STE WILLIAMS

RAMBleed picks up Rowhammer, smashes DRAM until it leaks apps’ crypto-keys, passwords, other secrets

Bit boffins from Australia, Austria, and the US have expanded upon the Rowhammer memory attack technique to create a more dangerous variation, called RAMBleed, that can expose confidential system memory.

The memory integrity issue tied to Rowhammer had been known to Intel since at least 2012 and began to be explored in academic research in 2014. The following year, Google Project Zero researchers developed an exploit technique to gain kernel privileges by repeatedly writing to memory locations in order to change adjacent memory cells – a consequence of the electrical interaction between close-packed DRAM circuitry.

In a paper released online on Tuesday – with the now obligatory vulnerability illustration and dedicated domain, rambleed.com – Andrew Kwong (University of Michigan), Daniel Genkin (University of Michigan), Daniel Gruss (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61) describe a way to use the Rowhammer technique as a side channel to read data that should be off limits, rather than to write it.

The work demonstrates that it is possible for malware or a rogue user on a system to hammer bits in RAM to read information in memory belonging to other programs and users, and thus siphon off secrets in the process. This is not particularly brilliant for multi-tenant boxes in public clouds. The research is scheduled to be presented in May 2020 at the 41st IEEE Symposium on Security and Privacy.

“As opposed to previous Rowhammer attacks, which wrote to sensitive data, RAMBleed instead reads sensitive data, thereby breaching confidentiality,” said Kwong, a doctoral student, in an email to The Register.

The boffins in their paper observe that Rowhammer has been assumed to be relatively benign because there aren’t really any security implications to flipping bits within one’s own private memory where one already has write privileges. But they say their findings show that assumption is incorrect, and note that one of the mitigations proposed for Rowhammer – using error-correcting code (ECC) memory as a means of ensuring memory integrity – fails to block RAMBleed.


“After profiling the target’s memory, we show how RAMBleed can leak secrets stored within the target’s physical memory, achieving a read speed of about 3–4 bits per second,” the paper said.

Kwong said that while the attack was conducted with local code execution, its scope remains an open question. “Given the sophistication of the attack, I might characterize RAMBleed as being more academic for the moment, but as history has shown, what is academic research today soon becomes everybody’s problem tomorrow,” he said.

The researchers say they notified Intel, AMD, OpenSSH, Microsoft, Apple, and Red Hat of their findings, which were assigned CVE-2019-0174.

To prepare the attack, on Linux machines at least, the boffins abuse the Linux buddy allocator to ensure they have access to physically consecutive memory pages. After searching for bits that can be flipped using Rowhammer and recording these, the attack template is ready.

The researchers then exploit the predictability of the Linux physical memory allocator to coerce the victim’s memory page into the desired physical location, a technique they refer to as “Frame Feng Shui.” They then employ the RAMBleed technique to deduce the victim’s memory bits.

According to Kwong, it took almost four hours to read out enough of a 2048-bit RSA encryption key such that they could recover the rest with a variant of the Heninger-Shacham algorithm.

The paper expresses skepticism about existing software mitigations, noting that RAMBleed can bypass software-based integrity checks and memory partitioning schemes. Hardware-based mitigations may help, though one proposed measure, PARA (probabilistic adjacent row activation), has not been widely adopted and only offers a probabilistic (rather than consistent) security guarantee.

RAMBleed has been demonstrated on devices with DDR3 memory chips, and Rowhammer-style bit flipping has been shown on DDR4 components. DDR4 supports a defensive technique called Targeted Row Refresh (TRR), but its efficacy is uncertain. “Given the closed-source nature by which TRR is implemented, it is difficult for the security community to evaluate its effectiveness,” said Kwong. “While bit flips have been demonstrated on TRR before, the extent to which TRR mitigates RAMBleed remains an open question.”

Other techniques that may help include memory encryption, flushing keys from memory, and a less predictable memory allocator. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/11/rambleed_rowhammer_attack/

Wondering where that upcoming meeting with ‘Cheap Viagra’ came from? Spammers beat Gmail filters by abusing Google Calendar, Forms, Photos, Analytics…

Spammers are abusing the preferential treatment Google affords its own apps to score free passes through Gmail’s spam filters, it was claimed this week.

The ad giant greases the wheels so that incoming messages involving Google Calendar and other Big-G apps slide through the filters and appear in Gmail inboxes, to ensure stuff generated and shared via its applications isn’t silenced by its own webmail product.

This situation, according to Kaspersky bods this week, is being exploited by scam artists to lob spam, phishing pages, and links to malware-flinging websites at netizens, in some cases without triggering Gmail’s defenses.

“The spammer’s main task is to bypass the spam filter and deliver email to your inbox,” Kaspersky analyst Maria Vergelis helpfully reminded us. “As it happens, Google services often send email notifications to Gmail inboxes — and Google’s antispam module avoids flagging notifications from its own services as spam.”

Because Google usually allows these kinds of notifications through, scammers have found they can schedule a load of events in Google Calendar, inviting Gmail users en masse, and, when the set time draws near, generate a wave of reminders that include spam, phishing links, and so on, at least some of which slips through Gmail’s filters.

For example, the scammer could send a block of Gmail users a Calendar invite with the description being a link to a fake banking site. Rather than catch and filter out the e-nasty, Gmail would let the notification through and, when the person clicked the link, they would then go to the phony bank page. If the recipient has Calendar set to automatically accept invites, they would even get a pop-up notification of the spam message.

It is not only Calendar that is being gamed by scam artists. Vergelis noted that Google Photos is also a popular method for evading filters. In that case, the spam would either be placed within the image file or its description – for example, the image could be a picture of a check and the description would be instructions on how to claim it, which would typically involve handing over personal information for nothing in return.


Again, thanks to Google’s overly slick sharing features, the recipient would get a notification in their Gmail inbox that they had a shared photo waiting for them, and the spam itself would be delivered without being troubled by a filter. Additionally, Kaspersky’s team said Google Forms is being used to serve up fake surveys that harvest personal information, and Google Drive is being abused to host phishing pages, malware, and ad pages.

Even Google Analytics is being turned into a tool for criminals. Vergelis said her team reported seeing businesses targeted with visitor statistics PDF files containing the spammer’s links or information. In short, pretty much any Google service that integrates with Gmail can and will be abused to get as much spam into your inbox as possible, and the same goes for other services like Facebook and Twitter that allow users to send each other event notifications.

“The main problem is that messages sent through a legal service are assigned its standard headers, so spam filters often view them as harmless,” Vergelis explained. “And spam subjects vary widely, so interception requires a high threshold level in the spam filter, which can lead to excessive false positives. Spammers take advantage of this to exploit public services for their own purposes.”

In response to Kaspersky’s findings, a Google spokesperson provided the Russian antivirus biz the following statement, which was shared with El Reg:

“Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse.

“Combating spam is a never-ending battle, and while we’ve made great progress, sometimes spam gets through. We remain deeply committed to protecting all of our users from spam: we scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts.

“In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome’s Safe Browsing filters.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/11/google_kaspersky_gmail_spam/

Suppliers Spotlighted After Breach of Border Agency Subcontractor

Attackers increasingly use third-party service providers to bypass organizations’ security. The theft of images from US Customs and Border Protection underscores the weakness suppliers can create.

US Customs and Border Protection (CBP) officials announced on Tuesday that an initial investigation into the breach of a subcontractor that maintains databases of photos indicated the leak involved images of fewer than 100,000 people. 

The announcement is the first assessment of the impact of the breach, disclosed by the border security agency on June 10. The incident involved a CBP contractor, which had — in violation of CBP policies — copied sensitive files of border crossings and stored images of license plates and travelers on an insecure computer. The agency stressed that its computer systems and infrastructure were not involved in the attack.

“Photographs were taken of travelers in vehicles entering and exiting the United States through a few specific lanes at a single land border Port of Entry over a 1.5 month period,” CBP said in a statement. “No other identifying information was included with the images.”

The breach is yet another incident reminding companies and government organizations to regularly assess the security of their suppliers. Earlier this month, LabCorp and Quest Diagnostics were notified by AMCA, their supplier of debt collection services, that information on nearly 20 million of their customers had been potentially compromised by attackers. And in April, Mexican media firm Cultura Colectiva inadvertently leaked 540 million records from Facebook users because it did not protect the Amazon S3 container on which it stored the data.

“It is critical that organizations prioritize the security and access controls of their vendors, providers, and partners,” said Sherrod DeGrippo, senior director of threat research and detection at data security firm Proofpoint. “These groups regularly handle sensitive data and must be examined by organizations thoroughly as they have the same culpability as the organization itself.”

DeGrippo recommends that subcontractors’ security posture be regularly reviewed and threat profiles created to establish needed defenses.

CBP did not name the latest subcontractor. Yet earlier in May, an attacker breached the network of government contractor Percepsys, a maker of license plate scanning and recognition systems, posting more than 65,000 files online, according to a May 23 article in The Register.

In its statement, however, CBP stressed it has not seen any malicious use of the data to date. “As of today, none of the image data has been identified on the Dark Web or Internet,” the agency’s spokesperson said in a statement.

The breach notification comes at a time when the CBP is expanding its technologies used to track travelers, including facial recognition, license plate identification, and social media tracking. Pointing to the current breach, the American Civil Liberties Union (ACLU) called the plans dangerous because government agencies and their contractors cannot keep such information safe.

“This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices,” said Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, in a statement. “The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.”

In 2015, the Office of Personnel Management discovered that the records of 25.7 million people had been stolen through a series of network intrusions, including into the systems of contractors.

In both breaches, because a government agency is involved and it is difficult to prove that the breaches caused harm, there will be little that consumers or citizens can do, said Robert Cattanach, a partner at the international law firm Dorsey Whitney.

“US Courts have been reluctant to award damages absent a showing of specific and concrete harm,” he said in a statement. 

Governments are finding it difficult to create policy to deal with the rapid advancement of technology.

“Rapidly evolving technology that collects vast amounts of individual data, coupled with the dramatic cultural differences between various countries that collect it, make this an even more challenging problem for individuals and their political systems to reconcile,” he said.

CBP is currently scrutinizing its subcontractor’s investigation into the breach, the agency said.

“CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor,” it said. “CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/attacks-breaches/suppliers-spotlighted-after-breach-of-border-agency-subcontractor/d/d-id/1334936?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cross-Site Scripting Errors Continue to Be Most Common Web App Flaw

In vulnerability disclosure programs, organizations are paying more in total for XSS issues than any other vulnerability type, HackerOne says.

Cross-site scripting (XSS) errors that allow attackers to inject malicious code into otherwise benign websites continue to be the most common web application vulnerability across organizations.

Bug bounty firm HackerOne recently analyzed data on more than 120,000 security vulnerabilities reported to organizations through the end of 2018 by the hacker community via public and private bug bounty programs. HackerOne’s customers classified the vulnerabilities and ranked the top 10 of them by impact, severity, and weakness type.

The analysis showed XSS to be the most common issue for most organizations, “even though the threat is often downplayed because it does not always lead to large-scale information breaches,” says Miju Han, director of program management at HackerOne.

“Our data tells a different story because companies pay out for XSS far more than they do for any other vulnerability class,” Han says. In fact, of the $55 million that bug hunters in HackerOne’s program have earned so far in total, some $8 million has been from reporting XSS vulnerabilities alone, she says. “XSS is important for companies to guard against. XSS is here to stay.”

HackerOne’s vulnerability analysis revealed other trends as well. The growing adoption of hybrid and multicloud environments, for instance, is putting organizations at increased risk from vulnerabilities such as server-side request forgery (SSRF). These are flaws that allow attackers to read, update, and modify internal resources and connect to services such as HTTP-enabled databases. Much of the exposure is the result of organizations that previously didn’t store data online now going all-in on cloud technologies without knowing how to protect their data first.

Information disclosure weaknesses in an application, such as a broken or missing control, are another category of security vulnerabilities that organizations are increasingly becoming exposed to as they adopt cloud environments.

HackerOne’s analysis showed that the security vulnerabilities that organizations are willing to pay the most for — on a per vulnerability disclosure basis — include SSRF, privilege escalation flaws, and insecure direct object reference (IDOR) issues that allow attackers to bypass authorization and access control measures.

Such flaws are not as commonly reported as XSS flaws. However, many companies actively give incentives to hackers to search for them because of the risk they pose, according to HackerOne’s report summarizing its findings. Other low-volume but high-impact web application security flaws for which organizations are willing to pay more include business logic errors and code injection errors.

Interestingly, only four of the vulnerabilities in HackerOne’s top 10 list are also on OWASP’s top 10 list — a resource that many organizations use to identify top risks. The overlapping flaws include XSS, information disclosure, and code injection errors. But some security vulnerabilities, like XML external entities (XXE) flaws, which rank fourth in OWASP’s Top 10, are nowhere to be found on the HackerOne list.

The reason for the difference is that HackerOne’s list represents real-world security risks and not just vulnerabilities ranked by volume, Han says.

“Companies are awarding bounties for these vulnerabilities because they could actually have substantial impact on their businesses,” she notes. “Our data tells the story of which attack vectors hackers are most likely to employ and then which attack vectors are the most valuable to companies.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/cross-site-scripting-errors-continue-to-be-most-common-web-app-flaw/d/d-id/1334935?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FBI Warns of Dangers in ‘Safe’ Websites

Criminals are using TLS certificates to convince users that fraudulent sites are worthy of their trust.

One of the most common mechanisms used to secure web browser sessions — and to assure consumers that their transactions are secure — is also being used by criminals looking to gain victims’ trust in phishing campaigns. The FBI has issued a public service announcement defining the problem and urging individuals to go beyond simply trusting any “https” URL. 

Browser publishers and website owners have waged successful campaigns to convince consumers to look for lock icons and the “https:” prefix as indicators that a website is encrypted and, therefore, secure. The problem, according to the FBI and security experts, is that many individuals incorrectly assume that an encrypted site is secure from every sort of security issue.

Craig Young, computer security researcher for Tripwire’s VERT (vulnerability and exposure research team), recognizes the conflict between wanting consumers to feel secure and guarding against dangerous over-confidence. “Over the years, there has been a battle of words around how to communicate online security. Website security can be discussed at a number of levels with greatly different implications,” he says.

“On its own, however, the padlock does not actually confirm that the user is actually connected with a server from the business they expect,” Young explains. “Unfortunately, there is still no solid solution for empowering the general public to discern phishing or scam sites with 100% effectiveness.”

In the FBI’s PSA, the bureau points out that criminals are increasingly incorporating website certificates in phishing email messages impersonating known companies and individuals. The trustworthy-looking URLs take the victims to pages that seek sensitive and personal information.

“This isn’t new; cyber criminals have been orchestrating these kinds of phishing campaigns for several years,” says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. He explains, “In 2017, security researchers uncovered over 15,000 certificates containing the word ‘PayPal’ that were being used in attacks. Since then it’s become clear that bad actors have an entire supply chain in place on the dark web to get trustworthy TLS certificates to use in all kinds of malicious attacks.”

Bocek says that researchers have found definitive evidence of TLS certificates for sale on the dark web, with prices for highly trustworthy certificates reaching more than a thousand dollars. He sees greater visibility and transparency as key assets in fighting the proliferation of these “trustworthy” certificates used in fraudulent ways.

Other technologies may eventually provide additional weapons against the criminals. Young says, “In the long run, the best available solution to this problem is probably the use of newer standards like WebAuthN to prevent naïve users from inadvertently divulging site credentials to a phisher.”

The FBI’s PSA doesn’t recommend new technology, instead suggesting behavioral defenses against the phishing attacks. The Bureau recommends questioning the intent of email messages, confirming the authenticity of messages before divulging sensitive information, looking for misspellings or domain inconsistencies, and tempering the overall trust in a site simply because it displays a green lock icon.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities---threats/fbi-warns-of-dangers-in-safe-websites/d/d-id/1334930?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What 3 Powerful GoT Women Teach Us about Cybersecurity

Imagine Game of Thrones’ Daenerys Targaryen, Arya Stark, and Cersei Lannister on the front lines in the real-world battleground of enterprise security.

Season 8 of the award-winning and critically acclaimed HBO Game of Thrones series ended a long, exciting saga spanning almost a decade, keeping viewers spellbound by the citizens of Westeros and Essos. It was dominated by three powerful women: Daenerys Targaryen, Arya Stark, and Cersei Lannister. Each of these fictional leaders has a lesson for us in the real world of cybersecurity.

Lesson 1: Security policies shouldn’t lay waste to user productivity.
First is Daenerys Targaryen. As Daenerys evolves through the series — and gets kicked around by everyone — she finally gives in to her worst instincts. In the end, she unleashes her most formidable weapon, Drogon, her last dragon, in an epic example of overkill, burning to the ground the very center of power she coveted: King’s Landing and the Iron Throne. Cybersecurity leaders, who live day to day with the frustrations of managing enterprise security, can take a lesson from Daenerys in how to avoid implementing heavy-handed policies.

For example, if an employee triggers a security incident by opening an Excel file from an unknown email sender, you would never implement a total ban on the use of Excel. Similarly, punitive measures against users who repeatedly fail a phishing test would likewise not be a productive response. Nor would you excoriate the user for their stupidity, however tempting. You want the organization on your side, including your most valuable allies in the various lines of business and the C-suite. After all, you don’t need stealth IT to rise from the ashes of a scorched earth policy or an army of disgruntled users attacking your rear flank. Rather than chastising users or calling them out, help them by reinforcing the value of security training.

Lesson 2: Value your eccentrics and white hat hackers.
Up next is Arya Stark, who wields a small sword in her left hand, is wolf-blooded, impulsive, and “always difficult to tame.” She offers a metaphor for staffing challenges in the face of ever-more-sophisticated criminals probing your attack surface with innovative new types of malicious code and delivery mechanisms. As defending your corporate networks becomes more and more of a black art, you need the small players and specialists like Arya who was bored by embroidery and other “lady-like” pursuits. These brilliant minds may be fascinated by cyber war and training in the use of technical arms. Also, like Arya, they may not care about the throne. They may not be ready for leadership roles but their specialized skills can be invaluable in key individual contributor roles.

What’s more, when you embrace diversity and welcome the nonconformist into your team, it could pay handsomely in knowledge and the building of problem-solving tools. An unconventional employee, for example, might be the penetration tester who saves you when hackers launch what amounts to your cyber battle of Winterfell. Seek out the strengths of your analysts; that person may have the ability to think like a criminal or a bad actor, and may even have the cybersecurity equivalent of a Valyrian steel dagger up her sleeve when it’s needed.

Lesson 3: Be careful when you engage your adversary by hacking back.
Hail Cersei Lannister, the First of Her Name and Protector of the Seven Kingdoms — and our third and perhaps strongest woman leader in GoT. Well, at least she was until she made the fateful mistake of provoking Daenerys to attack King’s Landing by killing her friend, Missandei. We know that didn’t work out so well. It’s the same mistake many IT professionals make when they embark on offensive security: They underestimate the will and tenacity of the enemy, who often has little to lose.

The popularity of offensive hacking — counter-attacking a hacker as deterrence — is betrayed by the lack of offensive hacking courses available. So, consider well before taking your armies down this road. First of all, there are legal issues around hacking anyone — even a criminal or part of your own organization. An even more important consideration when triggering your cyber enemies: You have only a few people who are most likely already stretched thin defending a large attack surface. And on the other side of your firewall? There may be a provoked adversary with time, numbers, technology, and persistence on their side. Once you engage them, be prepared to survive an onslaught. Cersei, too, had a wall. But it didn’t offer much protection against a flying, fire-breathing dragon, and an endless stream of the Unsullied and Dothraki.


Orion Cassetto, senior product maester at Exabeam, has nearly a decade of experience marketing cybersecurity and web application security products. Prior to Exabeam, Orion worked for other notable security vendors including Imperva, Incapsula, Distil Networks, and Armorize …

Article source: https://www.darkreading.com/cloud/what-3-powerful-got-women-teach-us-about-cybersecurity--/a/d-id/1334906?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Have I Been Pwned’ Is Up for Sale

Troy Hunt, who has been running HIBP solo for six years, launched “Project Svalbard” so the site can evolve with more resources, funding, and support.

Troy Hunt is seeking a buyer for Have I Been Pwned (HIBP), the online service he built to inform consumers and businesses of compromised data.

Hunt founded HIBP in 2013, around the time data breaches were ramping up, to help people learn when their usernames and passwords were compromised in a breach and how many times their credentials had been exposed. In the six years since, HIBP has grown to include nearly 8 billion breached records and about 3 million subscribers, Hunt said in a blog.

Commercial subscribers rely on HIBP to alert members of identity theft programs when their data is found in a breach, enable security companies to provide services to their customers, protect large online assets from credential-stuffing attacks, and prevent fraudulent purchases. Global governments use it to protect departments; law enforcement uses it in investigations.

As data breaches have grown in size, number, and complexity, Hunt continued to manage the site solo, updating HIBP with breached records and alerting victims. But things reached a turning point in January with the Collection #1 breach: Hunt, himself, discovered 87 GB worth of data in a folder containing 12,000-plus files, nearly 773 email addresses, and more than 21 million unique passwords from data breaches going back to 2008. He uploaded it all to HIBP; since then, the site has seen a massive influx in activity, taking him away from other responsibilities.

But Hunt also acknowledged the need for support was a long time coming. “Each and every disclosure to an organisation that didn’t even know their data was out there fell to me (and trust me, that’s massively time-consuming and has proven to be the single biggest bottleneck to loading new data),” he wrote. Further, he handled every media interview, support request, and task needed to run HIBP. Hunt was the single point of failure, which he said had to change.

The acquisition is dubbed Project Svalbard (named for the world’s largest seed bank, in Norway), and Hunt is working with KPMG to find a buyer. He plans to remain with HIBP following the acquisition and continue to build new capabilities into the platform.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/have-i-been-pwned-is-up-for-sale/d/d-id/1334932?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Issues Fixes for 88 Vulnerabilities

Four of the flaws are publicly known but none have been listed as under active attack.

Microsoft today patched 88 software vulnerabilities and issued four advisories as part of its monthly Patch Tuesday update. Four are publicly known; none have been seen exploited in the wild.

The June fixes released today cover a broad range of products and services including Microsoft Windows, Internet Explorer, Edge, Office, Office Services and Web Apps, ChakraCore, Skype for Business, Microsoft Lync, Exchange Server, Azure, and SQL Server. Twenty-one patches were deemed Critical in severity, 66 are categorized as Important, and only one is ranked Moderate.

While none of the bugs patched this month are under active attack, this is an especially large batch of fixes.

Here are some of the noteworthy bugs in Microsoft’s June roundup.

Publicly known vulnerabilities were disclosed by security researcher SandboxEscaper via Twitter last month: CVE-2019-1053 (sandboxescape) is a flaw in the Windows Shell that could allow elevation of privilege on affected systems by escaping a sandbox; it affects all Windows operating systems. CVE-2019-1069 (BearLPE), an elevation of privilege vulnerability in Windows Task Scheduler, exists in the way Task Scheduler Service validates some file operations.

Other publicly known bugs include CVE-2019-0973 (InstallerBypass), which occurs when the Windows Installer fails to properly sanitize input, leading to an insecure library loading behavior. An attacker could exploit this to run malicious code with elevated privileges. CVE-2019-1064 (CVE-2019-0841 BYPASS) could also be used to elevate privileges on target systems.

Exploits for all of these were posted on GitHub by the researcher, who had published zero-days in the past. When the bugs were publicly disclosed in May, researchers predicted the likelihood of danger was low; still, there remained a chance the code would be integrated into malware. Even though the proof-of-concept code was posted online, this didn’t happen.

Remote code execution (RCE) vulnerabilities were common. Three Critical vulnerabilities patched were Hyper-V RCE bugs (CVE-2019-0620, CVE-2019-0709, CVE-2019-0722). This stood out to Jimmy Graham, Qualys’ senior director of product management. All would let an authenticated user on a guest system run arbitrary code on the host. While Microsoft says exploitation is less likely, he says “these patches should still be prioritized for Hyper-V systems.”

Also patched today were CVE-2019-1019, a Windows Security Feature Bypass Vulnerability, and CVE-2019-1040, a Windows NTLM Tampering Vulnerability. Both were reported by Preempt.

Greg Wiseman, senior security researcher with Rapid7, calls CVE-2019-1019 a “nasty-looking” bug that could enable an attacker to steal a session key using a specially crafted NETLOGON message; with that key, they could access other systems by posing as the original user, he says. Preempt’s researchers found that although domain controllers would deny requests if the expected machine name differed from the one that established the secure channel, the controllers would accept requests if the computer name field was missing altogether, they explain in a blog post.

As for CVE-2019-1040, Preempt researchers bypassed the Message Integrity Code (MIC) protection in NTLM authentication and could change any field in the NTLM message flow. The bypass could let an attacker relay authentication attempts that have negotiated signing to another server while removing the signing requirement. All servers that don’t enforce signing are vulnerable.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/microsoft-issues-fixes-for-88-vulnerabilities/d/d-id/1334934?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers crack digital safe using HSM flaw

Two French researchers have found a bug in a hardware security module (HSM) that, if exploited, could enable an attacker to steal an organization’s most highly prized secrets.

An HSM is a physical security device that stores a range of secrets, including the digital keys used in encryption. It acts as a digital safe for secrets used in a variety of situations.

HSMs are used to store the digital keys used in certificates during public key encryption, for example, or in card payment systems. Even hardware-based cryptocurrency wallets use them. In short, these are devices designed to keep secrets under physical lock and key in very sensitive situations when software solutions simply won’t do.

An insecure HSM is a big deal.

Jean-Baptiste Bédrune and Gabriel Campana, both researchers at French security company Ledger, published the details of the hack in a technical paper (written in French). They will be presenting their research at the English-speaking BlackHat Las Vegas conference in August. Cryptosense analysed it to work out what they did.

The HSM in this case, which comes from an unnamed vendor, is a card that can be plugged into a computer’s PCIe bus. It is certified to level 3 of the US government’s FIPS 140-2 standard.

The researchers found that the firmware built into the module was signed, but not encrypted. This meant that they could analyze how it worked, and they found that it allowed them to upload and run additional custom code.

They used the software development kit (SDK) provided with the HSM to upload a custom firmware module to the unit. This gave them access to a shell inside the HSM that they could use to run a debugger and analyze the inner workings of the unit.

From there, they ran a fuzzer, which sends a large number of queries to the HSM’s PKCS #11 API. PKCS #11 is a cryptographic API standard originally created by RSA. They hit the API with a large number of parameter variations, looking for inputs that might throw the HSM into an unstable state. These tests uncovered several buffer overflow bugs that they could trigger by sending the HSM certain commands.

The researchers were able to write a module that they could run as unsigned custom firmware on the HSM that enabled them to dump all its secrets. They could recover keys, read secrets directly from the HSM’s memory, and dump the contents of the module’s flash storage, including its decryption key. The paper, translated from French, says:

The content is then decrypted offline, revealing all the secrets contained in the HSM. The exploit is a simple binary to run on the host.

Because the firmware is stored on its 64Mb flash memory, it is also persistent; you can’t get rid of it by simply rebooting the HSM.

The researchers have already sent the details of the bug to the vendor and the system has since been patched. However, it’s entirely possible (and likely) that many of these systems are still out there and exploitable in the wild.

Apparently, in the digital world as in the physical one, safe cracking is alive and well.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gJknsLIvLJQ/

It’s a SCAM: Send Bitcoin or your company’s reputation is TOAST!

My my, 19ckouUP2E22aJR5BPFdf7jP2oNXR3bezL, you’ve been a busy little Bitcoin blackmail scam wallet, haven’t you?

According to the Bitcoin Abuse Database, since at least late last month, that’s the Bitcoin wallet that somebody’s been telling people to send money to, lest their websites’ reputations get ruined.

Here’s the TL;DR version, as summed up by the first recipient of the blackmail extortion message to report it to the database:

Full-throttle garbage details

And here are the details: The extortion is coming from spoofed email addresses and threatening to rain down locusts and hellfire and halitosis unless the recipient sends the blackmailer 0.3 BTC (US $2,385.37).

If you don’t send the money, the extortionist threatens, they’ll send millions of emails from your domain, leave boatloads of derogatory reviews about your site, and spoof your domain so as to submit foul messages to other people’s contact forms.

It’s a full-service reputation-ruining package aimed at your site and its/your reputation. Here’s the full text of the threat:

Hey. Soon your hosting account and your domain xxx.nl will be blocked forever, and you will receive tens of thousands of negative feedback from angry people.

Here is a list of what you get if you don’t follow my requirements:
+ abuse spamhouse for aggressive web spam
+ tens of thousands of negative reviews about you and your website from angry people for aggressive web and email spam
+ lifetime blocking of your hosting account for aggressive web and email spam
+ lifetime blocking of your domain for aggressive web and email spam
+ Thousands of angry complaints from angry people will come to your mail and messengers for sending you a lot of spam
+ complete destruction of your reputation and loss of clients forever
+ for a full recovery from the damage you need tens of thousands of dollars

Do you want this?

If you do not want the above problems, then before June 1, 2019, you need to send me 0.3 BTC to my Bitcoin wallet: 19ckouUP2E22aJR5BPFdf7jP2oNXR3bezL

How do I do all this to get this result:
1. I will send 30 messages to 13 000 000 sites with contact forms with offensive messages with the address of your site, that is, in this situation, you and the spammer and insult people. And everyone will not care that it is not you.
2. I’ll send 300 messages to 9,000,000 email addresses and very intrusive advertisements for making money and offer a free iPhone with your website address xxx.nl and your contact details. And then send out abusive messages with the address of your site.
3. I will do aggressive spam on blogs, forums and other sites (in my database there are 35 978 370 sites and 315900 sites from which you will definitely get a huge amount of abuse) of your site xxx.nl. After such spam, the spamhouse will turn its attention on you and after several abuses your host will be forced to block your account for life. Your domain registrar will also block your domain permanently.

A twist on sextortion scams

This is basically just a twist on the sextortion scams we’ve been writing and talking about over the past few months.

While sextortion combines sex and extortion, with online crooks claiming to have embarrassing pictures of you that they threaten to send to friends and family, this new scam instead focuses on the reputation of your site. It’s easy to see how individuals or businesses might well take that threat seriously, given how much money is at stake when you’re talking about reputation.

You haven’t been hacked

Just like with sextortion scams, these reputation extortion scams don’t mean you’ve been hacked.

Could an attacker do everything that this one is claiming they’ll do? Yes, but it sounds like an awful amount of work, doesn’t it? Given how many targets this is getting spammed out to – the Bitcoin Abuse Database shows that these are no targeted emails but are instead being received by loads of people, in waves – well, it sounds more like wishful thinking than a carefully plotted attack. If an attacker really could hijack an account, wouldn’t they just do it and then demand ransom?

The threat is a pack of lies. It’s also a sign that digital extortion scammers are trying something new, as they always are. For example, we’ve seen them try to evade blocklists and spam filters by doing things like writing out their emails, taking a screenshot, and pasting it into the message body. Then they’ll stick in a QR code for the Bitcoin address you’re supposed to send funds to. Wouldn’t want to discourage their targets by the inability to cut and paste a gnarly Bitcoin address!

In other, arguably more convincing, attacks, we’ve also seen extortionists claim to have what’s purportedly one of “your” passwords. It’s meant to make their claims to have hijacked your system all the more credible.

They haven’t. What they’ve done is they’ve used a list of breached or most commonly used passwords. Sooner or later they’ll spam somebody who truly did use that password, and that person will possibly panic and send in the money.

Yet another reason not to reuse passwords!

What to do?

Into the trash with it. It’s 100% bunk!
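The article’s advice is to bin these messages. For a mail team that wants to do that automatically and still capture the wallet for a report to the Bitcoin Abuse Database, here is an added example in Python; it is not code from Naked Security or from the abuse database. It pulls candidate Bitcoin addresses out of a message, rejects any that fail the Base58Check checksum so a mangled string is never reported, and scores the threat vocabulary quoted above. The phrase list, weights and thresholds are assumptions made for illustration; the sample message is constructed from the quoted e-mail and uses the wallet address the article names.

```python
"""Inbox triage for Bitcoin extortion mail (added example; not from the article)."""
import hashlib
import re

# Bitcoin's Base58 alphabet: no 0, O, I or l, so those never appear in an address.
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy (P2PKH / P2SH) addresses start with 1 or 3 and are 26-35 characters long.
ADDRESS_RE = re.compile(r"\b[13][" + BASE58_ALPHABET + r"]{25,34}\b")

# Vocabulary taken from the scam text quoted in the article. The weights are an
# assumption for this example, not a tuned model.
EXTORTION_PHRASES = {
    "negative feedback": 1,
    "negative reviews": 1,
    "spamhouse": 2,                      # the scam's misspelling of Spamhaus
    "blocked forever": 2,
    "block your account": 2,
    "block your domain": 2,
    "destruction of your reputation": 3,
    "send me": 1,
    "btc": 1,
    "bitcoin wallet": 2,
}

DEADLINE_RE = re.compile(r"before\s+[A-Z][a-z]+\s+\d{1,2},\s*\d{4}")
AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*BTC", re.IGNORECASE)


def base58check_valid(addr: str) -> bool:
    """True if addr is a 25-byte Base58Check string whose double-SHA256 checksum matches."""
    n = 0
    for ch in addr:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:                      # character outside the alphabet
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a leading zero byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * pad + body
    if len(raw) != 25:                   # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def triage(message: str) -> dict:
    """Score a message and pull out the artefacts worth reporting (wallet, amount, deadline)."""
    text = message.lower()
    score = sum(w for phrase, w in EXTORTION_PHRASES.items() if phrase in text)
    wallets = [a for a in ADDRESS_RE.findall(message) if base58check_valid(a)]
    amount = AMOUNT_RE.search(message)
    deadline = DEADLINE_RE.search(message)
    if wallets and score >= 5:
        verdict = "extortion-scam"
    elif wallets or score >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "score": score,
        "wallets": wallets,
        "btc_demand": float(amount.group(1)) if amount else None,
        "deadline": deadline.group(0) if deadline else None,
    }


# Constructed sample, condensed from the scam e-mail quoted above; the wallet is
# the one the article names.
SAMPLE = """Hey. Soon your hosting account and your domain example.nl will be blocked forever,
and you will receive tens of thousands of negative feedback from angry people:
abuse spamhouse for aggressive web spam, lifetime blocking of your domain,
complete destruction of your reputation and loss of clients forever.
If you do not want the above problems, then before June 1, 2019, you need to
send me 0.3 BTC to my Bitcoin wallet: 19ckouUP2E22aJR5BPFdf7jP2oNXR3bezL
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The checksum step matters more than it looks: the same scam family is also sent as screenshots and QR codes, so any address a filter recovers by OCR or decoding should be validated before it is pushed to a blocklist or an abuse report. A simple keyword score like this one is a triage aid for a human reviewer, not a replacement for the mail gateway’s spam verdict.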

Find out more about the common traits in extortion scams


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QbO3ajh7X7k/