Vulnerable IoT Vacuums, DVRs Put Homes at Risk

The internet of things (IoT) has seen a string of vulnerabilities across multiple devices, the latest of which are new vulnerabilities in Dongguan Diqee 360 robotic vacuum cleaners that could allow cybercriminals to eavesdrop, perform video surveillance and steal private data, according to Positive Technologies.

Researchers Leonid Krolle and Georgy Zaytsev uncovered the security issues in the Dongguan Diqee 360 vacuums, which most likely affect not only those made by the company but also those sold under other brand names. The devices affected by vulnerability CVE-2018-10987 are at risk of authenticated remote code execution: an attacker could send a User Datagram Protocol (UDP) packet that lets them execute commands on the vacuum cleaner as root.

A second vulnerability, CVE-2018-10988, involves a microSD card that reportedly could be used to exploit weaknesses in the vacuum's update mechanism. The researchers said that these vulnerabilities may also affect other IoT devices using the same video modules as Dongguan Diqee 360 vacuum cleaners. Such devices include outdoor surveillance cameras, DVRs, and smart doorbells.

That an authenticated attacker can gain access to the device in itself isn’t a major issue. “The difference is that this vacuum cleaner does not simply wander around the house, cleaning,” said Yotam Gutman, VP of marketing, SecuriThings. “It also serves as a mobile surveillance bot, with both day and night capabilities. Imagine that someone can get access to the device and watch the video feed, without the owners even realizing it. Even worse – someone can program the route of the device to drive around the house, filming the inside, which is very similar to what reconnaissance drones do in 'Star Wars' or other sci-fi movies."

"This is another incident/vulnerability that demonstrates just how hackable cheap connected devices are. Buyers of vacuum robots should really think if they want their nice little R2-D2-like helper to have reconnaissance capabilities.”

In related news, another vulnerability (CVE-2013-6117) has resurfaced despite being nearly five years old. Login passwords for tens of thousands of Dahua DVR devices were reportedly cached and indexed inside search results returned by IoT search engine ZoomEye.

Commenting on Twitter about the vulnerability, Ankit Anubhav, principal researcher at NewSky Security, wrote, “The attackers do not even need to write code to connect to the port as they can login to public scanner like ZoomEye which store the output of requests in their website and dump it.

“A new low has been achieved in the ease of hacking IoT devices. One does not even need to connect to the Dahua devices to get the credentials.”

Source: Information Security Magazine

Attention Airline Passengers, Your Data Is at Risk

A new report, Attention All Passengers: Airport Networks Are Putting Your Devices & Cloud Apps at Severe Risk, released by Coronet found that some of America’s airports are cyber-insecure.

The data collected identified San Diego International Airport, John Wayne Airport-Orange County (CA) International Airport and Houston’s William P. Hobby International Airport as lagging in cybersecurity.

Over the course of five months, vast amounts of data on device vulnerabilities and Wi-Fi network risks were collected from more than 250,000 consumer and corporate endpoints that traveled through America’s 45 busiest airports.

After extensive analysis, the data was compiled into an Airport Threat Score, which identified not only the most cyber-insecure airports but also the least vulnerable. Chicago-Midway International, Raleigh-Durham International and Nashville International ranked top of the list for low vulnerability.

According to the report, business travelers are at heightened risk of unintentionally facilitating unauthorized device access, data theft and malware/ransomware spread across their endpoints. Once devices are infected, the integrity and confidentiality of the employers’ essential cloud-based work apps, such as G Suite, Dropbox and Office 365, are jeopardized.

The data suggested that all flyers are at an elevated risk of connecting to unencrypted, unsecured or improperly configured networks, which can prompt identity theft, financial fraud, and personal files and picture theft.

“Far too many U.S. airports have sacrificed the security of their Wi-Fi networks for consumer convenience,” said Dror Liwer, Coronet’s founder and CISO.

“As a result, business travelers in particular put not just their devices, but their company’s entire digital infrastructure at risk every time they connect to Wi-Fi that is unencrypted, unsecured or improperly configured," said Liwer. "Until such time when airports take responsibility and improve their cybersecurity posture, the accountability is on each individual flyer to be aware of the risks and take the appropriate steps to minimize the danger.”

Source: Information Security Magazine

IBM Can't Contain Itself, Launches Nabla

IBM researchers have created a new approach to container isolation with the launch of Nabla containers, designed for strong isolation on a host. The containers achieve isolation by adopting a strategy of attack surface reduction to the host and using only nine system calls.

According to the Nabla website, IBM researchers have "measured exactly how much access to the kernel common applications exhibit with Nabla containers and standard containers by measuring the number of system calls containerized applications make and correspondingly how much kernel functions they access.

"A containerized application can avoid making a Linux system call if it links to a library OS component that implements the system call functionality. Nabla containers use library OS – aka unikernel – techniques, specifically those from the Solo5 project, to avoid system calls and thereby reduce the attack surface. Nabla containers only use 9 system calls, all others are blocked via a Linux seccomp policy."

There has been a fierce debate within the industry regarding whether isolated containers or virtual machines (VMs) are more secure. James Bottomley, IBM research engineer and Linux kernel developer, wrote a blog regarding 'one of the biggest problems about container vs Hypervisor security': "No-one has actually developed a way of measuring security, so the debate is all in qualitative terms, but no-one actually has done a quantitative comparison."

The researchers then tested Nabla on performance, and showed that it is "far and away the best containment technology for secure workloads given that it sacrifices the least performance over docker to achieve the containment." The blog also noted that Nabla was twice as secure as hypervisor-based containment.

There are some limitations to Nabla, however: the Nabla runtime only supports images built for Nabla, and it is still missing features that the team is currently working on.

Source: Information Security Magazine

Campaign's Election Data Exposed in Virginia

Robocent, a Virginia-based political campaign and robocalling company, left hundreds of thousands of voter records in a public, exposed and unprotected Amazon S3 bucket. This year has already seen a lineup of attempted attacks on local elections and campaigns, but this news comes less than a week after the indictment of 12 Russian officials for meddling in the 2016 US presidential election.

According to an 18 July blog post by Bob Diachenko, head of communications at Kromtech Security, Robocent’s self-titled bucket was reportedly "indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be found. Repository contained both audio files, with pre-recorded political messages for robocalls dials (*.mp3, *.wav), and voter data (*.csv, *.xls files)."

Voter names, phone numbers, addresses, ages, genders, jurisdiction breakdowns and political affiliations were among the information included in the data, which a Robocent co-founder told ZDNet was publicly available information that the company was only "keeping track of."

“Voter data is extremely sensitive and leaks like this highlight the need for organizations to maintain visibility into where their data is located within their cloud infrastructure and whether the storage system is risk appropriate given the sensitivity of the information. It’s easy for a fast-growing or seasonal organization like this one to lose track of that risk over time,” said Sam Bisbee, CSO, Threat Stack.

“Many companies have critical AWS cloud security misconfigurations. It’s an easy mistake to make. AWS customers need to take responsibility for their security by prioritizing infrastructure visibility. Find ways to proactively create transparency within the cloud to effectively manage the security of data and systems and you give your organization the best chance of defending itself against cybercriminals.”

The security of the 2018 midterm elections is a growing concern, which makes the lack of proper cybersecurity hygiene through virtually all job roles within the election ecosystem, private and public, problematic for security, said Ben Johnson, CTO and co-founder, Obsidian Security.

“Given this abysmal state of election security, one has to assume that any voter data that hasn’t already leaked soon will,” Johnson said. “Companies, campaigns and individuals are all racing to collect and utilize data without doing nearly enough to properly safeguard it. When you combine poor practices with lucrative data and motivated, sophisticated attackers, this picture will get worse before it gets better.”

Source: Information Security Magazine

Gov Slow to Address Urgent CNI Security Needs

A committee of MPs and peers in the UK has criticised the government for its lack of urgency in addressing the cybersecurity skills gap in relation to critical national infrastructure (CNI).

According to a report released by the Joint Committee on the National Security Strategy, the shortage in specialist skills and deep technical expertise is one of the greatest challenges faced by the UK's CNI operators and regulators in relation to cybersecurity. The report also calls for ministers to step forward and take the lead in developing a strategy to give drive and direction.

The committee references the May 2017 WannaCry attack on the National Health Service, believing it demonstrated a fundamental need to ensure the UK is able to keep CNI secure from cyber-threat. They go on to say that a lack of detailed analysis of which CNI sectors and specialisms are most acutely affected is impacting on the government’s ability to understand, and therefore address, the gap between skills supply and demand.

"Our Report reveals there is a real problem with the availability of people skilled in cybersecurity but a worrying lack of focus from the government to address it," said chair of The Joint Committee, Margaret Beckett MP. "We’re not just talking about the ‘acute scarcity’ of technical experts which was reported to us, but also the much larger number of posts which require moderately specialist skills.

"We acknowledge that the cybersecurity profession is relatively new and still evolving and that the pace of change in technology may well outstrip the development of academic qualifications. However, we are calling on government to work closely with industry and education to consider short-term demand as well as long-term planning. As a very first response, government must work in close partnership with the CNI sector and providers to create a cybersecurity skills strategy to give clarity and direction. It is a pressing matter of national security to do so."

In its recommendations, the committee proposed that the government should address the need for continuing professional development for teachers and lecturers, enabling their knowledge to keep pace with the rapidly changing cybersecurity landscape. It also references increasing the number of women in the cybersecurity workforce, saying that a version of the CyberFirst Girls Competition could be used to attract returning mothers to the cybersecurity profession.

"I sympathise with the NCSC and others who have been tasked with addressing the cyber-skills gap for a few years now," said Eerke Boiten, professor of cybersecurity, De Montfort University. "They have pumped significant amounts of money out of the five-year Cyber Security Strategy into various initiatives, not all of them looking likely to be productive. In particular, an initiative to introduce cyber security at secondary schools contained no thought on how to integrate this with the computing curriculum.

"I think that both for the medium term and the gender balance issue, secondary schools have to be the focal point. The drop in take up and the general perception of the Computer Science A level are serious concerns. Increasing the number of highly qualified teachers is indeed essential, but calling for more CPD is not going to be effective until there is resource for it at a time when most secondary schools are being cut financially. 

"The government would also do well to note the points made about recruiting from abroad," he continued. "Brexit makes any job in the UK unattractive for most EU applicants; the limits on Tier 2 visas also have an adverse effect. The NSS recommendations gloss over this only where they talk of the 'implications, risks and opportunities of Brexit'."

A standalone skills strategy, promised by government in November 2016 and which would frame and give impetus to its various efforts, will be published by December 2018.

Source: Information Security Magazine

US Retail Weak in Encryption, Security Practices

A large majority of US retailers have experienced a breach, which according to the 2018 Thales Data Threat Report exceeds the global average. The report found that 75% of retailers have experienced a breach in the past year, compared to 52% in 2017.

US retail lags behind the global average when it comes to implementing encryption, with only 26% of retailers reporting that they have begun implementation. Still, retail is more inclined to store sensitive data in the cloud as widespread digital transformation is under way, with 95% of retail organizations expected to use sensitive data in an advanced technology environment, such as cloud, internet of things (IoT) and containers. More than half of respondents said they believe sensitive data is currently being used in these environments without the proper security protocols.

“This year’s significant increase in data breach rates should be a wake-up call for all retail organizations. Digital transformation is well under way and the business benefits of the cloud, big data, IoT and mobile payment technologies are compelling and fueling widespread adoption,” Peter Galvin, chief strategy officer, Thales eSecurity, said in a press release.

“However, with the flow of sensitive data through all of these disparate platforms and technologies, the attack surface increases exponentially and with it the risk of a data breach.”

The report found that in 2018, retail data breaches more than doubled, from 19% in 2017 to 50% this year, making retail the second-highest vertical to experience a data breach in the last year, ahead of healthcare and financial services and only slightly behind the U.S. federal government. 

“These increases come as no surprise to retailers. While nearly 95% of retailers acknowledge vulnerability to data breaches, now almost half recognize they are extremely vulnerable. This is an increase of 30% from the previous year,” said Garrett Bekker, principal analyst for information security at 451 Research.

Even though 84% of retailers plan to increase IT security spending, the report indicates that their spending plans don’t correlate with the most effective defenses.

“While this trend can be partially attributed to US retailers aggressively pursuing a multi-cloud strategy, these organizations continue, year after year, to spend on the same security solutions that worked for them previously. With increasingly porous networks and expanding use of external resources (SaaS, PaaS and IaaS most especially), traditional endpoint and network security are no longer sufficient to protect sensitive data,” said Bekker.

Source: Information Security Magazine

Federal Agencies Struggle with DMARC Compliance

According to new research from Proofpoint, the majority of federal agencies are behind schedule when it comes to complying with the Department of Homeland Security’s (DHS's) Binding Operational Directive (BOD) 18-01. With less than 90 days remaining for agencies to secure their email systems, some agencies have not started their Domain-based Message Authentication, Reporting & Conformance (DMARC) email authentication compliance journey for any of their domains, according to the research.

Email authentication, when deployed, can prevent spoofing for the trusted domains of federal agencies that are in compliance, but a lot of work goes into implementing and enforcing DMARC. Federal agencies run the risk of blocking legitimate email, and DHS’s aggressive timelines have created a lot of work for agencies that are trying to be compliant.

Proofpoint’s research found that 28% of agencies have not yet begun to move toward DMARC compliance. Based on this finding, it is unlikely that all agencies will reach DMARC compliance for each of their domains by the October 2018 deadline – given that this deadline is only a few short months away, the research concluded.

Of the agencies that have started DMARC compliance, about 72% are working on their implementation project themselves and gathering DMARC data, and only 19% of agencies have engaged a vendor to help them implement email authentication. Agencies are delayed in complying with the deadline, and, according to Rob Holmes, VP of email security, Proofpoint, what is going on behind the scenes is making compliance slower than anticipated.

“We anticipate there is a gap in compliance as BOD 18-01 was issued with little advance notice and without a reserved budget," said Holmes. "Without having previously budgeted to become compliant within the DHS’s deadlines, many agencies have tried to work within the internal resources they have available.”

Federal agencies have been charged with many different pieces in their overall security portfolios, and DMARC authentication, though critical, is only one of those.

“A small percentage of agencies have blind DMARC deployments and are not gathering any data at all,” Holmes said. “Of the total domains included in the directive, 36% have already achieved the one-year compliance standard of publishing a valid SPF record and a valid DMARC record with a 'reject' policy. A further 22% have satisfied the January 2018 standard of publishing a DMARC with a 'monitor' policy but have more work to do, while 42% are not even compliant with the January milestone, due to SPF and/or DMARC gaps.”
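The three buckets Holmes describes can be checked mechanically from a domain's published TXT records. The following is an added example, not Proofpoint's or DHS's tooling; the DNS answers are constructed for hypothetical domains, and it assumes (from the "SPF and/or DMARC gaps" remark) that the January 2018 stage also requires a valid SPF record.

```python
"""Classify a domain's SPF and DMARC records against the BOD 18-01 stages
named in the article: 'reject' (one-year standard: valid SPF plus DMARC with
p=reject), 'monitor' (January 2018 standard: DMARC published, not enforcing)
or 'gap' (SPF and/or DMARC missing or invalid). Added example; the DNS
answers below are constructed, not real agency records."""
from typing import Dict, List, Optional

DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into tag/value pairs.

    Returns None when the record is not usable: the first tag must be
    v=DMARC1 and a p= tag carrying a known policy must be present.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue            # tolerate a trailing ';'
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first = record.strip().split(";", 1)[0].replace(" ", "")
    if first.lower() != "v=dmarc1":
        return None
    if tags.get("p", "").lower() not in DMARC_POLICIES:
        return None
    return tags


def spf_is_valid(domain_txt: List[str]) -> bool:
    """Exactly one TXT record starting with v=spf1; two or more SPF records
    is a permanent error for receivers (RFC 7208), so they count as a gap."""
    spf = [r for r in domain_txt if r.lower().startswith("v=spf1")]
    return len(spf) == 1


def effective_dmarc(dmarc_txt: List[str]) -> Optional[Dict[str, str]]:
    """Receivers abandon DMARC processing when _dmarc.<domain> returns more
    than one DMARC record (RFC 7489 section 6.6.3), so treat that as none."""
    found = [r for r in dmarc_txt
             if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(found) != 1:
        return None
    return parse_dmarc(found[0])


def bod_18_01_stage(domain_txt: List[str], dmarc_txt: List[str]) -> str:
    """Map a domain's records onto the article's three buckets.
    Assumption: the January stage also needs a valid SPF record."""
    dmarc = effective_dmarc(dmarc_txt)
    if dmarc is None or not spf_is_valid(domain_txt):
        return "gap"
    if dmarc["p"].lower() == "reject":
        return "reject"
    return "monitor"    # p=none or p=quarantine: published, not enforcing


# Constructed DNS answers: (TXT at the domain, TXT at _dmarc.<domain>).
SAMPLE_DNS = {
    "enforcing.example": (
        ["v=spf1 include:_spf.mail.example -all"],
        ["v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example"],
    ),
    "monitoring.example": (
        ["v=spf1 ip4:192.0.2.0/24 ~all"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"],
    ),
    "quarantine.example": (["v=spf1 -all"], ["v=DMARC1;p=quarantine"]),
    "two-spf.example": (                        # duplicate SPF: permerror
        ["v=spf1 -all", "v=spf1 include:_spf.mail.example ~all"],
        ["v=DMARC1; p=reject"],
    ),
    "no-dmarc.example": (["v=spf1 -all"], []),
}


def stage_report(dns=SAMPLE_DNS) -> Dict[str, str]:
    """Stage for every domain in the constructed answer set."""
    return {d: bod_18_01_stage(txt, dmarc) for d, (txt, dmarc) in dns.items()}


if __name__ == "__main__":
    for domain, stage in stage_report().items():
        print(f"{domain:22s} {stage}")
```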

Source: Information Security Magazine

Web Forums, Social Media Targets for Credentials

Web forums were the greatest targets for credential spills during 2017, which saw more than 2.3 billion credentials from 51 different organizations reportedly stolen, according to a new report from Shape Security. Of those 51 different organizations, companies providing online services contributed the largest number of compromised credentials, with over 2 billion credential spills. In total, the criminal enterprise is costing US businesses over $5bn a year.

The report, released today, studied the life cycle of stolen credentials, taking a holistic, behind-the-scenes look at the extent to which credentials can be monetized and weaponized long after a breach occurs. Because web forums serve as hyper-specialized communities of online users, they tend to have lower membership and thus a smaller collection of credentials. “However, they are easy targets for credential spills because many are volunteer-run and lack a corporate security or IT function," the report stated. While web forums were found to be the most frequently targeted, they are not actually the source of the greatest number of spills.

“Social media sites were typically responsible for the largest spills. This makes sense because those organizations rely on a network effect to succeed, so they are likely to have the largest user bases,” the report said.

While the report found the frequency of credential spills remained consistent for two years, the average size of spills in 2017 was lower than in 2016. “Additionally, over the course of two years, spills have been reported on a very regular basis; in 2017, the longest gap between reports was 31 days,” it said.

On average, there’s a 15-month window between credentials being compromised and the breach, during which time criminals carry out their most damaging credential stuffing attacks. Credential stuffing attacks make up from 58% to 90% of login traffic, depending on the industry. According to the report, the US consumer banking industry suffers almost $50m potential losses each day due to credential stuffing attacks.

In the banking industry alone, credential stuffing attacks cost an average of $1.7bn annually. In the e-commerce industry, the average cost jumped to $6bn annually. Over time, though, the value of the stolen credentials decreases. As more people have access to those credentials, they fall out of favor for criminals.

Source: Information Security Magazine

Millions of Health Records at Risk Following LabCorp Suspected Breach

LabCorp, a healthcare diagnostics company, has shut down its systems after a suspected network breach, which could have put millions of health records at risk. 

In a report to the United States Securities and Exchange Commission, the company announced that during the weekend of July 14 2018, it had detected suspicious activity on its IT network and immediately took specific systems offline. The company said that the suspicious activity has been detected only on LabCorp Diagnostics systems, and that "there was no indication that it affected systems used by Covance Drug Development."

LabCorp provides diagnostic, drug development and technology-enabled solutions for more than 115 million patients per year, according to its website. It typically processes tests on more than 2.5 million patient specimens per week and supports clinical trial activity in around 100 countries. It has over 1900 patient service centers in the US. 

The filing itself does not go into detail as to which systems might have been affected, but concerns over patient data are justified. In August 2017, the NHS suffered a data breach in which 1.2 million patient names were hacked, and another breach resulted in 655,000 patient records from three hacked healthcare providers being sold.

According to Healthcare IT News, in June 2018 LabCorp successfully won a court battle over an alleged HIPAA violation and was accused of not providing enough privacy protection at its Providence Hospital computer intake system. LabCorp argued an individual can’t bring a lawsuit under HIPAA and filed a motion to dismiss. The judge agreed.

HIPAA has also published that there have been 2181 healthcare data breaches since 2009, the largest being Anthem Inc. which had 78.8 million records stolen from a database hack.  

"We take it for granted that doctors and medical professionals will have complete access to our health profiles and background… however the very nature of this access, and the vast amount of information held within the healthcare industry, make it a prime and profitable target for criminals," wrote Suzanne Widup, senior analyst, Verizon Security, back in March 2018. "Knowing which security threats are out there, and what steps to take to proactively prevent security incidents is vital if personal healthcare information is to be kept safe."

While it has not been confirmed by LabCorp who is behind the suspected attack, Verizon's 2018 Protected Health Information Data Breach Report highlighted that healthcare was the only industry in which internal actors were the biggest threat to an organisation, driven by financial gain or looking up personal records of celebrities.

Source: Information Security Magazine

US Vote-Counting Computers Had Flaw, Allowed Hackers Access

In the US, vote-counting computers used in government elections contained a security vulnerability which could have been used to affect election results. The systems, which were sold by Election Systems & Software (ES&S), contained remote-access software and were sold between 2000 and 2006, with some machines still being used as late as 2011.

Election-management systems are not voting terminals – they are in county election offices and contain software that in some counties is used to program all the voting machines used in the county. The systems also tabulate final results from voting machines. 

In a report by Motherboard, in a letter sent to Senator Ron Wyden (D-Oregon), which came to light on July 17 2018, the company admitted that it had "provided pcAnywhere remote connection software to a small number of customers between 2000 and 2006." The article goes on to say that originally, in February 2018, ES&S had denied installing the software on any of the election systems it sold and said: "None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software." The company's machines were used in a number of states and at least 60% of ballots cast in the US in 2006 were counted on the systems.

This news comes alongside the continuing investigations into suspected Russian meddling in the 2016 US presidential elections. On July 14 2018 Deputy Attorney General Rod Rosenstein announced that 12 individuals had been charged as part of the investigation.

During 2006, hackers stole the source code for the pcAnywhere software, which wasn't made public knowledge until 2012 when a hacker posted some of the code online. This forced Symantec, the distributor of the software, to admit it had been stolen. Security researchers also found a vulnerability in the software that would allow an attacker to seize control of a system, without the need to authenticate with a password. Researchers at Rapid7 also conducted research and found that 150,000 online computers were configured to allow direct access to hackers.  

Alarmingly, pcAnywhere was still being used in 2011 by Venango County, Pennsylvania, and it has not been clear whether the security flaws were patched or if there could have been more vulnerabilities. According to Motherboard, ES&S wrote in its letter to Wyden that it would be willing to meet privately in his office to discuss election security, but when the company was asked to attend a hearing on election security last week before the Senate Committee on Rules and Administration, ES&S declined to send anyone to answer Senate questions.

Wyden said he’s still waiting for ES&S to respond to the outstanding questions he sent the company in March. “ES&S needs to stop stonewalling and provide a full, honest accounting of equipment that could be vulnerable to remote attacks,” he told Motherboard. “When a corporation that makes half of America’s voting machines refuses to answer the most basic cybersecurity questions, you have to ask what it is hiding.”

Source: Information Security Magazine
