Intelligent Connections. Recruiting Integrity.

Archive for September 2017

GitLab Vulns Could Lead to Session Hijacking


During a recent pen test of GitLab, Imperva researchers were surprised to come across a vulnerability that leaves users exposed to session hijacking attacks.

The vulnerability stems from the type of session token used by GitLab (its "private token"). According to Imperva, the tokens are troublesome for three reasons: they are short, making them susceptible to brute-force guessing; they are persistent, meaning they never expire, so a token stolen once stays valid indefinitely; and they lack role-based access control, meaning a simple copy/paste of the token grants access to every actionable item on the GitLab platform, e.g. user dashboards, account information, individual projects and website code.

Session hijacking is a serious threat to online users’ privacy, money and identity; it involves the interception of the session tokens that identify individual users logged into a website. An attacker who holds a hijacked token is indistinguishable from the victim to the server, and can use it to access the user’s account, make fraudulent purchases, change login credentials and read credit-card details, among other things.

In this case, the vulnerability can have wide-ranging consequences, given that GitLab is a widely used SaaS provider of developer tooling, including Git repository management, issue tracking and code review, so a stolen token can expose private source code as well as account data.

Methods for stealing session tokens include: man-in-the-middle (MITM) attacks, in which forged certificates or authentication keys are used to pass off an intercepted connection as secure; brute-force attacks, in which a botnet executes millions of requests with guessed session IDs until a valid token is found; and SQL injection, in which malicious SQL is used to read tokens or other sensitive data from the backing database, Imperva noted in an analysis.

GitLab has already taken steps to minimize the exposure of private tokens, and has introduced role-based security controls to minimize the access a compromised token would provide. Additionally, GitLab is replacing private tokens with RSS tokens for fetching RSS feeds to avoid exposing session IDs; and is gradually phasing out private tokens altogether.
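As an added illustration (not GitLab's own code or Imperva's analysis), the following Python sketches the token design that the fixes above are moving toward: tokens drawn from a large random keyspace, issued with an expiry and a scope, with only a hash stored server-side. The class and scope names are hypothetical; `entropy_bits` assumes a 62-character alphanumeric alphabet, and the 8-character token length used in the demo is a constructed example, not GitLab's actual token length.

```python
"""Added example: an expiring, scoped token store beside the entropy
arithmetic that makes short tokens guessable. Illustrative only; all
names are hypothetical and nothing here is GitLab's implementation."""
import hashlib
import math
import secrets
import time

ALPHABET_SIZE = 62  # assumption: tokens built from [A-Za-z0-9]


def entropy_bits(length):
    """Bits of entropy in a uniformly random alphanumeric token of `length`."""
    return length * math.log2(ALPHABET_SIZE)


def guess_rate_to_exhaust(length, seconds):
    """Guesses per second an attacker needs to try the whole keyspace of an
    alphanumeric token of `length` characters within `seconds`."""
    return ALPHABET_SIZE ** length / seconds


def _digest(token):
    # Store only a hash: a leaked table then does not hand out live sessions.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """Hypothetical server-side store. Every token is random (256 bits),
    carries a fixed set of scopes, and expires; the lookup key is the
    token's hash rather than the token itself."""

    def __init__(self, now=time.time):
        self._now = now               # injectable clock for testing
        self._records = {}            # sha256(token) -> (user, scopes, expires_at)

    def issue(self, user, scopes, ttl_seconds):
        token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
        expires_at = self._now() + ttl_seconds
        self._records[_digest(token)] = (user, frozenset(scopes), expires_at)
        return token

    def authorize(self, token, required_scope):
        """Return the owning user if `token` is live and carries
        `required_scope`, else None. Expired tokens are purged on sight."""
        key = _digest(token)
        rec = self._records.get(key)
        if rec is None:
            return None
        user, scopes, expires_at = rec
        if self._now() >= expires_at:
            del self._records[key]
            return None
        if required_scope not in scopes:
            return None
        return user


def demo(now_value=1_000_000.0):
    """Walk through the three properties: a feed-only token cannot touch a
    repository, and it stops working once its TTL has passed."""
    clock = [now_value]
    store = TokenStore(now=lambda: clock[0])
    feed_token = store.issue("alice", ["read:feed"], ttl_seconds=3600)
    results = {
        "feed_with_feed_scope": store.authorize(feed_token, "read:feed"),
        "feed_with_repo_scope": store.authorize(feed_token, "write:repo"),
    }
    clock[0] += 3601                     # one second past expiry
    results["feed_after_expiry"] = store.authorize(feed_token, "read:feed")
    results["unknown_token"] = store.authorize("not-issued", "read:feed")
    # Constructed comparison: an 8-char alphanumeric token versus 256 bits.
    results["bits_8_char"] = round(entropy_bits(8), 1)
    results["bits_256"] = 256.0
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The scope check is what the article calls role-based access control: a token minted for fetching an RSS feed carries only `read:feed`, so copying it out of a feed URL does not yield repository access. The injected clock exists so the expiry path can be exercised deterministically.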

Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/


Source: Information Security Magazine

MacEwan University Defrauded Out of $11.8mn in Phishing Attack


MacEwan University in Edmonton, Alberta has been defrauded of $11.8 million as a result of a phishing attack.

The university uncovered the issue on Aug. 23.

A member or members of the university’s staff fell for a classic business email compromise (BEC) gambit after receiving a request that purported to change the electronic banking information on file for one of the university’s major vendors. Believing the email to be legitimate, the staff made the change without verifying the request with the vendor through an independent channel, resulting in a transfer of funds into a bank account controlled by the fraudsters.

“There is never a good time for something like this to happen,” said university spokesman David Beharry, in a statement. “But as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident. Personal and financial information, and all transactions made with the university are secure. We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way.”

Immediately after discovering the fraud, the university began to pursue criminal and civil actions to trace and recover the funds. It was able to track down more than $11.4 million of the stolen money, found to be in bank accounts in Canada and Hong Kong, the university said. Those funds have been frozen and the university is working with legal counsel in Montreal, London and Hong Kong to pursue civil action to recover them; the status of the balance of the funds remains unknown.

Edmonton Police Service, law-enforcement agencies in Montreal and Hong Kong, and the corporate security units of the banks involved with the e-transfers are working to resolve the criminal aspect of the case. 

The university has conducted an interim audit of business processes, and said that controls were put in place to prevent further incidents.

“Preliminary assessment has determined that controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed,” the university said.

William MacArthur, threat researcher, RiskIQ, told us that having those controls—or at the very least, employee training on social engineering—would have made a big difference.

“These campaigns replicate apps used by these companies in their day to day operations, or spoof the email addresses of employees to trick employees into divulging highly sensitive and confidential information,” he said. “These attacks go after those who are the traditionally less security savvy folks in HR and finance departments. These people must be alerted to the dangers of phishing, and make sure they are verifying the authenticity of every single email asking for sensitive information—that means researching the purported company online and picking up the phone and calling if necessary.”

He also warned that phishing comes in many forms.

“It’s like a constant game of chess, except they have more pieces and are always on the offensive,” he said. “They also evolve to keep up with the changes happening in everyday life. How we work and communicate, and the channels on which we do so, are always changing—as are the ways we use sensitive personal and financial data. Phishing has spread beyond the inbox to mobile apps, social media, and instant messaging platforms (basically, anything that connects people) and replicates exactly the apps we trust with sensitive data every day to fool people.”


Source: Information Security Magazine

Juniper to Acquire Cyphort


Juniper Networks said that it plans to acquire start-up cybersecurity firm Cyphort, to shore up its own cyber-portfolio—including its virtualized security offerings.

Santa Clara-based Cyphort offers advanced threat detection, analytics and mitigation, which will be integrated with Juniper’s Sky advanced threat protection (ATP) product line. Juniper said that customers can expect improved performance, an increased range of supported file types and additional threat detection capabilities (e.g., on- and off-premises support, cloud email, analytics and improved malware detection).

Cyphort’s technology complements traditional security information and event management (SIEM) platforms, but it also rests on a combination of behavioral analytics and machine learning that can work across virtual infrastructure and cloud environments. As such, it will complement Juniper’s Software-Defined Secure Network portfolio, which offers NGFW as-a-service combined with real-time threat intelligence, aggregated into a common, cloud-based service that offers dynamic distribution of updated policies and remediation countermeasures.

“As cloud-based ATP is becoming a critical feature of next-generation firewalls (NGFW), Juniper intends to be a leader in the NGFW space as it’s critical to our Software-Defined Secure Network vision,” said Kevin Hutchins, Juniper’s senior vice president of strategy, in a blog.

The acquisition is expected to close within the next month. Terms of the deal were not disclosed, but Cyphort has drawn $53.7 million to date in venture capital, across four rounds.


Source: Information Security Magazine

HackerOne Expects $100m Paid Out in Bounties by 2020


Popular bug bounty platform HackerOne is aiming to generate $100m in payments to ethical hackers for vulnerabilities they find and disclose through the site by 2020.

CEO Marten Mickos claimed in a blog post that the platform has already helped over 100,000 hackers to find and fix 50,000 vulnerabilities, resulting in pay-outs of more than $20m.

This so-called 'hacker-powered security' can help root out the bugs typically not found by automated tools and can end up saving the organization in question money in the long run, given the expense associated with hiring an outside auditing firm.

That’s part of the reason why even the US Department of Defense last year joined up and has been running various programs, including Hack the Pentagon, Hack the Army and Hack the Air Force.

Most recently, Tor announced its own program with HackerOne in recognition of the millions of political dissidents, journalists and others around the world who rely on it to keep their browsing private.

In an example of some of the riches on offer for ethical hackers, Facebook announced in July that it is increasing the size of its Internet Defense Prize to $1m, while Microsoft launched a new Windows Bounty Program with a top pay-out of $250,000.

“Just a few years ago, bug bounty programs were the privilege of few cloud-based companies. The hackers powering them counted in the thousands, and rewards were modest. Today we stand here 100,000 hackers strong, with 50,000 vulnerabilities eradicated and $20 million in rewards distributed to the heroes of hacker-powered security,” explained Mickos.

“Soon we will have 1 million hackers, 200,000 vulnerabilities found and fixed, and $100 million paid out in rewards. The savings thanks to avoidance of data breaches will be on the order of $10 billion. This is huge, and it’s just the beginning.”

Source: Information Security Magazine

Foreign Firms Should Fear New Chinese Cyber-Law: Report


China’s new Cybersecurity Law (CSL) could expose Western firms and their customers to significant new security risks if the state chooses to launch ‘national security’ investigations, demanding IP and source code, according to a new report.

In it, threat intelligence firm Recorded Future claims foreign multi-nationals operating in China will be faced with a stark choice: comply with the law’s “onerous, vague, and broad new legal requirements” or be denied access to the huge mainland China market.

It argues that the new law gives sweeping new powers to the China Information Technology Evaluation Center (CNITSEC), part of fearsome spy agency the Ministry of State Security, which is said to be home to threat group APT3.

CNITSEC is used by the MSS to “conduct vulnerability testing and software reliability assessments” and may use bugs found in such tests in its intelligence gathering, the report claims, citing a US State Department cable.

This makes it highly likely that if CNITSEC were asked to investigate any foreign firm for national security reasons, it could hand over the resulting intelligence to the MSS for use in state-sponsored cyber-attacks, Recorded Future claims.

That means elevated risk to the investigated company’s own machines and networks, its products and services, and its customers and users around the world.

Such firms could also find themselves on the end of a public relations backlash in Europe and North America, and could be deemed too risky for use by governments there as a result, the report continues.

“Most products and services utilized in China will not be wholly unique from their global counterparts, raising the risk that vulnerabilities discovered by the MSS could be utilized to exploit international users of these machines, networks, products, and services,” the report notes.

Cloud providers are at greatest risk because they could be defined as “critical information infrastructure” and therefore subject to more checks, it claims.

However, any company defined as a 'network operator' could come under investigation. This term could cover financial institutions, cybersecurity providers or indeed any enterprise that has a website and provides network services, the report suggests.

“It is important for companies to note the imprecision and breadth of the CSL as well as the 2015 National Security Law, because both contain vague language that can be invoked by Chinese authorities to compel national security reviews, data sharing with government authorities, and even inspections into proprietary technology or intellectual property,” the report warns.

Source: Information Security Magazine