STE WILLIAMS

Microsoft Tools Focus on Insider Risk, Data Protection at Ignite 2019

New tools and updates aimed at addressing ongoing challenges with insider threats and sensitive data classification.

Microsoft today kicked off its 2019 Ignite conference, bringing with it a wave of security-related announcements across its products and services. A few key focus areas surrounding today’s updates are data protection and governance, insider risk management, and threat detection.

While the industry often talks about advanced attacks, what businesses need to focus on is basic protective steps and defending against the threats they face on a daily basis, says Rob Lefferts, corporate vice president at Microsoft Security.

“Unfortunately, we continue to see success with the same sets of techniques,” he explains, noting “there is a need to swing the pendulum to think about protection.” Defenders have a “truly endless” to-do list in terms of what they can do to improve on threat prevention.

“We need to use that kind of insight — what’s going on in the threat landscape, geography, industry [and] what are the most important things they can act on so they’ll be ready for the next wave of attacks,” says Lefferts.

This focus on defense has driven many of the announcements coming from Ignite today: Microsoft is extending Application Guard container protection to Office 365 starting today, in limited preview. It’s also adding endpoint detection and response (EDR) capabilities to Microsoft Defender ATP for Mac, available in public preview this week. Moving forward, it plans to offer Microsoft Defender ATP for Linux servers for broader network protection.

Below are a few more updates from the Orlando conference today.

Insider Risk Management
A top concern among Microsoft customers is the threat of an insider attack, says Alym Rayani, senior director of Microsoft 365 compliance. More than 90% feel vulnerable to this type of attack, he says, and most don’t have a way to deal with it.

Now in private preview is Insider Risk Management, a tool to help identify and remediate threats coming from within the organization. It leverages signals from Microsoft Graph and other services to pull file activity, communications sentiment, and suspicious behavior from Office, Windows, and Azure. Companies can also collect third-party signals from human resources systems such as SAP and Workday. Insider Risk Management comes with a set of configurable “playbooks,” which correlate signals to identify hidden patterns and risks.

Admins have a summary of individual risks throughout the company, including a timeline of activities and trends associated with each identified user. “You have this curated view of the individual risks in the organization,” says Rayani. For example, an admin could see if someone downloaded files, copied them to a USB drive, and submitted their resignation on the same day.
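The correlation the article describes (file download, USB copy and a resignation within the same day, with display names anonymized) can be reproduced in a few dozen lines. The following is an added illustration, not Microsoft’s code or data format: the playbook structure, the event fields and the sample events are all constructed here, and the HMAC-based pseudonym is one way to anonymize names rather than the product’s method.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import hmac

# Constructed sample signals (not real telemetry): Office/Windows file activity
# merged with an HR-system feed, one dict per event.
SAMPLE_EVENTS = [
    {"ts": datetime(2019, 11, 4, 9, 0),  "user": "alice@example.test", "source": "sharepoint", "kind": "file_download",         "detail": "Q4-roadmap.pptx"},
    {"ts": datetime(2019, 11, 4, 9, 30), "user": "alice@example.test", "source": "windows",    "kind": "usb_copy",              "detail": "Q4-roadmap.pptx -> E:\\"},
    {"ts": datetime(2019, 11, 4, 16, 0), "user": "alice@example.test", "source": "hr",         "kind": "resignation_submitted", "detail": "last day 2019-11-18"},
    {"ts": datetime(2019, 11, 3, 10, 0), "user": "bob@example.test",   "source": "sharepoint", "kind": "file_download",         "detail": "expenses.xlsx"},
    {"ts": datetime(2019, 11, 4, 11, 0), "user": "bob@example.test",   "source": "hr",         "kind": "resignation_submitted", "detail": "last day 2019-11-29"},
    {"ts": datetime(2019, 11, 4, 14, 0), "user": "carol@example.test", "source": "windows",    "kind": "usb_copy",              "detail": "photos.zip -> E:\\"},
]

# A minimal "playbook" (hypothetical structure): an anchor event, the other
# signal kinds that must also occur near it, and how wide "near" is.
DEPARTING_EMPLOYEE = {
    "name": "departing employee data exfiltration",
    "anchor": "resignation_submitted",
    "requires": {"file_download", "usb_copy"},
    "window": timedelta(days=1),
}


def run_playbook(events, playbook):
    """Correlate per user: report every anchor event whose +/- window also
    contains all required signal kinds, with the surrounding timeline."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for anchor in (e for e in evs if e["kind"] == playbook["anchor"]):
            lo = anchor["ts"] - playbook["window"]
            hi = anchor["ts"] + playbook["window"]
            nearby = [e for e in evs if lo <= e["ts"] <= hi]
            if playbook["requires"] <= {e["kind"] for e in nearby}:
                findings.append({
                    "playbook": playbook["name"],
                    "user": user,
                    "anchor_ts": anchor["ts"],
                    "timeline": [(e["ts"], e["source"], e["kind"], e["detail"]) for e in nearby],
                })
    return findings


def pseudonym(user, secret):
    """Stable keyed pseudonym: analysts see a consistent handle, not the name.
    The secret stays with the HR/legal side of the workflow that may de-anonymize."""
    return "user-" + hmac.new(secret, user.encode(), "sha256").hexdigest()[:10]


def report(findings, secret):
    """Copy of the findings with display names anonymized by default."""
    return [dict(f, user=pseudonym(f["user"], secret)) for f in findings]


if __name__ == "__main__":
    for f in report(run_playbook(SAMPLE_EVENTS, DEPARTING_EMPLOYEE), b"constructed-secret"):
        print(f["playbook"], f["user"], f["anchor_ts"])
        for row in f["timeline"]:
            print("   ", *row)
```

Only alice trips the playbook: bob’s download falls outside the one-day window around his resignation and carol has no anchor event at all, which is the point of requiring several independent signals before a person is surfaced to reviewers.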

“You can get a picture of the context of why something might be happening,” he adds. To maintain confidentiality, display names for risky users can be anonymized by default. Workflows are integrated so people in security, HR, legal, and compliance are involved in acting on risks.

Data Protection in Power BI
Microsoft is bringing new data protection capabilities to Power BI in an effort to improve governance and data security. Users can now classify and label sensitive Power BI data with the same Microsoft Information Protection sensitivity labels used in Office. These labels are managed by admins, who can configure labels for both Power BI and all Microsoft 365 apps.

This means governance policies can be enforced when Power BI content is exported to Excel, PowerPoint, or PDF to ensure it’s protected as it travels. Power BI data protection is also integrated with Microsoft Cloud App Security, so admins can monitor and protect users’ interactions with sensitive data with alerts, session monitoring, and risk remediation. As Power BI data is shared across platforms, this helps admins maintain control over who is using it.

These capabilities are now available in public preview and active when Power BI is paired with Microsoft Information Protection and Microsoft Cloud App Security.

Labeling and Classification in Outlook
As part of its efforts to build out data classification, labeling, and protection, Microsoft is making user-driven sensitivity labeling natively available in Outlook Mobile on iOS and Android. Further, automatic classification-based content inspection will be available in Word, Excel, PowerPoint, and Outlook for customers running the Office 365 ProPlus version of Office apps.

Microsoft also debuted “trainable classifiers,” which teams can use to train the classification engine to automatically organize datasets, label data, and apply policies. For example, the classifier can point to the SharePoint library and recognize documents that share a trait that makes them sensitive. The user can validate this and deploy policies across Microsoft 365.

Automatic classification can apply sensitivity labels based on context. If you’re typing something related to personally identifiable information (a credit card number, for example), it can recognize this and offer a recommendation in case the user wants to classify the file. The level of protection shows up natively in the apps or in the SharePoint library, says Rayani. The ability to use classifiers in combination with sensitivity labels will be available in preview later this year.
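As an added illustration of the recommendation flow described above (not Microsoft’s classifier or label names), the following recognizes payment-card numbers in free text with a Luhn check, masks the evidence, and returns a suggested label. The label name is an assumption; real tenants define their own taxonomy.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed label name; not a Microsoft default.
RECOMMENDED_LABEL = "Confidential - Payment Data"


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers; rejects most digit runs
    (order numbers, phone numbers) that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return (masked_number, span) for every Luhn-valid candidate in text."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(("*" * (len(digits) - 4) + digits[-4:], m.span()))
    return hits


def classify(text):
    """Suggest a sensitivity label, with masked evidence, or None if nothing
    sensitive was recognized. Mirrors the 'offer a recommendation' step."""
    hits = find_card_numbers(text)
    if not hits:
        return {"label": None, "evidence": []}
    return {"label": RECOMMENDED_LABEL, "evidence": [masked for masked, _ in hits]}


if __name__ == "__main__":
    # Constructed sample inputs.
    print(classify("Please charge card 4111 1111 1111 1111 for invoice 7"))
    print(classify("Order number 1234 5678 9012 3456"))
```

The second sample has the right shape but fails the checksum, so no label is suggested; pairing a pattern with a validator is what keeps the recommendation from firing on every long number a user types.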

Compliance Score
With compliance requirements changing by the day, Rayani says, organizations have trouble keeping up. Compliance Score, now in public preview, is a new tool intended to simplify compliance and help them be more proactive by scanning environments and providing guidance on information protection, governance, and device management. This way, even admins who aren’t compliance experts can monitor risks in the business and remain compliant.

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/microsoft-tools-focus-on-insider-risk-data-protection-at-ignite-2019/d/d-id/1336267?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Security Setting Ironically Increases Risks for Office for Mac Users

Excel’s handling of an old macro format gives unauthenticated remote attackers a way to take control of vulnerable systems, Carnegie Mellon’s CERT/CC says.

A Microsoft security setting designed to keep users safe from Internet-borne threats has actually made users running the latest versions of Microsoft Office for Mac more vulnerable to remote attacks.

Carnegie Mellon University’s CERT Coordination Center (CERT/CC) on Friday warned that systems running Microsoft Office for Mac — including fully patched Office 2016 and Office 2019 versions — can be attacked remotely because of a trivially exploitable bug in Excel involving XLM, an old macro format.

The bug results in XLM macros being enabled to run without prompting on a vulnerable system when a user has configured Excel to do exactly the opposite — that is, to disable all macros without notification.

In a note Friday, CERT/CC at Carnegie Mellon University described the issue as giving unauthenticated remote attackers a way to execute arbitrary code on systems running Office for Mac.

By convincing a user to open specially crafted Microsoft Excel content on a Mac that has “Disable all macros without notification” enabled, a remote attacker can gain the same level of access to the system that the legitimate user has, CERT/CC said in its vulnerability note.

“Attackers can do anything that they want by exploiting this issue,” says Will Dormann, senior vulnerability analyst at CERT/CC. “They could install a virus, steal private files, or install ransomware. The sky’s the limit.”

In a statement, a Microsoft spokeswoman said Microsoft was committed to investigating reported security incidents. “We will provide updates for impacted devices as soon as possible.”

The problem lies in how Microsoft Excel handles XLM content in SYLK (SYmbolic LinK) files, Dormann says.

XLM is a macro format that used to be available in Excel versions up to and including Excel 4.0. Though Excel versions since then use VBA macros, Microsoft has continued to support XLM macros in later Excel releases, including those available with the latest Office versions for Mac.

SYLK itself is a file format that has been around since the 1980s for transferring data between spreadsheet, database, and other applications. Though it is barely used these days, SYLK files continue to be supported in recent Office and Excel versions.

Macros in the SYLK format are problematic because Microsoft Office does not open them in Protected View — a mechanism for protecting against files downloaded from unsafe locations, CERT/CC said. As a result, SYLK files give attackers an opening to try to sneak malicious content onto a device without generating any of the usual Microsoft security alerts.
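Because SYLK is a plain-text record format, a mail gateway or file scanner can look for macro content directly rather than relying on Excel’s prompt. The scanner below is an added example, not CERT/CC’s or Outflank’s code; it assumes, from the public write-up the article references, that a macro sheet is marked by an `O;E` record, that `NN;N…` records define names such as Auto_Open, and that formula cells are `E`-prefixed fields of `C` records. Both sample files are constructed here.

```python
import re

# Constructed sample SYLK files (not real captures). CR/LF line endings as Excel writes them.
BENIGN_SYLK = 'ID;P\r\nC;Y1;X1;K"Product"\r\nC;Y1;X2;K42\r\nE\r\n'
SUSPICIOUS_SYLK = 'ID;P\r\nO;E\r\nC;X1;Y1;K0;EEXEC("placeholder-command")\r\nE\r\n'

# XLM functions that reach outside the workbook; worth flagging whenever they
# appear in a formula cell of a SYLK file. List is an assumption, extend as needed.
RISKY_FUNCS = ("EXEC", "CALL", "REGISTER", "RUN", "FOPEN", "FWRITE")
AUTO_NAME = re.compile(r"^NN;N(Auto_Open|Auto_Close)\b", re.IGNORECASE)


def scan_sylk(text):
    """Return (line_number, description) findings for a SYLK document.
    Non-SYLK input (no ID; header) yields no findings. Field splitting on ';'
    is deliberately simple; quoted strings containing ';' are not handled."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("ID;"):
        return []
    findings = []
    for n, line in enumerate(lines, 1):
        fields = line.split(";")
        if fields[0] == "O" and "E" in fields[1:]:
            findings.append((n, "macro-sheet option record (O;E)"))
        if fields[0] == "NN" and AUTO_NAME.match(line):
            findings.append((n, "auto-run defined name"))
        if fields[0] == "C":
            for field in fields[1:]:
                if field.startswith("E"):          # formula field
                    expr = field[1:].upper()
                    for fn in RISKY_FUNCS:
                        if fn + "(" in expr:
                            findings.append((n, f"formula calls {fn}()"))
    return findings


def is_risky(text):
    """True when any macro indicator is present; the gateway decision."""
    return bool(scan_sylk(text))


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SYLK), ("suspicious", SUSPICIOUS_SYLK)):
        print(name, "->", scan_sylk(doc) or "no macro indicators")
```

A plain data export produces no findings, so the check can run on every `.slk` attachment without drowning reviewers. It complements rather than replaces the client-side setting the article recommends, since a gateway scan catches the file before any Excel macro logic is consulted.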

Researchers from IT security firm Outflank last year showed how attackers could embed malicious XLM content in a SYLK file and get it to auto-execute in Office 2011 for Mac without generating any user alert or macro prompt, Dormann says.

At that time, Microsoft had noted that Excel for Mac 2011 was not supported anymore and thus not eligible for security updates, Dormann says. The company had pointed to Mac Excel 2016 and Mac Excel 2019 as responding correctly in the same situation, Dormann says.

But the reality is that while Excel 2016 and 2019 do indeed prompt before running XLM macros in SYLK files, they do so only with the default security setting of “Disable all macros with notification,” he says.

If a user were to choose the stronger “Disable all macros without notification” option, the XLM macro would do the opposite. It would run without generating any macro prompt and not just with Office 2011 for Mac, but with Office 2016 and Office 2019 for Mac as well, Dormann notes.

“It’s clearly a mistake,” he says. “Microsoft can fix the logic error in the handling of the macro setting in Excel for Mac, but this will require them to both fix the software and also deploy the fixed version.”

Until that point, the best option for Mac users is to use the “Disable all macros with notification” setting instead. “The trade-off with using this setting is that it increases the risk for modern (VBA) macros, but will prevent automatic exploitation with SYLK XLM macros,” Dormann says.

Ever since Outflank published its technique of using XLM macros in SYLK files, attackers have been exploiting the issue in the wild, Dormann says. What’s new with CERT/CC’s advisory is that a security setting “that should protect against exploitation of the technique ironically makes Mac systems more vulnerable,” he adds.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/microsoft-security-setting-ironically-increases-risks-for-office-for-mac-users/d/d-id/1336268?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple developers – get this update to protect the rest of us!

Apple just pushed out an update to its widely used software development toolkit, Xcode.

New Xcode releases are pretty common immediately after updates to macOS or iOS, typically to provide official support and documentation for new programming features in the latest operating system versions.

The Xcode 11.2 release was a bit different, however, even though it followed closely on the heels of the recent macOS 10.15.1 and iOS 13.2.1 updates.

Xcode 11.2 comes with its own security advisory urging you to get (and then to verify that you have correctly installed) the new version, thanks to a pair of security flaws denoted CVE-2019-8800 and CVE-2019-8806.

These flaws are described in Apple’s typically perfunctory fashion in APPLE-SA-2019-11-01-1 (SA stands for security advisory):

Processing a maliciously crafted file may lead to arbitrary code execution.

In other words, it sounds as though the supposedly innocent task of just compiling, or building, a software project – something that’s supposed to be ‘mostly harmless’ – could inject malware onto your system.

That might sound like an unspectacular sort of vulnerability, given that the first thing you usually do after building a new source code release is to test it, which means running the application you just created, warts and all.

So, crooks who wanted to invade your network via your build system could just add malicious code into the source itself, ready to be compiled directly into the output of the build process.

Then the crooks would just wait for you to run the Trojanised app after you’d built it, which you are almost certainly going to do, otherwise you wouldn’t have bothered to build it in the first place.

Why infect the build system?

However, there’s still a serious issue here, namely that in many companies that build their own software, the build system itself is assumed to be correct and inviolable – it’s carefully and purposefully configured so that the software it creates is never actually executed there.

Simply put, you usually keep the process of creating a new program from source code separate from testing and approving it for deployment.

That way, if there is a dangerous bug in the newly-built app – whether accidentally or deliberately introduced – then you have a fighting chance of finding it during your test process, rather than putting the build system or your live network at risk.

Test systems are generally rebuilt afresh each time they’re used, for example using virtualisation and configuration management software, so that each test stands alone and can’t be affected for better or worse by what happened last time.

For example, if an app requires a specific DLL installed alongside it in order to work, and you want to test that the needed DLL is correctly installed if it’s missing, you need to be sure that it wasn’t left behind from a previous test, perhaps of a different version of the software.

But build systems aren’t always treated the same way, so malware that specifically targets the build process can cause an enormous and hard-to-find headache.

When developers become “trusted malware spreaders”

Ten years ago, a virus called W32/Induc-A spread widely around the world, and took months to get rid of, precisely because it targeted software developers to turn them into “trusted spreaders”.

The Induc malware only actively infected your system if you had the Delphi compiler installed, otherwise it just sat there quietly, doing very little to draw attention to itself.

If you were a Delphi developer, however, the virus rewrote one of the source code files that was part of the build system itself.

The result was that any program you compiled thereafter would be infected with the malware, but it wouldn’t show its hand again until the newly-compiled program was installed on another developer’s computer.

Ironically, in many companies with in-house development teams, this temporarily turned traditional security advice on its head, because Delphi software built internally was as good as guaranteed to be infected, whereas even unknown and untrusted software downloaded from random sites on the internet had at least some chance of being clean.

In a similar sort of two-stage attack, the infamous Stuxnet virus affected industrial control devices (allegedly, the centrifuges in Iran’s uranium enrichment plant at Natanz) by infecting the computers on which the control software was built and downloaded to the devices themselves.

What to do?

We updated our own installation of Xcode as soon as we received the security advisory.

Unfortunately, it wasn’t quite as easy as suggested in the advisory email, which told us to visit https://developer.apple.com/xcode/downloads/, where we found only the beta 2 version of Xcode 11.2 [2019-11-02T16:00Z]:

Neither About This Mac nor the App Store showed any updates for us, either, with the former assuring us our macOS was up-to-date, and the latter showing no updates outstanding for any of our installed apps [2019-11-02T16:13Z]:

In the end, visiting https://developer.apple.com/download/more/ and searching for Xcode took us to our goal:

If you’re an Apple developer, we suggest you do the same.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FxxcQ0wOZOo/

In a world of infosec rockstars, shutting down sexual harassment is hard work for victims

Cassie was studying for the computer security industry qualification CISSP when the harassment started.

A friend she had met at a nearby hacker meetup offered to help her prepare for the exams, and guide her through the world of infosec.

“He asked me about what my goals are and offered to mentor me. He also offered to provide me with resources to study for the CISSP certification exam,” she said.

“I gladly accepted his offer in hopes of advancing my career and provided him with my email address.”

As is often the case, he wanted to be more than friends, and when she turned down his romantic advances, the once seemingly friendly gestures deteriorated into sustained harassment. Cassie said that, despite making it clear she was not interested, the man continued to pester her with messages, and approach her at infosec events.

“While I was studying for the CISSP exam, he would frequently invite himself over. He would insist that I needed to relax and that he would teach me to pick locks,” Cassie told The Register. “I politely declined his offers. I was okay with being around him in public, but not alone.”

This experience is not unique. People in nearly every profession have complained of harassment from their colleagues and superiors for decades. For hackers, however, there are various factors that can make reporting a harasser particularly difficult for those who are trying to break into the field.

‘A desire to protect and defend’

Gabrielle Hempel, a junior pen-tester with BlackMirage, told The Register she has seen firsthand and through conversations with other women how the tightly knit hacker culture can intimidate those who want to speak up. Really, that close-knit culture should use its energy to defend and stand up for victims of abuse, rather than maintain the status quo and shield abusers.

“The hacker community largely came about as a subculture, and I think there is a strong sense of loyalty among people in it,” Hempel said. “When you all share this hobby or passion and run in the same circles in an industry where everyone seemingly knows each other, there’s a desire to protect and defend some of the established people in the industry.”

Indeed, when allegations surfaced against prominent men in the world of cyber-security, it was clear that the victims in each case had their early complaints of harassment and abuse swept under the rug or shouted down by other members of the community.


“We put people up on pedestals and then we don’t want to hear about it when they do something wrong,” said Cooper Quintin, a staff technologist at the Electronic Frontier Foundation. “You get this sort of myopia to anything they do wrong because of all the good work and stuff they have done. I really think that that is at the heart of the problem.”

This was certainly the case for Cassie, who said that after she finally stepped up and tweeted about the harassment she was receiving, all hell broke loose. Her harasser had friends within the infosec world who began to target her and those close to her with further attacks.

“I tried to come out about this the end of July and [his friend] had her followers coming for me. I was very stressed out,” she said. “I left work early one day because I was having a panic attack. This is a social media nightmare and she also involved my significant other which I did not appreciate.”

This, again, is not something exclusive to the infosec and hacking community. It is not too dissimilar to the entertainment, media, and music businesses, in which newcomers, particularly young women, are subjected to harassment or worse by powerful figures who are protected by others.

“I have worked with women who have had no idea where to start or what to do because they knew the person harassing them was in a position of power within our industry, and they were worried about the repercussions,” said Hempel. “I do know of quite a few women who have come forward and been attacked from all angles by supporters and friends of their harasser. I think it’s definitely part of the problem.”

So, what is the solution?

For one thing, the hacking community needs to change the way it treats its heroes, or even rethink who its heroes really are. While the allure of the “rock star” hacker with the big personality can be hard to resist, most of the best research is being done by people with little desire for the power and attention that is so often used to abuse others.

“The thing is, you never hear from the people that are quietly doing the work, because they are just doing the work,” noted Quintin. “The people that are doing the work don’t want the attention, they don’t have time to go on stage, they do it quietly and they are not being recognized.”

Cassie, meanwhile, has started an organization dedicated to protecting those new in infosec: Gate Breachers provides resume review, mentorship, and career advice for women and those of underrepresented genders.

She also has advice for people facing harassment amid their efforts to pursue careers in information security.

“I would advise speaking to other women even if it’s through the whisper network. If enough women see a pattern of this behavior being exhibited then come together and say something,” she said. “Chances are you aren’t the only one. Your voice could help 10 other women.” ®

We’ve changed Cassie’s name to protect her real identity.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/11/04/hackers_and_harassment/

DoHn’t believe the hype! You are being lied to by data-hungry ISPs, Mozilla warns lawmakers

Mozilla has asked American politicians to probe the data-collecting policies of US broadband giants, claiming the ISPs made false statements to derail DNS-over-HTTPS so that they can continue to snoop on subscribers’ internet activities.

DNS-over-HTTPS (DoH) is a recently-ish developed technique to transmit domain-name queries – by which human-readable domain names like theregister.co.uk get mapped to computer-friendly IP addresses like 104.18.234.86 – to a DNS server over an encrypted HTTPS connection rather than the unprotected old-fashioned way in plaintext. This wrapper of security ensures that the DNS service provider can answer the query while preventing eavesdroppers on the network from snooping on or tampering with the requests.
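To make the mechanism concrete, here is an added example (not Mozilla’s, Google’s or any resolver’s code) that builds the DNS wire-format query for theregister.co.uk, wraps it the two ways RFC 8484 allows (a GET with a base64url `dns` parameter, or a POST body of type `application/dns-message`), and parses a constructed reply carrying the 104.18.234.86 address the article quotes. No network traffic is sent; the resolver host `doh.example` is a placeholder.

```python
import base64
import struct

A_RECORD = 1
IN_CLASS = 1


def encode_name(name):
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=A_RECORD, txid=0):
    """Standard DNS query message. RFC 8484 recommends ID 0 so identical
    queries produce identical HTTPS requests and can be cached."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)


def doh_get_path(query):
    """GET form: base64url without padding in the 'dns' parameter."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(query).decode().rstrip("=")


def doh_post_request(query, resolver_host="doh.example"):
    """POST form: the raw DNS message is the HTTP body; all of this travels inside TLS."""
    head = (f"POST /dns-query HTTP/1.1\r\nHost: {resolver_host}\r\n"
            f"Accept: application/dns-message\r\n"
            f"Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n").encode("ascii")
    return head + query


def skip_name(msg, pos):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer
            return pos + 2
        pos += 1 + length


def parse_a_answers(msg):
    """Extract dotted IPv4 addresses from the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == A_RECORD and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return answers


def constructed_response(query, ip):
    """Build the reply a resolver would return; constructed for this example."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = query[12:]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 300, 4)
    rr += bytes(int(o) for o in ip.split("."))
    return header + question + rr


if __name__ == "__main__":
    q = build_query("theregister.co.uk")
    print("wire query :", q.hex())
    print("GET path   :", doh_get_path(q))
    print("POST bytes :", len(doh_post_request(q)))
    print("answer     :", parse_a_answers(constructed_response(q, "104.18.234.86")))
```

The bytes produced by `build_query` are exactly what a classic resolver receives on UDP port 53, where any on-path observer can read the queried name; with DoH the same bytes become the body or the `dns=` parameter of an HTTPS request, so the observer sees only a TLS connection to the resolver.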

Mozilla and Google recently made DoH available in their respective browsers. So ISPs, worried about being denied valuable user data, are pushing back. In a letter [PDF] last month to members of US Congress, telecom industry groups urged lawmakers to look into Google’s implementation of DNS. And the House Judiciary Committee has reportedly begun doing so, based on antitrust concerns. Meanwhile, Comcast privately lobbied in Washington DC against DoH.

A week ago, Google tried to dispel what it characterized as misconceptions about its DoH implementation. The Chocolate Factory insisted that it isn’t forcing people to switch to its own DNS service, Google Public DNS, and that existing content controls won’t be affected.

Rather than being so conciliatory, Mozilla has opted to go on the offensive, urging lawmakers to look into why ISPs are lobbying against DoH.

“Right now these companies have access to a stream of a user’s browsing history,” said Marshall Erwin, senior director of trust and security at Mozilla, on Friday. “This is particularly concerning in light of the rollback of the broadband privacy rules, which removed guardrails for how ISPs can use your data. The same ISPs are now fighting to prevent the deployment of DoH.”

Erwin points to the 2017 Congressional repeal of the Broadband Privacy Order as a reason for current industry interest in user data. That rule change opened a privacy gap by removing a requirement that service providers had to seek permission to share and sell customer data.


In his letter [PDF] to lawmakers, Erwin said the telecom groups’ letter contains “a number of factual inaccuracies” – challenged [PDF] by advocacy groups supportive of DoH – and asked legislators to examine telecom industry data practices to understand what’s happening to customer data.

Erwin cites a long history of ISP privacy abuses, including the sale of real-time location data, manipulation of DNS to serve ads, and the use of supercookies for user tracking, as justification for greater industry scrutiny.

“Telecommunications associations are explicitly arguing that ISPs need to be in a position to collect and monetize users’ data,” Erwin said. “This is inconsistent with arguments made just two years earlier regarding whether privacy rules were needed to govern ISP data use.”

Mozilla’s goal, he said, is to prevent browsing activity from being intercepted, manipulated, and collected. Telecom providers like AT&T, Comcast, and Verizon, he suggests, have other ideas. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/11/04/mozilla_doh_congress/

How HR and IT Can Partner to Improve Cybersecurity

With their lens into the human side of business, human resources can be an effective partner in the effort to train employees on awareness and keep an organization secure.


Throughout Cybersecurity Awareness Month we examined the different ways some organizations are building a culture of security awareness and getting employees and executives on board with viewing security as everyone’s responsibility.

One department we haven’t spoken to yet is human resources. And according to Marcy Klipfel, SVP of Employee Engagement at benefits administration tech company Businessolver, HR is uniquely equipped to humanize and promote security within an organization, and IT is missing out on an opportunity to use HR skills and insight to enhance risk mitigation.

The Edge asked Klipfel for her thoughts on why HR should be more involved in security and why it is an important move in creating improved security culture.

Most businesses go to the IT department to develop policies and procedures around employee security awareness. You say they should be consulting HR too. Why?

While technical sophistication is vital to any successful cybersecurity strategy, putting fancy locks on the doors won’t keep the company safe if employees are opening the windows. Human error is one of the greatest threats to an organization. But HR leaders can engage employees in recruitment, culture, and education to boost awareness and adoption of new policies to help IT teams develop a “human firewall” for your organization, turning employees – your greatest security threat – into your greatest asset.

Creating a “human firewall” is also the mission of security training that the infosec team brings to the table. What different perspectives and value can HR bring to the security conversation?

HR approaches security through the lens of the organization’s people. HR teams can drive a cybersecure culture by ensuring that employees know what is expected of them to keep the organization safe from security issues. While IT is typically consulted to outline policies and procedures, HR can communicate the importance of new policies and execute IT’s plans to protect the company through training and modules to ensure proper adoption.

So should HR be involved in employee awareness training and testing procedures? To what extent and how?

From day one, HR can help current and prospective employees understand a company’s commitment to a cybersecure culture. HR professionals can offer creative ways to spice up training modules, including gamification and learning management systems (LMS), and they can aid with mock testing to allow employees to learn from their mistakes. At Businessolver, we regularly send a fake phishing email from a seemingly reputable sender to random employees asking them to click a link and/or share personal or professional information. If an employee follows through, they receive a message telling them that it was a phishing attempt, thus increasing their vigilance for the future.

Some might say: What does HR know about technology? How can they really add value? What is your reaction to that attitude?

The world of technology and cybersecurity is constantly changing, making it difficult for even the best IT professionals who work in the field every day to keep up. The role of HR lies in its expertise in engaging with employees and demonstrating the importance of protecting data and information, which is critical to the success of any cybersecurity program. They can help employees navigate technology and turn them into partners in securing the organization.

Should HR be involved in technology conversations, such as purchasing decisions, that revolve around security?

HR professionals receive valuable personal information from all employees when they are hired and throughout their tenure, so it’s important for the HR department’s technology platforms and tools to be secure. Additionally, HR can provide insight into how new technologies should be incorporated into the workforce to maximize participation and adoption.

How can organizations get started with a conversation between IT and HR?

A great place to start is by setting up an initial meeting where IT and HR leaders can coordinate on current cybersecurity plans and how to address any security pain points from an employee perspective. From there, it’s best to meet regularly – typically every quarter – to discuss how to best train the workforce, create an emergency response plan with team roles and responsibilities should an attack occur, and share key learnings or insights from recent tests or trainings.


Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Article source: https://www.darkreading.com/edge/theedge/how-hr-and-it-can-partner-to-improve-cybersecurity/b/d-id/1336256?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sumo Logic Buys JASK Labs to Tackle SOC Challenges

Sumo Logic plans to integrate JASK’s autonomous security operations center software into a new intelligence tool.

Sumo Logic today said it has acquired JASK Labs, provider of cloud-native autonomous security operations center (ASOC) software. It plans to combine Sumo Logic’s cloud security information and event management (SIEM) and compliance tools with JASK’s ASOC software to create a new security intelligence platform.

JASK was founded in 2015 and, according to Crunchbase, has raised a total of $39 million over three rounds of funding. Its ASOC platform aims to improve visibility into on-premises and heterogeneous multicloud environments so analysts can understand the context and impact of a cyberattack. The software also aims to cut down on alert fatigue by automating repetitive tasks. ASOC integrates with Sumo Logic's cloud SIEM to help analysts identify and respond to security alerts.

Sumo Logic plans to use this technology to build out its security intelligence portfolio with a new Sumo Logic ASOC solution, as well as the Spec Ops tool for threat hunting. Both of these will be delivered as a service; the latter is expected to be available by the end of this year.

JASK CEO Greg Martin has been appointed vice president and general manager of the Sumo Logic security business unit. JASK employees will also join Sumo Logic as part of the deal. Terms of the transaction were not disclosed by either company.

In a survey conducted by Dimensional Research, 93% of security pros report traditional SIEM tools are ineffective in the cloud. Two-thirds identified a need to consolidate and rethink traditional security tools, a demand also driven by an onslaught of alerts, poor visibility across the application stack, and siloed tools and teams needed to effectively operate a modern SOC. Hybrid and multicloud environments often pose a challenge to legacy SIEM technologies.


Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/sumo-logic-buys-jask-labs-to-tackle-soc-challenges/d/d-id/1336263?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

First BlueKeep Exploit Found in the Wild

Crashing honeypots alerted the researcher who named the BlueKeep vulnerability.

BlueKeep, a pre-authentication remote code execution vulnerability in Microsoft's Remote Desktop Services, has been exploited in the wild. The vulnerability, designated CVE-2019-0708, was disclosed earlier this year and patched in May. It was considered so significant that Microsoft took the unusual step of issuing patches for out-of-support Windows versions in an attempt to head off exploitation.

Kevin Beaumont (@GossiTheDog), the researcher who named BlueKeep, found the exploit when the BlueKeep honeypots he runs began crashing this past weekend. He shared the crash data with researcher Marcus Hutchins, who verified the results. In analyzing the code that crashed the honeypots, Hutchins found that the obfuscated payload ultimately installed a cryptocurrency miner on the victim system.

“It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponized,” Hutchins wrote in a blog post sharing the exploit’s analysis. 

And while the vulnerability has been patched, the patch must be applied to be effective. “According to BinaryEdge, there are over 700,000 vulnerable systems that are publicly accessible, including over 100,000 in the United States alone. The risks here cannot be overstated — organizations must patch their systems immediately,” says Satnam Narang, senior research engineer at Tenable.
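The BlueKeep trigger is visible in the very first RDP connect request: the client asks to bind the server-internal MS_T120 static virtual channel, which no legitimate client requests, and that binding is what network signatures for CVE-2019-0708 key on. The Python below is an added example, not code from the article or from the researchers it quotes. It parses the TS_UD_CS_NET (client network data) block that an RDP client sends inside its MCS Connect Initial PDU and flags a request that lists MS_T120. It assumes the caller has already extracted that block from the PER-encoded Connect Initial (not shown here), and the two sample blocks are constructed inline rather than captured from traffic.

```python
import struct

# TS_UD_CS_NET header type (MS-RDPBCGR 2.2.1.3.4): the client's static virtual channel list.
CS_NET = 0xC003
CHANNEL_DEF_SIZE = 12          # CHANNEL_DEF: 8-byte ANSI name + 4-byte options
HEADER_SIZE = 8                # type(2) + length(2) + channelCount(4)
# Internal RDP channel that the BlueKeep exploit binds explicitly; a legitimate
# client never lists it, so its presence in a connect request is a strong signal.
MS_T120 = "MS_T120"


def parse_cs_net(block: bytes) -> list[str]:
    """Return the channel names requested in a TS_UD_CS_NET block (little-endian)."""
    if len(block) < HEADER_SIZE:
        raise ValueError("block too short for TS_UD_CS_NET header")
    utype, ulen, count = struct.unpack_from("<HHI", block, 0)
    if utype != CS_NET:
        raise ValueError(f"not a client network data block: type 0x{utype:04X}")
    # Reject inconsistent lengths rather than silently reading past the block.
    if ulen != len(block) or ulen != HEADER_SIZE + CHANNEL_DEF_SIZE * count:
        raise ValueError("header length and channelCount do not match block size")
    names = []
    for i in range(count):
        raw_name, _options = struct.unpack_from(
            "<8sI", block, HEADER_SIZE + CHANNEL_DEF_SIZE * i
        )
        # Names are null-padded ANSI; keep only the bytes before the first NUL.
        names.append(raw_name.split(b"\x00", 1)[0].decode("ascii", errors="replace"))
    return names


def is_bluekeep_probe(block: bytes) -> bool:
    """True if the client asks for MS_T120 (case-insensitive), the BlueKeep trigger."""
    return any(name.upper() == MS_T120 for name in parse_cs_net(block))


def build_cs_net(names: list[str]) -> bytes:
    """Build a TS_UD_CS_NET block; used here only to construct sample input."""
    body = b"".join(struct.pack("<8sI", n.encode("ascii"), 0) for n in names)
    return struct.pack("<HHI", CS_NET, HEADER_SIZE + len(body), len(names)) + body


# Constructed sample input (not captured traffic): a normal mstsc-style channel
# list, and a list with the MS_T120 binding an exploit adds.
BENIGN_BLOCK = build_cs_net(["rdpdr", "rdpsnd", "cliprdr", "drdynvc"])
PROBE_BLOCK = build_cs_net(["rdpdr", "cliprdr", "MS_T120"])


if __name__ == "__main__":
    for label, block in (("benign", BENIGN_BLOCK), ("probe", PROBE_BLOCK)):
        print(label, parse_cs_net(block), "BlueKeep indicator:", is_bluekeep_probe(block))
```

A hit means a connection attempted the BlueKeep channel binding, not that exploitation succeeded, so it is useful for honeypots and IDS rules but no substitute for applying the May patch. Requiring Network Level Authentication also blocks the unauthenticated path this exploit relies on, since the channel list is only processed after the client has authenticated.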


Article source: https://www.darkreading.com/attacks-breaches/first-bluekeep-exploit-found-in-the-wild/d/d-id/1336265?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US grounds Chinese-made drones as part of security review

Adding to the growing chorus of concern about Chinese technology and potential espionage, the US Department of the Interior (DOI) announced on Wednesday that it’s grounding all Chinese-made drones or drones with Chinese-made parts as it reviews its drone program.

The exception: drones “currently being utilized for emergency purposes, such as fighting wildfires, search and rescue, and dealing with natural disasters that may threaten life or property,” the department said.

This is a decided turnaround from the enthusiastic embrace of drone technology that the DOI has exhibited over the past few years. Besides using unmanned aircraft systems (UAS) in emergency situations, the devices have also been put to work to monitor dams and floods, inspect land for property and environmental damage due to erosion, monitor endangered species, survey habitats, conduct archaeological mapping and mapping of landslides, and to assess groundwater discharge, among many other uses.

According to a 2018 use report, as of last year, the department owned 531 drones and had conducted 10,342 flights across 42 states and US territories – a 108% increase over 2017.

That number apparently jumped yet again: according to the Wall Street Journal, the department now has more than 800 drones. A person familiar with the matter told the WSJ that all of the devices are either made in China or have Chinese parts.

According to The Verge, Interior Secretary David Bernhardt made the order to ground the drones on Wednesday. The drones will stay grounded until the DOI completes a review of the security risks they might pose.

DOI spokesperson Melissa Brown sent this statement on the matter:

Secretary Bernhardt is reviewing the Department of the Interior’s drone program. Until this review is completed, the Secretary has directed that drones manufactured in China or made from Chinese components be grounded unless they are currently being utilized for emergency purposes, such as fighting wildfires, search and rescue, and dealing with natural disasters that may threaten life or property.

As the WSJ reports, the DOI’s concerns include that the drones could be used to transmit data, including photography and video, of sensitive US infrastructure that may be the subject of future cyberattacks.

This is just the latest move the US government has taken to push away China, which security experts have pointed to as the most active nation-state when it comes to cyberespionage against the US government, its corporations and its allies.

In September, a bipartisan group of US lawmakers introduced a bill – the American Security Drone Act of 2019 – that would ban federal departments and agencies from purchasing any commercial off-the-shelf drone or small UAS manufactured or assembled in China or other countries identified for national-security concerns.

Last week, US lawmakers said that TikTok – the Chinese-owned, massively popular, kid-addicting, fine-accruing video-sharing platform – is a potential threat to national security.

The government has already taken steps to limit potential dangers posed by the Chinese company Huawei, two senators pointed out in the TikTok inquiry. In 2018, due to concerns about spying, the Pentagon banned the sale of Huawei and ZTE phones at military exchanges – only one of multiple warnings about using gear from companies that might be under China’s thumb.

Any ban on Chinese drones will most particularly hurt DJI, the world’s largest maker of consumer drones. The company, which is based in China, disputes the security concerns. In response to the introduction of the American Security Drone Act of 2019, the company said that users can stop their drones from transmitting data back to the company or connecting to the internet, and that whatever data DJI has, the Chinese government has never come after it.

In response to the DOI’s announcement last week that it will be grounding Chinese drones, DJI sent this statement to The Verge:

We are aware the Department of Interior has decided to ground its entire drone program and are disappointed to learn of this development. As the leader in commercial drone technology, we have worked with the Department of Interior to create a safe and secure drone solution that meets their rigorous requirements, which was developed over the course of 15 months with DOI officials, independent cybersecurity professionals, and experts at NASA.

We will continue to support the Department of Interior and provide assistance as it reviews its drone fleet so the agency can quickly resume the use of drones to help federal workers conduct vital operations.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_3c5fdPKPRI/

Undercover reporter tells all after working for a Polish troll farm

Investigative journalist Katarzyna Pruszkiewicz spent six months working undercover, creating fake social media accounts and sending them out to troll on either side of the political spectrum, for Cat@Net – a troll farm in Wroclaw, Poland that calls itself an “ePR firm.”

We already have some insight into the inside of a disinformation factory: A few months ago, we heard an account from a fake news writer who says she saved her sanity with the rationale of “If people are stupid enough to believe this stuff…”

But Pruszkiewicz’s findings paint an even more detailed picture of how fake accounts are being used by private firms to influence political discourse, by fooling unsuspecting voters and consumers into thinking that they’re chatting with actual people.

Last week, her account was published by Investigate Europe – a consortium of European investigative reporters – as well as by its media partners.

Together with her troll colleagues, the undercover journalist managed almost 200 fake accounts on Facebook, Twitter and Instagram, wrote thousands of messages and comments, promoted her clients' products, trolled their competitors, and ran hidden support campaigns for, and smear campaigns against, politicians.

Some of what Pruszkiewicz, working with Polish journalism NGO Fundacja Reporterów (Reporters Foundation), discovered:

  • Cat@Net employs a mere 14 people to run 170 troll accounts on social media. Don’t let that small workforce fool you, though: Pruszkiewicz says that this constitutes a “powerful army,” as many of those accounts have thousands of followers, and they work hard to make sure their posts are viewed as much as possible – sometimes up to tens of thousands of times.
  • The farm has both left- and right-wing troll accounts. That makes their smear and support campaigns more believable: instead of just taking one position for a client, it sends trolls to work both sides, blowing hot air into a discussion, generating conflict and traffic and thereby creating the impression that people actually care about things when they really don’t – including, for example, about the candidacy of a recently elected member of the Polish parliament.

The Guardian gave a vivid example of how the fake accounts build fake personas that engage in fake discussions: in this particular case, Cat@Net workers fabricated two conservative activists to sneer at Poland’s divided liberal leftwing.

In this conversation, the fake accounts discuss a newspaper story about a former campaign adviser to Barack Obama and Emmanuel Macron coming to Warsaw to address a group of liberal activists:

Girl from Żoliborz, a self-described “traditionalist”: I burst out laughing!
Magda Rostocka, whose profile says she’s “left-handed with her heart on the right”: The opposition has nothing to offer. That’s why they use nonsense to pull the wool over people’s eyes.

They’re both fakes. But “Girl from Żoliborz” was a double fake: behind the bogus persona was Pruszkiewicz, who’d penetrated the firm after responding to a job posting from Cat@Net.

The firm was looking for a “telecommuter” – somebody who could work at home, had some journalistic experience, and could “build a positive image of our customers on social media and on the internet.”

As Investigate Europe tells it, Cat@Net’s customers include “large and small companies […] as well as other entities, including public administration institutions and private individuals.” The firm was unaware that Pruszkiewicz was an investigative journalist, since she had a “clean” online record, with no profile to identify her as such.

Her marching orders: create a credible, convincing, and fake Twitter account and profile. Put some flesh on that imaginary person’s bones, her boss told her. She did, bragging online about what she cooked, posting a picture of her new nail polish, and adding a photo of the university that her fake person purportedly attends. She posted pictures of flowers, her cat, and her favorite chocolate.

“After all, my life is not only politics,” Pruszkiewicz explains about the persona she crafted.

Keep it controversial, and make the social and political posts popular, the Cat@Net team coached her. Some of the things her fake account accordingly posted about:

April is the time of a nationwide teachers’ strike in Poland; they demand higher pay. The ruling party and their public radio and TV propaganda portray teachers as parasites, losers and sly dogs. My fictitious account chooses the #notsupportingteachersstrike hashtag. I write that teachers are holding students hostage; they are selfish and that their demands are unjustified.

In the coming weeks I lash out at the LGBT movement. I say that I fell asleep while watching ‘Tell No One’, a documentary about child sex abuse in Poland’s Roman Catholic Church.

Two men kissing on Eurovision? That’s outrageous! How can you expose children to such content?

Pride parade? – more like #PervertsParade

Those kinds of posts impressed her bosses. By June 2019, after her three-month troll trial, Pruszkiewicz had become a trusted troll. She was invited to a private Cat@Net Slack channel called "Kulawa Rebelia" – which translates as "Lame Rebellion" or "Rebellion on Crutches."

The name has to do with the fact that most of Cat@Net's employees are believed to be disabled, which enables the company to get public subsidies from Poland's National Disabled Rehabilitation Fund. According to the Reporters Foundation, the company has received about 1.5 million zloty (US$388,044) from the fund since November 2015.

Pruszkiewicz describes the chat room as “the company’s engine room.”

Every day people with different degrees of disability, including those using wheelchairs, meet here and talk. All internet operations are controlled by two managers who send trolls to react under specific posts or on specific Twitter accounts. The managers decide what to write and publish.

Rising up in the troll ranks

By September 2019, Pruszkiewicz had done so well at her trolling, she was promoted. Her new duties included managing a group of trolls and working with the copywriters who pre-formulate opinions and comments for the trolls. She described how she also helped Cat@Net document results for its clients:

As a manager, I have to collect all comments in one Excel file and send reports to my superiors on a daily, weekly and monthly basis. By reporting the activities of troll accounts, I have to show them that the tasks commissioned are being implemented.

Cat@Net’s vehement denial

In October, Investigate Europe, Reporters Foundation and Pruszkiewicz confronted Cat@Net and the politicians allegedly involved in its campaigns.

When they emailed Cat@Net's CEO to ask him about the troll profiles and about his connection to Bartłomiej Misiewicz – a close aide to the Polish defense minister who was arrested for alleged corruption in a January 2019 raid on Cat@Net's headquarters, the raid that prompted the journalists' investigation – the CEO didn't respond. But within a few hours of the email being sent, the internal employee chat groups were deleted.

On Friday, Cat@Net issued a statement in response to the journalists’ reports. It denies being a troll farm, describing its business as the outsourcing of marketing activities and saying that it adheres to the same rules as other agencies of this kind. The firm…

…strongly den[ies] that the influencer accounts kept by the company’s employees use hate, hate speech or misinformation.

How the troll farms compare

Some of Cat@Net’s alleged tactics resemble those used by Russia and its infamous troll factory.

That factory, which goes by the name of the Internet Research Agency (IRA), set loose both right-wing and left-wing trolls. There were elements of flame-fanning on either side of the political divide, similar to how Cat@Net trolls reportedly worked both the left-wing and the right-wing on behalf of its clients.

Fomenting any and all political sides has become a standard modus operandi of disinformation and media-manipulation efforts. Tactics aside, when it comes to motivation, it is illustrative to compare Cat@Net's alleged activities with those in Veles, the small Macedonian city where hundreds of producers of fake US news have built a profitable fake-news industry.

That’s where that “If they’re stupid enough…” fake news writer hails from.

In one news report, a CNN reporter talked to one such producer who claimed to be making as much as $2,000 to $2,500 per day off of his fake news site, which had around a million Facebook likes at the time. To get around account shutdowns, the producer said, he’d buy Facebook accounts off of kids for two euros. That’s more than those kids ever had, he said.

For firms like these, it's all about the clicks, which is all about the money, and that translates further into being able to demonstrate that they can deliver clicks and engagement for paying clients.

But the Cat@Net investigation also uncovered a slew of what sounds like favors being done for politicians and industries.

The Guardian details one such campaign, which sought to influence what kind of fighter jet the Polish government spent its zloty on:

The accounts were used to undermine public support for the Polish government’s decision to place a major order with the American contractor Lockheed Martin for the F-35 fighter jet, promoting instead the Eurofighter Typhoon. […] Cat@Net employees were reminded by their managers that “the F-35 is our enemy number one” but “don’t be too pushy with the Eurofighter, otherwise they will know they are being trolled”.

Political favors, corruption, money: these are hard to disentangle. They’re all part of the same ball of wax. All those motivations well might also be at play in the fake-news industry that fake-news writers are part of.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/C6Rb8RS3-Z8/