STE WILLIAMS

Thanks to John Shier for his help with this article.

Think of the big security stories of recent months.

Security holes like F**CKWIT and KRACK; a plethora of ransomware attacks ending in extortion; data breaches that were big, bigger or biggest…

…there are plenty of candidates for the story that got the most attention.

In contrast, phishing attacks rarely make the news these days, even though (or perhaps precisely because) there are so many of them.

Somehow, phishing seems to have turned into an “obvious” problem that everyone is expected to have experienced, learned from, got the better of, and moved on.

But phishing is still big business for cybercriminals: in the last week alone, for example, SophosLabs intercepted phishing attacks that abused the brands of many financial institutions.

Organisations that had their brands hijacked in this way in the past few days include: eBay, PayPal, VISA, American Express, Bank of America, Chase, HSBC, National Australia Bank – and that’s just a random subset of the list, in one industry sector.

Protecting your brand against abuse by phishers is, sadly, as good as impossible, especially if your brand is well-known and widely advertised.

Every time you send out an email of your own, or publish a blog article, or pen a PR statement, or put a logo on your website, you provide raw material for cybercrooks to copy-and-paste to produce simulacrums of their own.

Ironically, the less original and inventive they try to be, the more legitimate they’ll look, and the less likely they’ll be to introduce spelling, grammar and visual mistakes that clue you in to the deception.

Most phishing attacks are angling for something you know but are supposed to keep to yourself, such as:

• Usernames and passwords for existing accounts. With login credentials, the crooks can login themselves and take over.
• Credit card numbers, expiry dates and CVV codes. Crooks can use these to spend your money on themselves, or sell the data on to someone else.
• Personal information that you wouldn’t usually give out. Crooks can sell this on, or use it to open new accounts or take loans in your name.

Netflix brand hijack

Last week, a phishing campaign that hijacked the Netflix brand made big news.

Even if you back yourself to spot phishes from a mile away, it’s still worth reminding yourself from time to time what would go wrong if you were to make a mistake and click through.

So, we thought this one would be worth a quick “guided tour”, because the phish goes after all of the targets listed above: it tries to trick you into handing over your login details, your credit card data, your mugshot and your ID.

We’ve seen other people reporting different starting points for this phish, but here’s what we received to draw us in:

Note the simple trick, right there in the subject line, of not spelling out the brand-theft text “Netflix” exactly: the crooks wrote the X as the Greek letter chi, so that Netflix came out as Netfli𝛘.

Remember: never click login links or “update your account” links directly in emails, because you can’t easily tell where they lead.

Keep your own record of where your favourite login pages are, and find your own way to them, precisely to avoid tricks like what comes next:

Note that this fake website has an HTTPS padlock, which is a convincing start.

But a padlock doesn’t mean you can automatically trust a site.

In this case, the crooks hacked into a site that already had a valid HTTPS certificate, and then uploaded their phishing pages so they’d show up with an air of believability.

One one hand, the hacked site is “secure”, because it really does belong to the company that is named in the certificate; on the other hand, it’s not secure at all, because it’s serving up unauthorised content:

Having already handed over your username and password, the crooks also want your card details:

The crooks have added a grammatically incorrect sentence of their own at the top of the page that should tip you off, along with the incorrect URL:

You need to confirm your informations to be able to fix this problem and access to your account Netflix.

Ironically, the crooks didn’t need this sentence and could easily have left it out – so be sure to take advantage of anything that doesn’t look right, and treat it as a phishing warning sign.

Next, there’s a fake Verified by VISA page that does nothing but repeat back to you what you already entered, but does so in a way that add a veneer of legimitacy, to try to keep you on the hook:

The crooks want to reassure you at this point, because they don’t want you to bail; they’re going for the triple play by asking for your mugshot and ID:

And, finally, you’re redirected to the real Netflix login page…

…where you should have gone in the first place, unaided by any “helpful” links in any email.

What to do?

• Never click on a login link or an account verification link in an email. If there is one, bail.
• Check for the HTTPS padlock. If there isn’t one, bail.
• But if there is a padlock, check the name of the site. If it’s not exactly what you expect, bail.
• Don’t ignore telltales such as spelling and grammar errors. If it looks wrong, bail.
• Guard your ID closely. If you’re asked for a selfie or ID when it isn’t absolutely necessary, bail.

Remember, if in doubt, DON’T GIVE IT OUT!

Follow @NakedSecurity
Follow @duckblog

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/acKrah5_50c/

A group of operating systems specialists believes sloppy benchmarking is harming security efforts, by making it hard to assess the likely performance impact of security countermeasures.

The researchers, a group of operating system specialists from the Netherlands and Australia, decided to take a look at the accuracy of security researchers’ systems benchmark. As they explain in this paper at arXiv, security papers are littered with so-called “benchmarking crimes”.

The Register spoke to Gernot Heiser, a long-time researcher in trustworthy systems at Australian research center Data61, a professor at the University of New South Wales and also co-founder of OK Labs, which developed one of the world’s first “provably secure” microkernels.

Heiser became interested in benchmarking because “I got annoyed by common deficiencies” in how security researchers validate system performance. His Dutch colleagues shared his irritation.

As Heiser explained to The Register, bad benchmarks are more than an irritant because for any security solution “you need to show two things – that the mechanism is effective, that it prevents certain classes of attacks; and that it’s useable, because it doesn’t impose an undue overhead.”

That makes “benchmark crimes” (a colourful rather than literal term) important, because they can make a promising fix unusable in the real world.

In their analysis of 50 papers published between 2010 and 2015 (in Usenix Security, as well as IEEE’s Security Privacy, the ACM’s CCS, and papers accepted by the NDSS symposium), the researchers say they identified 22 discrete “benchmarking crimes”, ranging from ignoring performance impacts altogether, “creative overhead accounting”, using misleading benchmarks, all the way through to presenting only relative numbers in a benchmark.

Most often, Heiser said, the crime is that “evaluation data is not complete enough … you look at the ‘cost’ of the mechanism in a scenario, without doing a thorough evaluation of the performance effects in a representative set of scenarios”.

Take, for example, a researcher running runs the SPEC suite on systems with and without their security solution. “The suite is designed to represent a broad class of use-cases” he said, but “SPEC only makes sense if you make all the individual programs to come up with the score”.

Cherry-picking SPEC results means they’re less effective: “you might pick predominantly CPU-intensive processes and ignore memory-intensive processes”, he said.

Heiser said the prevalence of benchmarking crimes is partly a symptom of the complexity of modern systems: authors might be sloppy or careless, but equally, they might have trouble understanding the implications of their own work.

“That takes a fair degree of expertise,” he said, such that even the people peer-reviewing papers don’t notice the problem.

“The upshot is that you get too optimistic a picture of what you can do against a particular attack.” ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/16/benchmark_crimes_in_infosec/

Cyberattack last June aimed to disrupt Ukraine’s financial system.

The CIA has concluded that Russia’s GRU military spy arm waged the NotPetya data-wiping cyberattack on Ukraine in June of last year, according to a report late last week in The Washington Post. 

NotPetya was deployed to appear like ransomware while meanwhile destroying data from computers in banks, energy companies, and an airport in Ukraine. The malware spread via popular accounting software used in Ukraine called MeDoc, after an update server for the application was compromised and spread the malware during an automatic update. 

US intelligence officials told The Post that the CIA in November assessed “with high confidence” that the GRU was behind NotPetya. While most of the victimized machines were in Ukraine, the malware also spread to other nations including the US.

Read the full report here. 

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/cia-russian-military-hackers-behind-notpetya-attack/d/d-id/1330821?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A big motivation for pulling software apart to find security flaws is the idealistic hope that developers will get the message and do a better job next time.

But what happens if they don’t?

It’s something that must have researchers at security consultancies IOActive Labs and Embedi pulling out their hair, assuming they have any left.

Two years ago, they jointly found 50 weaknesses in the security of 20 mobile apps used by a plethora of SCADA Industrial Control Systems (ICS) sectors covering things like power, water, and manufacturing.

Not good news exactly, but at least the problems were public domain and that meant they’d be fixed.

Now a follow-up test of 34 ICS apps from Google Play has found that far from improving, things have got worse – this time they found 147 security vulnerabilities in apps and backend systems designed for the same job.

Classifying them using OWASP’s Top Ten Mobile risk categories, 32 of the 34 lacked root or code protection, 20 had poor authorisation, 20 implemented insecure data storage, and 18 lacked obfuscation to protect code from reverse engineering.

Less frequent but still serious issues included poor-quality coding (12), insecure communication (11), insufficient cryptography (8), and insecure authentication (6).

In addition, the team noticed that seven apps exposed vulnerabilities on backend servers, for example SQL injection or cross-site scripting (XSS). And:

One of the reviewed applications had write permissions for the tables, allowing an attacker to tamper with station configurations and user statistics.

Overall, in the period between the two tests, researchers saw an average increase of 1.6 vulnerabilities per application.

Clearly, there’s a problem, but what is it?

Perhaps the app boom has lowered standards in a sector that rewards clever functions, performance and rapid development. If so, these apps simply manifest the same sorts of slapdash development that have affected other app sectors such as remote banking.

If that’s the case – and it’s hard not to imagine that it might be in at least some cases – it’s short-termism of the worst kind.

Say IOActive and Embedi:

The industry should start to pay attention to the security posture of its SCADA mobile applications, before it is too late.

The researchers have informed the affected vendors of the problems in the apps.

You can understand why so many ICS companies want to offer customers the ability to access monitoring and control using a mobile app. But on this evidence, it looks as if they are solving their problem today at the expense of creating a bigger one down the line for everyone.

Follow @NakedSecurity
Follow @JohnEDunn

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pF8sSEfLGSU/

As Facebook continues to embed itself into the fabric of our social and online lives – or, perhaps it’s more correct to say, as we let Facebook continue to embed itself in our lives – it’s increasingly important that we keep our accounts safe from unauthorized use.

If you barely ever log in to Facebook, you might not be too concerned about what could happen if someone gets into your account. But with Facebook being the biggest social media network on the planet with more than two billion users, and even if not all of those users are active or tied to a real person, it is increasingly used as a service to prove we are who we claim to be.

Facebook is entrenching itself to be indelibly tied to our entire identity online: How often have you seen Facebook authentication offered as a way to post comments on websites, or to register or log in to an app or service?

For many Facebook users, if someone were to gain access to their account, this would go beyond a mere annoyance – that person could also have access to their accounts on other apps, access to all sorts of sensitive information about them, their families, friends, and coworkers. From a reputation perspective alone, there’s a lot of potential for real-life consequences.

That’s why it’s a very good idea to take the security of your Facebook account seriously, and thankfully Facebook has made it reasonably easy to manage. A complex, unique password for Facebook is a great starting point – and if you haven’t changed it in a long while, take a moment to do it – but we also encourage you to take the security of your account to the next level and enable two-factor authentication as well.

Two-factor authentication (2fA) isn’t just a good idea, it’s a great idea: Someone trying to log in to your account needs more than just your password (“something you know”), they also need access to a phone or device that you own (“something you have”). This extra layer of security is simple to set up – we’ll walk you through it below – and can provide great peace of mind.

How to set up 2FA on your Facebook account

You will need:
1) Access to your Facebook account via a computer.
2) A phone number that can receive Text Messages (SMS) OR a smartphone that can run the Facebook app.

The 2FA process will tie your Facebook account to your phone number as a method of proving who you are. If the idea of Facebook having your phone number makes you uneasy, you can still use 2FA with just a code generator app and a Universal 2nd Factor (U2F) security key like a Yubikey – but to use U2F you must also use a code generator app, which still requires a smartphone. So keep that in mind.

For the purposes of this walkthrough, we’ll assume you’re okay with tying your Facebook account to your phone number, as this makes setting up 2FA quite simple.

1) On your computer, log in to your Facebook account and click the drop down arrow at the top right of the page on the blue notification bar. (It’s to the right of the question mark.) Look at the bottom of the menu and hit “Settings,” and on the next screen hit “Security and Login” on the menu on the left.

2) Scroll down to the “Setting Up Extra Security” section, and you’ll see a “Use Two-Factor Authentication” header.

Click “Edit” and a whole submenu will expand. Let’s start at the top – you’ll see “Two-factor authentication is off.” Hit “Set up” to get started.

3) If you haven’t at any point told Facebook your mobile phone number, you will now be prompted to add either a phone OR a code generator and security key to proceed. As noted above, we’re going the phone route in this walkthrough. Hit “Set Up Second Factors.”

4) You’ll be back in the 2FA submenu. In the “Text message (SMS)” field, hit “add phone” and follow the prompts to confirm your phone number. By the end of the process, you’ll be asked to confirm that you want to set up 2FA for your account, with an additional option to not require a second factor (like an SMS code) for the next seven days to *disable* 2FA on your account.

Whichever option you choose, when you’re done, hit “Enable” and Facebook will helpfully notify you that 2FA is well and truly on:

That’s it! You’ve now enabled 2FA on your Facebook account. Next time you try to log in, after entering your password, Facebook will text you a 6 digit code that you’ll need to enter to complete the login process.

While you’re in the security menu, take a look at the other options here and enable as much as you feel comfortable with: “Get alerts for unrecognized logins” for example is a great idea, especially paired with 2FA. This means if someone tries to log in to your account and doesn’t enter the correct code, Facebook will helpfully let you know next time you successfully log in:

Combining the unrecognized logins with 2FA works like a canary in the coal mine, letting you know someone’s (unsuccessfully) trying to access your account, and that it’s time for you to change your password.

If you’d rather not get text messages every time you log in, you can go one step further and use the Facebook app’s built-in code generator or a third-party code generator app to get that 6 digit code to verify it’s you. If you opt to use the built-in code generator in the Facebook app, keep in mind that you need to be logged in to the Facebook app on your smartphone for it to work, so this verification method will only work in verifying a new device or browser. This isn’t likely to be an issue for most people, but if you tend to log in and out of your smartphone’s Facebook app, you’re better off using a third-party code generator app, like Google Authenticator.

Whichever method you use, you’ll need to be at a computer to set up your method of choice with your smartphone handy. Here’s what you need to do to get a code generator method set up:

• For the Facebook in-app code generator, click “Set up” next to the “Code Generator” option in the Two-Factor Authentication submenu and follow the prompts.
• For a third-party code generator app, click “third party app” in the Code Generator text option and follow the prompts.

Will you be enabling 2FA on your Facebook account, or have you already?

Follow @mvarmazis
Follow @NakedSecurity

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bQdamDeR8Yg/

It’s easy to do – you quickly type a URL you use every day, whether it’s Google or Facebook or Amazon, and in your haste, you accidentally swap, add, or delete a single letter and hit enter. Suddenly you’re not where you wanted to be, and often that new strange piece of the internet isn’t a 404 message, but rather an unexpected, and often sinister, website.

Or even stranger, a spoofed version of the site you wanted to visit in the first place.

Registering common misspellings of popular websites to catch users unaware is known as typosquatting, and it’s exactly what it sounds like – cybercriminals scoop up these frequently miss-spelt domain names, knowing that a some innocent users will end up on their page.

Typosquatting is so common that businesses often register common typos themselves to redirect users to the correct page. It’s a huge industry – over 80% of all possible one-character variants of Facebook, Google, and Apple are registered.

It’s easy to make jokes about typosquatting – the human error component can be amusing, and some of the satirical pages users stumble across are occasionally clever – but the risks posed by typosquatting are very real. NBC Nightly News recently highlighted the dangers of these typos and what you can do to avoid these malicious sites in a video featuring Sophos’ James Lyne.

But what really happens when someone makes their way to the wrong page? That depends on the intentions of the typosquatter. Sometimes it’s simply domain parking or domains for sale, or “related search” pages. Others are riskier to encounter, like competitions and surveys asking for personal information, or bait-and-switch sites. Others still truly are benign, like humor or satire sites or sites maintained by typosquatting researchers.

A while back, Naked Security’s Paul Ducklin misspelled Apple, Facebook, Google, Microsoft, Twitter, and Sophos in 2,249 ways to see what would happen – basically he let a computer miss-type URLs across the web to see what it uncovered. He found everything from outright fake pages to adult content and contests designed to capture personal information:

The full report goes into greater detail, but it’s worth highlighting few key takeaways. Most interestingly, typosquatting sites are not rife with malware, despite what one might expect.

The fact that the scammers registering these sites are using popular misspellings, and thus there is a finite number of URLs available for this sort of activity, means, oddly enough, reputation matters. If they’ve registered a common misspelling of Facebook, they can’t just up and move house to a new URL if the page develops a reputation.

In fact, cybercrime made up just under 3% of the findings. Pop-ups and ads were far more common (15%) while IT and hosting – pages offering to sell you interesting domain names – made up 12%.

But while the percentage is relatively low, the tricks used by typosquatters to trick users into giving away personal or financial information can be very effective. Spoofed sites might, for example, offer you a free product if you pay for shipping – capturing the credit card data for unsuspecting users.

Other common goals for typosquatting include a false warning that your computer has been infected, tricking the user into downloading a “fix” that is actually the malicious payload, or convincing the user to click on a link that infects their computer with malware.

Attackers don’t just target everyday users. A devious newer form of typosquatting was recently identified targeting developers installing Python packages from the PyPI (Python Package Index) repository.

Bad code was found hiding in plain sight using filenames that were easily mistaken for legitimate packages. This is an interesting case because the motive was unclear – the code was malicious but relatively benign. It was a warning shot to developers using other peoples’ code in their projects, and demonstrated a variation on a common online scam.

The best antidote to protect yourself against typosquatting is, alongside appropriate security software, awareness. Bookmark your regular sites, check your spelling on a URL before hitting enter and be skeptical when a site doesn’t feel right or asks you for information you need to protect.

Follow @NakedSecurity

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2LQCHIzNF3M/

If you’re a member of the US “intelligence community” – the FBI, CIA and NSA – this past Thursday was a great day for homeland security.

A majority vote in the US House of Representatives to renew Section 702 of the Foreign Intelligence Surveillance Act (FISA) for six years will, in their view, give them continued access to the indispensable tools they need to prevent major foreign terrorist attacks. Without them, they would be blinded to terrorist plots within the US, and US soldiers could be at much greater risk on foreign battlefields.

If you’re a privacy/civil liberties advocate, it was an unwelcomed win for Big Brother and a shameful, ominous day for everybody else – a reauthorization of warrantless spying on US citizens that amounts to a back door around the Fourth Amendment’s prohibition against unreasonable search and seizure.

According to a bipartisan “letter to colleagues” from four senators – Republicans Rand Paul (KY) and Michael Lee (R-UT); and Democrats Ron Wyden (OR) and Patrick Leahy (VT) – Section 702 in its present form…

…does nothing substantive to protect the Fourth Amendment rights of innocent Americans. This bill allows an end-run on the Constitution by permitting information collected without a warrant to be used against Americans in domestic criminal investigations.

Most of the debate over Section 702 is not about its stated intent, but about how it is interpreted. The provision allows the NSA to monitor the communications of foreigners located outside the country to gather what was the agency’s original mission: foreign intelligence. That goal gets general, bipartisan support.

But, as has been widely reported since the law was created in 2008, and as the revelations of former NSA contractor Edward Snowden documented, that collection has been both foreign and domestic. The communications of millions of Americans who were not specific targets have been “incidentally” included. And much of that data, critics say, has been made available to other intelligence agencies like the FBI and CIA.

That is what has prompted the intensity of debate over Section 702’s renewal that ramped up last fall.

Not that last week’s House vote makes it a done deal. The measure still has to come to a vote in the Senate, where a bipartisan coalition led by Paul and Wyden has threatened a filibuster.

The two are co-sponsors, along with a dozen other senators, of a bill titled the USA Rights Act, which would mandate reforms to 702, including a requirement for intelligence agencies to have a warrant before they can conduct even incidental surveillance of citizens.

The Senate will hold a procedural vote on 702 this week after it returns from a break, Senate Majority Leader Mitch McConnell said on Thursday.

So the debate continues, with splits in both parties. Some Republicans, like Paul, oppose it, and a few House Democrats joined the large majority of Republicans who supported renewal (the Republican majority is only 241-194).

Wyden took to the website of The Cyber Brief to label Section 702, “broad, unchecked government surveillance… at the expense of Americans’ personal liberty and constitutional rights…”

Among privacy advocates, the opposition is united. David Ruiz, a staff attorney at the Electronic Frontier Foundation (EFF), called the House vote “deeply disappointing.”

Because of these votes, broad NSA surveillance of the internet will likely continue, and the government will still have access to Americans’ emails, chat logs, and browsing history without a warrant. Because of these votes, this surveillance will continue to operate in a dark corner, routinely violating the Fourth Amendment and other core constitutional protections.

EFF and other organizations also condemned a majority vote to reject the House version of the USA Rights Act, which had 40 co-sponsors.

Privacy organizations including EFF, the Center for Democracy Technology, American Civil Liberties Union, Brennan Center for Justice, New America’s Open Technology Institute and Restore the Fourth have been arguing since Section 702 came into existence that, in the name of collecting foreign intelligence, it allows spying on “US persons” as well.

Among their complaints, they cited a Washington Post examination of 160,000 emails and instant messenger conversations collected under Section 702 between 2009 and 2012, and found that 90% of them were from online accounts not belonging to foreign surveillance targets. They said nearly half contained information belonging to US citizens or residents.

But, while acknowledging the “genuine and legitimate controversy” over whether there should be amendments to Section 702 that add privacy protections, Brookings Institute Fellows Benjamin Wittes (Governance) and Susan Hennessey (National Security Law), said the “general value” of the law is not “remotely controversial among serious people”, when you consider:

• Information derived from 702 collection is the single largest contributor to the Presidential Daily Brief.
• 702 information is used to protect US soldiers on the battlefield.
• 702 information keeps US decision-makers apprised of the intentions of adversary nations.
• 702 information helps federal agents detect and prevent terror attacks on US soil.

Paul, Lee, Wyden and Leahy contend they are simply trying to limit Section 702’s authority to its original purpose, and keep intelligence agencies and law enforcement from abusing it. The USA Rights Act, they wrote…

…(will) preserve the government’s ability to pursue terrorists abroad and protect the country from foreign threats while also making the necessary reforms to protect the Fourth Amendment rights of Americans here at home.

Follow @tarmerding2
Follow @NakedSecurity

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/L3nfCKLDa4U/

A large number of OnePlus customers claim to have been hit by fraudulent credit card transactions after making purchases on the phone company’s site. And they’re unhappy that the company has been slow to address the issue.

Dozens of fraud reports of unauthorised credit card use were posted through on the company’s support forum, and many more on Reddit. Some users were hit with unauthorised transactions before Christmas, but the majority report the transactions appearing over the past few days. Disturbingly, several posters note problems with their credit card after purchasing through PayPal. But were they linked to OnePlus?

In a holding statement, OnePlus said it was investigating, but didn’t confirm or deny that a breach had taken place. The Shenzhen firm’s webstore was initially built with Magento’s e-commerce software, old versions of which were vulnerable to cross-site scripting and remote code execution attacks, but OnePlus said that since 2014 the site has been rebuilt with custom code. The company denied that it “stored” user credit card details.

A security audit by Fidus reveals that OnePlus is currently conducting the transactions itself, rather than through an iFrame. This introduces a new attack vector – it means that the credit card details (including security code) pass through the OnePlus site.

“All payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,” Fidus noted.

OnePlus is in hot water after acknowledging that some of its phones beamed data to Alibaba without the user’s knowledge or consent. Last year it admitted that detailed usage data was being sent back to the company, without knowledge or consent. This is a breach of basic data protection law in Europe. And a month later it acknowledged that an insecure diagnostic tool had been left on shipping devices. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/15/oneplus_users_report_credit_card_fraud/

Patches for the Meltdown vulnerability are causing stability issues in industrial control systems.

SCADA vendor Wonderware admitted that Redmond’s Meltdown patch made its Historian product wobble. “Microsoft update KB4056896 (or parallel patches for other Operating System) causes instability for Wonderware Historian and the inability to access DA/OI Servers through the SMC,” an advisory on Wonderware’s support site explains.

Rockwell Automation revealed that the same patch had caused causes issues with Studio 5000, FactoryTalk View SE, and RSLinx Classic (a widely used product in the manufacturing sector). “In fairness [this] may be RPC [Remote Procedure Call] change related,” said cybersecurity vulnerability manager Kevin Beaumont.

El Reg requested clarification from Rockwell but we’re yet to hear back from the vendor.

The expected and well-publicised system slowdown issues from Meltdown and Spectre patches (Reg reports here, here and here) have been accompanied by even more irksome stability problems on some systems. Incompatibility with Microsoft fixes released on January 3 freezes some PCs with AMD chips, as previously reported.

An Ubuntu Linux kernel update prompted by Meltdown caused systems to become unbootable. Patching against CVE-2017-5753, CVE-2017-5715 (Spectre) and CVE-2017-5754 (Meltdown) affected both the PulseSecure VPN client and Sandboxie, the sandbox-based isolation program developed by Sophos.

Beaumont is curating a list of issues with Meltdown security patches here.

Slowdowns

The Spectre and Meltdown vulnerabilities affect the processors in computers, smartphones and tablets. The flaws potentially allow malicious apps in the user space to access protected areas of kernel memory on the same machine or shared system in the cloud.

“Patching against Meltdown can degrade performance by almost a third. And there’s no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years,” infosec guru Bruce Schneier warned over the weekend.

Moritz Lipp of Graz Technical University, a security researchers credited in the discovery of both Meltdown and Spectre, praised the vendor response during the disclosure period.

“I think the response of the vendors to us was very professional during the responsible-disclosure process,” Lipp told El Reg.

“Also the public response of ARM releasing a list of all vulnerable CPUs was very open as well with ideas and approaches on how to fix these issues. Apple also said that all [its] devices ([except] the watch I think) are affected and release updates for [its] devices.”

Browser vendors are now implementing countermeasures that should “decrease the possibility to mount Spectre attacks within the browser successfully to zero,” Lipp added.

Spectre will be more difficult to resolve than Meltdown but that too is in hand, according to Lipp.

“We will see what microcode updates can actually do to resolve Spectre attacks; the ideas are there and updates are rolled out for various CPUs,” he said. “Software is recompiled with tailored compilers and in the end we will see how performance benchmarks will look, but yes, Spectre is much harder to fix than Meltdown.

“In the long run, processor designs will be adjusted to prevent such attacks with a low(er) performance overhead.” ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/15/meltdown_ics/

A recent survey finds a number of attributes women seek in their careers can be found in a cybersecurity profession – the dots just need to be connected.

With the cybersecurity industry facing a shortfall of 1.8 million professionals by 2022, increased efforts are underway to find and train more infosec pros – especially women who, according to a Global Information Security Workforce Study, comprise only 11% of the cybersecurity workforce.

And although a number of challenges exist in attracting women and young girls to a cybersecurity career, a number of similarities exist between the attributes these women and young girls seek in a career and what the cybersecurity profession can offer, according to a recent survey by Kaspersky Lab and interviews with female cybersecurity pros.

In its global survey of approximately 2,000 females ages 16-to 21 years old, Kaspersky’s report, “Beyond 11% – A Study Into Why Women Are Not Entering Cybersecurity,” found:

• 72% want a career they can be passionate about
• 83% do not believe a cybersecurity career would be dull
• 23% want a career that can make a difference to society
• 44% believe cybersecurity is helpful to society
• 52% want a career that will enable them to earn a good salary

Median annual salary is $100,000 for cybersecurity staff members, according to a Dark Reading 2016 Security Salary Survey.

Career Passion

“Being passionate is important for any job,” says Ambareen Siraj, founder of the national Women in Cybersecurity (WiCyS) organization and an associate computer science professor at Tennessee Tech University. “Cybersecurity is a very dynamic field and you are always learning. If you want to be in a field that is always refreshed and you have a big thirst for learning, then you should consider cybersecurity.”

As for the 17% of survey respondents who believe a cybersecurity career would be boring, it comes down to a lack of understanding of the various roles in cybersecurity that can range from technical to training to developing policies, says Mari Galloway, director of finance and communications for the Women’s Society of Cyberjutsu.

Benefit to Society

A career in cybersecurity can make a difference in society, Galloway says. 

“Take healthcare. So much technology is used to keep people alive. All it takes is one bad hacker to exploit a vulnerability in a hospital system and bring the whole operation down, potentially killing patients,” Galloway explains. “It’s the cyber professionals’ job to ensure things like this don’t happen.”

Noushin Shabab, senior security researcher with Kaspersky’s Global Research Analysis Team, says she was surprised by the low percentage of women and young girls who noted they wanted to make a difference in society with their career and believed that cybersecurity helped society.

“Despite the [23%] statistic, I feel deep down, a woman wants to make their mark in society,” Shabab says. “Hopefully with the hard work and efforts that women around the world are taking in today’s world, more women will feel empowered to make a difference in their respective societies. If women believe they can make an impact (big or small) this is already a big start to change how they feel about their careers.”

Salary and Job Security

Salaries are a big factor in women’s career choices but not the only deciding factor, Siraj says. Cybersecurity not only provides a good salary but, in many cases, infosec professionals are able to work from home and can relocate to a new job with relative ease, since there is virtually no unemployment in the industry, she adds.

Challenging Stereotypes

Despite these similar attributes that can be found in cybersecurity careers, it remains a challenge to attract women and young girls to the field, these cybersecurity professionals say.

“All that women hear about in the media is about the bad guys in cybersecurity. They don’t hear about the researchers who made a difference and helped society,” Siraj says. “In the movies and TV shows, cybersecurity professionals are portrayed as guys sitting in a dark room alone, surrounded by computers, and as highly intelligent nerds. That is not how most women want to view themselves.”

Shabab noted WannaCry, ExPetr and other large-scale cyberattacks may attract more women to the IT security field, rather than chase them away. These attacks proved cybersecurity is essential for every individual, home user, and enterprise – perhaps fueling a desire to pursue a cybersecurity career and protect what matters most to them, she adds.

A range of efforts are underway to dispel of cybersecurity career stereotypes and educate young girls and women about the profession, these women note. Cyberjutsu Girls Academy, Girl Scouts, Black Girls Code, WiCyS, and others are providing information and role models, they add.

“What will bring more women in are seeing women at various levels making decisions, [girls] getting hands-on experience in STEM, cyber at a young age, providing equal opportunities for women to grow, and laying out a roadmap of potential career paths for young women to visualize where they can go,” Galloway says.

Related Content:

• Cybersecurity Faces 1.8 Million Worker Shortfall By 2022
• How to Build a Path Toward Diversity in Information Security
• Making Infosec Meetings More Inclusive

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s … View Full Bio

Article source: https://www.darkreading.com/careers-and-people/how-to-attract-more-women-into-cybersecurity---now/d/d-id/1330816?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple