STE WILLIAMS

UK ruling party’s conference app editable by world+dog, blabs members’ digits

The UK’s Conservative Party has kicked off its annual conference by exposing its MPs’ phone numbers to anyone able to guess their email addresses.

Party chairman Brandon Lewis was planning to sell the “interactive” app – which will allow attendees to give feedback on speeches as they happen – as evidence that the ruling party was embracing tech in a bid to win over the youth vote (another idea was to have the culture secretary appear as a hologram).

But soon after its launch, users took to Twitter to point out that not only were contact details and personal information visible – they could also be edited.

Particular targets appeared to be Michael Gove, whose picture was changed to that of his former boss Rupert Murdoch, and Boris Johnson, whose name and profile picture were reportedly changed during the incident.

Crowd Comms, the company behind the app, said the error “meant that a third party in possession of a conference attendee’s email address was able, without further authentication, to potentially see data which the attendee had not wished to share – name, email address, phone number, job title and photo”.

Since email addresses are often pretty easy to guess, or – in the case of MPs or other professionals registered on the app – a case of public record, the cock-up had a wide potential impact.
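The flaw Crowd Comms describes is a missing authorisation check: the email address, which is guessable or public, was treated as if it were a credential. The following is an added example, not code from the conference app or from Crowd Comms, showing that pattern next to a hardened version in which both reading and editing a profile are bound to an authenticated session, and in which anyone without such a session sees only the fields the attendee chose to publish. All attendee records, passwords, phone numbers and the salt are constructed for the demonstration.

```python
"""
Added example (not the conference app's own code): an attendee lookup
where a known email address is the only "credential", next to a hardened
version that binds both reading and editing to an authenticated session.
Every record, password and phone number here is constructed.
"""
import hashlib
import hmac
import secrets

# Constructed attendee directory; phone numbers are placeholders.
ATTENDEES = {
    "attendee.one@example.test": {"name": "Attendee One", "job_title": "MP",
                                  "phone": "+44 0000 000001", "photo": "one.jpg"},
    "attendee.two@example.test": {"name": "Attendee Two", "job_title": "MP",
                                  "phone": "+44 0000 000002", "photo": "two.jpg"},
}
# Fields an attendee has agreed to publish; everything else is private.
PUBLIC_FIELDS = {"name", "job_title"}


class Forbidden(Exception):
    """Raised when a session does not own the profile it tries to change."""


# ---- Vulnerable pattern: knowing the address is enough -------------------
def profile_vulnerable(email):
    """Full record, private fields included, for anyone who guesses the email."""
    return dict(ATTENDEES[email])


def edit_vulnerable(email, changes):
    """No check at all on who is asking; any field can be overwritten."""
    ATTENDEES[email].update(changes)
    return dict(ATTENDEES[email])


# ---- Hardened pattern: session-bound authorisation -----------------------
_SALT = b"constructed-demo-salt"  # a real deployment uses a per-user random salt


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed credential store (salted PBKDF2 hashes, never plaintext).
CREDENTIALS = {
    "attendee.one@example.test": _hash_password("correct horse battery"),
    "attendee.two@example.test": _hash_password("staple trombone"),
}
SESSIONS = {}  # random session token -> email of the attendee who logged in


def login(email, password):
    """Issue an unguessable session token only after the password verifies."""
    expected = CREDENTIALS.get(email)
    if expected is None or not hmac.compare_digest(expected, _hash_password(password)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def profile_hardened(session_token, email):
    """Owner sees everything; anyone else sees only the published subset."""
    record = ATTENDEES.get(email)
    if record is None:
        return None
    if SESSIONS.get(session_token) == email:
        return dict(record)
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


def edit_hardened(session_token, email, changes):
    """Editing requires a session that belongs to the profile being edited."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != email:
        raise Forbidden("session does not own this profile")
    ATTENDEES[email].update(changes)
    return dict(ATTENDEES[email])


if __name__ == "__main__":
    print("vulnerable:", profile_vulnerable("attendee.one@example.test"))
    print("hardened, no session:", profile_hardened(None, "attendee.one@example.test"))
```

The hardened lookup still accepts an email as the record key; what changes is that the private fields and the edit path are gated on a session the server itself issued, so knowing someone's address buys nothing beyond what they chose to publish.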

However, Lewis – who declined to say how many people had been affected – insisted that a “limited number of delegates” were hit.

In a video interview, he told Sky News that the party was contacting them to outline “exactly what has happened” – the text of this note has been shared on Twitter, and points the finger firmly at the app developer.

Crowd Comms claimed that the error was “rectified within 30 minutes”, but it isn’t clear when the clock started ticking, as it is possible the company was informed about the breach privately before it was put on Twitter.

The snafu is a huge embarrassment for the Tories at a time when they are trying to manage the much tougher problem of Britain’s exit from the European Union, and improve its reputation with the public as the threat of another election remains real.

It also follows a disastrous 2017 conference, which saw PM Theresa May handed a P45* during her keynote, after which the letter “F” fell off the slogan on the board behind her.

However, one Tory MP who might be having a quiet smirk about the incident is Matt Hancock (the then digital secretary, now health secretary), whose eponymous app launch was widely criticised for its data privacy and security – but at least it didn’t expose people’s phone numbers.

Both Crowd Comms and the Conservatives have issued the requisite apologies for the error, while the Information Commissioner’s Office has confirmed it is making enquiries.

Whether it will take action against the Conservatives is another question – most recently the party escaped with a ticking off after phone calls made on its behalf “crossed the line” into unlawful direct marketing.

And whether any action will make an impact in the long run is another matter, because, despite their posturing, political parties appear happy to play fast and loose with privacy laws when it enables them to sign people up to their mailing lists.

Meanwhile, Conservative MP Nadine Dorries has become embroiled in her own security blunder after pranksters changed the text on her parliamentary website to include suggestions that the Irish border problem could be solved by drones and the blockchain.

“In consultation with Boris, our partners in the D.U.P. [Democratic Unionist Party] and the [pro-Brexit Tory support group] E.R.G. I wish to state that we will insist on a friction-less solution to all security concerns and debate with our Irish colleagues the very real technical solution of building an electronic defense system using solar powered drones to deploy a massive block-chain spanning the 499km Irish border.”

The end of the page also states: “Comments, Webshells and shellcode are welcome.”

Despite the issue being widely pointed out on social media, her team is either unaware or unable to fix the problem.

Dorries has something of a reputation when it comes to cyber security. Last year she advertised the fact she shouts her passwords out across the office after fellow MP Damian Green was hit with allegations over porn found on his work computer.

The Register has tried to reach Dorries for comment. ®

* “Details of employee leaving work” – the UK government standard tax form given to Brits when they’ve left or been booted out. Also known as a pink slip…

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/10/01/tory_conference_app_data_breach_dorries_blockchain_prank/

Financial Conduct Authority fines Tesco Bank £16.4m over 2016 security breach

The Financial Conduct Authority (FCA) has slapped a £16.4m fine on Tesco Bank for the security vulnerabilities that led to millions of pounds being pilfered from thousands of customers’ online accounts two years ago.

As revealed by us at the time, Tesco called on the National Cyber Security Centre to probe the 5 November 2016 attack that ultimately saw a total of £2.26m stolen from 9,000 customers’ accounts over 48 hours. Tesco had been forced to suspend online and contactless transactions in the immediate aftermath of the breach as it probed the root cause.

The fine, made public today, is for the bank’s failure to demonstrate “due skill, care and diligence” in safeguarding personal current account holders against infosec nasties, the FCA said.

“The FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” said the FCA’s Mark Steward, exec director of enforcement and market oversight.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all,” he added.

Tesco Bank had actually received a fraud alert from Visa in November 2015, roughly a year before the attack, about fraudulent transactions similar to the one that eventually hit its business.

The crooks most likely employed an algorithm that generated authentic debit card numbers, and these “virtual” cards were then used for unauthorised transactions, the FCA said.

The FCA said crooks took advantage of deficiencies in the “design” and “distribution” of Tesco’s debit card, but it also highlighted other failings including the way the bank configured specific authentication and employed fraud detection rules.

For example, Tesco Bank’s financial crime operations team emailed the fraud strategy inbox rather than phoning the on-call Fraud Strategy Team – as internal regs required. So it took 21 hours for the two teams to make contact and nothing was done in the interim to halt the attack.

The majority of the transactions were made in Brazil and relied on magnetic strip rules, a method known as PoS 91 that is mostly used outside of Europe and carries no limits on the value or number of transactions.
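The findings above amount to three detection gaps: no cap on the number or value of magstripe (PoS 91) transactions from outside Europe, and nothing that noticed a flood of freshly generated card numbers. The following is an added example, not Tesco Bank’s or the FCA’s code, of fraud-strategy rules that would have fired on that pattern, replayed over a constructed authorisation stream. The entry-mode labels, country list, thresholds, card numbers and timestamps are all made up for the demonstration and are not a claim about any card scheme’s message formats.

```python
"""
Added example (not Tesco Bank's or the FCA's code): fraud-strategy rules
of the kind the FCA's findings point to, run over a constructed
authorisation stream. Transactions, card numbers, thresholds and the
country list are all made up for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "91" stands in for the magnetic-stripe entry mode the article calls
# PoS 91; "05" is used here for a chip transaction. Both are labels for
# this example, not a claim about any scheme's message formats.
MAGSTRIPE_MODES = {"91"}
# Constructed subset of European country codes.
EUROPE = {"GB", "IE", "FR", "DE", "ES", "IT", "NL", "BE", "PT"}

# Limits the article says PoS 91 traffic lacked: a per-card cap on the
# number and value of magstripe transactions outside Europe per hour, plus
# a burst detector for many never-seen cards sharing one BIN (the
# "generated card numbers" pattern).
RULES = {
    "max_magstripe_txns_per_hour": 3,
    "max_magstripe_value_per_hour": 500.00,
    "new_cards_per_bin_10min": 3,
}

# Constructed stream: (txn_id, card, timestamp, country, entry_mode, amount)
TXNS = [
    ("t1", "4000000000000001", "2016-11-05T02:00:00", "BR", "91", 120.00),
    ("t2", "4000000000000002", "2016-11-05T02:01:00", "BR", "91", 120.00),
    ("t3", "4000000000000003", "2016-11-05T02:02:00", "BR", "91", 120.00),
    ("t4", "4000000000000001", "2016-11-05T02:10:00", "BR", "91", 120.00),
    ("t5", "4000000000000001", "2016-11-05T02:15:00", "BR", "91", 120.00),
    ("t6", "4000000000000001", "2016-11-05T02:20:00", "BR", "91", 120.00),
    ("t7", "4000000000000009", "2016-11-05T02:21:00", "GB", "05", 900.00),
    ("t8", "4000000000000002", "2016-11-05T02:25:00", "BR", "91", 450.00),
]


def screen(transactions, rules=RULES):
    """Replay the stream in order; return declines and BIN-burst alerts."""
    hour = timedelta(hours=1)
    burst_window = timedelta(minutes=10)
    per_card = defaultdict(deque)       # card -> deque[(ts, amount)] of risky txns
    seen_cards = set()
    new_per_bin = defaultdict(deque)    # BIN -> deque[ts] of first sightings
    declined, bin_alerts = [], []

    for txn_id, card, ts_text, country, mode, amount in transactions:
        ts = datetime.fromisoformat(ts_text)

        # Rule 3: a burst of brand-new cards on one BIN looks like an
        # enumeration of generated numbers rather than organic traffic.
        if card not in seen_cards:
            seen_cards.add(card)
            firsts = new_per_bin[card[:6]]
            firsts.append(ts)
            while ts - firsts[0] > burst_window:
                firsts.popleft()
            if len(firsts) >= rules["new_cards_per_bin_10min"]:
                bin_alerts.append((txn_id, card[:6], len(firsts)))

        # Rules 1 and 2 only apply to magstripe traffic outside Europe.
        if mode not in MAGSTRIPE_MODES or country in EUROPE:
            continue
        recent = per_card[card]
        while recent and ts - recent[0][0] > hour:
            recent.popleft()
        recent.append((ts, amount))     # attempts count even when declined
        if len(recent) > rules["max_magstripe_txns_per_hour"]:
            declined.append((txn_id, "velocity"))
        elif sum(a for _, a in recent) > rules["max_magstripe_value_per_hour"]:
            declined.append((txn_id, "value"))

    return {"declined": declined, "bin_alerts": bin_alerts}


if __name__ == "__main__":
    for key, hits in screen(TXNS).items():
        print(key, hits)
```

On the constructed stream the fourth magstripe attempt on card ...0001 is declined for velocity, the second attempt on card ...0002 pushes its hourly total past the cap, and the third never-seen card on the same BIN within ten minutes raises the burst alert; the chip transaction in Britain passes untouched. The point the FCA makes is that such rules are only useful if the team that owns them can be reached and can change them in minutes, not 21 hours.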

The FCA also castigated Tesco for failing to “take appropriate action to prevent the foreseeable risk of fraud” and for failing to “respond to the… cyber attack with sufficient rigour, skill and urgency”.

Steward at the FCA added: “Banks must ensure that their financial crime systems and the individuals who design and operate them must work to substantially reduce the risk of such attack occurring in the first place.”

He said prevention was better than cure, and claimed Tesco had finally boosted its controls with the aim of stopping “this type of incident from being repeated”.

The FCA, however, revealed that because Tesco had agreed to settle the incident early, it had qualified for a 30 per cent Stage 1 discount.

Tesco also qualified for another 30 per cent reduction in fines by fully co-operating with the FCA, compensating impacted customers and by halting around 80 per cent of unauthorised transactions before they were processed.

“But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400.”

Every little helps. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/10/01/fca_fines_tesco_bank_164m_for_2016_security_breach/

Exclusive: Cisco, Duo Execs Share Plans for the Future

Cisco’s Gee Rittenhouse and Duo’s Dug Song offer ideas and goals for the merged companies as Duo folds under the Cisco umbrella.

Cisco Systems first announced its intent to acquire Duo Security, the cloud-based multifactor authentication (MFA) startup, for $2.35 billion in early August. Since then, the two companies have been finalizing the deal’s close and determining how to integrate Duo’s tech into Cisco’s portfolio.

The Duo acquisition, which closes today, is one of Cisco’s largest security deals to date and its third largest deal in the last five years. To learn more about what drove the partnership and where their teams are headed, we asked the two people leading them: Duo cofounder and CEO Dug Song, and Gee Rittenhouse, head of Cisco’s newly formed Security Business Group, the division under which Duo operates.

“We want to have a portfolio that covers all of the major threat vectors,” says Rittenhouse. “There was an emerging perimeter around identity that we were lacking.”

Duo brings more to the table than MFA tech alone, he continues, noting that Cisco was already working on policy and identity in network security. The acquisition gives Cisco an opportunity to leverage Duo’s technology and extend its network security posture into cloud-based or on-premise applications, coupling it with the policy and identity in its networking business.

Right now, there are several ways Duo could play a role within Cisco’s portfolio and it’s still ironing out the details, Rittenhouse explains. He says Duo will continue to focus on its business and execute within Cisco, and he hopes Cisco will help broaden Duo’s reach through scale and access to a larger market.

The post-acquisition weeks have been “business as usual” at Duo, says Song, and he’s looking forward to the company having a greater influence as part of Cisco. “The reality is, we are looking at a larger impact we hope to have,” he says. Duo already supports a number of Cisco products, Song notes, but he hopes the company will have a greater impact as part of its larger portfolio.

Duo plans to use its additional scale to reach a growing number of people working on mobile and multi-cloud environments. “We’re taking a user-centric approach as more and more attackers are going after users,” he says.

Cisco expects this latest acquisition will help it enter new areas of security, specifically on the application side, and the company plans to continue integrating security throughout its product portfolio.

“If you take a look at multifactor authentication … this opens up an entirely new market for Cisco, and one that we’re very excited to jump into,” he adds, emphasizing an industry-wide need to establish trust around users and devices. In the app security space, Rittenhouse views Duo as a “huge component” of being able to protect applications in a simple way.

(From left to right: Dug Song, Duo cofounder and CEO, Gee Rittenhouse, SVP and GM of Cisco Security, and Jon Oberheide, Duo cofounder and CTO)

Simplicity, he says, is a critical part of security but difficult to achieve.

“I think identity has always been important; one of the issues that was hard in terms of implementation was the complexity,” he explains. Multifactor keys like tokens or fobs interfere with the user experience. Duo’s approach, he adds, shows how simplicity makes MFA a priority, and has shown the industry a path: if you create a strong user experience for MFA, it will rise to the importance that it deserves.

“We have to design security for people,” Song continues, and build technologies in a way that’s both protective and easy to use. “We are building consumer-grade technologies that are enterprise worthy.”

This simplicity, Rittenhouse says, is a priority going forward as Cisco works on the front end of its security portfolio. Up until this point, it has been integrating the back end with intelligence from Cisco Talos, the firm’s research division.

“There’s a huge emphasis, going forward, about putting together very simple product management – a single pane of glass,” so operations teams have a simpler end-to-end view of security alerts.

This doesn’t mean customers will be required to swap existing MFA tech for Duo’s, says Rittenhouse. With respect to MFA, Cisco is an open platform and customers can buy the product in its entirety or purchase it in parts and integrate their preferred authentication tool. It’s common for security teams to want to bring in other vendors, Rittenhouse notes. 

“Don’t expect to see Duo mandated as multi-factor authentication in Cisco’s portfolio,” he says.

While current and new customers may have their pick of authentication tools, there is an added convenience to having Duo’s tech integrated from the start. As more of the industry has to deal with the complexity of integrating new enterprise technologies, he adds, there is a value proposition when vendors pre-integrate and make it easier to use straight out of the box.

But will Duo’s technology still carry the Duo label? That’s something they’re still working on.

“We haven’t worked through that at this point,” says Rittenhouse. Duo as a company will become Cisco as a company, he continues, but they have not yet determined how to label the actual product. It’s a key question – Duo, after all, has built a strong identity in the industry. How does the company expect to maintain that identity as it’s folded under the Cisco umbrella?

Culture is an essential part of Duo, says Song. Hiring for cultural fit and cultural contribution, developing and growing that culture will continue to be important under Cisco.

“Coming into Cisco we see something similar,” he continues. Duo plans to maintain its same values around inclusion, diversity, continuing to represent multiple perspectives. As part of Cisco, Song explains, Duo will be able to build on parts of its culture through new initiatives it couldn’t do before – corporate giving, for example, or tuition for continuing education.

Its focus, of course, will continue to be “easy, effective, trustworthy security” as it continues to grow the technical partnership Duo and Cisco have had for years.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/exclusive-cisco-duo-execs-share-plans-for-the-future/d/d-id/1332931?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

AI-powered IT security seems cool – until you clock miscreants wielding it too

Comment We’re hearing more about AI or machine learning being used in security, monitoring, and intrusion-detection systems. But what happens when AI turns bad?

Two interesting themes emerged from separate recent studies: the growth of artificial intelligence, coupled with concerns about its potential impact on security.

A survey of 5,000 IT professionals released late last month revealed three major threats techies believe they will face over the next five years: malicious AI attacks in the form of social engineering, computer-manipulated media content, and data poisoning. Just four in 10 pros quizzed believed their organizations understood how to accurately assess the security of artificially intelligent systems.

That was according to the Information Systems Audit and Control Association’s (ISACA) second annual Digital Transformation Barometer, which named AI and machine learning among the top three technologies likely to be deployed in the next year.

They were also listed in the top five technologies likely to face resistance.

Interestingly, ISACA highlighted the different perceptions of AI risk between the digitally informed and business leaders who are technically illiterate.

“For AI, having digitally literate leaders correlates to lower perceived risks, which can be key when making the case for deploying technologies,” ISACA noted. “33 per cent of companies whose leaders do not possess technological expertise perceive AI to be high-risk, while just 25 per cent of companies with digitally literate leaders perceive AI to be high-risk. Organisations led by digitally literate leaders were almost twice as likely to deploy AI than other organizations (33 per cent compared to 18 per cent).”

When it came to emerging technologies, a decision on whether or not to deploy was found to be largely affected by familiarity. Using AI as an example, 76 per cent of enterprises testing it said that it was worth the risk, with just nine per cent saying it was not. In enterprises that were not testing AI, the confidence in it being worth the risk dropped by a third, while the proportion of respondents who said it is not worth the risk more than doubled.

Rise of the Machines

Are the ISACA members right to be concerned about AI security risks, or does simply understanding a tech make you fear it less?

A paper published earlier this year, titled The New Frontiers of Cybersecurity, backed by the National Natural Science Foundation of China, sided with the former statement.

It asserted that machine-learning is capable of transforming security by mining information and learning from various types of data – such as spam emails, messages and videos – and then evolving an autonomous detection or defense system. Continuous self-training will continue to promote the performance of AI-powered systems, including their stability, accuracy, efficiency, and scalability. But this also works the other way round.

“AI is pushing the boundaries of the abilities of hackers,” the paper noted. “Autonomous hacking machines powered by AI can craft sensitive information and find vulnerabilities in computer systems, thus making it much more difficult to fight hackers. Worse yet, AI is able to learn sensitive information, such as personal preferences, from a vast amount of seemingly insensitive data.

“These facts lead us to believe that hackers weaponized by AI will create more sophisticated and increasingly stealthy automated attacks that will demand effective detection and mitigation techniques.”

Knowing AI and not fearing it has its place; understanding it as a tool in the hands of the enemy, however, is also worthwhile. Luckily, so far, miscreants prefer to run relatively simple attacks, usually involving phishing or automated exploitation of known vulnerabilities, rather than training and developing sophisticated machine-learning cyber-weapons. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/10/01/can_ai_be_trusted_on_security/

Location, location, location… technologies under the microscope

Analysis It was 40 years ago that the first experimental Block-I GPS satellite was launched to help test the viability of a global positioning system.

In December this year, the US Air Force is planning to launch the first GPS III satellite, to “augment the current constellation of 31 operational GPS satellites,” around the globe. It’s a great feat of engineering, and something that today we tend to take for granted.

Almost every mobile phone now has GPS technology built-in but while this may have revolutionized the mobile maps industry, has it transformed other industries? While everything from healthcare to retail, manufacturing and construction can claim that location-based services are impacting their worlds, not everything is reliant on GPS. When it comes to business, in particular the management and tracking of goods and customer engagement, GPS is not the only and not always the best technology to use.

So, what is? We’ve picked out four technologies to see how they are shaping up when it comes to delivering location-based services, whether in the outside world or in shops, factories and homes.

GPS

It’s not just about Google Maps and finding a local restaurant. GPS is probably the best macro-tracking technology around for commercial use. This is thanks, in some small part, to US President Bill Clinton, who issued a policy directive to descramble the signal and dramatically improve its accuracy for the general public.

GPS is a navigation system that relies on a network of some 30 satellites plus ground stations, and receivers. A receiver on a device calculates its position by working out its distance from the satellites using a process called trilateration.
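Trilateration, as described above, turns a set of known anchor positions and measured distances into a position fix. The following is an added example, not from the article or any GPS vendor, that carries the geometry through in the plane: subtracting the first range equation from the others removes the squared unknowns, leaving a linear system that is solved by least squares over any number of anchors, so ranging noise of the kind that produces the five-to-10-metre figures quoted later is averaged rather than trusted. The anchor layout, receiver position and noise level are constructed; a real GPS fix works in three dimensions and adds a fourth satellite to solve for the receiver’s clock error, which this planar version leaves out.

```python
"""
Added example (not from the article or any GPS vendor): planar
trilateration done as a least-squares fit over any number of anchors
with known positions. Anchors, true position and ranging noise are
constructed; the receiver clock-bias term of real GPS is omitted.
"""
import math
import random


def trilaterate(anchors, distances):
    """
    Estimate (x, y) from anchors [(xi, yi), ...] and measured distances.

    Subtracting the first range equation from each other one removes the
    x**2 + y**2 terms, leaving linear rows a*x + b*y = c, which are solved
    through the 2x2 normal equations. Needs three or more non-collinear anchors.
    """
    if len(anchors) < 3 or len(anchors) != len(distances):
        raise ValueError("need at least three anchors with matching distances")
    (x1, y1), d1 = anchors[0], distances[0]
    rows = []
    for (xi, yi), di in zip(anchors[1:], distances[1:]):
        a = 2 * (xi - x1)
        b = 2 * (yi - y1)
        c = d1 ** 2 - di ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2
        rows.append((a, b, c))
    # Normal equations (A^T A) p = A^T c, written out for two unknowns.
    s_aa = sum(a * a for a, _, _ in rows)
    s_ab = sum(a * b for a, b, _ in rows)
    s_bb = sum(b * b for _, b, _ in rows)
    s_ac = sum(a * c for a, _, c in rows)
    s_bc = sum(b * c for _, b, c in rows)
    det = s_aa * s_bb - s_ab * s_ab
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear; position is ambiguous")
    x = (s_ac * s_bb - s_ab * s_bc) / det
    y = (s_aa * s_bc - s_ab * s_ac) / det
    return x, y


def measure(anchors, true_pos, noise_m=0.0, seed=0):
    """Constructed ranging: true distances plus Gaussian error in metres."""
    rng = random.Random(seed)
    return [math.dist(true_pos, a) + rng.gauss(0.0, noise_m) for a in anchors]


def position_error(true_pos, estimate):
    """Distance in metres between the true and the estimated position."""
    return math.dist(true_pos, estimate)


# Constructed layout: four anchors on the corners of a 100 m square.
ANCHORS = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0), (100.0, 100.0)]
TRUE_POS = (30.0, 40.0)

if __name__ == "__main__":
    exact = trilaterate(ANCHORS, measure(ANCHORS, TRUE_POS))
    noisy = trilaterate(ANCHORS, measure(ANCHORS, TRUE_POS, noise_m=2.0))
    print("exact fix:", exact)
    print("noisy fix:", noisy, "error m:", round(position_error(TRUE_POS, noisy), 2))
```

With exact ranges the fit recovers the constructed position to floating-point precision; with a couple of metres of ranging noise the fix lands a few metres off, which is the behaviour behind the accuracy figures in the section. Collinear anchors make the normal-equation determinant vanish, and the function refuses rather than returning one of the two mirror-image solutions.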

To date, many of the main commercial applications have been in wide area tracking. GPS tracking of cars, for example, in fleet management, or athlete and player tracking in sports.

Today NASA is using GPS to help weather forecasters warn of flash floods, while Three Square Market, a Wisconsin-based technology company famous for microchipping willing employees, is planning to launch a chip, powered by body heat, with GPS technology and voice recognition. The aim is to use the hardware for tracking dementia patients.

GPS might be one of the most recognizable location technologies, but it has limitations. One is that it operates on a relatively large scale, making it inappropriate for more micro-level tracking in, say, a retail or an industrial setting: GPS has horizontal positional accuracy with a single receiver of between about five and 10 metres 95 per cent of the time, and 15 to 20 metres 95 per cent of the time for vertical.

Also, because of its use of wide-area communications, GPS relies upon having a good view of the sky to stay in contact with its network. It’s, therefore, of relatively little use inside buildings away from windows, underground, or underwater – the first two meaning it will struggle in manufacturing or retail scenarios. Cities with tall buildings and forests are also a problem for GPS.

Beacons

The short-range wireless technology Bluetooth is 20 years old this year and is now on its fifth standard. Bluetooth 5.0 promises to transform beacon technology, at least when compatible beacons and devices are more readily available. Bluetooth beacons pretty much live up to their name: they are transmitters that send out a unique identifier.

Receivers – typically smartphones – pass these ID codes to apps so that the software can immediately work out where you are, as each identifier is associated with a physical point on the map. Retailers can put them around stores so if you’ve got a compatible app installed, and Bluetooth on, you can be associated with specific types of products and targeted for ads, vouchers, offers, and so on.

Version 5.0 boasts double the data rate speed of its predecessor (it’s now 2Mbps) and has a maximum range of 800 metres (line of sight required), compared to the more limiting 50 metres outdoor range (10m indoors) of version 4.2. While this probably isn’t an advantage, as range is an inhibitor to accuracy and precision, it’s an indication of how the Bluetooth SIG is thinking.

It is clearly pushing the technology more towards IoT and industrial IoT-type applications, where there will be significant advantages for beacons, in reduced power consumption and data speeds. There are also some studies looking at triangulation to improve accuracy, even at range. However, until 5.0 gets a foothold, most current beacons will continue using Bluetooth 4.0. According to the latest Bluetooth Market Update, the shipment of Bluetooth beacons will reach 400 million by 2022, and with nearly four billion Bluetooth devices forecast to ship in 2018 alone, the future looks bright for beacons.

The technology to date is predominantly found in retail, although applications for bus stop information, tracking luggage and smart homes are increasing. Apple launched its iBeacon back in 2013, installing the technology in over 250 Apple stores globally. Since then, beacons have found their way into many outlets including Macy’s and Walgreens, as stores look to gain competitive advantage and personalise marketing. This is the key driver. According to a report from BIA/Kelsey, location-based ad sales are predicted to grow to $32.4bn by 2021.

Despite the fillip from Apple, challenges remain, and rollouts must be approached thoughtfully. Their effective range can be compromised – signals can be blocked by physical objects and reflections – while trying to compensate by putting “too many” beacons together can produce a cloud that will produce signal noise and reduce accuracy. Beacons must be placed carefully and calibrated for accuracy.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/10/01/location_location_location/

Facebook monetizes 2FA, Singapore monetizes hacker, and ransomware creeps monetize US Democrats

Roundup One or two things happened this week on the security front, like the elimination of the White House cyber czar, the massive leak of code from Aeroflot, and the debut of UEFI rootkits.

A few other stories may have slipped your radar this week. Such as:

The (other) Facebook privacy fsck up

When they weren’t losing tens of millions of user account log-ins this week, the folks over at the house of Zuck were taking heat for another privacy blunder, this time involving two-factor authentication.

It seems Facebook has been using the phone numbers users submit for two-factor authentication to help target ads, using numbers intended for account recovery to also help narrow down a user’s location and interests.

It should be noted that Facebook isn’t actually selling or providing any advertisers with the numbers (which is why you’re reading this in the roundup and not a banner story, or possibly a report on legal action).

Rather, when an advertiser submits ads to run on the social network, Facebook itself uses your phone number to help target the ads, selecting places you have shopped at (and given your phone number) or nearby services and companies. Still, not a great look, and a huge disincentive for customers to set up a 2FA option that should be a no-brainer.

BBFC: Brit Bureaucrats’ Files Compromised

Hat tip to Reg reader Colin McDermott for discovering and reporting this incident with the British Board of Film Classification. McDermott said the BBFC along with a few other sites had apparently been compromised to serve up spammy search result links.

The BBFC tells us it got McDermott’s report and the offending code has since been scrubbed, though the damage may have already been done.

“From what I can see Google first cached some of the content on the 8th of August,” our man tells us.

“So it has been live for quite a long time, potentially nearly two months.”

$700k bill for Penn Dems in ransomware outbreak

This year, the Democratic party has been racking up record amounts of money in its fundraising efforts.

That is good news for the Pennsylvania branch of the party, which finds itself faced with a $700,000 bill from Microsoft to restore its systems in the wake of a massive ransomware attack.

According to TribLive the attack occurred in March 2017, with an infection encrypting the party’s PCs and data with the demand of around $30k worth of Bitcoin.

Instead, the party opted not to pay the ransom, lost their data, and called in Redmond to come clean up the mess, to the tune of nearly three-quarters of a million.

Let’s not make this a lesson on whether or not you should pay ransomware operators (that doesn’t always work either). Rather, it should be a lesson to make regular backups and be ready to restore data when something like this happens.

I was born a coal miner’s DDoSer

Did you know that there’s a big coal controversy in Germany? Well, you do now, as the battle has been taken to cyberspace.

Energy company RWE says its site was taken offline earlier this week in a distributed denial of service attack from an unknown source intent on crippling access to its site for an extended period of time.

As Heise notes, the attack is likely the work of people allied with environmental activists who are opposed to the company’s controversial mining activities in the Hambach Forest.

For now, it appears the attack was limited to the DDoS, and no other intrusions or data theft was reported.

Qualys surfaces EoP bug in Linux

Researchers with Qualys this week disclosed a potentially nasty elevation of privilege vulnerability in Linux.

The security company says the flaw, designated CVE-2018-14634, would potentially allow an attacker to gain root privileges.

“We discovered an integer overflow in the Linux kernel’s create_elf_tables() function,” Qualys explains. “On a 64-bit system, a local attacker can exploit this vulnerability via a SUID-root binary and obtain full root privileges.”

Fortunately, Ovum said that most Linux builds have already patched the bug, making real-world exploitation pretty unlikely. Still, users and admins will want to keep an eye out for any updates and apply them when need be.

Hacking pays (the government)

File this under: could have been worse. Tencent researcher Zheng Dutao has been hit with a fine by the government of Singapore for hacking the Wi-Fi network at his hotel.

Apparently, Dutao had been staying at the Fragrance Hotel in Singapore for this year’s Hack-in-the-Box conference when he decided to break into the hotel’s network gateway (via a default password) and take a look around, eventually finding and re-posting the login credentials for the hotel’s telnet and MySQL database.

After authorities found out, they arrested Dutao and, last week, handed down a bill for S$5,000 (about US$3,600). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/29/security_roundup_290918/

Big Facebook data breach: 50 million accounts affected

Facebook has suffered a data breach affecting almost 50 million accounts. Another 40 million have been reset as a “precautionary step”.

What’s happened?

In a post on the site earlier today, Facebook’s VP of Product Management, Guy Rosen, said that the breach was discovered on Tuesday 25 September 2018.

Attackers exploited a vulnerability in Facebook’s “View As” feature to steal access tokens, which are the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app.

Rosen says the vulnerability is now fixed.

“We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.”

Those affected will now have to log back into Facebook, and any apps that use Facebook Login.

Facebook has also turned off the “View As” feature while it investigates. This function allows you to see what a particular friend, or people you aren’t friends with, can see on your profile, such as old profile photos or posts.

It’s still early days but Facebook says it looks like the hole was opened when developers made a change to the video uploading feature way back in July 2017. The attackers then stole an access token for one account, and then used that account to pivot to others and steal more tokens.

Facebook says it doesn’t yet know if any accounts were misused or information was accessed.

But access tokens are what Facebook uses to authenticate you, so if you were affected you should assume that the attackers had access to all of your data – anything you can see, read, download or change when you log in to Facebook.

Serious bugs in Facebook are nothing new – we report on them all the time – but we normally hear about them through the company’s bug bounty program.

Facebook doesn’t know who was behind this attack, or why they did it, but whoever did it passed up on some very lucrative bounties.

What to do?

If you’ve been forcibly logged out by Facebook then your account is one of those affected. The forced logout will automatically have invalidated any existing access tokens for your account.

Rosen says there’s no need for anyone to change their passwords.

(Access tokens are generated randomly after Facebook has gone through the process of validating your password when you log in. There’s no way to work backwards from an access token to recover your password.)
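To make the two points above concrete (a session token carries nothing derived from the password, and a bulk reset revokes sessions without touching the password), here is a small token store written as an added illustration for this roundup. It is not Facebook’s code and does not describe Facebook’s internals; the class name, the PBKDF2 parameters and the in-memory dictionaries are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """Illustrative session-token store (constructed example, not Facebook's).

    Tokens are random, so a leaked token cannot be reversed into a password,
    and a per-user reset invalidates every previously issued token while the
    password itself stays valid, which is why no password change is needed.
    """

    def __init__(self):
        # user_id -> (salt, pbkdf2 digest); the password verifier lives here
        # and is never mixed into a token.
        self._creds = {}
        # sha256(token) -> (user_id, issued_at); only a hash is stored so a
        # database dump does not hand out usable tokens.
        self._sessions = {}
        # user_id -> timestamp of the last "reset all tokens" action.
        self._reset_after = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)
        self._creds[user_id] = (salt, digest)

    def login(self, user_id: str, password: str, now: float):
        """Verify the password; on success issue a fresh random token."""
        cred = self._creds.get(user_id)
        if cred is None:
            return None
        salt, digest = cred
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        return self.issue(user_id, now)

    def issue(self, user_id: str, now: float) -> str:
        # 32 random bytes: the token is independent of the password entirely.
        token = secrets.token_urlsafe(32)
        self._sessions[self._fingerprint(token)] = (user_id, now)
        return token

    def resolve(self, token: str, now: float):
        """Return the user_id for a live token, or None if unknown or revoked."""
        entry = self._sessions.get(self._fingerprint(token))
        if entry is None:
            return None
        user_id, issued_at = entry
        if issued_at < self._reset_after.get(user_id, 0.0):
            return None  # issued before the user's last reset
        return user_id

    def reset_user(self, user_id: str, now: float) -> int:
        """Invalidate every token issued to user_id before `now`.

        This is the "reset the access tokens" step; it returns how many
        sessions were revoked and leaves the password verifier untouched.
        """
        self._reset_after[user_id] = now
        revoked = [fp for fp, (uid, issued) in self._sessions.items()
                   if uid == user_id and issued < now]
        for fp in revoked:
            del self._sessions[fp]
        return len(revoked)


if __name__ == "__main__":
    store = TokenStore()
    store.register("alice", "correct horse battery staple")
    t1 = store.login("alice", "correct horse battery staple", now=1.0)
    t2 = store.login("alice", "correct horse battery staple", now=2.0)
    print("sessions revoked:", store.reset_user("alice", now=3.0))
    print("old token still valid?", store.resolve(t1, now=4.0) is not None)
    t3 = store.login("alice", "correct horse battery staple", now=5.0)
    print("login with unchanged password works?", store.resolve(t3, now=6.0) == "alice")
```

The `reset_user` call is the server-side equivalent of being “forcibly logged out”: every outstanding token for the account stops resolving, and the next login with the same password simply issues a new one.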

Whether you’re affected or not, as a precautionary measure you can choose to log out of all your Facebook sessions as described below.

The process can be quite cumbersome so please read through the instructions fully.

LOGGING OUT OF ALL FACEBOOK SESSIONS


LOGGING OUT FULLY VIA YOUR BROWSER

  • From your Facebook home page, click the “menu down-arrow” (▼) in the top right hand corner.
  • Click on the second-last option Settings to access the Settings page.
  • Click on Security and Login near the top left of the page.
  • Look at the list of devices in the Where You’re Logged In section. (You may need to click ▼ See More to open up the whole list.)

If you have numerous sessions listed you will find a Log Out Of All Sessions option at the bottom of the list. This brings up a popup with a Log Out button. If not, you can log out of individual sessions by clicking on the three-dots icon on the right and choosing Log Out for each one. If you think that any of the sessions shown in your logged-in list weren’t connections from a device of your own, follow Facebook’s instructions by clicking on Secure Your Account or Not you?

Note that even after using Log Out Of All Sessions, your current session rather confusingly still shows as Active Now.

  • To log out completely, click on the “menu down-arrow” (▼) again.
  • Select the Log Out option that’s at the very bottom of the list.

After this final step you should be dumped back to the main Facebook login page.


LOGGING OUT FULLY VIA THE APP ON YOUR PHONE

  • In the Facebook app, tap the “three-lines” icon in the bottom right corner.
  • Scroll down to Settings and Privacy and tap to open its submenu.
  • Tap Settings to open the Settings page.
  • In the Security section, tap on Security and login.
  • Look at the list of devices in the Where You’re Logged In section.

From here, follow the relevant part of the “via your browser” procedure described above to log out of all sessions, except for the current one that will still show as Active Now.

  • To log out completely, tap on the “three-lines” icon again.
  • Select the Log Out option that’s at the very bottom of the list.

A popup will ask, “Are you sure you want to log out?” – if you choose Log Out, the app should dump you back at the main Facebook login screen.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/p_Hp7Q0tDmk/

FBI IC3 Warns of RDP Vulnerability

Government agencies remind users that RDP can be used for malicious purposes by criminal actors.

Remote Desktop Protocol (RDP) can be a huge boon to IT departments that need remote administration capabilities for branch offices, remote locations, and workers in the field. But the same qualities that make RDP so valuable for support make it just as useful for malicious activities.

The FBI Internet Crime Complaint Center (IC3), in collaboration with DHS, is reminding professionals to be careful with their use of RDP and similar protocols to ensure that legitimate users and applications are the only ones sharing desktops in the enterprise. Failure to take proper precautions can open the door to a host of malware, including ransomware from CrySIS to SamSam.

The bulletin from IC3 warns that RDP exploits can be difficult to spot because they require no user input. Constantly monitoring traffic broken out by protocol, limiting the use of RDP, keeping systems current on updates, and moving to multi-factor authentication wherever possible are some of the key ways to defend against such attacks, it said.
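Two of the bulletin’s recommendations, traffic broken out by protocol and RDP limited to known sources, can be checked from ordinary connection logs. The script below is an added example for this item, not an IC3 or FBI tool; the log format, the allowlisted subnet and the sample lines are all constructed for illustration (addresses are from the documentation ranges).

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log, one accepted inbound connection per line:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2018-09-28T10:00:01Z 10.20.0.5 10.20.1.10 3389 tcp
2018-09-28T10:00:04Z 203.0.113.7 10.20.1.10 3389 tcp
2018-09-28T10:00:09Z 10.20.0.5 10.20.1.11 443 tcp
2018-09-28T10:00:12Z 198.51.100.23 10.20.1.12 3389 tcp
2018-09-28T10:00:15Z 203.0.113.7 10.20.1.10 3389 tcp
2018-09-28T10:00:20Z 10.20.0.9 10.20.1.10 22 tcp
"""

# Hypothetical policy: only the VPN / jump-host subnet may open RDP sessions.
RDP_ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Port-to-service labels used for the per-protocol breakdown.
PORT_NAMES = {3389: "rdp", 22: "ssh", 443: "https", 23: "telnet"}


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        events.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
        })
    return events


def protocol_breakdown(events):
    """Connection counts per service: the 'traffic broken out by protocol' view."""
    return Counter(
        PORT_NAMES.get(e["dport"], f"{e['proto']}/{e['dport']}") for e in events
    )


def unauthorized_rdp(events, allowed=RDP_ALLOWED_SOURCES):
    """RDP connections (3389/tcp) whose source lies outside the allowlist."""
    return [
        e for e in events
        if e["dport"] == 3389 and e["proto"] == "tcp"
        and not any(e["src"] in net for net in allowed)
    ]


def summarize(events):
    """Report the breakdown plus offending RDP sources with their counts."""
    flagged = unauthorized_rdp(events)
    return {
        "breakdown": dict(protocol_breakdown(events)),
        "unauthorized_rdp": Counter(str(e["src"]) for e in flagged),
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    print("per-protocol:", report["breakdown"])
    for src, n in report["unauthorized_rdp"].most_common():
        print(f"RDP from non-allowlisted source {src}: {n} connection(s)")
```

Fed real firewall or NetFlow exports, the same two functions give the baseline (how much RDP is normal, and from where) that makes an unexpected source stand out; pairing that with MFA on the RDP gateway covers the rest of the bulletin’s advice.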

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/fbi-ic3-warns-of-rdp-vulnerability/d/d-id/1332929?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Torii’ Breaks New Ground For IoT Malware

Stealth, persistence mechanism and ability to infect a wide swath of devices make malware dangerous and very different from the usual Mirai knockoffs, Avast says.

A dangerous and potentially destructive new IoT malware sample has recently surfaced that for the first time this year is not just another cheap Mirai knockoff.

Researchers from security vendor Avast recently analyzed the malware and have named it Torii because the telnet attacks through which it is being propagated have been coming from Tor exit nodes.

Besides bearing little resemblance to Mirai in code, Torii is also stealthier and more persistent on compromised devices. It is designed to infect what Avast says is one of the largest sets of devices and architectures for an IoT malware strain. Devices on which Torii works include those based on x86, x64, PowerPC, MIPS, ARM, and several other architectures.

Interestingly, so far at least Torii is not being used to assemble DDoS botnets like Mirai was, or to drop cryptomining tools like some more recent variants have been doing. Instead it appears optimized for stealing data from IoT devices. And, like a slew of other recent malware, Torii has a modular design, meaning it is capable of relatively easily fetching and executing other commands.

Martin Hron, a security researcher at Avast, says that, if anything, Torii is more like the destructive VPNFilter malware that infected some 500,000 network attached storage devices and home-office routers this May. VPNFilter attacked network products from at least 12 major vendors and was capable of attacking not just routers and network attached storage devices but the systems behind them as well.

Torii is different from other IoT malware on several other fronts. For one thing, “it uses six or more ways to achieve persistence ensuring it doesn’t get kicked out of the device easily on a reboot or by another piece of malware,” Hron notes.

Torii’s modular, multistage architecture is different too. “It drops a payload to connect with [command-and-control (CnC)] and then lays in wait to receive commands or files from the CnC,” the security researcher says. The command-and-control server with which the observed samples of Torii have been communicating is located in Arizona.

Torii’s support for a large number of common architectures gives it the ability to infect anything with open telnet, which includes millions of IoT devices. Worryingly, it is likely the malware authors have other attack vectors as well, but telnet is the only vector that has been used so far, Hron notes.

While Torii hasn’t been used for DDoS attacks yet, it has been sending a lot of information back to its command-and-control server about the devices it has infected. The data being exfiltrated includes hostname, process ID, and other machine-specific information that would let the malware operator fingerprint and catalog devices more easily. Hron says Avast researchers aren’t really sure why Torii is collecting all the data.

Significantly, Avast researchers discovered a hitherto unused binary on the server that is distributing the malware, which could let the attackers execute any command on an infected device. The app is written in Go, which means it can be easily recompiled to run on virtually any machine.

Hron says Avast is unsure what the malware authors plan to do with the functionality. But based on its versatility and presence on the malware distribution server, he thinks it could be a backdoor or a service that would let the attacker orchestrate multiple devices at once.

The log data that Avast was able to analyze showed that slightly less than 600 unique client devices had downloaded Torii. But it is likely that the number is just a snapshot of new machines that were recruited into the botnet for the period for which Avast has the log files, the security vendor said.


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/-torii-breaks-new-ground-for-iot-malware/d/d-id/1332930?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

4 Traits of a Cyber-Resilient Culture

Companies with a solid track record of cybersecurity share these practices and characteristics.

Attend enough security conferences and you’re bound to hear solemn advice about the importance of building a strong security culture across an enterprise. But what exactly does that mean? And how can it be accomplished? The leaders at (ISC)2 recently endeavored to define what it means to build a resilient cybersecurity culture. They put together a survey of tech leaders at 250 companies with a solid cybersecurity track record to get an idea of the common traits, practices, and thought processes among security-focused organizations.

For longtime security pros, none of the findings were particularly surprising. But it did confirm what a lot of professionals have recommended to their peers for a long time with regard to developing security staff, educating users, and engaging with the business. The following are four key traits that both the recent survey and other experts say are common among the companies with the strongest cybersecurity cultures.

Employ a CISO
One of the strongest commonalities among companies with a solid cybersecurity culture is that they have a definitive and highly placed executive in charge of security. The study found that 86% of companies performing well in security employ a chief information security officer (CISO). 

Now, this might seem like a gimme, but the truth is that almost half of average companies today still don’t have a C-level security executive in place. According to a study done earlier this year by PricewaterhouseCoopers, just 52% of global organizations have a CISO. This is particularly troubling because the CISO is the person who typically develops better support from the CEO and board.

“The CISO must help the board understand where the company stands in providing cybersecurity for the company networks,” Keith Alexander, CEO of IronNet Cybersecurity and former head of the US Cyber Command and the National Security Agency, told PwC. “The information provided should include any cyberattacks that have occurred, as well as shortfalls in training, equipment, and tools in the cyber domain.”

Quality Relationship with the Business
The relationship between resilient cybersecurity culture, presence of a CISO, and support from top management is so tight that it’s hard to say which of these factors begets the other. The (ISC)2 study showed that 97% of cyber-resilient organizations have top management that understands the importance of strong cybersecurity, and 96% indicate their policies align with their board of directors’ cybersecurity strategy.

To gain and maintain that kind of buy-in, security organizations must work hard to establish a quality relationship not only with those stakeholders in the upper echelon but also across the business. 

Experts recommend frequent meetings and check-ins with business counterparts to ensure that the security team is setting its course according to business priorities.

“Monthly meetings with key stakeholders to ensure cybersecurity and risk decisions align with your firm’s business needs; this isn’t likely to happen if operations and governance are handled by cybersecurity and IT staff,” says Bart McDonough, CEO at cybersecurity consultancy Agio, who explains that regular meetings ensure that business-unit managers participate in planning. “These monthly meetings should review, certify and update your firm’s data map, any new business processes or ‘shadow-IT’ activities that could create new exposures, ensure that cyber-event activity logs and incident-response plans are updated as appropriate, decide where to make strategic investments in cybersecurity, and develop ways to integrate cybersecurity procedures into work processes with minimal disruption.”

Formalized Risk Management Policies
According to the (ISC)2, one of the top reasons cited for confidence in cybersecurity preparedness is a strong risk management policy. Organizations need to have repeatable, rationalized processes, and those are based on policy that is set by the close relationship just mentioned.

Security experts recommend that risk policies should be largely driven by data and identity context.

“IT security departments should refine and enhance their risk-based strategies to ensure they fully understand the impact of where data resides, the criticality of that data, and how we’re managing risk to an acceptable level regardless of where it’s stored or processed,” says Robert LaMagna-Reiter, senior director of information security for First National Technology Solutions. “Data-centric enhancements to the risk management process should be further enhanced by incorporating identity-driven enforcement.”

Long Tenures within the Security Team
One of the biggest indicators of a strong security culture is how well the organization can not only recruit but also hang on to security talent. The recent study showed that 79% of security-centric firms keep their security staff on the roster for three or more years, and 37% of them report an average tenure of longer than five years. 

“Organizations that want to recruit — and more importantly retain — the best security talent need to provide a growth path and continued learning opportunities to keep their security staff engaged,” says Drew Nielsen, CISO of Druva, a cloud data protection firm. “The other option organizations have is to grow talent from within. If organizations have IT talent that is champing at the bit to make a career move, training them in security is an excellent way to start to fill this gap. Growth can come in many forms, such as through a security career path or training and skills development, but the most important part here is accessibility and options for employees to achieve that personal and professional growth.”

The survey numbers echo this recommendation. About 70% of the best-performing security firms train and promote staff from within, 57% offer training and certification opportunities to employees, and 55% cross-train IT workers in cybersecurity skills.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/careers-and-people/4-traits-of-a-cyber-resilient-culture/d/d-id/1332928?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple