Find Your Next Favorite Cybersecurity Tool at the Black Hat USA Arsenal

Learn new enterprise-grade techniques for identifying vulnerabilities, improving Active Directory security, and building trust with customers at Black Hat USA this summer.

On the hunt for new cybersecurity tools? Check out the Arsenal at Black Hat USA in Las Vegas this August, where all Black Hat passholders are invited to see live demonstrations of the latest open-source security tools.

For example, you could swing by the Arsenal (located in the Business Hall) and catch a demonstration of Smalien, a security tool for information flow analysis and information leakage detection on Android devices.

Once you give an application to Smalien, it understands the application thoroughly by executing static information flow analysis of Dalvik bytecode files extracted from the application. Smalien performs not only static analysis but also dynamic analysis, implicit information flow detection, and privacy policy enforcement at runtime by parasitizing the application.

You may also want to see a demo of Objection: Runtime Mobile Exploration, a runtime mobile exploration toolkit built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.

Objection allows many common pentesting tasks to be performed, such as disabling SSL inspection, interacting with the applicable platform’s keystore/keychain, and uploading/downloading files from a device. Additionally, more advanced usages such as code path tracing and live Java object inspection are also possible.

Black Hat USA will also host a smorgasbord of complementary Briefings featuring expert speakers sharing tools and techniques that can help you put these tools to good use. Securing the System: A Deep Dive into Reversing Android Pre-Installed Apps is a good example. This 50-minute Briefing from Google will detail the differences in reversing and analyzing pre-installed Android applications compared to the user-space applications on which most security research focuses.

This will include detecting signals that the pre-installed app may be colluding with other components and be only one piece of the puzzle, and how bad behaviors can change when they are run in the more privileged context of a pre-installed application. You’ll also dive into case-studies of Android pre-installed security issues Google discovered in 2018 and 2019: malware, security misconfigurations, and remote code execution backdoors!

In New Vulnerabilities in 5G Networks you’ll get an in-depth look at the security features of 5G radio networks and new vulnerabilities affecting both the operator infrastructure and end-devices (including mobiles, NB-IoT and laptops). Plus, you’ll see how these new vulnerabilities in the 5G/4G security standards can be exploited using low-cost hardware and software platforms.

For more information about these Briefings and many more check out the Black Hat USA Briefings page, which is regularly updated with new content as we get closer to the event!

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/find-your-next-favorite-cybersecurity-tool-at-the-black-hat-usa-arsenal/d/d-id/1334974?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Life-Changing Magic of Tidying Up the Cloud

Most companies’ cloud security operations would benefit significantly from clean-up, alignment, and organization.

In 2019, most organizations are using the cloud. However, many businesses are paying for cloud services without a strategic plan that maximizes productivity and competitive returns while managing security and compliance benchmarks.

Like a new two-car garage that seems attractively spacious and infinitely useful at first (before it’s overrun by tools, workbenches, and projects in progress), most cloud operations would benefit significantly from clean-up, alignment, and organization. It is essential for these companies to have insight into where their data is stored and who has access to what information.

In keeping with pop culture’s recent focus on killing clutter that’s hurting performance and joy, here are a few principles to tidy up and organize how your teams use powerful cloud resources.

1. Organize privileges.
For the sake of speed, multitasking, and cross-training, many companies have “flat” data access controls, giving practically any employee access to assets such as source code, customer data, and sensitive corporate financial info. This makes it hard to put reasonable controls on access and prevent unchecked risk, especially given employee turnover. Decide how granular the access controls over your data need to be. If your business is in retail, for example, your data requires different handling than electronic health records or attorney-client files.

2. Reevaluate risk and number of third parties.
The more partners, the higher the risk — that’s just reality. So, to keep the attack surface/risk surface more manageable, assess which partners are truly necessary. Where providers can be consolidated, pare them down to those willing to demonstrate a more serious commitment to security.

3. Map cloud usage to tame clutter.
Enterprises can license internal departments and users with cloud accounts to enable their teams to apply additional cloud-powered horsepower and fluidity to their respective missions. But the flip side of this is that cloud use can grow in silos, going astray from centralized oversight and policies. The key for these larger companies is to evaluate how internal teams are using the cloud. Taking inventory of what information is being stored, and where, is essential to keeping information secure. For example: How is the finance or HR team using Google Drive? How is the help desk or DevOps team using cloud services?

4. Securely dispose of what’s old.
Just like shredding boxes of past bank statements or wiping an old PC’s hard drive brings peace of mind, companies should securely tidy up by discarding any abandoned, orphaned, or indefinitely uncompleted projects in the cloud or on corporate networks. Developers, business development leaders and marketers often build proof-of-concept apps, databases, or other items that are fed live production/customer data, and that data might not be securely removed or wiped when the project is phased out. Because the cloud is so fluid, it’s easy to securely dispose of these leftovers once you account for them in policies and planned actions.

5. Organization takes teamwork.
Once you have done the heavy lifting of cleaning out your cloud/IT footprint, reduce the hours and effort that upkeep demands going forward by creating a cross-functional team — for example, the heads of business units relying on the cloud in your organization (sales, IT, finance, developers). Get their commitment to meet regularly over lunch or coffee to talk through their cloud usage needs, priorities, concerns, and lessons learned. When everyone is on the same page, the disconnects that cause a lot of duplication, silos, and clutter are eliminated.

In life and technology, organization follows accumulation. Like attics, workshops, and garages, cloud spaces are seized on by technical and business leaders across an organization for the sake of getting things done. Only when assets grow and activity increases does it become apparent that there might be a lot of clutter, waste, or potentially dangerous conditions in different areas. Fortunately for those of us charged with keeping IT organized and humming, automated and process-driven controls can help make tidying up happen every day. This gives SecOps teams more time for security and compliance management.

Kaus Phaltankar is the CEO and Co-Founder at Caveonix. He most recently served as a Senior Vice President for Dell Technologies. Before that, Kaus was Global President of Virtustream Security Solutions, a Dell Technologies company, where he was an evangelist and a technology …

Article source: https://www.darkreading.com/cloud/the-life-changing-magic-of-tidying-up-the-cloud/a/d-id/1334928?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Utilities, Nations Need Better Plan Against Critical Infrastructure Attackers

The attackers behind the Triton, or Xenotime, intrusions into critical infrastructure (CI) safety systems are testing their skills against electric power companies. Options for defense are still limited, however.

In February 2019, the group behind the Triton attack on oil and gas companies changed their tactics: The group started scanning electric utility companies for vulnerabilities, according to critical infrastructure security firm Dragos.

The switch in targeting is the first publicly known instance of a group behind a specific critical infrastructure attack targeting multiple infrastructures, says Sergio Caltagirone, vice president of threat intelligence for Dragos. The capability to attack more than one target suggests the actors in the group have become more sophisticated and better-funded, he says.

“The challenge is that for as long as we have been tracking industrial threats, the threats have effectively stayed in their own silo,” Caltagirone says. “They have either been geographically focused or sector-specific, and the reason is that it costs so much time and resources to attack one specific sector of industrial that there really hasn’t been any publicly known group that has been able to cross over.”

The problem is that, while attackers have increased their capabilities, defenders still remain stuck with a limited number of tools—both technological and political—to dissuade the attacks on their networks. Most governments and companies targeted by such attacks are left with a single option: Learn about the attackers and then kick them out of the infrastructure. 

“We need a strategic response,” Caltagirone says. “There has to be some sort of recognition that we are all in the same space, and we have to somehow find a way to put pressure on them to stop.”

Critical infrastructure owners have a harder cybersecurity problem than most companies. Creating a reliable infrastructure has always been a priority, and that means not creating chaos with major changes or software updates. For that reason, industrial devices and critical infrastructure are designed to be deployed for decades rather than years, making the standard software security approach of frequent updates more a logistical nightmare, said Tim Mackey, principal security strategist at Synopsys.

“With digital sensors and computing devices within industrial plants having lifespans far exceeding those of commercial devices, a comprehensive patch management strategy designed with a detailed understanding of the software supply chain powering these devices is a critical component of ongoing threat mitigation,” he said in a statement.

For the most part, critical infrastructure companies keep watch on adversaries by passing around indicators of compromise (IOCs) among themselves through information sharing and analysis centers (ISACs). With adversaries changing their tactics frequently, however, they need to do more. 

“We have to get beyond IOCs—we have to, have to, have to,” Dragos’s Caltagirone says. “We have to start monitoring and identifying behavior. Because over time, over a year plus, these adversaries’ (tools) are going to change so many times, it will be nearly impossible to protect yourself.”

On the national level, despite the constant attacks on critical infrastructure, strategic options to dissuade such attacks seem in short supply. In 2018, the U.S. Department of Justice, for example, continued to use legal tools against such attackers, indicting both Russian and Chinese actors for attacking election infrastructure and private industry, respectively. The U.S. has imposed sanctions against both countries as well.

Nations and their critical industries need to go beyond those measures and cooperate both on limiting critical infrastructure attacks and on improving defenses against them.

“There has to be a defender that is not just the utility—meaning governments, transnational organizations, industry sharing groups, and so forth,” Caltagirone says. “You can’t have, say, Idaho protect against the Russians and have Mississippi have to do the same—that is an untenable request to make, and we don’t make that request in any other domain.”

For now, the intent of attackers—most of which are likely rival countries—is to find their way into targets of interest, according to Caltagirone. This activity, called “access operations,” teaches attackers a great deal about the targets of interest and what countermeasures the defenders are deploying. 

“What they are doing right now is very intelligent. This is what a mature organization does—they take the time to figure out what organizations they want to beat,” he says.

Yet, in the end, if we don’t figure out a way to deal with the attackers—whether through technology or policy or both—then the outcome is grim, Caltagirone says. “If we don’t accept that understanding of the world and defend in that way, the adversary is going to walk right through all our defenses,” he says.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/utilities-nations-need-better-plan-against-critical-infrastructure-attackers/d/d-id/1334977?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Widely used medical infusion pump can be remotely hijacked

Researchers have found two security vulnerabilities, one severe, in Becton Dickinson (BD) infusion pump workstations: the devices used in hospitals to supply power and network connectivity to multiple infusion and syringe pumps, which deliver fluids including intravenous fluids, painkillers and medications such as insulin.

Such pumps are often hooked up to a central monitoring station so that hospital staff can check on multiple patients at the same time.

The flaws, in BD’s Alaris Gateway Workstation (AGW), were discovered by the healthcare cybersecurity firm CyberMDX in September 2018. The firm’s researchers said on Thursday that one of the security flaws – the most critical, according to an advisory issued by the Department of Homeland Security (DHS), also on Thursday – could allow the devices to be remotely hijacked and controlled.

The researchers said that the exploit could be carried out by…

… anyone who gains access to the hospital’s internal network. Files transferred via the update are copied straight to the internal memory and allowed to override existing files.

The vulnerable part of the pumps is the firmware in the onboard computer, which powers, monitors and controls the infusion pumps. The pumps run on Windows CE, which is Microsoft’s operating system for embedded devices and devices with minimal memory. That operating system later came to be known as Windows Embedded Compact.

No exploits to date

On Thursday, Becton Dickinson said in an advisory that there haven’t been any reported exploits of the critical vulnerability.

Nor does it affect the latest firmware version 1.3.2, nor version 1.6.1. Only older software versions for 2.3.6 – which was released in 2006 – and below are affected, the company said.

The affected products aren’t sold or used in the US. They are, however, widespread in Asia and Europe.

The silver lining

Also on the plus side is the fact that exploiting the more critical of the two vulnerabilities takes a good amount of know-how, as BD outlined in a security bulletin published on Thursday.

In order to exploit this vulnerability, an attacker would need to gain access to a hospital network, have intimate knowledge of the product, and be able to update and manipulate a CAB file, which stores files in an archived library and uses the proper format for Windows CE.

Attacker could alter infusion rate or completely stop pump

In the worst-case scenario, if an attacker were able to pull that off, they could then adjust commands on the pump – including adjusting the infusion rate on some specific, mounted infusion pumps that BD listed in its advisory, or, as DHS explained, turning off the pump completely.

An attacker could, in other words, cause a patient to get far too much or too little of a medication, with a potentially lethal outcome.

Beyond exploiting that critical vulnerability, an attacker could also exploit a second vulnerability on the AGW. In order to do that, BD said the attacker would need to…

… create an executable with custom code that can run in the Windows CE environment, understand how the internal communication protocols are utilized within the product and create a specific installer for the CAB file, with settings required to run the program.

This second vulnerability could allow an attacker to gain access to the workstation’s monitoring and configuration interfaces through the web browser. BD called it “difficult to exploit.”

BD said that no patient information is stored on the interface “by default” but that a successful exploit could allow an attacker to view information including event logs and to change a workstation’s network configuration.

The ‘Oh, crap’ lining

On the flip side of the silver lining, the critical vulnerability – which allows for remote access without any steps having to be taken by hospital staff, and which is being tracked as ICS-CERT Advisory CVE-2019-10959 – has been given the maximum score on the vulnerability scale, CVSS 10, because no authentication is required to access the device and upload malicious files.

DHS noted that these vulnerabilities mark the fourth time that it’s sent out cybersecurity notices about BD’s Alaris line of products. One of the prior vulnerabilities received almost as high a score as the new firmware problem, DHS said.

One such notice concerned a slew of medical devices found to be vulnerable to KRACK Wi-Fi attacks last year.

KRACK, or, more properly, the KRACK Attacks, stands for Key Reinstallation Attack(s). They work by exploiting a flaw in WPA and WPA2 protocol encryption, which these days covers most wireless access points where encryption has been turned on.

What to do?

BD is telling users to mitigate the firmware threat by blocking a client-server communication protocol used for sharing access to files. It said that customers should…

  • Utilize the latest firmware to eliminate the vulnerability.
  • Block the SMB protocol.
  • Segregate their VLAN network.
  • Ensure that only appropriate associates have access to the customer network.

BD will share details about an additional response within the coming two months.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TK4IMM2Sj8E/

Why are fervid Googlers making ad-blocker-breaking changes to Chrome? Because they created a monster. And are fighting to secure it

Analysis In a mild PR blitz, Google engineers this month insisted the ad giant’s shake-up of Chrome browser extensions won’t kill advert blockers. Instead, we’re told, Googlers are making the plugins safer. Those engineers have more work to do than it may seem.

Setting aside for a moment Google’s public filings about the revenue threat posed by web ad blockers, and actions the corporation has taken in the Google Play Store to limit interference with mobile app ads, the internet goliath has reason to overhaul its Chrome Extension ecosystem – because it’s as fragile as a house of cards.

Google insists it’s dealing with the situation, noting that malicious extension installations have declined 89 per cent since early 2018. But the tech titan’s coders are still addressing the root cause – a platform with few guardrails.

Chrome Extensions have obvious utility, for developers and users. They can enhance privacy, add functionality and improve the web browsing experience. But they’re so powerful they can be easily abused and the security process Google has in place for the Chrome Web Store isn’t foolproof.

The primary problem is that Chrome Extensions can undo the browser’s security model and grab sensitive data. A reader who wrote in to elaborate on this issue suggested that if people really understood how unconstrained Chrome Extensions are, they would be given a 10.0 CVE score and banned from enterprises.

That may be something of an overstatement, given that the API at the center of this mess, specifically the blocking capability of the webRequest API, will continue to be available to enterprises after the pending platform renovation is completed because it’s so useful.

Raymond Hill, the developer of uBlock Origin, disagrees with that characterization because, he says, the ability to change headers is intrinsically part of the design of the webRequest API – not an oversight.

“There is no CVE issue here because extensions are opt-in, and what they can do is disclosed to the users choosing to install them,” he said in an email to The Register.

But Google’s platform design decisions have security implications. And Mozilla’s too, since Firefox also supports the webRequest API for Add-ons (aka extensions).

At Canadian security conference SecTor in October last year – coincidentally the same month that Google announced its Chrome Extensions revision plan, known as Manifest v3 – Lilly Chalupowski, security application developer at GoSecure, gave a presentation called The Chrome Crusader.

Security stripped

Chalupowski demonstrated that Chrome Extensions have the ability to strip away HTTP headers, including security headers, from website interactions. The result is that it’s trivial to craft an extension that breaks the browser’s Same-Origin security model.

As she put it in a phone interview with The Register, “Injection is a feature.”

“When you have injection as a feature, that’s when you have to start being concerned,” Chalupowski said, “especially when you’re handing over functionality to modify secure headers on the fly and change them to literally whatever you want.”

During her demonstration, Chalupowski showed how to craft a basic Chrome Extension that interacts with a Flask command-and-control server – running locally for the demo – to steal passwords from an online banking website.

Google, it should be said, keeps an eye out for malicious extensions, but Chalupowski suggested a few ways miscreants might avoid detection.

Chalupowski has posted PoC code on GitHub; The Register hasn’t yet determined whether any changes made to Chrome since the initial publication of the PoC code affect its functionality.

“uBlock Origin and a few others use this capability to modify headers for good purposes, for security,” she said. “At the same time, those same features will be used in Chrome and Firefox for malicious purposes.”

And therein lies the problem: A developer with good intentions can craft extension code that’s beneficial and a developer with bad intentions can use the same API to abuse trust and steal information.

Back in 2010, when the webRequest API was being developed, there was some discussion of privacy and security implications, but it wasn’t the overriding concern. The design document mentions the issue in passing:

How could this API be abused?

There may be privacy issues since extensions can collect detailed information about network traffic via this API.

Chrome Extensions used to be even more open. Hill said that back in 2013, Chrome extensions could see the network requests of other extensions via the webRequest API. It was a useful feature but also an abusable one, and so it was removed.

Google may need to make webRequest less of a risk but among those who develop extensions, there’s hope that the price of security isn’t ineffective content blocking and subpar privacy controls.

Hill argues that Google should implement a more finely grained permission model for loosening CORS and CSP headers. That way, extensions requiring certain capabilities could ask for them directly rather than settle for a less capable API. He also suggested Google could deny the webRequest API access to a broader range of request headers, as it already does in some instances.
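The header stripping Chalupowski demonstrated and the finer-grained permission model Hill proposes can be illustrated together in a small model. The following is an added example, not Chrome’s API and not code from uBlock Origin or the PoC: an extension declares which security headers it may touch, and a hypothetical gate applies its proposed rewrite of a webRequest-style responseHeaders array only where permitted, undoing everything else. The permission grammar, the SECURITY_HEADERS list and the sample headers are assumptions constructed for illustration.

```javascript
// Added example (not Chrome's API, nor uBlock Origin's or Chalupowski's code):
// a model of a finer-grained header-modification permission gate.
// Header lists use the webRequest shape: [{ name, value }].
// Simplification: repeated headers of the same name are collapsed.

const SECURITY_HEADERS = new Set([
  'content-security-policy',
  'strict-transport-security',
  'x-frame-options',
  'x-content-type-options',
  'access-control-allow-origin',
]);

// Case-insensitive index: lowercased name -> { name, value } as sent.
function toMap(headers) {
  const m = new Map();
  for (const h of headers) m.set(h.name.toLowerCase(), { name: h.name, value: h.value });
  return m;
}

// Describe what an extension's proposed header list changes relative to the
// original. Returns [{ header, kind }], kind in 'removed' | 'changed' | 'added'.
function diffHeaders(original, proposed) {
  const before = toMap(original);
  const after = toMap(proposed);
  const changes = [];
  for (const [key, h] of before) {
    if (!after.has(key)) changes.push({ header: key, kind: 'removed' });
    else if (after.get(key).value !== h.value) changes.push({ header: key, kind: 'changed' });
  }
  for (const key of after.keys()) {
    if (!before.has(key)) changes.push({ header: key, kind: 'added' });
  }
  return changes;
}

// Hypothetical permission grammar (an assumption for this model):
// "modify-header:<name>" lets an extension add, change or remove that one
// security header. Headers outside SECURITY_HEADERS need no grant.
function mayModify(permissions, key) {
  if (!SECURITY_HEADERS.has(key)) return true;
  return permissions.includes(`modify-header:${key}`);
}

// Apply the gate: every change to a security header that the extension was
// not granted is undone (dropped, reverted or restored); all else passes.
// Returns { headers, denied } where denied lists the rolled-back changes.
function enforceHeaderPolicy(permissions, original, proposed) {
  const before = toMap(original);
  const denied = [];
  const headers = [];
  for (const h of proposed) {
    const key = h.name.toLowerCase();
    if (mayModify(permissions, key)) { headers.push({ name: h.name, value: h.value }); continue; }
    if (!before.has(key)) {                         // unpermitted addition: drop it
      denied.push({ header: key, kind: 'added' });
    } else if (before.get(key).value !== h.value) { // unpermitted change: revert it
      denied.push({ header: key, kind: 'changed' });
      headers.push({ ...before.get(key) });
    } else {                                        // unchanged: pass through
      headers.push({ name: h.name, value: h.value });
    }
  }
  // Unpermitted removals: put the original security header back.
  const present = toMap(headers);
  for (const [key, h] of before) {
    if (!present.has(key) && !mayModify(permissions, key)) {
      denied.push({ header: key, kind: 'removed' });
      headers.push({ ...h });
    }
  }
  return { headers, denied };
}

// Constructed sample: headers a bank's server sent, and the list an extension
// proposes after its onHeadersReceived listener ran. The extension has been
// granted only the right to touch X-Frame-Options.
const SERVER_HEADERS = [
  { name: 'Content-Type', value: 'text/html' },
  { name: 'Content-Security-Policy', value: "default-src 'self'" },
  { name: 'X-Frame-Options', value: 'DENY' },
];
const EXTENSION_PROPOSAL = [
  { name: 'Content-Type', value: 'text/html' },
  { name: 'X-Frame-Options', value: 'SAMEORIGIN' },
  { name: 'Access-Control-Allow-Origin', value: '*' },
  { name: 'X-Demo', value: 'added-by-extension' },
];
const GRANTED = ['modify-header:x-frame-options'];

// Run the gate over the sample: CSP is restored, the CORS header is dropped,
// the granted X-Frame-Options change and the harmless X-Demo header pass.
function demo() {
  return enforceHeaderPolicy(GRANTED, SERVER_HEADERS, EXTENSION_PROPOSAL);
}

console.log(JSON.stringify(demo(), null, 2));
```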

“Right now the browser just inherently trusts that the browser extensions will be nice,” said Chalupowski. Changing that, she said, “is nothing but good news for users.”

For developers and users capable of making responsible choices about the software they install, it’s a bit more complicated. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/17/chrome_extensions_security/

10 Notable Security Acquisitions of 2019 (So Far)

In a year when security companies have been snapped up left and right, these deals stand out from the chaos.

(Image: Itchaznong – stock.adobe.com)

Anyone watching the cybersecurity market has likely noticed a wave of acquisitions making headlines. The M&A activity that remained constant last year has only increased in 2019.

“It’s like something’s in the water right now,” says Hank Thomas, CEO at Strategic Cyber Ventures (SCV), where experts had anticipated growth in the cybersecurity market. “We predicted the ability of the market to do this, and we thought it might be this year.”  

Cybersecurity Ventures reports more than $7 billion in cybersecurity deals during the first quarter of 2019 alone, and the market certainly hasn’t quieted since then. The industry is in a time when large companies are sitting on lots of cash and pondering their security capabilities.

Of course, some technologies are hotter than others. Cloud computing and application security are two notable types ripe for acquisition this year, for example. Service-focused businesses are looking to acquire “as-a-service” companies and wrap their services into their platforms, explains Jeff Pollard, Forrester vice president and principal analyst for security and risk professionals.

He calls this “a bit of an unconventional acquisition scenario, where services companies acquire intellectual properties they can build services around.” An example of this can be seen in NTT Security’s acquisition of WhiteHat Security, a deal confirmed in March. This acquisition also reflects a trend of companies investing in application security, which Pollard also has noticed.

“Applications generate revenue,” he says. The applications companies are building, and the software they’re making, go into products and services. “It’s not that every company is a software company — it’s that every company is making money with software now.” Application security goes to the forefront of their priorities because this is technology they use to protect revenue-generating applications, websites, mobile apps, and other products, Pollard continues.

The cloud is a hot target for traditional and legacy vendors, which are still slow to embrace the cloud and adopt native cloud functionality. Vendors struggle to offer the same experience in the cloud as they do on-premises, a challenge that has led to increased activity in cloud-focused M&A, he adds.

These trends are evident in the cybersecurity acquisitions to take place so far this year. Here, we highlight 10 deals that stood out and discuss where the industry is headed. Any transactions you’re not seeing? Feel free to share your thoughts in the Comments section, below.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/10-notable-security-acquisitions-of-2019-(so-far)/d/d-id/1334973?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Black Hat USA axes anti-abortion congressman as keynote speaker after outcry – and more news from infosec land

Roundup Here’s a quick roundup of recent infosec news beyond what we’ve already reported.

Black Hat USA cans planned keynote speaker following outcry

This year’s Black Hat USA has axed keynote speaker US House rep Will Hurd (R-TX) after outcry over his politics and voting record.

Attendees and presenters threatened to boycott the annual security conference due to the congressman’s support for anti-abortion laws, efforts to defund Planned Parenthood, and unwillingness to back women in STEM, TechCrunch first reported.

Given the much-needed push for more diversity and inclusion in the worlds of technology and information security, Hurd’s invitation to speak at the event irked parts of the cyber-community. He is, for what it’s worth, said to be one of the more tech-aware congresscritters in America.

After 24 hours or less of pressure, Black Hat’s organizers said in a statement to The Register on Friday that Hurd will not be lecturing security nerds in Vegas this year as planned:

Black Hat has chosen to remove U.S. Representative, Will Hurd, as our 2019 Black Hat USA Keynote. We misjudged the separation of technology and politics. We will continue to focus on technology and research, however we recognize that Black Hat USA is not the appropriate platform for the polarizing political debate resulting from our choice of speaker. We are still fully dedicated to providing an inclusive environment and apologize that this decision did not reflect that sentiment.

Meanwhile, Hurd’s office responded:

And because this is the internet and it is 2019, we also have outcry over the outcry, which is generating backlash against the backlash…

Hey, so, who’s up for DEF CON, then?

Radiohead hackers beat band to post recordings

Fans of mopey British rock outfit Radiohead were given a treat this week when the band unexpectedly put online a collection of studio recordings to purchase and download – audio that, apparently, had been earlier stolen by hackers who threatened to publicly leak the files unless a ransom was paid. In response, the band released the recordings themselves via Bandcamp rather than pay out the six-figure demand.

That online release only came after the bad guys had already given up on receiving the dosh and had dropped the collection on the dark web. Researchers at Israeli cybersec outfit Sixgill claim they spotted the recordings linked from a Pastebin post that went up a full two days before the band decided to emit the songs officially, and they provided this screenshot to The Register to prove it:

Screenshot of Radiohead leak post

That doesn’t mean you should rifle through the dark web for the files, and ignore Radiohead’s official channel to get the tunes, however. Aside from being the right thing to do, each sale helps benefit climate change charity Extinction Rebellion.

Emuparadise loses million-plus user accounts to forum hack

Vintage gaming site Emuparadise is the latest website to see its user account details fall into the hands of hackers. A collection of more than a million accounts was reported to be on offer in crimeware forums and was added to the tracking service HaveIBeenPwned.com. The hackers were said to have targeted the emulation site’s user forums and made off with names, salted and hashed passwords, IP addresses, and email addresses.

Not a major breach, but if you have an Emuparadise account you should make sure your password is not being re-used on other sites.

Cisco posts patch for CSRF bug

Admins of Cisco IOS XE gear will want to spend a few extra minutes today checking for any applicable patches after Switchzilla issued a warning for a cross-site request forgery bug.

The vulnerability is only found in the web interface of IOS XE, but if exploited it could allow an attacker to execute arbitrary commands with the privileges of the currently logged-in user. Other versions of IOS, and IOS XE devices that do not have the web interface enabled, should be safe.

Evite incite user fright

Invitations service Evite has had to put up an alert after discovering an attacker had made off with a data backup file that had been archived all the way back in 2013.

While the archive is six years old, the information in it is rather sensitive. The hackers were able to get names, usernames, email addresses, passwords, and in some cases the user’s date of birth, phone number, and mailing address.

The company said it is in the process of notifying users, but everyone who was on the site back in 2013 would be well advised to change their password just to be safe.

Watchdog barks at MI5 for careless data handling

Britain’s iconic MI5 spy agency took heat this week after Blighty’s Investigatory Powers Commissioner found problems with the snoops’ handling of people’s data.

The watchdog said MI5 was not doing enough to secure the personal information it gathered and stored en masse under the power of warrants. In addition to not properly securing that sensitive data, it is said MI5 also held on to the info for far longer than is legally allowed.

Exim patches server flaw

Last week we warned of the command-execution flaw that had been disclosed for the Exim email server software. While admins could have patched the bug weeks ago by updating to the latest version, this week a patch was issued for earlier builds as well.

Those running Exim versions 4.87 through 4.91 will want to check out this announcement and make sure they have the fix in place, as working exploits for the flaw have recently been spotted being used in the wild to compromise vulnerable systems.

Report outs UK human rights champion as spyware house owner

British gallery boss and human rights campaigner Yana Peel has been accused of having ties to a notorious spyware developer.

The Guardian says that Peel, CEO of Serpentine Galleries, also has an ownership stake in NSO Group. That biz develops notorious surveillanceware Pegasus, which is sold to governments around the world to slip into targets’ devices so they can be snooped upon. NSO, which is majority owned by investment biz Novalpina Capital, claims it doesn’t flog its software to bad people, though human rights campaigners aren’t so sure.

“The Peel family has an investment in Novalpina. I have no involvement in the operations or decisions of Novalpina, which is managed by my husband, Stephen Peel, and his partners,” Yana Peel said in a statement.

In brief…

Meanwhile, Citizen Lab and its pals in academia have produced a report [PDF] on stalkerware and its effects.

AVG antivirus and Firefox clashed this week, resulting in people’s saved passwords disappearing due to a certificate update. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/15/security_roundup/

Better Cybersecurity Research Requires More Data Sharing

Researchers at the Workshop on the Economics of Information Security highlight the cost savings of sharing cybersecurity data and push for greater access to information on breaches, attacks, and incidents.

Good data on attacker tactics, security incidents, and breaches is key to identifying trends in cybersecurity, but datasets — even among academic researchers — are often not made public and just as often are of poor quality, according to security researchers who presented their conclusions at the annual Workshop on the Economics of Information Security (WEIS) conference.  

In a previous sampling of some 965 papers, a group of researchers from the University of Tulsa found that only 6% created their own datasets and made them public. Yet the value of such data exceeds $663 million just in cost savings to subsequent research efforts, according to a paper presented at the WEIS conference by the same group.

“There is a lot of value there,” says Tyler Moore, one of the authors and an associate professor of cybersecurity at the Tandy School of Computer Science at the University of Tulsa. “Cybersecurity research datasets do create a lot of value by making the data available to other researchers.”

Data is key to a variety of initiatives in cybersecurity. From training machine-learning systems to detect threats to analyzing whether breach regulations actually result in better defenses, researchers and security professionals need more and better datasets.

Yet sharing of data — even among researchers — does not happen often enough, says Sam Ransbotham, co-chairman of the WEIS 2019 conference and associate professor of the Carroll School of Management at Boston College.

“Everyone wants to use these datasets, but no one wants to create them and release them,” he says. “Companies want to show you all the cool stuff that they have done, but ask for their security data and that is a problem.”

Seven years after their original research into the costs of breaches, a group of researchers from the University of Cambridge pulled together the best data on current breach costs. The data is very scattershot and authoritative information is still not available, but the researchers are doing the best with the information they can obtain, Ransbotham says.

“The problem, trying to get more data, goes throughout all the papers,” he says. “None of this data is perfect. If you look at almost everything they talked about — and this is not negative — it is the current state of uncertainty.”

The value of the data is significant, the University of Tulsa researchers found. In the paper they presented at the WEIS conference, Moore and the other researchers analyzed a collection of cybersecurity datasets funded by the US Department of Homeland Security (DHS) and known as IMPACT; they found that almost 2,300 people have requested data from the system. With the average dataset valued at $291,000 in saved costs, those requests total $663 million. 

“The research community has to decide what our norms will be and what our values are,” Moore says. “There should be a default to make data sets available in order to view research as a scientific contribution.”

In previous research, Moore and other University of Tulsa researchers found that of a sample of 965 research papers, 55% used data in some form. About 44% of those papers using data did not create their own dataset, while 56% did. Yet only 6% of 965 papers both created their own data and publicly shared that data, according to the University of Tulsa research.

That leaves many researchers struggling to find creative ways to use existing data sets to produce new insights, says Boston College’s Ransbotham.

“These are people using trace data in some new and clever ways,” he says. “They are trying to figure out stuff from the data that is leaked out there in ways that are new.”

For many researchers, the problem is that sharing data gives no significant payoff. However, the University of Tulsa team found a slight benefit: research papers that included public datasets were cited an additional four times per year, which is small but significant, Moore says.

Still, that may not be enough to convince many researchers to share, he acknowledges.

“There needs to be a recognition in the community to share more widely, but how do we get there?” he says. “It would be great to have benefactors because right now you only have a very small amount of money from DHS.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/threat-intelligence/better-cybersecurity-research-requires-more-data-sharing/d/d-id/1334972?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Common Hacker Tool Hit with Hackable Vulnerability

A researcher has found a significant exploit in one of the most frequently used text editors.

Security researcher Arminius has discovered a hackable vulnerability and exploit in Vim, arguably the most commonly used text editor among developers, hackers, and system engineers.

Vim is generally included as “vi” in most Unix and macOS distributions. The vulnerability abuses a Vim feature called modeline, which lets a file carry editor settings in its first or last few lines so that Vim applies custom text-handling or formatting options for that file, for a project, or for every use of the editor.

In the exploit, a particular text string placed in a file causes the editor to accept arbitrary commands and execute them outside of the sandbox in which most modeline commands are normally run, regardless of whether those commands have anything to do with the editor. The exploit is possible because, in many distributions, modeline is enabled by default, regardless of whether the system owner is using the feature.

The vulnerability has been patched in Vim patch 8.1.1365 and in Neovim v0.3.6, but Arminius recommends that users explicitly disable modeline on their systems.
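Two checks a defender will want after reading this: whether the local vimrc actually leaves modeline processing on, and which files in a tree carry a modeline at all so they can be reviewed before anyone opens them. The following is an added example written for this article, not code from Arminius, the Vim project or Dark Reading. It assumes Vim’s documented defaults (modeline enabled for non-root users, `modelines=5` so only the first and last five lines are scanned) and approximates the modeline syntax from `:help modeline` with a regular expression; the function and file names are the example’s own.

```python
import re
from pathlib import Path

# Assumed Vim default for 'modelines': only the first and last 5 lines of a
# file are inspected for a modeline.
DEFAULT_MODELINES = 5

# Approximation of the two forms documented in ':help modeline':
#   [text{white}]{vi:|vim:|ex:}[white]{options}
#   [text{white}]{vi:|vim:|Vim:|ex:}[white]se[t] {options}:[text]
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(?:se(?:t)?\s+)?(.+)$")


def find_modelines(text, modelines=DEFAULT_MODELINES):
    """Return [(line_number, options)] for each line Vim would treat as a modeline.

    Only the first and last `modelines` lines are considered, mirroring how
    Vim itself limits the search.
    """
    lines = text.splitlines()
    n = len(lines)
    head = range(min(modelines, n))
    tail = range(max(0, n - modelines), n)
    hits = []
    for i in sorted(set(head) | set(tail)):
        m = MODELINE_RE.search(lines[i])
        if m:
            hits.append((i + 1, m.group(1).strip()))
    return hits


def modelines_enabled(vimrc_text):
    """Decide whether a vimrc leaves modeline processing on.

    Walks ':set' lines top to bottom; the last 'modeline'/'nomodeline' (or the
    short forms 'ml'/'noml') wins, and 'modelines=0' also disables the feature.
    Starts from the assumed default of enabled (non-root user).
    """
    enabled, count = True, DEFAULT_MODELINES
    for raw in vimrc_text.splitlines():
        # Drop trailing comments and a leading ':' so ':set x " note' parses.
        line = raw.split('"', 1)[0].strip().lstrip(":")
        m = re.match(r"se(?:t)?\s+(.*)$", line)
        if not m:
            continue
        for opt in m.group(1).split():
            if opt in ("modeline", "ml"):
                enabled = True
            elif opt in ("nomodeline", "noml"):
                enabled = False
            elif opt.startswith(("modelines=", "mls=")):
                count = int(opt.split("=", 1)[1])
    return enabled and count > 0


def audit_tree(root):
    """Inventory every modeline under `root` so each can be reviewed by hand."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # skip binaries and unreadable files
        hits = find_modelines(text)
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    # Constructed sample: a small script carrying a harmless formatting modeline.
    sample = "#!/bin/sh\necho hello\n# vim: set ts=4 sw=4 et:\n"
    print(find_modelines(sample))                 # [(3, 'ts=4 sw=4 et:')]
    print(modelines_enabled("set nomodeline\n"))  # False
```

Run `audit_tree(".")` on a checkout that came from outside the organisation before editing it, and feed `modelines_enabled()` the contents of `~/.vimrc` and the system vimrc: if it returns `True` on an unpatched Vim, adding `set nomodeline` is the fix the article recommends.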

Read more here and here

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/common-hacker-tool-hit-with-hackable-vulnerability/d/d-id/1334975?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cop arrested following explicit chat with bogus 16yo girl

A California cop recently recognized for his leadership has been arrested for allegedly exchanging explicit messages with somebody he thought was a 16-year-old girl.

In reality, it was a male college student who used Snapchat’s gender-swapping filter to pose as an underage girl online in order to catch sexual predators.

The San Jose Police Department last week said that its Internet Crimes Against Children (ICAC) Task Force / Child Exploitation Detail (CED) had arrested Inspector Robert Edward Davies, a 40-year-old officer with the San Mateo Police Department.

Davies was arrested last week on suspicion of contacting a minor to commit a felony.

In an interview with NBC Bay Area on Tuesday, the student said he fears retaliation and thus only wanted to be identified by his first name, Ethan. He said that he was inspired to pose as an underage girl so as to catch sexual predators because of the history of a close friend who’d been molested as a child.

Ethan opened up a phony Tinder account for a 19-year-old named “Esther.” He knew that Tinder doesn’t allow minors to open accounts, so he then doctored the profile photo with a Snapchat filter to make himself look like a young girl.

Ethan allegedly began chatting with Davies on Tinder on 11 May 2019. Next, they picked up the conversation on Kik. It was at that point that Ethan told Davies that “she” was 16 – an admission that Davies acknowledged.

Davies then asked “Esther” to switch to Snapchat, where they also discussed her age and started to chat about hooking up.

NBC Bay Area quoted Ethan:

I believe he messaged me, ‘Are you down to have some fun tonight?’ and I decided to take advantage of it.

“Esther” asked if her age of 16 bothered Davies. Police say that screen captures show that it did not. After moving to a new chat app, it got more sexual, Ethan said:

We started texting on there, and it got a lot more explicit.

Are you down to get arrested tonight?

Ethan said that he and Davies texted back and forth for over 12 hours. He sent screen captures of their conversation to Crime Stoppers. Ethan said that he wasn’t out to catch a cop, per se. It’s just that as it happened, the first man to allegedly reach out to him was a cop:

I was just looking to get someone. He just happened to be a cop.

A statement released last week by San Mateo police Chief Susan Manheimer about Davies’ arrest:

This alleged conduct, if true, is in no way a reflection of all that we stand for as a Department, and is an affront to the tenets of our department and our profession as a whole. As San Mateo police officers, we have sworn an oath to serve and protect our communities. I can assure you that we remain steadfast to this commitment to serving our community with “Professionalism, Integrity, and Excellence.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KQFkpUe4NkY/