
4 Reasons Why SOC Superstars Quit

Security analysts know they are a hot commodity in the enviable position of writing their own ticket. Here’s how to keep them engaged, challenged, and happy.

Finding and hiring talented cybersecurity analysts is difficult enough. Keeping them on board after they’re trained and acclimated to your organization’s IT infrastructure and operations is an even bigger challenge. If high-performing security operations center (SOC) staff are unhappy or unfulfilled, they’ll move on, and they have plenty of options.

According to ESG and ISSA’s “The Life and Times of Cybersecurity Professionals 2018” (registration required), 44% of survey respondents were solicited by recruiters at least once a week and 76% were solicited at least once a month. My job keeps me in front of SOC staff, their managers, and (usually) up the org chart to the CISO. So, when someone leaves, I hear multiple perspectives on why so many analysts job-hop. Here’s what drives them out the door:

1. No Room for Growth
The problem with managing smart, ambitious people is that they are smart and ambitious. The best cybersecurity analysts are highly intelligent and fast learners, and they love a good challenge. Unfortunately, the day-to-day operations of your SOC can get monotonous. Over time, this can leave your best people unsatisfied. Managers who balance the mundane aspects of the job with more strategic projects are much more likely to keep SOC staff engaged. You should also look for ways to reward and advance your highest-performing team members.

2. Burnout and Alert Fatigue
Your best analysts can fly through a mile-high stack of alerts at breakneck speed and never miss a thing. And how do you reward them? With more work. On the one hand, it’s perfectly fair. You hired them for their expertise, efficiency, and ability to perform under pressure. But you also need to be aware of burnout and alert fatigue. Too many alerts create a particularly pernicious type of stress that occurs when a person has no control over the pace of incoming work — work that literally never ends. If an analyst feels she or he is stuck on a hamster wheel, they are unlikely to stay.

3. Lack of Executive Support and Engagement
It is difficult for analysts to remain motivated when they feel like the powers that be don’t have their back. That support can take many forms, but one very clear indicator that security isn’t a business imperative is if the organization fails to provide the critical tools analysts need to do their daily work. Modern networks are far too complex for analysts to do their jobs without sophisticated tools. Don’t set them up for failure. Make sure cybersecurity is a valued part of your corporate culture, a culture that will motivate your best team members to stick around.

4. Money
Yes, money matters. Financial compensation plays a big role when analysts look for new opportunities. With zero percent unemployment and a growing skills shortage, upward pressure on salaries will continue for the foreseeable future; there’s no way around this one. Keep up to date on salary and compensation trends and make sure you are competitive.

5. Not Enough Professional Development/Skills Training
Roughly 96% of the 267 cybersecurity professionals responding to the survey believe that organizations face a significant disadvantage against cyber adversaries if they don’t keep up with their skills, and 66% say that keeping up with their skills is difficult to do because of the demands of a cybersecurity career. This conundrum is pervasive, but don’t let training get pushed aside due to the grueling pressure and demands of a SOC. Budget and schedule training sessions as “non-negotiable” and get creative and fun about new ways to challenge team members and develop their skills. Ask any analyst. They will tell you that training keeps them engaged, challenged, and happy.

Next time the industry is aflutter about the latest attack strategy, give your team members a chance to jump in and learn to defend against it. Put their response skills to the test in as realistic a setting as possible. It will get their blood pumping and give them the pride and confidence of knowing that they are ready to face dangerous and capable attackers. Capture the Flag is a Black Hat tradition for a reason — competitions are essentially team trainings that bring people together and provide participants with a forum to practice and show off their skills.

Analysts know they are a hot commodity, in the enviable position of writing their own ticket. If you want yours happy at home in your SOC, keep them at the forefront of emerging trends and methodologies and make sure their contributions to the business are acknowledged.


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Edy Almer leads Cyberbit’s product strategy. Prior to joining Cyberbit, Almer served as vice president of product for Algosec. During this period the company’s sales grew by over four times in five years. Before Algosec, Almer served as vice president of marketing and …

Article source: https://www.darkreading.com/perimeter/4-reasons-why-soc-superstars-quit/a/d-id/1335127?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Intel Releases Updates for Storage & Diagnostic Tools

CISA released an alert telling users about the updates to firmware in Intel SSD and Processor Diagnostic products.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert for IT staff to be aware of two new updates from Intel, one for the firmware in certain data center solid-state disk (SSD) devices and the other for the Intel Processor Diagnostic Tool.

The SSD update is in response to CVE-2018-18095. The vulnerability, discovered internally at Intel, could allow attackers to gain access and update their privileges to then launch attacks on other system components.

Intel updated its Processor Diagnostic Tool in response to another privilege escalation vulnerability, this one discovered by Jesse Michael from Eclypsium and described in CVE-2019-11133. This is a higher-priority vulnerability than the one in the SSD firmware because it could allow privilege escalation, information disclosure, or a denial-of-service attack against the victim.

For more, read here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/intel-releases-updates-for-storage-and-diagnostic-tools/d/d-id/1335204?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Vulnerability Found in GE Anesthesia Machines

GE Healthcare has released a statement claiming the bug is not in the machine itself and does not pose direct risk to patients.

The US Department of Homeland Security’s Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory for CVE-2019-10966, a vulnerability in GE Aestiva and Aespire Anesthesia machines (versions 7100 and 7900) found by CyberMDX.

If an attacker gains access to a hospital network where either of these devices is connected to a terminal server, they could reach the machine without knowing its IP address or location and force it to use an earlier, less secure version of the communication protocol. This would enable them to change parameters remotely without authorization, with potentially severe results.

With this level of access, an attacker could alter the concentration of inspired/expired oxygen, CO2, N2O, and anesthetic agents; change the barometric pressure settings and anesthetic agent type; remotely silence alarms; and change the time and date settings on a machine.

Anesthesiology is a precise science, and anesthesiologists have strict protocols requiring them to document dosages, procedures, vital signs, and other medical data. Reporting is why anesthesia machines are connected to the network: it helps record the details accurately. If patients’ stats are changed or jumbled, it can compromise the integrity of audit trails.

The vulnerability has been assigned a CVSS score of 5.3, indicating “medium severity,” the ICS-CERT reports. It can be exploited remotely and requires only a low level of skill.

GE Healthcare has issued a statement in which it says the vulnerability is not in the device itself and this scenario doesn’t grant access to data or pose a direct risk to patients. While the machine is in use, any potential gas composition parameter changes, device time changes, or remote alarm silencing “will not interfere in any way with the delivery of therapy to a patient at the point of delivery, and do not pose any direct clinical harm,” officials explain. GE admits alarms can be silenced; however, physicians would see a visual alert if something went wrong.

Read more details here.


Article source: https://www.darkreading.com/risk/vulnerability-found-in-ge-anesthesia-machines/d/d-id/1335208?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why You Need a Global View of IT Assets

It may seem obvious, but many companies lose sight of the fact that they can’t protect what they don’t know they even have.

There is one simple truth of effective cybersecurity: You can’t protect what you don’t see. Comprehensive visibility is the foundation of good security — and it is becoming increasingly difficult to achieve. The ultimate goal is to have a platform designed to simplify security by providing a single source of truth for IT, security, and compliance.

Seismic Shifts in the IT Landscape
The modern IT environment presents many challenges. As companies transition to the cloud, the result in most cases is a hybrid environment that includes both on-premises and cloud resources — sometimes scattered across a multicloud environment. At the same time, the network perimeter has become irrelevant and the lines of “inside” and “outside” the network have blurred. The explosion of Internet of Things devices, the use of mobile devices, and the rise of DevOps and containers mean an exponential increase in the number of resources connected to your network. A consequence of this expanding and shifting IT landscape is a lack of cohesive visibility.

The hodgepodge of tools yields a segmented, partial view of crucial information. For many organizations, the only way to achieve some semblance of “complete” visibility is an ineffective manual effort to combine and correlate data from the various tools. Ultimately, the manual effort is time-consuming and inaccurate, and it quickly becomes obsolete as the environment changes rapidly. The manual effort is also inefficient because it utilizes highly trained IT and security engineering personnel for menial tasks rather than allowing them to focus their skills on executing projects and making better business decisions.

The Inherent Challenges with IT Asset Data
To begin to solve this problem, you have to first understand the three challenges of IT asset data: volume, velocity, and variance.

Hybrid IT environments are volatile and dynamic. The number of managed and unmanaged devices connected to your network at any time can be massive. These environments are continuously changing at an unprecedented speed — software upgrades and configuration changes, containers and virtual machines being spun up and down. 

Perhaps the biggest challenge is variance. The same data point may be referenced in different ways or under different names across various products and services. As technology providers go through mergers and acquisitions, new tools and platforms are integrated into the mix, and correlating all of the IT asset data together can be complex.

Dealing with the volume, velocity, and variance in IT data can quickly become overwhelming. Legacy tools that attempt to collect partial data at infrequent intervals fail to deliver the foundation required for an effective security architecture framework.

Foundation of Your Security Architecture
A report from the U.S. Department of Defense Inspector General released in July 2018 found that none of the commands or divisions of the three military branches maintains an accurate inventory of their software. They all have gaps in visibility of what is on their own internal networks — resulting in a variety of negative consequences, such as software being underutilized, obsolete software that creates risk, duplicate or redundant applications being purchased, and — perhaps most importantly — no way to identify or remediate vulnerabilities or accurately assess security posture.

One example of the importance of effective IT asset management is the WannaCry ransomware attack in May 2017. Microsoft issued a critical patch in March 2017 that would have prevented systems from being compromised, yet nearly a quarter-million systems across 150 countries were paralyzed when the attack hit. In many cases, the reason organizations were caught off-guard is that the ransomware compromised vulnerable systems on their networks, primarily end-of-life systems and unauthorized software, that they were not even aware of.

You most likely have all of the data you need — you just need an efficient method of pulling in data from all facets of the company to harness it effectively. You need to be able to monitor and update asset inventory in real time, and normalize, categorize, and enrich it with context to ensure its relevance and accuracy. It’s also important to have seamless integration with your CMDB (configuration management database) and service ticketing system to facilitate remediation and resolution of any issues.
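The correlation step described above, as an added example (not Qualys’s code or any real product’s schema): three constructed inventory exports that refer to the same machines under different name and MAC conventions are normalized into one record per asset, and the merged view is then queried for unmanaged devices and coverage gaps. The tool names and field names are assumptions for the illustration.

```python
import re

# Constructed sample exports from three hypothetical tools (CMDB, vulnerability
# scanner, EDR). Field names and values are invented for this example.
CMDB_EXPORT = [
    {"name": "WEB01.corp.example.com", "mac": "00:1A:2B:3C:4D:5E", "owner": "web-team"},
    {"name": "db02", "mac": "00-1a-2b-3c-4d-60", "owner": "dba"},
]
SCANNER_EXPORT = [
    {"host": "web01", "mac": "001a2b3c4d5e", "critical_vulns": 2},
    {"host": "printer-3f", "mac": "AA:BB:CC:DD:EE:01", "critical_vulns": 1},
]
EDR_EXPORT = [
    {"hostname": "WEB01", "mac": "00:1A:2B:3C:4D:5E", "agent": "healthy"},
    {"hostname": "DB02.corp.example.com", "mac": "00:1A:2B:3C:4D:60", "agent": "healthy"},
]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; accepts colon, dash or bare-hex input."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_host(name: str) -> str:
    """Short lower-case hostname, so WEB01 and web01.corp.example.com match."""
    return name.split(".")[0].lower()


def build_inventory(cmdb, scanner, edr):
    """Correlate the three exports into one record per asset, keyed by MAC.

    The MAC is used as the join key because it survives hostname variance;
    each record remembers which tools have seen the asset.
    """
    assets = {}

    def upsert(source, mac, host, **attrs):
        key = normalize_mac(mac)
        rec = assets.setdefault(key, {"mac": key, "host": normalize_host(host), "sources": set()})
        if rec["host"] != normalize_host(host):
            rec.setdefault("aliases", set()).add(normalize_host(host))
        rec["sources"].add(source)
        rec.update(attrs)

    for r in cmdb:
        upsert("cmdb", r["mac"], r["name"], owner=r["owner"])
    for r in scanner:
        upsert("scanner", r["mac"], r["host"], critical_vulns=r["critical_vulns"])
    for r in edr:
        upsert("edr", r["mac"], r["hostname"], agent=r["agent"])
    return assets


def coverage_gaps(assets, expected=("cmdb", "scanner", "edr")):
    """Per asset, the tools that have never seen it; an empty list is full coverage."""
    return {key: sorted(set(expected) - rec["sources"]) for key, rec in assets.items()}


def unmanaged_assets(assets):
    """Assets observed on the network by some tool but absent from the CMDB."""
    return sorted(rec["host"] for rec in assets.values() if "cmdb" not in rec["sources"])


def critical_without_agent(assets):
    """Assets with critical findings and no EDR agent: nobody owns the remediation."""
    return sorted(rec["host"] for rec in assets.values()
                  if rec.get("critical_vulns", 0) > 0 and "edr" not in rec["sources"])


if __name__ == "__main__":
    inv = build_inventory(CMDB_EXPORT, SCANNER_EXPORT, EDR_EXPORT)
    for key, rec in inv.items():
        print(key, rec["host"], sorted(rec["sources"]))
    print("coverage gaps:", coverage_gaps(inv))
    print("unmanaged:", unmanaged_assets(inv))
    print("critical findings, no agent:", critical_without_agent(inv))
```

With these inputs the printer shows up only in the scanner export, which is exactly the kind of device the article describes as invisible to the organisation.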

Achieve Your First Compliance Milestone
Accurate IT asset management is also essential for compliance. You can’t claim that you are taking reasonable steps to secure and protect assets or data that you aren’t even aware of.

There’s a reason why the Center for Internet Security (CIS) starts its list of 20 Critical Security Controls with these two:

  • Inventory of Authorized and Unauthorized Devices
  • Inventory of Authorized and Unauthorized Software

CIS estimates that organizations can slash their risk of cyberattack by a whopping 85% if they apply these two controls, along with the next three (Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers; Continuous Vulnerability Assessment and Remediation; and Controlled Use of Administrative Privileges).

First Steps
Effective cybersecurity and compliance are essential for organizations around the world, across every industry, and regardless of size. Businesses must look at assets in a different way than they have traditionally to address the shifting threat landscape and encourage cooperation and collaboration between DevOps and cybersecurity teams. Visibility is becoming increasingly important, and a single source of truth for IT asset management is crucial to simplify and streamline security and compliance.


Pablo Quiroga is a Director of Product Management at Qualys. He has 12 years of experience in enterprise IT and security. At Qualys, he leads product definition, road map and strategy for IT asset management solutions. Pablo has helped numerous customers gain significantly …

Article source: https://www.darkreading.com/perimeter/why-you-need-a-global-view-of-it-assets/a/d-id/1335102?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Instagram asks bullies, ‘Are you sure you want to say that?’

Instagram on Monday announced that it’s now using artificial intelligence (AI) to detect speech that looks like bullying and that it will interrupt users before they post, asking if they might want to stop and think about it first.

The Facebook-owned platform, hugely popular with teens, also plans to soon test a new feature called “Restrict” that will enable users to hide comments from specific users without letting them know that they’ve been muted.

In the blog post, Instagram chief executive Adam Mosseri said the company “could do more” to stop bullying and help out its victims:

We can do more to prevent bullying from happening on Instagram, and we can do more to empower the targets of bullying to stand up for themselves.

These tools are grounded in a deep understanding of how people bully each other and how they respond to bullying on Instagram, but they’re only two steps on a longer path.

Think before you post

Instagram posted one example of what would-be bullies are going to see if its AI interprets their comments as offensive: a user who types “you are so ugly and stupid” gets interrupted with a notice saying: “Are you sure you want to post this? Learn more”.

If the user taps “learn more”, they get this notice: “We are asking people to rethink comments that seem similar to others that have been reported.”


Can you really reason with bullies? Sometimes: Mosseri said that giving users a chance to reflect has been effective in talking “some people” out of spewing their bile.

From early tests of this feature, we have found that it encourages some people to undo their comment and share something less hurtful once they have had a chance to reflect.

How many would-be bullies backed off during testing? Mosseri didn’t share numbers, but any improvement could literally save lives. Instagram has been under pressure for bullying following widely reported suicides, such as that of 14-year-old Molly Russell, who took her own life in 2017.

Her family blamed Instagram in part for her death: when they looked into her Instagram account, they found distressing material about depression and suicide. Molly’s father said that Instagram “helped kill my daughter,” as it was making it easy for people to search on social media for imagery relating to suicide.

In February 2019, Instagram banned images of self-harm in response to the tragedy. Critics saw it as too little, too late: Peter Wanless, CEO of the UK’s National Society for the Prevention of Cruelty to Children (NSPCC) said at the time that Molly Russell’s death was yet one more example of how social networks have over the years failed to protect their young users.

Restrict

Since he took over the reins at Instagram in October 2018, Mosseri has pledged to wage war on bullying. He has said that Instagram wants to lead the industry in the fight. Thus we get Monday’s announcement of the two new features: the first two steps in this battle.

Besides trying to stop bullying from happening in the first place, Instagram is also looking to help those who get targeted when it does. That’s where the “Restrict” feature comes in.

Think of it as a smarter way to block bullies and trolls – one that takes into account research showing that teens are reluctant to simply block or report peers who bully them, given that shutting down communications means that a victim can no longer monitor what bullies are saying about them. Plus, it betrays hurt feelings, according to Francesco Fogu, an Instagram product designer who works on well-being. Time quoted him:

[Blocking or reporting peers] are often seen as very harsh options.

Restrict offers a more clandestine way to control the content that bullies post. While blocking a user is easy for that user to spot – they can’t see their victims’ content after they’ve been blocked – Restrict doesn’t keep bullies from seeing their targets’ posts in their feed as they usually do.

Once a user Restricts someone, comments they make on their target’s posts will only be visible to that person. The user can choose to make a restricted person’s comments visible to others by approving their comments, or not – without them knowing their comments have been filtered out. Restricted users are also not able to see when their targets are active on Instagram or when they’ve read direct messages from the Restricted user.

Fogu:

The goal here is to basically put some space between you and them.

This is hard

In mid-May, Time published an in-depth report on Instagram’s war on bullying. It makes one thing crystal clear: bullying is a shape-shifter. It’s constantly evolving. It’s kind of like porn in that “I know it when I see it” way, and all of that makes training AI to sniff it out extremely tricky.

It’s relatively easy to train AI to spot bullying text. Once you leave text out of it, it gets far tougher. For example, there are Instagram “hate pages”, where anonymous accounts are dedicated to making fun of or tormenting people – say, a guy who tags his ex in posts that show him with other girls.

Slang also rapidly evolves, and teens or trolls rapidly think up new ways to be hateful – in fact, on a weekly basis, Instagram has found. Time quoted Instagram head of public policy Karina Newton:

Teens are exceptionally creative.

How do you even define bullying? And in a way that an algorithm could pick up on? This foe is difficult to pin down, as Time reports:

[…] a girl might tag a bunch of friends in a post and pointedly exclude someone. Others will take a screenshot of someone’s photo, alter it and reshare it, or just mock it in a group chat. There’s repeated contact, like putting the same emoji on every picture a person posts, that mimics stalking. Many teens have embarrassing photos or videos of themselves shared without their consent […]

I don’t envy Instagram this work. Research makes clear that bullying comprises a tangled web of words, actions, inactions, images, group behavior and subtle slights.

Instagram, good for you for stepping up to the plate to deal with these issues and do whatever you can to keep kids safe. True, it’s not just your job. It’s the job of parents, schools and the kids themselves.

But it’s a good, overdue sign that tech companies are no longer throwing up their hands and refusing to take responsibility for what their users do on their platforms. Let’s hope we see more progress, from more companies, and that this battle moves to and stays at the top of their priority lists.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/s2oF5qE6xjY/

Rogue Android apps ignore your permissions

You know those Android dialogue boxes that pop up when you first run an app, asking you what permissions you want to give the software? They’re not as useful as we all thought.

New research has revealed that apps are snooping on data including location and the phone’s unique ID number – even when users haven’t given permission.

The research comes from researchers at the University of Calgary, U.C. Berkeley, the IMDEA Networks Institute, the International Computer Science Institute (ICSI) and AppCensus, which offers a searchable database detailing the privacy issues with individual apps. Called 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System, the paper spotted dozens of apps circumventing permissions-based protections in Android to get the data they want.

Android apps must ask for permission to access sensitive resources on the phone, like the GPS, the camera, or the user’s contacts data. When you say that an app can’t access your location data, the operating system can prevent it from doing so because it runs the app in its own sandbox. That sandbox also stops the app in question from interacting with other apps.

Sidestepping permissions

The researchers analysed over 88,000 Android apps to see what data they transmitted from the phone, and where they sent it. They ran the test on a variety of Android systems, with the most recent being Android Pie (2018). They matched this against the permissions that the user had granted the app to see if apps were harvesting data that they shouldn’t be. They found dozens of apps transmitting data they shouldn’t have accessed, along with thousands more containing the code to do so. They reverse engineered the code and found two main methods for circumventing permissions protections.

The first is known as a side channel attack. In this context, a side channel exists when the same sensitive information is available in more than one place on a mobile phone, and only one of those places is guarded by the permission.

For example, apps are meant to request access to the phone’s GPS if they want location data. However, the researchers found apps accessing the MAC address of the Wi-Fi base stations that the phone connected to by reading a locally stored, unprotected cache. That gave the apps the location data that they needed.

The second, more insidious attack is known as a covert channel, and it’s a communication from one privileged app to another. One app might be allowed to read the phone’s International Mobile Equipment Identity (IMEI), for example, which is a unique identifier for the phone, and could give that data to another app that wasn’t.

The researchers found software libraries from Baidu and South Korean company Salmonads doing this. They used the SD card to store the phone’s IMEI, making it readable to apps that couldn’t access the data directly from the phone.

According to the researchers, the app from image printing service Shutterfly took a novel side channel approach to location harvesting by using the geolocation information stored in an image’s EXIF metadata.

Shutterfly responded, telling us:

If the user allows their images to be tagged with metadata, including geolocation, that information is included with the photos that are either uploaded to the Shutterfly app, or accessed locally on the user’s phone with their express permission.

The app’s use of the data was in accordance with the Android developer agreement, it added.

Between them, the Salmonads and Baidu SDKs provided data to at least 37.5m installed apps that don’t have permission to see it. Salmonads failed to return our request for comment. Baidu couldn’t reply by our deadline.

Serge Egelman, research director in usable security and privacy at ICSI, argued in an email that a lot of consumers would be shocked to find out what was happening, and he pointed out that the paper is hosted on the Federal Trade Commission’s website:

I presented this at an FTC event in order to make them aware of these specific issues. These are clearly deceptive practices, and therefore entirely within the agency’s purview to take action.

What to do?

We’ve been telling you to watch the permissions you give apps on your phone for a long time. It’s still a sensible thing to do, but now that Android users don’t seem to be able to trust apps to follow the rules, what can they do? Egelman was pessimistic:

There’s not much that Android users can do, unfortunately.

There is a way of out this. Google paid the researchers a bug bounty after they disclosed them last year, and has vowed to address many of the issues in the forthcoming Android Q. However, that still leaves many Android users stranded. Egelman warns that the company should treat them as serious security vulnerabilities and offer over-the-air patches rather than addressing them in the next OS. He said:

Privacy shouldn’t be treated like a luxury good, where only those with the money to buy a newer device capable of running Android Q will be protected.

In any case, the problem is more endemic, he concluded, going beyond these two kinds of attack:

It’s also worth noting that permissions don’t regulate many of the persistent identifiers that are used for tracking. Worse, app marketplaces post policies for app developers that are often completely unenforced.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EeE4m6mDyxI/

Two zero days and 15 critical flaws fixed in July’s Patch Tuesday

Patch Tuesday this month offers fixes for a total of 77 vulnerabilities, of which 15 are marked critical, rounded out by two zero-day flaws just to make things interesting.

However, with an operating system estate as large as Microsoft’s these days, numbers don’t tell the whole story.

A good example of this is Microsoft’s Edge and Internet Explorer 11 browsers, which, including two overlaps, are patched for seven and six flaws respectively, all rated critical, and all remote code execution (RCE) flaws in the most vulnerable part of a browser, the web scripting engine.

It’s worth drawing attention to this because it’s easy to overlook the security of software bundled in Windows 10 which some users either use infrequently, or do not use at all.

As explained in previous coverage, this is particularly the case with IE 11, which many Windows 10 users don’t even realise is there but hangs around to maintain backwards compatibility. Compare that to Windows 10 64-bit version 1903, which earns only one critical, CVE-2019-1102.

Zero days

The two zero days are CVE-2019-0880 and CVE-2019-1132, both Elevation of Privilege (EoP) flaws currently being exploited in the wild by unnamed threat groups. The first affects the Windows splwow64 print spooler while the second is in Win32k.

Although both are rated ‘important’, a notch down from critical, good patchers aren’t fooled by such distinctions. Most likely, all that rating means in practice is that they have to be used in conjunction with other flaws, the proof being that each has been detected in exactly such scenarios (we await details from the companies that reported them).

Disclosed flaws

Microsoft has also patched five publicly disclosed vulnerabilities, including the CVE-2019-0865 denial-of-service bug in the SymCrypt Windows 8/10 cryptographic library, made public last month by Google’s Project Zero.

The other four are CVE-2018-15664 (a Docker EoP), CVE-2019-0962 (affecting Azure), CVE-2019-1068 (an MS-SQL Server RCE), and CVE-2019-1129 (Windows appXSVC EoP).

It’s become a full-time job to keep up with the sequence of vulnerabilities (and fix bypasses) disclosed by the researcher called SandboxEscaper, and this month we get another one under the moniker Polar Bear: CVE-2019-1130, also in appXSVC.

BitLocker fix

Finally, with Adobe almost taking a month off (bar three advisories affecting Dreamweaver, Experience Manager, and Bridge), the July 2019 bulletin does feature one general bug fix with a bearing on security, described by Microsoft as addressing:

An issue that may cause BitLocker to go into recovery mode if BitLocker is being provisioned at the same time as updates are being installed.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/12aLo-zTwDQ/

It’s 2019 and SQL Server can be pwned by an SQL query, DHCP failover server failed by a packet, Edge, IE by webpages…

Patch Tuesday: Summer is now firmly upon us, and depending on where you are, the weather could be just about anything from stupidly hot to unbearably wet and cold right now given the state of the climate.

Well, anyway, Microsoft, Adobe, and SAP have dropped the July editions of their monthly security updates, so there’s at least one storm to weather. How’s that for a silky smooth transition?

Redmond plugs up SQL holes, leaky containers, and the usual crop of browser bugs

For Microsoft, July brings fixes for a total of 78 CVE-listed vulnerabilities.

Among the more serious flaws addressed this month is CVE-2019-1068, a remote code execution vulnerability in SQL Server. An attacker could exploit the flaw by sending a specially-crafted query to execute code with the permissions of the Database Engine. The bug was publicly disclosed earlier, but so far no attacks have been spotted in the wild.

Real-world exploitation is unlikely, in our eyes, because a hacker would have to somehow execute an arbitrary SQL query, and if that’s the case, the installation is essentially pwned anyway.

“It doesn’t provide you keys to the kingdom, but it does have elevated privileges,” Dustin Childs of the Trend Micro Zero Day Initiative noted, however.

“The update also impacts SQL Server 2017 on Linux and Linux Docker Containers. Considering SQL Servers are generally part of an enterprise’s critical infrastructure, definitely test and deploy this patch to your SQL Servers quickly.”

Docker was also the focus of CVE-2018-15664, a privilege escalation flaw that would let an attacker escape the container and acquire full read/write access to the host’s filesystem. The bug is a race condition in the way the docker cp command resolves paths inside a running container: a malicious container can swap a directory for a symbolic link between the daemon’s path check and the actual copy, so the copy ends up reading or writing an arbitrary host path with the daemon’s root privileges. It is triggered when an administrator runs docker cp against a container the attacker already controls. That vulnerability was also publicly disclosed prior to today, but was not targeted in the wild.

The same cannot be said for CVE-2019-0880 and CVE-2019-1132, a pair of elevation of privilege vulnerabilities in Windows that require local access. Trend Micro says both flaws have been exploited in the wild, but in-depth details have not been disclosed.

Other patches of note include the fix for CVE-2019-0785, a remote code execution vulnerability in DHCP for Windows Server. That flaw, which has been neither exploited nor publicly disclosed, allows remote code execution by way of a malformed DHCP packet, but only if the DHCP server is configured in failover mode.

“A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server,” Redmond notes.

“An attacker who successfully exploited the vulnerability could either run arbitrary code on the DHCP failover server or cause the DHCP service to become nonresponsive. To exploit the vulnerability, an attacker could send a specially crafted packet to a DHCP server. However, the DHCP server must be set to failover mode for the attack to succeed.

“The security update addresses the vulnerability by correcting how DHCP failover servers handle network packets.”

As it does every month, Microsoft addressed a handful of remote code execution bugs in the scripting engines for its Edge and Internet Explorer browsers. Those vulnerabilities, 11 in all, were critical flaws that allow for remote takeover by way of poisoned web pages. None have been exploited nor disclosed publicly… yet.


Outlook for Android users will want to pay attention to CVE-2019-1105, a spoofing vulnerability in which a specially crafted email message could be used to mount cross-site scripting attacks against the affected device.

Redmond also addressed two remote code execution flaws (CVE-2019-1110 and CVE-2019-1111) and one information disclosure bug (CVE-2019-1112) in Excel, and one cross-site scripting flaw (CVE-2019-1137) in Office SharePoint.

Adobe forgoes Flash and Acrobat fixes, SAP cleans up SMDAgent hole

It looks like two of the most popular exploit targets on the internet are getting a bit of a break this month. Neither Flash nor Acrobat/Reader are getting security patches from Adobe for the first time in years.

Instead, there are updates to address an information disclosure bug in Bridge CC, a DLL hijacking flaw in Dreamweaver and three information disclosure vulnerabilities in Adobe Experience Manager.

SAP posted 20 security fixes this month, including a fix for an OS command injection flaw in Solution Manager Diagnostic Agent (SMDAgent) that potentially allows for remote takeover of the targeted machine.

“The Diagnostic Agent is a component that manages the communication between every SAP system and Solution Manager related to monitoring and diagnostic events,” said Onapsis security researcher Agus Dendarys.

“In short, exploiting this OS command injection vulnerability in SolMan’s Diagnostic Agent would allow an attacker to bypass a whitelist validation, take full control of the admin user, change critical security configurations or stop a system.”

Happy patching one and all. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/10/patch_tuesday_july/

Mozilla boots alleged snoop troupe from its root cert coop: UAE-based DarkMatter thrown onto CA blocklist

Mozilla on Tuesday added digital certificates belonging to security biz DarkMatter and its subsidiaries to Firefox’s OneCRL blocklist, based on concerns that the UAE-based company will misuse its power as a certificate authority (CA) to intercept online communications.

In a post to Mozilla’s security policy forum, Wayne Thayer, certification authority program manager for the public benefit browser and software maker, said multiple independent reports have raised credible allegations that DarkMatter has been involved in spying.

“While there are solid arguments on both sides of this decision, it is reasonable to conclude that continuing to place trust in DarkMatter is a significant risk to our users,” said Thayer.

“I will be opening a bug requesting the distrust of DarkMatter’s subordinate CAs pending Kathleen’s concurrence. I will also recommend denial of the pending inclusion request, and any new requests from DigitalTrust.”

DigitalTrust is the name of DarkMatter’s CA business; “Kathleen” refers to Mozilla program manager Kathleen Wilson.

Web browsers depend on a list of authorities that vouch for the authenticity and integrity of the digital certificates presented by websites. An untrustworthy CA could issue a fake certificate to a website that allowed it to spy on interactions between the site and its visitors, even if the connection appeared to be secure.

Snoop links

DarkMatter has been trying to become a root certificate authority for the past two years. In January, Reuters reported that DarkMatter personnel assisted in a hacking operation called Project Raven, run by an Emirati intelligence agency and assisted by former US intelligence officials. The goal of Project Raven involved compromising the internet accounts of journalists, human rights activists and foreign government officials, it’s alleged.

DarkMatter has denied that report; the company didn’t immediately respond to a request for comment from The Register.

In February, the Electronic Frontier Foundation urged Mozilla and other maintainers of root certificate databases like Apple, Google and Microsoft to reject DarkMatter’s bid to become a root certificate authority and to revoke its intermediate certificate, which allows the issuance of certificates under the oversight of a recognized root CA.


“Giving DarkMatter a trusted root certificate would be like letting the proverbial fox guard the henhouse,” said Cooper Quintin, senior staff technologist at the EFF at the time.

In a statement emailed to The Register, Selena Deckelmann, senior director of engineering at Mozilla, defended DarkMatter’s banishment, a punishment previously meted out to China’s CNNIC in 2015.

“We made the decision to revoke trust in DarkMatter’s intermediate certificates and to deny the pending inclusion request,” she said. “We are confident this is the right decision, but it was not made lightly. Two important obligations guided our decision: first, that trust in our CA root store is a critical component of the security underpinnings of the web and second, our responsibility to protect individuals who rely on Mozilla products.”

Deckelmann said in light of credible evidence from multiple sources that DarkMatter participates in spying, Mozilla’s responsibilities to the web and those who rely on its software have led it to conclude that continuing to trust the security biz would endanger the web and users of Mozilla products. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/10/mozilla_darkmatter_ban/

Anyone for unintended ChatRoulette? Zoom installs hidden Mac web server to allow auto-join video conferencing

Updated: Zoom Video Communications, whose web conferencing service is used by millions, is under fire for installing a hidden web server on Macs in order to bypass user consent when joining a meeting.

Researcher Jonathan Leitschuh, a member of the security team at Gradle Inc, investigated how the Zoom client opens automatically when you receive a meeting link.

Leitschuh discovered that when you install Zoom on a Mac, it also installs a local web server listening on port 19421. If you then click on a Zoom conferencing link, the page loads an image from that server on localhost, and the dimensions of the image returned encode a status code. This is a hack to get around CORS (Cross-Origin Resource Sharing): a cross-origin Ajax request to localhost would return a response the page is not allowed to read, but image loads are exempt from CORS, and the page can read the loaded image’s width and height.

The result is that you can get a user to join a Zoom call simply by embedding a Zoom link into a website, for example, by using an iframe (inline frame). The user sees an ordinary web page URL but the iframe loads the Zoom link automatically.

The default Zoom configuration leaves it to the host to determine whether or not the camera is automatically enabled. Therefore, an attacker who hosts a meeting with video switched on can view the user’s webcam simply by persuading them to visit a site that embeds the meeting link.

As Leitschuh observes, the consequences could be more serious if there are other exploitable vulnerabilities in the Zoom client – such as the “Zoom Unauthorized Command Execution” bug – which Tenable reported in November 2018 but is now fixed.

Just to save a click?

Leitschuh reported the problem to Zoom, along with a related denial-of-service vulnerability. He was offered a financial bounty, which he declined, because it was conditional on never publicly disclosing the bugs.

Zoom responded by changing the host’s ability to choose whether the camera is enabled – but the fix regressed and Leitschuh also found that the iframe workaround mentioned above bypassed it.

There are further concerns. One is that even if you uninstall Zoom on the Mac, the Zoom web server is left in place. The web server has the ability to reinstall the Zoom client, rendering the uninstall attempt ineffective. This ability is also a security incident waiting to happen: if an attacker managed to gain control of one of the domains the server is allowed to download the client from, they could make it install some other executable instead.

“To shut down the web server, run lsof -i :19421 to get the PID of the process, then do kill -9 [process number]. Then you can delete the ~/.zoomus directory to remove the web server application files,” Leitschuh explained.

Zoom has made two statements about the matter. In a blog post, Richard Farley, Zoom’s chief information security officer, said that Zoom users can set a preference for video on or off when joining a meeting. “The host or any other participant cannot override a user’s video and audio settings to, for example, turn their camera on.”

This is not inconsistent with what Leitschuh claims. The host does determine whether or not the participant’s camera is on, but this is subject to the user’s preferences. As ever, the majority of users accept the defaults, so if the default is ON then video will be on. A clean install of Zoom does indeed default to video on, and the setting is expressed in the negative, which means you have to check “Turn off my video when joining meeting” to avoid it.

This setting, which defaults to ON, controls whether a Zoom meeting has video automatically enabled

Further, Farley justifies installing the web server even though this is specifically to bypass a security feature introduced by Apple in Safari 12, writing:

When Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.

The company also issued a public statement (PDF) with a similar claim that installing a local web server is a reasonable workaround “to avoid this extra click before joining a meeting”. The statement adds that a July update will add a feature to “apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings”.

This does not sound like a full solution.

What about Windows users? No hidden web server perhaps; but that is because on Windows the “extra click” is not needed. The meeting opens automatically, with video (tested in Firefox, Chrome and Edge), provided the browser has set the association with .zoommtg links – a once-only operation. Depending on preferences, you might also get a conference options prompt in front of the meeting, but you have already joined. Whether browsers should allow this without a further prompt is a moot point, and one which Apple attempted to fix in Safari.

If you do not like this behaviour, remove the association with .zoommtg in your browser. For example, here is the setting in Firefox:

The setting in Firefox to prevent Zoom auto-starting

The Mac web server running on localhost is an extra security risk, though, especially as it has an unpublished API. An attacker could, for example, put an IMG tag on a page with its src set to a URL on your Zoom web server; your browser makes the request to localhost on the attacker’s behalf, and image loads are not subject to cross-origin checks. It is hard to understand how Zoom’s security officer can justify risks like these in the name of avoiding “poor user experience”. On the other hand, this does demonstrate the lengths to which a company will go to achieve a slight advantage in ease of use, never mind the consequences.
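To make the image-size trick described above concrete, here is an added example, not Zoom’s or Leitschuh’s code, that simulates both halves of the channel in Python: a localhost HTTP server that answers every request with a one-pixel-tall PNG whose width is the status it wants to report, and a client that reads that width back out of the PNG header, which is exactly the value a web page gets from img.naturalWidth once an IMG tag on any origin has loaded the picture. The request paths, the status numbers and the port (an ephemeral loopback port here rather than 19421) are assumptions made up for the demonstration; Zoom’s real API was undocumented. The server deliberately sends no Access-Control-Allow-Origin header, so a cross-origin fetch() of the same URL would be opaque to the page, yet the image dimensions still leak the status.

```python
"""Simulated "status code in the image size" channel between a web page and a
localhost service.  Added example, not Zoom's or Leitschuh's code.  Assumed for
the demo: the paths, the status numbers and an ephemeral port (Zoom's real
server listened on 19421 and its API was undocumented)."""
import struct
import threading
import urllib.request
import zlib
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

# Assumed status values: each is reported as the pixel width of a 1-px-tall PNG.
STATUS_UNKNOWN_REQUEST = 1
STATUS_CLIENT_INSTALLED = 2
STATUS_MEETING_LAUNCHED = 3
ROUTES = {"/ping": STATUS_CLIENT_INSTALLED, "/launch?confno=123456789": STATUS_MEETING_LAUNCHED}

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_of_width(width: int) -> bytes:
    """Build a valid 8-bit greyscale PNG that is `width` pixels wide and 1 pixel high."""
    def chunk(tag: bytes, data: bytes) -> bytes:
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

    # IHDR: width, height, bit depth 8, colour type 0 (grey), compression 0, filter 0, no interlace
    ihdr = struct.pack(">IIBBBBB", width, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00" + b"\x00" * width  # filter byte followed by `width` grey pixels
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(scanline)) + chunk(b"IEND", b"")


def width_of_png(data: bytes) -> int:
    """Read the width from the IHDR chunk: the value a browser exposes as img.naturalWidth."""
    if data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        raise ValueError("not a PNG")
    return struct.unpack(">I", data[16:20])[0]


class StatusImageHandler(BaseHTTPRequestHandler):
    """Stand-in for the local web server: every GET is answered with a status image."""

    def do_GET(self) -> None:
        status = ROUTES.get(self.path, STATUS_UNKNOWN_REQUEST)
        body = png_of_width(status)
        self.send_response(200)
        self.send_header("Content-Type", "image/png")
        self.send_header("Content-Length", str(len(body)))
        # No Access-Control-Allow-Origin header: a cross-origin fetch() from a web
        # page would get an opaque response, but an <img> load is not subject to
        # CORS and the page can still read the decoded image's width.
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def probe(port: int, path: str) -> Tuple[int, bool]:
    """What the page learns: (status decoded from the image width, whether CORS would
    have let a fetch() of the same URL read the response body)."""
    with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}") as resp:
        cors_readable = resp.headers.get("Access-Control-Allow-Origin") is not None
        return width_of_png(resp.read()), cors_readable


def run_demo() -> Dict[str, Tuple[int, bool]]:
    """Start the simulated server on an ephemeral loopback port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), StatusImageHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {path: probe(port, path) for path in ("/ping", "/launch?confno=123456789", "/nonexistent")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, (status, cors) in run_demo().items():
        print(f"{path:28} status={status} readable_via_fetch={cors}")
```

In a real browser the client half is nothing more than new Image() with an onload handler that reads naturalWidth, which any third-party page can do. The lesson for defenders is that a listener on localhost reachable from a browser is in effect a public API, whatever shape its responses take, and removing the listener, as Zoom eventually did, is the only complete fix.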

Security-conscious Mac users may want to remove all traces of Zoom at least until the risks are better understood. Tape over the camera? Maybe. ®

Updated to add

Amid a surge of online outcry today, Zoom’s blog post about the webcam vulnerability has been updated repeatedly to eventually confirm that a security patch is being pushed out now to Mac users. It should be installed as soon as you can, or you can download and install it manually from Zoom’s site.

This July 9 release will “remove the local web server entirely, once the Zoom client has been updated,” and “allow users to manually uninstall Zoom.” That’s good news as it kills off the undocumented web service, and allows you to boot the whole thing off your Mac completely for good.

Another patch is due to land on July 12 that will ensure “first-time users who select the ‘Always turn off my video’ box will automatically have their video preference saved,” and “returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.”

It is hoped this will address concerns over the software’s video-on-by-default nature: basically, you should be able to tell the program to not open up the video as soon as you click on or trigger a Zoom link, regardless of the host’s call settings.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/09/zoom_mac_webcam_security_patch/