STE WILLIAMS

Security Talent Gap Threatens Adoption Of Analytics Tools

Finding qualified personnel with the right skillsets to configure and operate analytics platforms is a big challenge today, but workforce development, training, and more intuitive technology could help.

Most organizations are struggling to find security professionals with the right skills to properly operate and maintain security analytics platforms for detection and response. Some experts are looking for ways to close the talent gap via workforce development, training and, in some cases, technology.

The recently released SANS Institute 2015 Analytics and Intelligence Survey revealed that the demand for cybersecurity tools and resources has doubled since 2014. The majority of the 476 respondents (59 percent) cited a lack of skills and dedicated resources as the main obstacles to discovering and acting on cybersecurity incidents and breaches.

Finding these skillsets in today’s marketplace is difficult due to incredibly high demand for top talent that understands security information and event management (SIEM) systems and correlation, forensics, event management, and now, with analytics in the mix, pattern analysis across large diverse datasets, according to the SANS survey commissioned by security tools provider DomainTools.

The skill shortage challenge was ranked third by 30% of respondents in the 2014 survey, indicating that this problem is actually getting worse.

“There is absolutely a dearth of skilled analysts who have familiarity with network technology and the kinds of threat intelligence analytics that come from endpoint devices,” says Tim Chen, CEO of DomainTools. These analysts would need the skills to detect anomalies and take the appropriate measures to respond to incidents. However, that is just one piece of the human capital chain, he says.

Security professionals are pulling various data feeds and log and event data from disparate systems into databases where they can perform advanced analytics. Engineers are needed to write application programming interfaces and connect systems together on the backend so security operators can actually analyze the data. That is an often overlooked skillset, Chen says.

Only 3% of organizations in the SANS survey say their analytics and intelligence processes for pattern recognition are fully automated, and another 6% report having a “highly automated” intelligence and analytics environment.

By leveraging technologies and automation, organizations can better distribute their security operations teams’ workloads, putting senior staff to work on more advanced threats, and at the same time, foster the recruitment of top talent.

Many manual processes being performed by senior SOC staff could be automated, including weeding out false alarms, generating responses to help tickets, and generating reports on key metrics such as detection success or false positives, security experts say.

Security vendors are well aware of the need to write rules into their products that can help security professionals better prioritize alerts, says Tim Helming, director of product management with DomainTools. Some of the skills that are most valuable are hard to quantify because they come with judgement, intuition, and experience, and the analyst develops a sixth sense about alerts, which is tough to gauge during the hiring process, he says.

Workforce development crucial

Technology is just one way to address the cybersecurity skills gap. Workforce development is also paramount in addressing the problem, says Richard Spires, CEO of Learning Tree International, Inc. and a former chief information officer of the Department of Homeland Security.

“Clearly there are not enough people who have the skill competency to fill all the jobs in cybersecurity. You can’t hire your way out of this problem,” Spires says.

The IT management and training company recently launched IT Workforce Optimization Solutions, a comprehensive suite of services designed to help IT management plan, develop, and implement strategies to build and sustain high-performing IT organizations. The goal is to help IT organizations develop a culture to support professional development of their staff with an emphasis on skill assessment, individual development plans, training, mentoring, and matching people with the right assignments.

Security pros often get hired away once they reach a certain level of competency, so a key factor in development of individuals is how to retain them and help them feel they are part of a team.

The workforce solutions and services are based on the National Cybersecurity Workforce Framework as defined by the National Initiative for Cybersecurity Education (NICE) and the Skills Framework for the Information Age, which maps the skills of the workforce with the needs of a business.

Automation of technology is an important aspect of the equation to develop and retain skilled analysts, but everything cannot be automated given the complexity of IT environments, Spires says.

“You need on-the-job training to really understand data sets over time,” so once analysts learn about their systems and what is normal, they can automate tasks. However, with today’s IT environments, you still need the human element in the loop to help.

“I don’t see that changing for some time because of the complexity of our environments,” Spires says.


Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.

Article source: http://www.darkreading.com/careers-and-people/security-talent-gap-threatens-adoption-of-analytics-tools-/d/d-id/1323430?_mc=RSS_DR_EDT

The InfoSec Gender Divide: Practical Advice For Empowering Women

There is no one-size-fits-all approach for women to succeed in IT security. What you need is a roadmap and a little help from your friends.

While stigmas and stereotypes suggest the industry is not welcoming toward women, speaking from my own experience, I believe more women can become empowered women by researching IT security opportunities, developing security credentials, and seizing security opportunities when they arise.

But before I share my game plan, let me share a little about myself.

I earned my B.S. in Engineering and Masters in Business Administration, becoming a senior security engineer and security manager. Along the way, I increased my competencies and certifications in information security and business continuity to establish myself as a senior security and compliance management consultant and as a senior instructor for security training and certification courses.

As a young professional, I received important advice from my manager (a retired Air Force Colonel) to advance my career to the next level by expanding my skillset and achieving independent recognition of my skills. As such, I built the business case for training courses with certification exams, earning my Certified Business Continuity Professional (CBCP) and my Certified Information Systems Security Professional (CISSP). In response to the evolving security profession, I added: Information Systems Security Management Professional (ISSMP), Member of the Business Continuity Institute (MBCI) and Certified Information Systems Auditor (CISA).

Despite the workforce statistics, through working hard, continuing education and carving my own career path, I did not encounter gender discrimination or lack of encouragement. Here’s what made the difference:

Research IT Security Opportunities

As demand rises for IT security professionals of all stripes, so do opportunities for women. This is in response to regulatory and contractual compliance initiatives such as SOX, HIPAA, and PCI, scrutiny on the protection of personal information, and attention to cybersecurity threats and prevention. These trends are not showing signs of tapering.

Women should research and reach out to everyone they know (and don’t know) who works in IT security or knows someone who is a security practitioner. Pick their brains to identify the field(s) that pique your interest. Areas include:

  • Governance, risk management, and compliance (GRC) program
  • Security architecture and security engineering
  • Information security auditing
  • Identity and access management
  • System and network security
  • Secure software development and security testing
  • Security operations, incident response, investigations and forensics
  • Security product development along with technical sales and application engineering

Develop Security Credentials

Educational opportunities are widespread. Starting in grade school, science, technology, engineering, and mathematics (STEM) courses can prepare and steer young women toward careers in engineering, finance, IT, and IT Security. Women can explore the newer IT security and information assurance concentrations and programs inside university computer science or the business departments. Pairing internships with coursework creates an even more powerful combination. Through internships, you apply coursework and develop practical qualifications. As students, women should attend their region’s ISC2 Chapter, ISSA Chapter or ISACA Chapter meetings to meet security professionals, receive mentorship, and connect for internship opportunities.

Another trend in developing qualifications is taking professional security training while in college or shortly after graduation. This past summer, a mid-20’s woman in my CISSP class mentioned to me that her father encouraged her to earn a Security+ Certification while studying for her B.S. in biology. In this way, she differentiated herself from other college graduate job applicants. She is now protecting healthcare intellectual property and healthcare personal information.

Firsthand, my own mid-20s daughter’s “Big Four” firm motivated her to earn a CPA in her first year; then I coached her to earn a CISA. An interesting outcome is that she now leads an integrated assurance team. Now, we are discussing a CISSP certification to enhance her qualifications.

This advice also applies to women considering a career shift. Look for mentors at your current company or through one of the professional security organizations listed above. A mentor can guide your transition and suggest development points to enhance what you already offer. I often receive requests to meet for coffee from business analysts, infrastructure analysts or operators and financial analysts and auditors who want to learn how to transition into IT security and about applicable security certifications. I find this time productive and helpful in getting new ideas and expanding one’s network.

Seize Opportunities

In recent discussions with my CISSP and ISSMP students on the disparity between men and women in IT security, security managers of both genders point out that more men than women apply for their open positions, which in and of itself was not surprising. What WAS surprising to me is that men would apply for positions even though they didn’t have the required skills listed in the job description. On the other hand, women would apply for a job only if they were qualified, and in many cases, over-qualified.

While this is certainly not a scientific study, it paints a curious portrait pertaining to confidence levels. My advice for women would be to apply even if you need to learn, develop and train. Be confident! You cannot receive an offer you didn’t apply for. Periodically review IT Security job postings along your career path (or shifted career path) and note skill and certification requirements.

You’ll also need to develop your plan of learning and development to seize those opportunities. As security is a dynamic and expanding field, to remain relevant, you must stay up to date on the latest threats, risk management techniques and industry innovations. This implies continued reading and attending webcasts and training courses that build upon current knowledge. Furthermore, earning certifications is vital because it is independent verification of competency. Not only does this secure a position, it enhances and builds confidence for future career advancement and opportunities.

Barbara Johnson provides information security and business continuity management consulting services to U.S. government agencies, defense contractors, entertainment, finance, healthcare, technology and travel information services. Her expertise includes developing governance …

Article source: http://www.darkreading.com/careers-and-people/the-infosec-gender-divide--practical-advice-for-empowering-women-/a/d-id/1323578?_mc=RSS_DR_EDT

Validating Supply Chain Cybersecurity


How to identify risks, understand downstream effects, and prepare for incidents.

You’ve got your organization protected as best you can, but what about your supply chain? Like any type of chain, the security in your supply chain is only as good as the weakest link. Can malicious software find its way into your company or your products through your supply chain? Can a weak downstream link lead to an opportunity for exploits that take advantage of your intellectual property? Or can disruption of one link disrupt your profitability?

Almost every business is dependent on far-reaching supply chains, and we have already seen some serious cyber incidents from security lapses. Historically, supply chain professionals focused on protecting links through supplier qualification, insurance, and physical security, protecting against risks ranging from theft to delayed deliveries. While those practices remain essential, today’s supply chain professional must add a focus on information security to their defensive strategy. New efforts must focus on protecting intellectual property, defending against hacktivism and espionage, detecting embedded malware, and ensuring continuity of operations.

Managing security risk in your supply chain is new, but you have probably already been through a similar process with quality. First, you identify and classify each of your suppliers with regard to what they do now and the critical aspects of their contractual obligations. Then you define a clear baseline of security and privacy requirements for the group. Standards tools such as ISO/IEC 27036 (information security for supplier relationships) can provide a solid baseline.

With a baseline established, the next step is regular validation of security and privacy controls. Validation can be challenging, full of competing acronyms, contractual issues, and resource constraints. Doing this for every supplier in your chain is unrealistic for most companies, so it is important to prioritize. And fortunately there are standards and processes emerging for various industries that range from self-assessment to third-party certification.

One example is the Cloud Security Alliance’s Security, Trust, and Assurance Registry (STAR) for various cloud computing offerings. STAR is a straightforward three-level certification, accompanied by a publicly accessible registry. STAR provides important information about product certifications, including the date, country, term, and level of certification. Decisions can be based on a simple cost and risk comparison, or on more thorough analysis of the strengths and weaknesses of current or potential suppliers. Analogous to ratings systems in other industries such as banking or tourism, STAR requires little technical training to understand the difference between levels 1, 2, and 3 of certification.

These certifications are also valuable to your supplier. Suppliers can readily compare themselves to their competitors and build a strategic perspective of their own organization’s risks and opportunities.

From your customers’ perspective, your company includes the extended network of people, processes, and partners involved in delivering products and services. You cannot “go it alone” or dismiss these issues as limited to supply chain experts.

Validating the supply chain, whether it is for product quality or information security, is now an essential part of your success. You need to identify risks, to understand the potential downstream effects of a security breach or cyberattack, and to prepare response plans so that you can respond quickly to an incident. The alternative could be a serious loss of reputation, customers, and profits. 

Steve Grobman is the chief technology officer for Intel Security Group at Intel Corporation. In this role, Grobman sets the technical strategy and direction for the company’s security business across hardware and software platforms, including McAfee and Intel’s other security …

Article source: http://www.darkreading.com/partner-perspectives/intel/validating-supply-chain-cybersecurity/a/d-id/1323597?_mc=RSS_DR_EDT

Facebook, Google and Twitter agree to German demand to delete hate speech within 24 hours

Facebook, Twitter, and Google have agreed with Germany and will delete hate speech from their services within 24 hours to fight a rising tide of online racism.

The flood of refugees into Germany has been tied to a deluge of racist and xenophobic hate-speech on social media that Facebook, for one, had been accused of allowing to linger online.

According to Reuters, German Justice Minister Heiko Maas said on Tuesday that the agreement should make it easier for users and anti-racism groups to report hate speech to teams that specialize in the area at the three companies.

Getting it down in one day should be doable, he said:

When the limits of free speech are trespassed, when it is about criminal expressions, sedition, incitement to carry out criminal offenses that threaten people, such content has to be deleted from the net. And we agree that as a rule this should be possible within 24 hours.

Under pressure from Germany, Facebook had already launched a hate-speech task force in September.

In fact, before it even sat down with Maas in September, the company had agreed to do three things in the wake of the previous month’s anti-immigration violence.

Namely, Facebook promised to:

  • Partner with FSM, a German self-regulatory group of multimedia service providers.
  • Start the hate speech task force, working with nonprofits, companies, and government officials, including Maas.
  • Establish a campaign to promote “counter speech” in Germany, drawing in experts from the UK and Scandinavia to develop ways to combat racism and xenophobia through discussions on social media.

In October, a German prosecutor launched an investigation into three Facebook managers for allegedly “ignoring racist posts.”

In November, Germany launched yet another, similar investigation, this one into European head of Facebook Martin Ott, Facebook’s managing director for northern, central and eastern Europe, who’s based in Hamburg.

The prosecution said last month that Ott may be held responsible for his employer’s failure to remove hate speech.

A Facebook spokesperson told Reuters that the allegations lack merit and that there’s been no violation of German law by Facebook or its employees.

Twitter, for its part, gave up a separate fight to protect racist users in July, agreeing to unmask posters of racist content on its French service when ordered by a Paris court to hand it over.

Maas told reporters on Tuesday that the deal with the three companies will ensure that the companies adhere to German law when policing hate speech, rather than their own internal policies.

Under German law, anyone who makes a public comment inciting hatred or violence against someone on ethnic or religious grounds can face up to three years in prison.

A Google spokesperson told Tech Crunch that the company’s on board with Germany’s approach to hate speech:

We’re committed to working with Governments on this issue and work to review the majority of flagged content within 24 hours. YouTube’s policies have long prohibited hate speech and extremism, and we comply quickly with valid law enforcement requests.


Image of hate on keyboard courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bFFxR2ZE0QM/

Facebook throttles antagonistic, drive-by ‘fake name’ reporting

After getting slammed by critics for over a year with regards to its real-name policy, Facebook on Tuesday hugged it tight, saying yet again that the policy’s not going away.

But it is going to get better: starting on Tuesday, Facebook users in the US for the first time got the ability to add context to what’s hitherto been barebones reporting and verification functions.

Now, as Facebook’s blog post illustrated, reporting an account prompts Facebook to ask for more details so that it can understand the problem and gives four options with examples:

  • The profile doesn’t represent a real person. Examples: a fictional character, a profile made with pictures of models.
  • They’re using my or someone else’s name or photo. Examples: your name, a friend or celebrity’s name.
  • They’re using a name that they don’t go by in real life. Examples: a name that no one calls them.
  • Other

It also requires people who report accounts to help Facebook understand the problem by providing details.

That’s one of the tools Facebook’s initially testing in the US in pursuit of two goals: reducing the number of people asked to verify the name they use on Facebook when they already use the one people know them by, and making it easier for people to confirm their name if necessary.

Up until yesterday, reporting a supposedly “fake” name on Facebook has been as easy as the social media equivalent of a drive-by shooting.

That’s resulted in individuals and groups – including journalists and human rights activists – being antagonized with en masse account flagging.

An extensive list of others harmed by the real-name policy was provided by The Nameless Coalition, which in October penned an open letter (PDF) to Facebook explaining why the policy is broken and how Facebook could mitigate the damages it causes.

Facebook’s also testing a new tool that allows for more context when it comes to people having to verify their names.

The tool lets such people inform Facebook of a special circumstance and again gives the company more information about their particular situation and helps its review teams provide more personalized support.

The tool presents these options, plus the optional choice of providing more context:

  • Affected by abuse, stalking or bullying
  • Lesbian, gay, bisexual, transgender or queer
  • Ethnic minority
  • Other

The two new tools follow several other changes Facebook’s made to the real-name processes over the last year, including expanding the options and documents that can be used to verify a name.

It’s also started to roll out a new process in which people will have access to their account for seven days while they verify or update their name, as well as implementing additional security protections for documents that people share when verifying their name.

The Nameless Coalition had asked Facebook to provide users with the ability to submit the information using PGP or another common form of encrypted communication, so that their identity information would be protected during the submission process.

Facebook responded by promising that IDs submitted as part of the identity verification process would be encrypted when they’re temporarily stored on its servers.

This is all just the start, Facebook says.

From Facebook’s post, written by Justin Osofsky, Facebook’s vice president of Global Operations, and Todd Gage, product manager:

These improvements are only the beginning. Early in the new year, we will be looking at other ways we can reduce the number of people who have to go through an ID verification experience, while preserving the safety of other people on the site.

We will also continue to work on making the experience itself more compassionate and easier to navigate. Throughout this process, we will continue our ongoing conversations with the Facebook community so they can share their thoughts on improvements they’d like to see.

One of the most vocal critics of Facebook’s real-name policy, San Francisco drag queen and community activist Lil Miss Hot Mess, told Business Insider that she’s “cautiously optimistic” about the changes.

I’m cautiously optimistic about Facebook’s ‘real names’ improvements — they’ve been [a] long time coming and the devil will be in the details. It’s great that Facebook is finally taking steps to reduce ‘fake name’ reporting as a form of cyberbullying used to silence marginalized communities.

Facebook says that the new tools are now being tested on a limited basis in the US only, across mobile and desktop. Based on feedback, they’ll be rolled out globally.


Image of fake id courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/toDwdurHFbQ/

Press Backspace 28 times to own unlucky Grub-by Linux boxes

A pair of researchers from the University of Valencia’s Cybersecurity research group have found that if you press backspace 28 times, it’s possible to bypass authentication during boot-up on some Linux machines.

The problem’s not a kernel nor an operating system problem, but rather one in the very popular bootloader Grub2, which is used to boot an awful lot of flavours of Linux.

Essentially, if you enable Grub2’s password protection during system startup, it won’t do you much good – it can be easily defeated. (Luckily, the vast majority of distributions of Linux do not enable this by default.)

As Hector Marco and Ismael Ripoll explain in an advisory, hitting the backspace key 28 times at the Grub username prompt during power-up will produce a “rescue shell” under Grub2 versions 1.98 (December, 2009) to 2.02 (December, 2015).

The rescue shell offers all manner of opportunities for fun, as it allows unauthenticated access to a machine and the ability to load another environment. Once your preferred environment is running, you can install a rootkit, browse local storage resources and launch many forms of attack.

The source of the bug is an integer underflow fault that the researchers pin onto a single commit in 2009 – b391bdb2f2c5ccf29da66cecdbfb7566656a704d in case it was you – that affects the grub_password_get() function.
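As an added illustration of the bug class named above (a constructed model, not Grub2's code and not the researchers' proof of concept): a line editor whose unsigned length is decremented on backspace without a zero check wraps to a huge value, shown beside a hardened version and an audit helper that flags key sequences on which the unchecked logic would wrap.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a password prompt's line editor (not Grub2 source).
 * Bug class: an unsigned cursor is decremented on backspace without checking
 * that it is already zero, so a run of backspaces wraps it and later writes
 * land far outside the buffer. */

/* Audit helper: replays a key sequence against the UNCHECKED logic using a
 * signed counter, so the wrap is detected without any out-of-bounds write.
 * Returns 1 if the unchecked decrement would wrap, 0 otherwise. */
int would_underflow(const char *keys)
{
    long cur_len = 0;
    for (; *keys != '\0'; keys++) {
        if (*keys == '\b')
            cur_len--;          /* unchecked logic: no "cur_len > 0" test */
        else
            cur_len++;
        if (cur_len < 0)
            return 1;           /* an unsigned counter would now be SIZE_MAX */
    }
    return 0;
}

/* Hardened line editor: backspace at position 0 is ignored, appends are
 * bounds-checked, and the result is always NUL-terminated.
 * Returns the number of characters left in 'out'. */
size_t edit_line_checked(const char *keys, char *out, size_t out_size)
{
    size_t cur_len = 0;
    if (out_size == 0)
        return 0;
    for (; *keys != '\0'; keys++) {
        if (*keys == '\b') {
            if (cur_len > 0)    /* the missing zero check */
                cur_len--;
            continue;
        }
        if (cur_len + 1 < out_size)   /* keep room for the terminator */
            out[cur_len++] = *keys;
        /* else: drop keystrokes that do not fit */
    }
    out[cur_len] = '\0';
    return cur_len;
}

int main(void)
{
    char buf[16];
    char abuse[29];                     /* constructed: 28 backspaces */
    const char *normal = "secret\b\bt"; /* constructed: ordinary editing */

    memset(abuse, '\b', 28);
    abuse[28] = '\0';

    printf("unchecked logic wraps on normal input:  %d\n", would_underflow(normal));
    printf("unchecked logic wraps on 28 backspaces: %d\n", would_underflow(abuse));
    edit_line_checked(abuse, buf, sizeof buf);
    printf("hardened result for 28 backspaces: \"%s\"\n", buf);
    edit_line_checked(normal, buf, sizeof buf);
    printf("hardened result for normal input:  \"%s\"\n", buf);
    return 0;
}
```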

The researchers prepared a proof-of-concept attack exploiting the flaw to hide a backdoor on a computer, and – oh unhappy day – found that 55 virus-fighting tools could not detect the infection.

The duo claim “Grub2 is the bootloader used by most Linux systems including some embedded systems. This results in an incalculable number of affected devices.”

The good news is the researchers have also cooked up a fix, available here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/17/press_backspace_28_times_to_own_any_grubby_linux_box/

Spoiler alert! Try these “Star Wars: The Force Awakens” spoiler-blocker extensions

Web filtering software is great for security, for example by blocking phishing sites and keeping out exploit kits and malware.

Nevertheless, you may have had a falling-out with web filtering in your company at some point, for example when you and IT argued about whether your favorite fantasy football site was work-related or not.

But here’s some content filtering that you and the sci-fi fans in IT will agree upon, at least if you’re Star Wars nerds like me: browser extensions that shield you from spoilers about the newest film in the cult franchise, “Star Wars: The Force Awakens,” premiering this Friday, 18 December 2015.

Force Block is one of these extensions, available for Google Chrome users.

If you browse to a website with potential spoilers, the Force Block extension covers the entire webpage with a black screen containing a warning.

Force Block uses pattern-matching logic to detect keywords relating to Star Wars in general, and looks out for quotes from the new film, sourced from people who’ve seen it in early release, according to the folks at Priceless Misc who developed the extension.

The Force Block warning messages contain amusing references to the rest of the Star Wars canon.

[Force Block screenshot]

Here are a few examples of warnings I’ve seen after installing the extension:

The ability to destroy a planet is insignificant next to the power of spoilers.

The spoilers are strong with this page.

I felt a great disturbance in the Force … this page has possible spoilers.

That’s no moon, it’s a spoiler.

Spoilers not make one great.

He doesn’t like spoilers, I don’t like spoilers either.

These are not the spoilers you’re looking for.

Spoilers ahead … many Bothans died to bring us this information.

These blast points are too accurate for sandpeople, only imperial spoilers are so precise.

If you’re willing to risk it, you have the options to “proceed anyway” or unblock the URL for future visits.

Some reviewers of the extension in the Chrome Web Store have complained that Force Block is “too sensitive,” leading to false positives that make it hard to know when the extension is working as it should.

Ironically, once you have the extension running, Force Block blocks pages about Force Block itself, as well as blocking some websites with the word “spoiler,” even if they don’t contain any Star Wars keywords (as I discovered when I checked out the Spoiler Shield mobile app, which claims to block spoilers in your mobile Facebook and Twitter feeds).

Another Chrome extension, Unspoiler, helpfully blocks Star Wars spoilers within a webpage, but without blocking the entire page, so you can continue using the site and see other content.

If you’re a Firefox user, you can try add-ons that block specific keywords, such as ProCon.

None of these spoiler blockers is fool-proof, so proceed with caution, may the Force be with you … and once you see Star Wars for yourself, try not to spoil it for the rest of us.


Image of Star Wars promotional display courtesy of TeeRoar / Shutterstock.com.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tz_vWhZIMzE/

Congress strips out privacy protections from CISA ‘security’ bill

The little-loved Cybersecurity Information Sharing Act (CISA) will likely become law this week, and in a form far worse than first thought.

After passing the House of Representatives and the Senate, CISA has been marked up in congressional sessions in a way that has removed most of its privacy protections. CISA has also been tacked onto an omnibus bill that the White House is unlikely to veto.

“It looks like a done deal,” EFF legislative analyst Mark Jaycox told The Register. “It’s what we’ve been saying about CISA from the start – this has been couched as a security bill but it’s not.”

Under the original CISA legislation, companies would share their users’ information with federal government departments once it had been anonymized. The government could then analyze it for online threats, while the companies received legal immunity from prosecution for breaking existing privacy agreements.

But as the bill was amended, the privacy parts of the proposed law have been stripped away. Now companies don’t have to anonymize data before handing it over. In addition, the government can use it for surveillance and for activities outside cybercrime. And in addition, companies don’t have to report security failings even if they spot them.

The chance to question those changes before it becoming law has also been limited thanks to the bill being folded into an omnibus bill containing a whole host of unrelated budgetary and business matters. It’s highly unlikely the White House would veto the legislation for this one matter as there is too much riding on the overall bill passing.

While it may seem the battle is lost, Jaycox said there was still work to be done, both in amending CISA (assuming it is passed) and in working to prevent similarly flawed legislation being signed off by legislators.

“We need to work on the further education of Congress; this isn’t the be-all and end-all security bill – there will be others,” he said. “CISA also has to be implemented by departments, notably the Department of Homeland Security, and we’ll be watching how this is done.”

The traditional way of overcoming bad law is in the US courts. As with encryption in the 1990s, the judiciary can be very effective in bringing sense to badly framed legislation.

But there is a problem with this approach when it comes to CISA. Under the language of the legislation, all data handed over is immune from freedom of information requests. That will make it difficult for individuals to act and protect their privacy from government intrusion. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/16/congress_strips_out_privacy_protections_from_cisa_security_bill/

SQL Injection, XSS Flaws Found In Network Management System Products

Patches available for two flaws, pending for four others.

Security vendor Rapid7 today disclosed cross-site scripting (XSS) and SQL injection vulnerabilities it found in network management system products from Spiceworks, Ipswitch, Castle Rock Computing, and Opsview.

Patches are currently available for two of the disclosed vulnerabilities. Two patches are pending from Castle Rock, which has yet to disclose a date when they would become available and Ipswitch, which was supposed to release patches for two flaws today but doesn’t appear to have done so.

In an alert, Rapid7 principal security research manager Tod Beardsley described network management systems as presenting a valuable target for attackers.

“By subverting these systems, an attacker can often pull an immense amount of valuable intelligence about the internal infrastructure,” he wrote. “The fact that many of these protocols are delivered over SNMP is also very interesting; too often, designers of management software which is intended for internal use don’t consider the insider threat.”

Beardsley told Dark Reading there’s a presumption within many organizations to implicitly trust data from an SNMP device simply because it is an internal protocol and the devices are assumed to be known devices. “You don’t usually think of SNMP data as user supplied, but that’s exactly what it is,” he says. “If I have a device on your network, I can say whatever I want to say.”

The Spiceworks vulnerability affects the company’s Spiceworks Desktop Web application. In its alert Rapid7 described the vulnerability as an XSS flaw resulting from insufficient filtering of data supplied via SNMP. The flaw, which has been patched, basically allows an unauthenticated user to execute arbitrary code in an authenticated user’s browser and use that access to launch further attacks.
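The pattern Beardsley describes, SNMP-supplied strings such as sysName or sysDescr being rendered into a management web page without output encoding, is illustrated by the added example below. It is not code from Rapid7 or any of the named vendors; the records and the hostile sysName value are constructed, and the field names follow the standard MIB-II objects.

```python
import html
import re

# Constructed sample: device records as an NMS might collect them over SNMP.
# Anything a device reports (sysName, sysDescr) is controlled by whoever
# controls that host, so it must be treated as untrusted user input.
SNMP_RECORDS = [
    {"sysName": "core-sw-01", "sysDescr": "Acme Switch OS 4.2"},
    # constructed hostile value: markup embedded in the device name
    {"sysName": "edge-rtr <script>document.title='x'</script>",
     "sysDescr": "Acme Router OS 1.0"},
]


def render_row_unsafe(rec):
    """The flawed pattern: SNMP strings concatenated straight into HTML."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (rec["sysName"], rec["sysDescr"])


def render_row_safe(rec):
    """Hardened form: every device-supplied string is HTML-escaped on output."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(rec["sysName"], quote=True),
        html.escape(rec["sysDescr"], quote=True),
    )


def render_table(records, row_fn):
    """Build the device inventory table using the given row renderer."""
    return "<table>" + "".join(row_fn(r) for r in records) + "</table>"


# HTML metacharacters and entity prefixes that never belong in a hostname
# or OS description string.
_MARKUP = re.compile(r"""[<>"']|&#|javascript:""", re.IGNORECASE)


def suspicious_snmp_values(records):
    """Detection aid: return (sysName, field) for records whose MIB strings
    carry markup. Legitimate values almost never do, so a hit is worth an
    alert from the collector before the data ever reaches a browser."""
    hits = []
    for rec in records:
        for field in ("sysName", "sysDescr"):
            if _MARKUP.search(rec[field]):
                hits.append((rec["sysName"], field))
    return hits
```

Escaping at the point of output is the fix; the detection helper only tells the SOC that a device on the internal network is feeding the collector something other than a hostname.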

Two of the vulnerabilities that Rapid7 disclosed this week affect the WhatsUpGold network monitoring and performance management product from Ipswitch. One of them is a persistent XSS flaw while the other is a SQL injection error. According to Rapid7, the XSS flaw in WhatsUpGold does not require the attacker to be authenticated and enables threat actors to steal data, modify system configurations, and generally take full control of a compromised system. The SQL injection error in WhatsUpGold requires an attacker to be authenticated to the system first but allows data to be extracted from the application’s underlying database.

Ipswitch is scheduled to release patches for both issues Dec. 16, but as of Wednesday afternoon, nothing appears to have been released, Beardsley says.

Of the remaining three flaws, two were in Castle Rock’s SNMPc Enterprise and its SNMPc OnLine Web-based monitoring tool, respectively. As with Ipswitch, one of the flaws is an XSS error while the other is a SQL injection issue. The XSS flaw allows an unauthenticated attacker to compromise data and change system configuration while the SQL injection error enables access to the application’s database. Patches are pending for both flaws.

The sixth flaw, also an XSS error, exists in Opsview’s Web application component. The flaw lets attackers execute arbitrary code in an authenticated user’s browser session, which can then be used to launch further attacks on the Web application. Opsview has released a patch for the bug.

In order to exploit any of these flaws, an attacker would at minimum need to have some presence on the internal network, either via a previous compromise or by using a conference room or a waiting room to gain access, Beardsley says. The XSS flaws do not require the attacker to be authenticated on the network, while the SQL injection errors do require authentication and allow privilege escalation.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/vulnerabilities---threats/sql-injection-xss-flaws-found-in-network-management-system-products/d/d-id/1323585?_mc=RSS_DR_EDT

HIV dating app leaks sensitive user data, threatens infection when alerted

A dating app for HIV-positive people that was leaking sensitive user data apparently threatened to infect the admin for a site that planned to write about it.

What the dating app, Hzone, threatened:

Why do you want to do this? What’s your purpose? We are just a business for HIV people. If you want money from us, I believe you will be disappointed. And, I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don’t want to get HIV from us? If you do, go ahead.

Well, that’s a first, the admin for Databreaches.net – “Dissent” – told Salted Hash’s Steve Ragan over at security publication CSO.

In an email to Ragan, Dissent said that she couldn’t recall any response that “even comes close to this level of insanity.”

Hzone, launched in March 2015, is a dating app for HIV singles that allows users to Tinderishly swipe profiles right or left.

It’s rated four out of five stars on its partner site, HIV Positive Dating, a support and dating group for people with sexually transmitted diseases.

According to CSO, Hzone representatives claim that the app has more than 4900 registered users.

The leakage was brought to light by Chris Vickery.

Given that it has to do with a MongoDB database that houses Hzone’s data – and given that Chris Vickery is the name of the help desk guy by day/security researcher by night who identified that the MongoDB-propelled MacKeeper is failing to keep 13 million Macs safe – I’m going to hazard a guess that this is one and the same MongoDB poker and have reached out to him to confirm that.

At any rate, Vickery discovered that sometime before 29 November, the MongoDB database had been exposed to the internet and was leaking data, with 5027 accounts (it apparently picked up 100 accounts over the span of a week of leakage) fully available to anyone who knew how to discover public-facing MongoDB installations.

Vickery’s efforts to responsibly disclose the leakage were met with silence on the part of a nonresponsive Hzone, so he looked to the DataBreaches.net blog for help.

Five days after repeated notifications from Vickery and DataBreaches.net’s Dissent, Hzone finally stirred itself to respond with the bizarre message above.

In all that time, sensitive data was up for grabs. That included users’ date of birth, religion, relationship status, country, email address, ethnicity, height, last login IP address, username, orientation, number of children, and password hash.

Dissent noted that users can also enter their nicknames, share their political views and sexual life experiences, and post their photo in their profile.

On top of all that, Hzone’s database also stores messages posted by members – often with personal or sensitive information, such as this:

Hi. I was diagnosed 3 years ago now. CD4 and Viral Load is relatively good. I’m therefore not on Meds yet. My 6-monthly blood tests are due in June. Planning to go in meds. I’m worried about the side effects. What kinds of side effect have you experienced? Xx

Dissent says that DataBreaches.net filed a complaint with the US Federal Trade Commission (FTC) last Wednesday (9 December) urging them to talk some sense into the developer.

The FTC didn’t respond, Dissent says.

Apple’s iTunes App Store did respond when the blog contacted it on Saturday (12 December), saying that it would investigate.

Finally, on Monday night, the database was secured, but only after far more back-and-forth between Vickery, Databreaches.net and an Hzone spokesperson who admitted in an email that the company’s tech team wasn’t exactly what you’d call particularly tech literate.

Dissent’s post is replete with even more scarcely believable details about Hzone.

It’s well worth a read, though you might want to put a pillow down on your desk first if you’re given to head bangery.

I feel the need to echo Dissent’s “User Beware” notice. If you know anybody who might be using Hzone, please do ask them to read her post.

Her warning:

While anyone can have a leak or breach, Hzone’s failure to timely respond to notification, the lack of encryption for stored sensitive data, and their refusal to delete profiles when they have inadequate incident response are truly concerning.

Image of HIV test label courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GIirStjTNJ0/