STE WILLIAMS

Security Analysts Are Only Human

SOC security analysts shoulder the largest cybersecurity burden. Automation is the way to circumvent the unavoidable human factor. Third in a six-part series.

We all make mistakes sometimes, which is why we need to factor in human error as part of the cybersecurity process. This series explores the human element of cybersecurity from six perspectives of fallibility: end users, security leaders, security analysts, IT security administrators, programmers, and attackers. So far, we have addressed end users and security leaders. This week, we cover security analysts.

Security analysts work in dedicated security operations centers (SOCs) as part of a team, which often works in shifts around the clock, to prevent, detect, assess, and respond to cybersecurity threats and incidents. Security analysts are sometimes responsible for fulfilling and assessing regulatory compliance pertaining to security as well. While there are a variety of managed security service providers who handle SOC activities as an outsourced function, organizations — especially enterprises — often develop their own in-house capabilities to handle some, if not all, of the SOC work.

Typically, these security analysts are cybersecurity professionals responsible for reviewing and triaging alerts and for incident response. They can have expertise in network analysis, forensic analysis, malware analysis, and/or threat intelligence analysis. Their skill set is difficult to find; there is a well-publicized cybersecurity workforce shortage and, according to Cybersecurity Ventures, currently 0% unemployment in the industry. Security analysts usually report to cybersecurity managers, who assimilate SOC information and insights and deliver them to boards and C-level executives.

Common Mistakes
The average SOC receives 10,000 alerts each day from layers of monitoring and detection products. Some of the alerts reflect genuine attacks from an ever-growing number of threat actors of varying sophistication, but a significant percentage (in many cases upward of 80%) are false positives. With such an overwhelming barrage, it is almost inevitable that an analyst will eventually miss or ignore an alert, or fail to identify a high-priority alert because of “alert fatigue” or incorrect prioritization. Resource-constrained security analysts who may lack time, understanding, a well-trained eye, or in some cases motivation often triage fewer than 10% of incoming alerts, concentrating on incidents that carry out-of-the-box priority levels or resemble what they have seen before. In addition, when an incident needs lengthy analysis, the security analyst may not be given the time to conduct a full analysis and consequently reports inaccurate or incomplete information about the attack.

Beyond triage and response mistakes, security analysts may make other errors such as incorrectly configuring security products. When an incident has been missed, or a configuration error has been made, security analysts may not be inclined to reveal the extent of the damage because of the potential for personal repercussions, compounding the problem.

Repercussions
When a security analyst fails to address or prioritize an alert, response can be significantly delayed or neglected entirely and a device or system can be compromised. This naturally could lead to a data breach, disruption of business, data exfiltration, and/or data destruction. Often the incidents are discovered and responded to much later than they would have been otherwise, amplifying the complexity and cost of containment and remediation as the security analysts identify the attack vector and extent of the attack. Moreover, deliberate or accidental misinformation from security analysts could put security leaders in a position where they deliver inaccurate reports, which in turn could be relayed externally with varying implications for important stakeholders.

Minimizing Mistakes
Given the sheer volume of alerts that security analysts see, we must concentrate on reducing the volume burden. This can be achieved by fine-tuning security solutions to reduce false positives, paring down any overlap in monitoring that creates redundancy, and automating as many analyst tasks as possible. Additionally, the number of alerts can be reduced when there is a strong prevention base. This starts with coordinating with the vulnerability management team to ensure that devices, operating systems, and applications are configured and patched properly. Beyond that, we need solutions that effectively triage and calculate priority values, incorporating threat intelligence, and organization-specific data such as the criticality of affected systems. In addition, we have to accept that security analysts need time to thoroughly conduct analysis and that updates they provide as they progress may differ from their final reports.
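The prioritization described above, combining vendor severity with threat intelligence and organization-specific asset criticality, and de-duplicating repeats before an analyst ever sees them, looks roughly like the following. This is an added example written for this page, not code from the article; the asset inventory, the threat-intel indicators, the noisy-rule list and the sample alert batch are all constructed for illustration.

```python
"""Risk-based alert triage: dedupe, score and rank a batch of SOC alerts.

Added example for this page, not code from the article. The asset inventory,
the threat-intel indicators, the noisy-rule list and the sample alerts below
are all constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: host -> business criticality (1 = throwaway, 5 = crown jewel).
ASSET_CRITICALITY = {
    "dc01.corp.example": 5,
    "pay-db02.corp.example": 5,
    "ws-4431.corp.example": 2,
    "kiosk-17.corp.example": 1,
}

# Constructed threat-intel feed: indicators treated as high-confidence malicious.
THREAT_INTEL_IOCS = {"203.0.113.7", "evil-updates.example"}

# Rules whose historical false-positive rate is known to be high (constructed).
NOISY_RULES = frozenset({"Failed login burst"})

# The vendor's out-of-the-box severity is only one input to the score.
VENDOR_SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Alert:
    id: str
    rule: str
    host: str
    indicator: str          # IP, domain, file name: whatever the rule keyed on
    vendor_severity: str


def score_alert(alert: Alert, noisy_rules: frozenset[str] = NOISY_RULES) -> float:
    """Combine vendor severity, asset criticality, threat intel and FP history."""
    base = VENDOR_SEVERITY_WEIGHT.get(alert.vendor_severity.lower(), 1)
    # Unknown hosts default to medium, not low: an unregistered box is no reason to ignore it.
    criticality = ASSET_CRITICALITY.get(alert.host, 3)
    score = float(base * criticality)
    if alert.indicator in THREAT_INTEL_IOCS:
        score += 10.0          # a confirmed-malicious indicator outranks any vendor label
    if alert.rule in noisy_rules:
        score *= 0.25          # down-weight, never drop: the rule still fires on real events
    return score


def dedupe(alerts: list[Alert]) -> list[tuple[Alert, int]]:
    """Collapse repeats of the same (rule, host, indicator) into one alert plus a count."""
    groups: dict[tuple[str, str, str], list[Alert]] = defaultdict(list)
    for alert in alerts:
        groups[(alert.rule, alert.host, alert.indicator)].append(alert)
    return [(group[0], len(group)) for group in groups.values()]


def triage(alerts: list[Alert], noisy_rules: frozenset[str] = NOISY_RULES) -> list[tuple[float, int, Alert]]:
    """Return (score, repeat_count, alert) tuples, highest score first."""
    ranked = [(score_alert(a, noisy_rules), count, a) for a, count in dedupe(alerts)]
    ranked.sort(key=lambda item: (-item[0], item[2].id))
    return ranked


# Constructed sample batch: one vendor-"medium" hit on a crown-jewel host with a known-bad
# indicator, one vendor-"low" hit on a domain controller, and six vendor-"high" noisy-rule hits.
SAMPLE_ALERTS = [
    Alert("a1", "Outbound to suspicious IP", "pay-db02.corp.example", "203.0.113.7", "medium"),
    Alert("a2", "Failed login burst", "kiosk-17.corp.example", "198.51.100.20", "high"),
    Alert("a3", "Failed login burst", "kiosk-17.corp.example", "198.51.100.20", "high"),
    Alert("a4", "Failed login burst", "kiosk-17.corp.example", "198.51.100.20", "high"),
    Alert("a5", "Failed login burst", "kiosk-17.corp.example", "198.51.100.20", "high"),
    Alert("a6", "Failed login burst", "kiosk-17.corp.example", "198.51.100.20", "high"),
    Alert("a7", "New service installed", "dc01.corp.example", "svchost-update.exe", "low"),
    Alert("a8", "Failed login burst", "ws-4431.corp.example", "198.51.100.77", "high"),
]

if __name__ == "__main__":
    for score, count, alert in triage(SAMPLE_ALERTS):
        print(f"{score:5.2f}  x{count:<2} {alert.id:3} {alert.vendor_severity:7} {alert.host:24} {alert.rule}")
```

Run as written, the eight incoming alerts collapse to four rows, and the vendor-“medium” alert on the payments database with a known-bad destination lands on top while the six vendor-“high” brute-force alerts sink to the bottom. The two design choices worth keeping are that unknown assets default to medium criticality rather than low, and that noisy rules are down-weighted rather than suppressed, so the queue shrinks without silently discarding anything.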

Change the Paradigm
As the resources on the front line, let us recognize that SOC security analysts shoulder the largest cybersecurity burden — in many cases addressing incident detection and response 24 hours a day, 365 days a year — and many of the analyst positions need refactoring. The job of Tier 1 analysts who are triaging and reviewing alerts is unsustainable in its current form. The role needs to transition to a fully automated process and a movement is already underway to do so. By automating manual “crank-turning” with new technologies, analysts have an opportunity to learn higher-tier skills and apply more critical thinking and advanced analysis to the true incidents that need in-depth investigations. But these higher-tier security analysts also need adequate training as well as the time and space to do their work effectively, without having to fear personal repercussions when they make mistakes, as all humans do.

In addition, we have to hold detection product vendors accountable for the false-positive rates of their standard configurations. While it may be in the vendor’s best interest to err on the side of reporting an alert if there is any possibility of it being a true positive, that methodology does a disservice to the end users who end up inundated with useless noise that detracts from finding the signal.   

Join us next time to examine the fourth perspective in our series: IT security administrators.


Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and …

Article source: https://www.darkreading.com/careers-and-people/security-analysts-are-only-human/a/d-id/1333910?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bored bloke takes control of British Army ‘psyops’ unit’s Twitter

A crafty joker seized control of the British Army’s “influence and outreach” Twitter account – and labelled the military unit “fun sponges” when they tried to get it back.

77 Brigade is the Army’s social media influence unit. Rather than posting branded Instagram selfies and the like, they carry out information operations and similar things. It is staffed by a mix of full-time soldiers and part-time reservists.

As the unit’s official page puts it in impenetrable military management-speak, its job is to “challenge the difficulties of modern warfare using non-lethal engagement and legitimate non-military levers as a means to adapt behaviours of the opposing forces and adversaries”.

This very serious psyops-a-like unit failed to see the funny side when someone who only identified himself to El Reg as “boredbloke” found a way of taking over the brigade’s Twitter account.

Boredbloke told El Reg: “The facts are, we have a unit that works in information and communication that uses social media to aid their recruiting process. The myth is we have an elite unit of hackers, propagandists and ne’er-do-wells who crawl social media to plant stories, influence opinion and generally manipulate things on behalf of government. So a juicy target if they were hacked themselves!”

joke message sent by anonymous source

He continued: “I spotted a gaping hole. Had a ‘bad person’ spotted the same hole, it would have led to chaos and at the least embarrassment; at the worst, something much more sinister or damaging.”

Thus did the @77th_Brigade Twitter account find its way into the hands of someone who was very much not part of 77 Brigade. Boredbloke told us this was because actually reporting the vuln he had spotted was rather hard.

“I tried to tell them. Have you ever tried to contact the Army, Navy or RAF? Emails go unanswered and phoning them, whilst easy, is a nightmare of finding the right person, especially when trying to remain anonymous,” he told us. “‘Bug bounty’, you say? Do not have one for this type of attack. Whistle-blowing was an option, but you need to tell them who you are and that has really bad karma. There are numerous examples of grey-hats telling organisations about gaps in the fence but then immediately ending up in the cross hairs.”

joke message sent by anonymous source

It was like removing the car keys from a neighbour’s ignition

On whether it was right to take over the account, Boredbloke said: “I viewed it to be like seeing your neighbour’s car sitting in their drive with keys in ignition and engine running for hours and hours. So I had taken the keys but if then caught with them by the police, I would have some explaining to do.”

Eventually, after taunting the Army’s official (and, apparently, better-manned) Twitter accounts, the @77th_Brigade account, which Boredbloke renamed @79th_Brigade, was recovered by the military – and was quickly locked so non-followers can’t read its tweets.


In spite of its name, 77 Brigade is not an actual brigade, a military formation that normally covers thousands of personnel. Instead it is slightly smaller than a battalion, comprising around 450 bods compared to the 650 who are normally employed in a full-strength infantry unit.

A couple of years ago we reported that 77X was struggling to recruit. The unit is named after Brigadier Orde Wingate’s famous Chindits of the Second World War, who carried out daring special ops raids many miles behind Japanese lines in the Far East.

Pointing out that 77 Bde, according to its own blurb, counts a number of people in its ranks “who think differently to the norm”, Boredbloke concluded: “I assumed they would have had the whole Brigade trying to get control of an account that I had just dumped back into the wild. But nobody did. It just sat there. So I tried to get it back. And it worked, I got it back for the second time – but in this case I had warned them, told them, explained it in DMs and yet I could still do it.”

Our source passed on this message, which will hopefully be read by someone who cares: “Can I suggest you set up a mechanism for vulnerabilities to be notified [and] that you have a business continuity plan in place for when this happens again?”

The Twitter account has since been made, er, private.

The Ministry of Defence denied that 77 Brigade had a Twitter account, with a spokeswoman telling us: “77th Brigade does not currently have any social media accounts. We were aware of a parody account posing as 77th Brigade.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/21/77_brigade_twitter_account_hacked/

Where’s Zero Cool when you need him? Loose chips sink ships: How hackers could wreck container vessels

Poorly maintained IT systems on container ships are leaving the vessels open to cyber-attack and catastrophe, it is claimed.

This is according to security house Pen Test Partners, which said this week that in some cases connected maritime devices dating back to the early 1990s are being left open to the public internet for miscreants to play with. Many devices also have hardcoded and easily discoverable passwords.

This may all seem like some kind of fantasy based on the plot of the hit 1990s movie Hackers, in which heroes Acid Burn and Zero Cool and their cyber-pals race to stop malware sinking a bunch of oil tankers. However, UK-based Pen Test Partners (PTP) have dug up legit vulnerabilities before, so forgive us if we give them the benefit of the doubt here.

“If one was suitably motivated, perhaps by a nation state or a crime syndicate, one could bring about the sinking of a ship,” explained PTP consultant Ken Munro. “Maybe one wanted to delay an LNG shipment in winter to a country running out of gas, affecting spot prices.”

And how exactly would the theoretical hacker go about sinking or waylaying the ship? Munro says that wreaking havoc on your average container ship would be as simple as messing with its ballast tanks, shifting the distribution of the weight from one part of the vessel to another and causing it to tip.

Modern container ships are basically floating hulls that are stacked high with cargo that has been weighed to make the boat stable. Blowing the ballast tanks on one side and filling the others might well make a craft unstable, particularly if coupled with an attacker forcing the ship to make a sharp turn at 25 knots.

This, explains Munro, would be terrifyingly easy to accomplish once the hacker gains a foothold within the ship’s computer network, such as by finding a vulnerable edge device like a digital compass or GPS receiver, or simply by getting malware onto the personal laptop of a captain or crew member.


Once within the ship’s network, the attacker would likely encounter little in the way of resistance or protections that would stop access to the industrial controllers that manage the critical ballast pumps and autopilot or navigation (ECDIS) systems. Shipping systems rarely have firewalls or intrusion detection systems and, once in place, malware usually has a free rein.

“Consider that some ECDIS devices still run Windows XP, and to a lesser degree Windows NT, released in 1993 don’t forget,” Munro explained.

“Any half-decent attacker can happily abuse these operating systems all day long and still cover their tracks effectively. This means that trying to establish confidence in the data that these systems hold will be difficult at best, impossible at worst.”

This isn’t the first time Munro and his crew have taken the maritime industry to task for lax security protections. Last summer, Pen Test Partners put together a full presentation showing the myriad ways miscreants can mess with vessels on the high seas by exploiting bugs in connected appliances and tracking gear on board. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/21/boat_hacking_case/

Check yo self before you HyperWreck yo self: Cisco fixes gimme-root holes in HyperFlex, plus more security bugs

Cisco emitted on Wednesday a bunch of security updates that, your support contract willing, you should test and roll out to installations as soon as possible.

There are 17 advisories in all, including revised versions of previously issued bulletins, with six marked as high in terms of severity and the rest medium. The worst of the lot grants root access to a local attacker, closely followed by another that allows any remote miscreant in without authorization.

Here’s a summary of the high-severity security blunders:

  • CVE-2018-15380: Cisco HyperFlex Software Command Injection Vulnerability

    A local attacker can execute commands as the root superuser without authenticating to the cluster service manager. “An attacker could exploit this vulnerability by connecting to the cluster service manager and injecting commands into the bound process,” says Cisco. “A successful exploit could allow the attacker to run commands on the affected host as the root user.”

  • CVE-2019-1664: Cisco HyperFlex Software Unauthenticated Root Access Vulnerability

    A non-privileged local user can gain root access to all nodes in a Cisco HyperFlex Software cluster without further authentication. “An attacker could exploit this vulnerability by connecting to the hxterm service as a non-privileged, local user,” Switchzilla explained. “A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster.”

  • CVE-2019-5736: Container Privilege Escalation Vulnerability Affecting Cisco Products

    This is a patch for the give-me-root hole in runc, the container runtime used by Docker and others, which we previously reported and which affects Cisco products. This is version 1.2 of an earlier advisory, with more Switchzilla gear now listed as being vulnerable to the privilege-escalation flaw.

  • CVE-2019-1659: Cisco Prime Infrastructure Certificate Validation Vulnerability

    An unauthenticated man-in-the-middle attacker can intercept, decrypt, and snoop on the SSL-encrypted tunnel between Cisco’s Identity Services Engine (ISE) and Cisco Prime Infrastructure.

  • CVE-2019-1662: Cisco Prime Collaboration Assurance Software Unauthenticated Access Vulnerability

    An unauthenticated, remote attacker can access installations of Cisco’s Quality of Voice Reporting (QOVR) service of Switchzilla’s Prime Collaboration Assurance (PCA) Software as a valid user.

  • CVE-2019-1681: Cisco Network Convergence System 1000 Series TFTP Directory Traversal Vulnerability

    An unauthenticated, remote attacker can download arbitrary files from the TFTP service of Cisco Network Convergence System 1000 Series software, possibly resulting in the disclosure of potentially sensitive information.

The remaining medium-severity holes include a Webex Teams for iOS Arbitrary File Upload Vulnerability (CVE-2019-1689), IoT Field Network Director XML External Entity Vulnerability (CVE-2019-1698), HyperFlex Stored Cross-Site Scripting Vulnerability (CVE-2019-1665), and a Cisco Unity Connection Reflected Cross-Site Scripting Vulnerability (CVE-2019-168).

Interestingly enough, the Cisco Firepower 9000 Series with the Cisco Firepower 2-port 100G double-width network module can be crashed (CVE-2019-1700) by sending it maliciously crafted network packets from an adjacent subnet. This causes its FPGA, a chip that can have its circuitry rewired pretty much as desired, to lose the plot, and stuff the machine sideways.

“The vulnerability is due to a logic error in the FPGA related to the processing of different types of input packets,” says Switchzilla. “An attacker could exploit this vulnerability by being on the adjacent subnet and sending a crafted sequence of input packets to a specific interface on an affected device.”

That must have been an interesting bug to find and fix, we reckon. It was found while diagnosing a customer support query, we’re told. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/21/cisco_vulnerabilities/

Insurer Offers GDPR-Specific Coverage for SMBs

Companies covered under the EU mandate can get policies for up to $10 million for fines, penalties, and other costs.

Cyber insurance provider Coalition has announced new policies explicitly designed to cover fines and costs stemming from violations of the EU’s General Data Protection Regulation (GDPR).

The policies are targeted primarily at small and midsize companies that handle data on or offer goods and services to EU residents. Policy limits range from $25,000 to $10 million, covering defense costs as well as fines and penalties resulting from GDPR violations, says Joshua Motta, CEO and founder of Coalition.

The costs for Coalition’s policies range from $50 per year to over $100,000 per year for companies that want the full $10 million coverage. The average cost for a Coalition policy with a $1 million to $2 million limit will be around $4,000 a year. “This includes fines and penalties resulting not only from data and privacy breaches, as are commonly covered in the cyber insurance market, but also, importantly, a company’s failure to comply with their privacy policy,” Motta says.

Unlike other data privacy laws, GDPR imposes penalties even when there is no actual data breach. In fact, since the regulation went into effect last May, EU regulators have taken action against numerous organizations for either failing to comply with their own policies or for not fully complying with GDPR requirements for privacy disclosures, data collection, processing, and use. One example is French data protection authority CNIL’s 50 million euros fine on Google last month for the company’s “lack of transparency, inadequate information, and lack of valid consent” when collecting data for ads personalization.

Historically, data breach insurance policies have been sufficient because fines and penalties under existing privacy laws have only been triggered in the event of a breach, Motta notes. “[With GDPR], companies can now be fined even if they’ve never lost a single piece of customer data, introducing a significant gap in coverage across most cyber insurance policies,” Motta says. Coalition’s new policy is aimed at addressing this gap, he says.

Swirling Uncertainty
Questions about the availability of insurance for GDPR violations and the insurability of fines and penalties under the statute remain mostly unanswered nine months after the law went into effect. In a report last November, the National Law Review doubted whether existing cyber insurance policies cover fines and penalties related to GDPR violations. The article pointed to several studies that called into question whether any company would be able to insure against the huge fines that can be imposed under GDPR. The law allows for fines of up to 4% of a company’s annual global revenues, or up to 20 million euros if that amount is higher.

One of the studies quoted in the National Law Review article was from insurance giant Aon and law firm DLA Piper. The study, conducted just before GDPR went into effect, found that, with the exception of Norway and Finland, GDPR fines are not insurable in almost any of the other European jurisdictions surveyed. Even so, insurance needs to be a component of an organization’s GDPR risk management strategy, the report noted.

Robert Stines, a partner at law firm Freeborn Peters, says the effectiveness of cyber insurance as a risk-transference method for GDPR remains untested and will depend on the language in the policy. “If there is broad language that will cover all administrative fines and all claims under the GDPR, then cyber insurance might be an effective risk-transference measure,” Stines says.

But often insurance policies have exclusions and limiting language that leave them open to interpretation, he cautions. When considering a policy, organizations need to be wary of sublimits, exclusions, and how specific terms such as “claims,” “damages,” and “fines” are defined.       

Many US companies do not have the technical capabilities to address liability risks caused by GDPR requirements, such as data pseudonymization or anonymization, providing users with portable copies of their data, and deleting data upon a user’s request, Stines says. But GDPR is still so new that it is not clear how the mandate will be enforced, especially on US companies that do not operate in the EU but handle data on EU residents, Stines says.

The expectation that GDPR will create new exposure and risk for companies is driving demand for GDPR-related insurance, he says. “Insurance companies are trying to supply products to meet the demand,” Stines adds. “The difficulty that insurance companies have is underwriting this risk because GDPR is so new and untested.”

Before considering a policy, organizations need to have a clear understanding of how they collect, store, use, and destroy data related to EU residents. “If the GDPR applies, insurance is an excellent measure to augment cyber resilience, but it cannot be the primary source,” Stines says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/insurer-offers-gdpr-specific-coverage-for-smbs/d/d-id/1333928?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Can you really sniff out gas station card skimmers with your phone?

There’s a “helpful tip” making the Facebook rounds, and it’s a little bit helpful but a lot not so much.

It’s about using Bluetooth to detect credit card skimmers at gas stations:

Here is a helpful tip:
When you pull up to a gas station to fill your car. Search your phone for Bluetooth devices. If a sequence of letters and a sequence of numbers shows up in your device list do not pay at the pump. One of the pumps have a card reader installed. All card readers are bluetooth.

The post refers to a card “reader,” but what it means is card “skimmer.”

The first is a legal way for you to pay, while the latter is a piece of thief-ware, be it a plastic gadget clumsily glued on to the face of an ATM or gas pump or technology that’s installed internally.

Credit card skimmers are devices that capture details from a payment card’s magnetic stripe, then (sometimes) beam them out via Bluetooth to nearby crooks.

The “sometimes” is just one thing that makes this viral post less than helpful.

Security journalist Brian Krebs has cataloged all sorts of skimmers, including some that send information to fraudsters’ phones via text message.

So convenient! …and so not Bluetooth.

From a thief’s point of view, Bluetooth has limitations, notably its short range, so any thief who uses a Bluetooth-enabled skimmer needs to hang around nearby.

It also means that anybody else using Bluetooth in the vicinity could get an eyeful of “Oooo, payment card details up for grabs!”

That includes, of course, all of us law-abiding, viral-post-reading phone users.

So yes, the post is correct in saying that the Bluetooth sensor on a mobile phone can indeed be used to detect some card skimmers, but it’s incorrect because these sensors can’t detect them all.

As Naked Security’s Paul Ducklin points out, some skimmers use Wi-Fi, some use the mobile phone network, and others just store their data quietly on an SD card that the crooks come back for later on.

But that’s only one thing that makes this viral post less than helpful.

Bluetooth names tell you “everything and nothing”

Your phone may well pick up on nearby Bluetooth devices, but the names alone don’t really help, Paul says:

Just doing a scan for nearby Bluetooth device names tells you everything and nothing. You might as well decide if a gas station is crooked based on whether the fuel price ends in an odd or an even number of cents per gallon, and here’s why: sniffing or skimming devices might not show up at all, or they could have innocent-sounding names like “Car radio” or “My iPhone”.

On the other hand, the perfectly harmless video game that the kid in the next car is playing might be announcing itself with some sort of scary-looking autogenerated name like “AF09E856”.

Two green tips that really do flummox skimmers

If you want to stop skimmers dead in their wireless/texted messages/stored-SD-card-enabled tracks, there’s an age-old technology that the thieves haven’t yet managed to crack remotely – it’s called cash:

If you think that the chance of being skimmed is lower if you go to the cashier and pay, then simply do that every time. If you’re worried about gas station skimming in general, you can always use cash — as it says on the bill, ‘This note is legal tender for all debts, public and private.’

Using sweet green cash (that’s the color in the US, at any rate!) is one way to avoid getting your payment card skimmed at the gas pump.

Here’s another green technology that blocks gas-stop skimmers: a bike!

That’s Paul’s solution:

Switch to a bicycle, like I did, and laugh in the face of gas stations for ever.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/W1QD6frjlgA/

Unearthed emails could be smoking gun in epic GDPR battle: Google, adtech giants ‘know they break Euro privacy law’

Privacy warriors have filed fresh evidence in their ongoing battle against real-time web ad exchange systems, which campaigners claim trample over Europe’s data protection laws.

The new filings – submitted today to regulators in the UK, Ireland, and Poland – allege that Google and industry body the Interactive Advertising Bureau (IAB) are well aware that their advertising networks flout the EU’s privacy-safeguarding GDPR, and yet are doing nothing about it. The IAB, Google – which is an IAB member – and others in the ad-slinging world insist they aren’t doing anything wrong.

The fresh submissions come soon after the UK Information Commissioner’s Office (ICO) revealed plans to probe programmatic ads. These are adverts that are selected and served on-the-fly as you visit a webpage, using whatever personal information has been scraped together about you to pick an ad most relevant to your interests.

Typically, advertisers bid for space on a webpage in real-time given the type of visitor: the page is fetched from a website, it brings in ad network code, which triggers an auction between advertisers that completes in a fraction of a second, and the winning ad is served and displayed (assuming the advert isn’t blocked). This transaction, dubbed real-time bidding or RTB, happens automatically and immediately when an ad is required, and it can be fairly convoluted: ad slots may be passed through a tangle of publishers and exchanges before they arrive in a browser.

Netizens known to be wealthy and with a lot of disposable income, or IT buyers with big spending budgets, for example, will command higher ad rates than those unlikely to buy anything through an ad. This is why ad networks and exchanges, like Google, love to know everything about you, all that lovely private data, so they can tout you to advertising buyers and target ads at you for stuff you’ve previously shown an interest in.

The ICO’s investigation will focus on how well informed people are about how their personal information is used for this kind of online advertising, which laws ad-technology firms rely on for processing said private data, and whether users’ data is secure as it is shared on these platforms.

Meanwhile, these latest filings follow on from gripes lodged by the same online rights campaigners late last month and in 2018.


The privacy warriors allege the aforementioned auction systems fall foul of Europe’s General Data Protection Regulation (GDPR) because netizens do not have much or any real control over the massive amounts of ad-related data lobbed between sites and services. Moreover, this information can be highly personal – sometimes including location coordinates along with pseudonymous identifiers, personal interests, and the site they are browsing.
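To make concrete both the auction mechanics sketched earlier (page loads, ad code fires, bidders respond, highest bid wins) and the data-control complaint just described, here is a stripped-down RTB round in Python. It is an added example written for this page; it is not code from the article, from the IAB’s openRTB or from Google’s Authorized Buyers. The field names follow the public OpenRTB 2.x layout (BidRequest.site/device/user, BidResponse.seatbid), but the request contents, bidder names, interest segments, prices and the first-price rule are constructed for illustration. The point it demonstrates is that every bidder, winner or not, receives and can retain the full request.

```python
"""Simplified OpenRTB-style auction showing what every bidder receives.

Added example for this page; not code from the article, nor from the IAB openRTB
or Google Authorized Buyers systems it discusses. Field names follow the public
OpenRTB 2.x layout, but request contents, bidders, segments and prices are constructed.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass, field

# Constructed bid request: page being read, pseudonymous user ID, coordinates and
# interest segments (one of them health-related), all sent before anyone has won.
SAMPLE_REQUEST = {
    "id": "req-0001",
    "imp": [{"id": "1", "banner": {"w": 300, "h": 250}, "bidfloor": 0.50}],
    "site": {"domain": "news.example", "page": "https://news.example/health/living-with-diabetes"},
    "device": {
        "ip": "198.51.100.23",
        "ua": "Mozilla/5.0 (constructed)",
        "geo": {"lat": 51.5007, "lon": -0.1246},
    },
    "user": {
        "id": "u-7f3a9c",
        "data": [{"name": "constructed-dmp",
                  "segment": [{"id": "high-income"}, {"id": "diabetes-interest"}]}],
    },
}


@dataclass
class Bidder:
    seat: str
    interest_segment: str        # bids only when this segment is present
    max_cpm: float
    retained: list[dict] = field(default_factory=list)

    def handle(self, request: dict) -> dict | None:
        """Receive the request, keep a copy, return a BidResponse or None (no bid)."""
        # Every recipient gets the full request before the auction decides anything,
        # and nothing in the exchange stops it keeping the copy. That is the crux.
        self.retained.append(copy.deepcopy(request))
        segments = {
            seg["id"]
            for data in request.get("user", {}).get("data", [])
            for seg in data.get("segment", [])
        }
        imp = request["imp"][0]
        if self.interest_segment not in segments or self.max_cpm < imp.get("bidfloor", 0.0):
            return None
        return {
            "id": request["id"],
            "seatbid": [{"seat": self.seat,
                         "bid": [{"id": f"{self.seat}-1", "impid": imp["id"], "price": self.max_cpm}]}],
        }


def make_bidders() -> list[Bidder]:
    """Three constructed demand-side bidders with different interests and budgets."""
    return [
        Bidder("seat-travel", "travel-intender", 1.20),
        Bidder("seat-finance", "high-income", 2.40),
        Bidder("seat-health", "diabetes-interest", 1.80),
    ]


def run_auction(request: dict, bidders: list[Bidder]) -> dict:
    """Fan the request out to all bidders and pick the highest bid (first-price, simplified)."""
    responses = []
    for bidder in bidders:
        response = bidder.handle(request)
        if response is not None:
            price = response["seatbid"][0]["bid"][0]["price"]
            responses.append((price, bidder.seat))
    if not responses:
        return {"winner": None, "price": 0.0, "recipients": len(bidders)}
    price, seat = max(responses)
    return {"winner": seat, "price": price, "recipients": len(bidders)}


def personal_fields(request: dict) -> dict:
    """The personal data a single request exposes, regardless of who wins."""
    return {
        "page": request["site"]["page"],
        "user_id": request["user"]["id"],
        "geo": (request["device"]["geo"]["lat"], request["device"]["geo"]["lon"]),
        "segments": sorted(seg["id"] for d in request["user"]["data"] for seg in d["segment"]),
    }


if __name__ == "__main__":
    bidders = make_bidders()
    result = run_auction(SAMPLE_REQUEST, bidders)
    print("winner:", result["winner"], "at", result["price"], "CPM")
    for b in bidders:
        print(f"{b.seat:13} received {len(b.retained)} request(s) exposing {personal_fields(b.retained[0])}")
```

One bidder wins and two lose, but all three end the round holding the visitor’s pseudonymous ID, coordinates, the health-related page URL and the interest segments. Nothing in the exchange told the visitor which of those three parties would process the data, which is exactly the consent gap the complaints describe.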

The complaints, which point the finger of blame at the IAB’s openRTB and Google’s Authorized Buyers systems, were filed to watchdogs in the UK by Open Rights Group executive director Jim Killock and privacy researcher Michael Veale; in Ireland by Johnny Ryan of browser biz Brave; and in Poland by the Panoptykon Foundation.

The IAB has consistently stressed that the complaints should not be directed at RTB technology makers, such as itself – and that doing so is like holding road builders accountable for people who break the speed limit. In other words, the tech can be abused, but apparently not by its developers. And the industry body claimed the complainants have only proven it is possible to break the law, not that it has been broken.

As such, the privacy warriors hope to add more weight to their arguments, and today submitted a fresh set of documents to regulators in the aforementioned trio of nations. This cache includes examples of the data passed through RTB systems, and the number of daily bid requests ad exchanges make, which reach 131 billion for AppNexus and 90 billion for Oath/AOL.

Programmatic trading, or is that problematic trading?

The complainants have also filed documents they claim prove the IAB has long been aware that there is a potential problem with RTB systems and their compliance with GDPR.

Among the latest cache is an email from 2017 – obtained under a Freedom-of-Information request – sent from the CEO of IAB Europe, Townsend Feehan, to senior staff in the European Commission Directorate General for Communications Networks, Content, and Technology.

The email reveals Feehan lobbying commission staffers against proposals for a new ePrivacy Regulation – which was meant to come into force with GDPR but has been stuck in negotiations – saying it could “mean the end of the online advertising model.”

The exec attached an 18-page document to the email detailing IAB Europe’s reasoning, which discussed the impact of proposals to tighten rules on the use of people’s private data to the same level as that of GDPR, particularly the requirement of someone’s consent to share their information. Crucially, consent under GDPR requires that people are told clearly what’s going on with their sensitive info, which means website visitors must be told the identity of the data controller(s) processing their data and the purposes of processing. Given the instantaneous and convoluted nature of ad bidding, it is seemingly impossible to alert netizens prior to the real-time auctions, it is claimed.

This, essentially, is the rub between GDPR and today’s on-the-fly web advertising, it would seem.

“As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario, programmatic trading, the area of fastest growth in digital advertising spend, would seem, at least prima facie, to be incompatible with consent under GDPR,” the IAB said.

Brave’s Johnny Ryan said this acknowledges the issue at the core of the campaigners’ complaint – and suggests the IAB doesn’t think adtech’s operating model can work with GDPR.

The IAB has since launched a “Consent and Transparency Framework” to help companies involved in RTB systems meet their legal requirements – but opponents argue that this doesn’t change the facts at the heart of the matter.

Similarly, a document from May 2018 produced by the IAB Tech Lab – a group that produces standards, software, and services for digital publishers, marketers, media, and adtech firms – acknowledged concerns about GDPR compliance. In it, the lab said publishers were concerned “there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/bidding on/after delivery of an ad but need a way to clearly signal the restriction for permitted uses in an auditable way.”

It also said that “surfacing thousands of vendors with broad rights to use data w/out tailoring those rights may be too many vendors/permissions.” And elsewhere in the 2017 document, the IAB said that, since third parties in adtech have “no link to the end-user [they] will be unable to collect consent.”

All your basis are belong to…?

It is question-marks like these, from the industry itself, that the privacy campaigners hope will bolster their case. These concerns were also highlighted by the ICO’s tech policy lead Simon McDougall in a blog post earlier this month outlining the body’s plan to look into adtech.

“The lawful basis for processing personal data that different organisations operating in the adtech ecosystem currently rely upon are apparently inconsistent,” he said. “There seem to be several schools of thought around the suitability of various basis for processing personal data – we would like to understand why the differences exist.”

He added that the ICO was interested in how and what people are told about how their personal data is used for online advertising, and how accurate these disclosures are.

A third prong of the ICO probe will consider the security of the data that is widely and rapidly shared during the auctions. “We are interested in how organisations can have confidence and provide assurances that any onward transfers of data will be secure,” said McDougall.

The ICO stressed that it was in the fact-finding stages of its work, and that it wanted to listen to all the “diverging views” on adtech.

And, for their part, the complainants in the case against IAB Europe and Google have said that they aren’t, necessarily, seeking an end to online advertising. Rather, they want to see adtech firms operate without sharing the highly personal information they do at the moment. For instance, Ryan said that the IAB RTB system allows 595 different kinds of data to be included in a bid request. Scrapping the use of just four per cent would be an “easy, long overdue, fix.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/20/iab_rtb_complain_fresh_evidence/

Behold… a WinRAR security bug that’s older than your child’s favorite YouTuber. And yes, you should patch this hole

Check Point infosec eggheads are today laying claim to discovering a Windows archiving security flaw that appears to have been lingering since 2005.

The programming cockup can be potentially exploited when a user accidentally opens a malicious archive, perhaps one sent by email or downloaded from a website: unpacking it can lead to malware smuggled within the file executing on the next reboot, as a result of this flaw.

The vulnerability itself lies in unacev2.dll, a library used to parse ACE archives, a little-used compression format that dates back to the 1990s. In practice, the vulnerability would be targeted via WinRAR or other popular archive extraction tools that include and use this wonky .dll. In other words, you get someone to open the archive in WinRAR, which passes it to the library, and then, if the stars align, your victim gets owned.

Specifically, according to Check Point, an attacker can craft a poisoned ACE archive, disguised as a RAR file, that, when opened by WinRAR, exploits a path traversal flaw in unacev2.dll to trick the archiving tool into extracting the files into a path of the attacker’s choosing.

This alone would be a bad flaw, but in some situations the bug could pose a critical risk. The Check Point researchers found that while WinRAR by default does not have access to the Windows startup folder (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp), a second startup directory, at C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, was accessible. This means that an attacker who knew the user name of the target (such as in a spear-phishing situation) could get the files to extract into that startup directory and, when the PC was restarted, have them launch automatically, effectively gaining remote code execution on the targeted machine.
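The bug class described above, an unpacker that honours traversal sequences or absolute names inside an archive, is what the following added example guards against. It is not WinRAR's, Check Point's or the unacev2.dll code; it assumes a hypothetical extractor that validates each entry name against the destination directory before writing anything, uses ntpath so Windows path rules apply wherever it runs, and the entry names are constructed samples.

```python
"""Reject archive entries whose names would escape the extraction directory.

Added example, not WinRAR's or Check Point's code: a hypothetical extractor
would call resolve_entry() for every entry before creating any file.
ntpath is used deliberately so Windows path rules apply on any platform.
"""
import ntpath
from typing import List, Optional, Tuple

# Constructed sample entry names, the kind an unpacker must validate.
SAMPLE_ENTRIES = [
    "docs/readme.txt",                      # benign, stays in place
    "nested/../notes.txt",                  # benign, resolves inside dest
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.exe",
    r"\\server\share\run.exe",              # UNC path, not a member name
    "nested/../../escape.txt",              # climbs out via forward slashes
]


def resolve_entry(dest_dir: str, entry_name: str) -> Optional[str]:
    """Return the absolute path the entry may be written to, or None if
    writing it would land anywhere outside dest_dir."""
    dest = ntpath.normpath(dest_dir)
    if not ntpath.isabs(dest):
        raise ValueError("dest_dir must be an absolute Windows path")

    # Drive letters, UNC prefixes and root-relative names are never
    # acceptable inside an archive: they name a location, not a member.
    drive, tail = ntpath.splitdrive(entry_name)
    if drive or tail.startswith(("\\", "/")):
        return None

    # Join, then collapse '.' and '..' so traversal is resolved before the check.
    target = ntpath.normpath(ntpath.join(dest, entry_name))

    # Case-insensitive containment test; the separator suffix stops
    # C:\extract from matching a sibling such as C:\extracted.
    root = ntpath.normcase(dest)
    cased = ntpath.normcase(target)
    if cased != root and not cased.startswith(root + "\\"):
        return None
    return target


def filter_entries(dest_dir: str, entries: List[str]) -> Tuple[List[str], List[str]]:
    """Split entry names into (safe, rejected) relative to dest_dir."""
    safe, rejected = [], []
    for name in entries:
        (safe if resolve_entry(dest_dir, name) else rejected).append(name)
    return safe, rejected


if __name__ == "__main__":
    ok, bad = filter_entries(r"C:\extract", SAMPLE_ENTRIES)
    print("would extract:", ok)
    print("rejected     :", bad)
```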

Due to the age of the vulnerable component, a fix was not easy to pull off. The last commercial program to offer ACE archiving was released in 2007, and the company making that software went dark in 2017. The vulnerable .dll itself hadn’t been updated since 2005.

Because of this, WinRAR says it is just going to drop the entire dated ACE format, killing off the vulnerability.

“Nadav Grossman from Check Point Software Technologies informed us about a security vulnerability in UNACEV2.DLL library. Aforementioned vulnerability makes possible to create files in arbitrary folders inside or outside of destination folder when unpacking ACE archives,” WinRAR said.

“WinRAR used this third party library to unpack ACE archives. UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users.”

The ACE format has been removed in 5.70 beta 1, so all versions of WinRAR after that release will be protected from the bug. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/20/winrar_security_bug/

No RESTful the wicked: If your website runs Drupal, you need to check for security updates – unless you enjoy being hacked

Website admins are today urged to update their Drupal installations following the disclosure of a potentially serious vulnerability in the web publishing software. And when we say potentially serious, we mean, someone can potentially hack and hijack your site via this flaw.

The security hole, designated CVE-2019-6340, is a remote-code-execution flaw caused by Drupal neglecting to properly check data from RESTful web services.

A successful exploit of the vulnerability would allow a hacker to remotely run malicious code on the targeted website’s server, effectively commandeering the site. Drupal has classified the bug as “highly critical,” and recommends admins patch the flaw ASAP.

“Some field types do not properly sanitize data from non-form sources,” Team Drupal said in disclosing the vulnerability. “This can lead to arbitrary PHP code execution in some cases.”

A website is open to attack if it is powered by Drupal 8 core with the RESTful Web Services (rest) module enabled, and it handles PATCH or POST requests, or the site has another web services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

For those running Drupal 8, the vulnerability can be patched by updating to version 8.6.10 or 8.5.11. Earlier versions of Drupal 8 are not supported and will not be getting the patch. While Drupal 7 itself is not directly vulnerable, the bug may be present in various contributed modules, so admins should check those for security updates.

In the meantime, Drupal says all sites can mitigate the flaw, effectively closing off the attack vector, by disabling PUT/PATCH/POST requests on web services, or by simply turning off web service modules.

“Note that web services resources may be available on multiple paths depending on the configuration of your server(s),” says Team Drupal. “For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the “q” query argument. For Drupal 8, paths may still function when prefixed with index.php/.”

Credit for discovery and reporting of the bug was given to Samuel Mortenson, a member of the Drupal security team.

Drupal is no stranger to high-priority security patches. Last summer, a pair of critical bugs dubbed “Drupalgeddon” triggered multiple releases of high-priority patches as the website building biz sought to help admins close flaws that would potentially allow for remote server hijacks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/20/drupal_cve_2019_6340/

Microsoft Expands AccountGuard to Help Europe Prep for Cyberattacks

A recent wave of cybercrime has targeted organizations with employees in Belgium, France, Germany, Poland, Romania, and Serbia.

Microsoft is expanding its AccountGuard cybersecurity service to 12 new European markets to help organizations defend against a rise in cyberthreats as they prepare for upcoming Parliament elections.

Nation-states and other attackers aim to influence elections and disrupt democracies around the world. The 2017 French presidential election was subject to hacking and disinformation attacks, and European leaders have predicted more attacks will continue in Europe this year.

These threats extend outside campaigns to hit think tanks and nonprofits that work with government agencies on electoral integrity, public policy, and democracy. Recent attacks, reportedly by Strontium, have targeted 104 accounts of employees of the German Council on Foreign Relations, The Aspen Institutes in Europe, and the German Marshall Fund. Workers were located in Belgium, France, Germany, Poland, Romania, and Serbia, Microsoft reports.

Microsoft is expanding availability of AccountGuard to France, Germany, Sweden, Denmark, the Netherlands, Finland, Estonia, Latvia, Lithuania, Portugal, Slovakia, and Spain. It already was available in the US, Canada, Ireland, and the UK, bringing the total to 14 European countries.

AccountGuard is available at no extra cost to political candidates, parties, and campaign offices at local and national levels, as well as think tanks, nonprofits, and non-governmental organizations working on democracy and electoral integrity. The service, which alerts users to cyberthreats across personal and enterprise email accounts, is free for Office 365 users.

Article source: https://www.darkreading.com/threat-intelligence/microsoft-expands-accountguard-to-help-europe-prep-for-cyberattacks/d/d-id/1333918?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple