STE WILLIAMS

Ex-Yahoo engineer pleads guilty to hacking 6,000 accounts

A former Yahoo software engineer pleaded guilty in federal court on Monday to being a lech who broke into mostly young women’s Yahoo accounts – 6,000 of them – trying to sniff out salacious photos and videos.

According to the US Attorney’s Office for the Northern District of California, in his guilty plea, Reyes Daniel Ruiz admitted to cracking Yahoo users’ passwords and using his access to internal Yahoo systems to get at accounts, including those of his personal friends and work colleagues.

After he got into his victims’ Yahoo accounts, he’d make copies of their intimate content and stash them at home. He’d also pivot from their Yahoo accounts, branching out to break into and grope through his victims’ iCloud, Facebook, Gmail, Dropbox, and other online accounts for whatever other salacious content he could find.

Yahoo saw what it thought was suspicious behavior. The Department of Justice’s press release didn’t give details of how Ruiz got wind of his former boss’s suspicions – was he confronted? Did a mass email go out, telling employees to keep their paws to themselves? – but prosecutors did say that Ruiz admitted that after Yahoo got wind of his unsavory forays, he demolished the computer and hard drive that he was using to store the ripped-off imagery.

Ruiz, 34, of Tracy, California, was indicted by a federal grand jury on 4 April 2019. He was charged with one count of computer intrusion and one count of interception of a wire communication, but under the plea agreement, he just pled guilty to the computer intrusion charge.

Ruiz is now out on a $200K bond. He’s looking at a maximum sentence of five years in prison and a fine of $250,000 plus restitution, though maximum sentences are rarely handed out. He’s scheduled to be sentenced on 3 February 2020.

Just for comparison’s sake, we can look to how much prison time the celebrity e-muggers have received as payback for prying open the iCloud and Gmail accounts of Hollywood glitterati in the Celebgate mini-series – when primary scumbags preyed on celebrities and non-celebrities alike to steal their nudes, and secondary scumbags had a field day sharing the material online.

There’s Edward Majerczyk, for one: he was sentenced to nine months in federal prison in January 2017 for hacking into more than 300 iCloud and Gmail accounts. He phished his way into their intimate photos: he crafted an elaborate phishing scam in which he sent messages doctored to look like security notices from ISPs.

Then too, there’s Ryan Collins, who was sentenced to 18 months in jail in October 2016. He used the same shtick as Majerczyk: he sent phishing emails spoofed to look like they came from Apple or Google that asked victims for account credentials.

Hmm, looks like they should both be out of jail by now. Let’s hope that they’ve learned their lesson, and, preferably, that they don’t get hired as software engineers anywhere. We don’t need to write any more stories about IT employees from hell, thank you very much.

Insider threats are real, whether we’re talking about cluelessness, avarice, malice, or lechery, as in this case and similar ones at, say, the National Security Agency (NSA) or the Minnesota police department.

How to protect against insider threats

Details are scant. We don’t know how long Ruiz was romping around with the special access afforded to a Yahoo insider, but at least at some point, Yahoo got wind of what he was doing. May all employers be on the lookout for this kind of abuse.

For help in figuring out exactly how to do that, and to help organizations defend against insiders wreaking havoc, the CERT Insider Threat Center at Carnegie Mellon University has published the Common Sense Guide to Mitigating Insider Threats.

There’s a lot involved, and this guide is regularly updated to stay on top of it all, including everything from the basics of instituting stringent access controls and monitoring policies on privileged users, to incorporating insider threat awareness into ongoing security training, to staying vigilant with regards to what employees are posting to social media.
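One concrete form of the “monitoring policies on privileged users” that the guide calls for is to review the audit trail of whatever internal tool lets staff open customer accounts, which is presumably the kind of signal Yahoo picked up on. The following is an added example, not code from the article, CERT or Yahoo: it runs over constructed audit-log lines from a hypothetical account-admin tool and flags an employee who opens far more distinct accounts in a day than peers do, or who opens a colleague’s mailbox. The log format, the staff directory and the thresholds are all assumptions.

```python
"""Flag internal-tool account access that looks like browsing rather than support work.

Added example (not from the article or from Yahoo): it parses constructed audit-log
lines from a hypothetical internal account-admin tool and flags any employee who, in one
day, opens far more distinct customer accounts than their peers, or who opens accounts
belonging to fellow employees. Log format, thresholds and names are all assumptions.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log: "<timestamp> <employee> <action> <target_account>"
SAMPLE_LOG = """\
2019-03-04T09:01:10Z alice view mail:cust-1001
2019-03-04T09:05:42Z alice view mail:cust-1002
2019-03-04T09:40:00Z bob view mail:cust-2001
2019-03-04T10:00:00Z bob view mail:cust-2001
2019-03-04T10:02:00Z carol view mail:cust-3001
2019-03-04T10:02:30Z carol view mail:cust-3002
2019-03-04T10:03:00Z carol view mail:cust-3003
2019-03-04T10:03:30Z carol view mail:cust-3004
2019-03-04T10:04:00Z carol view mail:cust-3005
2019-03-04T10:04:30Z carol view mail:cust-3006
2019-03-04T10:05:00Z carol view mail:cust-3007
2019-03-04T10:05:30Z carol view mail:bob
2019-03-04T11:00:00Z dave view mail:cust-4001
"""

# Assumed directory of staff mailboxes; in practice this comes from HR/IdM.
EMPLOYEE_ACCOUNTS = {"alice", "bob", "carol", "dave"}


def parse_log(text):
    """Yield (day, employee, target_account) tuples from the audit log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, who, _action, target = line.split()
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        yield day, who, target.split(":", 1)[1]


def find_suspicious_access(text, min_peers=3, sigma=2.0):
    """Return {employee: [reasons]} for anyone whose access pattern stands out."""
    distinct = defaultdict(set)       # (day, employee) -> accounts opened that day
    colleague_hits = defaultdict(set)  # employee -> colleagues' mailboxes opened
    for day, who, target in parse_log(text):
        distinct[(day, who)].add(target)
        if target in EMPLOYEE_ACCOUNTS and target != who:
            colleague_hits[who].add(target)

    flagged = defaultdict(list)
    for who, targets in colleague_hits.items():
        flagged[who].append("opened colleague mailbox(es): %s" % ", ".join(sorted(targets)))

    # Volume baseline: compare each employee's distinct-account count with peers that day.
    by_day = defaultdict(dict)
    for (day, who), accounts in distinct.items():
        by_day[day][who] = len(accounts)
    for day, counts in by_day.items():
        if len(counts) < min_peers:
            continue  # too few people active to build a baseline (assumption)
        for who, n in counts.items():
            peers = [c for w, c in counts.items() if w != who]
            mean = statistics.mean(peers)
            stdev = statistics.pstdev(peers) or 1.0
            if n > mean + sigma * stdev:
                flagged[who].append("%s: %d distinct accounts vs peer mean %.1f" % (day, n, mean))
    return dict(flagged)


if __name__ == "__main__":
    for employee, reasons in find_suspicious_access(SAMPLE_LOG).items():
        print(employee, "->", "; ".join(reasons))
```

The peer baseline is deliberately crude; a real deployment would baseline per role and per week, and would feed findings to a reviewer rather than act on them automatically. The colleague-mailbox rule is the simpler and sharper of the two checks, and in the case above it is the one that matches what Ruiz admitted to.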

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/aH0yMJKQHEU/

218 million Words With Friends players lose data to hackers

On 12 September, Zynga released a low-key statement saying that it had been beset by an “unfortunate reality” of doing business today: PR-speak for a data breach.

Zynga – maker of addictive (and crook-tempting) online social games such as FarmVille, Mafia Wars, Café World and Zynga Poker – said at the time that it had immediately launched an investigation. The early good news: it didn’t look like any financial information had been ripped off from players of the targeted games, Words With Friends and Draw Something.

Well, that unfortunate reality has now become a lot more unfortunate: it’s 218 million account passwords worth of misfortune to the Words With Friends players whose accounts were allegedly breached.

On Sunday, The Hacker News reported that it had been in touch with the threat actor known as GnosticPlayers, who claims to be responsible for the Zynga breach.

Another GnosticPlayers feeding frenzy

He/she/they have been in the headlines for gargantuan breaches this year: in March 2019, the hacker(s) put up 26 million records for sale, stolen from six online companies. As we reported then, the first of what would turn out to be four data caches had gone up for sale in early February, when GnosticPlayers tried to sell a database of 617 million records pilfered from 16 companies for $20,000.

Days later, GnosticPlayers added 127 million records stolen from eight websites, before adding a third round on 17 February comprising another 93 million from another eight sites.

Then, in May 2019, GnosticPlayers struck again, claiming to have gotten away with data for roughly 139 million users of Canva, an online design tool.

Names, emails, passwords and more

This time, the repeat offender told The Hacker News that they’d breached Words With Friends, Zynga’s popular multiplayer crossword-style game, and gotten access to details on more than 218 million users.

GnosticPlayers said that they got at the details of all Android and iOS game players who installed and signed up for the game on and before 2 September 2019. This is the stolen data that The Hacker News found in the sample GnosticPlayers sent over:

  • Names
  • Email addresses
  • Login IDs
  • Hashed passwords, SHA1 with salt
  • Password reset token (if ever requested)
  • Phone numbers (if provided)
  • Facebook ID (if connected)
  • Zynga account ID

We don’t know exactly what “SHA1 with salt” means, but we do know that it isn’t bcrypt, scrypt, PBKDF2 or any other recognised password hashing function you’d hope and expect to have been used. A salt stops one precomputed table from being reused across users, but a single SHA-1 is so cheap that an attacker holding the dump can still try billions of guesses per second against each account on commodity GPUs.
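To make concrete why “SHA1 with salt” is the wrong tool, here is an added example; it is not Zynga’s code, and since Zynga has not said how its hashes were built, the salt||password layout below is an assumption. It cracks a constructed dump with a tiny wordlist, shows that the salt does not slow the attacker down, and contrasts the per-guess cost with PBKDF2 from the Python standard library.

```python
"""Why 'SHA1 with salt' is not a password hash: an added example, not Zynga's code.

Zynga has not published how it stored passwords; the storage format below (hex salt,
hex SHA-1 of salt||password) is an assumption used to show what an attacker can do
with such a dump and why a slow, iterated function such as PBKDF2 changes the economics.
"""
import hashlib
import hmac
import os
import time

# Constructed wordlist; a real attacker uses hundreds of millions of leaked passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "wordswithfriends", "dragon", "monkey"]


def salted_sha1(password, salt):
    """Weak scheme: one fast SHA-1 over salt||password (assumed layout)."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def crack_salted_sha1(records, wordlist):
    """Offline guessing against a list of (user, salt_hex, hash_hex) records.

    The salt stops one guess from being reused across users, but each guess still
    costs a single SHA-1, so every user gets the whole wordlist thrown at them."""
    cracked = {}
    for user, salt_hex, digest in records:
        salt = bytes.fromhex(salt_hex)
        for guess in wordlist:
            if hmac.compare_digest(salted_sha1(guess, salt), digest):
                cracked[user] = guess
                break
    return cracked


PBKDF2_ITERATIONS = 600_000  # assumption; pick the largest value your login latency allows


def pbkdf2_hash(password, salt, iterations=PBKDF2_ITERATIONS):
    """Proper scheme: iterated, salted, from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def pbkdf2_verify(password, salt, iterations, stored):
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)


def cost_ratio(sample_password="correct horse", iterations=PBKDF2_ITERATIONS):
    """Rough measurement: how many salted-SHA-1 guesses fit in the time of one PBKDF2 guess."""
    salt = os.urandom(16)
    n = 20_000
    t0 = time.perf_counter()
    for _ in range(n):
        salted_sha1(sample_password, salt)
    sha1_per_sec = n / (time.perf_counter() - t0)
    t0 = time.perf_counter()
    pbkdf2_hash(sample_password, salt, iterations)
    pbkdf2_sec = time.perf_counter() - t0
    return sha1_per_sec * pbkdf2_sec


def build_sample_dump():
    """Constructed 'breach dump' in the assumed format; the third user has a strong password."""
    dump = []
    for user, pw in [("ann", "letmein"), ("ben", "wordswithfriends"), ("cy", "Tr0ub4dor&3")]:
        salt = os.urandom(8)
        dump.append((user, salt.hex(), salted_sha1(pw, salt)))
    return dump


if __name__ == "__main__":
    print("cracked:", crack_salted_sha1(build_sample_dump(), WORDLIST))
    print("SHA-1 guesses per PBKDF2 guess (pure Python, single core): %.0f" % cost_ratio())
```

The measured ratio is from interpreted Python on one core, so it understates the gap a GPU cracking rig achieves against fast hashes; the point it does make is that the defender chooses the iteration count, and the attacker pays it on every guess for every user.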

At any rate, GnosticPlayers also claimed to have drained data from other Zynga-developed games, including Draw Something and the discontinued OMGPOP game, which allegedly exposed clear text passwords for more than 7 million users.

Zynga’s initial breach announcement from 12 September said that it had immediately launched an investigation when it found out about the breach, contacting law enforcement and calling on the help of “leading third-party forensics firms”.

Zynga also said that it had “taken steps to protect these users’ accounts from invalid logins” and that “We plan to notify players as the investigation proceeds further.” Zynga declined to comment on GnosticPlayers’ claims and says it doesn’t have any update on its investigation beyond its 12 September statement.

What to do?

Given Zynga’s mellow first breach announcement, it wouldn’t be very surprising if a good number of players didn’t change their password after being notified about it.

We don’t know if all of GnosticPlayers’ claims are spot-on, but at the very least, they’re a good reason to change your password if you haven’t already. Make it beefy, and whatever you do, make it unique. If you’ve used the same password on other sites or services, change it on those, too, lest GnosticPlayers gets it into their massive maw and adds it to the ever-expanding cache of details they’ve been peddling on the darkweb.

Here are some tips on how to choose decent passwords.

Naked Security also has a video on how to pick a proper password.


And if a website gives you the option to turn on two-factor authentication (2FA or MFA), do that too. Naked Security has a podcast episode that explains 2FA in more detail, if you’d like to learn more.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5iXJ4_o_gJ4/

O.MG! Evil Lightning cable about to hit mass distribution

Remember the O.MG cable? Back in February, we covered its early development: A project by self-taught electronics hacker _MG_, it’s a malicious Lightning cable that looks just like the regular overpriced piece of wire that connects your iPhone to a computer.

Embedded in it is a tiny Wi-Fi transceiver that can operate as an access point or a wireless client. When the victim plugs it into their computer, an attacker within radio distance can connect to the cable with a mobile app and use it to manipulate the computer.

An attacker can reach the O.MG cable from 300 feet away using Wi-Fi from a regular phone, but a suitable booster antenna connected to your computer or phone could enable a connection from even further away.

@_MG_ has been steadily working on it along with a team of fellow hackers, and says that he spent over $4,000 on what is effectively a “negative profit project”. He spent months hand-milling the tiny integrated circuit boards and then painstakingly putting them inside the ends of Apple Lightning cables. He gave these prototypes away at DEF CON in August 2019. Now, having perfected the performance of the cable and created a design suitable for manufacturing, he is preparing to sell them through the penetration-testing hardware vendor Hak5.

The project has come a long way, with some extensive work on the kinds of payload it can deliver.

Intercepting lock screen passwords

One of the most interesting is LockScream, a Mac-focused attack that intercepts the user’s lock screen password. The attacker sends the user a conventional text message to distract them from their Mac for a moment, and then quickly sends the LockScream payload. This runs in a small terminal window, password-locking their screen. When they look up from their phone and enter their password to unlock their Mac, LockScream sends the password back to the attacker’s phone. From there, the attacker can send a second-stage payload that unlocks the machine when the user is away. That would be handy if they left their machine on, but locked, while visiting the coffee shop restroom, for example.

The O.MG app brings up a menu with a selection of different payloads, including opening a Terminal on the user’s machine. Another payload allows the attacker to kill the O.MG cable’s functionality remotely, perhaps to cover their tracks after an attack. Other goodies in the O.MG cable include the ability to reflash the computer, and to chain payloads together.

Custom payloads

There is also an editor and parser for DuckyScript, the scripting language used by Hak5’s Rubber Ducky, a USB device that presents itself to the computer as a keyboard and carries out keystroke-injection attacks. That alone opens up a wide array of custom payloads for the O.MG cable. There also appear to be attack payloads for Windows and Ubuntu systems.
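As an added example, not O.MG, Hak5 or Rubber Ducky code, the following parses a constructed DuckyScript-style payload into timed key events and then applies the timing heuristic that some keystroke-injection defences use: a script types at a rate no human sustains. The subset of commands handled, the 40 ms “human floor”, the ten-keystroke trigger and the payload itself are assumptions.

```python
"""Parse a DuckyScript-style keystroke-injection payload into timed HID key events.

Added example, not O.MG, Hak5 or Rubber Ducky code. It handles the common DuckyScript
commands (REM, DELAY, DEFAULT_DELAY, STRING, REPEAT and bare key names such as ENTER
or GUI SPACE) and then estimates the effective typing rate. Injected keystrokes arrive
far faster than a human types, which is the heuristic some anti-keystroke-injection
tools rely on; the 40 ms 'human floor' and the payload below are assumptions.
"""

SAMPLE_PAYLOAD = """\
REM constructed demo payload: open a terminal on macOS and run a command
DEFAULT_DELAY 10
GUI SPACE
DELAY 500
STRING terminal
ENTER
DELAY 1000
STRING echo injected
ENTER
REPEAT 2
"""

HUMAN_MIN_INTERVAL_MS = 40   # assumption: sustained typing below this is not human
SUSPICIOUS_FAST_KEYS = 10    # assumption: this many sub-human-interval keys trips the alarm


def parse_duckyscript(script, default_delay_ms=0):
    """Return a list of (key, wait_before_press_ms) events.

    STRING expands to one event per character; DELAY adds to the wait before the next
    key; REPEAT n replays the last key-producing line n times."""
    events = []
    previous = []   # events produced by the last STRING/key line
    pending = 0     # accumulated DELAY not yet attached to a key
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd in ("DEFAULT_DELAY", "DEFAULTDELAY"):
            default_delay_ms = int(arg)
            continue
        if cmd == "DELAY":
            pending += int(arg)
            continue
        if cmd == "REPEAT":
            produced = previous * int(arg)
        elif cmd == "STRING":
            produced = [(ch, default_delay_ms) for ch in arg]
        else:
            produced = [(line, default_delay_ms)]   # e.g. "ENTER" or the chord "GUI SPACE"
        if produced and pending:
            key, wait = produced[0]
            produced[0] = (key, wait + pending)
            pending = 0
        events.extend(produced)
        if cmd != "REPEAT":
            previous = produced
    return events


def typing_analysis(events, human_min_ms=HUMAN_MIN_INTERVAL_MS):
    """Summarise keystroke timing and flag bursts faster than a human can type."""
    waits = [wait for _key, wait in events]
    total_ms = sum(waits)
    fast = sum(1 for w in waits if w < human_min_ms)
    return {
        "keystrokes": len(waits),
        "total_ms": total_ms,
        "fast_keystrokes": fast,
        "keys_per_sec": len(waits) * 1000.0 / total_ms if total_ms else float("inf"),
        "suspicious": fast >= SUSPICIOUS_FAST_KEYS,
    }


if __name__ == "__main__":
    ev = parse_duckyscript(SAMPLE_PAYLOAD)
    print(typing_analysis(ev))
```

The same timing view is what a host-side defence sees from the keyboard event stream, which is why such tools can catch an injected payload even though the operating system regards the cable as an ordinary keyboard. Attackers know this too, which is why payload authors pad STRING commands with delays; the trade-off is a slower, more conspicuous attack.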

When the project’s demo video was released in April 2019, MG and the team of hackers working on the embedded cable were also developing extra functions such as detecting user activity/inactivity. According to the Hak5 listing, they also appear to have cracked another key problem: USB enumeration.

When you plug in a USB device, your computer normally tries to detect it and install drivers, which can involve displaying a window. If a victim plugged in the cable without a device connected to it, that would alert them that something was amiss. However, Hak5 says that O.MG features no USB enumeration until payload execution, suggesting that the design team has achieved true stealth mode.

When it becomes available, the cable will target red teams, the site blurb says. These are legitimate penetration testing teams sanctioned to carry out offensive security testing. Of course, there’s nothing to stop your average black hat buying them, which raises a pertinent question: How can you stop yourself falling victim to an attack using one of these cables?

What to do?

  • Beware offers for cables that seem too good to be true.
  • Don’t leave your bag or computer unattended in public places.
  • Keep your cables safe, and mark them somehow for extra-easy identification.
  • Exercise caution when using other people’s cables and chargers.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/P7a9UkBNKp0/

Exim suffers another ‘critical’ remote code execution flaw

Remember the critical remote code execution (RCE) vulnerability in the Exim email server, CVE-2019-15846, from mid-September?

Barely two weeks later, and the software’s maintainers have issued an advisory for another potentially troublesome bug, identified as CVE-2019-16928, which has been given the same critical rating.

Affecting Exim versions 4.92 through 4.92.2 inclusive, this one’s described as:

A heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses an extraordinary long EHLO string to crash the Exim process that is receiving the message.

The “currently known exploit” refers to a proof of concept created by QAX A-Team, which first reported the flaw.

This could lead to at least a denial of service crash in the software but also, more worryingly, the possibility of remote code execution.

The flaw isn’t being targeted in the wild yet, but the crash at least looks easy to trigger, so that may only be a matter of time. Turning a heap overflow into reliable code execution is a separate piece of work, which is why the advisory speaks of a crash rather than a working RCE exploit.

It’s not as if there aren’t plenty of Exim mail transfer agents to aim at – Shodan estimates the number running vulnerable versions to be around the 3.5 million mark, just over half the email servers on the internet.

Fixing the bug was simple enough, wrote Exim developer, Jeremy Harris:

It’s a simple coding error, not growing a string by enough.  One-line fix.

However, there are no mitigations for the bug, so it’s a case of applying the patched version 4.92.3 as soon as possible (exim -bV prints the installed version if you need to check).

Keeping up

Exim’s been in the wars recently. In addition to this week’s CVE-2019-16928 and last month’s CVE-2019-15846, July saw another RCE in the form of CVE-2019-13917, which arrived only weeks after CVE-2019-10149, a flaw leading to remote command execution.

All unpatched flaws matter but given the history of attackers targeting Exim, perhaps these matter more than most – attacks targeting CVE-2019-10149 were detected within a week of the flaw becoming public knowledge, for instance.

Earlier this year, Exim admins were prompted to hurry up and patch CVE-2018-6789, a flaw from February that at least half a million servers hadn’t patched weeks later.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MxuCX_Qs0nA/

Have you been Thomas Crooked? Watch out for cybercrims slinging holiday-themed fakes

Thomas Cook’s former breach detection contractor has warned of a sharp spike in scammers setting up fake websites to lure ex-staff and customers alike.

Digital risk biz Skurio said it has spotted “a flurry of web domain registration activity” focused on Thomas Cook-themed domain names. These appear to have been set up by scammers looking to make a quick buck out of the desperate, stranded and newly unemployed alike.

The world’s oldest travel agent, which also had its own airline, collapsed into liquidation at the end of September, taking 9,000 jobs with it. The Civil Aviation Authority is in the midst of a two-week rescue operation using chartered airliners to bring holidaymakers back home, with 44 flights ferrying passengers just today.

Thomas Cook had hired Skurio to keep an eye out for any data breach evidence that popped up on cybercriminals’ known online hangouts. Its service “looks for domains set up with subtle spelling errors or additional terms a customer might expect to see,” said the infosec firm, “in order to send phishing emails, create fake social media accounts or capture customer details online.”

Since Thomas Cook’s liquidation announcement on 23 September, Skurio said it had detected 53 new domains with names relating to Thomas Cook in just seven days. While acknowledging that “some of these have been registered with good intentions and for legitimate purposes”, it also said – unsurprisingly – that a “significant number” had been set up “in order to exploit ex-employees and customers of Thomas Cook, particularly those seeking advice or compensation.”

“Customers should visit the dedicated CAA site https://thomascook.caa.co.uk/ for information about compensation claims,” advised Skurio.

Scammers have long targeted popular events in order to catch a few gullible marks. Chinese students were recently targeted by a visa scam that used a fake police website. Every year there’s a flurry of tax-related scams around the end of the tax year, with phishing site operators setting up fake tax return websites to hook the time-crunched and desperate.

Infosec biz Palo Alto Networks goes as far as to advise corporate sysadmins to simply block access to any domain less than a month old. Perhaps that’s sound advice, though it is a blunt instrument: legitimate new sites trip the same rule, so many organisations alert on or sandbox traffic to newly registered domains rather than blocking it outright.
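The kind of lookalike detection Skurio describes, plus Palo Alto Networks’ age rule, is straightforward to prototype. The following is an added example, not Skurio’s or Palo Alto Networks’ code: it flags domains within two edits of the brand or that bolt a bait term onto it, and separately flags anything registered in the last 30 days. The registration list, the dates, the bait-term list and the label-extraction rule are constructed assumptions.

```python
"""Spot brand-abuse domains of the kind Skurio describes, and apply the newly-registered rule.

Added example, not Skurio's or Palo Alto Networks' code. It takes a constructed list of
(domain, registration date) pairs, flags names that are within a couple of edits of the
brand or that append a bait term such as 'refunds' to it, and separately flags anything
registered within the last 30 days. The domain list, dates and bait terms are made up.
"""
from datetime import date, timedelta

BRAND = "thomascook"
BAIT_TERMS = ("refund", "refunds", "claim", "claims", "compensation", "help", "support", "jobs")
MAX_EDITS = 2
DEFAULT_TODAY = date(2019, 10, 2)  # constructed 'now' for the sample below

# Constructed sample of registrations seen after the 23 September 2019 collapse.
SAMPLE_REGISTRATIONS = [
    ("thomascook.com", date(1996, 5, 1)),
    ("thomascook.caa.co.uk", date(2019, 9, 20)),
    ("thomascookrefunds.com", date(2019, 9, 24)),
    ("thomas-cook-claims.co.uk", date(2019, 9, 25)),
    ("thomascok.com", date(2019, 9, 26)),
    ("tomascook.net", date(2019, 9, 27)),
    ("thomasandcooks.co.uk", date(2019, 6, 1)),
    ("example.org", date(2012, 1, 1)),
]


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Crude second-level label extraction; good enough for .com and .co.uk here (assumption)."""
    parts = domain.lower().split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "org", "ac", "gov"):
        return parts[-3]
    return parts[-2]


def classify(domain, brand=BRAND, allowlist=("thomascook.com", "thomascook.caa.co.uk")):
    """Return a list of reasons a domain looks like brand abuse (empty list = no finding)."""
    if domain.lower() in allowlist:
        return []
    label = registrable_label(domain).replace("-", "")
    reasons = []
    if label != brand and edit_distance(label, brand) <= MAX_EDITS:
        reasons.append("lookalike: %d edit(s) from %s" % (edit_distance(label, brand), brand))
    if brand in label and label != brand:
        extra = label.replace(brand, "", 1)
        if any(term in extra for term in BAIT_TERMS):
            reasons.append("brand + bait term: %s" % extra)
        else:
            reasons.append("brand with extra text: %s" % extra)
    return reasons


def newly_registered(registered, today, max_age_days=30):
    """Palo Alto Networks' rule of thumb: anything under a month old is suspect."""
    return (today - registered) < timedelta(days=max_age_days)


def triage(registrations, today=DEFAULT_TODAY):
    """Combine both checks; returns {domain: [reasons]} for anything with a finding."""
    findings = {}
    for domain, registered in registrations:
        reasons = classify(domain)
        if newly_registered(registered, today):
            reasons.append("registered %s (< 30 days old)" % registered.isoformat())
        if reasons:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_REGISTRATIONS).items():
        print(domain, "->", "; ".join(reasons))
```

Note what the age rule does to the constructed CAA claims site: it is allowlisted for the lookalike check but still gets flagged as newly registered, which is exactly the false positive a block-everything-new policy produces. Real deployments also need a proper public-suffix list rather than the hard-coded rule above, and feed the output to an analyst or a takedown process rather than an auto-blocker.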


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/02/thomas_cook_scam/

If you really can’t let go of Windows 7, Microsoft will keep things secure for another three years

Recognising that not everyone has climbed aboard the Windows 10 train, Microsoft has thrown a Windows 7 Extended Support lifeline to more businesses… for a price.

Microsoft 365 veep Jared Spataro had already cut laggardly enterprises some slack in September last year, and the kindly software giant has now extended its largesse to businesses not using Windows 7 Pro and Enterprise in volume licensing.

The Extended Security Update (ESU) licences will be sold on a per-device basis from 1 December 2019, giving those businesses just over a month to sort things out before free extended support ends on 14 January 2020. Those who cannot bear the thought of being parted from their Windows 7 installations can keep the lights on until January 2023.

The cost will increase per year, because Microsoft really wants those users to make the move.

The support can be purchased through Microsoft’s network of Cloud Service Providers (CSPs) although, according to one we spoke to, the price has yet to be published for the UK.

It would seem perverse if it were not close to the price paid by enterprises. So expect the first year to hover around the £42 mark in order to keep those fixes flowing (less if on software assurance).

Either sniffing an opportunity or admitting defeat, Microsoft has been quietly finding ways to extend support for users reluctant to migrate from perfectly functional systems.

Alas, there appears to be no reprieve for consumers happy with their elderly Windows 7 installations. We’ve asked Microsoft for clarification and will update if there is a response. In the meantime, it may finally be time to take a deep breath and buy that new PC with Windows 10.

Businesses delighted to put off Windows 10 day should also be aware that these are security updates. That money won’t secure regular updates or fixes – just security. In addition, it is worth keeping in mind that that other stalwart, Office 2010, will also drop out of support on 13 October 2020 – unless Microsoft blinks.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/02/windows_7_extended_security/

ReliaQuest Acquires Threatcare

Attack simulation tool will be integrated into ReliaQuest’s GreyMatter platform.

Security management platform vendor ReliaQuest today announced that it has purchased Austin, Texas-based attack simulation firm Threatcare. ReliaQuest plans to add Threatcare’s technology to its GreyMatter security platform for security operation centers (SOCs) and security teams.

Threatcare founder and CEO Marcus Carey will join the office of the chief technology officer at ReliaQuest, and all of Threatcare’s team members will become part of Tampa, Florida-based ReliaQuest. Financial details of the deal were not disclosed.

GreyMatter integrates security data from security information and event management (SIEM) systems, endpoint detection and response (EDR) tools, firewalls, threat intelligence feeds, and other security tools, and includes analysis functions and automation. Threatcare’s technology, which will become a new feature on the platform, simulates how a specific threat or attack would play out against an organization’s network in order to determine whether its security tools and settings actually thwart it.

Brian Murphy, CEO and founder of ReliaQuest, says that adding Threatcare’s function to the platform will enhance the “quality and efficacy” of organizations’ automated detection and response operations. “There’s something really valuable about taking rules, alerts, and dashboards and correlating them” and then adding the ability to regularly test security controls, he says.

Threatcare’s Carey says the goal is to create an attack simulation when a new threat emerges: “Then push that content to GreyMatter to the security team, and automatically test it on the fly,” he says.

ReliaQuest, which is privately held, to date has some 200 large enterprise customers from the Fortune 1000, according to Murphy.



Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/reliaquest-acquires-threatcare/d/d-id/1335950?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Inestimable Values of an Attacker’s Mindset & Alex Trebek

Akamai security architect Marc Pardee tells the story of cutting his security teeth as an NSA intern and why all cybersecurity professionals can benefit from learning how to break things.


Marc Pardee has very strong opinions about who should succeed Alex Trebek as host of Jeopardy! His position on Major League Baseball’s use of instant replay is also clear. (Kill it.) And he is positively certain that learning to attack computer systems makes one better at defending them.

Now a cloud security architect at Akamai, where he works as a technical security presales expert, Pardee began his career 10 years ago like many of us do: as an intern.

An intern for the NSA.

That NSA internship led to a second NSA internship, which turned into a full-time job as a cyber exploitation analyst for the National Security Agency, “which was really interesting,” says Pardee, “because all through undergrad I didn’t study anything on cybersecurity.”

For three years, Pardee performed network analysis to include target characterization, exploitation usage, documentation, and exploit planning to help the intelligence agency extract insights from targets. Yet he’d begun as an electrical engineering major, with dreams of working on mobile communications, and was initially hired by NSA to work on power distribution logistics.

Pardee didn’t have any training on cyberattacks or defense. What he did have was a strong set of critical thinking, logic, and problem-solving skills – a highly translatable skillset that was further honed by his NSA work. The agency trained him on the rest.

“Looking back on it, I got a lot of interesting classes and experiences there to learn about security from the other side first. Everything was taught through an attacker’s lens,” he says. “Now, as I’ve continued my career, I see how valuable that is.”

Many IT professionals, he explains, will begin their careers learning about the right way to do things. They’ll be trained in best practices and provided checklists for writing good applications and building strong networks. Conversely, Pardee admits he didn’t learn the “right” way to do things until later in his career; his first lessons were “what happens when I push the ‘wrong’ button.” And that, in his opinion, has been beneficial.

“I don’t think there’s really a better way to understand how something works than breaking it,” Pardee says. A team with professionals who “have certain skills breaking certain systems and networks will translate naturally into having a stronger understanding of how to set up and design those things — and prevent someone like them from breaking back in.”


“Regardless of your position,” he says, “whether you’re an analyst or sales or whatever it might be, you have this insight that can contextualize the decisions that are being made or the traffic you’re seeing. Is that noise or is that an attack? If you have that background [in offensive cybersecurity], you can help stakeholders understand the threat landscape they’re facing.”

That same rule applies to Pardee in his current position helping companies solve cloud security challenges — challenges they know they have but don’t fully understand. He gives himself “the mom test” when presenting complex security concepts.

“How would I explain this to my mom so she doesn’t get phished by somebody or have ransomware take over her computer? Similarly, when I have customers I’m dealing with on the cloud platform, how do we help them keep people like my mom … from being targets of these credential abuse or account takeover attacks?”

Some employers may still shy away from hiring security professionals with “scary” backgrounds as “hackers,” concerned that they might one day become a malicious insider threat. Yet Pardee notes that credentials like the Offensive Security Certified Professional and Certified Ethical Hacker may help employers find talent they can trust.

“There are organizations, including the government, that struggle today to hire any kind of talent because of things they perceive to be as those kinds of risk, but they still go through with it,” he says, “because what is the saying? It takes a fox to guard the hen house.”

FAVORITE TECH OF ALL TIME: The Samsung Alias2 flip phone, equipped with a full QWERTY keyboard, e-Ink screen, and a dual-hinge design so you can view the screen in portrait or landscape. He still has his. “If flip phones are ever a fad again, I’ll be ready.”

FAVORITE TECH NOW:  Smart doorbell. “That thing tickles me to no end.”

HOW ‘SMART’ IS YOUR HOME: “I get the [privacy and security] concerns, I understand them. … But when I’m bored working from home I can always just talk to the [Google Home] speaker, pretend that the FBI is listening on the other end, and share how my day is going with somebody. … There are legitimate concerns, but I guess I’m going to ignore them to my eventual demise.”

WHEN NOT WORKING, YOU … : “What I would like to be doing is anything in the mountains. Hiking. Skiing. Professionally speaking, I’d love to be spending more time setting up labs and poking around vulnerable machines.” (However, grinding toward a graduate degree in information systems is largely preventing those pursuits.)

SECRET FANBOI OF: Ken Jennings, the author and computer scientist who famously won 74 consecutive games of Jeopardy. “I’ve always been a big kinda trivia nerd. So I think I was just caught up in the swell of what he did on the show. And he seemed very affable. And he’s continued. He writes books — his sense of humor hits me to my core.”

SO THEN THE NEXT JEOPARDY HOST SHOULD BE: “Ken has to get the job. If he doesn’t, we might as well just cancel the whole thing. Although, if Alex Trebek, who does not know me, called me up and said, ‘Hey, you’ve got the skills and the right stuff for the job, we love what you do in security, love this interview you gave to Dark Reading, please please come here, we think you’ve got what it takes,’ then, yeah, absolutely. That’s a dream job.”  

IF YOU COULD CHANGE ONE THING ABOUT ANYTHING: Pardee would instill and teach more deep critical-thinking skills. “I think some of the biggest frustrations we see in the industry, the world at large, [are that] folks cling to an answer that sounds good or fits with whatever your preconceptions are, without ever really thinking it out or challenging it. We would be in a better place if everyone stopped and scrutinized their problems a little more deeply.”


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/edge/theedge/the-inestimable-values-of-an-attackers-mindset-and-alex-trebek/b/d-id/1335952?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Controlling Data Leakage in Cloud Test-Dev Environments

The focus on digital transformation and compressing development release cycles is appealing, but that means security can be left behind. How should security practitioners address this challenge?

Enterprises are increasingly using the cloud for their test and development spin-ups, to make development instances quickly available for their application development teams. This process empowers organizations to assume a faster release cycle, use DevOps, and enjoy the nimbleness and flexibility of the cloud. But it also introduces increased security and privacy risks when developers migrate sensitive data, in the clear, into the cloud.

A basic cloud migration flow to support this development model involves a source database of production data and a non-production or development target database that developers can build and test their applications against. There are tools, such as the database migration services offered by Amazon Web Services (AWS) and Azure, to help move large data sets. But using clones of production data creates a replica of sensitive information, in the clear, in a cloud database that may violate security and compliance policies and may not receive the level of protection a production environment typically gets.

The downstream effect is that a non-production deployment without protection may be left running, and as a result, an attacker or Internet scanner may uncover cleartext records. Over the past few years, there have been several instances of open or non-production environments having their data exposed.

The Security Challenges of This New Reality
In a cloud migration, developers as well as database administrators can access all of your data, in the clear, even if you are using an at-rest encryption solution or tablespace/transparent data encryption to protect that data.

Furthermore, several recent data exposures have been linked to unattended or misconfigured cloud deployments. Last year’s Starwood/Marriott breach involved about 339 million records — and may draw a $124 million fine under the General Data Protection Regulation (GDPR).

First American Financial Corporation exposed 885 million records, some dating back to 2003.

And more recently, there is the example of Capital One’s AWS deployment and a misconfigured web application firewall. In that scenario, an unauthorized user was able to access sensitive data records, putting 106 million customers at risk.

Transparent data encryption (TDE) was unable to protect these companies or their users because it was never meant to do so. It was designed to protect against what we call the “Tom Cruise threat model” — where someone breaks into a data center and drops down from the ceiling (as in Mission Impossible) to steal the disks that hold your data. The reality is that attackers today rarely break into data centers physically. They get in with compromised credentials and then move laterally through your environment, and once they reach a database as an authenticated user, TDE decrypts the data for them just as it would for any legitimate query. Encrypting the physical disks or using database encryption at rest therefore does nothing to protect the data from these modern-day attacks.

The “shared responsibility model” requires users to secure everything in the cloud, while the cloud provider ensures the security of the cloud. One cannot blame a cloud provider for open or misconfigured buckets. That has been and will always be the cloud user’s responsibility.

New Attacks Require New Methods of Defense
It is clear that traditional approaches (such as encrypting data at rest and in motion) are no longer enough to protect against new methods of attack, particularly as developers spin up and migrate to cloud test and dev environments.

For far too long, security practitioners have used these technologies as a “check the box” method to achieve compliance. Modern attacks, however, require us to rethink our processes to defend what is most important: the data itself, not the systems or perimeter defenses surrounding it.

I’m encouraged in particular by MongoDB’s announcement in June 2019 that it will implement “field-level encryption,” which enables users to have “encrypted fields on the server — stored in-memory, in system logs, at-rest and in backups — which are rendered as ciphertext, making them unreadable to any party who does not have client access or the keys necessary to decrypt the data.” Because the server never holds the keys, the application can run only limited operations on the encrypted fields (equality matches on deterministically encrypted values, but no range queries or sorting on the ciphertext), yet it is certainly a step in the right direction. More companies in security should recognize that the traditional approach to encryption is inadequate to defend what’s most important.

Proactive, Not Reactive, Measures
To prevent a significant number of data breaches, and the significant regulatory fines they trigger, why not nip this issue in the bud? Regulators would do well to expand encryption mandates from “at rest” and “in motion” only to cover the entire environment, including data “in memory” and “in use.” Doing so would prevent some data breaches (especially the kinds described above), along with the negative headlines, legal and reputational issues, and regulatory fines that follow them. Building encryption into the data migration process itself would protect sensitive data at all times, automatically, so a cloned data set never lands in a test or dev database in the clear.
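The approach the column argues for, encrypting sensitive fields at the application before they reach the database so that DBAs and anyone holding only database access see ciphertext, applied to the migration step itself, as an added example in Go. It serves both the field-level encryption discussion above and this paragraph’s proposal to build encryption into the migration. This is not the author’s, Baffle’s or MongoDB’s code: the Customer and DevRow schema, the in-process slice standing in for the dev database, the key handling and the sample rows are all constructed for illustration, and the HMAC “blind index” is one common way to keep equality lookups working on an encrypted column (it stands in for whatever mechanism a given product uses).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Customer is a hypothetical production row; the sample values in main are constructed.
type Customer struct {
	ID          int
	Email, Plan string // Email is sensitive; Plan is not and is copied as-is
}

// DevRow is what lands in the dev database: ciphertext plus an HMAC "blind index" for email.
type DevRow struct {
	ID                      int
	EmailCT, EmailIdx, Plan string
}

// Keys stay with the application (a KMS in practice) and never reach the database.
type Keys struct {
	gcm cipher.AEAD // AES-256-GCM for field values
	idx []byte      // separate HMAC key for the blind index
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must not be papered over
	}
	return b
}

func NewKeys() Keys {
	block, _ := aes.NewCipher(randBytes(32)) // 32 random bytes are always a valid AES-256 key
	gcm, _ := cipher.NewGCM(block)           // and AES is always a valid GCM block cipher
	return Keys{gcm: gcm, idx: randBytes(32)}
}

// Encrypt returns hex(nonce || ciphertext || tag), a form that fits a text column.
func (k Keys) Encrypt(plaintext string) string {
	nonce := randBytes(k.gcm.NonceSize())
	return hex.EncodeToString(k.gcm.Seal(nonce, nonce, []byte(plaintext), nil))
}

// Decrypt fails on a GCM tag mismatch, which is all a party without the key ever gets.
func (k Keys) Decrypt(encoded string) (string, error) {
	raw, err := hex.DecodeString(encoded)
	if err != nil || len(raw) < k.gcm.NonceSize() {
		return "", fmt.Errorf("malformed ciphertext")
	}
	pt, err := k.gcm.Open(nil, raw[:k.gcm.NonceSize()], raw[k.gcm.NonceSize():], nil)
	return string(pt), err // err != nil means wrong key or tampered value
}

// Index is deterministic, so equal plaintexts give equal tokens: enough for equality
// lookups and deliberately nothing more (no range, prefix or substring queries).
func (k Keys) Index(value string) string {
	mac := hmac.New(sha256.New, k.idx)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

// Migrate is the copy step: production rows in, protected dev rows out.
func Migrate(k Keys, src []Customer) []DevRow {
	out := make([]DevRow, 0, len(src))
	for _, c := range src {
		out = append(out, DevRow{ID: c.ID, EmailCT: k.Encrypt(c.Email), EmailIdx: k.Index(c.Email), Plan: c.Plan})
	}
	return out
}

// FindByEmail is the application-side query: only the index token goes to the store,
// and the matching row is decrypted locally with the application's key.
func FindByEmail(k Keys, store []DevRow, email string) (*Customer, error) {
	want := k.Index(email)
	for _, r := range store {
		if r.EmailIdx == want {
			pt, err := k.Decrypt(r.EmailCT) // fails only if the stored value was tampered with
			return &Customer{ID: r.ID, Email: pt, Plan: r.Plan}, err
		}
	}
	return nil, nil // no row with that email
}

func main() {
	keys := NewKeys()
	dev := Migrate(keys, []Customer{{1, "alice@example.com", "gold"}, {2, "bob@example.com", "free"}})
	fmt.Printf("DBA's view of the dev row: %+v\n", dev[0]) // ciphertext and index token only
	fmt.Println(FindByEmail(keys, dev, "alice@example.com")) // application's view, via the index
	_, err := NewKeys().Decrypt(dev[0].EmailCT) // a different key, which is all an attacker has
	fmt.Println("decrypt without the key:", err)
}
```

Run it and the first line shows what a DBA on the dev database gets (hex ciphertext and an index token, with the non-sensitive Plan column copied in the clear), the second what the application reconstructs with its key, and the third the authentication failure anyone with a different key hits. The price is exactly the one the column mentions: the dev database can answer equality lookups on the indexed column and nothing else, so queries that need ranges, sorting or substring matches on a protected field have to be redesigned, and the keys must be provisioned to every dev workload that needs plaintext, which turns the problem into one of secrets management rather than database configuration.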

The consequences of inaction are growing significantly, as regulators have clearly caught on to the importance of data privacy. Just look at the $5 billion Federal Trade Commission fine against Facebook for its failure to protect data from abusive third parties (such as Cambridge Analytica). Five billion dollars is about 10% of the company’s 2018 revenue, and 20% of its 2018 profits.

GDPR, which went into effect in mid-2018, sparked a wave of new data privacy regulations in the US. The most significant of these is the California Consumer Privacy Act, which provides unprecedented power for consumers to control the collection, use, and transfer of their data. Up to 40 other states are also in various stages of implementing data privacy regulations.

Putting it All Together
As I wrote in a previous Dark Reading column, security should not be a bottleneck and slow down business functions. When done correctly, security can actually empower a business and create a sustainable competitive advantage.


Ameesh Divatia is Co-Founder and CEO of Baffle, Inc., which provides encryption as a service. He has a proven track record of turning technologies that are difficult to build into successful businesses, selling three companies for more than $425 million combined in the service …

Article source: https://www.darkreading.com/cloud/controlling-data-leakage-in-cloud-test-dev-environments/a/d-id/1335909?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Jamf emits mystery security fix for Pro macOS, iOS wrangler, keeps admins in dark by censoring chatter

macOS network admins are being advised to update their copies of the Jamf Pro management software following the disclosure of a critical security flaw.

The Jamf Pro 10.15.1 update includes among its fixes a patch for a security flaw that, depending upon the version being used, could allow for file deletions or remote code execution.

No attacks have been reported in the wild.

The flaw only affects the Jamf Pro server, meaning end users whose Mac and iOS devices are managed by Jamf are not directly vulnerable. This is a patch that will mostly concern admins who use Jamf Pro to manage their devices.

That said, if a company’s Jamf Pro server is compromised, it’s pretty much game over for any of that server’s managed devices as well.

“This vulnerability does not pose a risk to private data or managed devices. It does have the potential to impact the integrity and availability of your web server,” Jamf product marketing manager Garrett Denney told customers.

“Cloud customers will be automatically upgraded during the upgrade window (Sept 28-29). Premium and Custom customers can contact their Customer Success representative to schedule an upgrade. On-premise customers can download the installer via the My Assets page on Jamf Nation.”

The flaw, which has not yet been assigned a CVE number, is triggered by requests an attacker sends over the network to a vulnerable server.

“A request containing specially crafted JSON that is sent to certain endpoints in Jamf Pro could result in the deletion of files on the server and/or Denial of Service,” Jamf CISO Aaron Kiemele said in a statement to El Reg.

“In affected versions of Jamf Pro prior to 10.14.0, these requests could also result in remote code execution.”

As Kiemele noted, the severity of the vulnerability depends on your version of Jamf Pro. For companies running versions 9.4 through 10.13, the risk is highest, as a successful attack opens the door to remote code execution.

On versions 10.14 through 10.15 (before the 10.15.1 fix), the attacker would be able to delete files on the server or cause a denial of service, but not install or execute code.


While managed devices themselves were not vulnerable, Jamf’s handling of the patch release and its support for customers leave a lot to be desired. Initially, Jamf only published a support post telling admins that a new version was available and that they would need to update in order to address a “critical security vulnerability.”

Naturally, and rightly so, this drew protests from admins who explained that they needed details such as CVE numbers and CVSS scores in order to properly assess the flaw and plan the patching.

Jamf, however, said it would only provide those details to individual administrators via email, and posts relaying that information to others were promptly deleted by moderators.

It was only after angry customers reposted the emails on public sites including GitHub that the details on the vulnerability were made public. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/01/jamf_server_security_fix/