STE WILLIAMS

53 Bugs in 50 Days: Researchers Fuzz Adobe Reader

Automatic vulnerability-finding tools detect more than 50 CVEs in Adobe Reader and Adobe Pro during a 50-day experiment.

Researchers discovered 53 new and critical vulnerabilities in Adobe Reader over the course of 50 days using WinAFL, a common Windows fuzzing framework, new analysis shows.

The number of new vulnerabilities reported in 2017 was about 14,000, a high point compared with previous years and more than double the amount found in 2016, according to Check Point, which conducted the experiment. Check Point researchers attribute the spike to the growing popularity of “fuzzers,” or automatic vulnerability-finding tools, which are maturing and growing more accepted as their capabilities are refined.

Fuzzers are not new – they’ve been around for more than twenty years – but they are becoming more accessible and capable. Fortinet’s Derek Manky anticipates AI fuzzing will increase in 2019 as artificial intelligence makes it more efficient and effective. The trend could make zero-day exploits more common and affect the process of securing devices and systems.

Professional threat researchers commonly use fuzzing in lab environments to find new vulnerabilities in hardware and software. They inject invalid and sometimes semi-random data into an interface or program and watch for crashes, potential memory leaks, undocumented jumps to debug routines, failing code assertions, and other activity, Manky explains.

Security experts often avoid fuzzers because they are perceived to be a hassle. While adoption is increasing, Check Point’s team wanted to see how many low-hanging fruit they were missing. Their 50-day experiment unearthed more than 50 new CVEs in Adobe Reader. An average of one vulnerability per day is “not quite the usual pace for this kind of research,” they point out.

For their fuzzer, researchers chose WinAFL, a common Windows fuzzing framework, and targeted Adobe Reader in “the most vanilla experiment we could think of,” they explain in a report on the findings. A 50-day timeframe was chosen for the full project: reverse-engineering code, hunting for potential vulnerable libraries, writing harnesses, and running the fuzzer itself.

WinAFL, a fork of AFL for Windows, is a coverage-guided genetic fuzzer built and maintained by Ivan Fratric of Google’s Project Zero. The Windows version uses a different style of instrumentation, which let the researchers target closed-source binaries, they report. They found WinAFL effective at finding file-format bugs, especially in compressed binary formats.

Knowing WinAFL is better at binary formats, they chose to focus their efforts and attack a specific parser. The challenge was finding a parser and writing a harness for it. In fuzzing, a harness is used to target complex software like Adobe Reader, the researchers explain, because a ready-made target function (the entry point for the fuzzing process) is relatively uncommon in practice.

Before the fuzzing session begins, the researchers had to check that the total path count was rising – a sign the fuzzer is reaching new paths with their harness. If the path count is zero or close to it, there are a few problems they can investigate, which Check Point’s experts explain in their write-up of the investigation. The stability of the harness, which should be above 80%, is critical because it affects the fuzzer’s accuracy and performance, they explain.

Running the fuzzers is pretty straightforward, they say, and should be done in the following order: run the fuzzers, check coverage and crashes, investigate coverage, run the “cmin” (corpus minimization) process, and repeat. A bot should be used to check the status of all fuzzers, graph paths over time for each, triage crashes and generate a report, and restart dead fuzzers.

“We can’t stress enough how important it is to automate these tasks,” they write. “Otherwise, fuzzing is tedious and error prone.”
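An added status bot of the kind the write-up recommends (example code, not Check Point’s tooling and not part of WinAFL): it parses each instance’s fuzzer_stats file, applies the path-count and 80% stability checks, flags dead instances for restart, graphs paths over time as a text trend, and buckets crash files for triage. The stats contents, crash file names and timestamps below are constructed samples; the dead-fuzzer timeout and the crash-name layout are assumptions.

```python
"""Status bot for a farm of WinAFL fuzzers, driven by their fuzzer_stats files.

Added example; this is not Check Point's tooling nor part of WinAFL. It assumes
each fuzzer instance writes an AFL-style fuzzer_stats file (``key : value``
lines with paths_total, stability, unique_crashes and last_update) and that
crash file names start with the crash id and end with a reason token, as in
the constructed samples below.
"""
from collections import Counter
from dataclasses import dataclass, field

MIN_STABILITY = 80.0   # the write-up's floor for a usable harness
MIN_PATHS = 2          # "zero or close to it": harness is not reaching the parser
DEAD_AFTER = 15 * 60   # assumption: no stats update for 15 minutes means the fuzzer died


def parse_fuzzer_stats(text: str) -> dict:
    """Parse a fuzzer_stats file into a dict of strings; malformed lines are skipped."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            stats[key.strip()] = value.strip()
    return stats


@dataclass
class FuzzerStatus:
    name: str
    paths_total: int
    stability: float
    unique_crashes: int
    alive: bool
    problems: list = field(default_factory=list)

    @property
    def needs_restart(self) -> bool:
        return not self.alive


def assess(name: str, stats: dict, paths_history: list, now: int) -> FuzzerStatus:
    """Apply the write-up's checks: fuzzer alive, paths rising, stability above 80%."""
    paths = int(stats.get("paths_total", 0))
    stability = float(stats.get("stability", "0%").rstrip("%"))
    crashes = int(stats.get("unique_crashes", 0))
    alive = now - int(stats.get("last_update", 0)) <= DEAD_AFTER
    status = FuzzerStatus(name, paths, stability, crashes, alive)
    if not alive:
        status.problems.append("no stats update within %d s; restart" % DEAD_AFTER)
    if paths < MIN_PATHS:
        status.problems.append("path count near zero; harness probably not reaching the target")
    elif paths_history and paths <= paths_history[-1]:
        status.problems.append("path count not rising since last check")
    if stability < MIN_STABILITY:
        status.problems.append("stability %.1f%% below %.0f%%" % (stability, MIN_STABILITY))
    paths_history.append(paths)   # keep the series so paths can be graphed over time
    return status


def paths_trend(history: list, width: int = 20) -> str:
    """Text graph of paths over time: one bar character per sample, scaled to the max."""
    if not history:
        return ""
    top = max(history) or 1
    bars = " ▁▂▃▄▅▆▇█"
    return "".join(bars[round(p * (len(bars) - 1) / top)] for p in history[-width:])


def triage_crashes(filenames: list) -> Counter:
    """Bucket crash files by reason token (assumed naming: id_<n>_<xx>_<REASON>)."""
    buckets = Counter()
    for name in filenames:
        parts = name.split("_", 3)
        buckets[parts[3] if len(parts) == 4 else "UNKNOWN"] += 1
    return buckets


def build_report(statuses: list, histories: dict, crash_buckets: Counter) -> str:
    """One line per fuzzer plus its problems, then the crash buckets."""
    lines = ["fuzzer      paths  stab%  crashes  alive  trend"]
    for s in statuses:
        lines.append("%-10s %6d %6.1f %8d  %-5s  %s" % (
            s.name, s.paths_total, s.stability, s.unique_crashes,
            "yes" if s.alive else "NO", paths_trend(histories[s.name])))
        for p in s.problems:
            lines.append("    ! " + p)
    lines.append("crash buckets: " + ", ".join("%s=%d" % kv for kv in crash_buckets.most_common()))
    return "\n".join(lines)


def run_cycle(stats_by_fuzzer: dict, histories: dict, now: int) -> list:
    """One monitoring pass over every fuzzer; histories is mutated across passes."""
    return [assess(n, parse_fuzzer_stats(t), histories.setdefault(n, []), now)
            for n, t in stats_by_fuzzer.items()]


NOW = 1_545_000_000   # constructed "current time" (unix seconds)
SAMPLE_STATS = {      # constructed fuzzer_stats contents for three instances
    "master": "last_update : 1544999950\nfuzzer_pid : 4120\n"
              "paths_total : 1532\nunique_crashes : 3\nstability : 98.10%\n",
    "slave1": "last_update : 1544999900\nfuzzer_pid : 4121\n"
              "paths_total : 1\nunique_crashes : 0\nstability : 61.40%\n",
    "slave2": "last_update : 1544990300\nfuzzer_pid : 4122\n"
              "paths_total : 870\nunique_crashes : 1\nstability : 95.00%\n",
}
SAMPLE_CRASHES = [    # constructed crash file names
    "id_000000_00_EXCEPTION_ACCESS_VIOLATION",
    "id_000001_00_EXCEPTION_ACCESS_VIOLATION",
    "id_000002_00_EXCEPTION_INT_DIVIDE_BY_ZERO",
    "id_000003_00_EXCEPTION_ACCESS_VIOLATION",
]

if __name__ == "__main__":
    histories = {}
    statuses = run_cycle(SAMPLE_STATS, histories, NOW)
    print(build_report(statuses, histories, triage_crashes(SAMPLE_CRASHES)))
```

In a real deployment the bot would read each instance’s fuzzer_stats and crashes directory from disk on a timer and restart any status with needs_restart set.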

Their strategy led to the discovery of 53 critical bugs in Adobe Reader and Adobe Pro, and they repeated the process for different parsers to come up with their final list of CVEs.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/53-bugs-in-50-days-researchers-fuzz-adobe-reader/d/d-id/1333507?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Disk-Wiping ‘Shamoon’ Malware Resurfaces With File-Erasing Malware in Tow

As with previous attacks, organizations in the Middle East appear to be main targets, Symantec says.

Organizations in the United Arab Emirates and Saudi Arabia are once again being targeted in a new wave of attacks involving Shamoon, a malware strain that was used to destroy more than 30,000 PCs at oil giant Saudi Aramco in 2012.

The latest attacks come after a two-year lull and are doubly destructive since they include a new component, Filerase, for erasing files on an infected system before Shamoon wipes the master boot record clean, Symantec states in a report. The addition of Filerase makes it almost impossible for victims to recover data from impacted systems, the security vendor notes.

Based on a breach disclosure from Italian oil services firm Saipem, the new Shamoon attacks appear to have begun Dec. 10. Saipem, a leading provider of drilling services, described the attack as impacting up to 100 PCs and between 300 and 400 servers located in the Middle East, India, Scotland, and Italy.

“The attack led to the cancellation of data and infrastructures, typical effects of malware,” according to Saipem. “The restoration activities, in a gradual and controlled manner, are under way through the back-up infrastructures and, when completed, will re-establish the full operation of the impacted sites.” Reuters quoted a Saipem executive as saying the attacks had originated in the south Indian city of Chennai, though Symantec itself says it has no evidence to corroborate that.

However, according to Symantec, its researchers have found evidence of attacks against at least two other organizations in the oil and gas industry in the Middle East during the same time.

Eric Chien, senior researcher at Symantec, says the company is still early in the investigation process and has so far been unable to determine whether the same group that was behind the original Shamoon attacks is behind the latest ones as well.

One of the companies impacted in the latest attacks was also recently attacked by Elfin/APT 33, an Iranian threat group that has been targeting aerospace and energy-sector targets. The proximity of the two attacks makes it possible the two campaigns are linked, Chien says.

The Hunt for Motives
At this time it’s unclear why the companies were targeted and how the attackers are distributing Shamoon and the new Filerase component. Chien describes Filerase as deleting files in [ROOT_DRIVE]\Users and files on other drives that are less than 100 MB in size.

Once Filerase infects one system, it spreads across the victim network using a list of targeted systems and another tool called Spreader.exe. The list, in the form of a text file, is specific to each victim and suggests that the attackers likely gathered the information from previous reconnaissance activity on the network, Symantec said. Once Filerase has been successfully copied on all computers in the attacker’s list, the Spreader component simultaneously triggers it on the systems.

Symantec says it is possible that Shamoon itself was spread via the same mechanism on the impacted networks. “In at least one instance, Shamoon was executed using PsExec, indicating that the attackers had access to credentials for the network,” the company says in its report.

Baan Alsinawi, president and founder of risk management firm TalaTek, says that based on publicly available information about the attack on Saipem, there’s a good possibility the attackers had physical access to the Italian company’s systems. “The lack of a network component and a command-and-control center, as described, suggested the attacker had installed the malware manually and set a time for it to propagate,” she says.

So while it is bad the attackers were able to inflict damage, if they first needed physical access, their ability to impact other companies is going to be somewhat limited, Alsinawi says. Gaining physical access, and likely needing escalated privileges, is a higher bar to achieve in these types of attacks, she says.

This is not the first time Shamoon has resurfaced after disappearing. “We’ve now seen the malware taken out of retirement every few years,” Chien says. After first emerging in 2012 and being used in a series of very disruptive attacks against Saudi Aramco and other Saudi energy companies, the malware went dormant before making a comeback in late 2016, he notes.

“With the introduction of this most recent iteration, organizations need to remain vigilant and ensure that all data is properly backed up and a robust security strategy is in place,” Chien says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow/d/d-id/1333509?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cyber Readiness Institute Launches New Program for SMBs

Program seeks to raise employees’ cyber awareness and give small and midsize business owners the tools to make a difference.

The Cyber Readiness Institute (CRI) has formally launched a new program geared to help small and midsize businesses (SMBs) create cyber awareness at their companies.

This afternoon’s launch, held at the National Press Club in Washington, D.C., featured a one-hour panel discussion on the role SMBs play in the supply chain, how important the security of SMBs is to the economy, and how everyone plays a role in cybersecurity today.

Kiersten Todt, executive director of CRI, said the program focuses on four areas: authentication, phishing, patching, and safer use of USBs.

“We also offer templates for companies to apply simple policies that anyone can understand and so that the SMBs don’t have to spend additional resources,” Todt said, adding that companies receive a certificate for completing the program.

In creating the Cyber Readiness Program, CRI held focus groups with SMBs in eight countries and a pilot with 19 SMBs worldwide. Some of the companies had as few as two employees, while others had close to 700.  

Why all the focus on SMBs?

The 2018 Verizon Data Breach Investigations Report found that 58% of data breach victims globally are SMBs. CRI has also found that many SMBs report doing very little to protect themselves because they lack the required resources, capabilities, and knowledge.

Valecia Maclin, general managing engineer, computer security and trust, at Microsoft, said owners of SMBs always come to her and say they don’t know what policies to develop or which tools to use – so there’s a real need for this type of program.

“I like to stress our interconnectedness,” Maclin said. “We’re not going back from here, and we’re only as strong as our weakest link … so I think we’ll see a progression in security where many of these security functions will become automated and easy to use.”

Behind the Scenes
Samuel J. Palmisano, retired president and CEO of IBM and current chairman of the Center for Global Enterprise, said the work on the Cyber Readiness Program dates back to President Barack Obama’s Commission on Enhancing Cybersecurity.

The new CRI program is a first step that will help create a culture of hygiene across the country, Palmisano said. He stressed the importance of increasing awareness among the staff at SMBs because the vast majority of attacks stem from issues caused by employees – for example, a phishing email they may have clicked on inadvertently.

“It’s proven that the vast majority of breaches can be counteracted by learning, education, and management processes,” Palmisano said. “And if procurement people at an SMB’s major customer make it clear that they have to comply with the cyber readiness program, then that will bring a lot of people along. I think this is a very good time to do this because people are more aware of cybersecurity and privacy.”

Ajay Banga, president and CEO of Mastercard and co-chair of CRI, added that encouraging companies in their supply chains to get certified by the cyber readiness program is one of the more important roles corporate sponsors can offer.

“Understand that this is going to be very hard,” Banga said. “The first step is to get people to understand that there is a real issue and to raise the level of engagement. I think it will take a three- to four-year effort to change the nature of the dialogue.”

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/threat-intelligence/cyber-readiness-institute-launches-new-program-for-smbs/d/d-id/1333510?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Who’s watching you from an unmarked van while you shop in London? Cops with facial recog tech

London cops have been slammed for using unmarked vans to test controversial and inaccurate automated facial recognition technology on Christmas shoppers.

The UK capital’s Metropolitan Police are deploying the tech today and tomorrow in three tourist hotspots – Soho, Piccadilly Circus and Leicester Square.

The force has employed the tech – which scans people’s faces against a list of individuals of interest to the police – on numerous other occasions, including at the Notting Hill Carnival and a shopping centre in Stratford, east London.

This time, the tech will be attached to vans and run for eight hours on each day as the Met said it needed to put the tech through its paces for a longer time period.

However, use in a live environment is controversial because of poor success rates and a lack of governance and regulation.

In May, a Freedom of Information request from Big Brother Watch showed the Met’s facial recog had a 98 per cent false positive rate.

The group has now said that a subsequent request found that 100 per cent of the so-called matches since May have been incorrect.

A recent report from Cardiff University questioned the technology’s abilities in low light and crowds – which doesn’t bode well for a trial in some of the busiest streets in London just days before the winter solstice.

Even the cops don’t expect great things – police commissioner Cressida Dick said earlier this year that she didn’t think it would result in lots of arrests.

The lack of safeguards – such as rules on the retention and deletion of the biometric data collected – has led to legal challenges against forces using the tech.

“The police’s use of this authoritarian surveillance tool in total absence of a legal or democratic basis is alarming,” said Big Brother Watch director Silkie Carlo.

“Live facial recognition is a form of mass surveillance that, if allowed to continue, will turn members of the public into walking ID cards.”

And it isn’t just civil rights groups that are hot under the collar about such trials – defence think tank RUSI expressed concerns earlier this year that trials were going ahead in the field without a regulatory framework.

The Information Commissioner’s Office has also launched an investigation into facial recognition.

Police forces have insisted the controversial kit is only being trialled, but opponents have rejected this since officers use it as a basis to approach people.

The Met has also justified its public trials by saying the public are aware of what’s going on, saying of the latest trial:

The technology will be used overtly with a clear uniformed presence and information leaflets will be disseminated to the public. Posters with information about the technology will also be displayed in the area.

However, campaign group Liberty pointed out that the van doing the scanning isn’t marked and complained that the posters were not prominently displayed.

The Met said it was coming to the end of its trials – it had pledged to use it 10 times in 2018 – and has previously told The Register that an evaluation is due to take place at the end of the year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/17/met_police_facial_recognition_december_rollout/

Influential cypherpunk and crypto-anarchist Tim May dies aged 67

Obit Friends of Timothy May have confirmed that the former Intel engineer and co-founder of the Cypherpunks mailing list died of natural causes at his home in California on Friday. He was 67. Bitcoin and blockchain, WikiLeaks, P2P software and information markets all owe a debt to the list.

At Intel, May solved the problem of bit-flipping caused by alpha particles. With Murray Woods, he received the Institute of Electrical and Electronics Engineers’ (IEEE) annual WRG Baker Prize for his paper Alpha-Particle-Induced Soft Errors in Dynamic Memories, published in IEEE Transactions on Electron Devices in January 1979.

By 1986, aged 34, and thanks to a hundredfold increase in his Intel stock options, he had more time to devote to writing. One result was what he called “a pastiche of the Communist Manifesto”, The Crypto Anarchist Manifesto, and this would define the contours and flavour of the Cypherpunks list.

The mailing list was started in September 1992. May had got to know cryptographer Eric Hughes and found a kindred spirit in John Gilmore, who had made a fortune as Sun’s fifth employee and founded Cygnus Solutions to support free software. Gilmore hosted the list server. The three founders were almost instantly mythologised by WiReD magazine – issue #2 (“1.02”) the following year put them on the front cover as “Crypto Rebels”. The three were wearing masks eerily similar to the disguise popularised by the V for Vendetta film over a decade later [though of course we know the comic book dates back to the ’80s – Ed]. An early rallying point was the Clinton administration’s desire to put a spy chip, “the Clipper chip”, into every PC – or, more accurately, a secure communications chip to which the NSA had the keys.

May was described as Cypherpunk’s “in-house theoretician”.

The unmoderated and unruly list was soon hosting sprawling discussions about the economic, financial and social impacts of cryptography and distributed systems. A young Julian Assange became an active participant. The notion of digital cash – and the things you could do with it, such as anonymous assassination – predated Bitcoin by decades.

(May recounts the genesis in The Cyphernomicon, an FAQ noting that Vernor Vinge’s cyberpunk novel True Names was as much an inspiration as the anarchist Peter Kropotkin.)

By the time the list had changed servers in 2001, Gilmore declared it dead. As we noted at the time:

However, the list’s two largest legacies were not to be felt for another decade. The cryptocurrency Bitcoin was informed by the cypherpunk principle of using cryptography to solve trust problems, and also its philosophy of decentralisation, bypassing the state. Bitcoin was, and is, a deeply political project. And WikiLeaks followed the trail blazed by John Young’s Cryptome.

However, May’s final interview will disappoint people who expected cryptocurrencies to fundamentally disrupt the banking system any time soon.

“I’ve never seen such hype, such mania. Not even during the dot.com bubble,” he said.

“When I got my first credit card I did not spend a lot of time reading manuals, let alone downloading wallets, cold storage tools or keeping myself current on the protocols. It just worked, and money didn’t just vanish.

“Bottom line: there’s way too much hype, way too much publicity and not very many people who understand the ideas. It’s almost as if people realize there’s a whole world out there and thousands start building boats in their backyards. Some will make, but most will either stop building their boats or will sink at sea.”

Another legacy of May’s work is the legitimisation of a worldview so radical – even for many libertarians – that a consensus that produces workable laws remains elusive. This has been taken to heart by Google and Facebook, corporations arguably more powerful than any government. Google adopted the Manifesto’s call to embrace “wire clippers which dismantle the barbed wire around intellectual property” – with the result that no individual can effectively enact their digital property rights (example).

But May also acknowledged the power of the platforms in enabling what he called a “dossier society”.

“China already uses massive databases – with the aid of search engine companies – to compile ‘citizen trustworthiness’ ratings that can be used to deny access to banking, hotels, travel. Social media corporate giants are eagerly moving to help build the machinery of the dossier society (they claim otherwise, but their actions speak for themselves). Not to sound like a Leftist ranting about Big Brother, but any civil libertarian or actual libertarian has reason to be afraid. In fact, many authors decades ago predicted this dossier society, and the tools have jumped in quantum leaps since then.”

I attended the list’s 10th anniversary at May’s house in Corralitos, California, near Santa Cruz. Friend Lucky Green noted: “Tim leaves behind a very large firearms collection.” ®

Bootnote

Perhaps as a reminder of the reliability of distributed information, Bitcoin Wiki’s page for Tim May carries a photo not of May, but of Nick Timothy – UK prime minister Theresa May’s former chief advisor.

Bitcoin Tim May article features Nick Timothy
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/17/timothy_c_may/

Shhhhh! The Secret to Secrets Management

Companies need to take a centralized approach to protecting confidential data and assets. Here are 12 ways to get a handle on the problem.

Organizations in all industries have secrets that need to be protected. The modern ID landscape is filled with secrets — passwords, encryption keys, cryptocurrency wallets, SQL connection strings, storage account keys, API tokens — and organizations are challenged with storing, managing, and protecting their secrets.

Let’s define “secrets” as some knowledge or a piece of data that should be hidden from others, such as unapproved employees, unrelated business units, and competitors. Secrets are often used to encrypt data at rest and in transit. For example, a website will typically access encrypted data, process the information, and present the resulting information to a user in a browser. The data must be unencrypted for processing and transmission to the user.

If secrets aren’t managed correctly, they can expose sensitive information that could wreak havoc on an organization, its network, and its data. Currently, 87% of executives lack confidence in their organization’s level of cybersecurity, according to EY, a member firm of Ernst & Young Global Limited. Knowing where secrets are kept is the first step, which is easier said than done. They are likely fragmented and scattered everywhere across the organization and beyond: on premises, in the cloud, on servers, on devices, on clients, and even in code. A centralized approach to secrets management is vital for companies to protect their data and assets, while a poorly managed security approach could lead to breach, noncompliance, or outage.

12 Ways to Get a Handle on Secrets Management

  1. Learn where your company’s secrets are kept and inventory them. Secrets are often scattered everywhere: on premises; on servers, devices, and clients; in the cloud; and even in code. Develop a checklist to discover which systems are using keys, and collect information on their secret requirements and integration points.
  2. Set your goals for security robustness. The more robust your security, the more complex the implementation. You’ll need to have guidelines and practices in place for your extended security team to include user access policies, automated systems updates, and secure code deployment.
  3. Centralize your approach. Place secrets in a private repository with restricted access. Leverage vaulting systems (such as password managers) with access management. Leverage systems such as PKI, whose keys require less management.
  4. Separate data from the secrets. You can use location to your advantage and keep the secrets on premises and data in the cloud.
  5. Define your implementation. Evaluate administration versus technology solutions (see section below). Determine whether you will use policy and custom processes or leverage an existing vendor solution to achieve your goal.
  6. Control access. Consider security around any centralized repository. Manage control of access, authorizations, permissions, and privileges.
  7. Remove the human factor, if possible. Limit employees’ access to the secrets, leverage escrow services when passwords are involved, and consider alternate identity solutions in lieu of passwords.
  8. Check permissions: users, machines, applications. Determine where secrets are being created and stored and enforce restrictions that prevent unapproved creation and storage in unmanaged places.
  9. Log use and look for patterns. Anomaly detection will help you better understand and assess data and user behavior.
  10. Rotate encryption and identity keys. Define lifetimes and rotation strategies so encryption keys are removed from use before their cryptographic lifetimes are exceeded.
  11. Have an incident response plan ready. With threats and errors occurring with increased regularity, an incident response plan will reduce your risks (and stress) if you are faced with a security incident, requiring urgent incident response.
  12. Plan ahead for a data breach to reduce the impact. Keeping your breach response plan up to date will help if there is any type of compromise.

Once secrets are located by performing an assessment and inventory, it’s crucial to separate data from the secrets. For example, make sure the encryption keys that protect the data are separate from the secrets in a central, private repository with restricted access — such as a key management server with limited access to the public and by your employees. One recommendation is to use location to your advantage: secrets on-premises, data in the cloud. Be sure to keep data encrypted using keys and ensure keys are encrypted at rest.

Administration vs. Technology Solutions
The human element will always be the weakest link in any security protocol. Consider this: 80% of data breaches are caused by silly mistakes made by those responsible for managing secrets, according to Rashmi Jha, senior program manager at Microsoft. Here are some principles for tightening up your security:

  • Leverage escrow services when passwords are involved.
  • Consider alternate identity solutions in lieu of passwords.
  • Key management solutions are only part of the equation.
  • Audit, compliance, and remediation are critical.
  • Consider security around any centralized repository.

Levels of Security
Depending on your resources, there are different levels of security to consider when protecting your organization’s secrets:

  • Limited access: Secrets are stored in a repository/server with limited access to the public. Examples include password vaults, hardware security modules, and private Git repositories.
  • Encrypted secrets: Before being stored, the secrets are encrypted. Security through obscurity is not acceptable.
  • Management: An application that allows high-level control of the secrets. Examples include symmetric key management systems and password escrow services.

The Carrot or the Stick
Managing your organization’s secrets is one thing, but what about the third parties that you work with on an ongoing basis? Will secrets management be defined by your vendor’s application capabilities? If so, your vendors will be indirectly dictating your security posture. Application support is of utmost importance for the security of your secrets. You’ll want to define your own secrets management goals, establish a baseline standard for today, and create a two- to five-year goal for your security standard. You will want to be in control and notify your vendors that they must support the standard or face replacement. Any new RFP and application selection process criteria will factor in new requirements before acquisition.

The Pitfalls of Poor Secrets Management
What happens if organizations have poor secrets management? It can lead to account and network compromise, information leaks, outages, compliance issues, data breach, loss of reputation — and even the business shutting down. Secrets management is an ongoing effort and it’s important to follow the “trust but verify” approach.

Mark B. Cooper, President and Founder of PKI Solutions, has been known as “The PKI Guy” since his early days at Microsoft. Mark has deep knowledge and experience in all things public key infrastructure (PKI), including Microsoft Active Directory Certificate Services …

Article source: https://www.darkreading.com/perimeter/shhhhh!-the-secret-to-secrets-management/a/d-id/1333461?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook: Photo API Bug Exposed 6.8M User Photos

The flaw let developers access images that users may not have shared publicly, including those they started to upload but didn’t post.

Facebook has apologized for a photo API bug that may have exposed photos belonging to 6.8 million users.

This issue affects people who use Facebook login and gave third-party apps permission to access their photos. Normally, access is limited to images posted on users’ timelines. In this case, the bug expanded access to include photos shared on Marketplace or Facebook Stories. Third-party apps may have had access to a larger set of photos from Sep. 13 to Sep. 25, 2018.

The bug also affected photos that people uploaded to Facebook but chose not to post yet. When someone uploads a photo to Facebook but the post doesn’t complete (because they lost service, for example), Facebook stores a copy for three days so they can finish the post later.

Facebook says the only apps affected by the bug are those it had previously approved to access the photos API, and which people had authorized to access their images. That said, the flaw may have affected up to 1,500 apps built by 876 developers, the company says in a blog post.

The social network is notifying potentially affected users with a Facebook alert, which will direct them to the Help Center where they can see if they’ve used affected apps. It suggests users log into apps with which they’ve shared Facebook photos, and check which images they shared.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/facebook-photo-api-bug-exposed-68m-user-photos/d/d-id/1333501?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Lax Controls Leave Fortune 500 Overexposed On the Net

The largest companies in the world have an average of 500 servers and devices accessible from the Internet – and many leave thousands of systems open to attack.

Large companies are leaving easy-to-exploit systems exposed on the public Internet, raising the risk of a serious future compromise, according to data from two cybersecurity firms. 

Rapid7 found that the average Fortune 500 firm had approximately 500 servers and devices connected to the Internet, with five to 10 systems exposing Windows file-sharing or Telnet services. Fifteen out of the 21 industry sectors on which Rapid7 collected data had at least one member allowing public access to a Windows file-sharing service.

These simple-to-spot oversights suggest that companies do not have adequate control over which systems are connected to the public network, says Tod Beardsley, research director of Rapid7, which published a report last week on its findings.

“I would advise everyone, from the Fortune 500 on down, to be aware of what you are exposing to the Internet,” Beardsley says. “Any chance you have of taking something off the Internet—every device you take off the Internet is one less device for attackers to compromise.”

The report refutes the common wisdom that larger companies, with their greater resources and more skilled security teams, are better defended against cyberattacks than smaller firms. While it’s easy to assume that larger firms generally have more resources to allocate to cybersecurity, they also have many more devices connected to the Net, a sprawling infrastructure, and a greater attack surface area.

Both Rapid7’s report and an earlier report by security monitoring firm BitSight found that larger firms were likely to have self-inflicted holes in their defenses. 

“Bigger doesn’t always mean better,” says Jake Olcott, vice president of government affairs for BitSight. “Just because you are a large organization with lots of resources doesn’t necessarily mean that your security performance is better. In general, the larger the organization, the larger the attack surface.”

The reports show that companies need to focus on three main areas to button up their systems and eliminate the security issues for which attackers are constantly on the lookout.

Know Your Assets

Rapid7 had little trouble identifying the various systems and devices connected to the Internet. On average, Fortune 500 companies had 500 systems connected to the public network, a figure large companies should treat as the baseline for how many systems they expose. A significant fraction of technology, business-service and financial firms had thousands of exposed servers, Rapid7 found.

“When you are that far off of the norm, that tells me you have an asset management problem,” Beardsley says. “It tells me that those companies are just littered with vulnerable systems connected to the Internet.” 

At least one company in each of the aerospace defense, chemical, and retail industries had more than 20,000 systems accessible through the Internet, Rapid7 found.

Getting those assets under control is important. While many applications may warrant being connected to the Internet, the companies with greater than 1,000 connected systems are offering attackers a very enticing attack surface area.

Watch Outbound Traffic 

Both Rapid7 and BitSight regularly see traffic generated by compromised systems coming from Internet addresses assigned to large companies. Rapid7, for example, found that the healthcare, retail, and technology sectors all had a high incidence of malicious traffic coming from their networks.

In its 2017 report, How Secure Are America’s Largest Business Partners?, BitSight found that 15% of companies produced traffic suggesting a compromise by Conficker, malware that is almost a decade old. Other infections included Necurs, Bedep, and Zeus. “Many organizations are not aware of these issues inside their networks,” BitSight’s Olcott says. “The traffic is absolutely an indicator that there is something bad happening.”

It’s not clear from the traffic data whether companies are having trouble eradicating malware or if they just don’t know about a system harboring malicious code, he says.

“It could be a governance issue or a technology issue, or it might be an employee-training and awareness issue,” Olcott says. “The root cause — the challenge that these organizations have is it is very hard for them to get visibility into their environments.”

Eliminate Easy-to-Exploit Services

For modern companies, there is no reason to expose Windows file-sharing, Telnet, or file-transfer protocol (FTP) services to the public network. Yet at least a third of companies are hosting servers with one of those services available, according to BitSight data.

Exposing Windows file-sharing through the SMB protocol opens up companies to debilitating attacks such as WannaCry, NotPetya, and other ransomware. Companies in at least 15 of the 21 sectors monitored by Rapid7 have servers with Windows file-sharing available through the public network. And more than 48 of the Fortune 500 companies have Telnet exposed on the Net, the company says.

“If you can get rid of all of the Internet-facing Telnet and SMB, you are miles ahead of the rest of the Internet, and you will avoid contributing to the next WannaCry,” Rapid7’s Beardsley says.
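The three areas above (know your assets, watch the count, eliminate SMB/Telnet/FTP) reduce to a check a defender can run over an external asset inventory. The following is an added example, not code from the article or from Rapid7 or BitSight; the "host,port,service" export format and the sample rows are constructed, and the 500 and 1,000 thresholds are the figures the article reports.

```python
# Added example, not from the article or from Rapid7/BitSight: audit an
# external asset inventory for the services the article says have no place
# on the public Internet and rate the total exposure against its figures.
from collections import defaultdict

# Services the article calls out (ports are the standard ones).
RISKY_PORTS = {21: "FTP", 23: "Telnet", 139: "SMB", 445: "SMB"}

# From the article: ~500 exposed systems is the Fortune 500 average and
# more than 1,000 is called "a very enticing attack surface".
BASELINE_EXPOSED = 500
HIGH_EXPOSURE = 1000

# Constructed sample in a hypothetical "host,port,service" export format.
SAMPLE_INVENTORY = """\
203.0.113.10,443,https
203.0.113.11,445,microsoft-ds
203.0.113.12,23,telnet
203.0.113.13,21,ftp
203.0.113.14,443,https
"""

def parse_inventory(text):
    """Return {host: set_of_ports} from 'host,port,service' lines."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, _service = line.split(",", 2)
        hosts[host].add(int(port))
    return hosts

def audit_exposure(inventory_text):
    """List (host, port, service) for risky exposures and rate the count."""
    hosts = parse_inventory(inventory_text)
    findings = [(host, port, RISKY_PORTS[port])
                for host, ports in sorted(hosts.items())
                for port in sorted(ports & set(RISKY_PORTS))]
    exposed = len(hosts)
    if exposed > HIGH_EXPOSURE:
        rating = "high"
    elif exposed > BASELINE_EXPOSED:
        rating = "above-baseline"
    else:
        rating = "within-baseline"
    return {"exposed_hosts": exposed, "rating": rating, "findings": findings}

if __name__ == "__main__":
    for host, port, svc in audit_exposure(SAMPLE_INVENTORY)["findings"]:
        print(f"{host}:{port} exposes {svc}")
```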


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/perimeter/lax-controls-leave-fortune-500-overexposed-on-the-net/d/d-id/1333497?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Fake face fools fones

Forbes has added to the ever-growing pantheon of ways to trick biometrics by printing a 3D head and using it to break into Android phones.

We’ve long known how easy it is to spoof static authentication by holding up a 2D picture to a camera, as Google found out after filing a patent to let users unlock their phones by, say, sticking out your tongue or wiggling your eyebrows…

…or, in the case of fingerprints, by making a dummy fingerprint out of wood glue or a 2D inkjet printout.

Google went ahead and filed a patent for “Liveness Checks,” but researchers using the most basic of photo editing tools managed to fool it with just a few minutes of editing and animating photos to make them look like subjects were fluttering their eyelashes.

Similarly, researchers at one point came up with a way to mimic the swipey touch gestures we use to get into our phones. They did it by whipping up a Lego robot and equipping it with a finger sculpted from Play-Doh.

Like these previous methods of bypassing biometrics, Forbes’ head approach is rather, shall we say, crafty. Hell, it’s downright makerspace-intensive, given that you need access to a studio equipped with 50 cameras, a 3D printer, and a boatload of gypsum.

The point was to see how easy it is to break into four of the hottest handsets running Android and iOS with a 3D-printed head. The upshot: the gypsum head tricked all of the Androids. Apple’s phone, however, wasn’t fooled.

The models that Forbes managed to trick, given just the right lighting, a software-enhanced version of Thomas Brewster’s nose that had fallen off/been left behind during the photo capture, and various levels of fast face scan (not so secure) vs. slow face scan (better), were the LG G7 ThinQ, a Samsung S9, a Samsung Note 8 and a OnePlus 6.

The only one that gypsum-head couldn’t fool: The iPhone X.

So, to recap: All you have to do is to lure a target into a studio where 50 cameras will photograph their head simultaneously, and then wait several days for the fake head to be produced! And then you can break into some, but not all phones! Unless they also have a PIN!

OK, exactly how pie in the sky is this? Should (Android) phone owners really worry about thieving hackers sneaking up on them and dragging them into their well-equipped photo studio lair?

Well, you have to ask yourself this: Who has the resources and motivation to set up a 50-camera photo studio, the ability to cajole or compel a phone owner to enter it and STOP FIDGETING, FOR PETE’S SAKE, and the leisure time to wait a few days until a 3D-printed, hand-tinted, gypsum-powder head is ready to use to break into a phone (with the proper lighting level, that is) that’s already in their possession?

Forget thieves. I’m thinking technology-enthusiastic law enforcement. The 3D head is a steal at the cost.

Think about the San Bernardino shooters’ phone and how the FBI dragged Apple to court over encryption on their iPhone, with the whole thing being rendered moot when the bureau figured out how to get to data on the shooters’ phone, with technology from an undisclosed vendor that cost nearly $1m.

Even technology from Apple handset-unlocker Grayshift starts at a cool $15,000, and that’s just for the online, 300-use version. Heck, at the cost of £300 (USD $379), a gypsum head is a steal!

Actually, it would be far preferable for law enforcement to rig up studios and 3D printers to churn out gypsum heads by the truckload, rather than dragging technology companies into court over prosecutors’ fervent desire to break encryption with backdoors.

At the end of the day, we as phone owners can simply avoid the whole, esoteric gypsum-head-phobia security worry by choosing to forego face authentication. Instead, we can choose a PIN. Not only are they tougher to crack, they also tend to fall under Fifth Amendment protection against self-incrimination.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qpSeNgIQKhY/