STE WILLIAMS

Copy-and-paste sharing on Stack Overflow spreads insecure code

It’s the time-saving technique employed by many coders in a hurry – copy and paste snippets of code from crowd-sourced Q&A websites and forums to solve tedious or difficult programming problems.

One of the most popular sites for this is Stack Overflow, and most of the time it works out fine.

But what if some of that code introduces bugs that might compromise the security of the software it ends up being used inside?

The tricky bit, as a new study called An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples points out, is working out which code is OK and which isn’t.

After analysing real code from Stack Overflow, the researchers found a small but still significant number of examples where this happened over a 10-year period to 2018.

The team reviewed 72,483 C++ code snippets for weaknesses defined by the industry Common Weakness Enumeration (CWE) guidelines, finding 69 representing 29 different types of security flaw, most often CWE-150 (‘Improper neutralization of escape, meta, or control sequences’).
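To make CWE-150 concrete, here is an added illustration of the weakness class (not one of the study’s snippets, and not code from Stack Overflow; it is written in Python rather than C++ for brevity). A log line is built from an untrusted username, and an attacker-supplied carriage return plus an ANSI escape sequence forge a second, fake log entry; a small neutralizer escapes control characters before they reach the log. The username, log format and function names are assumptions for the example.

```python
import re

# Constructed attacker input (hypothetical): the CR/LF forges a fake
# "login user=admin ok" record, and the ESC sequence recolours any terminal
# or log viewer that renders ANSI codes.
MALICIOUS_USER = "bob\r\n[INFO] login user=admin ok\x1b[31m"


def log_line_unsafe(user: str) -> str:
    """CWE-150 pattern: untrusted text is written into the log verbatim."""
    return f"[INFO] login user={user} failed"


# C0 control characters (0x00-0x1f) and DEL (0x7f): CR, LF, ESC, BS, NUL, ...
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(text: str) -> str:
    """Replace every control character with a visible \\xNN escape so that
    no downstream consumer (terminal, log parser, SIEM) can interpret it."""
    return _CTRL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def log_line_safe(user: str) -> str:
    """Hardened form: the untrusted field is neutralized before logging."""
    return f"[INFO] login user={neutralize(user)} failed"


def count_records(log_text: str) -> int:
    """How many records a naive line-oriented log parser would see."""
    return len([line for line in log_text.splitlines() if line])


if __name__ == "__main__":
    unsafe = log_line_unsafe(MALICIOUS_USER)
    safe = log_line_safe(MALICIOUS_USER)
    print(repr(unsafe), "->", count_records(unsafe), "record(s)")
    print(repr(safe), "->", count_records(safe), "record(s)")
```

Escaping rather than stripping keeps the evidence of the attempt in the log; if the field has a known format (an account name, say), rejecting anything outside that alphabet at the input boundary is the stricter option.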

This sounds like a small percentage, but those 69 vulnerable snippets found their way into a total of 2,859 projects on the Microsoft-owned software development platform, GitHub.

The idea that vulnerable code might be floating around on sites such as Stack Overflow is hardly a revelation, although this is apparently the first study that has looked closely at C++, a language that remains widely used for specialised programming tasks.

Bad snippets

One issue the researchers don’t address is whether Q&A code sharing is as good an idea as some assume it to be.

Since most developers are unlikely to ditch the advantages of code sharing over a few bad snippets, the researchers’ answer is a new class of tools to assess its quality.

This should arrive soon in the form of a Chrome extension which can be used to check copied code against the team’s database of vulnerable code:

The extension then recommends non-vulnerable similar code snippets from other Stack Overflow posts, so that the developer can reuse those safe code snippets instead of the vulnerable code snippet.

Interestingly, when the researchers gave 117 of the affected GitHub project owners the bad news about their use of borrowed code, only 15 responded.

Of those who did, several either refused to fix the issue or offered excuses as to why a vulnerability might not be as risky as it appeared.

This suggests that for some coders, bad or insecure code is either too small a problem to be worth fussing about or an acceptable downside of meeting deadlines.

And once it’s inside software, it’s someone else’s problem.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/owsdar3-5Ug/

You know the deal: October 2019. Pwned by a spreadsheet. Patch your Microsoft stuff

October brings a relatively light patch load for admins and users, thanks to Adobe’s decision to sit out this month’s update bonanza.

Cloudy patch bundle from Microsoft

For Microsoft, the Patch Tuesday update is a manageable 59 CVE-listed bugs for Windows, Edge, Office, and Azure.

Among the nine critical issues patched this month is CVE-2019-1372, a flaw in Azure that allows end-users running on virtual machines to send and execute code on the host machines.

This is particularly bad because it is, in essence, both an elevation of privilege bug and a remote code execution vulnerability.

“An attacker could use this vulnerability to have an unprivileged function run by a user execute code at the level of System. That provides an attacker a nifty sandbox escape,” explained Dustin Childs of the Trend Micro ZDI.

“Microsoft gives this an ‘Exploitation Less Likely’ Exploit Index rating, but if you use the Azure App Service, don’t depend on that and do apply the patch.”

Aside from the Azure flaw, October’s update addresses many of the usual security holes in Microsoft’s offerings. Seven critical fixes address remote code execution flaws in the Chakra and VBScript tools that can be exploited through a poisoned web page.

The remote desktop client continues to be an area of concern, thanks to CVE-2019-1333. That flaw allows a bad actor to achieve remote code execution by tricking the mark into connecting to a malicious server.

While Microsoft doesn’t usually consider Office bugs to be critical, admins should also pay special attention to those flaws, including CVE-2019-1327. An attacker would be able to get remote code execution by tricking the user into opening a poisoned file.

Considering how often users in a business setting will open Excel spreadsheet attachments without a second thought, we would argue this flaw is just as dangerous as any browser-based flaw.

Windows 10 Mobile also got in on the Patch Tuesday fun this month, as the platform was subject to CVE-2019-1314. The security bypass flaw lets users work around the Cortana lock screen to access a device.

“Although Microsoft details the bug, they aren’t fixing it. Instead, they recommend users of Windows 10 Mobile disable Cortana on the lock screen,” explained Childs.

“If your organization uses devices with this OS, start rounding them up to make the change.”

No Adobe fixes, but Android needs patching

Notably absent this month is Adobe. The media giant has opted not to post any fixes for Flash, Reader, Acrobat, or any of its other offerings. The most recent Adobe release was the September 25 update for ColdFusion.

Meanwhile, there is a late-arriving monthly patch from Google for Android. The mobile platform has received a number of fixes, most notably patches for three remote code execution bugs in the media framework that allow attacks via poisoned files.

Those who have Google-branded devices can get the Android updates directly from the Chocolate Factory, while others will have to wait for their device vendor or carrier to get around to releasing the patch.

Eight patches from SAP


SAP, on the other hand, was more than happy to take part in this month’s Patch Tuesday. The enterprise software powerhouse released patches for eight CVE-listed flaws.

Among the most serious were CVE-2019-0379, a security bypass bug caused by a missing authentication check in NetWeaver, and CVE-2019-0380, an information disclosure bug in SAP Landscape Management.

Admins are advised to test and install all of the patches as soon as possible.

While October saw a reduced patch load thanks to the absence of Adobe and Google, those who dragged their feet on the updates for MacOS and Cisco may have those patches to install on top of today’s bundle. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/08/you_know_the_deal_october_2019_pwned_by_a_spreadsheet_patch_your_stuff/

Twitter: No, really, we’re very sorry we sold your security info for a boatload of cash

Twitter says it was just an accident that caused the microblogging giant to let advertisers use private information to better target their marketing materials at users.

The social networking giant on Tuesday admitted to an “error” that let advertisers have access to the private information customers had given Twitter in order to place additional security protections on their accounts.

“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,” Twitter said.

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize.”

Twitter assures users that no “personal” information was shared, though we’re not sure what Twitter would consider “personal information” if your phone number and email address do not meet the bar.

“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties,” the mea culpa reads.


“As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.”

Earlier this year, Facebook was handed a $5bn fine by the US government for playing fast and loose with the personal information of its customers. It is not clear what this incident could mean for Twitter legally, if anything. The FTC declined to comment on the matter.

Users, however, do not look to be happy with either the mishap or the way Twitter is handling the disclosure.

Aside from being a violation of privacy and potential legal liability for Twitter, the incident will have the added effect of making users less safe by discouraging them from using phone numbers and email verification as additional levels of security.

All in all, this is a bad look for Twitter that isn’t likely to go away any time soon. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/09/twitter_data_leak/

If you have a security alert, I feel bad for you, son – you got 99 problems but a hack ain’t one

Just one per cent of all Indicator of Attack (IOA) warnings are actually caused by network attacks.

This is according to security giant Kaspersky, which analyzed customer data over the first six months of 2019 and concluded that, 99 per cent of the time, alarms are being raised as the result of something other than a hacker.

The Kaspersky team analyzed more than 40,000 reports generated by its Managed Protection service and found that of those, just 515 were actually traced back to an attack on the customer’s network.

This isn’t unusual, says the security house. In fact, somewhat astonishingly, Kaspersky argues that if you’re not up to your armpits in such reports, you’re doing something very wrong.

“If you don’t see a large number of false-positive events in your network, that probably means that you are missing a lot of important security incidents,” explained Sergey Soldatov, head of the security operation center at Kaspersky.

“Therefore, you should switch towards more wide-scale usage of Indicators of Attack methods, among other tools. While IoA-based alerts are much trickier to investigate due to the necessity to perform a lot of research to create efficient IoA and then a lot of manual analysis (when the IoA are triggered), our statistics show that these are most prone to false positives yet, they are the most effective and allow you to find really critical incidents.”

Here’s the thinking: IOA warnings are based on the behavior Kaspersky and other researchers notice hackers using while they carry out attacks on networks. Increasingly, those attacks are designed to mimic legitimate network activities.


For example, Kaspersky said that 37 per cent of the confirmed attacks were detected at the execution stage – a sign the attackers were hijacking legitimate processes to do their dirty work. Another 16 per cent were detected performing lateral movement between systems on the network, another activity that happens legitimately every day.

In other words, companies are getting so many false positives from everyday activity because the bad guys are doing more to disguise their activities as everyday network traffic and system activity.

“The low IoA conversion rate reflects the need to detect advanced threats which use a ‘living off the land’ approach , with behaviors that are very similar to legitimate activity,” Kaspersky writes.

“The more a malicious behavior mimics the normal behavior of users and administrators, the higher the rate of false positives and, consequently, the lower the conversion rate from alerts.”

The alternative is that Kaspersky and other vendors could, you know, just produce better software that doesn’t deluge admins with false positives, but you shouldn’t hold your breath on that score. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/08/kaspersky_attack_alert/

A trio of boffins scoop the Nobel Prize in physics for the first exoplanet discovery and big bang model

Three scientists have won the Nobel Prize in physics for the discovery of how the early universe evolved after the Big Bang and finding the first exoplanet orbiting a faraway star.

One half of the prize, a sweet 4.5 million Swedish kronor – about $492,800 or £368,400 – goes to James Peebles, 84, a Canadian-born retired cosmology professor from Princeton University. Peebles was instrumental in producing detailed analytical models describing how the universe unfolded from fractions of a second after it came to be, through the present, and into the future. Along the way, scientists uncovered new fundamental principles.

“James Peebles took on the cosmos, with its billions of galaxies and galaxy clusters,” said The Swedish Academy, an organization responsible for awarding Nobel laureates. “His theoretical framework, developed over two decades, is the foundation of our modern understanding of the universe’s history, from the Big Bang to the present day.”

His work showed that the ordinary matter we can observe accounts for just 5 per cent of the universe’s contents, with the other 95 per cent made up of dark matter and dark energy. One of his seminal papers, published in 1965, described how the first galaxies could only form once the universe had cooled enough for matter to clump together under gravity.

The radiation left over from the Big Bang is still observable today: as the universe expanded, its wavelengths stretched, and it now reaches us as the cosmic microwave background.

“When I started working in this subject — I can tell you the date, 1964 — at the invitation of my mentor, Professor Robert Henry Dicke, I was very uneasy about going into this subject because the experimental observational basis was so modest. … I just kept going,” Peebles said over the phone during the Nobel news conference. “Which particular step did I take? I would be very hard-pressed to say. It’s a life’s work.”

The first exoplanet in 1995

The second half of the prize will be shared by two Swiss astrophysicists: Michel Mayor, 77, a researcher working at the Observatory of Geneva, and one of his doctoral students, Didier Queloz, 53, a professor at the University of Geneva and the University of Cambridge.

In 1995 the pair found the first exoplanet, 51 Pegasi b, orbiting a main sequence star, 51 Pegasi, similar to our own Sun, about 50 light years away in the Milky Way. Mayor and Queloz will each receive a quarter of the prize money – 2.25 million Swedish kronor ($246,400 or £199,800).

Nearly 4,000 otherworldly planets have been confirmed so far. The most productive method for spotting them is the transit method, which involves monitoring a star’s brightness over time.

If it is harbouring an exoplanet, its brightness should periodically dip as the orbiting body crosses in front of it. Other techniques, such as the radial velocity (Doppler shift) method that Mayor and Queloz used, allow astronomers to estimate an exoplanet’s mass.

Mayor and his colleagues built a new type of spectrograph that made it possible for them to observe a large number of stars covering a patch of sky in wavelengths from 390 to 680 nanometers.

They hit the jackpot when they published their paper titled “A Jupiter-mass companion to a solar-type star” in Nature. They discovered that 51 Pegasi b was just eight million kilometers from its parent star, a distance closer than Mercury is to our Sun. They believed that it was a gas-giant planet that was brought closer to its star over time.

“Discovery opened our exploration of these brand-new worlds, and now 24 years later we are at the verge of finding out if we are alone in the universe,” Lisa Kaltenegger, an accomplished exoplanet hunter and director of Cornell University’s Carl Sagan Institute, commented.

“The next steps, inspired by the amazing discovery 24 years ago of the first exoplanet, is to collect enough light from these small planets in the habitable zone to figure out if there are signs of life in their atmosphere. We are already building the telescopes that can collect enough light to answer the fundamental question of whether we are alone in the universe – or not.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/08/nobel_prize_physics/

Tune in today: Learn lessons from Australia and Singapore – find out how to thwart cyber-crooks probing your IT

Webcast Stop press: there are miscreants out there, and they are looking to break into your computer systems and steal your data. But you knew that, right?

More interesting is that different countries can face very different threats. In today’s webcast, we will speak to Carbon Black about their latest cyber-security research data, study global trends, and drill into two specific countries, with findings such as:

Singapore businesses are facing a dramatically escalating threat environment in which attack volumes have grown exponentially in the past 12 months. In particular, Singapore’s strong government and local authority sector is proving an attractive target for cyber-criminals, with CIO, CTO, and CISOs in this sector reporting significantly elevated attack frequency.

In Australia, businesses are battling a sustained threat environment where attacks continue to grow in sophistication and complexity, making network breaches an all but inevitable consequence. 97 per cent of Australian organizations participating in the study said they have suffered one or more computer security breaches in the past 12 months due to external cyber-attacks.

But there’s more. A threat is only a threat if it isn’t challenged, so we’re looking to go beyond attacker behaviours and pose the question: what are organizations doing to defend themselves, in terms of both tooling and process?

We’re going to ask what differentiates our focus countries, what to do in response, and, overall, how to set priorities, keep current, and plan for whatever is around the corner.

Click here to watch today’s webcast, brought to you by Carbon Black.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/08/apac_security_threats/

For Cybersecurity to Be Proactive, Terrains Must Be Mapped

As in any battle, understanding and exploiting the terrain often dictates the outcome.

The best prevention capabilities don’t lead to the best cybersecurity. The trouble is, most security teams don’t even have a full understanding of the terrain they’re trying to defend, which makes it impossible to move to a more effective, proactive cybersecurity posture.

As more networks incorporate the cloud and an increasing number of Internet of Things devices, the challenge of understanding the full cyber terrain is only growing. That’s why now is the time for security teams to focus on knowing what they have to protect, by thinking about what their adversaries are after. Patching yesterday’s problems doesn’t necessarily prevent tomorrow’s attack. The future is a terrain and threat landscape that is continuously shifting at a rapid pace. Security teams must focus on the very, very specific things that the vast majority of cyber weapons systems are implemented to attack. And teams need the ability to definitively measure the impact of the specific assumptions, hypotheses, and decisions they make in this effort. To do any of this, they must have a complete understanding of their cyber terrain.

Understanding Cyber Terrain
The cyber terrain is the sum of all of an organization’s operational assets, security controls, data assets, and overall decision-making. It’s a cumulative topography of an organization’s cybersecurity posture. It might sound like a basic notion, but cyber terrains are difficult to understand because they’re inherently malleable, changing dramatically after new capabilities are introduced, new decisions are made, or adversary approach vectors are closed or opened.

A lack of visibility across their entire terrain was reported as a major security pain point for 53% of organizations, according to Fidelis’ “State of Threat Detection” report. This disconnect between recognizing the urgency of monitoring their networks and actually executing attempts to do so points to an industrywide gap in understanding how critical mapping out the cyber terrain truly is.

In real-world conflicts, people often rely on their home-field advantage, scoping out their entire terrain so that the enemy struggles for visibility. In cybersecurity, it’s the enemies that too often have the “high ground” and strategically use “cover” and generally benefit from the environment, leaving the companies they’re infiltrating at a disadvantage. For example, the adversary can perform active reconnaissance of the network, such as port scans, to understand terrain prior to an attack and in some cases, have a better understanding of the terrain than the network defenders.

Where real-world conflict and cyberattacks diverge greatly is in the rate of adaptability. Unlike physical battlegrounds, cyber terrains change instantaneously and so their particular advantages can too. Organizations typically understand how adversaries exploit this; however, fewer understand how to weaponize this potential liability for their own protection.

Gaining a Holistic View
An organization that cannot see its entire cyber terrain will fail to defend it properly. Over 55% of organizations report lowered confidence in their ability to identify insider threats as result of not having control over blind spots. Companies cannot defend terrain they cannot see. To correct this, enterprises must follow three key steps to gain a holistic view of their cyber terrain: discovery, mapping, and prioritizing deep visibility.

Discovery is a ballet of strategy, inventory, and evaluation. Organizations need the ability to continuously discover, classify, and assess assets — including servers, enterprise IoT, laptops, desktops, shadow IT, and legacy systems. The software installed on these individual assets must also be identified, run through vulnerability assessments and tagged if it carries a known vulnerability. Data must be continuously collected and analyzed; otherwise, attackers can take advantage of the seams created between scans.

At a time when only about 7% of organizations believe they’re using their security stack to its full capability, it’s more important than ever to “Marie Kondo” the network infrastructure. After discovery, companies will be able to map out what their current and desired capabilities are, making redundancies clear. Security holes in their cybersecurity framework will also become increasingly clear so they can operationalize capabilities against existing threat frameworks, such as the National Institute of Standards and Technology’s Cybersecurity Framework, MITRE’s ATT&CK framework, or the Department of Defense’s DoDCAR framework. These frameworks are easily digestible for organizations struggling to inform their larger security strategy and will allow them to better assess what cyber capabilities they have and which they lack.

Companies may become complacent after gaining a thorough understanding of assets, capabilities, and vulnerabilities, but to stop here would be to forget the basic notion of how inherently malleable cyber terrains are. At this stage, enterprises must invest in deep visibility, which means they must dig through rich, indexable metadata to provide content and context around security incidents. In this way, organizations will become better able to highlight potential or existing attack vectors.

Capitalize on the Advantage
Only after understanding the basic concept of the cyber terrain and fully achieving a holistic view can organizations truly capitalize on their home-field advantage. Just as in any war, organizations can strategically set up deception techniques full of ambushes and traps to prevent threat actors from causing damage. Newly emerging strategies open up a world of possibilities, allowing organizations to set up honey pots or decoys or even leave breadcrumbs for attackers to follow. As in any battle, whether in cyberspace or not, understanding and exploiting the terrain often dictates the outcome.


As Chief Technology Officer at Fidelis Cybersecurity, Craig Harber directs the product strategy for the organization, ensuring that the technology developments align and complement the frameworks at the forefront of the industry. This follows a distinguished career at the … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/for-cybersecurity-to-be-proactive-terrains-must-be-mapped/a/d-id/1335965?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Most US Presidential Campaign Websites Offer Little Privacy Protection

New audit finds that privacy policies on 70% of the sites have no limits on data sharing.

Sixteen of the 23 current US presidential campaigns have websites that fail to meet basic privacy standards for user data, a new study by the Internet Society’s Online Trust Alliance (OTA) has found.

The audit found that the sites have privacy policies that are poorly written and ambiguous, and they allow visitor data to be shared freely with third parties. Four campaigns had no privacy policies at all, and two did not have any email authentication measures in place to protect users against phishing attacks.

The seven sites that made the cut are those associated with the campaigns of President Donald Trump and Democratic candidates Bernie Sanders, Pete Buttigieg, Beto O’Rourke, Kamala Harris, Amy Klobuchar, and Marianne Williamson. Sites failing the audit included those associated with the campaigns of Joe Biden, Cory Booker, Elizabeth Warren, Michael Bennet, and Andrew Yang.

“The number of campaigns that failed to pass the 2020 Presidential Campaign Trust Audit is alarming given the increased attention to privacy and security issues over the last four years,” Jeff Wilbur, technical director of the OTA, wrote in a statement.

Sites that OTA audited serve as the primary online presence for the presidential campaigns and are a venue for direct communication with voters, data collection, and fundraising. The weaknesses that OTA uncovered were primarily on the data privacy side and not with site security.

OTA audited the websites and email practices of 2020 US presidential campaigns using the same metrics it uses to evaluate the privacy, security, and consumer protection practices of some 1,200 organizations across multiple sectors.

The audit examined the privacy notices and the data sharing, retention, and third-party tracking polices on the campaign websites. It also examined the websites for security vulnerabilities and for protections such as encryption for securing web sessions and firewalls for blocking threats. In addition, the OTA examined whether the sites used measures such as email authentication and associated technologies to protect users from phishing and other attacks.

Results showed that 70% of the websites are putting visitors at unnecessary risk by not having proper privacy and security mechanisms in place. Twelve campaign sites had privacy policies that failed to give proper notice about data sharing, retention, and use by third parties.

Though third-party tracking on these sites appeared to be minimal, several had privacy statements that allowed the campaigns to share voter data with “like-minded third parties” and unidentified others. The language in the privacy statements effectively put no limits on how the campaigns could use personal data, including donor information, OTA said. Four sites — belonging to candidates Joe Walsh (R), Mark Sanford (R), Tim Ryan (D), and Wayne Messam (D) — had no privacy policies at all. Only one site had language explicitly stating no data would be shared with others.

Troublingly, none of the campaigns had any language indicating how third parties would handle voter data. The absence of such information is a real concern, says Bob Rudis, a cybersecurity researcher and former managing principal of Verizon DBIR. “In an age where our personal information is handed out like Halloween candy, not having strictly enforced policies is an open invitation to misuse and privacy loss,” he says.

Website Security Measures
Most presidential campaigns scored relatively well on the website security front, likely because they were built on new, recently secured platforms, OTA said. All of the websites, for instance, used trusted SSL/TLS certificates, and 53% used TLS 1.3, the latest encryption protocol. Fifty-eight percent of the websites used a web application firewall to protect against online threats. The OTA audit did not detect malware on any of the sites.

Those findings are going to be of some relief for those concerned about campaign sites being abused. Sloppily protected sites can cause all sorts of problems for candidates and voters, says Ilia Kolochenko, CEO of ImmuniWeb, a web security company whose tool was used in the OTA research.

“It all depends on the intent of attackers and their eventual goals,” Kolochenko says. Scammers can start a fake fund collection campaign to steal money from a candidate by hosting a hidden section on the website with their own bank account. Or a nation-state attacker could breach a candidate’s website and use it to spread fake news.

Such scenarios may cause considerable damage to democratic processes, Kolochenko notes. “The risks for website users go from theft of their data stored on the website to being infected with drive-by-download malware.”

All but two of the campaigns also had email authentication mechanisms in place to protect users against phishing attempts. Eighty-seven percent of the websites used both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols, which let receiving mail servers check that a message came from a host the domain authorises and that its contents were signed by the domain. Sixty-one percent used Domain-based Message Authentication, Reporting and Conformance (DMARC), which tells receivers what to do with mail that fails those checks and where to send reports about it.
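The SPF and DMARC part of such an audit can be reproduced from public DNS alone. The following is an added example, not OTA’s or ImmuniWeb’s tooling: it parses a domain’s SPF and DMARC TXT records and reports whether they actually enforce anything (an SPF record ending in “?all” and a DMARC policy of “p=none” both leave spoofed mail deliverable). The domain names and TXT records are constructed for the example, and DKIM is deliberately left out because its selector can only be learned from a received message, not from DNS. The DNS lookup is a stub over a constructed table; swapping it for a real resolver is the only change needed.

```python
# Constructed DNS TXT data for hypothetical domains (not real campaign sites).
CONSTRUCTED_DNS = {
    "good-campaign.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good-campaign.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@good-campaign.example"
    ],
    "weak-campaign.example": ["v=spf1 include:_spf.example.net ?all"],
    "_dmarc.weak-campaign.example": ["v=DMARC1; p=none"],
    "none-campaign.example": [],
}


def lookup_txt(name: str) -> list:
    """Stub resolver: returns the TXT strings published at `name`."""
    return CONSTRUCTED_DNS.get(name, [])


def parse_spf(records: list):
    """Return {'terms': [...], 'all': qualifier} or None if no single valid SPF record.
    RFC 7208: zero or more than one v=spf1 record both mean 'no usable SPF'."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    terms = spf[0].split()[1:]
    all_qualifier = "?"  # no 'all' mechanism: unmatched senders get a neutral result
    for term in terms:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            all_qualifier = qualifier
    return {"terms": terms, "all": all_qualifier}


def parse_dmarc(records: list):
    """Return the DMARC tag dictionary, or None if no single v=DMARC1 record."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade(domain: str) -> dict:
    """Audit one domain: presence of SPF/DMARC and whether they are enforcing."""
    spf = parse_spf(lookup_txt(domain))
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain))
    findings = []
    if spf is None:
        findings.append("no SPF record")
    elif spf["all"] not in ("-", "~"):
        findings.append("SPF does not fail unauthorised senders (%sall)" % spf["all"])
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("DMARC policy is not enforcing (p=%s)" % dmarc.get("p", "missing"))
    return {
        "spf": spf is not None,
        "dmarc": dmarc is not None,
        "enforcing": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    for name in ("good-campaign.example", "weak-campaign.example", "none-campaign.example"):
        result = grade(name)
        print(name, "enforcing" if result["enforcing"] else "; ".join(result["findings"]))
```

A “~all” soft fail is accepted as enforcing here because most receivers treat it as a DMARC-relevant failure; tighten the check to “-all” only if your policy demands hard fail.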

Rudis says the comprehensive use of TLS/SSL configurations across all presidential campaign sites and the above-average use of email safety protocols such as SPF, DKIM, and DMARC is very encouraging. “However, given the myriad hacking issues during the previous major campaign cycle, the fact that only 30% of campaigns made it to the honor roll is a pretty damning statistic,” he says.

Digital interaction is the primary method of communication between campaigns and citizens, he notes. “In 2019, there is no excuse for not ticking all the boxes that ensure the security, safety, and privacy in each interaction and for each data element captured.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: https://www.darkreading.com/vulnerabilities---threats/most-us-presidential-campaign-websites-offer-little-privacy-protection/d/d-id/1336029?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Can the Girl Scouts Save the Moon from Cyberattack?

The Girl Scouts Cyber Challenge event, later this month, pledges to give middle and high-school girls a realistic, and fun, look at cybersecurity careers.


Mary Kim comes from a family of medical professionals. While she admired what they did, growing up she knew one thing for sure: She did not want to be a doctor.

“Math has always been my strong point,” she says. “I knew I wanted to go into engineering. My dad fostered that when I was a kid. I enjoyed solving problems, like putting together the air conditioner at home. I liked having my hands on things.”

Kim took those interests and turned them into a career in cybersecurity. She’s now a senior principal cybersecurity engineer at Raytheon and is based in the DC area. But in her two-plus decades in the field, she has continued to remain solidly in the minority as women remain far outnumbered by men in the profession. Some studies put the percentage of women in security at a mere 11%, although more recent research from (ISC)2 puts it now above 20%.

“We have a gap,” Kim says. “And eventually we all get older, so the next generation needs to come in and change things. We need young women to know this is a viable career choice. It is not only something financially advantageous, but where there is flexibility for work-life balance.”

So what better organization to engage and interest young girls in cybersecurity than the Girl Scouts? On October 19, approximately 3,000 Girl Scouts across the country, grades 6 to 12, will participate in the first-ever Girl Scouts National Cyber Challenge. Raytheon, with the help of mentors within the organization including Kim, has partnered with the 107-year-old youth organization for girls for the one-day event, which will cover such topics as cryptography, forensics, social engineering, and ethics.

Organizers say the girls will be prompted to respond to a futuristic simulation scenario: a moon colony has been hacked. They’ll learn cybersecurity skills and team up to identify the hackers, trace the origin of the cyberattack, and secure the colony’s safety.

Aashka Shroff, a high school junior and Girl Scout from Plano, Texas, helped plan the challenge in her region. She is hoping the chance to engage in the activities will convince more girls that security is not only fun but applicable to a broad range of real-world applications.

“It’s one step in involving more girls and explaining to them that there is so much encompassed in cybersecurity – just like business,” Shroff says. “And those opportunities are only going to get bigger and bigger. This will help them realize this is fun. This is cool.”

Shroff says she was first exposed to cybersecurity through her own scouting experience at a camp, and that piqued her interest in learning more. Then, after a five-week camp on a local college campus, she was hooked.

“I thought cybersecurity was only coding and computers. And I didn’t want to be stuck behind a computer. But I learned it’s not just about coding – it can be used in fashion, music, sports. Everyone needs their data protected, and there are so many aspects of cybersecurity.”

Raytheon’s Kim says her interest in getting involved in the challenge is for that exact reason: to spread awareness among young women of types of careers in cybersecurity.

“For a lot of people [cybersecurity] is a buzzword, but that’s it,” Kim says. “People think it’s computer stuff. They think you’ve got to like computers to do it. And I think while there’s some exposure in high school, those certain classes can be daunting, and the conclusion they come to is, ‘It’s not for me.’ In this event, there are so many types of scenarios for the girls to engage in. There are a number of aspects in security beyond the technical part of the house. And that’s the messaging in this challenge.”

The Girl Scouts expect to be able to reach thousands of young women around the country with the upcoming challenge. More information on the event can be found on the Girl Scouts website.


Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Article source: https://www.darkreading.com/edge/theedge/can-the-girl-scouts-save-the-moon-from-cyberattack/b/d-id/1336030?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

NSA Issues Advisory on VPN Vulnerability Trio

Vulnerabilities with Pulse Secure, Fortinet, and Palo Alto Networks VPNs are called out in the advisory.

The National Security Agency (NSA) this week issued an advisory with remediation steps for recently disclosed vulnerabilities in virtual private network (VPN) products from Palo Alto Networks, Fortinet, and Pulse Secure.

“Multiple Nation State Advanced Persistent Threat (APT) actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379 to gain access to vulnerable VPN devices,” the NSA said in the alert.

The intelligence agency provided “additional actions” for organizations to recover from an attack, as well as “longer-term” steps for hardening their systems against the attacks. NSA cybersecurity advisories are not common: The last such advisory from the agency was issued in June, concerning remote desktop services in legacy Windows versions.



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/nsa-issues-advisory-on-vpn-vulnerability-trio/d/d-id/1336034?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple