STE WILLIAMS

IT environments at primary and secondary schools are complex and full of security gaps, leaving them more vulnerable to attacks such as ransomware and crypto-miners, according to an analysis of 1,200 schools in the US and Canada.

The analysis, conducted by managed security services provider Absolute and released this week, found that the typical school in North America has to manage hundreds of versions of applications across dozens of operating-system builds. Overall, the company found more than 250 versions of major OSes — such as Windows, Mac, Linux, and ChromeOS — and 137,000 unique versions of applications installed on devices managed by the 1,200 schools. 

School districts’ IT teams are hard-pressed to manage such complex environments, says Josh Mayfield, director of security strategy at Absolute. Ransomware attacks against US school systems surged by more than 30% in 2019, driven in part by the difficulty that overworked IT teams have in securing the complex environments, he says.

“The amount of tech complexity in K-12 environments is overwhelming, as their attack surfaces have grown by several orders of magnitude,” he says. “In this new reality, there are too many tangles and limited visibility, leaving gaps open to exploit and space for attackers to camp out, which has set the stage for ransomware.”

With knowledgeable security professionals in short supply and technology proliferating in school systems, the cybersecurity picture for schools continue to grow darker. In the first nine months of 2019, the number of security incidents at K-12 schools jumped to 160, exceeding the number of incidents in all of 2018 by 30%, according to Absolute’s accounting of public data. 

Schools are now the second largest group of victims, behind municipalities, according to cloud security services firm Armor.

“Due to the volume of device types, operating systems, and applications, managing and patching devices is a huge challenge,” Absolute’s report stated. “The potential impact of this cannot be overstated.”

The education sector has always been hard-pressed to protect its networks and systems. School districts’ reliance on public funds means low salaries for IT and IT security workers. Education also relies on the open sharing of information, making stringent security measures not generally possible. 

Little wonder, then, that the educational sector as a whole has received failing grades from ratings firms.

Most school districts — 53% — rely on the default patch management and client controls that ship with the chosen devices and operating systems. But such utilities and controls have a 56% failure rate, with more than a third of devices requiring at least one repair a month, Absolute found.

“Each time that situation arises … it means that the agent not only failed, but that it failed repeatedly due to … complexity and decay … with other tools foreclosing access to machine resources,” Mayfield says.

Rather than add security, each layer of security often added complexity to the detriment of the overall security of the organization, Absolute stated in the report. 

“[E]very additional security tool only increases the probability of failure as agents and controls conflict with one another on the endpoint,” the report stated.

Students also cause significant complexities for IT administrators and security teams. Unlike workers who have an incentive to follow the rules of IT security, students are often incentivized to get around controls and are often more tech-savvy than teachers.

The report found that 42% of students use virtual private networking (VPN) software or Web proxies to get around security controls. Absolute found 319 such applications and services across the 1,200 schools in its dataset. 

“Even if K-12 organizations accounted for the complexity and bolted on maximum strength defenses, they still are left with rogue students swinging open the door to attack and industrious users who simply disable controls,” Mayfield says. 

Students often do not understand the consequences — or are not concerned — when they circumvent security measures. Yet more education is not the answer, he says.

“Turn it into a game. Teach them what attackers do, test them on practical examples, and give each of them a sense of achievement when they win,” Mayfield says. “Let them know what villains may try to do, and challenge them to step up and help stop them. Make them the hero of the cyber-resilience story.”

Related Content:

• Back to School? ‘Not So Fast,’ Cybercriminals Say
• No Quick Fix for Security-Worker Shortfall
• University Networks Become Fertile Ground for Cryptomining
• 72% of Educational Institutions Lack Designated InfoSec Staff
• Education Gets an ‘F’ for Cybersecurity

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “How the City of Angels Is Tackling Cyber Devilry“

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/security-management/complex-environments-cause-schools-to-struggle-for-passing-security-grade/d/d-id/1335998?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers with Google’s Project Zero have disclosed a zero-day local privilege escalation vulnerability in its Android mobile operating system that could let an attacker assume control of affected devices. Evidence shows the bug is being exploited in the wild, they report.

Hundreds of millions of Android phones are vulnerable to CVE-2019-2215 given a patch has not yet been released. Models include the Google Pixel 2 running Android 9 and 10 preview; the Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3, Moto Z3, and Oreo LG phones; and the Samsung S7, S8, and S9 running 8.x releases. Pixel 3 and 3a are not affected.

This issue was patched in December 2017 on earlier Android versions, said Project Zero researcher Maddie Stone in a blog post, but source code review indicates newer versions are vulnerable.

The use-after-free vulnerability is considered a “high-severity” bug on Android, Google’s Tim Willis also wrote. By itself, it requires the target to download a malicious application for potential exploitation. An attacker would have to chain this bug with an additional exploit to remotely infect and control a target device through the Web browser or another attack vector.

“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Stone explained. “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”

Data from the Technical Analysis Group and third parties indicate an Android exploit can be attributed to Israel’s NSO Group, which in the past has been known to develop and sell exploits to governments. In February, an exploit seemingly part of NSO Group’s Pegasus spyware program was used to install surveillance software onto target mobile phones via WhatsApp.

Willis says Pixel 1 and 2 devices will be receiving fixes for this bug in the October update. Android partners have been notified and a patch is available on the Android Common Kernel.

Read more details here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “How the City of Angels Is Tackling Cyber Devilry.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/android-0-day-seen-exploited-in-the-wild/d/d-id/1335999?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

No matter how much we invest in defense and how many new solutions hit the market every year, we still face an onslaught of highly successful cyberattacks. Hackers are savvy and persistent, and our failure to keep pace is leading to a problem projected to eclipse $3 billion in losses, according to 2018 data.

Particularly as the cyber arms race has ratcheted up over the years, I have seen a fixation on technology and consistently poor investment in people and process to operate it. We absolutely need the technology, but we can’t forget or overstate the importance of humans working methodically to make it effective, especially for security monitoring.

I have long seen organizations of all kinds fail to approach security monitoring with the same discipline and rigor they afford to other business programs. For cyber defenses to be effective, we must begin to view and manage security monitoring as an essential business service.

Here are the common pitfalls I see, and how to overcome them.

Inadequate Resourcing
When a business function is regarded as critical, it is resourced with the time and talent it requires. Could a security breach render your organization helpless? If you answered yes, security monitoring is more than just a “nice-to-have.”

I routinely see organizations task folks with security monitoring duties while still expecting them to drive other IT initiatives and work on a myriad of unrelated issues. This best-effort approach lacks the experience, training, focus, and proper staffing necessary to run an effective monitoring program. Tasking even your most skilled generalist with security monitoring is the equivalent of asking a sales rep to take over an entire marketing function. They may have dabbled, but they need expertise, a team, and ample time to do it right.

Your monitoring analysts need to know what they’re looking for and looking at. It’s a tough role to fill, and analyst burnout is a thing. That makes developing this team one of the more difficult challenges for a security leader. However, taking the time to recruit and retain good analysts will pay dividends in threat detection and ultimately business risk reduction. Moreover, as team members begin to perform a deeper analysis of environment activity, they will likely arm you with valuable insights about the implementation and efficacy of your broader security infrastructure investments and overall program.  

Failure to Identify and Drive Toward Outcomes
There’s an assumption that security analysts inherently know what constitutes an “incident” and how to find it, and to some extent this is true. But if the organization hasn’t defined and prioritized the kinds of incidents that might cripple or cost the business, there’s a good chance that important events will never even cross the analysts’ radar.

Consider a business with an e-commerce presence. Should the security monitoring program be extended to the applications and infrastructure delivering that service? Let’s assume it should. Does the monitoring program look for traditional network-based attacks? Application-level attacks? Insider activity? Account takeovers? Compliance-impacting events? You see where this is going.

Each one of these monitoring use cases is supported by special telemetry and processes, and some may warrant special service-level agreements. Without careful planning and prioritization, it’s quite likely that the monitoring team doesn’t even have visibility into some of these events, let alone the ability to deliver consistent outcomes the business requires.

Make sure your monitoring program has clearly defined and prioritized service deliverables, then be sure to establish the telemetry and processes necessary to fulfill these essential business objectives.

Forgetting the Basics
We invest in security infrastructure with the hope of becoming less penetrable or better equipped to detect and respond to those events that warrant our attention. Unfortunately, many businesses make major technology purchases, then fail to get those technologies fully integrated into the environment and the business operations they serve.

Take firewalls, for instance — a basic, decades-old technology that is synonymous with network security. They remain a table-stakes infrastructure investment in every organization with a modicum of cybersecurity concern. At the same time, firewall management practices are straight from the Wild West in many, many organizations.

Time and time again, I have encountered organizations, even enterprise environments, that have no semblance of configuration standards, porous rule sets, and unenabled features. In many of these organizations, each firewall configuration looks like a complete one-off. In the rush to next-gen devices, many implementation efforts were declared complete immediately after performing a like-for-like migration of outdated Cisco Adaptive Security Appliance policies.

What does this have to do with monitoring? Everything.

Firewalls are just one example of monitoring telemetry. When telemetry is not implemented correctly, consistently, and completely, your monitoring effort will have visibility gaps. When these gaps are the result of inconsistent implementations, they may go undetected for some time, all the while leaving you with a false sense of security. Your telemetry (all that security technology you’ve invested in), where it’s placed, how it’s configured, and how it’s managed is critical to your monitoring program success.  

Conclusion
People, process, technology: We all know how important these are, yet we often lose sight of that fact. Hopefully, these insights help you to maintain the balanced view required to monitor your environment effectively.

Related Content:

• 8 Tips for Monitoring Cloud Security
• 12 Free, Ready-to-Use Security Tools
• 4 Reasons to Take an ‘Inside Out’ View of Security
• In Security, All Logs Are Not Created Equal

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “How the City of Angels Is Tackling Cyber Devilry.”

Aaron Sierra, Sr. Security Architect at Alagen cybersecurity services firm, is a passionate cybersecurity leader and consultant with nearly two decades of developing, leading, and advising diverse security programs. Leveraging this deep experience, Aaron advises security … View Full Bio

Article source: https://www.darkreading.com/risk/common-pitfalls-of-security-monitoring/a/d-id/1335929?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Data breaches don’t always involve cracked passwords and criminal outsiders. American Express is proving this with its notice to certain cardholders that an employee accessed personal information in an attempt to commit fraud.

According to the company, this employee was able to look at information including full name, physical and/or billing address, Social Security number, birth date, and credit card number.

American Express says that the individual, who is no longer employed by the company, is now under criminal investigation. In the notice sent to affected cardholders, American Express offered two years of free credit monitoring through Experian Identity Works.

For more, read here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “How the City of Angels Is Tackling Cyber Devilry.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/american-express-insider-breaches-cardholder-information/d/d-id/1335988?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security researchers have discovered a link between Magecart Group 4 and Cobalt Group, a well-known, financially motivated group in operation since 2015. Findings indicate Group 4 is not only conducting client-side skimming but was, and likely still is, doing the same server-side.

Magecart is an umbrella term for at least seven cybercriminal groups responsible for installing skimmers onto e-commerce websites with the goal of lifting payment data. The threat quickly gained notoriety as groups planted skimmers on websites including British Airways and Ticketmaster.

Researchers across cybersecurity have been ramping up efforts to connect Magecart operators with known attack groups. This initiative started with RiskIQ and Flashpoint’s Inside Magecart research; more recently, IBM publicly connected Group 6 with FIN6. Now researchers with Malwarebytes and security firm HYAS have found patterns linking Group 4 with Cobalt Group.

Group 4 is one of the more advanced groups. Its operators use sophisticated techniques to blend into normal traffic — for example, registering domain names seemingly connected with analytic providers or advertisers. The group also seems to have a history in banking malware, the same area of expertise as Cobalt Group, otherwise known as FIN7 and Carbanak Group.

“We knew that Group 4 was different from other groups based on their skill level,” says Jerome Segura, head of threat intelligence at Malwarebytes. “We knew it was not just an average threat actor that decided one day to do some skimming.”

Given its expertise and track record with banking malware, the researchers’ attention turned to APT groups to find a connection. They reached out to HYAS, which reported it had also linked Magecart to an APT group.

Malwarebytes had been tracking the different Magecart groups and trying to find a trail, Segura continues. Researchers looked for pieces of infrastructure used by Magecart groups, as well as connections between domain registrations and IP locations. They used indicators of compromise, domain registration, and code from TTPs (tactics, techniques, and procedures) to conclude that Cobalt Group may have shifted to Web skimming.

Both the client-side and server-side skimmer domains were registered to a protonmail address that RiskIQ researchers had linked to Group 4. Researchers checked their exfiltration gates and connected these domains to other registrant emails. They noticed the email addresses used to register Magecart domains for Group 4 followed a certain pattern of [firstname] [initial] [lastname] – the same pattern Cobalt Group had recently adopted with protonmail accounts. In addition to the same email service, Cobalt Group was also using the same privacy protection.

“Given the use of privacy services for all the domains in question, it is highly unlikely that this naming convention would be known to any other actor besides those who registered both the Cobalt Group and Magecart infrastructure,” researchers said in a writeup of their findings. What’s more, 10 of the seemingly separate accounts only reused two of the same IP addresses.

Server-Side Skimming
While checking infrastructure related to Group 4, Malwarebytes identified a PHP script they think was mistakenly served as JavaScript. It’s the type of source code you’re not supposed to see unless you have access to the server, and it’s a script that exclusively skims server-side.

“It’s invisible to any scanner or crawler because everything happens on the actual compromised server,” Segura explains. Magecart reports typically focus on browser-side skimmers; server-side skimmers aren’t often covered because many companies don’t have visibility into the back-end servers of compromised websites. “These are much harder to detect,” he points out.

Client-side skimming is easier for attackers to do and for defenders to detect. The malicious JavaScript skimmer usually loads at one of two points: when a shopper heads to checkout or when they transmit their banking details. At either of these points, security software can jump in and stop the malicious script from loading. Most tools can block domain names, IP addresses, or malicious code because the activity is always happening within the browser, Segura explains.

In server-side skimming, there is no JavaScript loaded into the broader; data exfiltration happens entirely in the server. For defenders who want to block malicious activity on a machine, there is nothing to see. If the server has been compromised, it’s already too late.

As far as Web skimming goes, most of the discussion revolves around client-side activity because the skimmers are available for purchase online and are easier to customize. Attackers can track their activities and automate and scale. It’s “fairly easy” to rent a skimmer kit, buy some exploits to compromise sites, and start skimming, which explains the recent increase of newcomers in the space, Segura says. Server-side skimming, in comparison, involves more effort to customize and maintain each skimmer for every e-commerce website targeted, he adds.

Over time, as this activity continues to mature, Segura says he anticipates we’ll see more players and a greater spectrum of sophistication as advanced attackers specialize in areas of expertise. It’s already happening, he says. Some groups are going after high-value targets, foregoing smaller sites in favor of plug-in providers, analytics providers, and other parts of the supply chain.

Related Content:

• Fin7 Cybercrime Gang Rises Again
  
• APT Groups Make Quadruple What They Spend on Attack Tools
  
• Getting to Know Magecart: An Inside Look at 7 Groups
  
• Cybercriminal’s Black Market Pricing Guide

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “How the City of Angels Is Tackling Cyber Devilry.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/researchers-link-magecart-group-4-to-cobalt-group/d/d-id/1335990?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A security researcher this week posted details on a new remotely exploitable vulnerability in WhatsApp that attackers could leverage via a malicious GIF image to steal messages, video, audio, and other content from devices running the app.

The disclosure on GitHub, by a researcher using the handle “Awakened,” is the second critical vulnerability involving WhatsApp in recent months, suggesting that secure messaging apps are not as secure as many users might perceive. In May, Facebook, which owns WhatsApp, warned about an attacker — thought to be a private company working on behalf of a government — exploiting a security flaw on WhatsApp to spy on human right organizations.

In the latest case, the bug impacts WhatsApp for Android versions 2.19.230 and before on devices running Android 8.1 and 9.0 devices. Facebook has acknowledged the issue and patched it in the latest WhatsApp version 2.19.244.

The bug does not exist in WhatsApp itself but rather in an open source library that the application uses to parse media files. The so-called double-free vulnerability (tracked as CVE-2019-11932) stems from how memory is allocated when GIF images are parsed in WhatsApp. A double-free vulnerability involves an app calling the same memory space on a device twice, resulting in a memory leak.

Ashlee Benge, threat researcher at ZeroFox, says one likely exploitation scenario involves an attacker sending a potential victim a malicious GIF file.

If the attacker’s phone number is in the recipient’s contacts — which could happen via social engineering, for instance — the GIF file could be downloaded to the recipient’s device without any kind of user interaction, Benge says. “Then, when the recipient goes to open the WhatsApp Images folder, like if they were sending an image in a message, the exploit will be triggered,” she explains.

If the sender was not a contact, the recipient would have to be tricked into saving the image prior to the exploit being triggered, Benge says.

Not Easy to Exploit
The new vulnerability in WhatsApp is not especially easy to exploit, adds Jonathan Knudsen, senior security strategist at Synopsys. “It’s not like the old Ping of Death or the more recent bug where a malformed message would cause an iPhone to fail,” he says. The WhatsApp  vulnerability requires the attacker already have another toehold on the target’s device. Only then could the attacker be able to deliver a crafted GIF that would take control. An attacker that exploited the flaw would be able to do anything on the device that WhatsApp has permission to access, he says. 

“Successful exploitation of this could trigger the application crashing or, in worst-case scenarios, grant the attacker the ability to execute arbitrary code on a victim’s device,” Benge says. It could allow attackers to access the WhatsApp message database and other sensitive files on the user device.

The most troubling part about the vulnerability is that it exists in a software component that other application developers are likely using as well. So the threat is not confined just to WhatsApp but to any app using the vulnerable open source media library. There’s no telling how many apps use the same library and are similarly vulnerable, Knudsen says.

In a brief statement, a Facebook spokeswoman said the issue was reported to the company and quickly addressed last month. “We have no reason to believe this affected any users, though, of course, we are always working to provide the latest security features to our users.”

Awakened, the security researcher who disclosed the bug, is urging WhatsApp uses to update to the latest version of the messaging apps to stay safe from potential attacks.

“From a user perspective, the most important takeaway is being vigilant about updates,” Knudsen says. “Vulnerabilities happen all the time, so the best a user can do is keep software current so that known vulnerabilities are addressed.”

Related Content:

• Commercial Spyware Uses WhatsApp Flaw to Infect Phones
• WhatsApp Messages Can Be Intercepted, Manipulated
• Weakness in WhatsApp Enables Large-Scale Social Engineering
• Email, Social Media Still Security Nightmares

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “How the City of Angels Is Tackling Cyber Devilry“

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/facebook-patches-critical-whatsapp-security-flaw/d/d-id/1335993?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple