STE WILLIAMS

Grade hacking may cost high school its valedictorian

As graduation day draws near for W.S. Neal High School in East Brewton, Alabama, the school is being quizzed, hard.

The questions:

Who hacked grades for the past two years, to the extent that the school can’t figure out if the top 10 students are legitimately the top 10 students? How did the perpetrator(s) hack the grade-reporting system? What is the school doing to prevent this from happening again?

Those questions came from Monica Fountain, just one of many parents who are furious that the school might not be able to find answers in time to pick a valedictorian or salutatorian for graduation in two weeks, on 22 May.

The issue was first reported by the Mobile, Alabama TV station WKRG.

Escambia County Superintendent John Knott confirmed to WKRG that when the school was finalizing the Top 10 students, staff discovered that somebody had altered students’ grades. Knott couldn’t comment on who was involved, nor how many students’ grades could have been affected. As far as whether the school can have a valedictorian or salutatorian, Knott said that it will depend on when the investigation is wrapped up.

To those of us familiar with cyber forensics, that’s not unreasonable. These things take time. It’s not necessarily easy, or fast, to trace hackers and quickly come up with suspects’ identities. What’s more, prematurely releasing details about an ongoing investigation can jeopardize the outcome, whether it’s by tipping off suspects so they can destroy evidence, or by falsely naming suspects before enough evidence has been amassed to form a solid case. People prematurely reported as suspects might well turn out to be innocent, but that hasn’t stopped people from prosecuting them in the court of public opinion and social media.

But those who might not be familiar with the time involved in finding hackers want answers, and they want them now.

As you can see by the reactions on a Facebook post Monica Fountain put up about the incident, the town is outraged. Some say it’s unfair to the kids who’ve worked so hard to get their good grades, that scholarships could be jeopardized, and even that the school is hiding the identity of the hacker(s) for some reason.

WKRG talked to one parent, Shannon Odom, who said that his son is a senior at the high school and plans to go to the University of Alabama. Odom said the administrators called his son into the office to tell him about the investigation. School staff also asked if he knew who did it. Odom said his son didn’t know, but he’s concerned about where his class ranking will wind up. He’s applying for scholarships.

Fountain, who’s also a parent of a W.S. Neal High School student:

It hurts me because I know these kids here and they’ve spent long nights, countless nights, studying for this achievement, and for it to be taken away from them because of reckless actions.

This is far from an isolated case.

In the autumn, the FBI charged a college student for allegedly hacking his grades more than 90 times. The student allegedly used keyloggers to record whatever his professors typed, including credentials to log into university grading and email systems.

Four years ago, we saw 11 teenagers expelled for hacking teacher accounts and bumping up grades.

Those schoolkids allegedly used a keylogger, too, said to have been given to them by a private tutor who got a year in jail for adjusting their grades.

Students do it, tutors do it, even moms do it. In 2012, a US mother faced six felony counts for allegedly hacking into her children’s school computer, changing their grades, and accessing the school’s human resources system to open thousands of personnel files that contained contracts, employee reports and other information.

So yes, grade hacking is not uncommon. But the repercussions in this one are particularly unfortunate: the timing, this close to graduation, is lousy. It means potentially losing a long tradition of having valedictorian and salutatorian speeches.

We can only hope that the investigation wraps up in time for the 22 May event… or that the school scuppers graduation until it can do it right, ensuring that diligent students get the recognition they deserve and that any hacking student(s) don’t share their limelight.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/C6rmfUIBzPI/

Windows-crashing bug not patch-worthy, says Microsoft

When is a bug not a bug? That’s the question in play with a proof of concept (PoC) published by researcher Marius Tivadar, which can crash several versions of Windows, even if they’re locked, all within seconds of launching the code.

This PoC requires a USB key with a faulty NTFS image on it to be physically inserted into a Windows PC that also has autoplay enabled. Regardless of the privilege level currently active (from user to administrator), seconds after the target PC tries to read data on the USB stick, the dreaded blue screen of death (BSOD) occurs, crashing the computer.

That’s why Tivadar classifies this bug as a denial of service attack, but a crash is as far as this specific issue goes, and at no point does any privilege escalation or unauthorized data access occur.

Tivadar says he reached out to Microsoft in July 2017 to disclose his findings, all in the hope that Microsoft would officially give this security issue a CVE and start working on a patch to fix the problem.

But because this bug requires a USB key to be physically inserted into a machine to work, Microsoft responded that this finding didn’t “meet the bar” for issuing a security patch – so no CVE and no patch will be forthcoming.

At the time of this writing, according to Tivadar, this issue remains unresolved, and his PoC bug still causes Windows BSODs even in the most recent version of the operating system.

This has stirred an interesting debate about whether the mere existence of a PC-crashing bug automatically merits a robust response and patch from Microsoft. Tivadar’s PoC works and that’s not in dispute by anyone – it’s what to do about it that’s in question.

Microsoft’s reason for rejecting this security issue for a CVE and patch response is, according to Tivadar, that it requires physical access to a machine to work. If an attack requires physical access to a machine, it’s not easily replicable or weaponizable at scale.

Plus, if you have physical access to a machine and you’re looking to cause problems, you can do a lot more than just cause it to crash.

That’s all well and good, says Tivadar, but it’s just as much the principle of the thing that seems to be of concern, especially Microsoft’s apparent dismissal of the bug due to physical access requirements. Writes Tivadar on his GitHub documentation page:

As a security researcher, I think that every vulnerability that requires physical access and/or social engineering is important. We all know the stories Kevin Mitnick taught us regarding social engineering, so yes, these types of bugs are important.

Where do you fall in this debate? Is Microsoft’s response reasonable, or is it leaving Windows users at risk with their refusal to patch this issue?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zYUC4_6NJ-Q/

Watch out: photo editor apps hiding malware on Google Play

Thanks to Chen Yu of SophosLabs for her research.

SophosLabs has discovered apps in Google Play harbouring Guerilla ad clicker malware.

The malware, identified by Sophos as Andr/Guerilla-D, found its way on to Google Play during March and April 2018, in innocent-looking photo editor apps.

Guerilla ad clicker

SophosLabs detected the malware in a total of 25 apps, all of which have been reported to Google.

Sadly, it’s not the first time this malware has made it past Google’s Android app review process and into the walled garden of Google Play. Earlier this year SophosLabs alerted Google to the presence of more than a dozen malicious apps and published a report about Guerilla malware targeting Android users.

The apps harbouring the Guerilla malware work – they really are games, flashlight apps or photo editors – but while they’re doing what you’d expect, they’re also doing something you wouldn’t: contacting remote servers and receiving instructions to download malicious JAR (Java Archive) files.

That extra Java code generates fraudulent ad revenue for the app developers by making the phone click on Google ads in the background, without users realising.

The new batch of Guerilla apps display a few technical differences from those removed from Google Play earlier this year.

Like the earlier apps, the latest ones hide their payloads in their asset folders as text files. This time around the apps use the filenames atop.txt or atgl.txt.

In an apparent effort to avoid detection, the JAR files now arrive encrypted, with the DES algorithm, and are decrypted on the phone.

Guerilla decryption

The affected packages are:

What to do?

In all areas of cybersecurity we recommend a strategy of defence in depth.

The safest place to get your Android apps is still Google Play. Although malware is found there fairly regularly, it’s still news when it happens. Google Play isn’t perfect but it’s a far safer environment than other, unregulated, app repositories.

Because no app review process can ever be perfect, we recommend running security software on your phone too, such as Sophos’s free Sophos Mobile Security for Android.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kmiJ-6A1dFg/

The WhatsApp text bomb – no, it won’t destroy your phone!

You’ve probably seen the news already: there’s a text message going around that can cause WhatsApp to freeze or crash (if those aren’t essentially the same thing).

Just how alarmed you are depends on where you’ve looked.

Some articles have been hedging their bets by urging you to watch out for “the text bomb that could destroy your phone”, which is dramatic without actually being definitive. (After all, you could win the lottery tomorrow, but you won’t.)

Other articles have insisted that the damage is more than just theoretical – the Birmingham Mail, for instance, headlined its article to state unequivocally that “this WhatsApp text bomb is destroying recipient’s phones”.

Fortunately, the article itself is a bit more conciliatory, noting that:

If you receive [the text bomb], your phone – whether it’s an iPhone or Android – could become unresponsive, forcing you to restart it.

As far as we know, that’s about as bad as it gets, and after restarting, you should be able to delete the offending message so it doesn’t disrupt you again.

At this point, you’re probably wondering how something as simple as a text message can cause problems for modern software.

Playing live video streams; performing Bitcoin transactions; encrypting files; rendering complex, interactive web pages; recognising fingerprints and faces; displaying ever-changing 3D maps for real-time satellite navigation…

…now those are hard problems that need lots of processing power and RAM to perform complex computations on lots of data.

But how hard can it be to display some text?

The latest WhatsApp text bomb, for instance, is even publicly available so you can download it for your own, ahem, experiments, and it looks very simple at first sight:

As we’ve highlighted in the image above, however, the message is actually well over 100 kilobytes, because it’s crammed with characters that are there to tell you how to display the text, rather than to tell you what text to display.

In this case, there are thousands of pairs of marker characters in sequence that say, “from now on, write from left-to-right, as is usual in English”, followed immediately by, “changed my mind, now go right-to-left, Hebrew style”.

And so it goes, with the file telling any app that loads it to keep swapping direction, even though there’s nothing to display between each direction switch.

The just-a-jump-to-the-left-and-then-step-to-the-right markers are jammed in as Unicode characters between the laugh-till-you-cry emoji and the final quote mark:

You might think that text direction wouldn’t need its own special character, if you assume that the direction setting always applies to entire documents.

But many languages that write from right to left, such as Arabic and Hebrew, commonly write numbers in Indian numerals, just as we do in English when we write a phrase such as “there are 63,360 inches in a mile”.

So texts in those languages routinely need to typeset text from the right, then to jump ahead and set numerals backwards from the left towards the text just printed out, then to switch back again, skipping over the “backwards” numerals and setting text from right to left.

Likewise, text editing and word processing apps need to know how to leap the cursor back and forth along a line as the editing point in the file moves between different text directions.

There are also many other sorts of non-printable character commonly used in Unicode text, such as those used to compose multiple characters into the compound form in which they are usually displayed.

Compounding characters into different forms often sounds weird to English speakers. But consider that in English it used to be common to write the word THE with the letters TH combined into a form that looked a bit like a modern Y, but wasn’t. Today, we give the impression of antiquity by writing things like “Ye Olde Gift Shoppe”, but the word that nowadays looks like “Ye” is, in fact, an alternative way of writing “the” (and it’s pronounced “the”, by the way, not “ye”).

So rendering plain old text messages isn’t quite as plain as just reading bytes one by one and displaying them one after another – as Apple found recently when a single Telugu character, consisting of several subcomponents combined in a special way, could crash iOS.
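As an added example (not code from the original article), the following Python checks a message for the kind of bidi-control padding described above and collapses the direction switches that have no text between them. The thresholds and the two sample messages are constructed assumptions for illustration.

```python
"""Spot and neutralise messages padded with Unicode bidirectional controls.

A legitimate mixed-direction message needs a handful of direction marks.
A 'text bomb' of the kind described above is almost nothing but marks:
thousands of left-to-right / right-to-left pairs with no text between them.
"""
import re
from collections import Counter

# Unicode bidirectional control characters: the two marks, the
# embedding/override controls, and the isolate controls.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Two or more bidi controls in a row, i.e. direction changes with nothing to display.
BIDI_RUN_RE = re.compile("[" + "".join(BIDI_CONTROLS) + "]{2,}")
# Runs of the stateless marks only (LRM/RLM); these are safe to collapse.
MARK_RUN_RE = re.compile("[\u200e\u200f]{2,}")


def bidi_stats(text):
    """Return size and bidi-control statistics for a message."""
    controls = [c for c in text if c in BIDI_CONTROLS]
    longest = max((len(m.group()) for m in BIDI_RUN_RE.finditer(text)), default=0)
    return {
        "chars": len(text),
        "utf8_bytes": len(text.encode("utf-8")),
        "bidi_count": len(controls),
        "bidi_ratio": len(controls) / len(text) if text else 0.0,
        "longest_run": longest,
        "by_type": Counter(BIDI_CONTROLS[c] for c in controls),
    }


def is_text_bomb(text, max_controls=50, max_run=8):
    """Flag a message whose bidi-control count or longest no-op run is
    implausible for real multilingual text (thresholds are assumptions)."""
    stats = bidi_stats(text)
    return stats["bidi_count"] > max_controls or stats["longest_run"] > max_run


def collapse_mark_runs(text):
    """Collapse each run of adjacent LRM/RLM marks to its last mark: with no
    characters between them, the earlier switches have no visible effect."""
    return MARK_RUN_RE.sub(lambda m: m.group()[-1], text)


# Constructed samples (assumptions, not the real message):
# a normal message with a time written in a right-to-left context ...
SAMPLE_BENIGN = "Meeting at \u200f12:30\u200e, see you there"
# ... and a bomb-shaped one: emoji, 2000 LRM/RLM pairs, closing quote.
SAMPLE_BOMB = "This is very funny \U0001F602" + "\u200e\u200f" * 2000 + "\u201d"


if __name__ == "__main__":
    for name, msg in (("benign", SAMPLE_BENIGN), ("bomb", SAMPLE_BOMB)):
        s = bidi_stats(msg)
        print(f"{name}: {s['utf8_bytes']} bytes, {s['bidi_count']} bidi controls, "
              f"longest run {s['longest_run']}, bomb={is_text_bomb(msg)}")
    print("collapsed bomb:", repr(collapse_mark_runs(SAMPLE_BOMB)))
```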

What to do?

  • Don’t panic – reports about “destroyed” phones are exaggerations.
  • Reboot your phone if you need to.
  • Delete any prank messages.
  • Watch for an update to WhatsApp – they’re sure to be working on this if it’s not fixed already.
  • Don’t send “text bomb” messages to your friends – it feels like a joke, but it’s not funny.

Remember that last point especially.

Cybersecurity jokes are ten a penny – it’s easy to send fake virus popups in emails to friends; to have a laugh by sending annoying-rather-than-actively-dangerous text bomb messages; to set silly calendar items into a colleague’s diary while their computer is unlocked and their back is turned.

But please don’t do it.

Cybersecurity is enough of a battle to fight without trying to use it as a source of irritating or embarrassing jokes…

…plus a lot of these “jokes” are illegal, anyway, so don’t expect sympathy if you get caught!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MBesujaB_00/

IBM bans all removable storage, for all staff, everywhere

IBM has banned its staff from using removable storage devices.

An advisory to staff penned by IBM global chief information security officer Shamla Naidoo said the company “is expanding the practise of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).”

The advisory says some pockets of IBM have had this policy for a while, but “over the next few weeks we are implementing this policy worldwide.”

Big Blue’s doing this because “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.”

IBMers are advised to use Big Blue’s preferred sync ‘n’ share service to move data around.

But the advisory also says that the move may be “disruptive for some”.

She’s not wrong: The Register understands that frontline IBM staff sometimes need to download patches so they can be installed on devices they manage for clients, and that bootable USB drives are one means of installing those patches.

Indeed, IBM offers advice on how to install Linux on its own POWER 9 servers using a USB key. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/10/ibm_bans_all_removable_storage_for_all_staff_everywhere/

Brit govt told to do its homework ahead of talks over post-Brexit spy laws and data flows

There is no doubt that the UK’s surveillance regimes will come under scrutiny in negotiations on continued data flows with Europe after Brexit, and the government needs to start preparing for that now, MPs have been told.

The British government has been repeatedly warned that gaining an adequacy decision from the EU will not be simple – or fast – and today data protection, law and policy experts emphasised this to members of the Exiting the European Union Committee.

James Mullock, a partner at law firm Bird & Bird, said that decisions can take about two years to go through – which, if the formal negotiations start on the official Brexit date, March 29, 2019, could mean it would go four months beyond the transition period, which is due to end on December 31, 2020.

He acknowledged that the Privacy Shield deal, which allows transatlantic data flows and was set up after its predecessor Safe Harbor was struck down, was pushed through faster. But he pointed out that much of the groundwork had been done because people could see the court case, brought by Max Schrems, coming.

Similarly, witnesses said that the UK government should make sure it is ready to tackle the more complex questions that it knows it will face – namely, national security and surveillance laws in the nation.

As a member state, the UK benefits from exemptions under EU data protection laws, which means that its regime does not affect data flows within the bloc.

Once it leaves, this protection is removed, and the controversial Investigatory Powers Act – which has been ruled unlawful under EU law – will be part of considerations on whether to grant an adequacy deal.

Information commissioner Elizabeth Denham said there was “no doubt” that the UK’s national security and surveillance powers would come under scrutiny.

This would include the intelligence services’ collection, retention and use of data, and the secretive Five Eyes intelligence-sharing network between the UK, US, New Zealand, Australia and Canada, as adequacy decisions also set rules on how data is shared with third countries.

Denham said that as part of the team that had been involved in the Privacy Shield discussions, her office was “well aware of the types of questions we’re going to be asked”, including around Five Eyes.

In her view, if the Data Protection Bill – which implements a lot of the General Data Protection Regulation – gets on to the statute book, the UK will be in a “good position to check a lot of the adequacy boxes”.

That means they could front load their work and “be ready for the assessment on the more difficult questions” on national security and intelligence services.

Negotiations

Giles Derrington, head of policy for Brexit at TechUK, agreed that the government needs to start preparing for this part of the negotiations, including some of the basic hurdles – and for them not to become complacent after recent progress and increased focus on data protection.

For instance, he said, one of the biggest challenges for the US was in setting up processes that allowed the US authorities and the Commission to have a conversation about classified information in a non-classified setting.

The witnesses emphasised the importance of continued data flows on business certainty. Mullock said that his clients were “fairly anxious”, noting that in the two or three months after Safe Harbor was struck down there were several tens of thousands of companies searching for patches to make their EU-US data flows legal.

“If we have anything like that, it will be extremely disruptive and it will, I think, be extremely off-putting in terms of business looking at where they will headquarter themselves in Europe,” he said.

An added problem is that the fallback option for businesses, if the UK does not have data adequacy agreed once it exits the bloc, would be standard contractual clauses – which were used to cover data flows to the US after Safe Harbor.

However, these are subject to a challenge in the Court of Justice of the European Union, part of Schrems’ long-running battle with Facebook, which makes the situation much less clear for business.

And even without this added uncertainty, the burden for businesses switching to SCCs would be huge, Stephen Hurley, head of Brexit planning at BT, told the group.

His firm has more than 18,000 suppliers, he noted, and setting up contracts with even a subset would be very cumbersome, especially as the set text “isn’t necessarily designed to deal with the modern ways of doing business, and the way flows of data occur in practice”.

Elsewhere in the hearing, the witnesses agreed that it would be preferable for the UK to have a treaty on data flows, rather than simply an adequacy deal – something the government has set its sights on.

The idea is that it would allow the UK to be involved in the one-stop shop mechanism – broadly, this means that an organisation that operates in a number of member states only has to deal with one supervisory authority – and let the ICO have a greater role in the European Data Protection Board.

Derrington said that it would “unquestionably” mean the UK would lose influence if the ICO was only allowed to be an observer at the EDPB, which Denham fleshed out.

“At this time, when GDPR is in its infancy, participating in shaping and interpreting the law, I think, is really important,” she said.

“If [the ICO] is outside, we’re not going to have same effect as we need to have with big tech companies… because that’s all going to be decided by that group of regulators.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/10/uk_eu_spying_privacy_brexit/

Phishing Threats Move to Mobile Devices

Mobile devices are emerging as a primary gateway for phishing attacks aimed at stealing data.

A mobile user is 18 times more likely to be exposed to a phishing attempt than to malware, according to a new report on techniques and technologies that try to get a user to be an accomplice in their own victimization.

While employees have been taught to be suspicious of links and attachments in email, there is considerably less scrutiny of channels like SMS, Skype, WhatsApp, games, and social media. “As more communications take place over mobile devices, organizations haven’t changed their thinking to cover the modes of communications taking place on the devices,” says Michael Covington, vice president of product at Wandera, which published the report.

Mobile devices are the technology channel on which personal employee and corporate apps and data come together, and criminal hackers are taking advantage of that to reach enterprise credentials through personal communications.

“You can train an employee to not be a victim, but the mobile attacks are so compelling that education isn’t enough,” Covington says. “We want to see corporations move into the present, recognize the risk and mitigate the risk.”

That risk is considerable. According to Wandera’s mobile phishing report, the average iOS user has 14 different accounts on their work phone, typically including services such as Amazon, Paypal, and Airbnb. On Android, the number jumps to 20 unique apps. And both messaging and social media apps increased in popularity as an attack vector by more than 100% in 2017, with no sign of that growth slowing in 2018.

While email remains the most common target of phishing attackers, the effectiveness has been dramatically reduced by improving defense systems and years of employee training, the report notes. Fewer than one in five successful attacks originate with email phishing campaigns on desktop and mobile devices. That’s not to say that phishing as a tactic is going away.

According to the Verizon 2018 Data Breach Investigations Report, 90% of cyberattacks begin with phishing. There’s a good reason for that, Covington says, especially in the mobile domain. “To be perfectly honest, these mobile devices are pretty hardened,” he says. “They do have problems, we have seen them exploited, but if you look at something like the current iOS it’s pretty hardened. Phishing allows an attacker to bypass all of those protections.”

There are companies that see statistics such as those around phishing through apps and decide that the solution is to lock down apps. But that’s not an effective solution to the problem, according to Wandera.

“Phishing attacks have been observed in practically every single form of communication on mobile devices, including Skype, QQ, WeChat, Viber and Kik. Clearly this is a problem at scale that cannot be solved through blocking certain apps, or through app-centric controls,” the report said.

Mobile phishing attacks have become more sophisticated and effective as the stakes have increased. As Mike Murray, vice president of security intelligence at Lookout said in an InteropITX session, “Mobile has become not just a target, but the primary target in the enterprise.”

“Mobile has a gap and often it’s the user sitting on the other side of the interface,” says Covington. The danger of that gap is amplified by the behavior of the companies where they work. Covington explains, “Most organizations want to stop phishing and protect data with GDPR coming online. Neither is being addressed with mobile.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/endpoint/privacy/phishing-threats-move-to-mobile-devices/d/d-id/1331757?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Email Security Tools Try to Keep Up with Threats

Email has long been a prime vector for cyberattacks, and hackers are only getting sneakier. Can email platforms and security tools keep up?

No matter how many messaging and collaboration apps clutter the enterprise space, most (if not all) employees will continue to use email. Cybercriminals know this, and they’re increasingly leveraging this reliance to their advantage, finding new ways to bypass protective measures.

Bob Adams, cybersecurity expert at Mimecast, explains how email-based threats have evolved. “It’s important to understand the history of these attacks to understand where they’re going,” he says. Older phishing scams were easy to detect, with poor spelling and grammatical mistakes. The people who fell for them were likely to give attackers what they wanted.

“One of the reasons it was so successful is it was targeted in a way that intelligent people wouldn’t respond,” he says. Today’s threat actors have resources to make their attacks credible to a broad range of victims. Now, the people who could recognize obvious phishing scams are getting hit with spearphishing attempts and business email compromise (BEC) attacks.

In its Email Security Risk Assessment (ESRA), Mimecast passively scanned 95.9 million emails that went through email security systems and were received by a business email management portal. The ESRA caught 14.2 million spam messages (5.1 million rejected; 9.1 million quarantined), nearly 10,000 dangerous file types, 12,500 malware attachments, and 23,000 impersonation attacks.

Spam is annoying, sure, but most people know what it looks like and it isn’t lethal. Impersonation attacks, on the other hand, are sneaky. “What’s making these attacks even easier and have higher ROI is the sheer amount of information publicly available on every company and individual within its top ranks,” says Wickr CEO Joel Wallenstrom.

“All attackers need to do is pick a target; tailor messaging based on data gleaned from Facebook, LinkedIn, obscure data brokers, and exposed PII databases; and voilà, the scam works as intended,” he adds. Business email compromise has become a hugely profitable industry, with $5 billion in profit and categorization as a separate crime type by the FBI starting in 2017.

“What we’re seeing more and more is spearphishing attacks, hearing much more of attackers using social engineering in a variety of different ways to get people to give up their account credentials,” says Reena Nadkarni, group product manager at Google.

BEC attacks rely on simplicity, credibility, psychology, and urgency to convince victims to act, Adams points out. They won’t use too many details: “It was great talking to you the other day” is more likely to convince a target than “It was great meeting you at Starbucks last Wednesday.” Attackers may capitalize on employees’ hesitation to question managers. “I can’t talk right now, but I need you to do this immediately” is another line they may send a BEC target.

Of the 12,500 malware attachments that bypassed email security systems in the ESRA test, 11,653 contained known malware and 849 contained unknown malware. Failing to detect unknown malware in an email can be hugely detrimental because most common antivirus systems won’t notice it, and an attacker can gain or extend their presence on the network.

Can Email Security Keep Up?

Major email providers Microsoft and Google have been stepping up to build stronger security into their platforms. Nadkarni explains how the evolution of cyberattacks has made email security a challenge; now, attackers are spoofing websites and creating lookalike domains.

“What’s interesting about some of these emails is they don’t have an attachment,” she says. “Many of the traditional methods of being able to catch these just don’t work.”

Google recently added a few new Gmail security features as part of a broader redesign. Users can protect sensitive content by creating expiration dates for their messages or revoking sent messages before or after they’re viewed. Recipients may be required to provide additional information to view messages, a measure intended to protect data even if the receiving account has been hacked.

Microsoft, to its credit, has also added new security features to its email platform. However, some security experts note there’s much more to be done on the data security front. Gmail’s confidential computing is “a step in the right direction,” says Wallenstrom. Users must know to implement data expiration settings for each email, but only on the recipient’s end. He points out that it would add helpful protection to minimize data on the sender’s account also.

Adams says “it’s a little bit late and it’s also, in my mind, a little bit lacking,” with respect to the recent Gmail updates, specifically referring to enterprise security. It might be good for smaller businesses, he says, but for major corporations “I don’t see it being secure and effective enough at this time.”

Eitan Bremler, vice president of product at Safe-T, points out that Exchange is still limited by file size (unless you send via OneDrive) and has no integration with data loss prevention (DLP) and antivirus (AV) software. With Gmail, he’s concerned about a lack of advanced security functions like file encryption and DLP or AV integration.

“While hackers have grown more sophisticated and created more nuanced ways of getting into emails, email technologies themselves have not evolved much from a technology perspective over the last 20 years,” Bremler says.

What Businesses Can Do in the Meantime
To improve email security, Wallenstrom advises businesses to make security and data minimization a default, “something that employees don’t have to opt into each time they communicate,” he says. Further, enforcing a business-wide policy that bans sending valuable data — financial information, business intelligence — via email would also help build security hygiene.

“What surprises me is even today, a large number of administrative accounts don’t have two-factor authentication,” says Nadkarni. “If you have admin accounts in any system and that’s compromised, that’s a huge deal.”

She also advises businesses to look into security keys. “That makes such a huge difference,” she explains, noting that even multifactor authentication codes can be phished. “To introduce an element of physical security, that changes the game quite a bit.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/email-security-tools-try-to-keep-up-with-threats/d/d-id/1331769?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Script Kiddies, Criminals Hacking Video Streams for Fun & Profit

Video streams are getting hijacked for ‘prestige,’ DDoS, and financial gain, a new report found.

Video streams are being hijacked in vast quantities and the biggest reason for the intrusion is … fun. The good news for businesses is that their cameras tend not to be the primary targets. They are, instead, “warm up” targets used by hackers getting ready for the real thing — cameras from adult content websites, according to a new report.

Trend Micro’s Forward-Looking Threat Research (FTR) Team says that most camera hacking is being done by “script kiddies” who are in it for fun and peer-group prestige. According to the report, “Information on exposed cameras or cameras with known passwords is widely shared on the ‘Fun’ sections of underground forums or in dedicated prank groups in certain social networks.”

Serious criminals also use the activities of the script kiddies to mask their own attacks, “exposing the video streams of cameras or even exploiting these IoT devices for malicious activities such as distributed denial-of-service (DDoS) attacks, covert cryptocurrency mining, and even financial crimes.”

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/privacy/script-kiddies-criminals-hacking-video-streams-for-fun-and-profit/d/d-id/1331770?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Patch now! Microsoft and Adobe release critical security updates

After time off in April, 0-days have returned with a small bang in May’s Patch Tuesday from Microsoft.

The loudest is a remote code execution vulnerability in the Windows VBScript Engine affecting all versions of Windows, first spotted three weeks ago by Chinese security firm Qihoo 360 being exploited by nation-state cybercriminals.

Dubbed ‘Double Kill’ (CVE-2018-8174), it can be deployed in a number of ways, including by luring an Internet Explorer user to a malicious website with embedded VBScript, using an ActiveX control marked ‘safe for initialization’, or via a malicious RTF file in an Office document.

Any one of these scenarios gives attackers control over the victim’s computer for data theft, eavesdropping or deploying ransomware, Microsoft said, hence the need to apply a patch as a high priority.

The next 0-day is CVE-2018-8120, an elevation-of-privilege vulnerability in the Win32k subsystem of Windows 7 32/64-bit and Windows Server 2008 R2.

An attacker would need to be logged into the target already in order to exploit the flaw, which is why it’s listed as ‘important’ rather than critical.

Microsoft hasn’t said how it’s being exploited, but having this kind of vulnerability to hand is gold for cybercriminals, which is why it should also be on the immediate fix list for anyone running Windows 7.

Two others worth mentioning are CVE-2018-8141, a kernel information disclosure flaw affecting Windows 10 1709, and CVE-2018-8170, an elevation of privilege vulnerability in Windows 1709 and 1703 32-bit.

Both are marked important rather than critical but information about them is said to be in the public domain without exploits having been detected.

The best of the rest

Microsoft’s May vulnerability count reaches 68 CVEs, 21 of which are rated critical, 45 important, and only two low impact.

Of the remaining flaws marked ‘critical’, a strong browser theme is apparent, with an assorted dozen scripting engine memory corruption browser flaws affecting Edge and Internet Explorer, plus four more affecting Edge’s Chakra JavaScript engine.

Hyper-V is also patched for CVE-2018-0959 and CVE-2018-0961, while CVE-2018-0961 looks after the RCE in Windows Host Compute Service Shim.

Microsoft’s site offers plenty of detail on these vulnerabilities by platform and product but you’ll find a quicker-to-digest summary here.

Still fixing Flash

It’s not just Microsoft that is issuing patches – Adobe has fixed five CVEs.

One worth underlining is a critical fix for Flash Player (CVE-2018-4944) affecting all platforms including Windows 10 (Edge) and 8.1 and Server 2012/R2 (IE). The vulnerable version is 29.0.0.140, which requires an update to 29.0.0.171.

Flash is on its way out, but it’s likely that plenty of systems still have it installed and running for one reason or another, which is why we mark it for special attention.
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WrjOwPbIvnM/