STE WILLIAMS

Apple Safari now blocks all third-party cookies by default

“The long wait is over,” Apple WebKit engineer John Wilander announced on Tuesday: the latest update to the Safari browser is blocking third-party cookies by default for all users.

Safari 13.1 was released on Tuesday, bringing full cookie blocking and other updates to Apple’s Intelligent Tracking Prevention (ITP) privacy feature. What it means: online advertisers and analytics firms will no longer be able to use our browser cookies to follow us around like bloodhounds as we wander from site to site, tracking and mapping our interests and behavior for whatever profit-motivated, privacy-wrecking purposes they might have.

Is this a big deal? Not really, Wilander said in a post on the WebKit team’s blog, given that previous work has meant that most cookies are already blocked:

It might seem like a bigger change than it is.

But we’ve added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari.

Safari thus joins other browsers that either plan to or are already blocking third-party tracking cookies by default, including the Tor browser. Mozilla rolled out the privacy enhancement in September 2019, announcing that Firefox would block both tracking cookies and cryptomining by default.

Brave also blocks most third-party cookies, though it makes exceptions for a few popular third-party embedded sites. In January 2020, Google announced that it would gradually kill third-party cookies in Chrome over the course of two years.

But while it might appear that Apple beat Google to the third-party cookie kill fest, Google actually gets the credit for pushing browsers down the no-tracking path. In a May 2019 post, Google said that it planned to update Chrome to provide users with more transparency about how sites use cookies and would require developers to explicitly specify which cookies are allowed to work across websites and which could thus be used to track users.

But there are other ways to track us beyond cookies, as Google’s post explained, referring to browser fingerprints: a way to track users that doesn’t rely on cookies but instead gets identifying information from your browser that marks you as unique, such as what fonts are installed, what HTTP headers your browser sends, your screen size and your timezone. Naked Security’s Mark Stockley has called it “the cookie you can’t delete” and says it’s an extremely accurate way to identify your browser:

That collection of information varies so much from one browser to the next that it’s enough to tell any two browsers apart with startling accuracy.

In the announcement about third-party cookie blocking on Tuesday, Wilander said that the privacy enhancement will disable browser login fingerprinting: a technique that allows a website to invisibly detect where you’re logged in and which is viable in any browser without full third-party cookie blocking.

Since ‘global browser state’ has been top of mind in the web privacy community as of late, we’d like to point out that cookies themselves are global state and unless the browser blocks or partitions them in third-party contexts, they allow for cross-site leakage of user information such as login fingerprinting.

Wilander listed these other benefits of third-party cookie blocking:

  • Disables cross-site request forgery (CSRF) attacks against websites through third-party requests. [An example: Facebook suffered from a CSRF bypass flaw, which could have let attackers hijack accounts, in February 2019.] Apple notes that developers still need to protect against forged requests that come in through top frame navigations and points them to its materials on SameSite cookies for guidance.
  • Removes the ability to use an auxiliary third-party domain to identify users. Such a setup could otherwise persist IDs even when users delete website data for the first party.
  • Simplifies things for developers. Wilander says it’s now “as easy as possible: If you need cookie access as third-party, use the Storage Access API.”
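To make the CSRF point in the list concrete, here is an added Python model (not code from the WebKit post or from Safari) of when a browser attaches a cookie to a request: third-party blocking covers cross-site subresource requests, while a cross-site top-frame navigation is first-party on arrival and is only restrained by the cookie’s SameSite attribute. The send policy, the `site_of` approximation and the bank/attacker URLs are constructed assumptions of this example.

```python
# Added illustration, not Safari's code: a deliberately simplified model of the
# cookie send policy, to show why third-party cookie blocking stops CSRF via
# cross-site subresource requests but not via top-frame navigations, which is
# what SameSite is for. The policy below is an assumption of this example.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str = "None"  # "Strict", "Lax" or "None" (the pre-SameSite default)


@dataclass(frozen=True)
class Request:
    url: str                    # where the request goes
    initiator_url: str          # page whose content caused the request
    top_level_navigation: bool  # True for link click / form submit, False for img/fetch/iframe
    method: str = "GET"


def site_of(url: str) -> str:
    """Registrable site, crudely approximated here as the last two host labels."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_is_sent(cookie: Cookie, req: Request, block_third_party: bool) -> bool:
    """Return True if the modelled browser would attach `cookie` to `req`."""
    if site_of(req.url) == site_of(req.initiator_url):
        return True  # same-site request: neither mechanism interferes
    if not req.top_level_navigation:
        # Cross-site subresource: the cookie would be used in a third-party context.
        if block_third_party:
            return False  # the Safari 13.1 behaviour described in the text
        return cookie.samesite == "None"  # Lax and Strict already withhold it
    # Cross-site top-level navigation: the destination becomes first party, so
    # third-party blocking does not apply; only SameSite restricts the cookie.
    if cookie.samesite == "Strict":
        return False
    if cookie.samesite == "Lax":
        return req.method in ("GET", "HEAD")
    return True


# Two constructed CSRF vectors against a hypothetical bank session cookie.
BANK = "https://bank.example/transfer"
ATTACKER = "https://evil.example/page"
VECTORS = {
    "cross-site subresource POST": Request(BANK, ATTACKER, top_level_navigation=False, method="POST"),
    "cross-site top-level form POST": Request(BANK, ATTACKER, top_level_navigation=True, method="POST"),
}


def working_csrf_vectors(cookie: Cookie, block_third_party: bool) -> set:
    """Names of the vectors on which the session cookie would still ride along."""
    return {name for name, req in VECTORS.items()
            if cookie_is_sent(cookie, req, block_third_party)}


if __name__ == "__main__":
    for samesite in ("None", "Lax", "Strict"):
        for blocking in (False, True):
            left = working_csrf_vectors(Cookie("session", samesite), blocking)
            print(f"SameSite={samesite:6} third-party blocking={blocking!s:5} -> {sorted(left) or 'none'}")
```

Running it shows that with a SameSite=None cookie, turning on third-party blocking removes only the subresource vector; the top-level form POST vector disappears only once the cookie is marked Lax or Strict.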


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tSXaqw_foeY/

Watch out! Scummy scammers target home deliveries

Thanks to the team at SophosLabs for sending us the SMS used in this scam.

If you’re sitting at home right now, sheltering from the coronavirus pandemic – and there’s a good chance you are – then you are probably either thinking about a home delivery, or waiting for one.

In the UK, for example, even people who have no symptoms of the virus, and who haven’t been in contact with anyone who’s infected, have been instructed to make their shopping outings “as infrequent as possible”.

Indeed, many stores considered non-essential have been forced to shut, including electronics shops, so the new HDMI cable or the replacement mouse you need for working from home may only be available online.

So, with home delivery companies seriously stretched and long shipment times, we suspect that lots of people will be anxiously watching their phones for text messages like this one:

The URL in this case was a short domain name with a brief coded sequence of letters and numbers at the end – pretty usual for links in text messages, which are typically shortened to fit in the limited length of an SMS.

And given that no one wants to see their lovingly awaited shipment of toilet rolls go astray at the very last step of the way for something as minor as an address glitch, it’s tempting to click through to check what’s going on.

As you can see, the site has a reassuring HTTPS padlock, meaning that transmission to and from the site is secure, but the site itself is just a visual ripoff of the Canada Post/Postes Canada brand (this SMS was received by SophosLabs in Vancouver, BC):

In case you are wondering about that HTTPS certificate, here’s what it looks like – we used Firefox on our laptop, where clicking on the padlock in the address bar makes it easy to inspect the details:

The server is running on the popular cPanel web hosting service, which provides a web certificate automatically (that’s a good thing, because unencrypted web traffic can be snooped on and tampered with far too easily).

Highlighted above is the fact that the certificate was created on 2020-03-24, the very same day that this scam campaign went out.

Anyway, your delivery is held up by a mere $3 shortfall, which is the sort of amount you’d probably consider paying anyway and arguing about later, if the alternative is to lose your delivery slot.

If you do proceed, then the crooks first want you to confirm your address, as stated in the original SMS message…

…and then they want to “process” your $3 payment by capturing your credit card details to complete the transaction:

(By the way, in Anglophone Canada, monetary amounts are written with the dollar sign at the front; only in Francophone Canada would you expect the dollar sign at the end – so that’s one of many hints here that something is not right.)

Above, we put in non-existent credit card information to see what would happen next – some phishing scams of this sort redirect you to a genuine page on the courier company’s or the card company’s real site in order to throw you off the scent – and we were presented with a bogus “card declined” message.

If you’re a regular Naked Security reader, this screenshot might ring a bell, and that’s because it is not merely similar to but in fact exactly the same as the bogus “payment back-end” that we wrote up in a similar scam at the very start of 2020.

The payment form you see is actually a sub-window hosted on and delivered by a different server, which is presumably meant to mirror the way that a lot of genuine payment processing sites work, where the actual payment part of the transaction is handled by your financial provider.

The trick of pretending to decline your card is a canny one, because it not only provides the crooks a plausible way to terminate their scam, but also gives them a chance that they might phish you twice in a row.

As we pointed out last time:

As you can see, the crooks are still phishing for more, even at the end, brazenly suggesting that you try another credit card and thus giving them two-for-the-price-of-one.

Of course, if you get this far you’ve just handed over your card details to the crooks, including the CVV (security short code) from the back of your card that no legitimate merchant would store.

What to do?

  • Don’t be fooled just because you’re expecting a delivery. The crooks don’t have to know you are waiting for a delivery to get the timing right. Especially during the coronavirus pandemic, they can simply assume you are and they’ll be right for a lot of people a lot of the time.
  • Treat delivery SMSes as notifications instead of links. It’s a bit more hassle, but avoid clicking on links at all in messages like these. When you order items online, make a note of the right website to use for tracking the item, and go there yourself if there is any problem reported with delivery.
  • Check the URL in the address bar. These days, most cybercriminals are using HTTPS websites, because everyone expects a padlock in the address bar. But the padlock doesn’t say you are on the correct site, merely that you are on a site with an HTTPS certificate. Consider going to your laptop if you can, and checking out the link from there. It’s worth the extra trouble because the address bar is bigger and tells you more.
  • Use a third-party security product on your phone. Sophos Intercept X for Mobile adds to the built-in protection in your phone because it helps to keep you away from risky websites to start with.
  • Report compromised cards immediately. If you get as far as entering any banking data into a “pay page” and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)

P.S. Don’t forget that just typing data into a web form exposes it to crooks because they can “keylog” what you type into a webpage even if you never press the [Finish] button.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cDnzPF-UbmE/

S2 Ep32: ZoomBombing, Android malware and the WhatsApp Martinelli hoax – Naked Security Podcast

In this episode, Greg looks at why the WhatsApp Martinelli hoax has come back in a big way, Duck decompiles some coronavirus-themed Android malware, and Anna tells you what ZoomBombing is and why you really, really need to get the security settings right on your Zoom meetings.

Join host Anna Brading with Sophos experts Paul Ducklin and Greg Iddon.

Listen now!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/k5Tig7t35TM/

Hey, China. Maybe you should have held your hackers off for a bit while COVID-19 ravaged the planet. Just a suggestion

Proving that no good crisis ever goes to waste, Chinese government hacking crew APT41 launched a campaign that abuses vulns in Citrix Netscaler and Zoho ManageEngine, according to threat intel outfit FireEye.

As well as targeting load balancers and network management suites, the Chinese interference operatives spent three months, at the height of Wuhan’s COVID-19 coronavirus outbreak, exploiting weaknesses in Cisco routers.

“This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years,” intoned FireEye in a statement.

Their targets were indiscriminate, ranging from governments, banking and finance, oil and gas, pharmaceutical, tech, defence and more.

During January and February APT41’s attacks were concentrated against Cisco devices using previously revealed vulnerabilities and what FireEye speculated was a pre-compiled list of vulnerable devices connected to the internet. Those devices did not have mitigations applied.

In early March the Chinese hackers picked up on CVE-2020-10189, a zero-day remote code execution vuln in Zoho ManageEngine Desktop Central. The proof of concept was released on 5 March; three days later APT41 was using it to exploit “more than a dozen FireEye customers”, the firm said in a blog post.

While Zoho published a workaround for the vuln back in January, and a full patch was published on 7 March, that two-day gap was all the Chinese needed.

“It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter,” commented FireEye. “While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.”

Earlier this year APT41, also known as the Winnti Group, was seen targeting Hong Kong protesters as part of the communist state’s ongoing campaign to crush pro-democracy sentiment in the one-time British colony. The crew’s first publicly noted tactics included stealing security certificates to rip off video games firms, among others. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/26/fireeye_apt41_chinese_hackers_zoho_citrix_cisco/

China-Based Threat Group Launches Widespread Malicious Campaign

The motives behind the attacks remain unclear, but likely triggers include the ongoing trade war between the US and China and the unfolding COVID-19 pandemic.

APT41, a prolific advanced persistent threat group believed to be working on behalf of the Chinese government, has sharply ramped up its activities in recent months after a relative lull.

Researchers from FireEye who have been tracking the activity said APT41 attacked as many as 75 of its customers between January 20 and March 11 alone.

The targeted organizations are scattered across 20 countries, including the US, UK, Canada, Australia, France, Japan, and India. Organizations from nearly 20 sectors have been impacted, including those in the government, defense, banking, healthcare, pharmaceutical, and telecommunication sectors.

Though only a handful of the attacks resulted in an actual security compromise, FireEye described APT41’s activity as one of the broadest malicious campaigns ever by a Chinese threat actor in recent years.

Chris Glyer, chief security architect at FireEye, says the reason for APT41’s sudden burst of activity is unclear. Based on FireEye’s current visibility, the attacks appear to be targeted, but it is hard to ascribe a specific motive or intent behind APT41’s behavior, he says.

But likely triggers include the ongoing trade war between the US and China and the unfolding COVID-19 pandemic. It is possible that these events are driving China on a quest for intelligence on a variety of topics, including trade, travel, communications, manufacturing, research, and international relations.

“The most likely explanation for the broad targeting set is to enable both current as well as future potential collection requirements that would enable APT41 to complete their mission objectives quickly,” Glyer says.

In several of the attacks, the threat actors attempted to exploit a previously known remote code execution flaw (CVE-2019-19781) in Citrix Application Delivery Controller (ADC) and Citrix Gateway devices. The flaw was first disclosed last December, and exploits for it became available this January. 

The flaw evoked considerable concern among security researchers because it impacted a Citrix technology that is widely deployed in enterprise settings and also because of how trivial it was to exploit. The concerns were exacerbated by the fact that exploits for the flaw became available before Citrix had a patch for it. Though Citrix and others, including the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), urged organizations to patch or otherwise protect against the flaw as soon as possible, many systems are believed to still be unpatched and vulnerable to the bug.

Dangerous Vulnerabilities
CVE-2019-19781 enables an attacker to execute arbitrary code on a vulnerable device, Glyer says. One of the worst-case scenarios would be an attacker compromising an ADC device, accessing credentials stored in the device, and then using the credentials and network access to move laterally and escalate privileges within a victim’s internal network, he says.

According to Glyer, APT41 appears to have managed to successfully exploit the Citrix flaw at just one of the several organizations it targeted in its newest campaign.

In recent weeks FireEye researchers observed the China-based threat actor attempting to exploit a zero-day vulnerability [CVE-2020-10189] in Zoho ManageEngine. That flaw was disclosed earlier this month, and a proof-of-concept for exploiting it is already publicly available. FireEye counted attacks attempting to exploit the Zoho bug at more than a dozen of its customers. At least five of them were subsequently compromised and had malware installed on their systems.

In all of the exploitation attempts that FireEye observed, APT41 actors only leveraged publicly available tools, such as Cobalt Strike and Meterpreter, FireEye said in its report this week. In 2020, APT41 has emerged as one of the most active threat groups, Glyer says.

“APT41 is one of the most prolific and capable threat actors that we track,” he says. “Organizations should take the information provided in the blog and evaluate whether they might have been targeted by APT41.”

FireEye has previously described APT41 as a dual cybercrime and espionage group. Its espionage operations on behalf of the government in China have previously focused on healthcare, high tech, and the telecommunications sectors. APT41’s modus operandi has typically been to break in, establish, and maintain strategic access on victim networks. The group’s financially motivated cybercrime activities, on the other hand, have been purely for personal gain, FireEye said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/china-based-threat-group-launches-widespread-malicious-campaign/d/d-id/1337412?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Introducing Zero-Trust Access

It’s too early to tell whether ZTA will be a VPN killer or not, but major players are ramping up products in this new class of security technology that focuses on the cloud.

Working remotely has been a reality for many knowledge workers for many years, enabled by the growth and development of the Internet, Wi-Fi connectivity, and mobile computing devices. Indeed, it was this trend that powered the evolution of virtual private network (VPN) technology to secure connections from anywhere other than the corporate LAN, with VPNs now constituting a multibillion-dollar business.

In recent years, Omdia has observed the emergence of a new class of technology, again focused on remote access to corporate assets but now encompassing the cloud environments where an increasing proportion of the application infrastructure resides and with the promise of more stringent control of that access. We call this type of technology Zero-Trust Access (ZTA).

I began work on a report, along with my colleague, Omdia associate analyst Rob Bamforth, at the end of 2019. I was interested in explaining the whys and wherefores of this emerging VPN replacement technology. That was before the coronavirus, even in its original Chinese iteration, was making the headlines, and long before it was billed as a global pandemic making a huge impact on world health and driving millions to self-isolate, many of them now working from home. It is a sad coincidence that our report appears at this time, giving it an added relevancy, albeit in tragic circumstances. The fact is, though, that the need for secure remote access technology has never been greater.

The global VPN market is estimated at anywhere between $25 billion and $40 billion, with the difference resulting from how the market is defined — i.e., whether VPN services from carriers are included and so on. It was already predicted to enjoy healthy growth rates even before the current situation, with one analyst house forecasting a CAGR of 18% between 2018 and 2025. VPNs have their limitations, however, as our report, “Omdia Market Radar: Zero-Trust Access,” (registration required), explains.

VPNs’ shortcomings
First, there is the fact that VPN technology was developed in an era when all corporate applications lived in the company’s data center. In that scenario, VPN clients on remote laptops could log in to a concentrator located in that data center, with contact then being set up to the nearby application. Now, by contrast, an increasing proportion of the applications are in the cloud, whether in infrastructure-, platform-, or software-as-a-service (IaaS, PaaS, or SaaS) environments. This forces traffic flowing between the end user’s device and the application to “trombone” through a concentrator on your premises, which is both inefficient and potentially detrimental to the end user’s experience, if significant latency is added.

Second, VPNs grant access to a company’s entire IT infrastructure, such that if an attacker steals an employee’s credentials to get in, they can then roam around on reconnaissance, or lie in wait until they find assets that are of value, elevate their access rights accordingly and purloin the relevant data.

ZTA addresses both these issues, as there is no need for a concentrator on company premises. It typically resides in the cloud, and access is granted on a restricted basis — i.e., only to the application the user needs to get to for a particular task.

The Two Flavors of ZTA
Omdia divides the ZTA market into two distinct approaches, one of which can be licensed software that the customers themselves deploy and operate, though some vendors also offer a service. The other is a SaaS offering, on account of the product’s architecture. The former is called Software-Defined Perimeter (SDP) technology and the latter, Identity-Aware Proxy (IAP). The vendors profiled for the report are:

SDP
– AppGate
– Okta
– Opswat
– Pulse Secure
– Safe-T
– Verizon

IAP
– Akamai
– Cloudflare
– Palo Alto Networks
– Perimeter 81
– Zscaler

The list is by no means exhaustive, but it is a good representation of the major players in each category. We omitted the likes of Google, which was a pioneer in ZTA but will roll out an enterprise IAP service for accessing any corporate asset, regardless of where it resides, only later this year, and Symantec, which acquired SDP vendor Luminate in 2019, but has undergone a lot of corporate reorganization since being acquired by Broadcom later that year.

These are still early days for ZTA, but Omdia expects ZTA-as-a-service to outgrow the licensed software side of the business, given the broader trend for technology to be delivered in this way. As for market sizing, Gartner predicts that as many as 60% of the VPNs in place today will be replaced by some form of ZTA technology by 2023. Given the size of the VPN market, this would put the value of the ZTA market at somewhere between $20 billion and $24 billion by 2023.


Rik is a principal analyst in Omdia’s IT security and technology team, specializing in cybersecurity technology trends, IT security, compliance, and call recording.  He provides analysis and insight on market evolution and helps end users determine what type of … View Full Bio

Article source: https://www.darkreading.com/cloud/introducing-zero-trust-access-/a/d-id/1337362?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Technology Empowers Pandemic Response, But Privacy Worries Remain

As technology companies and the medical community work to find ways to track and test for the virus, privacy might fall by the wayside.

In late January and early February, a study of influenza had the ability to reveal whether subjects in the Seattle area were infected by the novel coronavirus. But medical privacy rules scuttled the idea until researchers, on February 25, decided to go ahead and test anyway. They discovered that COVID-19 had already contributed to the deaths of two people.

In China, Singapore, and Israel, government officials used citizens’ cell phones to track who may have had contact with infected individuals, a capability the European Union is considering as well. Market intelligence service Unacast has used its system of tracking citizens — originally to determine mobile users’ music preferences — to produce scorecards of how well the citizens of nations, regions, and cities were social distancing to reduce spread.

The different ways that nations approach the problem of the coronavirus pandemic often conflict with privacy rights, says Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals (IAPP).

“There is a balance between the usefulness and effectiveness of measures and the ability to protect privacy and civil liberties, and China weighed in very heavily on one side,” he says. “They sacrificed privacy and civil liberties — of course, they did not have much to begin with — to reinforce the public health interest. The US will have to find its own place on the scale.”

Natural and human disasters typically redraw the lines between civil liberties and security. Following the September 11 terrorist attacks, the US government curtailed many privacy provisions to try to enhance security. Most experts, in hindsight, believe the government went too far, and some of the privacy protections have been restored. 

The rush to find ways to use technology to combat COVID-19 has given governments visibility into the spread of the novel coronavirus but will likely result in citizens sacrificing privacy — at least for the time being. The pandemic poses a different threat, one that could have a lasting impact on medical and personal privacy, according to Cindy Cohn, executive director of the Electronic Frontier Foundation (EFF).

“We must be sure that measures taken in the name of responding to COVID-19 are, in the language of international human rights law, ‘necessary and proportionate’ to the needs of society in fighting the virus,” she said in a post. “Above all, we must make sure that these measures end and that the data collected for these purposes is not repurposed for either governmental or commercial ends.”

Yet privacy rules have arguably delayed the response to the coronavirus pandemic. The Seattle Flu Study, for example, had already been surveilling influenza infection rates in the city when researchers heard of the spread of the novel coronavirus. The medical researchers offered in late January to start testing for coronavirus, but medical privacy and ethics rules prevented them from extending the effort beyond its original scope and notifying participants of their status, according to The New York Times, which broke the story.

The researchers eventually expanded testing on their own initiative weeks later and were shut down by state officials, but not before confirming that the disease had spread to the Seattle area. On March 22, the group got permission to restart testing and was retasked as the Seattle Coronavirus Assessment Network, or SCAN.

“Everyone who takes part in this effort will help us understand how coronavirus is spreading in the Greater Seattle area,” the group now states on its website. “We are increasing capacity and responding to public health priorities as they come up.”

Market intelligence firm Unacast has used its ability to track mobile users to create scorecards for the social-distancing efforts of citizens of different regions. The commonwealth of Massachusetts, for example, gets an “A” for its efforts, while Hawaii garnered a “D” grade.

Efforts to monitor potentially infected citizens will likely run afoul of privacy rules but can pay dividends, says Ambuj Kumar, CEO and co-founder of encryption firm Fortanix. He points to two apps that show the possibilities if privacy issues are resolved: One is China’s Alipay Health Code app, a more authoritarian solution that tracks citizen movements and uses a color code to restrict the movement of people. Singapore used a different app, TraceTogether, which records movements within two meters of other people to determine whether people were exposed to the virus.

New techniques, such as privacy-preserving data analysis, could allow extremely private data to be tracked from multiple sources without exposing an individual’s private data.

“It’s unlikely that more open democracies with established privacy laws will be able to implement similar systems without additional privacy protections,” he says.

The EFF has warned that in fighting the epidemic technologists should consider the privacy consequences. 

We need to “make sure that we both take advantage of how technology can help us now and, equally importantly, that we emerge from this time with our freedom and democracy as strong, if not stronger, than when we went in,” the EFF’s Cohn said, adding that “we also need to be vigilant so that we come out the other side of this crisis with a society we want to live in and hand down to our kids. We can — and must — do both.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/big-data/big-data-analytics/technology-empowers-pandemic-response-but-privacy-worries-remain/d/d-id/1337417?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SANS is offering fully certified cybersecurity training – without leaving your bunker

Promo: Amid this planet’s ongoing pandemic and stay-at-home measures, if you’re keen to repurpose all that time previously spent commuting, attending conferences, and so on, why not take a look at the SANS Institute’s Online Cybersecurity Training.

SANS has been researching and educating the cybersecurity industry since 1989, building its fully GIAC-certified training courses around in-person events held worldwide. Over the past 15 years, a whopping 40 courses have been made available online, featuring top-class instructors from across the industry. This archive amounts to several months of tuition and materials, and is quite simply the highest quality insight and information of its kind available anywhere in the world today.

With subjects ranging from deep dives into cloud security architecture to wireless penetration testing, and even slightly wilder areas, such as good cybersecurity writing, these online courses are an ocean of high-quality education – and they tend to work out cheaper than travelling to in-person, multi-day sessions.

Free remote workforce essentials kit

As social distancing bumps online training into the foreground, together with remote working for many organisations, SANS Security Awareness has created a Work From Home Deployment Kit designed to ensure that life goes on as normal and safely. The kit contains everything you need to quickly train and secure your remote workforce with essential resources and training materials. This is a combination of public resources and paid training materials, which SANS is releasing for free.

SANS Online Cybersecurity Training is recommended by 94 per cent of its students, and every single one of Fortune’s Top 30 companies has used it on some level.

Anyway, don’t just take our word for it. Founder of Counter Hack Ed Skoudis, and SANS curriculum lead Rob Lee, have put together a webcast to tell you themselves. Filling you in on the pathways and topics followed online by tens of thousands of students over the past decade and a half, the Understanding SANS CyberCast will show you how learning online with SANS is So Much More Than Live Virtual Training.

Sign up and watch the SANS CyberCast here.


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/26/sans_certified_cybersecurity_training/

If there’s something strange in Symantec’s neighborhood, who you gonna call? Not Broadcom, it seems: Systems go down, cut off customers

Symantec customers, or rather Broadcom customers these days, were taken offline for a while on Wednesday when the security service’s data centers around the planet went down.

The Web Security Service (WSS) platform, acquired when Broadcom hoovered much of Symantec’s operations last year, sells web-based site and file scanning for businesses. It is also integrated with some network appliances to provide patches and updates.

Broadcom reported on its status page that WSS facilities across all regions went down for about two hours between 1542 UTC and 1742 today.

“We are aware of multiple data centers located around the world currently having connectivity issues,” Bro, er, Symantec said at the time. “Customers may experience connectivity issues during this incident.”

Why is this such a problem? Allow Broadcom’s own marketing diagram to explain:

[Diagram: Symantec WSS marketing diagram. Caption: Put a big red X over that middle part, and you have Wednesday’s problem]

So, yeah, no WSS data centers, no web connectivity for the companies that use it. Symantec’s internet filters were down, blocking connections flowing through them. That is the built-in trade-off of routing all outbound web traffic through a cloud proxy: when the proxy is unreachable, every site behind it is unreachable too, unless the client is configured to fail open and go direct, which defeats the filtering the service exists to provide.

One admin at a WSS customer, who asked to remain anonymous, confirmed to El Reg that the outage did, indeed, prevent their workers from getting online. “Presumably this will keep things even more secure than normal,” our tipster mused.

Fortunately, the downtime was resolved after only a couple of hours, and by 1742 the all-clear was given.

“We have confirmed that all data centers have been restored and customers should no longer be impacted,” Broadcom told punters. “We will continue to monitor the data centers to ensure the service is fully restored.”

Once all of the data centers were back online, Broadcom said it was investigating the matter, though it did not say when it may have an explanation for the exact cause of the global fallover.

The Register pinged Broadcom for details on just what went wrong, and will update should we hear back.

It seems that Symantec-related headaches have, unfortunately, become rather routine for Broadcom, post-merger. For weeks now the mega-org has been breaking support forum links, and struggling to deal with disappearing licenses as a result of staff turnover at the combined company. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/25/broadcom_wss_outage/

Missing Patches, Misconfiguration Top Technical Breach Causes

Less than half of businesses surveyed can patch critical vulnerabilities within 72 hours. Why does the process take so long?

Nearly 60% of data breaches in the past two years can be traced back to a missing operating system patch or application patch, researchers report. Poor patch management can be linked to the high costs of downtime and disruption, both of which are magnified in larger organizations and are poised to escalate as businesses rush to support fully remote staff as COVID-19 spreads.

The stat comes from Automox, where a team polled 560 IT and security pros at companies with 500 to 25,000 employees. They learned 81% had suffered a breach in the past two years. Thirty-six percent of those incidents stemmed from a phishing attack, which was the most common root cause, followed by missing OS patch (30%), missing application patch (28%), OS misconfiguration (27%), insider threat (26%), credential theft (22%), and brute force (17%).

“Everyone is aware that phishing attacks are a top root cause for data breaches,” says Jay Goodman, strategic product marketing manager with Automox. “What we found is there is a surprising amount [of] OS patches, application patches, and misconfiguration mistakes that led to the root cause for data breaches.”

This data indicates improved patching processes could strengthen enterprise defense against cybercrime; however, patch management has historically been a nightmare for IT and security teams: 12,174 common vulnerabilities and exposures (CVEs) were reported last year, and applying these patches takes time. Less than half of businesses Automox surveyed would be able to patch critical vulnerabilities within 72 hours of their disclosure, and only 20% could patch zero-day flaws within a 24-hour period.

“It’s a scale issue and it’s a prioritization issue,” says Stephen Boyer, co-founder and CTO at BitSight. “Think about all the vulnerabilities coming at you. The key question is which vulnerabilities [to patch] and when.”

Patching is pricey, and larger businesses suffer greater losses in disruption and downtime. Boyer refers to a defense contractor as an example: There, he says, it could cost $250,000 to roll out a single patch. Not all fixes are this expensive, but let’s say the average hourly wage for a company is $25 per hour, and updating a system disrupts work for 10 minutes per employee. With an employee base of 50,000 people, that amounts to about $208,000 in lost productivity.

“Of course, not all patches will cause this much disruption, but you can see how it can add up,” he explains. Patching requires IT and security to juggle complexity, scale, and prioritization. “It’s a very, very difficult problem in practice,” Boyer notes, and it’s not a trivial task for security teams to handle when tens of thousands of vulnerabilities are being disclosed each year.
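A concrete way to act on Boyer’s “which vulnerabilities and when” and on the 72-hour-critical / 24-hour-zero-day benchmarks the survey measures against is a risk-ranked patch backlog with a deadline per finding. The following is an added example written for this page; it is not code from Automox, BitSight or the article. The tier thresholds, the SLA windows, the host names and the CVE placeholders are all assumptions, and the findings are constructed so the script runs offline.

```python
"""Risk-ranked patch backlog with SLA deadlines (added example, not the survey's tooling)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Remediation windows per tier, in hours. Assumed policy, chosen to line up with the
# 72h-critical / 24h-zero-day benchmarks quoted in the article.
SLA_HOURS = {"zero-day": 24, "critical": 72, "high": 168, "medium": 720, "low": 2160}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                          # identifier as reported by the scanner (placeholders below)
    cvss: float                       # CVSS v3 base score
    disclosed: datetime               # when the advisory / fix became public
    exploited_in_wild: bool = False   # from a known-exploited feed (assumed input)
    internet_facing: bool = False     # from the asset inventory (assumed input)
    remote_host: bool = False         # laptop off the corporate network


def tier(f: Finding) -> str:
    """Active exploitation trumps score; internet exposure promotes a high score to critical."""
    if f.exploited_in_wild:
        return "zero-day"
    if f.cvss >= 9.0 or (f.cvss >= 7.0 and f.internet_facing):
        return "critical"
    if f.cvss >= 7.0:
        return "high"
    if f.cvss >= 4.0:
        return "medium"
    return "low"


def deadline(f: Finding) -> datetime:
    return f.disclosed + timedelta(hours=SLA_HOURS[tier(f)])


def prioritise(findings, now):
    """Order the backlog: overdue items first, then nearest deadline, then highest score.
    hours_left is negative once a finding has blown its window."""
    rows = []
    for f in findings:
        due = deadline(f)
        hours_left = round((due - now).total_seconds() / 3600, 1)
        rows.append({
            "host": f.host, "cve": f.cve, "cvss": f.cvss, "tier": tier(f),
            "deadline": due, "hours_left": hours_left, "overdue": hours_left < 0,
            "needs_remote_push": f.remote_host,   # LAN-only tooling will not reach this one
        })
    rows.sort(key=lambda r: (not r["overdue"], r["deadline"], -r["cvss"]))
    return rows


def sla_summary(rows):
    """Counts a team would report against the 72h / 24h targets."""
    summary = {"total": len(rows), "overdue": 0, "due_within_24h": 0, "by_tier": {}}
    for r in rows:
        summary["by_tier"][r["tier"]] = summary["by_tier"].get(r["tier"], 0) + 1
        if r["overdue"]:
            summary["overdue"] += 1
        elif r["hours_left"] <= 24:
            summary["due_within_24h"] += 1
    return summary


# Constructed sample backlog. Host names and CVE ids are placeholders, not real findings.
NOW = datetime(2020, 3, 26, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Finding("dc01", "CVE-EXAMPLE-1", 9.8, NOW - timedelta(hours=80)),                    # critical, 8h overdue
    Finding("web01", "CVE-EXAMPLE-2", 7.5, NOW - timedelta(hours=60), internet_facing=True),  # critical, 12h left
    Finding("laptop-042", "CVE-EXAMPLE-3", 8.1, NOW - timedelta(hours=30),
            exploited_in_wild=True, remote_host=True),                                   # zero-day, 6h overdue
    Finding("build02", "CVE-EXAMPLE-4", 7.2, NOW - timedelta(hours=100)),                # high, 68h left
    Finding("print01", "CVE-EXAMPLE-5", 5.3, NOW - timedelta(hours=400)),                # medium, 320h left
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE, NOW):
        flag = "OVERDUE" if r["overdue"] else f"{r['hours_left']:.0f}h left"
        remote = " (remote host)" if r["needs_remote_push"] else ""
        print(f"{r['host']:<12}{r['cve']:<16}{r['tier']:<10}{flag}{remote}")
    print(sla_summary(prioritise(SAMPLE, NOW)))
```

The ordering puts the two findings that have already blown their window at the top, with the actively exploited one on a remote laptop flagged as needing an out-of-band push, which is exactly the population Goodman says is falling behind. Swap the constructed list for a scanner export and the `exploited_in_wild` flag for a real known-exploited feed and the same code becomes a daily SLA report.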

“It’s easier for small businesses because they don’t have the overhead of the processes associated with patching that larger organizations have to implement,” says Goodman. Security teams need to verify a patch works, make sure it doesn’t interfere with other systems, and slowly roll it out to a small subset of users to ensure it’s working as it should be.

Larger organizations are also at a disadvantage because they’re more likely to run older OS versions. When Microsoft ended support for Windows 7 in January, nearly 90% of firms with more than 10,000 employees were still running it on at least one machine. Only 61% of businesses with fewer than 1,000 employees were doing the same, BitSight reported at the time.

Costly downtime and disruptions mean even “fire drill” vulnerabilities don’t get patched. Boyer refers to BlueKeep (CVE-2019-0708), the Remote Desktop Protocol flaw Microsoft disclosed in May 2019. As of July 2019, about 788,214 systems remained vulnerable to BlueKeep, BitSight found. As of about a week ago, there were still 377,944 systems exposed, Boyer says, citing a new pool of data.

Remote Work Won’t Make It Easier
While respondents to Automox’s survey say they prioritize patching and hardening their systems, there are several issues that get in the way. Practitioners cite difficulty patching systems belonging to mobile employees and remote offices, inefficient patch testing, lack of visibility into endpoints, and insufficient staffing in both SecOps and IT operations.

Many of today’s businesses have begun to support fully remote staff to protect them from the spread of COVID-19. The shift is likely to exacerbate existing patch management challenges. “It’s a huge problem,” says Boyer of the rapid transition. “You just exploded the attack surface of an organization.” Instead of employees working behind a firewall on corporate Wi-Fi, they are working from home networks. Many don’t even have a corporate machine, he points out.

“The scale and speed with which it happened is scary, and the environments people are working in now are way different from corporate environments,” Boyer continues.

To effectively patch systems in this climate, remote management is needed on every machine. But what if something goes wrong in the middle of an upgrade? What if a user can’t log in to an application, or they don’t have something installed when they should? If someone’s software upgrade doesn’t go smoothly and interferes with critical software, are they out of luck? Businesses will be forced to decide on how long someone can hold off on a patch, Boyer explains.

“Remote employees are falling behind in terms of patching,” says Goodman. “How is that going to grow over time as organizations face the new work-from-home reality?”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/missing-patches-misconfiguration-top-technical-breach-causes/d/d-id/1337410?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple