STE WILLIAMS

M-M-M-MONSTER KILL: Cisco’s bug-wranglers swat 29 in single week

Cisco has taken delivery of a bulk order for 29 Common Vulnerabilities and Exposures (CVEs) IDs.

If you’re running the end-of-life RV110 Wireless-N VPN firewall or RV215W Wireless-N VPN router, bad news: some of their security vulnerabilities won’t be patched and there’s no workaround – so it is probably time to replace them.

Those are listed in one of two new critical-rated CVEs, the other of which Cisco fixed without your help.

Users don’t need to take any action about the now-patched authentication bug in Cisco’s Umbrella API (CVE-2018-0435), but that’s not the case for various RV-Series routers.

The management interfaces of the RV110W, RV130W and RV215W kit have a buffer overrun (CVE-2018-0423) that leaves them vulnerable to remote attackers.

As the advisory stated: “The vulnerability is due to improper boundary restrictions on user-supplied input in the Guest user feature of the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device, triggering a buffer overflow condition.”

The Guest feature is disabled in the devices’ default configuration.

Cisco has patched the RV130W Wireless-N Multifunction VPN router’s firmware.

If you’re running either the RV110W Wireless-N VPN firewall or RV215W Wireless-N VPN router, disable the Guest feature: Cisco had already placed both units on its end-of-life list, so no fixed firmware is coming for them.

As for the other 27 patches, 13 are rated as “High” priority and the rest are “Medium”.

As well as the buffer overrun, the aforementioned routers’ admin interface also has:

Cisco’s vulnerability announcements also list high-rated bugs in various Webex products, Cisco’s SD-WAN Solution, and management products; and there are 14 bugs rated “Medium”.

Four older announcements relating to Apache Struts, FragmentSmack, SegmentSmack and an Orchestrator snafu were updated with expanded product lists. Enjoy. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/07/cisco_bug_swat_september_2018/

‘World’s favorite airline’ favorite among hackers: British Airways site, app hacked for two weeks

British Airways on Thursday said it is investigating the theft of customer data from its website and mobile app servers.

The biz, which billed itself as the world’s favorite airline, said its systems had been compromised for more than two weeks.

“From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on our website and app were compromised,” the airline said in a statement on its website.

According to BA, the stolen data did not include travel or passport information. It does appear to have included the personal and financial details of those booking travel via the BA website and mobile app during the affected period. As many as 380,000 payment cards were exposed to the intruders.

In a separate statement, Alex Cruz, British Airways’ chairman and CEO said “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”


The air carrier says it will contact affected customers and advise them to inform their financial service providers about the incident. It plans to handle any financial claims on an individual basis.

BA insists its ransacked systems have been patched up, and its website is now working normally.

At the time this article was filed, Google Chrome continued to report that the airline’s Customer Data Theft notification webpage is not fully secure and that visitors should not enter sensitive information such as passwords or credit card numbers. The main BA landing page, however, qualified for a security lock icon.

Chrome’s web developer tools indicate that, among other issues, the alert page mixes secure and insecure content; the problematic element is a form whose submission target is a plain-http endpoint, so anything a visitor typed into it would leave the browser unencrypted.
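The check Chrome is performing here can be reproduced offline. The following Python is an added example, not BA’s page or Chrome’s code: it parses an HTML document, resolves every element that loads from or submits to a URL (honouring a `<base href>` and treating a form without an `action` as posting back to the page itself), and reports any target that resolves to plain http when the page was served over https. The sample page, hostnames under `.example.test` and the `find_mixed_content`/`insecure_forms` names are constructed for illustration.

```python
"""Find mixed content in an HTML page served over https: elements that fetch from,
or submit to, plain-http URLs. Added example, not BA's page or Chrome's code; the
sample page below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL attribute matters, and how serious a plain-http target is.
# "active": the fetched or submitted data can be tampered with or read by anyone on
# the network path (scripts run, frames render, form fields travel in clear text).
# "passive": the resource can be swapped but cannot run code or read the page.
ACTIVE = {"script": "src", "iframe": "src", "form": "action", "link": "href", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url  # <base href> can change how relative URLs resolve
        self.findings = []        # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.page_url, attrs["href"])
            return
        if tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets are loaded content; icons/prefetch are ignored here
        target = attrs.get(attr)
        if target is None:
            if tag != "form":
                return
            target = ""  # a form with no action posts back to the document itself
        resolved = urljoin(self.base_url, target.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))


def find_mixed_content(html, page_url):
    """Return [(kind, tag, url)] for every plain-http target on an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # a page served over http cannot have *mixed* content
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def insecure_forms(html, page_url):
    """Just the forms: the case Chrome flagged on the notification page."""
    return [url for kind, tag, url in find_mixed_content(html, page_url) if tag == "form"]


# Constructed sample page, imagined as served at https://www.example.test/notice
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="//static.example.test/site.css">
<script src="http://static.example.test/app.js"></script>
</head><body>
<img src="http://static.example.test/logo.png">
<form action="http://www.example.test/subscribe" method="post">
  <input name="email"><input type="submit" value="Keep me informed">
</form>
<form method="post"><input name="q"></form>
<a href="http://www.example.test/help">help</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE, "https://www.example.test/notice"):
        print(f"{kind:8} <{tag}> -> {url}")
```

Note what is deliberately not flagged: the protocol-relative stylesheet inherits the page’s https scheme, the action-less form posts to the https page itself, and the plain-http hyperlink is navigation rather than content, which is why browsers do not count it as mixed content either.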

Spokespeople for British Airways declined to comment beyond their official statements. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/06/british_airways_hacked/

FBI fingers the Norks it wants to pinch for Sony hack, WannaCry attacks

The US government has formally accused the North Korean government of being behind the Sony Pictures hack, the WannaCry ransomware that crippled the UK’s National Health Service and other organizations, and a series of online bank heists including $81m stolen from Bangladesh’s national bank.

The state-sponsored attacks were allegedly carried out by a group of North Korean hackers who worked for a front company called Chosun Expo Joint Venture, the FBI and Department of Justice (DoJ) said at a press conference on Thursday.

They named one of the group – called the Lazarus Group by security companies fighting to combat its actions – and put his name, Park Jin Hyok, and face on an FBI Wanted poster, adding that he is now considered a fugitive from justice.

The US will impose additional sanctions against North Korea as a result of the findings of the investigation, a DoJ spokesperson noted.

North Korea has long been suspected – and accused – of having carried out the Sony hack and being behind the WannaCry ransomware but today those accusations were made formal.

A lengthy 179-page affidavit [PDF] from the special agent in charge of the investigation gives an extensive rundown of how the attacks were tracked back to Park, his hacking group, and eventually the North Korean government.

It details how the group used multiple Gmail accounts and went to some lengths to cover their tracks but left a series of electronic breadcrumbs that ultimately led to the hackers and an email account that North Korean government officials were also seen to be using, making the connection to the government.

Global

Officials stressed the global reach of the hacking group’s actions, highlighting that over 100 search warrants were issued along with 85 requests to foreign countries for more information.

“The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” said John Demers, Assistant Attorney General for National Security.

The group targeted entertainment groups and banks and then used the same code to create the WannaCry ransomware that caused global havoc, including crippling the National Health Service in the UK.

The entertainment groups were targeted because of movies that depict the North Korean government unflatteringly. Sony was responsible for The Interview, a comedy built around a fictionalized assassination of North Korea’s leader. Its systems were infiltrated through a spear-phishing attack and then personal emails from senior executives were leaked online, causing immense embarrassment. Copies of upcoming movies, including The Interview, were also placed online.

The investigators revealed that cinema chain AMC was also targeted because it was due to show the film, as well as an unnamed British production company that was also working on a film depicting North Korea.

Numerous efforts to break into banks began in 2015, it was revealed, with the most successful being the removal of $81m from Bangladesh Bank in February 2016. But other attempts were made across the world with “attempted losses well over $1 billion,” the complaint notes.

And the rest

And then countless other attempts were made against Western targets, including hospitals, universities, utility companies, defense contractors, Bitcoin currencies and others.

Investigators noted that the same devices, IP addresses and encryption keys were used repeatedly in these attacks and domain names hard-coded into the malware were under the control of the hackers – fancug.com was just one example.


They also discovered that, prior to the attacks, the hacking team followed and tracked specific individuals at target companies through their social media accounts – effectively engaging in online surveillance – and pulled domain name and business records in an effort to find holes in their systems and figure out the most effective way to spear-phish employees.

In one attack, an email sent to a victim from Facebook alerting them to the fact that their account had been accessed from a different IP address was grabbed by the hackers and then resent with the hyperlink within the email changed from Facebook’s website to a domain that they controlled. The victim clicked on what looked like a legitimate link in a legitimate Facebook email and ended up on a webpage that investigators assume installed malware on their computer. Similar efforts were made with Google Drive and any other services that the victims used.
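The repointed-notification trick described above is detectable mechanically, because the message body still claims to come from one organisation while its links land somewhere else. The Python below is an added example, not anything from the affidavit or from the hackers’ or Facebook’s systems: it collects every `<a>` in an HTML e-mail body and flags links whose destination is outside the domains the claimed sender is allowed to use, or whose visible text names one host while the `href` points at another. The sample message and the attacker domain under `.example` are constructed; the `registrable()` helper is a deliberate simplification (last two labels) that a real deployment would replace with a Public Suffix List lookup.

```python
"""Audit the hyperlinks in an HTML e-mail body.

Two checks, both aimed at a genuine notification that has been re-sent with its
links repointed:
  1. every http(s) link must land on a domain the claimed sender may use;
  2. if the visible link text itself names a host, it must agree with the href.
Added example; the sample message and hostnames are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


def registrable(host):
    """Crude organisational domain: the last two labels of the host name.
    Good enough for .com-style names; a real deployment should use the
    Public Suffix List so that e.g. co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element, in document order."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A host name appearing in link text, with or without a scheme in front of it.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def audit_links(html, allowed_domains):
    """Return [(href, text, reason)] for every link that fails a check."""
    allowed = {registrable(d) for d in allowed_domains}
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: and friends are out of scope here
        host = parts.hostname or ""
        reasons = []
        if registrable(host) not in allowed:
            reasons.append(f"destination {host} is outside {sorted(allowed)}")
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but href goes to {host}")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed sample: a "new login" notice whose links have been repointed.
SAMPLE_EMAIL = """
<p>We noticed a login to your account from a new IP address.</p>
<p>If this was not you, please
<a href="http://facebook.com.account-check.example/login">review your recent activity</a>.</p>
<p>You can also visit <a href="https://www.facebook.com/settings">www.facebook.com/settings</a>.</p>
<p><a href="https://facebook.com.account-check.example/x">https://www.facebook.com/security</a></p>
<p>Questions? <a href="mailto:security@facebook.com">Contact us</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_EMAIL, ["facebook.com"]):
        print(f"SUSPECT {href!r} ({text!r}): {reason}")
```

The first check catches the look-alike host (`facebook.com.` is just a prefix of a domain the attacker controls); the second catches the older trick of showing a trustworthy URL as the link text. Neither needs the original message for comparison, which matters because the victim usually does not have it.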

The affidavit goes into extensive detail over how the attacks were tracked back through server logs and other electronic evidence.

The named individual – Park Jin Hyok – often visited China to carry out legitimate computer work, the formal complaint notes, before returning to North Korea to continue his hacking work on behalf of his government. Investigators discovered his CV and tracked his activities.

Long memory

The US government acknowledged that it is unlikely to get its hands on Park Jin Hyok – his last known location was North Korea and the US does not have an extradition treaty with the dictatorship – but argued it was still important to name him and lodge a formal complaint.

“We have a long memory and are fully prepared for the day when he will be arrested,” said a DoJ representative, adding: “It is one thing to name a group and quite another to say we know who did it and name them. The message is: you can’t hide from us.”

In unrelated news, President Donald Trump unexpectedly praised North Korea’s leader just hours before the press conference and the imposition of further sanctions on the country.

“Kim Jong Un of North Korea proclaims ‘unwavering faith in President Trump’,” the 45th president of the United States tweeted. “Thank you to Chairman Kim. We will get it done together!” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/06/us_north_korea_hacking/

Wannabe Supreme Brett Kavanaugh red-faced after leaked emails contradict spy testimony

Analysis Despite repeated denials, some under oath, US Supreme Court nominee Brett Kavanaugh appears to have known – and may even have pushed for – the warrantless spying program that was approved by President George W Bush in the aftermath of the September 11, 2001 attacks.

That is the upshot of a series of emails that were provided to US Congress as it carried out its review of Judge Kavanaugh’s legal record during what have become highly contentious confirmation hearings for his proposed lifetime appointment to the highest court in the US.

The emails are labeled “committee confidential” meaning that they should not be shared beyond the committee. But on Thursday they were leaked to the news media and some were then later publicly posted by Senator Cory Booker (D-NJ), who argued they were of such significance that their release was warranted due to the broader public interest.

One email from Kavanaugh, who was working at the White House at the time, to John Yoo at the Justice Department in September 2001, appears to directly contradict Kavanaugh’s claims (made under oath) not to have heard about the warrantless surveillance program known as Stellar Wind until it was exposed in an article in 2005.

Yoo was to become the main architect of the surveillance program that was later deemed illegal and unconstitutional, just as he was to author an infamous memo that was used to justify torture programs approved by the Bush Administration.

Kavanaugh titled his email to Yoo “4A issue” – referring to the Fourth Amendment, which covers unreasonable search – and asked Yoo: “Any results yet on the 4A implications of random/constant surveillance of phone and e-mail conversations of non-citizens who are in the United States when the purpose of the surveillance is to prevent terrorist/criminal violence?” Carbon-copied on the email was Timothy Flanagan, the then deputy White House counsel.

Good times

That would appear to indicate a clear understanding of the fact that Yoo had been asked to draw up a series of legal justifications for programs that President Bush and Vice President Dick Cheney wanted to introduce in the aftermath of the terrorist attacks.

One of them – which Kavanaugh was referring to – was titled “Constitutional Standards on Random Electronic Surveillance for Counter-Terrorism Purposes” and considered a “hypothetical” warrantless surveillance program.

Kavanaugh’s email was sent on September 17 and on October 4, Yoo’s memo was finalized. The Stellar Wind spying program was authorized later that same day by President Bush.

But when asked about his knowledge of any spying programs back in 2006 when he had a confirmation hearing to get on the Washington DC appeals court, Kavanaugh told Senator Patrick Leahy (D-VT) several times that he had not seen or heard anything about the warrantless surveillance program before it was revealed in the press.

This week, with the “confidential” email in hand, Leahy asked Kavanaugh again about his knowledge of warrantless surveillance programs and whether he stood by his claim not to have been involved.

Kavanaugh dodged the question by using the same technique that President Bush himself had used when asked about the program years earlier – referring to one small part of the program and then pretending that was the only aspect under consideration.

It’s worth noting that Kavanaugh has formally prepared numerous nominees for the congressional confirmation process and so is expert at the various question-dodging techniques employed at such hearings.

Leahy pushed back but was ultimately held back from going into further detail because of the confidential nature of the memo he was referring to – a memo that is now in the public domain.

Yoo-hoo!

Meanwhile, John Yoo – who is currently a law professor in California – told the New York Times in an email before the memo was published that: “Kavanaugh was not cleared to know about Stellar Wind or any other counterterrorism surveillance program that I worked on while at the Justice Department. I have never had any conversation with Kavanaugh about those programs, or even the general subject of presidential power and electronic surveillance. Ever.”

All of which comes down to the usual splitting of hairs and carefully worded denials that, to the rest of the world, look like outright lies.

It is of course entirely possible that Kavanaugh was not formally included in any subsequent discussion of the warrantless surveillance program. His email was sent one week after the September 11 attacks, at 3am, and he cc’ed the deputy White House counsel, so it is very possible that in the whirlwind of those days he was asked to follow up on something while not being formally part of the group that put the spying program together.

It is also perfectly possible that Kavanaugh’s involvement in the program came before the program was named “Stellar Wind” and that he did not form part of the team that implemented it.

That would allow everyone to claim he had no knowledge of it – if you define “knowledge” as being formally included in discussions or having one’s legal opinion sought. And to those in the Executive Branch this could easily be seen as a justifiable bending of the truth, since all kinds of issues are discussed all the time at the top level of government, but only when someone’s official opinion is sought does it have any real bearing on the issue itself.

Or, in other words, you can’t hold someone responsible for something when they were not given official input into its evolution.

Supreme decision

But while that distinction is justifiable when considering political positions, it is an entirely different situation when you are considering a lifetime position on the country’s highest court.

In fact, the most baffling thing about the whole Kavanaugh nomination is why the White House even considered putting forward someone who spent years within the White House, especially during some of its most eventful times.

It is a shameful sign of just how blinkered and partisan American politics have become that the White House chose to elevate a highly politicized figure to a Supreme Court Justice position rather than choose someone who has spent their career within the traditional legal system.

Some feel the answer is that Kavanaugh is pretty much the only eligible lawyer that has given a clear view of the extent of presidential powers, and it’s an expansive one. That would be something that President Trump would be excited about given what looks like the increasing possibility that he will be impeached.

In a telling exchange this week between Kavanaugh and Senator Kamala Harris (D-CA), he stumbled repeatedly when asked directly whether he had had a conversation with the president’s lawyers over the investigation being carried out by special investigator Robert Mueller.

Of course, the spying memo is not the only controversial one covering Kavanaugh. There are also extremely problematic emails covering hot button topics like abortion, racial profiling, the theft of Congressional documents, and so on.

And just in case you were wondering, Kavanaugh hasn’t changed his views on mass surveillance in the intervening years. As we pointed out in July, he is firmly pro-NSA and has even written a defense of its programs.

“The government’s metadata collection program is entirely consistent with the Fourth Amendment,” he wrote, adding that: “Critical national security need outweighs the impact on privacy.”

That opinion was specifically added to a denial [PDF] by the Washington DC Court of Appeals in 2015 to rehear a case in front of the full court. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/06/kavanaugh_surveillance_program/

Bug bounty alert: Musk lets pro hackers torpedo Tesla firmware risk free

Tesla will allow vetted security researchers to hunt for vulnerabilities in its vehicle firmware risk free – as long as it is done under its bug bounty program.

The luxury electric automaker said this week it will reflash the firmware on cars that have been bricked by infosec bods probing for exploitable bugs in its code, provided they have suitably enrolled in the Elon Musk-run biz’s bounty program. And any sanctioned searching can be carried out without worrying about being sued by Tesla’s legal eagles.

“If, through your good-faith security research, you (a pre-approved, good-faith security researcher) cause a software issue that requires your research-registered vehicle to be updated or ‘reflashed,’ as an act of goodwill, Tesla shall make reasonable efforts to update or ‘reflash’ Tesla software on the research-registered vehicle by over-the-air update, offering assistance at a service center to restore the vehicle’s software using our standard service tools, or other actions we deem appropriate,” Tesla’s updated security policy now reads.

“Tesla has complete discretion as to the software or other assistance that will be provided and it may be only for a limited number of times. Tesla’s support does not extend to any out-of-pocket expenses (e.g. towing) incurred by you.“

Tesla also said that research done through its bug bounty program will not be subject to any legal reprisal, either through criminal complaints (via the US Computer Fraud and Abuse Act) or copyright assertions (the US Digital Millennium Copyright Act). Warranties will also remain valid for those who enroll as security researchers.

“Tesla will not consider software changes, as a result of good-faith security research performed by a good-faith security researcher, to a security-registered vehicle to void the vehicle warranty of the security-registered vehicle, notwithstanding that any damage to the car resulting from any software modifications will not be covered by Tesla under the vehicle warranty,” the policy reads.

The announcement will put to rest fears from security bods that Tesla would wield the DMCA and the CFAA laws as weapons against anyone who hacked its products for research. Without the fear of legal reprisal, infosec types will now be free to pop open Tesla firmware to hunt for bugs and claim rewards.

Among those applauding the carmaker was Bugcrowd founder Casey Ellis, whose startup oversees payouts made through Tesla’s bug bounty program.

Ellis told The Register that while Tesla had previously had a good relationship with researchers, putting everything down into a concrete policy will help to bring more researchers into the fold.

“The problem they’re addressing with safe-harbor is the overall reservation in the hacker community to engage to help because of the anti-hacking laws which exist,” Ellis explained. “They’re also signaling the importance of bilateral safe-harbor to other companies which are running similar programs.”

This doesn’t, however, mean that just anyone can screw up their Tesla and get a free reflash from the company. To be protected by the security policy, owners will need to register both themselves and their cars as part of the bug research program. Researchers will also be subject to guidelines for responsible disclosure, including not accessing other people’s data, giving Tesla a reasonable time frame to patch the discovered flaw, and not exposing their hacked cars to any unsafe conditions.

Those who want to be enrolled in the research program will need to contact Tesla directly to be vetted. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/06/tesla_bug_bounty_policy_update/

The Best Way To Secure US Elections? Paper Ballots

Voting machines that do not provide a paper trail or cannot be independently audited should immediately be removed, concludes a new report from the National Academies of Sciences, Engineering, and Medicine.

A new report from the National Academies of Sciences, Engineering, and Medicine is recommending the use of human-readable paper ballots as the best way to protect the security and integrity of US elections, at least in the immediate future.

In fact, the committee behind the report wants election officials to consider ditching voting methods that do not provide a reliable paper-verifiable audit trail as early as the upcoming 2018 midterms and for all local, state, and federal elections by 2020.

It also does not want jurisdictions to permit the use of the Internet and Internet-connected systems to return marked ballots until “very robust guarantees” of security and verifiability are developed. Other recommendations include the need for states to mandate risk-limiting audits prior to the certification of election results and routine assessments of the integrity of voter registration systems and databases.
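A risk-limiting audit is a statistical procedure rather than a recount: paper ballots are drawn at random and examined until the sample either gives strong evidence that the reported winner really won, or fails to, in which case the audit escalates towards a full hand count. The Python below is an added illustration of one such procedure, the BRAVO ballot-polling test of Lindeman, Stark and Yates, for a two-candidate contest; the National Academies report does not prescribe this particular method, and the ballot sequences in the demonstration are constructed rather than drawn from any real contest. The function names `bravo_audit` and `expected_sample_size` are this example’s own.

```python
"""Ballot-polling risk-limiting audit for a two-candidate contest, using the BRAVO
sequential test (Lindeman, Stark and Yates). Added illustration; the report does not
prescribe this procedure, and the ballot sequences used below are constructed."""
import math


def bravo_audit(sample, reported_winner_share, risk_limit):
    """Walk a random sample of paper ballots in the order they were drawn.

    sample: iterable of 'W' (ballot shows the reported winner), 'L' (reported loser)
            or 'O' (undervote/other, which does not move the statistic).
    reported_winner_share: winner's share of the two-candidate vote per the reported
            count, e.g. 0.6 for a 60/40 result. Must exceed one half.
    risk_limit: the audit's risk limit alpha, e.g. 0.05.

    Returns ("confirmed", ballots_examined) once the evidence against the
    "true result is a tie or a loss" hypothesis reaches 1/alpha, or
    ("escalate", ballots_examined) if the sample runs out first, in which case
    the remedy is a larger sample or a full hand count.
    """
    s = reported_winner_share
    if not 0.5 < s < 1.0:
        raise ValueError("reported winner share must lie strictly between 0.5 and 1")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must lie strictly between 0 and 1")
    # Likelihood ratio of "reported share is right" against "it is really a tie":
    # a winner ballot is s/0.5 times as likely under the reported outcome,
    # a loser ballot only (1-s)/0.5 times as likely, so losers pull T back down.
    up, down = s / 0.5, (1.0 - s) / 0.5
    threshold = 1.0 / risk_limit
    t = 1.0
    examined = 0
    for ballot in sample:
        examined += 1
        if ballot == "W":
            t *= up
        elif ballot == "L":
            t *= down
        elif ballot != "O":
            raise ValueError(f"unexpected ballot interpretation {ballot!r}")
        if t >= threshold:
            return ("confirmed", examined)
    return ("escalate", examined)


def expected_sample_size(reported_winner_share, risk_limit):
    """Ballots needed, roughly, if the sample tracks the reported share exactly:
    each ballot adds on average s*ln(2s) + (1-s)*ln(2(1-s)) to ln(T), and the audit
    stops when ln(T) reaches ln(1/alpha). Closer margins need far more ballots."""
    s = reported_winner_share
    gain = s * math.log(2 * s) + (1 - s) * math.log(2 * (1 - s))
    return math.ceil(math.log(1 / risk_limit) / gain)


if __name__ == "__main__":
    for share in (0.6, 0.55, 0.51):
        print(f"{share:.2f} winner share, 5% risk limit: ~{expected_sample_size(share, 0.05)} ballots")
    print(bravo_audit("W" * 17, 0.6, 0.05))           # a clean sample confirms quickly
    print(bravo_audit("WWL" * 13 + "W", 0.6, 0.05))   # 40 ballots is not enough here
```

The point a practitioner should take from running it: the sample needed depends on the margin, not on the size of the electorate, so a comfortable 60/40 result can be confirmed with a couple of hundred ballots while a 51/49 result needs thousands. None of this works without a trustworthy paper record to draw from, which is the report’s reason for insisting on one.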

The report, funded by grants from the Carnegie Corporation, the William and Flora Hewlett Foundation, and several others, is based on an exhaustive analysis of the state of US election security in the wake of concerns over Russian interference in the 2016 general elections. It also examines the current state of technology and standards for voting across the country with a particular emphasis on the challenges — including those related to cybersecurity issues — stemming from the last elections.

Lee Bollinger, president of Columbia University and co-chair of the committee that developed the report, described the study as coming at a critical time for American democracy.

In a live-streamed event on Thursday, Bollinger said that when the committee began working on the report, it had fully expected to find that US voting systems were moving away from physical, in-person balloting toward Internet and remote voting.

“However, by the time of the committee’s first meeting in April 2017, it was clear the most significant threat to American elections was coming not simply from the need for new technologies, but rather from efforts by foreign actors seeking to undermine the credibility of election results,” he said.

The report makes note of assessments by the US intelligence community of Russian involvement in several cyberattacks and attempted attacks against US election infrastructure in the months leading to the 2016 presidential election. Among them was an incident in June 2016 when network credentials to the Arizona state voter registration system were posted on a site frequented by suspected Russian hackers, and another later that month involving a voter registration system in Illinois.

Such incidents combined with aging and insecure voting equipment, inadequate poll worker training, and vulnerable voter registration systems mandate a return to paper ballots, Bollinger said. The ballot could be marked either by hand or machine using a ballot-marking device and could be counted using an optical scanner or even hand-counted.

“Paper ballots are evidence that cannot be manipulated by faulty software or hardware,” he noted. “And they can be used to audit and verify the results of an election.”

Marian Schneider, president of election watchdog group Verified Voting, says the recommendations in the new report are exactly in line with what her organization has been calling for, as well.

While many states already use the kind of paper-based voting system that the report recommends, many others do not, she says. Some states use completely paperless voting systems, or Direct Recording Electronic (DRE) systems, in which a voter’s choice is recorded and stored directly in the computer. Some DREs support a paper-based audit trail where voters can verify the system has properly captured their intent before casting their vote. And many states use a combination of paper and paperless systems, Schneider notes.

Five states — Delaware, New Jersey, Georgia, Louisiana, and South Carolina — currently vote exclusively on machines that do not support a paper record. In a report this July, the Committee on House Administration categorized these states as being exposed to the most critical election security vulnerabilities. “It is nearly impossible to determine if paperless voting machines have been hacked and if vote tallies have been altered,” the report had noted.

Even DREs that support a voter verifiable paper audit trail are not foolproof because voters may not always verify their ballots before casting them. So it is possible that the information stored in a computer’s memory does not accurately reflect the voter’s intent, Schneider says. At the moment, the best way to mitigate such risks is to use hand- or machine-marked paper ballots.

“The most significant takeaway is that certain times in a nation’s history demand unity. This is one of them,” Schneider says.

The new report comes amid ongoing concerns over hacking and other forms of interference in US elections. A survey conducted at Black Hat by security vendor Lastline found 84% of respondents saying there will be some form of hacking during the 2018 midterm elections. About 54% believed it would happen at a national level, while 47% expected disruption at the state level, with the goal of influencing state-level races. Nearly one-third believed that any hacking that takes place would be designed for propaganda purposes and not to affect the outcome of the election.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: https://www.darkreading.com/risk/the-best-way-to-secure-us-elections-paper-ballots/d/d-id/1332757?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why a Healthy Data Diet Is the Secret to Healthy Security

In the same way that food is fuel to our bodies, data is the fuel on which our security programs run. Here are 10 action items to put on your cybersecurity menu.

Most medical professionals would agree that a healthy diet plays an important role in a healthy lifestyle. On some level, it’s not difficult to understand why this is the case. Food is the fuel on which our bodies run. Most of us feel pretty good after a meal consisting of fresh fruits and vegetables, lean protein, and whole grains. On the other hand, if most of our meals regularly consist of a few hot dogs and a slice of cake, we likely won’t feel very healthy over the long term.

I am certainly not a nutritionist, but I am definitely a firm believer in “everything in moderation.” Consequently, there is an important security lesson that nutrition can teach us. In the same way that food is fuel to our bodies, data (for example, various types of information and intelligence) is the fuel upon which our security programs run. A healthy data diet is the secret to a healthy security program.

While many security programs focus on what to do with the data they receive, far fewer spend enough time on the quality of the data they receive. As the saying goes, “garbage in, garbage out.” Your organization might have talented people, great leadership, efficient processes, and the latest technology. But if the data feeding day-to-day security operations is of poor quality, it will bring down the entire security organization. A security organization with the potential to be great will be reduced to simply being mediocre or good.

How can security organizations improve their data diets? Here are 10 action items to put on your security menu:

Item 1: Make sure intelligence is actionable.
Whether open source or paid, intelligence sources abound. But if intelligence is not actionable, it can be hard to leverage efficiently on a day-to-day basis. Further, unreliable intelligence can actually do more harm than good by drastically increasing the number of false positives a security team must address.

Item 2: Consider context.
A piece of information without context is just that — information. Intelligence requires context. Context guides us as to how to take a piece of information and apply it within our environment. Without context, the chance that we will pollute our work queue with noise is high. Context helps to ensure that we maintain a healthy intelligence diet.

Item 3: Don’t just report on vulnerabilities.
We’ve all seen vulnerability scans that return a giant list of problems. But what does all of that data actually tell us? If we don’t assess the impact of the various vulnerabilities and prioritize accordingly, we won’t learn much of anything at all.

Item 4: Tie vulnerabilities to risk.
If you have an idea of the impact of a vulnerability, you can look to tie it to the risks and threats you’re looking to mitigate. Making this connection allows an organization to understand how vulnerabilities affect risk. This, in turn, allows for a logical, calculated approach to address vulnerabilities rather than trying to do so qualitatively.

Item 5: Manage your supply chain.
Do your vendors have vulnerabilities and could they introduce risk into your organization? Join the club. But what are you doing about it? Are you working with vendors to assess their security postures, identify and prioritize gaps, create action items to address those gaps, and ensure that the issues are resolved? If not, you’re probably generating lots of data on supply-chain risk, but you’re not feeding your security program a data diet it can use to improve the situation.

Item 6: Feed the work queue with risk-driven alerts.
Alerts sent to the security team’s work queue should be based on the risks and threats the organization is looking to mitigate. That is the only way an organization can ensure the queue is filled with alerts relevant to those risks. Otherwise, your organization will consume a data diet bloated with irrelevant noise.

Item 7: Shrink the rack.
Once upon a time, organizations required numerous highly specialized data sources to provide them visibility into their threat landscape. Over time, the volume and variety of those data sources increased dramatically in tandem with network bandwidth and network topology complexity. At the same time, advances in technology have allowed for the requisite visibility to be provided by fewer data sources. This is a great way for organizations to ensure that they get maximum value with minimum noise from their data diet.

Item 8: Move up the stack.
Many organizations feed a steady stream of Layer 3 or Layer 4 data to their security teams. But what does this data, with its limited context, really tell us about modern attacks? Unfortunately, not much. Attackers have moved up the stack to Layer 7 of the OSI model. It’s time that organizations do the same.

Item 9: Focus on data value.
There is an overwhelming tendency for organizations to focus on the volume of data they collect. For example, you’ll hear organizations say things like “we collect 4 billion event logs per day.” But what does that tell us about the relevance of the data to incident response? Not a whole lot. Focusing on the value and relevance of data to security operations is a much more reliable way to ensure that we are feeding our security programs the appropriate data diet.

Item 10: Ask better questions.
In security, asking the right question is often more important than getting the right answer. Asking the right question (or questions!) allows us to tailor the queries we run, the intelligence we seek, and the data we collect. 


Black Hat Europe returns to London, Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to …

Article source: https://www.darkreading.com/risk/why-a-healthy-data-diet-is-the-secret-to-healthy-security-/a/d-id/1332718?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Report: Data Breaches Hit Share Prices, Too

A data breach has a measurable impact on stock price, according to a report looking at incidents from the past six years

When a data breach occurs it’s not just confidential information that’s attacked: According to a new report, stock prices take a hit, too.

Comparitech analyzed 28 breaches suffered by 24 companies with shares listed on the New York Stock Exchange. While they found wide variations in share performance in the weeks and months following a breach, on average companies that suffered a breach under-performed the NASDAQ by -3.7% after one year.

According to the report, the most significant impact from a breach was felt 14 days after the event. After a month, share prices tended to catch up with the NASDAQ.

Comparitech found that the affected company’s industry and the nature of the breach each had an impact on the stock price, with finance and payment companies hit hardest and breaches involving credit card and Social Security numbers having the greatest impact.

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/report-data-breaches-hit-share-prices-too/d/d-id/1332753?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Take (Industrial) Control: A Look at the 2018 ICS Threat Landscape

New research sheds light on the biggest threats to strike ICS systems in the first half of 2018, and what’s in store for the rest of this year.

Industrial control systems (ICS) are increasingly being targeted as attackers take advantage of the Internet to target machines on organizations’ industrial networks.

The Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (ICS CERT) today published the findings of research investigating the threat landscape for industrial automation systems in the first half of 2018. Researchers pulled data from ICS computers that the ICS CERT team deems part of organizations’ industrial infrastructure.

All machines in this study ran Windows and performed one or more of the following functions: data gateways, data storage servers, SCADA servers, stationary workstations of engineers and operators, and Human Machine Interface (HMI). Data also came from computers of industrial control network admins and developers who build software for industrial automation systems.

Data shows the percentage of ICS machines hit with cyberattacks is steadily rising, from 36.6% in the first half of 2017, to 37.7% in the second half of 2017, to 41.2% in the first half of 2018.

“In the first half of 2018, we’ve seen more evidence pointing to legitimate Remote Access Tools [RATs] used for penetration or involved in attacks against ICS,” says Kaspersky Lab security researcher Kirill Kruglov. Threat actors continue to use spear-phishing attacks jointly with legitimate software, like RATs, to penetrate and reinforce attacks on ICS machines.

Data shows attackers are getting more advanced, he notes. Researchers are seeing more targeted spear-phishing emails and malware used by threat actors for ICS routine automation.

The main motivation behind these attacks, at this time, is industrial and government espionage, Kruglov continues. Cryptomining and ransomware are rooted in financial gain. While he says some attacks are motivated by sabotage, few are.

Internet Is a Growing Attack Vector
Kruglov says researchers have seen a rise in Internet-sourced attacks due to malware URLs, infected websites, watering hole schemes, and the like. However, email-based attacks have greater success in breaching the perimeter of ICS machines.

The main attack vectors for machines on businesses’ industrial network infrastructure in H1 2018 were the Internet (27.3%), removable media (8.4%), and email clients (3.8%). One year ago, the Internet was the source of blocked threats on 20.6% of ICS computers.

“Contrary to the conventional wisdom about control networks being isolated, in the past years the Internet became the main source of infection for companies on organizations’ industrial networks,” researchers explained in a post on their findings.

About 42% of all machines in Kaspersky Lab’s data had regular or full-time Internet connections in H1 2018. The remainder were connected no more than once a month, and many less frequently. ICS servers and engineer/operator workstations often don’t have full-time direct online access because of restrictions imposed on industrial networks. Access may be given during maintenance.

ICS Had a Meltdown, And Other Major Incidents
Researchers outlined a few of the major attacks hitting ICS machines in 2018, which began with news of the Spectre and Meltdown vulnerabilities. Industrial equipment including SCADA servers, industrial computers, and network devices was vulnerable to both attacks. Companies reporting affected products included Cisco, Siemens, Schneider Electric, ABB, and Yokogawa.

Cryptominers have been a major ICS attack trend this year: Kaspersky Lab data shows the percentage of ICS machines attacked with cryptominers has spiked since April and hit 6% in H1 2018, up 4.2 percentage points in six months. The main problem with mining malware is the burden on industrial information systems, which could suffer from lack of stability and control.

The attacks continued: In April, Cisco IOS switches around the world were hit with cyberattacks exploiting CVE-2018-0171 in the Cisco Smart Install Client software. More than 168,000 devices were exposed, Cisco Talos reported. In May, the new VPNFilter malicious software was found infecting at least 500,000 routers and network-attached storage devices in 54 countries. The malware can steal credentials, detect SCADA equipment, and launch a botnet.

And while global ransomware numbers were down, they were up among ICS machines, where they increased from 1.2% to 1.6%. It may not seem like much, but the risk for industrial organizations “can hardly be underestimated” after the WannaCry and NotPetya campaigns, researchers report.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/take-(industrial)-control-a-look-at-the-2018-ics-threat-landscape/d/d-id/1332754?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Social Security numbers exposed on US government transparency site

The US government exposed dozens of people’s personal details, including social security numbers, due to an online mishap on a public transparency portal, it emerged this week.

FOIA.gov, a site that centrally administers freedom of information act requests, had been serving up the information for weeks, CNN reported on Monday.

People use the site, operated by the Environmental Protection Agency, as a single go-to source for requesting information from the government. They can submit requests concerning everything from data about criminal cases through to government expenses through the portal. The site then routes information requests through to the appropriate agencies and delivers the results.

Those requesting information may enter sensitive personal data and are even encouraged to do so by government agencies to help service their requests – information such as status on an immigration application or information about criminal cases.

A little too transparent

The problem stemmed from a software bug in the site’s search facility. This allows people to search existing FOIA requests and find out who has requested information about what. These records include personal details that the site normally withholds until the originating agency gives permission to reveal it.

That masking stopped working. Instead, the site began displaying all of the information by default, including sensitive data, effectively rendering it publicly available.

The software glitch meant that sensitive information about individuals, including birthdates, immigrant identification numbers, addresses and contact details were available online. CNN identified at least 80 full or partial Social Security numbers during its research.

According to the news site, the masking feature had been working properly until 9 July, when the website upgraded from version 2.0 to version 3.0. This means information would have been publicly available until shortly after reporters from CNN, tipped off by a source, alerted the government.

At that point, FOIA.gov attempted to re-mask sensitive information, but some data needed to remain publicly viewable. Last Thursday, it sent a notice to the relevant originating agencies asking them to review the publicly viewable information on the site to ensure that FOIA.gov was authorized to disclose it.
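The failure described above is a redaction default that flipped from "withhold until approved" to "show unless told otherwise." The following is an added illustration, not FOIA.gov's code, and the article does not say what the actual bug was: the record layout, the `agency_decision` values and the sample data are constructed here to contrast a fail-open renderer with a fail-closed one, plus the SSN-pattern audit check a reviewer can run over rendered output.

```python
"""Fail-closed masking of FOIA request records (added illustration, not
FOIA.gov code; record layout, decision values and sample data are constructed)."""
import re
from dataclasses import dataclass
from typing import Optional

# Fields that stay hidden until the originating agency approves release.
SENSITIVE_FIELDS = frozenset({"ssn", "birthdate", "address", "alien_number"})
MASK = "[withheld pending agency review]"
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

@dataclass
class FoiaRequest:
    request_id: str
    subject: str      # free text typed by the requester
    requester: dict   # structured personal details
    agency_decision: Optional[str] = None  # "disclose", "withhold", or not reviewed

def render_fail_open(req: FoiaRequest) -> dict:
    """Shows a field unless an explicit 'withhold' decision exists; a record
    with no decision (None) is shown in full, the kind of default flip described."""
    out = dict(req.requester)
    out["subject"] = req.subject
    if req.agency_decision == "withhold":
        for k in SENSITIVE_FIELDS.intersection(out):
            out[k] = MASK
    return out

def render_fail_closed(req: FoiaRequest) -> dict:
    """Masks every sensitive field unless the agency explicitly said
    'disclose', and scrubs SSN-shaped strings from free text regardless."""
    approved = req.agency_decision == "disclose"
    out = {k: (str(v) if approved or k not in SENSITIVE_FIELDS else MASK)
           for k, v in req.requester.items()}
    out["subject"] = req.subject if approved else SSN_RE.sub(MASK, req.subject)
    return out

def leaked_ssns(view: dict) -> list:
    """Audit check: SSN-shaped values in a rendered page, the signal the
    reporters used when they found exposed numbers on the live site."""
    return [m for v in view.values() for m in SSN_RE.findall(str(v))]

# Constructed sample record; 123-45-6789 is a deliberately invalid SSN.
SAMPLE = FoiaRequest(
    request_id="EXAMPLE-0001",
    subject="Status of my immigration application, SSN 123-45-6789",
    requester={"name": "A. Requester", "ssn": "123-45-6789",
               "birthdate": "1980-01-01", "address": "1 Example St"},
)
```

Running `leaked_ssns` over both renderings of `SAMPLE` shows two exposed numbers from the fail-open path (one in a structured field, one typed into free text) and none from the fail-closed path.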

Exposing data on websites by mistake is becoming a common problem for governments. In August 2016, a security researcher discovered 15GB of voter registration data and other sensitive information on the website of Kennesaw State University, which had a contract with state government to help run its voting system.

In March this year, 7,000 documents were inappropriately downloaded from a provincial freedom of information site in Nova Scotia, Canada, after a programming error left them publicly accessible. Hundreds of them contained sensitive information.

Some mishaps see data exposed on third-party online services. In August, researchers found UK and Canadian government data, including server passwords, exposed on the project collaboration site Trello. Google had indexed them.

Additionally, misconfigured databases have also become common, with exposed MongoDB data proving a popular target for security researchers. In August, 2.3 million Mexican healthcare records were exposed via a MongoDB instance and indexed by IoT search engine Shodan.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HEd-Ai8CJBg/