STE WILLIAMS

Boffins take biometric logins to heart, literally: Cardiac radar IDs users to unlock their PCs

The next form of biometric identification may be a heart scan.

A group of computer scientists have proposed a system called Cardiac Scan, which uses a cheap and cheerful Doppler radar to wirelessly map out the dimensions of your beating heart. They say your old ticker’s shape and pulsations are unique, and therefore useful for identifying you, authenticating access, unlocking devices, and so on.

Wenyao Xu, the lead author of a paper on the technique, said on Monday: “No two people with identical hearts have ever been found. And people’s hearts do not change shape, unless they suffer from serious heart disease.”

To test their radar design, the team conducted a study of 78 people. Their technology scored a 98.61 per cent balanced accuracy with an equal error rate of 4.42 per cent; the equal error rate is the operating point at which false accepts and false rejects are equally likely, so roughly one attempt in 23 goes the wrong way at that setting. Test subjects had to sit completely still in a chair a metre from the sensor hardware during the trials. Random body movements and noise degrade accuracy, and the system can fail outright when “large body movements” saturate the receiver circuitry.
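To make the two reported figures concrete, here is how equal error rate and balanced accuracy are computed from matcher scores. This is an added example, not the Cardiac Scan code; the genuine and impostor score lists are constructed to illustrate the metrics and are not radar measurements.

```python
# Added example: computing equal error rate (EER) and balanced accuracy from
# matcher scores. Not the Cardiac Scan code; the score lists below are
# constructed to illustrate the metrics, not measured radar data.

def error_rates(genuine, impostor, threshold):
    """Accept a scan when its match score is >= threshold.
    FAR: impostor scores that are wrongly accepted.
    FRR: genuine scores that are wrongly rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return
    (eer, threshold) at the point where FAR and FRR are closest.
    EER is reported as the mean of the two rates at that point."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, t)
    return best[1], best[2]


def balanced_accuracy(genuine, impostor, threshold):
    """Mean of true-accept rate and true-reject rate; unlike plain accuracy it
    is not inflated when one class (typically impostor attempts) dominates."""
    far, frr = error_rates(genuine, impostor, threshold)
    return ((1 - frr) + (1 - far)) / 2


# Constructed match scores in [0, 1]: higher means "more like the enrolled heart".
GENUINE_SCORES = [0.95, 0.90, 0.88, 0.85, 0.80, 0.78, 0.72, 0.66, 0.60, 0.45]
IMPOSTOR_SCORES = [0.05, 0.12, 0.20, 0.25, 0.30, 0.38, 0.42, 0.50, 0.58, 0.70]

if __name__ == "__main__":
    eer, t = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.2%} at threshold {t}")
    print(f"balanced accuracy {balanced_accuracy(GENUINE_SCORES, IMPOSTOR_SCORES, t):.2%}")
```

On these constructed scores the EER is 10 per cent at a threshold of 0.60, where one genuine and one impostor score fall on the wrong side. The practitioner's point is that a 4.42 per cent EER means FAR and FRR are both about 4.42 per cent at that single threshold; a deployment that tunes for fewer false accepts will pay for it in false rejects, and vice versa.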

Crucially, it only works while the heart is beating, so an attacker cannot kill the victim, or otherwise take the organ, and still use it to authenticate as them.

The researchers will present their paper at Mobicom, the International Conference on Mobile Computing and Networking, next month in Utah, US.

During cardiac motion, the heart’s atria and ventricles cycle through stages of contraction and relaxation to circulate oxygen-rich blood around the body. Since no two people have the same heart, the exact changes in size and position will be distinct to an individual.


“Moreover, since cardiac motion is intrinsically connected to multiple biological functions, it is extremely difficult to counterfeit or to be hidden for a living individual,” the paper stated.

Cardiac Scan was developed over three years, we’re told. Enrolment takes about eight seconds of Doppler radar data; the system then, fingers crossed, recognizes the same heart on later scans by comparing against that stored template. The sensor works at a carrier frequency of 2.4GHz, a bandwidth of 5kHz, and a sample rate of 40Hz. Wi-Fi and Bluetooth use the same frequency band but do not interfere with the system, we’re told.

“Though Wi-Fi and Bluetooth also work at 2.4GHz, our cardiac motion signal will not be interfered by them,” the paper stated.

“This is because the motion information to be detected is only a few Hertz, which means the received signal and the transmitted signal are only separated by a few Hertz, while other signals from potential interferers (e.g., WiFi, Bluetooth) have a much higher frequency separation and are easily rejected by the baseband signal. In other words, the transmitted signal and the received signal are “coherent”, whereas other signals are not coherent with the transmitted signal.”

Privacy

Xu, who is an assistant professor at the University at Buffalo in the US, said the team “would like to use it for every computer because everybody needs privacy,” and envisions that the heart scan would replace current methods used to log in and out of networks and gadgets.

It has several advantages over fingerprint, retinal scanning and facial recognition systems, the team reckoned. It doesn’t require direct contact, and it monitors users constantly. If the system detects a different person standing in front of the computer screen, the PC will not operate.

The signal strength of the Doppler radar “is much less than Wi-Fi”, and does not pose any health hazards, Xu insisted. “We are living in a Wi-Fi surrounding environment every day, and the new system is as safe as those Wi-Fi devices,” he said.

The researchers hope to miniaturize Cardiac Scan so it can be installed onto the corners of keyboards, as well as mobile phones or even airport scanners. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/26/heart_scan_biometric/

Docs ran a simulation of what would happen if really nasty malware hit a city’s hospitals. RIP :(

DerbyCon Electronic medical equipment is supposed to help humans save lives, but its lamentable security could result in considerable loss of life, we were warned over the weekend.

Speaking at DerbyCon in Kentucky, USA, on Saturday, two infosec experts and two doctors who have a side interest in hacking gave an update on their work analyzing security flaws in medical machinery. And, reader, the results weren’t good. On average, a connected device had about 1,000 exploitable CVE flaws, with some going over the 1,400 mark, it was claimed.

Not all of these flaws are remotely exploitable, but many are, “and it only takes one,” said Joshua Corman, director of the Atlantic Council’s Cyber Statecraft Initiative and one of the aforementioned speakers. “Governments aren’t ready for this and hospitals certainly aren’t – 85 per cent of US hospitals don’t have any IT security staff,” he added.

Four years ago, Corman and others launched I am the Cavalry to investigate and tackle computer security that affects public safety. He gave his DerbyCon talk alongside his deputy director Beau Woods, and infosec-minded Dr Christian Daneff and Dr Jeff Tully.

Dr Daneff highlighted the effects of the WannaCry ransomware epidemic on the UK healthcare system, and said the US had been very, very lucky not to have similar infections of malware. The main fear is a software nasty disrupting computers and network-connected equipment to the point where patients are prevented from receiving vital treatment in time.


“When you look at stroke or heart attack victims you’ve got a very small time window to medicate and avoid further damage,” Dr Daneff explained. “A serious delay might not kill people but can certainly leave them crippled. I’m pretty confident someone died due to this [WannaCry] attack.”

The group ran a simulation exercise with the authorities in Phoenix, Arizona, that revealed alarming results. The three-day simulated cyber-disaster involved one hospital in the city being infected by destructive malware that crippled essential services, followed by other digital assaults on hospitals across the city on the second day, and then a physical attack similar to the 2013 Boston marathon bombing on day three.

To their surprise, the simulations calculated deaths would occur almost immediately on day one. With elevators and HVAC systems out, and no refrigeration for medicines, patients had to be shuttled to other medical facilities and some were not making it there alive.

By day two, doctors switched from standard to disaster triage due to the sheer volume of patients not being treated. Typically, people are triaged so that the sickest or most seriously injured get treated first, but instead doctors had to switch to prioritizing those they could realistically save and left the more seriously sick to die.


All of these deaths, in the simulation, were caused by simple hacking, usually not even requiring physical contact with the devices to exploit their weaknesses, we’re told. Many older medical machines can’t be patched at all to secure them, making it pretty easy to pwn them once you’re on the network or find them on the public internet, while the makers of newer systems are proving frustratingly slow to respond to security vulnerabilities.

A case in point is the St Jude pacemaker case. It took a year after a security firm pointed out the failings of the pacemaker’s firmware for the health biz to release a patch and get it approved for use, and that isn’t uncommon.

Hospitals can’t even rip and replace systems and equipment to address the problem of poor device security. In general, it takes about six years to get approval from American regulators for a new medical device, and that rises to 10 if the device has to be implanted into a human. During that time, networks and kit remain potentially vulnerable to any malware that worms its way into a facility. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/26/malware_hospital_simulation/

The software flaw that could beam out passwords by DNS

The developer behind the popular iTerm2 software, an alternative to Apple’s Terminal emulator, has posted an urgent security fix after a user noticed it could inadvertently leak sensitive data when attempting to resolve URLs.

In a case underlining how well-intentioned plans can go badly awry, v3.0.0 of the application, launched in July 2016, included a helpful feature that made URLs into clickable links.

When the Cmd key was pressed, the application tried to determine whether the text under the cursor looked like a URL. If the text passed a few rudimentary tests, the application performed a DNS lookup for it, sending that text out over the network in cleartext.

Of course not everything under the cursor was a URL.

iTerm2 would happily perform DNS lookups on anything that passed its tests, including sensitive data such as passwords or private keys. The feature was also easy to trigger accidentally, wrote developer Peter van Dijk, who first researched the problem:

In the act of selecting text and Cmd-C’ing it to Copy, it is very easy to trigger this for passwords.

The developer’s response was to release a revised version, v3.0.13, which let users turn the feature off. But the issue remained live for anyone who didn’t update their software, or who left the application in its default state.

The vulnerability also had a second, less obvious consequence, for security researchers, explained another user:

Domains should not be queried through DNS to determine whether they are highlighted in iTerm. The current behavior can compromise a security analyst or incident-responders investigation by querying a URL unintentionally while in iTerm.

Often hackers/attackers monitor their attacking infrastructure for such investigators and these types of queries coming from a target’s network.
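The two consequences above (a password under the cursor and an indicator an analyst is reading both leave the machine as DNS queries) come from the same design decision: using the network to decide whether text is a link. The following is an added example that models that decision and its fix; it is not iTerm2’s code. The hostname heuristic, the recording resolver that stands in for the system resolver, and the sample strings are all constructed for illustration.

```python
import re

# Added example: a stand-in for the pre-3.1.1 iTerm2 behaviour and its fix.
# Not iTerm2's code. The hostname heuristic, the resolver stub and the
# sample strings are constructed for illustration.

# Roughly "two or more dot-separated DNS labels": letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)


def extract_host(text):
    """Strip an optional scheme and path so 'https://a.b/c' yields 'a.b'."""
    return text.split("://", 1)[-1].split("/", 1)[0]


def looks_like_hostname(text):
    return bool(_HOSTNAME_RE.match(extract_host(text)))


def leaky_link_check(text, resolver):
    """Old behaviour: confirm the candidate is a real link by resolving it.
    The resolver call is the leak: whatever passed the regex is sent to the
    configured DNS server in cleartext, password or not."""
    if not looks_like_hostname(text):
        return False
    return resolver(extract_host(text))


def safe_link_check(text):
    """Fixed behaviour: decide from syntax alone and never touch the network.
    A wrong guess costs a spurious underline, not a leaked secret."""
    return looks_like_hostname(text)


class RecordingResolver:
    """Stands in for the system resolver; records every name it would send."""

    def __init__(self):
        self.queries = []

    def __call__(self, host):
        self.queries.append(host)
        return True  # pretend every name resolves


# Constructed text that might sit under the cursor in a terminal session.
SAMPLE_TEXT_UNDER_CURSOR = [
    "https://example.com/docs",   # a genuine link
    "Tr0ub4dor.3",                # a password that happens to contain a dot
    "c2-staging.example.net",     # an indicator copied from a malware sample
    "hello world",                # ordinary text
]


def names_leaked_by(samples):
    """Run the old check over the samples and return what left the machine."""
    resolver = RecordingResolver()
    for text in samples:
        leaky_link_check(text, resolver)
    return resolver.queries


if __name__ == "__main__":
    print("old check would query:", names_leaked_by(SAMPLE_TEXT_UNDER_CURSOR))
    print("new check, no network:", [t for t in SAMPLE_TEXT_UNDER_CURSOR if safe_link_check(t)])
```

The syntax-only version still underlines the password, which is harmless; what matters is that nothing is resolved until the user deliberately follows the link. On a real host the same leak can be spotted from the outside by watching the resolver’s query log for names that look like credentials or like indicators from a case you are working.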

Last week, months on from the original complaint and under pressure from some users, iTerm2 was updated to v3.1.1, which rectifies the problem by completely disabling DNS lookups.

In fairness to iTerm2 developer George Nachman, checking that URLs actually work before allowing users to click on them would have looked like a user-friendly feature. The whole point of turning to an alternative to the macOS terminal is to make life slightly easier in myriad small ways after all – which the application achieves.

Admirably, Nachman has published his own short post-mortem of how the original problem occurred and why he overlooked fixing it when it was reported last year.

I don’t have an excuse: I just didn’t give this issue enough thought. I apologize for the oversight and promise to be more careful in the future. Your privacy will always be my highest priority.

The application has since received another tweak, taking it to v3.1.2. Anyone running v3.0.0 is advised to update to v3.1.1 or later as soon as possible.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0IeuEolNibY/

CBS’s Showtime caught mining crypto-coins in viewers’ web browsers

The websites of US telly giant CBS’s Showtime contained JavaScript that secretly commandeered viewers’ web browsers over the weekend to mine cryptocurrency.

The flagship Showtime.com and its instant-access ShowtimeAnytime.com sibling silently pulled in code that caused browsers to blow spare processor time calculating new Monero coins – a privacy-focused alternative to the ever-popular Bitcoin. The hidden software typically consumed as much as 60 per cent of CPU capacity on computers visiting the sites.

The scripts were written by Coin Hive, a legit outfit that provides JavaScript to website owners: webmasters add the code to their pages so that they can earn slivers of cash from each visitor as an alternative to serving adverts to generate revenue. Over time, money mined by the Coin-Hive-hosted scripts adds up and is transferred from Coin Hive to the site’s administrators. One Monero coin, 1 XMR, is worth about $92 right now.

However, it’s extremely unlikely that a large corporation like CBS would smuggle such a piece of mining code onto its dot-coms – especially since it charges subscribers to watch the hit TV shows online – suggesting someone hacked the websites’ source code to insert the mining JavaScript and make a quick buck.

The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. Again, it is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers’ pages, so the code must have come from another source – or was injected by miscreants who had compromised Showtime’s systems.
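A site owner can catch this kind of insert without waiting for a tip-off by auditing which script origins a page actually loads. The following is an added example of such a check and is not code from Showtime, New Relic or Coin Hive. The allowlist, the sample page and its site key are constructed; the marker strings are taken from Coin Hive’s publicly documented browser API (the coinhive.min.js library and its CoinHive.Anonymous / CoinHive.User constructors).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example: audit which scripts a page loads, of the kind that would have
# flagged the Showtime insert. Not code from Showtime, New Relic or Coin Hive.
# Allowlist, sample page and site key are constructed; marker strings come from
# Coin Hive's public browser API.

# Hypothetical allowlist of script origins the site owner expects to serve.
ALLOWED_SCRIPT_HOSTS = {"www.example-tv.com", "js-agent.newrelic.com"}
MINER_MARKERS = ("coinhive.min.js", "CoinHive.Anonymous", "CoinHive.User")


class ScriptAuditor(HTMLParser):
    """Collects external script hosts outside the allowlist and inline scripts
    containing miner markers, noting the last HTML comment seen so a finding
    can be tied to the block it was smuggled into."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False
        self._inline = []
        self._last_comment = ""

    def handle_comment(self, data):
        self._last_comment = data.strip()

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self._in_inline_script = True
            self._inline = []
            return
        if src.startswith("//"):            # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname
        if host is None:                     # relative path: same origin
            return
        if host not in ALLOWED_SCRIPT_HOSTS:
            self.findings.append({"kind": "external", "host": host,
                                  "near": self._last_comment})

    def handle_data(self, data):
        if self._in_inline_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            body = "".join(self._inline)
            hits = [m for m in MINER_MARKERS if m in body]
            if hits:
                self.findings.append({"kind": "inline", "markers": hits,
                                      "near": self._last_comment})


def audit_page(html):
    parser = ScriptAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: an allowlisted analytics agent, a same-origin script, and a
# miner wrapped in comments that make it look like part of an analytics insert.
SAMPLE_PAGE = """<html><head>
<script src="https://js-agent.newrelic.com/nr-1044.min.js"></script>
<script src="/static/player.js"></script>
<!-- analytics insert -->
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('constructed-site-key', {throttle: 0.4});
  miner.start();
</script>
<!-- end analytics insert -->
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE):
        print(finding)
```

Run against a crawl of your own pages, the external-host finding is the durable one: a miner can be renamed, but it still has to load from somewhere the page was never meant to talk to, which is also what a Content-Security-Policy script-src allowlist enforces at the browser.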

[Screenshots of the mining code as seen by El Reg on showtime.com and showtimeanytime.com before it was removed; images not reproduced here.]

We contacted both Showtime and New Relic today asking for more details. Showtime refused to comment. New Relic told us it had nothing to do with the mystery code.

“We take the security of our browser agent extremely seriously and have multiple controls in place to detect malicious or unauthorized modification of its script at various points along its development and deployment pipeline,” New Relic’s Andrew Schmitt told us.

“Upon reviewing our products and code, the HTML comments shown in the screenshot that are referencing newrelic were not injected by New Relic’s agents. It appears they were added to the website by its developers.”

We also asked Coin Hive for details on the user account the injected code was mining for. “We can’t give out any specific information about the account owner as per our privacy terms,” the outfit informed us. “We don’t know much about these keys or the user they belong to anyway.”

The outfit did confirm to us, however, that the email address used to set up the account was a personal one, and was not an official CBS email address, further suggesting malicious activity.

Pirate Bay

Coin Hive’s mining code was at the center of some attention last week when file-sharing search engine The Pirate Bay admitted it had added the coin-gathering JavaScript on its pages in order to test its profitability in an effort to get rid of ads on its site.

The code was poorly configured – web admins are allowed to set the hashing rate – and resulted in people’s machines slowing to a crawl, sparking complaints. Following the outcry, The Pirate Bay acknowledged the presence of the mining script, calling it “only a test” and promised to limit the CPU usage to make it less annoying. A few days later, the organization dropped the idea all together.


Coin Hive not only offers in-page mining but also mining through URL shorteners and CAPTCHAs. The huge advantage to a website operator using the code is that the script uses not only someone else’s processing power but also their electricity, meaning you can make money with very little effort. So long as you are willing to annoy your visitors.

Coin Hive’s pitch is that this script could allow publishers to pull annoying ads from their websites – which is something that could become more important as browsers increasingly block ads.

However, the code has already been inserted in browser extensions and on typosquatted websites. And now, it looks as though someone may have tried to hack Showtime’s website in order to insert the code and make money while not having any direct impact on the website itself.

If Coin Hive wants to be seen as legitimate rather than a tool for hackers and malware authors, it is going to have to rapidly figure out a better authorization system for big websites and work on making itself less attractive to scammers. Meanwhile, ad blocking tools are now killing the JavaScript on sight. ®

Hat tip to badpackets.net for alerting us to this mystery.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/25/showtime_hit_with_coinmining_script/

Brit broke anti-terror law by refusing to cough up passwords to cops

Muhammad Rabbani, international director of human-rights non-profit CAGE, was today convicted under UK anti-terror law for refusing to unlock his iPhone and laptop for police when entering the country.

Rabbani, 36, was found guilty at Westminster magistrates’ court of willful obstruction under Schedule 7 paragraph 18(1)(c) of the 2000 UK Terrorism Act. This law gives Brit cops the right to detain anyone entering Blighty on suspicion alone and hold them incommunicado for up to nine hours.

The plod also insists the anti-terror powers allow officers to demand people’s login details for their laptops, phones and other devices, so that data can be extracted for forensic examination and storage.

The Londoner was cuffed at Heathrow airport in November after returning to the UK from attending a wedding in Qatar. While over there, Rabbani had interviewed someone who claimed to have been detained and tortured by the US authorities.

After landing in England, the human-rights activist was ordered by police to unlock his hardware at the airport. He refused, saying he had sensitive legal documents on his devices that he wanted to keep private to respect his client’s confidentiality. He was later charged with willful obstruction. Below is a video of Rabbani explaining his reasoning.

[YouTube video: Rabbani explaining his reasoning]

“The importance of passwords and privacy cannot be overstated in the 21st century,” chief magistrate Emma Arbuthnot acknowledged during today’s sentencing hearing. Rabbani was also of good character, she said, but she declared that he had taken a “calculated risk” in not providing his passcodes to the police.

During his trial in the UK capital, the court was told Rabbani had been detained at least 20 times by the police when entering the country, but said he had never had to give up his passcodes before. He faced a possible three months in prison but instead was given a 12-month conditional discharge, meaning he is free to go, and told to pay £620 ($835) in court costs. He’ll be back in court for re-sentencing if he breaks the law again within the next year.


“Today’s judgment based on the judge’s and prosecution’s acceptance that I am of good character and worthy of belief, highlights the absurdity of the Schedule 7 law,” Rabbani told The Register in a statement.

“They accept that at no point was I under suspicion, and that ultimately this was a matter of having been profiled at a port. There are important implications for our collective privacy as Schedule 7 acts as a digital strip search. If privacy and confidentiality are crimes, then the law stands condemned.”

CAGE said that it would be appealing the case to the High Court and claimed it had “won the moral argument.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/25/rabbani_guilty_of_terrorism_charge_for_refusing_to_give_uk_police_iphone_password/

Privacy Shield Framework Gains Popularity in EU, US: Report

The IAPP-EY Privacy Governance Survey shows marked interest in the Privacy Shield framework to transfer personal data.

More organizations plan to rely on Privacy Shield to cover transfers of personal data from the European Union to the United States in 2018, as reported in the upcoming Privacy Governance Survey from EY and the International Association of Privacy Professionals (IAPP).

The survey annually monitors privacy practices among global organizations and this year covered 548 organizations. Nearly half (47%) of businesses transferring personal data from the EU to US will use Privacy Shield in 2018, an increase from 34% last year.

Small-to-medium-sized businesses are especially interested in Privacy Shield; 67% of those with fewer than 5,000 employees will use it as a data transfer mechanism in 2018. Excluding healthcare and financial services firms, which fall outside the jurisdiction of the FTC (the regulator that oversees Privacy Shield), 49% of US companies and 53% of EU companies will participate.

Privacy Shield is not the most common method of transferring data from the EU to the US. Standard contractual clauses will be used by 88% of respondents, researchers found. These findings come at a time of uncertainty for many businesses, which are increasingly interested in the derogations for data transfer outlined in GDPR, which takes effect in May 2018.

Full results of the survey will be revealed at the IAPP Privacy. Security. Risk. Conference Oct. 16-18.



Article source: https://www.darkreading.com/risk/privacy-shield-framework-gains-popularity-in-eu-us-report/d/d-id/1329968?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Breach at Deloitte Exposes Emails, Client Data

Intrusion may have resulted from company’s failure to properly secure a key administrator account.

Big Four accounting giant and cybersecurity consultancy Deloitte has suffered a data breach that ironically enough may have resulted from the firm’s failure to follow its own security advice to clients.

The Guardian on Monday reported that an intrusion at Deloitte between October and November last year exposed emails containing highly sensitive data belonging to an unknown number of large US companies and government organizations.

The intrusion, which Deloitte did not discover until March 2017, apparently stemmed from the company’s failure to use two-factor authentication to protect a critical administrator account — something that it advocates as a best practice for clients. Attackers used the account to get privileged and unrestricted access to Deloitte’s entire Azure-hosted email system.

During the multiple months that the threat actors managed to remain undetected on Deloitte’s network, they potentially had access to some 5 million emails. The attackers also had potential access to usernames, passwords, health information, and highly sensitive data belonging to an unspecified number of Deloitte’s clients, The Guardian said.

Deloitte itself has claimed that the actual number of emails and the scope of the data that was affected is only a “fraction” of the number suggested by The Guardian.

In an emailed statement to Dark Reading, Deloitte confirmed the breach and said the attackers had accessed data from the company’s email platform. Its investigation of the incident, the company said, has enabled it to understand precisely what data was at risk and what the attackers actually accessed.

Only a “very few” clients were affected, the company said. “No disruption has occurred to client businesses, to Deloitte’s ability to continue to service clients, or to consumers,” the statement noted. Deloitte immediately informed the appropriate government authorities upon breach discovery and contacted each of the clients that were affected, it added.

It’s unclear how the threat actor might have obtained access to the administrator account that The Guardian reported as being used for the theft. But the company’s apparent failure to properly protect it came in for some criticism Monday from security executives. 

Several feel that the company, as one of the largest cybersecurity consultancies in the industry, should have known better than to protect the account with a password alone, especially at a time when credential theft and misuse have become rampant.

“Clearly, they don’t exactly practice what they preach,” says Gaurav Banga, founder and CEO of Balbix. Based on the details available so far, the attack itself does not appear to be particularly sophisticated, he says. “If there is no two-factor authentication on administrative accounts, and unencrypted emails are floating around, then the adversary does not need to work very hard after an initial breach-head is established.”

The apparent fact that Deloitte did not discover the intrusion for several months is not entirely surprising in this context, adds Rich Campagna, CEO of Bitglass.

“Breaches involving credential compromise often take months to identify and remediate,” he says. “From an IT perspective, it can be difficult to notice unusual activity from hijacked accounts — it may simply appear that users are going about their jobs normally. At Deloitte’s scale, manual review of each somewhat suspicious transaction isn’t a feasible option.”

The main takeaway from incidents like these is that organizations must mandate two-factor authentication on all external accounts and services, adds Mark Dufresne, director of threat research and adversary prevention at Endgame.

“This is another example of a case in which the actors didn’t need exploits or malware to gain access,” says Dufresne, “but were simply able to capitalize on employees’ poor cyber hygiene.”
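Two of the points made above lend themselves to concrete checks: a policy rule that a privileged account must never sign in without a second factor, and a behavioural rule that flags a country the account has never used, which is one of the few signals left when a stolen credential otherwise looks like normal use. The following is an added example of both rules run over constructed sign-in records; it is not Deloitte’s or Azure’s logging, and the field names, accounts, roles, countries and timestamps are made up for illustration.

```python
# Added example: two checks that surface the kind of admin-account hijack
# described above, run over constructed sign-in records. Not Deloitte's or
# Azure's logging; all field names, users, roles, countries and timestamps
# are made up for illustration.

PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}

# Constructed sign-in events with ISO-8601 UTC timestamps (sortable as strings).
SAMPLE_SIGNINS = [
    {"ts": "2016-09-01T09:02:00Z", "user": "mailadmin@corp.example",
     "role": "Exchange Administrator", "mfa": False, "country": "US"},
    {"ts": "2016-09-15T10:41:00Z", "user": "mailadmin@corp.example",
     "role": "Exchange Administrator", "mfa": False, "country": "US"},
    {"ts": "2016-09-20T08:00:00Z", "user": "alice@corp.example",
     "role": None, "mfa": True, "country": "US"},
    {"ts": "2016-10-03T02:40:00Z", "user": "mailadmin@corp.example",
     "role": "Exchange Administrator", "mfa": False, "country": "NL"},
    {"ts": "2016-10-05T13:15:00Z", "user": "alice@corp.example",
     "role": None, "mfa": True, "country": "GB"},
]


def baseline_countries(records, cutoff):
    """Countries each account signed in from before the cutoff."""
    seen = {}
    for r in records:
        if r["ts"] < cutoff:
            seen.setdefault(r["user"], set()).add(r["country"])
    return seen


def detect(records, cutoff):
    """Return (rule, user, ts) alerts for sign-ins at or after the cutoff.

    Rule 1 is a policy check: a privileged role signing in with a password
    only. Rule 2 is behavioural: a country the account has never used before
    the baseline cutoff, rated high if the account is privileged."""
    baseline = baseline_countries(records, cutoff)
    alerts = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["ts"] < cutoff:
            continue
        privileged = r["role"] in PRIVILEGED_ROLES
        if privileged and not r["mfa"]:
            alerts.append(("privileged-signin-without-mfa", r["user"], r["ts"]))
        if r["country"] not in baseline.get(r["user"], set()):
            severity = "high" if privileged else "medium"
            alerts.append((f"new-country-{severity}", r["user"], r["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_SIGNINS, "2016-10-01T00:00:00Z"):
        print(alert)
```

The policy rule is the cheap one and fires on every password-only admin sign-in, including the two baseline events if you run it over the whole history, which is exactly what an MFA mandate is meant to make impossible. The behavioural rule is noisier (a travelling user trips it) but it is what catches the case Campagna describes, where the hijacked account is otherwise doing ordinary things.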


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: https://www.darkreading.com/attacks-breaches/breach-at-deloitte-exposes-emails-client-data/d/d-id/1329973?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Builds Automation into Windows Defender ATP

Automation can help manage and respond to alert overflow, but will come with its own specific set of challenges.

Microsoft plans to integrate automation and remediation capabilities into Windows Defender Advanced Threat Protection (ATP), addressing an industry-wide need for improved threat response at a time when alert volumes outweigh resources needed to handle them.

Windows Defender ATP was first announced in March 2016 and has since undergone a series of updates addressing detection, investigation, hunting, prevention, and response. Now Microsoft is adding automation and remediation, following its acquisition of Hexadite. The artificial intelligence firm’s automation technology will help businesses manage security alert overflow.

“One of the biggest challenges security teams have is there are so many issues, every new technology you have results in more alerts,” says Jeff Pollard, principal analyst for security and risk professionals at Forrester. Better detection capabilities have solved the visibility challenge but tightened resource constraints as teams scramble to address all the alerts they generate.

The imbalance is driving companies like Microsoft and other security vendors into orchestration, which Pollard says will help businesses “prioritize the sharpest needles in the haystack” instead of digging into every single event.

When Windows Defender ATP picks up alerts from other detection systems, its automation tech will start to collect and analyze network and endpoint data to investigate the full extent of the breach, says Rob Lefferts, director of program management for Windows and Enterprise Security. From there, it will be able to determine the best course of action for each alert.

As part of the added capabilities, Windows Defender ATP will be able to both prioritize and fix breaches. Admins can opt to run actions automatically for simple cases, or review them prior to execution in more complex scenarios.

“Resources are short, alert volumes are high, and prioritization is key,” says Lefferts. “We needed to bridge the gap between detection and remediation to deliver a seamless and continuous cyber-incident response.”

With a 90 to 95 percent automation rate on actionable alerts, organizations can better investigate alerts that would normally take an IT pro an average of six or seven hours, he adds.

In general, the rise of automation has its benefits but will also come with its own set of security challenges, says Pollard.

“One of the big downsides is that automation requires mature, sound processes,” he explains. “If you decide to automate certain actions, you need to make sure you’re not automating the wrong thing.”

Let’s say, for example, you automate the process of containing a machine in your environment because it’s associated with an outbreak. It could be the right thing to do unless you decide to contain business-critical systems and eliminate their ability to communicate with the network.

In a false-positive situation, you could potentially stop the business because you weren’t mature enough or lacked documentation, he says. The danger of automation is if you don’t understand your environment, you could automate yourself into disaster.

“If you don’t investigate as a person you have to hope the tech got it right … it’s not the thing you missed, it’s the thing you made the wrong decision about and it comes back to haunt you.”
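Pollard’s caveat translates directly into a gate in front of any automated containment action. The following is an added, illustrative example of such a gate; it is not Windows Defender ATP or Hexadite logic, and the asset inventory, alerts, categories and thresholds are constructed.

```python
# Added example: a gate in front of automated containment that encodes the
# caveat above. Illustrative SOAR-style logic, not Windows Defender ATP or
# Hexadite code; inventory, alerts, categories and thresholds are constructed.

# Alert categories judged safe to act on without a human in the loop.
AUTO_CATEGORIES = {"ransomware", "credential-dumping"}

# Constructed asset inventory. The 'critical' tag is the documentation that must
# exist before automation is switched on: an unknown or critical host never
# gets isolated automatically.
ASSET_INVENTORY = {
    "ws-0412": {"tier": "workstation", "critical": False},
    "ws-0777": {"tier": "workstation", "critical": False},
    "ws-0999": {"tier": "workstation", "critical": False},
    "sql-billing-01": {"tier": "server", "critical": True},
}

# Constructed alerts as a detection product might hand them over.
SAMPLE_ALERTS = [
    {"host": "ws-0412", "category": "ransomware", "confidence": 0.97},
    {"host": "sql-billing-01", "category": "ransomware", "confidence": 0.99},
    {"host": "ws-0777", "category": "suspicious-script", "confidence": 0.62},
    {"host": "ws-0999", "category": "credential-dumping", "confidence": 0.95},
    {"host": "lab-box-3", "category": "ransomware", "confidence": 0.98},
]


def decide_response(alert, inventory, min_confidence=0.9):
    """Return 'auto-isolate' only when the host is known, not business-critical,
    and the alert is high-confidence in a category pre-approved for automation.
    Everything else goes to a human."""
    asset = inventory.get(alert["host"])
    if asset is None:
        return "queue-for-review"      # not in inventory: environment not understood
    if asset["critical"]:
        return "queue-for-review"      # never cut off a critical system unattended
    if alert["category"] in AUTO_CATEGORIES and alert["confidence"] >= min_confidence:
        return "auto-isolate"
    return "queue-for-review"


def plan_responses(alerts, inventory, max_auto=1):
    """Apply the gate with a blast-radius limit: once max_auto hosts have been
    isolated automatically in one batch, further candidates are held for review,
    so a mis-tuned rule cannot take a whole floor off the network in one pass."""
    plan = {}
    auto_count = 0
    for alert in alerts:
        decision = decide_response(alert, inventory)
        if decision == "auto-isolate":
            if auto_count >= max_auto:
                decision = "queue-for-review"
            else:
                auto_count += 1
        plan[alert["host"]] = decision
    return plan


if __name__ == "__main__":
    for host, decision in plan_responses(SAMPLE_ALERTS, ASSET_INVENTORY).items():
        print(f"{host:15s} {decision}")
```

The two inputs the gate depends on, an accurate inventory and an agreed list of categories, are the “mature, sound processes” Pollard refers to; without them the safest setting is max_auto=0, which turns the whole thing back into a prioritised review queue.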

Pollard says this update demonstrates Microsoft’s commitment to becoming an enterprise security player. In the past, the company had integrated security functionality but didn’t have a management interface. Its focus on user experience has been a catalyst for changing its position as a major competitor. Now admins have an improved interface and don’t have to manage it via group policy, increasing the likelihood they will use Microsoft’s security tools.

“Part of the challenge for security is not just finding breaches and threat actors … usability is equally important,” Pollard explains. Microsoft’s focus on cloud services like Azure and Office 365 has demanded the company prioritize user experience; as a result, he has noticed improvement across their entire ecosystem.

Microsoft says the new automated response capabilities will be available for preview later this year. You can check out a 90-day trial and read more details in Lefferts’ blog post on the news.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/endpoint/microsoft-builds-automation-into-windows-defender-atp/d/d-id/1329974?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

After DHS Notice, 21 States Reveal They Were Targeted During Election

Election officials in swing states Florida, Ohio, and Pennsylvania among those who report Russian state-sponsored attackers targeted their systems.

The US Department of Homeland Security notified election officials in all 50 states on Friday, informing 21 that their states had been targeted by Russian state-sponsored cybercriminals during the 2016 election campaign, the Associated Press reported. 

There is still no evidence that any votes were changed, according to the DHS. Incidents in most states amounted to vulnerability scans.

Although the DHS had previously stated that 21 states were targeted in such probes, the agency had not contacted the state election officials themselves until now. The DHS left it to state officials to decide whether to publicly disclose that they had been targeted. Election officials in Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Florida, Illinois, Iowa, Maryland, Minnesota, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Texas, Virginia, Washington, and Wisconsin confirmed to HuffPo and the Associated Press that they’d been told they were targeted.

“It’s unacceptable that it took almost a year after the election to notify states that their elections systems were targeted, but I’m relieved that DHS has acted upon our numerous requests and is finally informing the top elections officials in all 21 affected states that Russian hackers tried to breach their systems in the run up to the 2016 election,” Sen. Mark Warner (D-Va.), the top Democrat on the Senate Intelligence Committee, said in a statement.

“The delay by the DHS to notify the 21 states targeted by Russian hackers is significant,” said Merike Kaeo, CTO of Farsight Security, Inc. in a statement. “Transparency and timely dissemination of information to affected parties is critical and a year seems like a long time for notifications. … To ensure the future integrity of our election system, it is important that the DHS disclose the reason behind the notification delay and put the proper processes in place to ensure the delays won’t happen again. Every security incident is a validation or improvement opportunity of incident response processes.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/after-dhs-notice-21-states-reveal-they-were-targeted-during-election--/d/d-id/1329972?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Joomla 3.8 fixes serious LDAP authentication issue, update now

Version 3.8 of Joomla, the world’s second-most popular website content management system (CMS), is out. The update includes fixes for two security issues including a very serious flaw in Joomla’s LDAP Authentication Plugin.

Although the CMS’s popularity is a distant second behind the juggernaut that is WordPress, it is running on over 3% of the world’s websites today (that’s tens of millions of sites).

The first vulnerability fixed in the 3.8 release is an LDAP injection vulnerability that had gone unnoticed for almost a decade until its recent discovery.

LDAP (Lightweight Directory Access Protocol) is a protocol for sharing directories of information, such as lists of users and their passwords, throughout a network.

Dr. Johannes Dahse at RIPS Technologies found the injection vulnerability and describes it as a bug that allows an attacker to “extract all authentication credentials … in 20 seconds” including the administrator credentials.

Credentials, he explains, are guessed “character by character”:

The lack of input sanitization of the username credential used in the LDAP query allows an adversary to modify the result set of the LDAP search. By using wildcard characters and by observing different authentication error messages, the attacker can literally search for login credentials progressively by sending a row of payloads that guess the credentials character by character.

Dahse’s proof of concept shows that an attacker could gain administrative access within a matter of seconds. With an administrator password an attacker could log in to a Joomla-powered website’s control panel and do just about whatever they like.
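An added illustration of the filter-construction mistake described above and its fix; this is not Joomla’s or RIPS Technologies’ code. The username is interpolated into an assumed `(uid=...)` filter either verbatim or after RFC 4515 escaping, and a tiny simulated directory shows how an unescaped wildcard changes the result set. The filter template, the directory entries and all function names are assumptions.

```python
import re

# Constructed sample directory (not real data): the uid of three accounts.
DIRECTORY = ["admin", "alice", "bob"]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become backslash + two hex
    digits, so the directory matches them literally rather than as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(username: str, escape: bool) -> str:
    """Assumed filter template (uid=<username>). escape=False is the vulnerable
    pattern (raw interpolation); escape=True is the hardened one."""
    value = escape_filter_value(username) if escape else username
    return "(uid=%s)" % value


def _assertion_to_regex(value: str) -> "re.Pattern[str]":
    """Interpret an assertion value the way a directory server would: an unescaped
    '*' matches any run of characters, and \\xx sequences decode to literal chars."""
    pattern, i = "", 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            pattern += re.escape(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        elif value[i] == "*":
            pattern += ".*"
            i += 1
        else:
            pattern += re.escape(value[i])
            i += 1
    return re.compile("^" + pattern + "$")


def search(ldap_filter: str) -> list:
    """Simulated server-side evaluation of a (uid=...) filter over DIRECTORY."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("unsupported filter: " + ldap_filter)
    rx = _assertion_to_regex(m.group(1))
    return [uid for uid in DIRECTORY if rx.match(uid)]


if __name__ == "__main__":
    for escape in (False, True):
        f = build_filter("a*", escape)
        # vulnerable: (uid=a*) -> ['admin', 'alice']; hardened: (uid=a\2a) -> []
        print(f, "->", search(f))
```

The same escaping must be applied to every attacker-controlled value that reaches a filter, and a filter that still contains a bare `*` after building is a cheap thing to assert on in tests.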

This vulnerability is newly-discovered but has apparently existed in Joomla for a very long time, as the affected versions go all the way back to version 1.5.

LDAP is popular with enterprises and is less likely to be used by small business websites or on personal deployments of Joomla, so the sites affected could represent a self-selecting group of high value targets for attackers.

Joomla rates this vulnerability (CVE-2017-14596) as a medium-severity bug, perhaps because LDAP isn’t the default authentication mechanism. If you use LDAP you should upgrade now (Joomla promises “3.8 is a one-click update just like previous 3.x versions.”)

The second bug fixed in Joomla 3.8 (CVE-2017-14595) affects all versions of Joomla 3.7, and it’s a SQL bug that could allow an attacker to access an article’s introductory text even if that article is archived (when it shouldn’t be accessible at all).

Joomla rates this one as a low severity vulnerability, though upgrading to version 3.8 will fix both this issue and the nastier LDAP injection bug.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PNqHgsBtOdk/