STE WILLIAMS

More security vulnerabilities were publicly disclosed in the first quarter of this year than in any previous three-month period.

Troublingly, nearly four-in-10 (38.2%) of them currently have no known fixes, according to Risk Based Security, which recently analyzed vulnerability data for the firts quarter of 2019 collected from its own proprietary search engine and from various security vulnerability-reporting sites.

The analysis showed a total of 5,501 vulnerabilities were disclosed via coordinated and uncoordinated disclosures during the first three months of this year. Nearly 38% of the vulnerabilities currently have publicly available exploits.

The total number vulnerabilities in Q1 2019 was about 1% higher than the 5,375 recorded in the same period last year, and is the highest ever in a quarter since Risk Based Security began conducting these studies. Web-related vulnerabilities as usual accounted for most (56.8%) of the reported vulnerabilities last quarter—an almost 10% increase from Q1 of 2018.

“Vulnerability disclosures continue to rise, and will continue to rise every year,” says Brian Martin, vice president of vulnerability intelligence at Risk Based Security. The trend highlights the need for organizations to have vulnerability mitigation plans and processes that go beyond just patching, he says.

“With some days seeing hundreds of disclosures, IT simply cannot patch all the vulnerabilities right away,” Martin notes. They need to triage that process and prioritize the high-impact vulnerabilities using more than just the risk rating provided by vendors and others. “They need to make more informed decisions based on their own deployment, availability of exploits, and more,” he notes.

Product Integrity

Sixty-three percent of the security vulnerabilities disclosed last quarter affected product integrity. Bugs that fall into this category include those that enable data manipulation, SQL injection, and code execution. Over half could be attacked remotely and one-third were user-assisted or context-dependent, meaning the ability for attackers to exploit these flaws depended on user actions and specific context.

Risk Based Security’s analysis showed that some 14% of the vulnerabilities that were disclosed last quarter were critical, with severity ratings of 9 or higher on the CVSS scale. Typically, these are bugs that are remotely exploitable, provide unauthenticated access, or give attackers a way to gain root access to a critical system or data. Thirteen percent of the reported flaws last quarter could only be exploited if attackers had local access to a system or a device.

Somewhat ominously for organizations, a higher-than-usual proportion of the vulnerabilities that were disclosed last quarter (38.2%) have no current fixes. In fact, only 60.8%–or 3,275—of the disclosed vulnerabilities have either an updated software version or a patch available. The number of vulnerabilities with available fixes last quarter was some 13.5% lower compared to Q1, 2018.

Martin says many of the vulnerabilities for which there are no fixes were disclosed by security researchers through channels outside the vendor’s purview. 

“If they release via an exploit site, their own blog, or anywhere else that a vendor doesn’t know to look, they wouldn’t be aware of it and know to start working on a fix,” Martin says.

In addition to such uncoordinated disclosures, researchers sometimes release vulnerability details publicly if they perceive the vendor as being too slow to issue a fix for it.

Also, there are some security vulnerabilities reported in projects that are abandoned and will not be updated and therefore no fix is available, Martin says.

Related Content:

• More Than 22,000 Vulns Were Disclosed in 2018, 27% Without Fixes
• Exploits for Adobe Vulnerabilities Spiked in 2018
• Orgs Are Quicker to Disclose Breaches Reported to Them Via External Sources
• Effective Pen Tests Follow These 7 Steps

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/application-security/q1-2019-smashes-record-for-most-reported-vulnerabilities-in-a-quarter/d/d-id/1334757?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A malware infection on a laptop can be troublesome or devastating: But is it art? Yes, according to artist Guo O Dong. The Persistence of Chaos, an art installation currently being auctioned (with a high bid, as of press time, of more than $763,000), features a laptop computer infected with a half-dozen pieces of malware: ILoveYou, MyDoom, SoBig, WannaCry, DarkTequila, and BlackEnergy.

According to the website for the piece, the malware included is responsible for at least $95 billion worth of damage worldwide. The intent of the piece, according to Dong, is to “…see how the world responds to and values the impact of malware.”

The installation features a Samsung laptop running Windows XP. The machine is physically isolated and air-gapped so that there is no risk of the malware being spread outside the installation to the Internet as a whole, according to security firm Deep Instinct, the firm assisting the artist with the installation.

Read more here.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/artist-uses-malware-in-installation/d/d-id/1334759?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The age of digital government is upon us. Consider the following:

• Roughly 92% of American taxpayers filed their tax returns electronically in 2017 — that adds up to more than 126 million Americans. These are impressive numbers considering that only 67% of taxpayers e-filed a decade ago and 31% in 2001.
• More than 34 million Americans conduct their business with the Social Security Administration online.
• About 8.5 million people enrolled in individual health plans for 2019 through the HealthCare.gov website.
• More than 702,000 patients received healthcare through Veterans Affairs Department telehealth programs in 2016. That number appears to be rising steadily.
• Grants.gov processes roughly a quarter-million federal grant submissions to distribute more than $100 billion in grants annually.
• The US Census will conduct its first online decennial census next year. The outcome will be used to reapportion representation in Congress and distribute more than $675 billion per year in federal funds to support schools, hospitals, roads, public works, and other vital programs.

It’s clear that we finally have a digital government, and the government will continue to increase its use of digital services. Therefore, agencies must take steps to ensure that citizens’ trust and confidence in the security and reliability of those digital channels is high. 

However, surveys show that the public remains skeptical. A 2017 survey by the Pew Research Center showed that half of the respondents lacked confidence in the federal government’s ability to protect their data. So, although millions of Americans are conducting online transactions with the government every day, many are still uneasy about it.  

Even CEOs are concerned. According to an Accenture survey, 90% say a trustworthy digital economy is critical to their organization’s future growth, but only 30% are very confident in the security of the Internet. And this is forecast to decline to 25% slowly over the next five years.

As a nation, we are investing billions of modernization dollars to deliver and execute more government services digitally. We must be sure that these digital services are resilient, enabling trust, by building security into those services from the ground up. Citizens must trust that their digital interactions with government are secure, safe, and authentic. Without that trust, basic government functions will be questioned, and the effectiveness and efficiencies that modern, digital capabilities promise to deliver will be put at risk.

The following steps can help ensure that federal IT modernization efforts result in platforms and systems that are highly secure and resilient to cyberattacks:

• Bake security into the design, architecture, and application of modernization efforts.
• Design assets to be cyber resilient and therefore difficult to attack, minimizing the impact and potential loss when an event happens and continuously delivering the intended capability — no matter what.
• Leverage software-defined networking, which makes network pathways harder to find and attack.

Another important consideration is the governance, strategies, operating models, and policies that drive our cyber behaviors and activities. Some of those include:

• Providing governance and standards for the global community’s approaches and responses to security threats.
• Establishing minimum security standards for Internet of Things-related devices in the global marketplace.
• Leading international conversations over how individuals, organizations, and nations should be expected to behave on the Internet and decide on the appropriate response protocols when codes of conduct are violated.

By pursuing and aligning the right investments, decisions, and actions today, federal leaders can not only better protect federal digital operations, they can also help drive a trust turnaround for American citizens that will power the next phase of digital government.

Related Content:

• 8 Steps Toward Safer Elections
• US Government Cybersecurity at a Crossroads
• How We Collectively Can Improve Cyber Resilience

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Gus Hunt is Managing Director and Cyber Strategy Lead for Accenture Federal Services. He is responsible for developing differentiated approaches to dealing with the cyber threat environment and growing AFS’s cyber practice. Before joining AFS, Hunt was chief architect and the … View Full Bio

Article source: https://www.darkreading.com/endpoint/a-trustworthy-digital-foundation-is-essential-to-digital-government/a/d-id/1334680?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Another day, another unsecured database. An unprotected Elasticsearch database exposed information belonging to eight million people in the United States who submitted their personal details as part of online sweepstakes entries, surveys, and free product sample requests.

Survey websites typically offer samples, prizes, or contest entries in exchange for personal data that’s later used in marketing campaigns, BleepingComputer reports. The information collected by one organization was kept in an Elasticsearch database, which was found unprotected by security researcher Sanyam Jain. It contained data including the full names, physical and email addresses, phone numbers, birthdates, gender, and IP addresses of individuals who entered their info on survey sites.

Further investigation by Jain showed the site belonged to PathEvolution, an online marketing firm owned by Ifficient, another marketing company. Ifficient secured the database when contacted by Amazon, which Jain reached out to when contacting PathEvolution proved difficult. The business says it doesn’t capture or store social security numbers, drivers license numbers, state ID numbers, or financial account or payment card numbers in its database.

Ifficient also reports that due to a high number of duplicate records, the amount of records affected is lower than the 130 million that Jain saw in the Elasticsearch database.

Read more details here.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/exposed-elasticsearch-database-compromises-data-on-8m-people/d/d-id/1334747?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

In a week when multiple vulnerabilities made headlines, a standout was CVE-2019-0708: a critical remote code execution (RCE) bug in Windows’ Remote Desktop Services (RDS), formerly Terminal Services, affecting several in-support and out-of-support versions of Windows.

Microsoft reports that the RCE flaw, which has not yet been seen exploited in the wild, could be weaponized as a worm if exploited. The vulnerability is pre-authentication and requires no user interaction. Any future malware could propagate from vulnerable computer to vulnerable computer, similar to the way WannaCry spread to machines around the world in 2017.

How it works: once authenticated, attackers could connect to a target system via Remote Desktop Protocol (RDP) and send specially crafted requests. RDP is not vulnerable but it is part of the attack chain. If successful, the attacker could execute malicious code on the target system; install programs; view, edit, or delete data; or create new accounts with full user rights.

The fear of cybercriminals writing exploits for the bug prompted Microsoft to release security fixes and workarounds for older versions of Windows: Windows 2003 and XP in addition to still-supported Windows 7, Server 2008, and Server 2008 R2. In a blog post on the update, Simon Pope, director of the Microsoft Security Response Center (MSRC), called the out-of-band patch “unusual” and emphasized businesses to patch all affected systems as quickly as possible to prevent an attack.

But while a legacy patch may be rare for Microsoft, it’s with good reason: many companies still run older versions of Windows due to the complications and challenges of system upgrades. And leaving those systems without a patch for the new, wormable RCE flaw would leave them exposed to possible such attacks.

After Microsoft disclosed the flaw, Alert Logic researchers scanned more than 4,000 customer sites to determine which were vulnerable. Of those, they found 61% of workloads run Windows 7 and Windows 2008, and 2.4% run Windows XP and 2003 – meaning nearly two-thirds of all businesses included are using older or unsupported versions of the operating system.

“One of the reasons that small and medium sized businesses were particularly affected is due to the fact that these organizations are more likely to run older systems, as their budgets and staffing constraints make it harder to upgrade,” says Rohit Dhamankar, vice president of threat intelligence products at Alert Logic, adding that constant monitoring for them is “essential.”

Kelly White, founder and CEO at RiskRecon, says it’s “highly likely” cybercriminals are developing an exploit for this particular bug. Similar to the flaw exploited in the WannaCry campaign, CVE-2019-0708 has several traits to motivate attackers: exploitation yields remote system compromise, the service is commonly exposed online, it is remotely exploitable, and it doesn’t require authentication to execute. A RiskRecon analysis of 10,000 companies showed 13% operate RDP on Internet-facing systems, putting them at higher risk for attack.

“Due to those factors, it’s the perfect combination that motivates security researchers and exploit writers to write the exploit code for this, because a lot can be gained,” he explains. “For the hackers, it’s gold.”

As we saw with WannaCry, thousands of legacy systems remain unpatched because they’re running fragile software stacks nobody wants to touch, notes, Satya Gupta, cofounder and CTO at Virsec. But patching is always slower and more difficult than organizations want to admit because it’s a disruptive process and can cause unintended problems. While businesses should act on Microsoft’s alerts as soon as possible, there remain issues for “unpatchable” systems.

For Industrial Control Systems, Patching is Perilous

“Microsoft used a few key words in their advisory that should get everyone’s attention: WannaCry, worm, pre-authentication, and remote code execution,” says David Atch, vice president of security research at CyberX, a Boston-based IoT and ICS security company. In a recent analysis of traffic from more than 850 production OT networks, CyberX found 53% of websites were still running outdated versions of Windows, including Windows XP and 2000. Forty percent of industrial sites have at least one direct connection to the Internet.

Industrial firms will remember the damage caused by WannaCry, which “spread like wildfire” and disrupted production at Boeing, Honda, Nissan, Renault, FedEx, and Telefonica, he adds. CVE-2019-0708 gives attackers the ability to install backdoors, ransomware, and cryptomining malware on ICS/SCADA systems to disable safety controllers or shut down manufacturing lines. Many industrial companies rely on RDS to give remote operators and engineers access to control system environments. An attacker could target one machine to install code that could wreak havoc across the network.

“ICS environments are at greater risk of attackers exploiting this vulnerability due to such environments operating older Windows systems and systems that receive less frequent updates,” explain Dragos intelligence analyst Selena Larson, and vulnerability analyst K. Reid Wightman, in a blog post on the bug. Engineering workstations, human machine interfaces, data historians, and OPC servers all run Windows, they point out.

Unlike most IT systems where “just patch” is frequent advice, Atch notes that patching ICS systems is a challenge because the process causes downtime and may being instabilities to production processes. “Upgrading to newer versions of Windows is also challenging because many of these systems are still running applications that were developed 10 or 15 years ago – especially in manufacturing environments – and upgrading them may cause applications to stop working, requiring access to developers that may no longer be available,” he says.

Atch recommends a risk-based approach, and to prioritize patching for Internet-facing systems and corporate jumpbox systems that provide secure remote access from the IT network to the ICS network. He also advises network segmentation of the OT network, and isolating the OT network from IT network, to prevent the spread of malware in the event of an attack.

Related Content:

• Microsoft Patches Wormable Vuln in Windows 7, 2003, XP, Server 2008
• New Intel Vulnerabilities Bring Fresh CPU Attack Dangers
• Microsoft Builds on Decentralized Identity Vision
• The 2019 State of Cloud Security

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/perimeter/when-older-windows-systems-wont-die/d/d-id/1334749?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

During the May 2 ransomware attack on their users, popular repository-service providers Atlassian, GitHub, and GitLab all rushed to analyze the origins of the incident and help their users recover. 

As part of the response, the security teams at the three companies began to share data on the attacks and how the attackers operated. The collaboration worked so well, in fact, that the companies plan to make it permanent, says Kathy Wang, director of security at GitLab. Among the ongoing collaboration, the companies will explicitly search for files stored in their users’ repositories that may contain credentials to the other services, she says.

“We realized that it was so much better for us to work together for the common good of the Git user community than stay siloed,” Wang says. “If we can work with them to report these types of things, we can do better security hygiene for our users.”

Sharing information on threats between competitors has increasingly become the norm, rather than the exception. Other industries have created information sharing and analysis centers (ISACs), and several subsectors of technology companies regularly share information — especially among groups of security firms — but this is the first time a group of developer-focused companies have banded together.

This week, Atlassian, GitHub, and GitLab posted to each of their sites the results of a joint analysis created through collaboration among the companies security teams.

“The security and support teams of all three companies have taken and continue to take steps to notify, protect, and help affected users recover from these events,” the joint blog post stated. “Further, the security teams of all three companies are also collaborating closely to further investigate these events in the interest of the greater Git community.”

On May 2, Atlassian, GitHub, and GitLab had to scramble to figure out whether the ransomware attack on their users meant that attackers had somehow breached their services. The repositories of approximately 1,000 users had been wiped and replaced with a ransom note, stating:

“To recover your lost data and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address [deleted] and contact us by Email at [email protected] with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your code public or use them otherwise.”

The three companies confirmed independently that in every case, the attackers compromised accounts using a variety of legitimate credentials. In addition to usernames and passwords, the attackers used application passwords, API keys, and personal access tokens, they said. Rather than reused credentials stolen in other breaches, the collection of passwords and keys likely came from repositories that inadvertently published files containing the secrets.

“Subsequently, the bad actor performed command-line Git pushes to repositories accessible to these accounts at very high rates, indicating automated methods,” the analysis stated.

Working together, the companies identified a file containing the collected credentials for about a third of the targeted developers. The so-called “credential dump” was hosted on the same online provider that was identified as the source of the attacks, the three companies discovered.  

As late as May 10, the attackers continued to systematically scan for credentials mistakenly stored in the configuration files for Git, the program that acts as the conduit between developers and the various repository services. The scan came from the same IP address as the account compromises, the analysis stated.

The attacks continue a trend among cybercriminals and nation-state actors in targeting developers. From compromising their systems, as in the case of the malware inserted into an update for Piriform’s CCleaner, to a series of attempts to poison open source projects, attackers are attempting to insert their code into the software supply chain, says Danny Grander, co-founder and chief security officer of software-security service Snyk.

“This is just one of the many ways that developers are the target,” he says. “There is a rise in open source packages that are malicious and the targeting of developers with simple spray-and-pray types of attacks.”

Developers should take their defense more seriously, Grander says. He and the three repository firms all say that would have prevented the ransomware attack. 

Meanwhile, Atlassian, GitHub, and GitLab will continue to share information with each other on attacks targeting repositories. The benefits of the collaboration became apparent during the response to the attack.

“As that whole initial exercise dissolved, we decided to permanently have a threat-intelligence sharing initiative between us,” GitLab’s Wang says. 

Currently, the companies just have a shared Slack channel, and that is working well for now, she said.

Related Content

• Password Reuse, Misconfiguration Blamed for Repository Compromises
• CCleaner Malware Targeted Tech Giants Cisco, Google, Microsoft
• Secure Code: You Are the Solution to Open Source’s Biggest Problem
• Third-Party Cyber-Risk by the Numbers

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/devops-repository-firms-establish-shared-analysis-capability/d/d-id/1334756?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple