STE WILLIAMS

Make a SAP decision: Apply these security fixes if you’re using German giant’s software

While you were sighing your way through Microsoft’s Patch Tuesday, enterprise vendor SAP slid 11 security advisories under your door.

Top of the list is a depressingly familiar howler in SAP Cloud Connector pre-version 2.11.3: the software neglects authentication checks for functions that require user identity (CVE-2019-0246). A related bug in Cloud Connector (the same versions), CVE-2019-0247, can be exploited to achieve remote code injection.

The German titan’s systems management environment, SAP Landscape Management, is also on the critical list thanks to a sketchily described information disclosure bug, CVE-2019-0249.

Two other products suffered authentication slip-ups. The company’s BW/4HANA data warehouse (CVE-2019-0243) and SAP Enterprise Financial Services (CVE-2018-2484) both have authentication blunders that can result in privilege escalation.

SAP Financial Consolidation Cube Designer could reveal password hashes (CVE-2018-2499), and the ABAP application server had an undefined information disclosure bug (CVE-2019-0248).

There are two denial-of-service bugs in the list: one in the company’s Work and Inventory Manager (CVE-2019-0241), the other via crafted malicious links in Business Objects for Android (CVE-2019-0240).

Finally, there’s one cross-site scripting bug patched in SAP Commerce (CVE-2019-0238) and two in the company’s CRM Web Client UI ( and CVE-2019-0245).

SAP’s list of patches and notices is here. You should apply updates as soon as possible. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/09/sap_patch_tuesday/

Remote Code Execution Bugs Are Primary Focus of January Patch Tuesday

This month’s security update includes seven patches ranked Critical and one publicly known vulnerability.

Microsoft’s first Patch Tuesday update of 2019 primarily tackles remote code execution (RCE) vulnerabilities, with nearly half of 47 total fixes focusing on RCE. Businesses are also urged to apply a December out-of-band Internet Explorer patch after active attacks in the wild.

Seven of the common vulnerabilities and exposures (CVEs) are ranked Critical in severity, 40 are Important, and two are Moderate. The patches and advisories issued today cover Internet Explorer, Microsoft Edge, Windows, Office, Office Services and Web Apps, ChakraCore, Visual Studio, and the .NET Framework.

As pointed out by Dustin Childs of Trend Micro’s Zero-Day Institute in a blog post, RCE flaws make up half of CVEs addressed for January 2019. Eleven of these involve the Jet Database Engine. One (CVE-2019-0579) is publicly known and classified as Important in severity; exploiting this vulnerability could let an attacker execute arbitrary code on a victim system, Microsoft reports. This requires user interaction; a target would have to open a specially crafted file for execution.

While only rated as important, the disclosure of this vulnerability means enough information has been released to the public that an attacker could have an easier time developing exploits for the flaw, says Chris Goettl, director of product management for security at Ivanti.

Also highly prioritized is CVE-2019-0547, an RCE vulnerability in the Windows DHCP client. A memory corruption vulnerability exists in the client when an attacker sends specially crafted DHCP responses to a client, Microsoft reports. Successful exploitation would let an adversary execute arbitrary code on the client machine.

“Code execution through a widely available listening service means this is a wormable bug,” Childs wrote. “Microsoft also gives this its highest Exploit Index rating, meaning the bug is highly exploitable.” He noted it’s interesting that this flaw is in the latest version of Windows but not previous ones, likely because the component was rewritten for newer systems.

“If you are running Windows 10 or Server version 1803, this patch has to be on the top of your deployment list,” Childs wrote.

Another Office bug (CVE-2019-0560), found by Mimecast, could enable unintended leakage of data in previously created Office documents and files. While it’s tough to use it as a code execution vulnerability, it could be used to harvest data users were unintentionally exposing.

“While it is certainly possible to exploit this vulnerability to execute a remote execution attack, this would require relatively high technical expertise on behalf of the attacker,” says Matthew Gardiner, security strategist at Mimecast.

“What is more concerning in the immediate time frame is the potential for previously created Office files to have sensitive content in them without the knowledge of the organization or user that created them,” he explains.

Much of the discussion this month revolves around CVE-2018-8653, an out-of-band patch Microsoft issued for an Internet Explorer memory corruption vulnerability in December 2018. The flaw could corrupt memory in such a way that someone could execute arbitrary code in the context of the current user, says Microsoft, and an attacker could gain the same user’s rights.

“That vulnerability continues to be exploited in the wild and Recorded Future has seen several exploit kits incorporate the released proof of concept code into their platforms,” says Allan Liska, senior solutions architect at Recorded Future. “If you have not patched this vulnerability yet, it should be the No. 1 priority.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/remote-code-execution-bugs-are-primary-focus-of-january-patch-tuesday/d/d-id/1333612?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New ‘Crypto Dusting’ Attack Gives Cash, Takes Reputation

This new form of crypto wallet fraud enlists unwary consumers and companies to help defeat anti-money laundering methods for law enforcement and regulators.

A fraction of a bitcoin anonymously dropped into your cyberwallet may seem like a bit of good fortune, but opinions can change rapidly when you’re labeled a likely criminal. That’s the situation companies and individuals are finding themselves in when they’re the victims of “crypto-dusting” – one of the newer, and more challenging, hacks involving popular cryptocurrency.

The anonymous bitcoins were coming from BestMixer.io, a cybercurrency “mixer” often used to anonymize cybercurrency transactions to improve privacy or hide criminal activity. If you look inside the transaction record, says Dave Jevans, CEO of CipherTrace and chairman of the Anti-Phishing Working Group, you find a plain-text message that’s a welcome from the BestMixer team.

But this “gift” comes with a price: “You have engaged in a transaction with a known money-laundering service, so it will raise the risk on your accounts for any exchange that has implemented anti-money laundering protocols,” he says.

In addition, creating hundreds of thousands of newly tainted accounts could provide a smokescreen for the illegitimate transactions regulatory algorithms are supposed to catch. As for choosing their victims, Jevans says the methodology is simple: “They’re just putting it in your crypto wallet. When they do a run, they look at the last 75,000 addresses and send to them. When you open up your wallet, it’s there.”

“It’s logical, but I think it’s shortsighted,” says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “The whole notion of ‘tainted’ is specific to the way the algorithms are deployed today.” And, he points out, those algorithms can change.

While they’re changing, there are some specific steps that consumers and companies can take to protect themselves. “On the consumer side, when you receive money like this — a small amount from an unknown source — the best thing to do is go in and block it from being sent,” Jevans says. “If you ever spend it, it will wreak havoc with your privacy.”

Larger organizations and enterprises have a somewhat more complicated task. “They’ll need to work with their vendors on anti-money laundering and be able to cipher out the mixer coin that came from crypto duster attacks,” he says.

Fortunately, this is an attack method that may have a short lifespan, according to Hahad. It should be relatively easy to tweak the anti-money laundering algorithms used by regulators and law enforcement to ignore the tiny fractional transactions that are part of the attack.

“This is not something that regular folks should be worried about — it’s for regulators and law enforcement,” he explains. “It will make their lives more difficult for a while, but as soon as they can patch their algorithms they’ll be back in business.”

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities-and-threats/new-crypto-dusting-attack-gives-cash-takes-reputation/d/d-id/1333613?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SMS phishing is alive and well… and simply believable

SMS, also known as text messaging, may be a bit of a “yesterday” technology…

…but SMS phishing is alive and well, and a good reminder that KISS really works.

If you aren’t familiar with the acronym KISS, it’s short for “keep it simple, stupid.”

Despite the rather insulting tone when you say the phrase out loud, the underlying ideas work rather well in cybercrime.

Don’t overcomplicate things; pick a believable lie and stick to it; and make it easy for the victim to “figure it out” for themselves, so they don’t feel confused or pressurised anywhere along the way.

Here’s an SMS phish we received today, claiming to come from Argos, a well-known and popular UK catalogue merchant:

You have a refund of £245. Request refund and allow 3 days for it to appear in your account.
http://argos.co.uk.XXXXXXX.shop/login

The wording here probably isn’t exactly what a UK retailer would write in English (we’re not going to say more, lest we give the crooks ideas for next time!), but it’s believable enough.

That’s because SMS messages, of necessity, rely on a brief and direct style that makes it much easier to get the spelling and grammar right.

Ironically, after years of not buying anything from Argos, we recently purchased a neat new phone for our Android research from an Argos shop – the phone we mentioned in a recent podcast, in fact – so we weren’t particularly surprised or even annoyed to see a message apparently from the company.

We suspect that many people in the UK will be in a similar position, perhaps having done some Christmas shopping at a genuine Argos, or having tried to return an unwanted gift for a genuine refund.

The login link ought to be a giveaway, but the crooks have used an age-old trick that still works well: register an innocent looking domain name, such as online.example, and add the domain name you want to phish at the start.

This works because once you own the domain online.example, you automatically acquire the right to use any subdomain, all the way from www.online.example to some.genuine.domain.online.example.

Because we read from left-to-right, it’s easy to spot what looks like a domain name at the left-hand end of the URL and not realise that it’s just a subdomain specified under a completely unrelated domain.

These crooks chose the top-level domain (TLD) .shop, which is open for registrations from anywhere in the world.

Although .shop domains are generally a bit pricier than TLDs such as .com and .net, we found registrars with special deals offering cool-looking .shop names starting under $10.

What if you click through?

What harm in looking?

Well, the problem with clicking through is that you put yourself directly in harm’s way.

Visiting the link provided takes you to a pretty good facsimile of the real Argos login page, shown below on the left (the real page is on the right):

There’s not much fanfare, just a realistic clone of exactly the sort of content you’d expect to see, except for the lack of HTTPS and the not-quite-right domain name.

Getting free HTTPS certificates is pretty easy these days, so the crooks could have taken this extra step if they’d wanted.

Perhaps they were feeling lazy, or perhaps they figured that anyone who’d take care to check for the presence of a certificate might also click through to view the certificate, which would only serve to emphasise that it didn’t belong to Argos?

If you do fill in a username and password, then you have not only handed both of them to the crooks but also embarked on a longer phishing expedition, because the next page asks for more:

We didn’t try going any further than this, so we can’t tell you what the crooks might ask you next – but one thing is clear: by the time you get here, you’ve already given away far too much.

What to do?

  • Check the full domain name. Don’t let your eyes wander just because the server name you see in the link starts off correctly. What matters is how it ends.
  • Look for the padlock. These days, many phishing sites have a web security certificate so you will often see a padlock even on a bogus site. So the presence of a padlock doesn’t tell you much on its own. But the absence of a padlock is an instant warning saying, “Go no further!”
  • Don’t use login links in SMSes or emails. If you think you are getting a refund, find your own way to the merchant’s login page, perhaps via a bookmark, a search engine, or a printed invoice from earlier. It’s a bit slower than just clicking through but it’s way safer.
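The subdomain trick described above, and the “check how the domain name ends” advice, as an added example (not code from the Naked Security article): a small checker that works out which registrable domain actually controls a link’s host, so a brand name sitting at the left-hand end is recognised as a decoy. The public-suffix table is a constructed stub covering only the suffixes needed here, and the host `attacker-placeholder.shop` stands in for the masked domain in the article.

```python
"""Does a link's host really belong to the brand it appears to name?

Added example, not from the original article. The suffix table below is a
constructed stub; a real check would load the full Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed stub of the Public Suffix List: suffixes under which anyone can
# register a name. "co.uk" is a multi-label suffix, so "argos.co.uk" is a
# registrable domain even though "uk" on its own says nothing about ownership.
PUBLIC_SUFFIXES = {"com", "net", "shop", "uk", "co.uk", "example"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (public suffix plus one label) of a host.

    Whoever owns the registrable domain controls every label to its left, so
    it is the only part of the host name that identifies who you are talking to.
    """
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate down so "co.uk" is found before "uk".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def assess_link(url: str, brand_domain: str) -> dict:
    """Classify a link against the brand it claims to come from.

    "brand_named_in_host" is a loose substring heuristic: it catches the brand
    appearing anywhere in the host, not just as a leading subdomain.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = brand_domain.lower()
    actual = registrable_domain(host)
    named = brand in host
    return {
        "host": host,
        "registrable_domain": actual,
        "brand_named_in_host": named,
        "controlled_by_brand": actual == brand,
        # The giveaway from the article: brand on the left, someone else's
        # domain on the right.
        "decoy_subdomain": named and actual != brand,
        # The article's second warning sign: no HTTPS at all.
        "https": parts.scheme == "https",
    }


def verdict(url: str, brand_domain: str) -> str:
    """One-line summary suitable for a help-desk or mail-filter note."""
    r = assess_link(url, brand_domain)
    if r["decoy_subdomain"]:
        return (f"phishy: host ends in {r['registrable_domain']}, "
                f"not {brand_domain.lower()}")
    if not r["controlled_by_brand"]:
        return f"unrelated: host is controlled by {r['registrable_domain']}"
    if not r["https"]:
        return "brand domain but no HTTPS: go no further"
    return "host belongs to the brand and uses HTTPS"


if __name__ == "__main__":
    # Constructed stand-in for the SMS link in the article.
    for link in ("http://argos.co.uk.attacker-placeholder.shop/login",
                 "https://www.argos.co.uk/account/login"):
        print(link, "->", verdict(link, "argos.co.uk"))
```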

Here’s to a phish-resistant 2019!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VR8LnxSyl9c/

Senator Wyden goes ballistic after US telcos caught selling people’s location data yet again

US Senator Ron Wyden is renewing his calls for legislation banning the sale of people’s private cellphone location information after yet another report that phone carriers were doing exactly that.

The Oregon Democratic Senator says that major telcos and their executives, including T-Mobile US CEO John Legere, directly lied to him last year when they vowed not to allow underhand private dicks, shady bounty hunters, and dodgy geezers to purchase the location information of citizens for tracking purposes.

This after a report from Vice’s Motherboard today showed that T-Mob, AT&T, and Sprint were still selling customer location data to third-party companies who, in turn, resell it to iffy miscreants. These buyers include bail bonds companies that pass people’s details on to bounty hunters looking to track down folks who have skipped bail, though it seems the data is slipping out to anyone offering cash.

In effect, it is possible for certain shady organizations to buy people’s whereabouts from these info resellers, who obtain the data from the carriers. We’re told the brokers caught by Vice reselling info to undesirables have now been cut off from the carriers’ info hose.

The sale of location data is not a new thing, sadly. Back in the spring of 2018 it was widely documented how prison companies and private investigators were brokering the sale of customer location data from major wireless carriers.

This led to calls for new rules that would prohibit companies from selling their user location data to any third party. Among those up in arms was Wyden, who floated legislation to impose legal penalties on carriers that sold customer data. The telcos then looked to get ahead of lawmakers by pledging on their own not to sell tracking data.

With that promise now having been shown to be utter rubbish, Wyden is renewing his calls to pass legislation.

“Major carriers pledged to end these practices, but it appears to have been more empty promises to consumers,” Wyden said. “It’s time for Congress to take action by passing my bill to safeguard consumer data and hold companies accountable.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/08/telcos_customer_tracking_sales/

Security Matters When It Comes to Mergers & Acquisitions

The recently disclosed Marriott breach exposed a frequently ignored issue in the M&A process.

Software security issues aren’t going away anytime soon, as proven by the recently disclosed colossal breach at Marriott. Sure, we could rehash the typical post-mortem responses such as securing the software development life cycle, shifting left, DevSecOps, or other industry buzzwords associated with today’s security concerns. But in regard to Marriott’s recent breach, which affected over 500 million customers, it’s critical to look at a different aspect of security: the software exposure before and after mergers and acquisitions (M&A).

M&As are a common business practice and have created some of the largest, most successful companies in the world. While the M&A process is typically thought of as a boardroom issue, we must consider more than the financial activity that looks to increase revenues and customer base. Unfortunately, vetting the associated security risks is often neglected throughout the process. This shows the need for transparency and increased security awareness between IT/security professionals and the C-suite.

M&A’s Security Risk
A report by West Monroe surveyed 100 senior global executives in early 2017 and found that cybersecurity continues to be a major issue in relation to M&A, both in due diligence and after the deal closes. Fifty-two percent reported discovering a cybersecurity problem after closing the deal. It was also found that security was the No. 2 reason M&A deals were abandoned, and the second most common reason buyers regretted closing a deal. When evaluating the entire M&A process, respondents shared that the top three reasons deals often fail are security concerns (23%), financial and tax issues (23%), and problems with compliance (18%). While these are relatively low, the most anxiety appears to come after the deal is done. The study found that two in five respondents said problems during post-merger integration (41%) was their main worry when thinking about issues related to security.

Based on Personal Experience
From my own experience in M&A, before I was at Checkmarx, I was responsible for vetting companies being acquired by other clients. In one case, as part of the recommended analysis, we thoroughly scanned a company’s software and found that it was full of vulnerabilities. To our dismay, we discovered a backdoor into the entire system. As a result, the entire process came to a halt and the deal fell apart. The security risk was too great. In a surprising turn of events, the acquiree attempted to take legal action against the security company I was with, claiming that we blocked the M&A process. In my opinion, while we may have missed out on financial gains from the acquisition, we saved our client from a potentially costlier security compromise similar to Marriott’s.

Applying What We’ve Learned to Marriott
This same concept can be applied to Marriott’s recent breach. In 2016, Marriott International acquired Starwood Hotels & Resorts Worldwide, creating the world’s largest hotel company. We can assume that for such a large business deal, there was a very long investigation into the financials, operating practices, market penetration, and other variables necessary to finalize such a large acquisition. But was security considered? Starwood reported an unrelated malware attack on their point-of-sale systems just two weeks after the original deal was signed. Had Marriott investigated and vetted Starwood’s software security prior to the acquisition, this particular vulnerability might have been found and resolved — or at the very least, triggered a major red flag around the security of Starwood’s software. Had this been elevated to executives facilitating the M&A, the risk could have been properly evaluated, ultimately delaying or canceling the deal.

Fast forward to 2018, and the recently reported breach was in Starwood’s system, not Marriott’s. Unfortunately, as the parent company, Marriott is still responsible in terms of damage control. Marriott could have the best security program in the world, but because it owns Starwood, there will be significant financial and reputation damage to the entire brand. Was Marriott so focused on the financial and business aspects of the acquisition of Starwood that it was willing to accept the risk? Did Starwood know about this issue but did nothing because it knew it was going to be acquired and didn’t want to spend the money to fix the problem? Or did neither Marriott nor Starwood know about the issue? No matter what the truth is, the biggest losers here are the customers who have had their personally identifiable information (PII) compromised.

The Future of Security and M&A
The major takeaway is that organizations must have a vetting process for the security of the companies that they are acquiring or merging with. This process is just as important as due diligence around financials or expanded brand presence. At a minimum, during the M&A process, companies should bring in a security team — whether it be a CISO, director of security, or other — to build out a repeatable security program, evaluate network security policies, and consider important factors such as the effectiveness of firewalls, endpoint protection, and other security tools. The acquirers should ask themselves, what are the homegrown, internally developed products, and how can those cause risk? Unfortunately, today, most acquirers simply turn their heads away from the problem because the profit margins seem greater than the risk.

The acquiring company now must do damage control on all fronts, even if it was something it didn’t do. The Marriott breach may have been avoided if proper security policies and/or practices around vetting potential risk were in place. Today, any company that processes PII data — regardless of the industry it is in — should consider itself a technology company, and, therefore, security should be at the forefront of boardroom discussions, not just during M&A but throughout the course of business.

Matt Rose has over 18 years of software development, sales engineering management, and consulting experience. During this time, Matt has helped some of the largest organizations in the world in a variety of industries, regions, and technical environments implement secure …

Article source: https://www.darkreading.com/application-security/security-matters-when-it-comes-to-mergers-and-acquisitions/a/d-id/1333548?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sophos Buys Cloud Security Company

Deal gives Sophos a new AI-based cloud security platform.

Endpoint security vendor Sophos has acquired a small cloud security company that provides an artificial intelligence-based security analytics and DevSecOps platform.

Avid Secure is a two-year-old private startup based in San Francisco with security experts from LinkedIn, Yahoo, McAfee, Cisco, and Atlassian. The company focuses on AI and automation for monitoring and handling workloads in cloud services like AWS, Azure, and Google.

“The accelerated adoption of public cloud environments is presenting new data security challenges to organizations. With the cloud workload protection and the cloud security posture management software from Avid Secure, Sophos will expand its current capabilities in cloud security and drive leadership in this growing space,” said Dan Schiappa, senior vice president and general manager of products at Sophos in a statement.

“We welcome the Avid Secure team to Sophos and are excited to bring their transformational technology into our portfolio, strengthening our ability to offer the best protection for our customers’ data on endpoints and networks, wherever their services are hosted,” Schiappa said.

Sophos did not disclose financial details of the deal. Read more here

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/sophos-buys-cloud-security-company/d/d-id/1333604?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Whitfield Diffie Joins Quantum Xchange Advisory Board

The noted cryptography expert has joined the advisory board of the quantum key exchange provider.

A Quantum Key Distribution (QKD) network provider has received a vote of confidence from a noted cryptography expert, with Whitfield Diffie joining the advisory board of Quantum Xchange.

Diffie, who pioneered dual-key cryptography and is the co-developer with Martin Hellman of the Diffie-Hellman key exchange protocol, will serve as an advisor to the company.

Quantum Xchange offers a quantum-secured network to customers in the US northeast corridor through its Phio service, which operates in conjunction with infrastructure partner Zayo Group. The first operational leg of the company’s service network has been accepting customers between New York City and New Jersey since November 2018.

For more, read here.

Article source: https://www.darkreading.com/vulnerabilities---threats/whitfield-diffie-joins-quantum-xchange-advisory-board/d/d-id/1333605?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Humana Breaches Reflect Chronic Credential Theft in Healthcare

A series of 2018 cybersecurity incidents shows credential stuffing is a trend to watch among healthcare organizations.

On Oct. 25, 2018, Bankers Life informed Humana of “unusual activity” affecting its systems. This was among the last breaches Humana disclosed in 2018 but far from the first.

Bankers Life, which does business with the health insurance company, first noticed suspicious activity on Aug. 7, 2018. An investigation with an external forensics investigator revealed that an unknown, unauthorized actor obtained system credentials for Bankers Life employees and gained access to websites where people can log in to apply for Humana healthcare policies, the company recently disclosed.

Investigators found the breach affected consumer insurance applications and data within them, including their birthdates, addresses, last four digits of Social Security numbers, and insurance-related data (policy or application numbers, type and cost of coverage, for example). The intruder had access to the data from May 30 through Sept. 13, officials report.

“What is alarming are the timelines of the attack, which show that the attack ran from May through to September,” says Garrett O’Hara, principal consultant at Mimecast. “This is not unusual, but does raise questions around what activity was happening in the background.”

This incident did not compromise full Social Security numbers, banking or credit card data, or any information about individuals’ health or medical care, Humana explained in its breach disclosure. Bankers Life is offering a year of free identity repair and credit monitoring services, and “took steps to further restrict and monitor access to its systems and enhance additional security procedures, including additional training for certain employees,” the company said.

“Based on the current reporting, this breach appears to be pretty typical,” says Matthew Gardiner, security strategist at Mimecast. “In many cases, the attacker doesn’t even know what they are going to do with the stolen data until they steal and evaluate it.” It’s common, he adds, for cybercriminals to steal data before looking for a secondary black market to sell it into.

Credential Compromise is Chronic 

Credential-harvesting attacks have become one of the most prevalent attack types not only in healthcare, but for all organizations, says Gardiner. However, because of legal requirements to report breaches, disclosures from healthcare firms appear disproportionately often in public. The rise in online applications, combined with single authentication factors, makes credential theft “a natural stepping stone for cybercriminals” and results in these types of cyberattacks, he adds.

The Bankers Life incident wasn’t the first incident of credential stuffing for Humana in 2018. This summer brought a phishing attack to Family Physicians Group (FPG), a firm Humana acquired in April and one of the largest healthcare providers for Medicare and Medicaid patients in Central Florida, as per HIPAA Journal, which says FPG has 22 clinics in the area.

Similar to the Bankers Life incident, this one involved compromised credentials. Investigators analyzing the FPG attack learned an intruder broke into an employee’s email account using credentials obtained when the employee responded to a phishing message. The actor(s) broke into the account on Aug. 7, 2018 and continued to have access to it until Aug. 21.

In total, the FPG attack exposed the data of 8,400 patients. Affected information did not include financial data or Social Security numbers. It did include names, birthdates, physicians’ names, and health insurance information. FPG so far has no indication the data was abused but had employees change their passwords and took steps to protect email accounts from phishing.

Humana also notified members of a credential-stuffing incident in early July following an attack on Humana.com and Go365.com. In early June, the company detected a “significant increase” in secure login errors after several attempts to log into both Humana and Go365 from foreign countries. Its security operations team blocked the intruding IP addresses on June 4, 2018.

The volume of attacks indicated a “large and broad-based automated attack,” reported Jim Theiss, Humana’s chief privacy officer, in a letter dated June 21. It seems the attacker had a large number of user IDs and passwords and was attempting to see which combinations were valid. The number of failures shows the ID/password combos didn’t come from Humana.
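The signal Humana’s team is describing, many accounts tried roughly once each from one source with almost every attempt failing, can be separated from an ordinary brute-force attempt on a single account by looking at per-source statistics. The following detector is an added example, not code from the article or from Humana; the log format, the sample lines and the thresholds are all constructed for the demo.

```python
"""Spot credential stuffing in authentication logs by per-source behaviour.

Added example, not from the original article. The key=value log format is
made up for the demo; real products log differently, so parse_line() is the
part to adapt. Thresholds in classify() are assumptions, not published values.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0

    @property
    def attempts_per_user(self) -> float:
        return self.attempts / len(self.users) if self.users else 0.0


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Roll login attempts up per source address."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
    return stats


def classify(s: SourceStats, min_attempts=10, min_users=10, min_failure_rate=0.8) -> str:
    """Label one source.

    Credential stuffing: many distinct accounts, about one try each, nearly all
    failing, because the ID/password pairs came from someone else's breach and
    only the reused ones hit. Brute force on one account looks the opposite:
    many tries, very few users.
    """
    if s.attempts < min_attempts or s.failure_rate < min_failure_rate:
        return "normal"
    if len(s.users) >= min_users and s.attempts_per_user <= 2:
        return "credential-stuffing"
    if len(s.users) < min_users:
        return "brute-force"
    return "suspicious"


def detect(lines, **thresholds) -> dict:
    """Map each source address in the log to a label."""
    return {src: classify(s, **thresholds) for src, s in aggregate(lines).items()}


def constructed_sample():
    """Constructed log lines: one stuffing source, one brute-force source, one user."""
    lines = []
    # 40 different accounts, one attempt each, two of them reused passwords that work.
    for i in range(40):
        result = "OK" if i in (7, 23) else "FAIL"
        lines.append(f"2018-06-03T02:{i:02d}:00Z src=198.51.100.23 "
                     f"user=member{i}@example.net result={result}")
    # 15 guesses against a single account.
    for i in range(15):
        lines.append(f"2018-06-03T03:00:{i:02d}Z src=203.0.113.9 "
                     f"user=admin@example.net result=FAIL")
    # An ordinary user who mistypes once and then logs in.
    lines += ["2018-06-03T08:00:00Z src=192.0.2.44 user=alice@example.net result=FAIL",
              "2018-06-03T08:00:20Z src=192.0.2.44 user=alice@example.net result=OK"]
    return lines


if __name__ == "__main__":
    for src, label in detect(constructed_sample()).items():
        print(f"{src:16} {label}")
```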

What to Do About It

Dr. Asem Otham, team lead for biometric science at Veridium, says health credentials are worth more than other credentials on the Dark Web. The Bankers Life/Humana breach demonstrates how privileged access management, like database access, needs to be carefully managed with stronger authentication requirements and approval from administrators and/or supervisors.

Biometric authentication is making its mark in healthcare, says Dr. Otham. For example, patients seek touchless biometrics like FaceID and fingerprint logins. In some operating rooms, periocular (a scan of the eye area) and voice can both prove useful. “Replacing passwords with biometrics will ensure secure yet convenient access to health and insurance records, and provide true identity authentication, preventing leaks of PII as seen in the Bankers Life breach.”

While investment in technology for protection is crucial, says O’Hara, people will continue to be weak points in security as both sophisticated and simple social engineering attacks give attackers access to credentials. The value of healthcare data, combined with “traditionally limited budgets” for healthcare’s IT and security teams, increases the appeal to attackers.

“The huge downward pressure to do more with less will see legacy medical systems, often out-of-date and unpatched, being used as a stepping stone into more lucrative systems,” he adds.

Because of this, he strongly advises end-user education programs to help employees both understand cybersecurity and become invested in protecting the company they work for. Regular and relevant education, while difficult, can help get through to employees.

Humana did not respond to request for comment on this article.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/humana-breaches-reflect-chronic-credential-theft-in-healthcare/d/d-id/1333607?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Your Life Is the Attack Surface: The Risks of IoT

To protect yourself, you must know where you’re vulnerable – and these tips can help.

Today, there are more connected devices than humans. The unprecedented growth of connected devices has created innumerable new threats for organizations, manufacturers, and consumers, while at the same time creating opportunities for hackers. The world has seen the risks of this firsthand: Internet of Things (IoT) devices now constitute the largest-scale botnets, able to take down major websites like Twitter, GitHub, and the PlayStation Network. The many ways a hacker could reach the data these devices collect are apparent and quite disconcerting. The first step to protecting yourself is knowing where you’re vulnerable.

Connected Devices as the Fastest-Growing Attack Surface
A growing number of households now have an IoT hub — be it Echo or Google Home — a device that takes the place of or attaches to your wireless router and has permissions to do things on your behalf. One of the most immediate security concerns comes with this permission. If your device is set up to purchase things on your behalf, there is nothing to stop someone else within the microphone’s listening range, even on your TV or radio, from commanding “Alexa” to buy something for you.

This issue extends to other personal devices as well. For home security cameras, it might be backing up or storing video images. For health tracking devices, it’s personal health data such as heart rate, pulse, diet, etc. An Internet-connected stuffed animal was recently found to have exposed more than 2 million voice recordings of children and parents, as well as e-mail addresses and password data for more than 800,000 accounts. In other words, this seemingly innocuous data is highly personal on the individual level and therefore a great risk to individual security.

The Role of Policy and Defenders
Thus far, IoT has gone unregulated and largely unsecured, and given the rapid growth of IoT devices it’s no surprise that these devices represent a major and growing threat — and a major opportunity for adversaries. The sheer number and types of the devices being networked and connected to cloud interfaces and on-the-Internet APIs is one of the greatest challenges in security today. Each device has its own set of technologies, and thus its own set of security vulnerabilities. Additionally, some of these industries have never dealt with Internet-facing devices before, and their development staff is just not trained in the ways of web application security. High pressure, low awareness, and the absence of a governing body to police the market have resulted in an increase in attacks on these devices. That’s why it’s becoming imperative to implement global security standards.

Before the industry really starts inking policy, however, we’ll continue to rely on hackers to identify vulnerabilities and ultimately improve the way the industry addresses potential risks. This group will be essential for improving the security maturity of the market and ensuring the implementation of security controls for IoT devices, such as toys, thermostats, and even smart cars, all of which provide a fascinating breeding ground for best practices.

How to Prevent Cyberattacks
There is a lot of work to do for manufacturers, policymakers, researchers, legislators, and companies that are releasing IoT devices, identifying risks, and creating regulations. And unfortunately, IoT extends far beyond household gadgets. From your car to your pacemaker and your Fitbit, any device that connects to the Internet is a potential attack surface.

While the broader security industry addresses these issues, how can you personally prevent cyberattacks in your own digital life?

  • Research your device before purchase: For any device you’re considering buying that’s connected to the Internet, determine whether the vendor is paying attention to security. Does it have security notes online? Has it had any security research directed at it before, and if so, has it responded well to that research? Use the answers to make a decision about which device to purchase. Amazon reviews and Better Business Bureau reports can be great indicators here.
  • Use strong Wi-Fi encryption: Securing your Wi-Fi at home goes beyond plugging it in and setting a password. The choices for encryption standards typically can be found on vendors’ websites, so if you’re unsure, it’s a good idea to do some due diligence before choosing one. Implementing the most advanced encryption that your router can support (usually called WPA) is the difference between offering someone easy access to your home network and being secure.
  • Check the device for additional security configurations: While updating the device regularly will help avoid unnecessary breaches, it’s also a good idea to ensure additional security configurations are in place if available. To find these, log in to the control panel of the device. In the settings section, there will often be additional controls. They can be cumbersome to set up but useful to keep you secure.
  • Disable features not being used: These features will vary by device, but an example would be your laptop’s webcam, which could be a threat if it’s not disabled or obscured, especially in light of numerous well-documented attacks. Being aware of all enabled features is a great way as a consumer to protect yourself against IoT hacks and malicious actors accessing your personal devices on your network or other places you use devices.

The Future of IoT Security
From the takedown of Dyn to the distributed denial-of-service attack on Brian Krebs‘ website, the industry has learned some major lessons around IoT security in the past few years. This is causing standards to be created that will help reduce risks. However, change takes time. IoT security is in the standards phase right now, which means that legislators haven’t yet prescribed specific policies around what security devices need to have in place for manufacturers to ship them. Given this, consumers must take personal action and be aware of the risks.


Jason is the head of trust and security at Bugcrowd. Jason works with clients and security researchers to create high value, sustainable, and impactful bug bounty programs. He also works with Bugcrowd to improve the security industry’s relations with researchers. Jason’s …

Article source: https://www.darkreading.com/endpoint/your-life-is-the-attack-surface-the-risks-of-iot-/a/d-id/1333588?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple