Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for September 2017

SecureAuth and Core Security Announce Merger Plans

SecureAuth and Core Security Announce Merger Plans

SecureAuth and Core Security have announced plans to merge, combining security operations and identity and access management.

The aim of the two companies will be to combine network, endpoint, vulnerability and identity security, and offer the industry’s first identity-based security automation platform. The two companies said that this will allow enterprises to visualize and priorities risks, shorten their response time and provide context for identity actions to focus on the most meaningful threats as they occur.

Jeff Kukowski, who will act as CEO of the combined company, said: “Despite the incredible amount of money spent on security technology, front line security professionals in the most sophisticated security operations centers are challenged in managing and visualizing the full attack surface.

“Including identity information into the threat landscape alongside traditional network, endpoint and vulnerability information substantially reduces threat discovery and response time.”

Core Security was formerly acquired by Courion in 2015. This merger is pending regulatory approvals from US government agencies; the company is backed by K1 Investment Management and Toba Capital. 

Dominic Trott, research manager (IT Security-Europe) at IDC, told Infosecurity that this reflects what IDC is calling “platform or unified security.”

He said that vendors are responding to the complexity of enterprises' security product environments, and the desire to either better integrate or even simplify them, in two ways:

1. By offering better integrated portfolios that offer more than the sum of their parts

2. By aiming to become the platform around which both in-house and third party products are integrated

He added: “It looks to me like SecureAuth seeks to position itself as more of a platform player, centered around identity, by expanding into vulnerability management and threat response to offer greater value through the combination of the two capability areas.

“It is also notable that the areas in which Core operates (threat and vulnerability management) aim to help customers be more proactive in their approach to security – addressing the potential for an incident before it can occur, rather than responding to it after the event. This is another key feature of the shifting approach towards security that IDC views as being important given the shifting market context (i.e. the three 'mega-drivers' of the evolving threat landscape, digital transformation and regulatory reform).

“Thus, SecureAuth's plan to become a more strategic partner for customers by building an identity-centric platform approach that focuses on IAM and what IDC terms SVM (security and vulnerability management), which happen to be the two fastest growing segments of the security software market according to IDC's forecasts, is a sound move.”

Source: Information Security Magazine

Greater Manchester Police Still Running 1000+ XP PCs

Greater Manchester Police Still Running 1000+ XP PCs

England’s second largest police force is still running a worryingly high number of Windows XP PCs while many others have refused to disclose figures, according to a new Freedom of Information (FOI) request.

Most of the UK’s police forces, including Police Scotland, refused to tell the BBC how many XP machines are still operational, fearing it would put them at greater risk of attack.

However, Greater Manchester Police claimed that over 1500 PCs were still on the legacy operating system, amounting to around 20% of the total.

"The remaining XP machines are still in place due to complex technical requirements from a small number of externally provided highly specialized applications," a spokeswoman told the broadcaster.

"Work is well advanced to mitigate each of these special requirements within this calendar year, typically through the replacement or removal of the software applications in question.”

There’s no news on how these computers are being secured, although virtual patching typically helps to protect machines running unsupported software and systems until they can be upgraded.

Otherwise, they could represent a serious security risk, being vulnerable to covert info-stealing raids and ransomware attacks, among other threats.

Cleveland Police, the Police Service of Northern Ireland and the Civic Nuclear Constabulary all claimed less than 1% of machines run XP. Although this reduces their attack surface considerably, attackers theoretically only need to compromise one networked machine to do their worst.

The Metropolitan Police refused to respond to the FOI request, although it was revealed in June that 18,000 PCs were running the unsupported Microsoft OS at the UK's biggest force.

Elsewhere there was a more positive picture, with Gwent Police, North Wales Police, Lancashire Constabulary, Wiltshire Police and City of London Police all claiming to have no computers running XP.

David Emm, Kaspersky Lab principal security researcher, described the findings as 'alarming'.

“The fact that Microsoft issued emergency updates for XP and other unsupported systems in response to the WannaCry outbreak shouldn’t lure organizations into a false sense of security:  there’s no guarantee that this would happen for future attacks,” he added.

Source: Information Security Magazine

Viacom AWS Misconfig Exposes Entire IT Infrastructure

Viacom AWS Misconfig Exposes Entire IT Infrastructure

Viacom is the latest big-name firm to have misconfigured its cloud databases, in a security incident which could theoretically have allowed hackers to remotely control its entire IT infrastructure.

Security firm UpGuard made the discovery, when noted director of cyber risk research, Chris Vickery, found a “publicly downloadable” Amazon Web Services S3 cloud storage bucket containing 72 .tgz files.

Frequently mentioned in the files is “MCS” – thought to refer to Viacom’s Multiplatform Compute Services group, which supports the IT infrastructure for hundreds of the media giant’s brands, including MTV, Nickelodeon, Comedy Central, Paramount and BET.

“While Viacom has not confirmed to UpGuard the purpose of this bucket, the contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure,” explained UpGuard cyber resilience analyst, Dan O’Sullivan, in a blog post.

“Exposed within this repository are not only passwords and manifests for Viacom’s servers, data needed to maintain and expand the IT infrastructure of an $18 billion multinational corporation, but perhaps more significantly, Viacom’s access key and secret key for the corporation’s AWS account. By exposing these credentials, control of Viacom’s servers, storage, or databases under the AWS account could have been compromised.”

The accidental leak could have allowed attackers to launch faultless phishing campaigns using Viacom brands and infrastructure, while AWS access keys could have been used to spin off new servers to create a botnet, he warned.

UpGuard has been leading from the front in its discovery of countless misconfigured AWS installations, exposing poor security practices at the likes of Dow Jones, the US Department of Defense and Verizon.

A Viacom statement played down the seriousness of the leak:

“Once Viacom became aware that information on a server – including technical information, but no employee or customer information – was publicly accessible, we rectified the issue. We have analyzed the data in question and determined there was no material impact.”

Source: Information Security Magazine

Phishing Awareness Improves in 2017

Phishing Awareness Improves in 2017

Industries across the board have seen an improvement in 2017 in terms of identifying phishing attacks: On average, only about 24% of respondents in an analysis on average weren’t able to identify them in 2017, compared to 28% on average in 2016.

That’s according to Wombat Security’s 2017 Beyond the Phish Report, which analyzed more than 70 million questions and answers—a significant increase from 20 million in 2016—across 10 categories. It found that the number one problem area for end users, with 26% of questions missed, is protecting confidential payment card and healthcare information. Users struggled the most with questions around the use of shared login credentials.

Also, across categories, gains and losses in various categories offset each other. For instance, protecting mobile devices and information saw the most significant downgrade in performance year-over-year, with users struggling to understand the implications and ramifications of unsafe mobile applications and invasive permissions.

End-users across all industries answered a quarter of questions incorrectly around the protection and disposal of personally identifiable information.

As to industry demographics, employees in healthcare, transportation and retail performed the lowest on average across all categories. Also, all but one industry performed worse in questions around using the internet safely after positive numbers in 2016, showing that organizations cannot make assumptions about levels of risk from one year to the next.

 “We continue to see in our year-over-year results that reinforcement and practice are critical to learning retention. As with any learned skill, organizations need to work on cybersecurity awareness and knowledge to see continual improvements,” said Joe Ferrara, president and CEO of Wombat. “Organizations that focus on building a culture of security and empowering their employees to be a part of the solution develop the most sustainable and successful security awareness training programs. By sharing our data in the Beyond the Phish Report, we hope to be a part of building those cultures and helping organizations successfully change behavior in previously undiscovered areas of vulnerability.”

On the positive side, social media use saw the largest year-over-year improvement, a positive trend as the use of social media platforms continues to rise globally. Also, working safely outside the office showed a significant improvement year-over-year, which continues to be important to organizations as 43% of employees work remotely at least part of the time according to Gallup.

On average, end-users performed well on the new category around protecting oneself against scams, which focuses on the recognition of different types of social engineering techniques.

As in 2016, the best understood category for end-users focused on password safety, where only 12% of answers were incorrect in 2017.


Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/


Source: Information Security Magazine

Cybersecurity, AI, IoT All Major Drivers of the Internet's Future

Cybersecurity, AI, IoT All Major Drivers of the Internet's Future

There are many forces that are shaping the future of the internet today, from artificial intelligence (AI) and cyberthreats to the internet of things (IoT) and the rising role of government—all of which impact key areas, including digital divides, personal freedoms and rights, as well as media and society.

The internet Society (ISOC)’s 2017 Global internet Report found for example that AI and IoT, for all of their benefits to people’s personal and work lives, could result in a “surveillance society.” Therefore, ethical considerations should steer technology development and guide its use.

The survey also found wide-ranging fears that there are significant forces at work that may undermine the promise of the internet for future generations. For example, many believe that internet freedom will continue to decline around the world due to widespread surveillance, internet shutdowns and content regulation. At the same time, cybersecurity issues will pressure governments to take decisions that could erode the open and distributed global governance of the internet. Measures that may be intended to secure cyberspace may undermine personal rights and freedoms. Without a change of course, online freedoms may be nearing a point of irreversible decline, ISOC found.

“We cannot afford to let the ‘securitization’ of the Internet, and our digital lives, run rampant: there is a very real threat that online freedoms and global connectivity will take a back seat to national security,” ISOC said in the report. “Given the growing pressure from cyber-threats and security challenges such as terrorism, the ease with which our open societies and our freedoms and rights could become subordinate to pervasive surveillance regimes facilitated by AI and IoT should not be underestimated.”

There is also the view that the media landscape will become more difficult to navigate and that separating fact from fiction will become ever harder.

Yet, for all of the potential dangers, younger users and those in developing countries are particularly optimistic about the future of the internet and the ability to use the technology to better their lives and create their futures.

“We found that people share a sense of both optimism and disillusionment for the internet’s future in equal measure,” said Sally Wentworth, vice president of global policy for the ISOC. “While there are no guarantees of what lies ahead, we know that humanity must be at the center of tomorrow’s internet. The internet must continue to benefit people and create new social and economic possibilities to fulfill the premise on which it was built. We should heed the warnings in this report and begin to take the actions today that will help to keep the internet working for everyone, everywhere far into the future.”

To arrive at the findings, ISOC conducted three global surveys and two regional surveys that generated more than 3,000,000 responses from 160 countries. It also interviewed more than 130 Internet experts and users, and hosted more than 10 roundtables. While many in the ISOC’s global community shared the view that the internet is facing a period of unprecedented change, they also reaffirmed their belief in the core ideas that have shaped the internet to date.

“Our extensive research clearly shows that just as when the internet Society was founded 25 years ago, people believe that the internet’s core values still remain valid—that it must be global, open, secure and used for the benefit of people everywhere in the world,” Wentworth added.


Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/


Source: Information Security Magazine

Facial Recognition Rated Far More Ineffective Than Touch ID by Hackers

Facial Recognition Rated Far More Ineffective Than Touch ID by Hackers

Facial recognition was rated as the worst tool for authentication by a fifth of respondents in a recent survey of the hacking community—six times more often than fingerprint authentication.

It’s an interesting insight given the new iPhone’s shift to face-recognition security. In fact, facial recognition (19%) was ranked the second-worst tool overall, according to the Bitglass Data Games: Security Blind Spots report, which surveyed 129 white hat and black hat hackers that attended Black Hat 2017. Password-protected documents (33%) were ranked as the least effective security tool.

Other problematic approaches in the hackers’ view were access controls in general (15.5%); mobile device management and network firewalls (11.6% each). Fingerprint authentication was seen as an ineffective tool by only 3.1%.

Meanwhile, 59% of respondents identified phishing as the best data exfiltration strategy, as human error and ignorance will always be exploitable. Understandably, and in line with recent cyberattacks, malware and ransomware ranked second, at nearly 27%.

“Phishing and malware are threats made all the more potent by cloud adoption and the ease with which employees can share corporate data,” said Mike Schuricht, vice president of product management at Bitglass. “Many security technologies fail to address IT’s largest blind spots—unmanaged devices and anomalous access.”

In fact, the top five data security blind spots are unmanaged devices (61%), not-up-to-date systems, applications and programs (55%), mobile devices (36%), data at rest in the cloud (26%) and traditional on-premises security (20%).

On the motivation front, more than three quarters (83%) of respondents believe that hackers are spurred by the monetary value of stolen data, with ego and entertainment value playing only a small role.


Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/


Source: Information Security Magazine

IBM: Crypto-Mining Attacks Increased Six-Fold in 2017

IBM: Crypto-Mining Attacks Increased Six-Fold in 2017

Security researchers have warned of a sharp increase this year in cyber-attacks targeting enterprise computers with embedded crypto-currency mining tools.

IBM Managed Security Services (MSS) senior threat researcher, Dave McMillen, explained that the firm had seen more than a six-fold increase in attacks during the period January-August.

All of these attacks involved the same mining tool which supports several different currencies, although CryptoNote-based currencies such as Monero (XMR) were most popular among the black hats.

Typically, attackers are attempting steganographic techniques to hide such tools inside fake image files hosted on compromised web servers running Joomla or WordPress. Compromised JBoss Application servers are another target, said McMillan.

It’s unknown whether the malicious actors compromise the servers themselves first or scan for content management systems that have already been hacked.

Firms in manufacturing (29%), financial services (29%) and arts & entertainment (21%) sectors have experienced the highest volume of attacks over the eight-month period, indicating that these may have a larger number of vulnerable targets.

Attackers are increasingly interested not in IoT devices – although they may be easier to compromise – but in poorly protected servers.

“Server-based targets have a wider range of power — certainly much more than the plethora of IoT devices that typically come with very little computing power,” explained McMillan.

“We may soon see a worm designed to mass-infect computers ranging from enterprise-level servers right down to the one from which you’re reading this blog to mine coins. On monitored devices, such activity would typically affect the endpoint’s performance and may be detected and shut down promptly after mining commences.”

Cross-site scripting, brute force/default password attacks, command buffer overflow exploits, SQLi and command injection, and any other attack involving the injection of executable code could be used in a crypto-mining raid, he added.

IBM recommends prompt patching of bugs, changing default security credentials, app whitelisting, input validation on web apps and improved user awareness to help mitigate the threat.

Last week, Kaspersky Lab revealed it has blocked 1.65 million crypto-currency mining attacks on its customers already this year, a major increase on the 700,000 seen in 2014.

North Korean hackers are known to be actively focused on stealing Bitcoins and other online currencies to fund the regime there.

Source: Information Security Magazine

Uninspiring Lessons Threaten to Worsen Cyber-Skills Crisis

Uninspiring Lessons Threaten to Worsen Cyber-Skills Crisis

The vast majority (70%) of British adults believe their school didn’t teach them enough digital skills, with over a third claiming they would have considered a career in cybersecurity if lessons had been more interesting, according to McAfee.

The security vendor polled 2000 UK adults and found a clear link between today’s cyber-skills crisis and the quality of IT teaching in British schools.

In total, 36% claimed they would have considered a career in IT security if they’d been inspired more by IT lessons, while a whopping 88% said they didn’t even know there was such a thing as a career in cybersecurity whilst at school.

Nick Viney, McAfee VP of consumer, argued the research findings show that fixing chronic cyber-skills shortages will take more than updating the curriculum.

“However, teachers are not to blame. Our sector needs to attract new talent but that won’t happen if the industry cannot convey the wide variety of available job opportunities or the fast-paced and challenging nature of careers,” he added.

“The view of cybersecurity needs to change at a national level. While updates to the curriculum could help plug the skills gap and inspire a new generation of cyber experts, it won’t come into effect straight away. Instead we need to foster new education models and accelerate the availability of training opportunities for all.”

Back in February, industry non-profit (ISC)² warned the UK is heading for a skills “cliff edge” if younger cybersecurity professionals can’t be encouraged to join the industry to replace older retirees.

Two-thirds of UK organizations suffer from a cybersecurity skills shortage, with 47% claiming the reason is a dearth of qualified applicants.

Although there seemed to be an uptick in interest among students when the computing GCSE was launched in 2013, growth in new students seems to have slowed in recent years: 64,159 Year 11 students registered for the computer science exam in 2017, versus 60,521 in 2016.

What’s more, standards aren’t rising either. Some 41% gained a B-grade or higher in 2017, up just slightly from 40.3% last year, but down on 2015’s 43.4%.

Despite the high salaries on offer and the possibility of working at the cutting edge of an industry constantly evolving, students continue to eschew IT security, especially girls.

Girls accounted for only 20% of the new computer science GCSE this year. That’s reflected in the survey results, with 61% of male respondents claiming they were aware of the option of a career in cybersecurity when at school, compared with just 39% of female respondents.

Source: Information Security Magazine

Fitbit Vulnerabilities Expose Wearer Data

Fitbit Vulnerabilities Expose Wearer Data

The University of Edinburgh has released results from a new study that reveals how personal information can be stolen from Fitbit fitness bands.

Researchers analyzed the Fitbit One and Fitbit Flex wristbands, and discovered a way of intercepting messages transmitted between fitness trackers and the cloud servers where data is sent for analysis. This allowed them to access personal information and create false activity records, thus sharing unauthorized personal data with third parties.

These include online retailers and marketing agencies. As corporate wellness programs evolve, they include things like physical activity as a basis to offer discounts on insurance or rewards such as gift cards. Enterprising fraudsters could send such companies false activity data, thereby manipulating rates.

“These monetary incentives are being tied to and distributed based on user’s activity data,” said Dan Lyon, principal consultant at Synopsys, via email. “While the current monetary impact is small, the future is likely going to have this data being more and more valuable. Wearables in general are evolving to collect much more data to provide increased benefits, but this also increases the potential risks. Medical conditions, such as movement disorders, are currently being studied for early indicators related to physical activity through commercially available wearable devices.  It may be possible to identify that people have movement disorders such as Parkinson’s disease through specific profiles or changes in things like a person’s walking gait or arm movements.”

If this kind of analysis can be performed now or anytime in the future, it could be used to determine whether a person has a specific medical condition; and, the impact of this to the individual could be raised healthcare premiums or even denied coverage due to pre-existing conditions. Further, once the data is in the hands of an organization, it could potentially be sold for other purposes.

“While this kind of big data potential is still in its infancy, the risks are real and need to be understood,” Lyon said. “The wearables and their data transfer, storage and analysis systems need to be designed to minimize the risks. Organizations need to address security and privacy through a comprehensive effort to build security into the entire development process. The Fitbit example highlights one element of good design in that they are able to release software updates to address the issue.  The ability to deliver secure software updates is a crucial design element that many devices do not have."

The researchers have produced guidelines to help manufacturers remove similar weaknesses from future system designs to ensure users’ personal data is kept private and secure, and in response to the findings, Fitbit has developed software patches to improve the privacy and security of its devices.

“Our work demonstrates that security and privacy measures implemented in popular wearable devices continue to lag behind the pace of new technology development,” said Paul Patras, a researcher at the School of Informatics and part of the team who uncovered the issue. “We welcome Fitbit’s receptiveness to our findings, their professional attitude towards understanding the vulnerabilities we identified and the timely manner in which they have improved the affected services.”


Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/


Source: Information Security Magazine

3,000 Orgs Open to Equifax-type Breaches

3,000 Orgs Open to Equifax-type Breaches

The number of organizations that have downloaded vulnerable versions of the Struts2 component (CVE-2017-5638) totals 3,054, according to Sonatype.

Analyzing data from the Maven Central repository, the largest distribution point for Java open-source components, Sonatype found a startling lack of hygiene related to enterprise consumption of vulnerable Struts2 components, which were exploited in the massive breach at Equifax.

The company’s research reveals that in the last 12 months, organizations downloaded the exact version of Struts2 that was publicly disclosed as vulnerable on March 10, 2017 and subsequently exploited at Equifax between May and July 2017.

About 1,731 organizations downloaded versions of Struts2 that were publicly disclosed as vulnerable in July 2013, that resulted in numerous breaches in major organizations in the weeks following disclosure.

Also, a full 46,557 organizations downloaded a version of Struts and/or its sub-projects with known vulnerabilities despite perfectly safe versions being available.

In an effort to accelerate innovation and avoid redundant costs, organizations are embracing open source at an extraordinary pace. Last year alone, enterprise developers requested more than 100 billion components from repositories such as Maven Central, NPM and PyPI, Sonatype noted. Today, 80 – 90% of a typical application consists of open-source components, like Apache Struts. Yet, according to Sonatype’s 2017 DevSecOps Community Survey, 43% of organizations say they have no formal policy to govern the quality and security of open-source software components utilized in their applications.

Additionally, Sonatype’s 2017 State of the Software Supply Chain report found that 4.6% (1 in 22) of the components used in production software have known vulnerabilities.

“Like people who accidentally bring expired milk home from the grocery store, companies that download and deploy known vulnerable open-source components are simply not paying attention,” said Wayne Jackson, CEO of Sonatype. “The Equifax breach highlights the fact that perimeter security alone is not sufficient to protect personal data when hackers can easily exploit applications by targeting known vulnerable software components.”

Proposed legislation in the US and the General Data Protection Regulation (GDPR) soon to take effect in the European Union will hold organizations liable for poor software supply chain hygiene. In the past year in the US, the White House, four federal agencies, and the automotive industry have released new guidelines to improve the quality, safety and security of software supply chains.


Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/


Source: Information Security Magazine