
New Variants Found in Spectre and Meltdown

Two new variants of the Meltdown and Spectre vulnerabilities that can allow an attacker to gain access to sensitive information have been disclosed, according to a 21 May US-CERT alert.

Google and Microsoft announced that the new variants, 3a and 4, known respectively as Meltdown and Spectre, affect the central processing unit (CPU) hardware implementations, making them vulnerable to side-channel attacks.

Jann Horn, a security researcher at Google Project Zero, reported the issue after finding a new way to attack microprocessors while testing speculative execution behavior on Intel and AMD processors.

US-CERT wrote, “Meltdown is a bug that 'melts' the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.”

Rob Tate, distinguished security researcher at WhiteHat Security, said, "Once they can get code to run locally on a victim’s computer, highly skilled hackers have many tools at their disposal to expand their control and take over the machine. What made Meltdown/Spectre special was its universal nature in both working on many machines and being useful in many different scenarios on a given machine."

The vulnerabilities were assigned Common Vulnerabilities and Exposures (CVE) identifiers. Variant 3a, a rogue system register read, was assigned CVE-2018-3640, while Variant 4, known as Speculative Store Bypass (SSB), was assigned CVE-2018-3639. Tate said Variant 4 is being discussed in a fairly narrow scope: accessing specific unpatched browsers' private data.

"If an attacker has access to run code on a machine, there are already a number of simpler (and more universal) techniques to try before resorting to this, and it’s far from the wide-reaching implications of the original Spectre. So, while patches should be applied when possible, Intel is right to call this a Medium," said Tate. 

The more broadly useful a vulnerability is, the more it simplifies an attacker's process, and the easier it becomes for less skilled attackers to compromise more computers.

In an industry where people are trained to expect speed, it's not uncommon to see the vast majority of people choose speed over security, said Renaud Deraison, co-founder and CTO of Tenable. “The speed of the chips inside our personal computers, our tablets and our phones is critical to their performance – everybody knows that."

“In this case," continued Deraison, "the vulnerabilities take advantage of the very features that make them fast. Intel optimized for performance and later learned they were facing a trade-off between security and performance."

In their security advisory, Microsoft wrote, “At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate.”

Source: Information Security Magazine

Georgia Votes in Primary amid Cybersecurity Suit

Despite an ongoing federal lawsuit against Georgia's Secretary of State Brian Kemp and others over the cybersecurity of Georgia's voting machines, today's highly competitive primary race for governor puts the focus on paperless voting machines, according to the Augusta Chronicle.

Georgia is one of just five states with an all-electronic voting machine system that has no independent paper backup, leaving it especially vulnerable to election interference through hacking. Across the nation, about 20% of registered voters use paperless machines. While election officials are on board with upgrading these systems, they do say that the machines are accurate, according to the Augusta Chronicle.

"In many jurisdictions, the multimillion-dollar cost is a hurdle," the Augusta Chronicle said, but since the confirmation that Russians did indeed meddle in the 2016 election, many states are taking steps to replace the machines that do not produce paper records.

"In Georgia, the cost to switch to paper-based machines in the state’s 159 counties ranges from $25 million to more than $100 million, depending on the technology adopted," the Augusta Chronicle reported. 

But issues with voting accuracy are not exclusive to statewide elections. On 15 May, the Atlanta Journal Constitution reported, "A Fulton County judge ordered local elections officials to make available documents linked to a state investigation into potential irregularities of the December runoff that yielded a narrow victory for Mayor Keisha Lance Bottoms."

WXIA 11Alive reported that "under Kemp’s watch there was a massive breach in 2015, potentially exposing the personal data of more than six million Georgians, traceable to one employee," but Kemp said extensive security measures and cyber-defense upgrades make the state’s current system reliable.

Security concerns, combined with all of the reported irregularities, have culminated in the law firm Morrison & Foerster representing, pro bono, a group of Georgia voters in the lawsuit, Curling v. Kemp, with the aim of making Georgia’s voting machines more resistant to cyber-attacks.

Morrison & Foerster partners David Cross and John Carlin are leading the team of attorneys working on the Curling v. Kemp case, and have secured an agreement over the preservation issues of the direct-recording electronic (DRE) voting machines.

“The goal of the suit," said Cross, "is to get the state to switch to a system (before the November election) that includes voter-marked paper ballots so votes can be audited and verified. In the time remaining before the midterms, that could mean having everyone cast a paper absentee ballot as one means of achieving this goal in the short term."

There are also varying options for long-term solutions based on examples from other states. "The primary vulnerability is the ability to alter votes cast via DREs without a paper record to audit or otherwise verify the electronic voting records. Other vulnerabilities include the manner in which [Georgia] has stored voter registration information and the ability to access and even alter that information in ways that could affect the election. For example, a hacker could change assigned polling locations for certain voters to create confusion when they go to vote and effectively prevent them from voting,” Cross said.

Source: Information Security Magazine

3.2 Million Files Revealed on AWS S3 Bucket

A Los Angeles County nonprofit that provides health and human services accidentally exposed about 3.2 million files on an unsecured AWS S3 bucket, according to the UpGuard cyber risk team.

Data belonging to 211 LA County, a nonprofit organization serving LA County, was reportedly left publicly exposed online. The content revealed in the downloadable files was widespread. In addition to access credentials for the 211 system operators and email addresses for contacts, "included in the more than 3 million rows of call logs are 200,000 rows of detailed notes," UpGuard wrote in a 17 May post.

The call notes included personally identifiable information for people reporting the problem. Among those were “persons in need, and, where applicable, their reported abusers, including graphic descriptions of elder abuse, child abuse, and suicidal distress, raising serious, large-scale privacy concerns,” according to UpGuard.

The information, stored in an Amazon AWS S3 bucket located at the subdomain “lacounty,” was inadvertently misconfigured to be publicly and anonymously accessible, according to UpGuard. “Though some of the files in the bucket were not publicly downloadable, those that were included Postgres database backups and CSV exports of that data, with hundreds of thousands of rows of sensitive personal information,” the UpGuard post stated.

While the leak itself is not remarkable in size, the exposed information is highly sensitive, and is possibly the ultimate example of how important it is to know if the service you're using is risk-appropriate for the information being stored, said Sam Bisbee, CSO, Threat Stack.

“When you see an organization expose such sensitive data, it should serve as a reminder that companies must maintain an understanding of whether the service they use is risk-appropriate for the type of data they store there,” Bisbee said.

While UpGuard made efforts to contact 211 LA County after their 14 March analysis that revealed the sensitive information was accessible, they were not able to connect with a member of the 211 LA County information security team until 24 April.

UpGuard confirmed that after only 24 hours, the bucket was no longer publicly accessible. “Amazon S3 access rules can be set for both the bucket as a whole and for the files within it. In the case of the “lacounty” bucket, permission settings allowed anyone to list the contents; some of the files inside, however, had additional rules preventing public users from downloading them,” the UpGuard post said.
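The bucket-level versus object-level permission split that UpGuard describes can be checked offline against ACL data. The following Python is an added example (not code from the article, UpGuard or Threat Stack); it takes ACL dicts in the shape returned by boto3's get_bucket_acl and get_object_acl, uses constructed sample ACLs rather than real data from the incident, and classifies which objects the public can merely list versus also download.

```python
"""Classify S3 ACL grants for public exposure.

Added example (not code from the article or from UpGuard). It operates on
ACL dicts shaped like the responses of boto3's get_bucket_acl() and
get_object_acl(), so it runs offline on the constructed samples below.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Predefined S3 groups that appear as grantee URIs in ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# Grants that expose content. On a bucket ACL, READ lets the grantee list the
# keys; on an object ACL, READ lets the grantee download the object itself.
READ_LIKE = {"READ", "FULL_CONTROL"}


def public_permissions(acl: dict) -> set[str]:
    """Permissions granted to AllUsers or AuthenticatedUsers in one ACL."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perms.add(grant["Permission"])
    return perms


def is_public_readable(acl: dict) -> bool:
    return bool(public_permissions(acl) & READ_LIKE)


@dataclass
class ExposureReport:
    bucket: str
    listable: bool                                           # anyone can enumerate key names
    downloadable: list[str] = field(default_factory=list)    # fetchable by anyone
    listed_only: list[str] = field(default_factory=list)     # name visible, body not


def assess_bucket(bucket: str, bucket_acl: dict, object_acls: dict[str, dict]) -> ExposureReport:
    """Combine the bucket ACL with per-object ACLs into one exposure report.

    ACLs are only one of S3's access layers; a bucket policy can still grant
    (or deny) public access, so a clean ACL report is necessary, not sufficient.
    """
    report = ExposureReport(bucket=bucket, listable=is_public_readable(bucket_acl))
    for key, acl in object_acls.items():
        if is_public_readable(acl):
            report.downloadable.append(key)
        elif report.listable:
            report.listed_only.append(key)
    return report


# --- Constructed sample ACLs (not real data from the incident) -------------
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID", "DisplayName": "owner"}

SAMPLE_BUCKET_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        # Misconfiguration: the whole world may list the bucket's contents.
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

SAMPLE_OBJECT_ACLS = {
    # Public-read object: listable and downloadable by anyone.
    "db-backup.sql": {"Owner": OWNER, "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
    # Owner-only object: its name leaks via the bucket listing, its body does not.
    "call-notes.csv": {"Owner": OWNER, "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    ]},
}


if __name__ == "__main__":
    r = assess_bucket("lacounty-example", SAMPLE_BUCKET_ACL, SAMPLE_OBJECT_ACLS)
    print(f"{r.bucket}: publicly listable={r.listable}")
    print("  downloadable by anyone:", r.downloadable)
    print("  listed but not downloadable:", r.listed_only)
```

To run this against a live account, feed it the `Grants` lists from `get_bucket_acl` and `get_object_acl`; the classification logic is unchanged.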

Threat Stack research indicates that nearly three-quarters of companies have critical AWS cloud security misconfigurations. “So, every reported cloud data leak is a lesson to companies that they need to proactively find ways to create transparency within their cloud infrastructure so that they can effectively manage the security of their data and systems,” Bisbee said.

Source: Information Security Magazine

Global Fraud Hits £3.2 Trillion

Experts have urged organizations to focus more on fraud prevention after new figures were released revealing that doing so could add a staggering £44 billion to the UK economy.

Researchers at the University of Portsmouth’s Centre for Counter Fraud Studies teamed up once again with tax and advisory firm Crowe, Clark and Whitehill to produce The Financial Cost of Fraud 2018 report.

Once again, the findings are based on representative samples of items of expenditure in each organization and whether incorrect payments are the result of error or fraud. In total, it reviewed 600 loss measurement exercises related to £15.6 trillion of expenditure in 40 sectors globally.

Fraud is costing the global economy £3.2 trillion annually, and in the UK stands at £110bn.

Although this is a drop from last year’s estimate of £125bn, in some organizations losses can reach more than 10% of total expenditure, the report claimed.

Since 2008, there has been a massive rise of 49.5% in average losses, which amount to 6.8% of total expenditure over the period.

Head of forensic and counter fraud at Crowe, Clark and Whitehill, Jim Gee, told Infosecurity that the drop in fraud is simply a result of Sterling foreign exchange losses.

“Regarding cyber-fraud, this is one of the key drivers of this increase since 2007 and with increasing digitization, it is possible to perpetrate fraud on an industrial scale,” he added.

“The other three drivers of growth are: a decline in adherence to common moral and ethical norms; more and more transactions being undertaken by screen to screen, and fraudsters feeling more distant from and therefore less vulnerable to their victims; and the faster pace of business life meaning that ‘controls’ lag further and further behind.”

The findings come after other reports showed a continued uptick in cyber-driven fraud in the UK. Cifas claimed identity fraud jumped 1% last year, with cyber comprising 84% of the figure.

In addition, a PwC report from February revealed that almost half of UK organizations (49%) have suffered from cyber-related fraud in the past two years.

Crowe, Clark and Whitehill argued that visibility into the problem is a vital first step towards mitigating fraud risk.

“It is also the case that work to measure losses is highly cost-effective,” it said. “Efforts to reduce losses are helped by greater knowledge about the scale of the problem. The data shows that organizations which re-measure the same area of expenditure have consistently lower loss rates.”

Source: Information Security Magazine

DrayTek to Issue New Firmware After Zero-Day Attacks

Taiwanese router-maker DrayTek is working to issue an emergency security update after reports emerged that customers had been hit by a zero-day attack.

The vulnerability in question allowed hackers to change the router's DNS settings, enabling them to send unsuspecting users to phishing or other malicious sites.

An urgent notice posted by the company read as follows:

“We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers. In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router. The reports appear to show that DNS settings are being altered. Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible.”

DrayTek urged users in the meantime to check their DNS settings and correct them if altered or restore them from a config back-up.

“We also recommend only using secured (TLS1.2) connections for web admin (for local and remote admin) and disable remote admin unless needed, or until firmware is updated,” it added.

The affected models are: Vigor2120; 2133; 2760D; 2762; 2832; 2860; 2862; 2862B; 2912; 2925; 2926; 2952; 3200; 3220; BX2000; 2830nv2; 2830; 2850; and 2920.

There are thought to be in the region of 800,000 DrayTek routers in the wild globally, although it’s not known how many are vulnerable to the bug.

Nominet researcher Sion Lloyd argued that because DNS is the underlying protocol that directs internet traffic, it is overlooked by admins and therefore seen as a prime target by hackers.

"In order to mitigate or prevent attacks prior to patching hardware, security teams should pay heed to their threat intel feeds, which will include blacklisted domains/IP addresses, and make sure this data is applied in a timely manner,” he added. “Blocking known bad identifiers is a game of cat and mouse, but it is an effective way of severing connections to servers which are out to abuse your users. Also monitoring for changes to configuration files or DNS traffic being sent to new or unexpected servers would give an alert that something might require remediation."

Source: Information Security Magazine

Bank Robbing? There's a Vulnerable Web App for That

Gone are the days when criminals masked their identities and busted into a bank declaring, "This is a stick up!" According to Bank Attacks 2018, published today by Positive Technologies, cybercriminals are reaping big financial gains with relatively low risk by going online to rob banks. 

Analysis of information systems performed by the company for banks over the past three years found that attackers can obtain unauthorized access to financial applications at 58% of banks.

While banks are well armed against external attacks with strong perimeter protections, they remain susceptible to insider threats, according to the report. "Whether by puncturing the perimeter with social engineering, vulnerabilities in web applications, or the help of insiders, as soon as attackers access the internal network, they find friendly terrain that is secured no better than companies in other industries," Positive Technologies wrote in a press release.

Using techniques similar to those of the Cobalt gang, known for its attacks on financial institutions, penetration testers compromised the workstations used for ATM management at one-quarter (25%) of the banks tested. 

The report also noted that during the reconnaissance stage of collecting information about the target, many criminals search for malicious insiders on web forums. These unscrupulous insiders are willing to share company information for a fee. Using stolen credentials and phishing campaigns are the most common and effective techniques criminals use to access banks because "it is both difficult and risky to organize attacks on servers or web applications, since the attackers are very likely to get caught," the report said.

Vulnerabilities in web applications leave many banks at risk. Beyond that, remote access is another dangerous feature that often leaves the door open to access by external users. "The most common types are the SSH and Telnet protocols, which are present on the network perimeter of over half of banks, as well as protocols for file server access, found at 42 percent of banks," the report said.

"The good news is that it's possible to stop an attack and prevent loss of funds at any stage, as long as the attack is detected in time and appropriate measures are taken," said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, in the press release.

"Attachments should be scanned in a sandbox, without depending on endpoint antivirus solutions. It's critical to receive and immediately react to alerts with the help of an in-house or contracted 24/7 security operations center. In addition, SIEM solutions substantially simplify and improve the effectiveness of incident management."

Source: Information Security Magazine

#IRMS18 Can Blockchain be Compliant with GDPR?

Speaking at the IRMS Conference in Brighton, Dyann Heward-Mills, CEO of HewardMills, focused on the emergence of Blockchain and the need for GDPR compliance.

She called the relationship between the regulation and distributed ledger “critical” as data protection officers need to understand its impact, how it sits with data subject rights and the Right to be Forgotten.

“Critical is the implementation of privacy by default and design with the technology,” she said. “When presented with a technology like Blockchain, what does a DPO do? Well you conduct your data protection impact assessment over the technology.”

She agreed that it is “very robust and secure and unlikely to be encountering challenges” regarding loss of personal data, but how does it sit with data retention?

From a regulatory perspective, Heward-Mills acknowledged that no central regulation is required, but asked whether one is desired. On how the GDPR applies to Blockchain, she asked the audience whether encrypted data and metadata are still considered personal information.

“Where there are decentralized systems, how does the legislation actually apply? Is it still fit for purpose?”

Looking at the key principles, she rated Blockchain against the principles of Article Five of the GDPR, as follows:

  • “Processed lawfully, fairly and in transparent manner” – Not transparent due to encryption
  • “Collected for specified, explicit and legitimate purpose” – Arguably legitimate – for authentication purposes
  • “Adequate, relevant and limited to what is necessary” – Not necessary, ledger exists forever
  • “Accurate and where necessary, kept up to date” – May not be accurate, and no way to delete it
  • “Identification for no longer than necessary” – Not necessary, ledger exists forever
  • “Processed in a manner that ensures its security” – Secure, due to encryption

Heward-Mills said that privacy by design is one of the central pillars of the GDPR, but Blockchain is decentralized and everyone holds a copy of the ledger, so how is it possible to regulate such a decentralized way of operating?

She acknowledged that there is an “opportunity to shape the approach of supervisory authorities in this context” as the regulators were still figuring out how to work with such technology.

Following on with the role of the DPO in this, she said there will be a critical role in shaping how the regulators respond to this emerging technology, but what we can offer “is the voice of corporate reality and challenges that are presented in using this technology.”

She said: “This is a really exciting time. Given that the regulator wants to receive perspectives from practitioners, I think we have a real opportunity to shape the future of this technology.”

Concluding, Heward-Mills said that there is some uncertainty on how it is evolving and how it is being regulated, but it is growing in importance and there will be more discussion on how it is applied.

“It is not always anonymous and it is possible through different data sets to decode on use and individuals behind the ledger and either we need to find some exemption in terms of how Blockchain is perceived, and its application under data protection laws, but the law needs to be updated as there are certain principles that are so incompatible fundamentally.”

Source: Information Security Magazine

Roaming Mantis Preys on Multilingual Victims

A new wave of Android malware originally seen targeting victims across Asia via DNS hijacking has evolved into multilingual malware, broadening its attack surface and evading detection as it spreads across Europe and the Middle East, according to new research from Kaspersky Lab.

Roaming Mantis, Android malware distributed through DNS hijacking, was discovered earlier this year but has since evolved beyond targeting smartphones in Asia. The malware now supports 27 languages and has extended into Europe and the Middle East, adding a phishing option for iOS devices and a PC crypto-mining capability.

Designed to steal user information, the malware also provides attackers with control over the compromised device. Researchers believe a financially motivated Korean- or Chinese-speaking cybercriminal group is behind the operation.

“The attackers substantially extended their target languages from four to 27, including European and Middle Eastern languages. And yet, they keep adding comments in Simplified Chinese,” security researcher Suguru Ishimaru wrote in an 18 May SecureList blog post.

"But, of course, this multilingualism is not limited to the landing page," Ishimaru continued. "The most recent malicious apk (MD5: 'fbe10ce5631305ca8bf8cd17ba1a0a35') also was expanded to support 27 languages."

Researchers believe the attackers used an automatic translator to expand their initial set of languages into dozens of others and infect more users, but they have changed more than the languages.

Though the criminal group originally targeted Android devices, it is now targeting iOS devices as well, “using a phishing site to steal user credentials. When a user connects to the landing page via iOS devices, the user is redirected to ‘http://security.apple.com/’,” Ishimaru wrote.

While an authentic DNS server would recognize that such a domain name doesn’t exist, Ishimaru said, “a user connecting via a compromised router can access the landing page because the rogue DNS service resolves this domain to the IP address 172.247.116[.]155. The final page is a phishing page mimicking the Apple website with the very reassuring domain name ‘security.apple.com’ in the address bar of the browser.”

An additional feature included in the extended translations of the malware is PC web mining for the most popular crypto-currency among cybercriminals, Coinhive, accomplished via a special script executed in the browser.

Source: Information Security Magazine

Parent and Teen Data Leaked from Monitoring App

A security researcher discovered two leaky servers belonging to a California-based company, TeenSafe, which left the email addresses and passwords of parents and teens unprotected. According to ZDNet, at least one of the servers used by the TeenSafe app leaked data from tens of thousands of accounts.

TeenSafe is an app, available for both iOS and Android, for parents who wish to monitor the texts, calls, locations and even the social media exchanges of their teens. The parents enter their email addresses and those of their teenagers. The database stores not only the email and password information but also the child’s device name and the device’s unique identifier, as reported by ZDNet.

“Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data,” ZDNet wrote.

UK-based security researcher Robert Wiggins found the issue with one server containing production data – live customer information – while the second server stored test data. In a tweet to Infosecurity Magazine, Wiggins said, “It appeared to be intercepting the phone’s requests to iCloud for FindMyPhone and other bits related to iCloud.”

Wiggins said the problem was with the type of service running: its default was set for no password and no SSL. “They should’ve firewalled it off to IP’s only,” Wiggins said.

The TeenSafe website claims that it uses “industry-leading SSL and vormetric data encryption to secure your child’s data,” assuring parents that their “child’s data is encrypted – and remains encrypted – until delivered to you, the parent.” However, the leaked data discovered by Wiggins was in plaintext.

"It is sad to see a company charged with storing our kids' Apple ID passwords get this wrong, especially after Amazon introduced several new features to avoid this back in November. Both parents and data custodians should not assume that data is being properly stored. Just saying your website uses SSL is no longer enough," said James Lerud, head of the Verodin behavioral research team.

Companies charged with storing sensitive data should actively disclose what steps they are taking to perform continuous validation, added Lerud. "Parents/customers should start expecting assurances before trusting a company with their data." 

Source: Information Security Magazine

#IRMS18 ICO Begins Countdown to GDPR Compliance with Reassurances

As the final few days count down until the GDPR becomes law, the Information Commissioner’s Office (ICO) reassured conference delegates that the regulation is an opportunity rather than a barrier.

Speaking in the opening keynote at the IRMS conference in Brighton, Louise Byers, head of risk and governance at the ICO, who also acts as the regulator’s data protection officer, and is responsible for the ICO’s records and management team, opened by acknowledging that she is in a unique position but “faces some of the same challenges and some of the same conversations that you are facing today as well.”

She said that as “custodians of information and data, records management professionals have a unique role to play in safeguarding information rights,” and referencing a talk given in April by the Information Commissioner Elizabeth Denham, she said: “There’s never been a better time to be in data protection.”

She said that the recent allegations surrounding Cambridge Analytica have given the public an opportunity to focus on privacy and how their data is handled.

“The GDPR rebalances the relationship between the public and organizations and it gives greater control over how their data is used, and it compels organizations to be transparent about their actions, but it doesn’t end there.”

Along with new regulations such as the NIS Directive and E-Privacy Directive, Byers said that “Friday is a beginning not an end,” and that “GDPR is not Y2K”, but an opportunity to revolutionize the way that businesses work and engage with those who are most important to you.

Byers said that those organizations that thrive under the rules will see an opportunity to commit to data protection and embed it in their policies, processes and culture, and that some organizations are “embracing it for the opportunity it presents rather than the perceived barriers it throws up.”

Regarding its position as the regulator of the GDPR, Byers said that “we’re expecting more of everything.” This includes: more breach reports as the law requires it; more complaints as people will be better informed of their rights; and greater engagement as businesses turn to the ICO for advice at the outset of projects.

This has allowed the ICO to “develop, to grow and reinvent ourselves,” and has brought a “fundamental” series of changes at the ICO, including its mission of transparency in the digital economy, recruitment, funding and its approach to technology under its new three-year strategy.

Byers went on to say that the ICO will “not be changing our approach to fines in four days' time,” but its aim is to prevent harm, and to put support and compliance at the heart of its regulatory action.

While voluntary compliance is the preferred route, she said that action will be taken where necessary and will be backed up with “hefty fines,” which can be levied on organizations that persistently, deliberately or negligently flout the law.

In conclusion, Byers said that the ICO's 12 Steps to GDPR compliance guide has been downloaded six million times in two years, and that it will be updating its guidance as things change in the future. In her position as data protection officer, Byers identified three key areas to achieve compliance:

  • The first regards information rights and records management, as this is “the starting point for everything as it enables you to know what you have got, and who knows what you have." 
  • The second is collaboration: securing senior buy-in is crucial, as is working with all parts of the organization to identify key players.
  • The third is communications, both internal and external, and working with all areas of the business to deliver strong communications around the requirements and the importance of breach reporting and recording. 

“If I had to sum up the impact of GDPR in one word, it would be people,” she said. “This is all about individuals, balancing the law and increasing the public’s trust and confidence in the way their data is handled.”

Source: Information Security Magazine
