STE WILLIAMS

What the #!/%* is that rogue Raspberry Pi doing plugged into my company’s server room, sysadmin despairs

It’s every sysadmin’s worst nightmare: discovering that someone has planted a device in your network, among all your servers, and you have no idea where it came from nor what it does. What do you do?

Well, one IT manager at a college in Austria decided the best bet was to get on Reddit and see what the tech hive mind could figure out.

User geek_at posted pictures of the alleged suspicious gizmo over the weekend, and the sysadmin subreddit has been providing its particular brand of priceless expertise mixed with uninformed idiocy ever since.

“Rogue Raspberry Pi found in network closet. Need your help to find out what it does,” geek_at claimed along with a few pictures of the device – a Raspberry Pi with an unidentified USB dongle stuck into it.

The post included some intriguing details: the network closet it was found in is always locked, requires a key, and very few people have the keys. The Linux-powered Pi was trying to connect to a nearby wireless network. It included Docker containers that were updated every 10 hours. And it connected via a VPN to the Balena platform – which is typically used for managing large internet-of-things deployments.

In short, it looked a lot like someone had installed a sophisticated network-bugging device, and was sending whatever it gathered to somewhere outside the facility, presumably via the VPN. Copies of the Pi’s file system were taken and uploaded, though no obvious smoking gun was immediately apparent.

The big question was: why? And why hadn’t it been more effectively disguised – attaching a loose Raspberry Pi to a rack-mounted switch is bound to attract attention eventually. It wasn’t even dressed up in a little box with a “Production DNS” label on it, which would have scared off most techies from poking around it too much.

Asked which industry they worked in – and so the likelihood of it being industrial espionage – geek_at revealed that they were the IT manager at a college with around 1,000 people, so the data flowing through the systems was, in that sense, of “no value.”

Testing, testing, one, two, one, two

Various Redditors’ first conclusion was that the techie had stumbled on an independent penetration test ordered by management to check the security of its systems, though that explanation fell away after geek_at approached management to reveal the device.

The first breakthrough came when a Reddit poster ID’ed the USB dongle as a pretty powerful IoT device that contains both Bluetooth and Wi-Fi functionality. The nRF52832-MDK costs around $30. The Bluetooth functionality could mean a number of different things, posters mused: it could be connecting to other devices, such as keyboards, and logging their activity; it could be used by someone walking close by to download data from the device, and so on.

“Wireless key logger?” suggested another poster. “Someone could have an inline key logger that dumps data to this box over Bluetooth, then this box ships it out on port 443. Bluetooth is low range, I would check all the PCs within 50 feet for a key logger.”


Another user who claims to be a professional penetration tester concurred: “Completely agree. I did something similar to this in a Pen test my company was hired to do. Managed to do it to the CEO and CFO; went weeks before anyone spotted it. Lots of juicy information was given out to me thru this. Fortunately it went to me and not the bad guy.”

Intriguingly, geek_at revealed in a subsequent update that the switch room is “only feet away from secretary/CEO office” and that a program he had identified as running on the device was called – yep – “logger.” That could be a key or network activity logger, of course.

Intrigue then turned to who had managed to get into the room: only geek_at, their boss, and the cleaning staff had access. At which point, the “other Reddit” – the one that tried to identify bombers at the Boston Marathon in 2013 and did a dangerously terrible job of it – kicked in.

Out came the instant experts: it was the cleaners! Suddenly a vast global conspiracy started brewing: a Jason Bourne character dressed as a cleaner sneaking in to do… who knows what? Nuclear war maybe? Certainly an assassination of some kind.

Here we go

“This is a serious problem,” railed one user who is a walking advert for the expression “a little knowledge is a dangerous thing.” Filled with visions, they continued: “Who had the access and/or authority to put anything in your rack? If you aren’t king of the hill, you need to be going to the top on this one.”

Great advice. But wait there’s more: “Lock it the hell down! Secure the door to your rack, change the lock IMMEDIATELY. No entry allowed. I’d also consider putting a dummy device in place and see who comes to try to retrieve it. Take total control of that server room, no one in without you standing over their shoulder.”

America! Fuck yeah! “You need to be informing the FBI,” the clearly very experienced poster noted.

Being based in Austria, calling the FBI wasn’t something that geek_at felt was going to be terribly useful, however. But on it went, the eternal online battle between people who know what they’re talking about, and those who believe they do.

Despite numerous treatises urging him to put the college into full lockdown and call the cops – who presumably would turn up within minutes in tinted black trucks bellowing information-laden instructions to one another – geek_at instead took the issue to the higher-ups with what he had.

And what’s the latest? It turns out that there was someone else who was able to get into the room: a former employee who “still has a key because of some deal with management,” geek_at informed Redditors.

It also turns out that the IT bod was able to identify the username of that former employee – and he had been seen attempting to log into the system just a few minutes before the device was spotted poking the organization’s DNS server.

So what we have is a former employee who for some reason had access to a secure server room in the heart of the organization, without the IT manager being informed, and who installed a fairly sophisticated bit of kit seemingly designed to sniff wired and nearby wireless network traffic and/or connect to and log Bluetooth devices, such as keyboards, and fire all the gathered intelligence back to base via a VPN.

“Still no idea what it actually does,” explained geek_at in their latest update. And so we’ve contacted the netizen to see what the latest is, but the lesson appears to be – gasp! – don’t give old employees access to your server room.

And, possibly, maybe, on occasion, that Reddit can actually be useful. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/20/rogue_raspberry_pi_reddit/

Black Hat Europe: Stock Up On New Security Tools and Training

If you work in cybersecurity it’s important to stay abreast of the latest tools and techniques, and there’s no better place to do that than Black Hat Europe in London next month.

As the year winds down around us, now is a good time to be planning ahead for a fruitful new year. If you work in cybersecurity that means keeping abreast of the latest tools and techniques, and there’s no better place to do that than Black Hat Europe in London next month.

For example, MongoDB’s Keeping Secrets: Emerging Practice in Database Encryption Briefing promises an hour dedicated to reviewing the latest advances and breaks in database encryption techniques, including searchable encryption, multi-party authorization, and attribute based access. Expect a deep dive into database encryption threat models and the realities of production ops, including emerging methods around data in-use and blind administrator models.

If you want something of an inside look at how Black Hat’s network works, check out the Decisions and Revisions – The Ever Evolving Face of the Black Hat NOC Briefing from RSA and Red Sky Solutions. It’s your chance to get up close and personal with the Black Hat NOC, as you’ll learn how (and why) equipment and services are deployed on the Black Hat network. You’ll also get insight into the changes made when deploying and securing a network in the U.S., Europe, and Asia, alongside lots of interesting stories and stats! It’s a full debrief of the activity seen this year, what has changed since past shows, and what that means for the industry as whole.

When it comes to threat modeling there can be a gap between academic knowledge and the real world, so it’s important to study real-world examples if you want to keep sharp. In Toreon’s two-day Advanced Whiteboard Hacking Aka Hands-On Threat Modeling you’ll get practical threat modeling scenarios based on real projects, a robust training experience, and the templates to incorporate threat modeling best practices into your daily work.

Make time for Not So Secure’s Web Hacking – Black Belt Edition Training if you want to spend two days learning the latest web hacking techniques. You’ll practice some neat, new and ridiculous hacks which affected real products, some of which were bagged in bug bounty programs. The vulnerabilities selected for the class typically either go undetected by modern scanners or rely on overlooked exploits, so it’s a great place to learn something new!

You’ll find a slew of new tools to check out at the Black Hat Europe Arsenal, including Astra: Automated Security Testing For REST APIs. Built to help developers and security engineers detect and patch vulnerabilities in the initial phase of the development cycle, Astra can automatically detect and test login/logout (Authentication API) flows, which makes it easy for anyone to integrate it into a CI/CD pipeline. Astra can also take an API collection as input, making it a great tool for testing APIs in standalone mode.

You might also enjoy an Arsenal demo of SCAVENGER: A Post-Exploitation Scanning/Mapping Tool, which can help you by mapping systems and finding “interesting” and most frequently used files, folders and services. Once credentials are gained, it can scan remote systems (Linux, Windows and OSX) via services like SMB and SSH to scrape that system looking for “interesting” things and then cache the result. This gives you the ability to find the “interesting” and most frequently used files on that system – password files being accessed by an administrator, for example, or heavily used credit card database files. Don’t miss it!

Black Hat Europe returns to the ExCeL in London December 3-6, 2018. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/black-hat-europe-stock-up-on-new-security-tools-and-training/d/d-id/1333310?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Consumers Are Forgiving After a Data Breach, but Companies Need To Respond Well

A solid response and reputation management program will go a long way in surviving a major breach.

After a major data breach, consumers are willing to forgive, but companies can only regain their trust if they are serious, communicate well, and implement real changes, say industry experts who focus on incident response and reputation management.

According to Chris Morris, principal of the Advisory Financial Services Cybersecurity Privacy Practice at PwC US, although no one action will win back every customer, some measures are more likely to resonate. These include compensation for victims, a detailed explanation of what happened, and a clear description of the privacy policies in place.

“Consumers want businesses to be responsive, transparent, and take steps to ensure a breach does not happen again,” Morris says.

In PwC’s “Digital Trust Insights” survey, only about half of midsize and large businesses in important vertical sectors say they are building resilience to cyberattacks and other disruptive events to a large extent, Morris adds. And fewer than half say they are very comfortable their companies have adequately tested their resistance to cyberattacks.

As for reputation management, Morris views it as an important component of effective crisis management. For companies to emerge stronger from crisis, he says, they must take the following five steps:

  • Ground responses in the facts.
  • Establish governance and effective coordination via a cross-functional core team that combines PR/communications, legal, and key operational response functions.
  • Understand constituents and stakeholders, respond authentically, and know they will need to monitor each stakeholder for sentiment and may require a different engagement approach.
  • Dedicate energy during the crisis to “look around the corner” for both additional risks and opportunities.
  • Take action on what was learned.

Help on the Way
Some important help may be on the way for companies looking to step up their reputation management game.

Mark Goldman, strategic adviser of Atlanta-based Group Salus, says the company will be testing its new reputation management platform with beta customers during the first quarter of 2019.

The Salus platform, he says, will walk company executives through the five steps of response: assess, audit, plan, implement, and monitor.

“The assessment is not a pen test. It’s more of a look if you have the lines of communication open with all the stakeholders,” Goldman explains. “We provide a template that people can walk through to audit their documents, develop a plan, and implement a plan for handling the media with the proper messaging. The platform will help companies decide who will say what and who will be authorized to speak to the press.”

Pending successful beta tests, Salus should be readily available by the middle of 2019, he adds.


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/operations/consumers-are-forgiving-after-a-data-breach-but-companies-need-to-respond-well/d/d-id/1333318?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cybersecurity at the Core

For too long, cybersecurity has been looked at as one team’s responsibility. If we maintain that mentality, we will fail.

Leaders around the globe are not naive regarding the impact cyberattacks have on a business. From affecting the bottom line to losing your customers’ trust, recovering from a cyberattack isn’t easy. When an organization succumbs to an attack, nearly every business unit is affected, costing the business, on average, $3.86 million. While most CSOs and CISOs want to be the ones to prevent and fix this, they must realize they can’t take this on alone. There is a strong argument to be made that cybersecurity needs to go beyond the CSOs, CISOs, and their teams. Security needs to be a companywide effort and embraced as part of the company’s core culture.

Most have heard the saying “Culture eats strategy for breakfast,” and CISOs around the world know how true it is. The adage carries over to the security world in a basic way. Any security strategy or plan you’re trying to implement will be held back by the people you depend on if the culture does not support it.

Today, many companies are struggling to embrace a culture of security. Only 5% of organizations believe that no gap exists between their current cybersecurity culture and their desired cybersecurity culture, according to a recent survey put out by ISACA. This means that a whopping 95% of organizations see a disconnect between the culture they have and the culture they want. So, what can businesses do?

Accept That Your Security Team Can’t Do It Alone
One of the challenges in cybersecurity is that most organizations take the approach of having one security team and thinking that one team can address all cybersecurity threats and needs. In reality, cybersecurity goes far beyond just the security team. Products and corporate assets are never “owned” by the cybersecurity team, and those who do own them likely have very different objectives than the security team.

Security needs to become something that all departments think about. That doesn’t mean sales or engineers need to become technical experts in security, but they do need to start bridging the gap by asking questions, understanding the risks, and knowing how they fit into the solution. In fact, that is what must happen if we want to succeed.

Establish Relationships with Different Business Units
Security leaders will always be the biggest cheerleaders for cybersecurity, but when other departments openly embrace it, their teams will follow. Security teams must enlist the support of departments including human resources, communications, marketing, product development, legal, and more. While not all will sign on, most reasonable leaders will recognize how doing so helps the company achieve its objectives.

Spend time talking to the different department leaders to find where your interests align and how you can work together for mutual benefit. For example, product quality and security are often viewed and measured as two different elements owned by two separate departments. However, customers don’t see it that way. If a product is high in quality but lacks security, it ultimately isn’t a high-quality product.

Likewise, customer privacy can’t exist without security, and a sales team that can’t speak to the security of its products can’t understand and help manage customer risk. Businesses need to start making those types of connections, and it will happen more naturally when cybersecurity is ingrained in the culture.

Get Buy-in from the C-Suite
Studies show that top executives and boards of directors see cybersecurity as a top issue facing companies. The question is: Are leaders taking action or expecting their CISO to fix the problem? We’ve found the answer requires both. In another role, we were able to get the C-suite to establish security goals as part of their annual objectives. These goals were ones that the C-suite, not just the CISOs, were measured against. That was a successful cultural change.

It’s time that we recognize security for what it is: a business and leadership concern. Executives must prioritize security in the same way they do all other business risks. They must recognize that not all the actions to address the risk will begin with the CISO. In fact, they are likely to find most do not. The CISO needs to develop the strategy, guide and advise throughout the process, provide measures, teach, and coach, but the CISO can help the most by accepting that they cannot be the one that does it all, regardless of the size of the team. Without leadership from the top, cybersecurity will remain siloed and viewed as a specialized technical issue rather than the cultural one it is.

For too long, cybersecurity has been looked at as one team’s responsibility. If we maintain that mentality, we will fail. Cybersecurity needs to be a part of the culture, and security needs to be at the core of the company, led by executives. It’s no longer good enough for the security department to be the last stop on a checklist of things to do; we need a team approach instead.


Troy Mattern is the Vice President for Product and Services Cybersecurity at Motorola Solutions. Having joined Motorola Solutions in June 2017, he leads all policy, strategy, and prioritization for cybersecurity efforts pertaining to Motorola Solutions Products and Services. …

Article source: https://www.darkreading.com/careers-and-people/cybersecurity-at-the-core/a/d-id/1333284?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Report: Tens of Thousands of E-Commerce Sites at Heightened Security Risk

Report delivered at Payment Card Industry Security Standards Council meeting flags issues in deployments of Magento, a popular e-commerce platform.

Magento is a popular e-commerce platform, used by nearly 74,000 websites in North America alone. And according to new research, 79% of them are at heightened risk from cyber criminals.

Researchers at Foregenix analyzed more than 170,000 Magento websites and found that 90% of those using Magento 1 are at this heightened risk, while roughly 30% of those with Magento 2 are at the elevated risk level.

The heightened risk comes from unpatched vulnerabilities, including the 2.3% of all Magento websites that have still not patched Magento Shoplift, a vulnerability that was disclosed, with a patch made available, in January 2015. Foregenix delivered the results of its research in October at the Payment Card Industry Security Standards Council European Community Meeting in London.

Andrew Henwood, Foregenix’s CEO, said in a prepared statement, “While the figures for North America are of great concern, they are roughly in line with our findings for many other regions such as Europe.” Later in the statement, he pointed out that regular patching, changing default settings on administration interfaces, and using stronger passwords with multi-factor authentication can dramatically reduce the exposure of online e-commerce platforms and applications.

For more, read here.

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/report-tens-of-thousands-of-e-commerce-sites-at-heightened-security-risk/d/d-id/1333319?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Enables Account Sign-In via Security Key

Account holders can use a FIDO2-compatible key or Windows Hello to authenticate sans username or password.

Starting today, Microsoft is giving users the option to sign in to their accounts using a standards-based FIDO2-compatible device, in addition to Windows Hello, on the Edge browser.

Microsoft, a member of the Fast Identity Online (FIDO) Alliance and the World Wide Web Consortium (W3C), has been teaming with other organizations to develop open standards for the next generation of authentication, explains Alex Simons, corporate vice president of program management for Microsoft’s Identity division, in a blog post on the news.

Simons’ post dives into a few more details on how Microsoft implemented the WebAuthn and FIDO2 CTAP2 specifications. FIDO2, unlike passwords, uses public/private key cryptography to safeguard credentials. The private key, which is stored on the device, can only be used when unlocked with a local gesture – for example, biometrics or a PIN. When the private key is stored, the public key is registered to the user’s account in the Microsoft cloud, he explains.

When someone later tries to access their account, the Microsoft account system sends a nonce to their PC or FIDO2 device. The device uses the private key to sign the nonce, and the signed nonce and metadata are sent back to the Microsoft system, which uses the public key to verify them.

“The signed metadata as specified by the WebAuthn and FIDO2 specs provides information, such as whether the user was present, and verifies the authentication through the local gesture,” Simons writes. “It’s these properties that make authentication with Windows Hello and FIDO2 devices not ‘phishable’ or easily stolen by malware.”

Depending on the device you’re using, it will have a hardware trusted platform module (TPM), otherwise known as a secure enclave, or a software TPM. You use your face, fingerprint, or PIN to unlock the TPM, which stores the private key. A FIDO2 device comes with its own built-in secure enclave, which stores the private key and also requires a biometric or PIN to unlock it.
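To make the nonce-signing flow concrete, here is an added example that is not from the article or from Microsoft’s implementation: a constructed relying party and a constructed software “authenticator” modelled on the WebAuthn assertion described above. The relying-party name, the flag layout and the JSON client data are simplified assumptions (real implementations use CBOR attestation objects, base64url encoding, signature counters and certificate chains); it needs only PHP with the openssl extension.

```php
<?php
// Added example (not from the article or Microsoft): a toy model of the
// WebAuthn/FIDO2 challenge-response flow. RP_ID is a constructed name.
const RP_ID = 'login.example.test';

// Registration: the authenticator creates a P-256 key pair (ES256 in FIDO2);
// the private key never leaves it, the relying party stores only the public key.
function authenticator_register(): array {
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_EC,
        'curve_name'       => 'prime256v1',
    ]);
    $publicPem = openssl_pkey_get_details($key)['key'];
    return ['private' => $key, 'public_pem' => $publicPem];
}

// Authentication step 1: the relying party issues a fresh random nonce.
function rp_issue_challenge(): string {
    return random_bytes(32);
}

// Authentication step 2: the authenticator signs authData || SHA-256(clientData).
// UP (0x01) and UV (0x04) are the "user present" / "user verified" flag bits;
// a real device sets them only after the local gesture (PIN, biometric).
function authenticator_sign($privateKey, string $challenge, bool $userPresent, bool $userVerified): array {
    $flags = ($userPresent ? 0x01 : 0) | ($userVerified ? 0x04 : 0);
    // authData = rpIdHash (32 bytes) | flags (1 byte) | signature counter (4 bytes)
    $authData = hash('sha256', RP_ID, true) . chr($flags) . pack('N', 1);
    $clientData = json_encode([
        'type'      => 'webauthn.get',
        'challenge' => base64_encode($challenge),
        'origin'    => 'https://' . RP_ID,
    ]);
    openssl_sign($authData . hash('sha256', $clientData, true), $signature, $privateKey, OPENSSL_ALGO_SHA256);
    return ['authData' => $authData, 'clientData' => $clientData, 'signature' => $signature];
}

// Authentication step 3: the relying party checks the challenge (replay),
// the origin (phishing site), the rpIdHash, the presence flag and the signature.
function rp_verify(string $publicPem, string $expectedChallenge, array $assertion): bool {
    $client = json_decode($assertion['clientData'], true);
    if (!is_array($client) || ($client['type'] ?? '') !== 'webauthn.get') {
        return false;
    }
    if (!hash_equals(base64_encode($expectedChallenge), (string)($client['challenge'] ?? ''))) {
        return false; // nonce mismatch: a captured assertion cannot be replayed
    }
    if (($client['origin'] ?? '') !== 'https://' . RP_ID) {
        return false; // signed for another origin: a look-alike site cannot reuse it
    }
    $authData = $assertion['authData'];
    if (strlen($authData) < 37 || !hash_equals(hash('sha256', RP_ID, true), substr($authData, 0, 32))) {
        return false;
    }
    if ((ord($authData[32]) & 0x01) === 0) {
        return false; // user presence was not attested
    }
    $publicKey = openssl_pkey_get_public($publicPem);
    $signed = $authData . hash('sha256', $assertion['clientData'], true);
    return openssl_verify($signed, $assertion['signature'], $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

function label(bool $ok): string { return $ok ? 'accepted' : 'rejected'; }

// Demo: a genuine assertion, a replayed one, and one from a different key.
$cred      = authenticator_register();
$challenge = rp_issue_challenge();
$assertion = authenticator_sign($cred['private'], $challenge, true, true);
echo 'genuine assertion:  ' . label(rp_verify($cred['public_pem'], $challenge, $assertion)) . PHP_EOL;
echo 'replayed assertion: ' . label(rp_verify($cred['public_pem'], rp_issue_challenge(), $assertion)) . PHP_EOL;
$other  = authenticator_register();
$forged = authenticator_sign($other['private'], $challenge, true, true);
echo 'wrong-key assertion: ' . label(rp_verify($cred['public_pem'], $challenge, $forged)) . PHP_EOL;
```

The three checks in rp_verify are what give the scheme the properties Simons describes: the nonce binds each signature to one login attempt, the origin binds it to the genuine site, and the signature binds it to a private key that only the unlocked device holds.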

To start using a hardware key for Microsoft login, first update your system to the Windows 10 October 2018 Update. Go to the Microsoft account page in the Edge browser and sign in as normal. Select Security > More security options, and under “Windows Hello and security keys” you’ll find instructions for setup. The next time you sign in, you can click More options > Use a security key, or enter your username to get a prompt for security key sign-in.

If you’re still in the market for a security key, Microsoft has partnered with Feitian Technologies and Yubico, both of which support the FIDO2 standard and sell them.

This marks Microsoft’s latest push toward passwordless authentication. At its Ignite 2018 event earlier this year, the company announced that users could authenticate without a password via Azure Active Directory (AD). It already let AD-connected apps authenticate via Microsoft Authenticator, an app released in 2016 to combine passwords with one-time codes for two-step verification.

Rob Lefferts, Microsoft’s corporate vice president of security, said at the time that moving Azure AD applications to passwordless authentication marked “a critical milestone” for both businesses and employees targeted with increasingly subtle phishing attacks. Most people don’t have strong passwords, he said, and multifactor authentication is becoming mainstream.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/microsoft-enables-account-sign-in-via-security-key/d/d-id/1333321?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Instagram accidentally reveals plaintext passwords in URLs

In April, with the GDPR deadline and its requirement for data portability looming, Instagram released the long-anticipated download your data tool. The feature gave users the ability to download images, posts and comments.

Unfortunately, Instagram turned the task of downloading your data into an exercise in exposing people’s passwords in plain text. Thankfully, the bug in the “download your data” tool only affected a handful of users, it said.

As The Information reported last week, Instagram told affected users on Thursday night that if they’d used the “download your data” feature, their passwords were showing up in plaintext in the URL of their browsers.

That might not be a big deal to a user at home on an unshared computer, but as Facebook, which owns Instagram, said in the notice to users, it means that anybody who used the tool on a public computer – say, in a library – had their password exposed in the URL: an unfortunate gift to any shoulder surfers who may have been around.

It also means that Instagram passwords were stored on Facebook servers, the user notice said, and that means in plaintext, not encrypted.

Facebook didn’t say whether anybody’s Instagram account was compromised because of the error. The Information quoted an Instagram spokesperson who said that the issue was…

…discovered internally and affected a very small number of people.

Sophos’s own Chester Wisniewski, principal research scientist, told The Information that this never would have happened if Instagram was doing encryption right. For the Facebook-owned Instagram to be able to trip up and post plaintext passwords in URLs, that means that somewhere inside of Instagram, users’ passwords are bouncing around in plain text. That’s not good as far as industry best practices go, Chester says:

This is very concerning for other security practices inside of Instagram because that literally should not be possible. If that’s happening, then there are likely much bigger problems than that.

We’ve already seen bigger, recent problems

Bigger problems, indeed. We don’t know what Facebook/Instagram’s definition of “small” is when it comes to this breach, but we do know that Facebook’s security practices led to a massive breach in September, with what would eventually turn out to be around 30 million accounts affected and another 40 million reset as a “precautionary step.”

Attackers exploited a vulnerability in Facebook’s “View As” feature to steal access tokens, which are the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app. At least in the early days following the attack, Facebook said it looked like the hole was opened when developers made a change to the video uploading feature way back in July 2017. The attackers then stole an access token for one account, and then used that account to pivot to others and steal more tokens.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bwLt_XOShJE/

Update now! Dangerous AMP for WordPress plugin fixed

If you’re one of the 100,000+ users of AMP for WP, good news – the popular plugin for implementing Accelerated Mobile Pages returned to WordPress.org last week.

AMP is a Google technology through which users of publishing partners such as WordPress can create pages that will load faster on mobile devices. Doing that requires a plugin, which is where AMP for WP comes in.

The plugin’s hiatus, which began when it abruptly disappeared on 21 October, was starting to look a little unusual.

According to a note from the developer, the reason for the disappearance was an ominous-sounding security flaw that “could be exploited by non-admins of the site.”

It also said that existing users could continue using the plugin in the meantime, which wouldn’t have sounded terribly reassuring to anyone using it in its vulnerable state as the days turned into weeks.

We’ve got a report from WordPress that they found a security vulnerability in our plugin which could be exploited by non-admins of the site, so to prevent the exploitation they temporarily withdrew our plugin from further download. But the existing users will be able to use the plugin like always.

The day after AMP for WP reappeared on WordPress.org on 14 November, WebARX, the company that discovered the security problems, finally explained the weakness.

Wrote researcher Luka Šikić:

In WordPress plugin development, you have the ability to register ajax hooks which allows you to call functions directly on wp-admin/admin-ajax.php?action=action_name.

Except this hook didn’t check a user’s account role, which meant:

Under plugin settings, admins can place ads, add custom HTML in header or footer and since there is no user role validation, any user could inject their ads, mining scripts or javascript malware.

In other words, a sneaky elevation of privileges that would be impossible to detect until the damage had been done.
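To show what “no user role validation” on an ajax hook looks like beside the fix, here is an added example that is not code from AMP for WP, WebARX or WordPress itself: a small constructed plugin with a hypothetical settings handler that stores footer HTML. The hook names, option name and nonce action are assumptions, and it assumes it is loaded inside WordPress as a plugin.

```php
<?php
/*
Plugin Name: Ajax Capability Check Example (constructed)
Description: Added illustration of a missing role check on a wp_ajax_ hook and its hardened form.
*/

// VULNERABLE pattern (constructed): wp_ajax_* hooks fire for every logged-in
// role, so without a capability check any subscriber who can reach
// wp-admin/admin-ajax.php?action=example_save_footer_vulnerable can rewrite
// site-wide HTML that is rendered on every page.
add_action('wp_ajax_example_save_footer_vulnerable', function () {
    $html = isset($_POST['footer_html']) ? wp_unslash($_POST['footer_html']) : '';
    update_option('example_footer_html', $html);   // raw, unfiltered, from any role
    wp_send_json_success();
});

// HARDENED pattern: the same feature, gated three ways. There is deliberately no
// wp_ajax_nopriv_ registration, so unauthenticated visitors cannot call it at all.
add_action('wp_ajax_example_save_footer', function () {
    // 1. Anti-CSRF nonce, issued to the settings page with wp_create_nonce('example_save_footer').
    check_ajax_referer('example_save_footer', 'nonce');

    // 2. Capability check: only users who may manage site options can change site-wide HTML.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'insufficient privileges'], 403);
    }

    // 3. Content filtering: only holders of unfiltered_html may store script tags;
    //    everyone else gets the post-safe subset via wp_kses_post().
    $html = isset($_POST['footer_html']) ? wp_unslash($_POST['footer_html']) : '';
    if (!current_user_can('unfiltered_html')) {
        $html = wp_kses_post($html);
    }
    update_option('example_footer_html', $html);
    wp_send_json_success();
});

// Rendering site: whatever was stored lands on every page, which is why the
// save path above must be restricted to trusted roles.
add_action('wp_footer', function () {
    echo get_option('example_footer_html', '');
});
```

When auditing a plugin for this class of flaw, look at every add_action('wp_ajax_…') and add_action('wp_ajax_nopriv_…') registration and confirm that the callback checks a capability before it writes options, and that a nonce is verified before the capability check is trusted.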

What to do

The patched version of AMP for WP is 0.9.97.20 (see full changelog) so applying this should be the first priority. If a site allows open user registration, applying this update becomes a critical issue.

You can check if you have the Accelerated Mobile Pages plugin by logging in to WordPress and choosing Plugins from the menu. If any plugins need updating they will appear orange in the list of plugins, and if you have the latest version of AMP for WP it will appear blue, like this:

[Screenshot: the AMP for WP entry in the Plugins list]

A useful next step is to ask if your site needs user registration at all. Switching it off makes your site less prone to this class of vulnerability (see the recent WordPress GDPR plugin flaw for a related example of the same problem), and it’s easily done by unchecking the “Anyone can register” box under Settings > General (the Membership setting).

If you plan to leave registration turned on, simply be aware that it comes with additional risks.

As ever, we should always start by making life harder for attackers.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UszA8_fPHNs/

Patch Skype for Business now or risk DoS via emoji kittens!

For the second time in three years, there’s a vulnerability in Microsoft Skype that could get communications tangled up in bouncy little kitten emojis (or any other kind of animated emojis, for that matter).

SEC Consult reported last week that it had discovered that launching 100 animated emojis (the security firm chose to focus on kittens, because, we assume, KITTENS) at Skype for Business caused it to flutter, triggering a short lag in the application.

Throwing 800 animated emojis at the app turned the emoji marauders into the forces of darkness in a denial of service (DoS) attack, causing Skype to keel…

…well, for a few seconds, anyway. Even so, if your business depends on Skype to hold staff conferences, client calls or any other form of communication, you should hop on the patch installation. Microsoft issued a patch for the vulnerability – CVE-2018-8546 – which affects Office 365 ProPlus, Microsoft Office, Microsoft Lync, and Skype.

It’s a good idea to install that patch. You don’t want some jerk – like, say, a disgruntled ex-employee – to lob gobs of nonstop kittens at your operation. If such a jerk were to keep it up, a business would be up a creek without a paddle, says SEC Consult:

When receiving about 800 kittens at once, your Skype for Business client will stop responding for a few seconds. If a sender continues sending emojis your Skype for Business client will not be usable until the attack ends.

This has happened before: in 2015, Skype for Business had the same kind of emoji-overload vulnerability. As SEC Consult put it, multiple animated emoticons would “cause a client’s CPU usage to go through the roof.”

The fix for the 2015 vulnerability was simple: close the conversation windows, since CPU usage stayed pegged for as long as they were open. Once they’d been closed, users could turn off emoticon animation in the Options dialog.

This time around, Microsoft didn’t identify any workarounds or mitigating factors. Could be that it wasn’t worth the effort: Microsoft corrected the manner in which Skype for Business handles emojis and got the patch out lickety-split.

Who’s affected

SEC Consult published a proof of concept you can use to check whether or not your client freezes upon receiving a dumpster truck’s worth of emojis. Then again, you could just check whether your client is:

  • Skype for Business 2016 MSO (16.0.93).64-Bit or before, or
  • Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013 or before, and
  • Running on Windows.

It might not seem like a terribly risky vulnerability or a particularly important patch, but most businesses that rely on Skype for Business or Lync are either small (41%) or medium-sized (19%), and those are precisely the organisations least able to absorb an outage.

Installing patches isn’t a trivial task. But neither is dealing with a DoS attack that hits a sales team, SEC points out: do small organizations with limited security and IT staff really need that kind of panic attack?

If you are responsible for the IT and/or security in your company, constant patch management is key. How much would it cost you if your sales team fell victim of a Denial of Service attack? How long would it take your IT department to put an end to it (if they are able to do so without compromising your productivity)? You’ll do the math.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/B76jjsU9Q4k/

Every day is Black Friday

What will you be doing this Black Friday?

Me? I’m super excited, I’ll be… It’ll be great because…

…oh I can’t lie. Like a lot of people who work in IT I’ll be hiding under my desk, waiting for it all to pass and trying to fend off all the adverts, emails and messages with special offers, tips and things I can’t afford to miss out on from anyone I’ve ever brushed past who has a sales forecast to hit. For me, it’s just another Friday.

For the uninitiated, Black Friday is the Annual Festival of Buying Things that falls on the busiest shopping day of the year in the USA: the day after Thanksgiving.

The term was originally derisive, referring to the general unpleasantness of all the crowds and traffic. That was turned on its head a few years ago by some shops who were concerned that the name (earned, let’s not forget, on the back of the day’s unparalleled popularity with shoppers) might be putting off shoppers.

So the name was rebranded to mean the day shops “go into the black” and start making a profit for the year. Because nothing says “let’s go shopping” like a technocratic accounting trick, amiright?

As if that wasn’t bad enough, Black Friday doesn’t stop on Friday, because it has a jealous franken‑twin: Cyber Monday.

Cyber Monday was assembled from discarded bits of Black Friday by a mad scientist who had an online retail portal and was jealous of all the attention Black Friday was getting. Probably.

To ensure that shoppers get stuck on their fly paper instead of somebody else’s, retailers attempt to lure in consumers with the sweet, sweet scent of deals, deals, deals!

There are deals in windows and on TV; deals on the web; deals on Instagram, Twitter and Facebook, deals via SMS, WhatsApp and Messenger; and deals in email.

That’s great if you’re into being harassed about great deals, it’s a reason to go and hide in a tree if you’re like me, and it’s Christmas come early if you’re a scammer.

With companies fighting for your attention, scammers have plenty of camouflage for their phishing emails and fake sites. They can dress them any which way, whether it’s fake offers that really are too good to be true, or any number of excuses for drumming up a bit of false urgency and demanding a login (Check your order! Verify your account! Register now!)

So, alongside the deals, deals, deals that go with Black Friday and Cyber Monday, there’s no shortage of people telling you what you should be doing differently to protect yourself from cyber thieves at this time of year.

But here’s the thing – scammers do all of these things and more, all the time. They never sleep and they never stop, because we never stop spending, looking for bargains, reading messages, opening attachments and clicking on links.

Scammers will do whatever works, and they don’t stop trying to dupe you or take their foot off the gas just because it’s the day after Cyber Monday.

So, while it’s tempting to tell you to do things differently on Black Friday, there’s no reason you should. Even if you’re planning to join me and hide in a tree for four days, the scammers will still be there when you come down.

Cybersecurity is 24/7, every single day of the year, because so is cybercrime.

There are no precautions you should take on Black Friday and Cyber Monday that you shouldn’t also be taking on Shrove Tuesday, dress down Friday, any given Sunday, National Cookie Day, March Madness, Black History Month, the second fiscal quarter, the lunar phase cycle or at any other time.

Want to protect yourself? Then make every day Black Friday and follow these simple tips, all day, every day:

  • Use a web filter. Web filters, like the one included in Sophos Home, stop you from browsing to websites that are known to be used for scams, phishing or spreading malware.
  • Use a password manager. Password managers create, remember and enter passwords for you, and they won’t enter your password into a phishing site, no matter how convincing it looks.
  • If it looks too good to be true, it is. Scams make wild claims and use familiar brands or friends and family to make them seem trustworthy. Stay alert, and if something seems off, it probably is.
  • Check your bank statements regularly. You can reduce the chance that you’ll become the victim of a scam but you can’t eliminate it, so make a habit of checking your bank statements regularly.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5n15TwchBUE/