standard intelligence gathering techniques and using a relatively large wordlist, we discovered hundreds of thousands of documents and terabytes of data exposed across hundreds of customers,” researchers at Adversis wrote in a blog post.

“The issue could be compared to AWS S3 buckets publicly hosting any manner of documents. Not all are sensitive, but often times they are. On one hand this issue is worse than the S3 bucket issue because finding a company's Box account is fairly easy, unlike with S3 bucket names which can be long and difficult to guess. On the other hand, employees seem much less likely to store full databases in Box.”

Information that was easily discoverable because staff were sharing public links to files included passport photos, social security and bank account numbers, intellectual property, employee lists and financial and IT data.

“Permissions on document and file-sharing services are a big risk today. But the issue is not specific to just Box – services like Dropbox, Google Drive and others all share the same inherent risk associated with file sharing,” said Jason Haddix, VP of Researcher Growth at Bugcrowd.

“Despite what any company’s security team might say, people are still going to use these services because the collaboration capabilities and ease of use far outweigh any security fears for users.

“To make sharing easier, users often make these files accessible to anyone with the hyperlink. These links then get shared from user to user, eventually traversing other networks and making their way into other documents. Given this life cycle, we’ve seen numerous privacy- and security-related incidents associated with file sharing misconfigurations over the years.”

Categories: Cyber Risk News

Cyber-Attacks Increasing for Canadian Orgs

Info Security - Tue, 03/12/2019 - 15:51

Cybersecurity threats are intensifying in Canada, with a large majority of organizations saying they have been the victim of a cyber-attack in the past 12 months, according to a new report.

As part of a global threat research project, Carbon Black has published its first study of the evolving threat landscape in Canada. Released today, the 2019 Cyberattack Landscape in Canada report found that, among the 250 Canadian CIOs, CTOs and CISOs surveyed, 83% said they had suffered a security breach in the past year.

“Our first Canada Threat Report exposes the hostile environment facing Canadian businesses and underlines the fact that in today’s digital landscape, breaches are all but inevitable. 76% of surveyed Canadian businesses reported an increase in cyberattacks in the past 12 months,” the report said.

“Of these, 33% have seen up to a 25% increase, 19% have seen an increase of between 26-50% and 15% have seen a 51-100% increase in attack volumes. 10% have witnessed increases of more than 100%.”

According to the report, the average number of breaches per surveyed organization was 3.42, with more than three-quarters (76%) of companies experiencing an increase in attack volumes. Given that 81% of surveyed organizations said that attacks have become more sophisticated, it’s not surprising that 85% of participating organizations plan to increase spending on cyber-defense.

While attacks are increasing in frequency, there seems to be a lack of understanding of the overall scale of attacks and the extent to which criminals are profiting from them on the dark web. “Only 10% of survey respondents correctly identified that the dark economy is valued at more than $1 trillion USD,” the report said.

Though malware was seen in 30% of attacks, “weaknesses in processes and outdated security technology were factors in 20% of breaches, indicating that failures in basic security hygiene continue to be high risk vectors that organizations should address as a priority.”

Categories: Cyber Risk News

Non-UK Far-Right Twitter Accounts Amplify Brexit Messages

Info Security - Tue, 03/12/2019 - 11:08

Far-right Twitter accounts from outside the UK are amplifying pro-Brexit messages and spreading content from non-authoritative news sources on the network, in what could be a sign of a coordinated misinformation campaign.

As the clock ticks down to EU exit day for the UK at the end of March, F-Secure undertook a detailed study into inorganic activity on the social network. It analyzed 24 million tweets from 1.65 million accounts collected between December and February containing the word “brexit.”

Although there was inorganic activity observed on both remain and leave sides of the debate, it was far more prominent among the latter, the security vendor claimed.

Report author, Andy Patel, revealed that leave tweeters are being bolstered by non-UK far-right Twitter accounts, some of which also agitated with #MAGA and #giletsjaunes messages.

They also spread content from non-authoritative news sources such as PoliticalUK and PoliticaLite, which support far-right activist Tommy Robinson, who was banned from Twitter last year.

Taken together, these findings could indicate that “coordinated astroturfing activity is being used to amplify pro-Brexit sentiment,” argued Patel.

However, proving this conclusively is challenging given that sophisticated bot automation tools exist today to hide the signs of artificial amplification, for example by queueing posts and interspersing them with ‘real’ tweets from news sites, he revealed.

In addition, Twitter only allows the last 3200 posts to be collected from any given account, meaning tens or hundreds of thousands of tweets published by many of the suspicious accounts studied for this report are inaccessible.

“Finding [evidence of coordinated pro-Brexit astroturfing] would require additional work – most of the tweets published by this group likely weren’t captured by our stream-search for the word ‘brexit,’” said Patel.

“It’s clear that an internationally-coordinated collective of far-right activists are promoting content on Twitter (and likely other social networks) in order to steer discussions and amplify sentiment and opinion towards their own goals, Brexit being one of them.”

Categories: Cyber Risk News

Chinese Hackers Backdoor Gaming Titles

Info Security - Tue, 03/12/2019 - 10:28

Chinese hackers have launched supply chain attacks against three gaming companies in order to spread malware far and wide across Asian endpoints, according to ESET.

The security vendor’s malware researcher, Marc-Etienne M.Léveillé, wrote in a blog post on Monday that the attacks are the work of the well-known Winnti Group, which has used such tactics before.

It targeted two gaming titles and a “gaming platform application,” compromising them with the same backdoor code.

Although two of the developers have now fixed the compromise, ESET warned that one of the games, Infestation, is still distributing the trojanized version. The firm has thus far been unable to contact its Thai developer, Electronics Extreme.

It’s still unclear what the final payload is as ESET wasn’t able to analyze the DLL file in question. However, we do know that the group behind it didn’t want any users in Russia or China to be affected, as the malware is designed to stop running if either system language is detected.

Victims are overwhelmingly located in Asia: mainly Thailand (55%) but also the Philippines (13%), Taiwan (13%), Hong Kong (5%), Indonesia (3%) and Vietnam (3%).

Léveillé claimed the number of victims could have reached the hundreds of thousands by now.

“Supply-chain attacks are hard to detect from the consumer perspective. It is impossible to start analyzing every piece of software we run, especially with all the regular updates we are encouraged or required to install. So, we put our trust in software vendors that the files they distribute don’t include malware,” he concluded.

“Perhaps that’s the reason multiple groups target software developers: compromising the vendor results in a botnet as popular as the software that is hacked. However, there is a downside of using such a technique: once the scheme is uncovered, the attacker loses control and computers can be cleaned through regular updates.”

The Chinese government-linked Winnti Group was exposed by Kaspersky Lab back in 2013, although the vendor had been tracking it since 2011. The collective was known for abusing digital signatures and using a signed, 64-bit, kernel-level rootkit in multiple attacks designed to steal source code and other IP from gaming developers.

Categories: Cyber Risk News

Clear warning to businesses to prepare for IR35 changes now

Outlaw.com - Tue, 03/12/2019 - 10:08
HM Revenue & Customs (HMRC) has issued a clear warning to businesses not to delay preparing for changes to the off-payroll working rules in its latest consultation document, published last week.
Categories: Cyber Risk News

OIG: NASA’s Poor Cybersecurity is Operational Threat

Info Security - Tue, 03/12/2019 - 10:00

Government inspectors have uncovered serious deficiencies in NASA’s information security program which they claim could threaten operations.

The findings come from the latest Office of the Inspector General (OIG) review of the space agency for fiscal year 2018, under the Federal Information Security Modernization Act of 2014 (FISMA).

The OIG tested the maturity of NASA’s infosec program via 61 metrics in five security function areas plus a subset of IT systems. This involved testing systems against corresponding security documentation, and interviewing information system owners and security personnel.

Unfortunately, the report assessed NASA’s cybersecurity program as at Level 2 (Defined) for the second year in a row — well short of the Level 4 (Managed and Measurable) required by the Office of Management and Budget in order to be judged effective.

The inspectors also flagged two serious issues: missing, incomplete and inaccurate data in system security plans and control assessments not conducted in a timely manner.

“We consider the issue of missing, incomplete, and inaccurate information security plan data to be an indicator of a continuing control deficiency that we have identified in recent NASA OIG reviews,” explained assistant inspector general for audits, Jim Morrison, in a letter to NASA’s CIO, Renee Wynn.

“Likewise, the untimely performance of information security control assessments could indicate control deficiencies and possibly significant threats to NASA operations, which could impair the agency’s ability to protect the confidentiality, integrity, and availability of its data, systems, and networks.”

The news is concerning given the willingness of nation state hackers to go after sensitive government IP, which could impact national security.

Yet it’s not the first time NASA has been called out for less than optimal cybersecurity: the agency received an even worse report card back in 2010 when the OIG inspected.

Last year, NASA also revealed that a server containing Social Security numbers and other identity data from current and former employees may have been compromised.

Categories: Cyber Risk News

Trump's 2020 Budget Asks for $11bn for Cyber-Defense

Info Security - Mon, 03/11/2019 - 19:21

In the proposed 2020 federal budget, released by the White House today, President Donald Trump has requested nearly $11bn be allocated to improving cybersecurity.

“For cyber, the budget continues to integrate efforts and operationalize US cyber strategy, while scaling artificial intelligence throughout the department,” the document stated.

Throughout the 150-page document, cybersecurity appeared several times, falling into different categories of national security across multiple sectors, whether it was combating cybercrime and cryptocurrency threats or continuing to consolidate IT infrastructure.

While the bulk of the funding would be used by the Department of Homeland Security (DHS) and the Department of Defense (DoD), the most substantial request was for nearly $10bn to advance the top three cyber missions of the DoD, which are “safeguarding DOD’s networks, information, and systems; supporting military commander; and defending the nation.”

Protecting the nation’s critical infrastructure continues to be a top priority, particularly in the nation’s energy sector. In order to address those threats and “ensure robust cybersecurity programs across the energy sector, the budget provides funding in multiple programs, including over $156 million for the recently established office of cybersecurity, energy security, and emergency response.”

The president requested additional resources for research and development, as well as funds to improve resilience in the private sector. “The budget includes more than $1bn for DHS’s cybersecurity efforts. These resources would increase the number of DHS-led network risk assessments from 473 to 684 – including assessments of state and local electoral systems – as well as for additional tools and services, such as the EINSTEIN and the Continuous Diagnostics and Mitigation programs, to reduce the cybersecurity risk to federal information technology networks.”

Recognizing that all of these efforts will require skilled candidates, part of the funding is also earmarked for training a new cybersecurity workforce. “As part of this initiative, DHS would hire at least 150 new cybersecurity employees using this system by the end of 2020. In this way, DHS would be better positioned to compete with the private sector for cyber talent.”

Categories: Cyber Risk News

ICS Ethernet Switches Littered with Flaws

Info Security - Mon, 03/11/2019 - 17:45

Security researchers discovered multiple vulnerabilities in Moxa industrial switches, according to Positive Technologies and Moxa.

Moxa published a security advisory stating that it had issued resolutions for the vulnerabilities in the EDS-405A, EDS-408A, EDS-510A, and IKS-G6824A series Ethernet switches, which are used to build industrial networks across several sectors including oil and gas, transportation, and maritime logistics.

“A vulnerable switch can mean the compromise of the entire industrial network. If ICS components are parts of the body, you can think of network equipment as the arteries that connect them all. So disruption of network interactions could degrade or even stop ICS operations entirely,” said Paolo Emiliani, industry and SCADA research analyst at Positive Technologies, in a press release.

Three of the vulnerabilities were identified as highly dangerous, according to the press release. Security experts Ivan Boyko, Vyacheslav Moskvin and Sergey Fedonin said, “The flaws could allow an attacker to recover passwords from a cookie intercepted over the network or by using XSS, extract sensitive information, or brute force credentials using the proprietary configuration protocol to obtain control over the switch and possibly the entire industrial network.”

Five of the vulnerabilities are specific to the EDS-405A, EDS-408A and EDS-510A series. An authenticated user could execute arbitrary code by exploiting any of them, and one of the identified vulnerabilities, "missing encryption of sensitive data," could give an attacker access via the unlock function, according to the advisory.

In the IKS-G6824A series, researchers discovered plain-text storage of passwords that could allow an attacker to reboot the device. In addition, an improper web interface access control could “result in read-only users being able to alter configurations.”

As a fix, Moxa said, “We suggest that users disable the web console access (HTTP) and use other consoles, such as SNMP/Telnet/CLI, to eliminate this potential vulnerability.” Customers can also request new firmware patches for several of the listed vulnerabilities.

“Positive Technologies experts advise disabling all unneeded equipment features (such as the management web interface) immediately after setup. If features cannot be disabled, companies should take preventive action to detect malicious activity with the help of an ICS monitoring and incident reaction solution,” the press release said.

Categories: Cyber Risk News

Presidential Hopefuls Leverage SXSW to Talk Cyber

Info Security - Mon, 03/11/2019 - 17:37

Despite Austin’s South by Southwest (SXSW) conference and festival being largely focused on film and music, 2020 presidential candidates arrived in Texas ready to talk about data privacy and cybersecurity.

On March 8, Sen. Elizabeth Warren made headlines for her promise to break up big tech companies such as Amazon, Google, Facebook and Apple, while Sen. Amy Klobuchar proposed reforming antitrust laws and the possibility of taxing technology companies that profit from consumer data.

In an interview at SXSW, Warren argued that companies that have a platform where goods are sold should not be able to then create goods that can be sold on that platform. With Apple’s app store, though, the security of the apps is a key consideration that must be part of the conversation. When pressed on the subject of security, Warren stated in an interview with The Verge:

Well, are they in competition with others who are developing the products? That's the problem all the way through this, and it's what you have to keep looking for.

If you run a platform where others come to sell, then you don't get to sell your own items on the platform because you have two comparative advantages. One, you've sucked up information about every buyer and every seller before you've made a decision about what you're going to sell. And second, you have the capacity – because you run the platform – to prefer your product over anyone else's product. It gives an enormous comparative advantage to the platform.

Both Warren and Klobuchar are targeting big tech companies under the guise of spurring innovation to preserve capitalism. In an interview with CBS correspondent Ed O’Keefe, Klobuchar talked about the need to revise existing antitrust laws, particularly in the tech space.

“We have seen an extraordinary amount of consolidation in these companies...I want to protect our capitalist system,” she said.

The 2020 Democratic candidate also broached the idea of a tax on companies that profit from sharing private information. “If they are making money off of you, you should be making money off of them. So if they start sharing your data in a big way, we should start taxing them for that, and that money should go back to consumers, either to protect cybersecurity or to bring down our debt.”

While data privacy is a paramount concern for many presidential hopefuls, dismantling big tech companies is not the path that each candidate would head down. “We need to discuss with the leaders of those companies their responsibility to the American people and their responsibility about privacy issues,” said former Starbucks CEO Howard Schultz, who has yet to announce whether he will make a bid for 2020. “What Sen. Warren is offering is not a solution for the American people.”

Categories: Cyber Risk News

EU's mobile payments market attracts global challengers

Outlaw.com - Mon, 03/11/2019 - 12:27
ANALYSIS: US technology companies, Chinese e-wallet providers and European fintechs have found different ways to compete for a share of the EU's mobile payments market.
Categories: Cyber Risk News

Why the HE sector must embrace cloud computing

Outlaw.com - Mon, 03/11/2019 - 11:01
ANALYSIS: Higher education providers that embrace cloud computing have an opportunity to access technology that can enhance students' learning experience, better support academics with their research, and make collaboration easier.
Categories: Cyber Risk News

Over 80% of Firms Suffer Security Skills Shortages

Info Security - Mon, 03/11/2019 - 10:56

The majority of security professionals believe it’s getting harder to recruit talent into the industry, according to a new study from Tripwire.

The firm commissioned Dimensional Research to poll over 300 industry professionals back in February, in order to compile its Tripwire 2019 Skills Gap Survey.

Some 85% claimed their IT security department is already understaffed, and just 1% said they can manage all of their organization’s cybersecurity needs with a shortfall in skills.

Almost all of those polled (96%) said they’re either currently facing problems recruiting or can see it coming. Of those, 68% are worried about falling behind on patching, 60% about being able to identify and respond to issues quickly and stay ahead of emerging threats, and 53% about losing their ability to manage and secure configurations properly.

Part of the challenge is the rapid rate of technological change and advances in the threat landscape: 93% of respondents claimed that the skills required to be a great security professional have changed over the past few years.

Perhaps unsurprisingly given the above, most respondents (93%) said they’d benefit from outside help, especially in areas such as security assessments (71%), pen testing (53%) and vulnerability management (51%).

"The skills gap issue continues to worsen, which is troubling, since cybersecurity threats only continue to grow,” argued Tripwire CTO, David Meltzer.

“Additionally, security teams are in search of new skill sets to deal with evolving attacks and more complex attack surfaces as they include a mix of physical, virtual, cloud, DevOps and operational technology environments. It's becoming more difficult to maintain critical security controls, and there are fewer people available to do it."

According to (ISC)2, there is a global shortfall of security professionals approaching three million today. Part of the problem is under-representation of women, who account for just a quarter (24%) of roles currently.

An Infosecurity Europe poll last Friday to coincide with International Women’s Day revealed that industry pros believe men still have more opportunities to progress in cyber-careers.

Categories: Cyber Risk News

Pre-GDPR UK Breach Reporting Was a Mess

Info Security - Mon, 03/11/2019 - 10:27
Pre-GDPR UK Breach Reporting Was a Mess

Many UK firms struggled to identify breach incidents, delayed reporting to the regulator and left out key details in the year prior to the GDPR, and could still be non-compliant today, according to new data obtained by Redscan.

The managed security services provider obtained its findings from Freedom of Information (FOI) data relating to 181 anonymized incidents reported to the Information Commissioner’s Office (ICO) in the financial year ending April 2018.

It took firms on average 60 days to identify they’d been a victim of a breach, and then another 21 days to report the incident. The longest a business took to identify a breach was 1320 days, and to report, 142 days.

The vast majority (93%) also left out key details in their reporting, such as the impact of the incident and their recovery processes.

That means less than a quarter would have complied with the GDPR had it been in force then, Redscan estimated. The new law stipulates a strict 72-hour reporting window once a breach has been discovered.

Although the figures in many ways highlight exactly why the new legislation was brought in, Redscan argued that the GDPR is unlikely to have changed behaviors.

“Anyone who thinks that businesses are better geared to detect and respond to breaches since May 2018 is kidding themselves,” the firm’s director of cybersecurity, Mark Nicholls, told Infosecurity. “Despite greater time pressures and larger fines, most organizations still lack the security expertise and resources they need.”

Before the GDPR, firms only needed to provide estimates of impact and recovery time; the reporting requirements are now far more onerous, and firms are struggling with them, he added.

“The information sought by the ICO goes way beyond the basics of recovery time and impact; businesses are now asked to provide estimates for the number of records affected and explain all measures being taken to mitigate possible adverse effects,” said Nicholls. “Businesses must also inform all individuals at risk, and to do that they need a full understanding of the scope of the breach.”

A report from DLA Piper in early February claimed there had been 59,000 breach reports to regulators since the GDPR was introduced, including 10,600 in the UK, although there was no info on whether these came in late and/or with incomplete information.

Categories: Cyber Risk News

#RSAC: Fixing the Mess of IoT Security

Info Security - Mon, 03/11/2019 - 10:00
#RSAC: Fixing the Mess of IoT Security

Ken Munro, partner at Pen Test Partners, opened his talk at RSA Conference 2019 by explaining how easy it was for him to hack a Wi-Fi-enabled tea kettle. He found the default password in the online manual. To recover the credentials for the home router, he sent the same AT command that the kettle’s own Wi-Fi module uses. He also bought used kettles on eBay and reset them to factory settings, but the previous owner’s router details survived the reset, so he had not only that Wi-Fi key but also the former owner’s address from the eBay transaction.

That was version 1.0 of the kettle. For later versions, the manufacturer hired security professionals to build security in.

“The security problems in IoT are systemic because now the vendors are realizing they don’t have the expertise, so they outsource. They outsource to providers of lots of different organizations. Find one vulnerability in that, and you have access to millions of devices,” Munro said.

The concern is that while these vulnerabilities may seem small or easily fixed on one device, the reach of the shared API goes much further. A front-end vulnerability in a smart hot tub might let an attacker control the temperature and the jets, but the back-end service provider behind it also delivers services to other devices, such as vehicles and medical equipment.

How do we address these systemic flaws? It starts with recognizing where they come from, such as default credentials or a shared back end that does not separate different clients’ devices and data.

“If you deliver IoT and outsource any of your services, it is critical that you check that those service providers are secure,” Munro said. Even if you don’t develop IoT, you consume it. He recommended finding out who is responsible for handling the security of all of the smart equipment in your office.

“If you take one thing from this talk,” he added, “put IoT security into your service contracts so you can follow-up if they let you down.”

Categories: Cyber Risk News

Iranian Group Stole 6TB of Data from Citrix

Info Security - Mon, 03/11/2019 - 09:50
Iranian Group Stole 6TB of Data from Citrix

An Iranian-linked hacking group has stolen terabytes of corporate data from Citrix as part of a major campaign against tech, oil and gas, and government organizations, according to a security vendor.

LA-based security firm Resecurity said on Friday it has shared details with law enforcement of a Christmas 2018 attack on the tech giant by the IRIDIUM group.

“The incident has been identified as a part of a sophisticated cyber-espionage campaign supported by nation state due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy,” it wrote in a blog post on Friday.

“Based on our recent analysis, the threat actors leveraged a combination of tools, techniques and procedures (TTPs) allowing them to conduct targeted network intrusion to access at least six terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.”

These TTPs included “proprietary techniques” designed to bypass two-factor authentication systems, and methods to access VPNs and single sign-on (SSO), it added.

Citrix CISO, Stan Black, confirmed the attack in a brief blog post, revealing that the firm was contacted by the FBI on March 6 with details of the intrusion.

He said the hackers had downloaded unspecified “business documents,” adding that there’s currently no sign that any Citrix products or services have been compromised.

“While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords,” Black revealed. “Once they gained a foothold with limited access, they worked to circumvent additional layers of security.”

Ojas Rege, chief strategy officer at MobileIron, argued that it’s time firms eliminated passwords altogether.

“Biometric authentication is the starting point because the end user now no longer has to remember passwords,” he added. “The back-end credential into enterprise systems can then be made much stronger to mitigate password spraying and similar attacks, all without creating pain for the end user.”

Categories: Cyber Risk News

#RSAC: The Most Dangerous New Attack Techniques & How to Counter Them

Info Security - Mon, 03/11/2019 - 09:15
#RSAC: The Most Dangerous New Attack Techniques & How to Counter Them

At RSA Conference 2019, a panel representing the SANS Institute – Heather Mahalik, director of forensics engineering at ManTech and mobile forensics course director; Ed Skoudis, instructor; and Johannes Ullrich, dean of research – addressed the most dangerous attack techniques facing organizations and individuals today.

According to Skoudis, there are two specific attack vectors that he’s seeing increasingly. First is the manipulation of the DNS infrastructure associated with specific enterprises. “Hackers are using credentials that they have compromised in the normal course of business,” he explained. “Bad guys are logging into DNS and name registrars and manipulating the DNS records there. Emails destined for your organizations are actually being redirected to them.”
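Because the attack Skoudis describes is a change to authoritative records rather than a break-in, the practical control is a baseline of the records you expect (NS, MX, A) checked against what resolvers actually return, with NS/MX changes paged out immediately. The following is an added example and not code from the SANS panel; the zone data is constructed (example.com names and documentation-range IPs), and in a real deployment `observed` would be built from live resolver queries while the baseline lives under change control with the registrar records.

```python
"""Baseline check for registrar/DNS record tampering (added example).

Records are modelled as {(owner, rtype): frozenset(values)}. The zone below
is constructed for illustration; nothing here is a real domain's data.
"""

NAME_TYPES = {"NS", "MX", "CNAME"}   # types whose values end in a hostname
HIGH_IMPACT = {"NS", "MX"}           # changes here redirect the zone or its mail


def _fqdn(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def normalize(records):
    """Canonicalise names and values so case differences or a missing trailing
    dot never show up as a bogus change."""
    out = {}
    for (owner, rtype), values in records.items():
        rtype = rtype.upper()
        vals = set()
        for v in values:
            v = v.lower()
            if rtype in NAME_TYPES:
                parts = v.split()            # e.g. "10 mx1.example.com"
                parts[-1] = _fqdn(parts[-1])
                v = " ".join(parts)
            vals.add(v)
        out[(_fqdn(owner), rtype)] = frozenset(vals)
    return out


def diff_records(baseline, observed):
    """Return a sorted list of (owner, rtype, kind, value) tuples where kind is
    'added' (only in observed), 'removed' (only in baseline) or
    'missing_rrset' (a whole record set disappeared)."""
    baseline, observed = normalize(baseline), normalize(observed)
    diffs = []
    for key in sorted(set(baseline) | set(observed)):
        if key in baseline and key not in observed:
            diffs.append((key[0], key[1], "missing_rrset", ""))
            continue
        base = baseline.get(key, frozenset())
        obs = observed.get(key, frozenset())
        for v in sorted(obs - base):
            diffs.append((key[0], key[1], "added", v))
        for v in sorted(base - obs):
            diffs.append((key[0], key[1], "removed", v))
    return diffs


def triage(diffs):
    """Split differences into (high, low). NS/MX changes reroute the whole zone or
    its inbound mail and warrant immediate paging; the rest is routine review."""
    high = [d for d in diffs if d[1] in HIGH_IMPACT]
    low = [d for d in diffs if d[1] not in HIGH_IMPACT]
    return high, low


# Constructed baseline: what the registrar and zone file are supposed to say.
BASELINE = {
    ("example.com.", "NS"): frozenset({"ns1.example.com.", "ns2.example.com."}),
    ("example.com.", "MX"): frozenset({"10 mx1.example.com.", "20 mx2.example.com."}),
    ("example.com.", "A"): frozenset({"192.0.2.10"}),
    ("www.example.com.", "A"): frozenset({"192.0.2.10"}),
}


def sample_observed():
    """Constructed snapshot: inbound mail silently redirected to a third-party
    host, plus a second A record on www that is a lower-priority review item."""
    obs = dict(BASELINE)
    obs[("example.com.", "MX")] = frozenset({"10 mail.example.org."})
    obs[("www.example.com.", "A")] = frozenset({"192.0.2.10", "198.51.100.5"})
    return obs


if __name__ == "__main__":
    high, low = triage(diff_records(BASELINE, sample_observed()))
    for d in high:
        print("PAGE  ", d)
    for d in low:
        print("review", d)
```

Run this from a vantage point outside your own resolvers (several public resolvers, ideally) so that a hijack at the registrar or the authoritative servers is visible rather than masked by cached answers, and keep the registrar account itself behind MFA, which is the panel's closing recommendation.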

The second attack vector is domain fronting, a technique that hides the true destination of an attacker’s traffic behind a legitimate domain on a shared CDN or cloud front end. That is just the start, he said: many of these attackers are disappearing into the cloud, where their traffic blends in with that of a trusted cloud provider.

Mahalik revealed how easily anyone can be targeted in individualized attacks. If someone wants your information, it can easily be tracked down in the cloud. “The lazier we get as humans, the better the glimpse into our lives for everyone else.” Information held in one cloud is shared with other clouds, making it available to the attackers who want it.

Ullrich returned to the DNS problem, which he framed as privacy versus security. If an attacker intercepts your DNS traffic they learn a lot about you, so the instinct is to move to something more private. Encrypting DNS lookups inside HTTPS seems like the obvious fix, but it also hides those queries from the security staff who would otherwise monitor DNS logs for anomalies in the traffic.

Finally, Ullrich pointed to the rise in CPU flaws, with attackers exploiting weaknesses in processor features to attack your systems.

The solution? All three experts said there needs to be an increase in the use of MFA to make it more difficult for outsiders to gain access to your networks, your clouds, your servers or your private information.

Categories: Cyber Risk News
