Archive for the News Category

Canada Launches Small Business Cybersecurity Certification Program

Canada has launched a cybersecurity certification program to bring small to midsize enterprises (SMEs) up to a basic level of protection.

Launched at the University of New Brunswick's Canadian Institute for Cybersecurity by Minister of Finance Bill Morneau, CyberSecure Canada is a voluntary program that will help small organizations achieve a minimum required level of cybersecurity, according to the government.

The initiative requires Canadian SMEs to stick to a baseline set of cybersecurity controls developed by the Canadian Centre for Cyber Security. These controls include establishing an incident response plan, regularly patching operating systems and applications, using security software and securely configuring devices. Other measures in the list include using strong user authentication, offering employee awareness training and backing up and encrypting data.

Those passing the certification can display a mark showing that they have demonstrated compliance with the controls. Those businesses will also be listed on the program's website.

The Canadian government uses six certification bodies to check that companies have implemented the controls properly: Cyber Security Canada, Bell Canada, Bulletproof Solutions, Siemens, SourcetekIT, and WatSec. If businesses are using products and services from these companies that already meet the security controls, then some of the companies may certify them for free, the government's website says. Others may charge anywhere from a few hundred dollars to several thousand.

The certification lasts for two years, at which point businesses must go through the certification process again to continue using the certification mark.

The move follows growing concern over the cybersecurity preparedness of Canadian SMEs. In October, the Canadian Internet Registration Authority (CIRA) launched its 2018 Cybersecurity Security Survey, which gauged cybersecurity responses from 500 individuals at SMEs across Canada. It found that 40% of respondents had experienced a cyber-attack in the prior 12 months. Of the respondents, 88% were concerned with the prospect of future attacks, and 71% didn't have a formal software patching policy.

Source: Information Security Magazine

Google Offers Password-Free Android Access to its Services

Google took another step toward ditching passwords as a login mechanism this week by announcing support for password-free access to some of its own services from Android phones. In a blog post on Monday, it demonstrated how users could access its cloud-based password manager using the new feature.

Users will be able to verify their identities by scanning their fingerprints on suitably equipped Android devices. While users have been able to access their phones using their fingerprints in the past, the new feature allows them to access back-end Google services as well.

The underlying technology is FIDO2, a password-free login standard created by the FIDO Alliance. Its two components, the FIDO Client to Authenticator Protocol (CTAP) and the W3C's WebAuthn, work together to authenticate the user on the phone and on the back-end site. The user creates a digital token by authenticating themselves on the phone; CTAP carries that token to the browser, and WebAuthn then passes it to the back-end service, which logs the user in.

To use the service, the phone must be running Android 7 (Nougat) or later and set up with a personal Google account. The device must also be running a valid screen lock.

Google's FIDO2 support also lets users log into services using a hardware key, such as its own Titan Bluetooth-enabled device.

This latest announcement marks another step in Google's support of FIDO2. In February, it adopted the standard for Android apps.

Google rolled out the feature on Pixel devices on Monday and said that other Android devices would get the feature in the coming days.

Other companies have also made strides toward password-free access. In May, Microsoft achieved FIDO2 certification for Windows Hello, its biometric-capable login system included in Windows 10. This enables users to log into their Microsoft accounts using a hardware security key. The company also allowed Firefox users to log into their Microsoft accounts using FIDO2, with support for Google's Chrome to follow.

Source: Information Security Magazine

Microsoft Warns of New Wormable RDP Flaw

Just as exploits for Microsoft's BlueKeep bug make it into the wild, the company has announced another set of vulnerabilities in Windows that are equally dangerous, and this time they also affect Windows 10 systems.

Microsoft announced the bugs, along with an associated set of patches, as part of its monthly Patch Tuesday release. The vulnerabilities lie in Remote Desktop Services (RDS), the Windows service that enables users to use a computer from a different location. RDS uses the remote desktop protocol (RDP), and an attacker can get full access to a system by sending a malicious RDP request to the victim's computer.

These new vulnerabilities can compromise a computer without the user doing anything, which means that they can spread quickly and autonomously. Attackers can use them to create worms that spread like wildfire online.

This makes the new vulnerabilities very similar to BlueKeep, the existing wormable RDP vulnerability that Microsoft announced and patched on May 14, 2019. However, that vulnerability (CVE-2019-0708) didn't affect Windows 10. These flaws (CVE-2019-1181, 1182, 1222 and 1226) do.

"At this time, we have no evidence that these vulnerabilities were known to any third party," said Microsoft in a blog post announcing the move, but it also sent a clear message: Patch now.

The announcement comes just a day after the Australian Signals Directorate's Cyber Security Centre warned that someone had published a way to exploit BlueKeep. It said: "A security researcher under the Twitter handle @zerosum0x0 has recently disclosed his Remote Desktop Protocol (RDP) exploit for the BlueKeep vulnerability to Metasploit. The disclosure, once made available to the public, is anticipated to increase the amount of RDP scanning actively, increasing the chances of attempted exploitation of unpatched systems."

The researcher in question made that submission at least two weeks ago.

Microsoft had also warned people repeatedly to patch those vulnerabilities, most recently on August 8, when it said that some 400,000 endpoints remained unprotected.

BlueKeep had been a difficult bug to exploit, although several security companies said that they had successfully produced proof of concept code internally. It isn't yet clear how difficult it will be to exploit the latest flaws or how quickly someone will produce and publish workable code.

Source: Information Security Magazine

Unsolicited Blank Emails Could Portend BEC Attacks

Security researchers have warned organizations that unsolicited blank emails could be a warning sign they are being actively targeted by BEC scammers.

Agari has been tracking professional BEC gangs such as London Blue, Scarlet Widow and Curious Orca for over a year.

Crane Hassold, senior director at the Agari Cyber Intelligence Division (ACID), explained in a new blog post that “lead validation and processing” is a crucial part of the attack chain in which gang members take raw leads and validate, add info to and organize them.

While some use commercial lead-generation services to identify and validate targets, others send “probing” emails manually to check that raw target data is legitimate. These messages are typically blank, might carry the subject “i”, and are designed only to test whether they are delivered successfully.

They’re usually sent in non-work hours when they’re more likely to be missed, Hassold said.

“If no bounce notification is received, the target’s email address is assumed to be valid and operational. In the case of Curious Orca, once this contact information has been validated, their name, email address, and title are added to one of the hundreds of consolidated text files containing verified targets,” he continued.

“In many cases, this file includes supplemental information about the CEO at the target company who will be impersonated in the BEC attack.”

Sometimes, even if the address is invalid, the scammer may try other variations, possibly using legitimate marketing tools to suggest new combinations.

The sheer time and effort required to do all of this manually shows the increasing professionalization of BEC campaigns, Hassold claimed.

“A single Curious Orca associate has sent blank reconnaissance emails to more than 7800 email addresses at over 3200 companies in at least 12 countries including Australia, Canada, Denmark, Hong Kong, Israel, Italy, the Netherlands, Papua New Guinea, Singapore, Sweden, the UK and the US since August 2018,” he revealed.

“The validated contact information collected by this actor has contributed to a master targeting database that contains more than 35,000 financial controllers and accountants at 28,000 companies around the world.”

To regain the initiative against BEC attackers, IT teams could configure their email settings to raise the alarm when individuals receive blank messages, or even disable email bounce messages to external senders, disrupting their reconnaissance work, Agari said.
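As an added example, not from Agari's post or its tooling, a mail-gateway rule implementing the two measures just suggested (alert on blank probe-like messages, and send no bounce to external senders), run over constructed messages. The recipient domain, the mailbox list and the assumption that the business works UTC hours are mine.

```javascript
// Added example: a gateway rule for the two measures Agari suggests, run over
// constructed messages. Header parsing is deliberately minimal (assumption:
// single-line headers, no MIME), and the recipient org is "corp.example".
const OUR_DOMAIN = 'corp.example';                                 // constructed
const KNOWN_MAILBOXES = new Set(['cfo@corp.example', 'ap@corp.example']);

// Split a raw message into a lower-cased header map and its body.
function parseMessage(raw) {
  const [head, ...rest] = raw.replace(/\r\n/g, '\n').split('\n\n');
  const headers = {};
  for (const line of head.split('\n')) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { headers, body: rest.join('\n\n') };
}

function domainOf(addr) {
  const m = /@([^>\s]+)/.exec(addr || '');
  return m ? m[1].toLowerCase() : '';
}

// Hours are taken in UTC; assumption: the business operates on UTC.
function isOffHours(dateHeader) {
  const d = new Date(dateHeader);
  if (Number.isNaN(d.getTime())) return true;      // unparseable date is itself odd
  const h = d.getUTCHours(), day = d.getUTCDay();
  return day === 0 || day === 6 || h < 7 || h >= 19;
}

// Probe signature as described above: external sender, empty body, throwaway
// subject such as "i" (or none), often sent outside working hours.
function probeIndicators(msg) {
  const hits = [];
  if (domainOf(msg.headers.from) !== OUR_DOMAIN) hits.push('external-sender');
  if (msg.body.trim() === '') hits.push('empty-body');
  const subj = (msg.headers.subject || '').trim();
  if (subj.length <= 1) hits.push('blank-or-one-char-subject');
  if (isOffHours(msg.headers.date)) hits.push('off-hours');
  return hits;
}

// Gateway decision: 'alert' on probe-like mail, and never return a bounce
// (NDR) to an external sender, so address validation gets no signal.
function handleInbound(raw) {
  const msg = parseMessage(raw);
  const to = (msg.headers.to || '').toLowerCase().replace(/^.*<|>.*$/g, '');
  const external = domainOf(msg.headers.from) !== OUR_DOMAIN;
  if (!KNOWN_MAILBOXES.has(to)) return { action: external ? 'drop-no-bounce' : 'bounce', to };
  const hits = probeIndicators(msg);
  // empty body from outside is the core pattern; the other hits raise confidence
  const probe = hits.includes('empty-body') && hits.includes('external-sender');
  return { action: probe ? 'alert' : 'deliver', to, hits };
}

// Constructed sample traffic: a probe, internal mail, a probe to a bad address, vendor mail.
const SAMPLES = [
  'From: "J. Doe" <jdoe@freemail.example>\nTo: cfo@corp.example\nSubject: i\nDate: Sun, 11 Aug 2019 02:17:00 +0000\n\n',
  'From: Alice <alice@corp.example>\nTo: ap@corp.example\nSubject: Q3 invoices\nDate: Mon, 12 Aug 2019 14:05:00 +0000\n\nAttached as discussed.\n',
  'From: probe@freemail.example\nTo: controller@corp.example\nSubject: \nDate: Sat, 10 Aug 2019 23:40:00 +0000\n\n',
  'From: vendor@supplier.example\nTo: ap@corp.example\nSubject: PO 4471\nDate: Tue, 13 Aug 2019 10:00:00 +0000\n\nPlease confirm receipt.\n',
];

function runDemo() {
  return SAMPLES.map(handleInbound);
}
```

Legitimate external mail with an empty body (a bare attachment, for instance) will also hit the rule, so treat 'alert' as a signal for the SOC rather than a block.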

Source: Information Security Magazine

Certificate Giant Slams Plan to Shorten HTTPS Lifespans

Industry stakeholders are considering reducing the lifespan of HTTPS certificates to just 13 months, around half of the current duration, in order to improve security.

The CA/Browser Forum proposal would seek to make the changes from March 2020. It comes after certificate lifetimes were reduced from 39 to 27 months back in March 2018.

Proponents argue that doing so would make it harder for the black hats, as it would reduce the length of time stolen certificates could be used for. It could also force companies to use the latest and most secure encryption algorithms available.

However, not everyone is on board: DigiCert standards technical strategist Timothy Hollebeek argued that “it is far from clear” there is any security benefit in reducing TLS/SSL certificate lifespans.

“This change has absolutely no effect on malicious websites, which operate for very short time periods, from a few days to a week or two at most. After that, the domain has been added to various blacklists, and the attacker moves on to a new domain and acquires new certificates,” he added.

“Another benefit that is sometimes suggested is that shorter lifetime certificates allow quicker transitions when the compliance rules change. Two-year certificate lifetimes mean that certificates that are issued today will still be around two years from now. But isn’t it the responsibility of those managing the certificate ecosystem to come up with compliance rules that can endure for at least that long?”

The changes would also significantly ramp up the costs for organizations, Hollebeek argued, although they could always use free services like Let’s Encrypt.

“We believe the goal of improving certificate security is better served by allowing more time for companies to continue their growing use of automation, to test their systems and to prepare for these changes,” he said. “The primary point is that any benefit of reducing certificate lifetimes is theoretical, while the risks and costs to make the changes, especially in a short period of time, are real.”

Source: Information Security Magazine

#DEFCON: American Teen Exposes Flaws in School IT Systems

The challenges of government and enterprise IT security have been documented in a multitude of reports over the years, but what is the state of IT security within American schools?

At the DEF CON 27 conference in Las Vegas, 18-year-old Bill Demirkapi detailed how he discovered multiple vulnerabilities within several different software applications used in his school, including Blackboard's Community Engagement software and Follett's Student Information System. He started finding the issues when he was 16 years old and continued his research until he graduated in spring 2019.

The bugs ranged in severity and type and included SQL injection as well as XML inclusion vulnerabilities. While the impact varied from bug to bug, Demirkapi said that he could have taken personally identifiable information or even changed his grades.

"I knew that there was a lot of schools using the software," Demirkapi said. "My method of finding vulnerabilities was…really inadequate and nonprofessional. It was just looking at pages and trying to mess with the parameters."

Among the simpler flaws he discovered was improper access control in the student information system. Demirkapi explained that most identifiers in the system were simple incrementing values, which made it easy to identify a student. He also discovered a local file inclusion flaw.

He explained that when downloading their schedule or report card, users would be redirected to a servlet called toolResult.do.

"After running a tool or attempting to download a file shared with the user, a request to toolResult.do is made," Demirkapi said. "By modifying the fileName parameter to the proper path escape, an attacker can access any file on the system."

Within Blackboard's Community Engagement software, Demirkapi said that he found what he referred to as "SQL injections galore," the end result of which also enabled him to gain unauthorized access. Again, he noted that he really didn't know what he was doing but was still able to find issues.

"Essentially, I grabbed a list of links through a crawler and using Chrome Web Tools, I would then try and find interesting parameters to play around with and see how the server reacted when it received unexpected input," he said. "For parameters that responded to characters commonly used in SQL injection, I put them through SQLmap."

SQLmap is a popular open-source tool that makes it easy to test for and exploit SQL injection conditions in software. The Blackboard system that Demirkapi accessed involved more than just his own school: it held over five million students and teachers spread across more than 5,000 schools.

Demirkapi was quick to note that in his own research he only looked at his own data and did not look at or take anyone else's information. He commented that any other information that was gathered was metadata, such as the number of rows in a database.

"The primary reason I kept investigating is because the database had my records too," he said. "I felt obligated to determine the extent for the impact to my own records and the records of my peers."

Not only was Demirkapi meticulous in trying to be responsible about only accessing his own data, he also attempted to be responsible in his disclosure to both his school and the impacted vendor, with mixed results. After attempting to get the attention of his school with a disclosure notice that was only supposed to go to his school's IT team but ended up going to every school in his district, Demirkapi said he was suspended from school for two days.

Demirkapi learned from that initial experience and made his later disclosures via the CERT Coordination Center, which made it somewhat easier to get things fixed, though he still faced some hurdles.

During his presentation, he noted that he had contacted Blackboard before giving his DEF CON presentation and was advised to share a statement in the presentation, which he did.

"Blackboard is always working hard to improve both the security of our products, as well as the processes and procedures we leverage in support of security," the company stated.

Wrapping up, Demirkapi said that it's important for schools to take data security seriously and hold software vendors accountable. "Don't fall for marketing," he said. "Just because they say they take care of data doesn't mean they do."

Demirkapi added that in his view there needs to be more regulation to keep children's data safe, since they cannot defend their own data. "If a 16 year old can find a breach affecting millions of students and teachers, what would a nation-state find?" he asked.

Source: Information Security Magazine

#DEFCON: How the US's CISA Works to Improve Election Security

With the U.S. 2020 presidential election looming, there is a certain amount of anxiety about the state of election security systems. The federal government has not been sitting idly by, running multiple ongoing efforts, including those led by the Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA).

At the Voting Village within the DEF CON 27 conference in Las Vegas, members of CISA's National Cybersecurity Assessments and Technical Services (NCATS) outlined their mission and their challenges for election security.

"We're here to help secure our nation's election infrastructure," Jason Hill, chief of NCATS at CISA, told the audience.

Hill explained that NCATS offers its services for free to the federal government, as well as to state and local election officials. NCATS conducts cybersecurity assessments before an adversary is known to have breached a system, a point in time that he referred to as "left of boom." He added that NCATS tries to find all of the vulnerabilities it can and has several different services it offers.

One of the primary services is the Cyber Hygiene service, which is an external scan of a perimeter. Genevieve Marquardt, IT specialist at NCATS, explained that the Cyber Hygiene program does not go inside an organization. Vulnerability scanning is conducted with multiple tools, including the open-source Nmap tool to identify assets and Nessus to identify known vulnerabilities. She added that the scans are done continuously and automatically to help organizations identify potential security issues.

Another core service offered by NCATS is the Phishing Campaign Assessment, which is a six-week engagement. As part of the engagement, NCATS sends six different emails to a customer, ranging from the Nigerian Prince scam to a targeted spear-phishing campaign, to see what will get through. Hill commented that there is usually someone who will click on one of the messages, so it's an effective exercise.

Another service offered by NCATS is the Risk and Vulnerability Assessment, a two-week penetration test.

"We have a remote penetration test where all we do is remote assessment work, including web app scanning, external penetration testing and a basic phishing campaign assessment," Hill said.

The other core program offered by NCATS is called the Critical Product Evaluation (CPE), in which equipment is tested and validated. Hill said that CISA is partnered with multiple labs where "the equipment can be sent to let some really smart people tear it down to look for software, firmware and hardware vulnerabilities."

NCATS is getting busier as the 2020 election cycle nears. Marquardt said that NCATS currently has about 1,300 customers. Of those, she noted that around 200 are election customers, but many more are starting to sign up with the elections coming up. NCATS has conducted five full phishing campaign assessments so far this year, with three more in progress. For remote penetration testing, NCATS has completed 25 engagements, with 20 more currently in progress.

Hill commented that NCATS is limited by its resources, but it can scale up through the use of third-party contractors as well.

"What we've done is we've offered to those counties and states that are asking for our services…a cyber-hygiene program. And right now we have roughly 1,300 customers in our cyber-hygiene program and we can scale that up to about 6,000," Hill said. "There are roughly 3,007 counties in the United States, so if all of them wanted to sign up, they could."

Hill added, however, that NCATS services are voluntary and counties need to make a request in order to get them. While there are concerns and challenges that face counties and elections infrastructure, Hill cautioned that the overall situation isn't terrible.

"There are some good places, it's not all dire, that's not the picture I want to paint, because it's not that bad," Hill said. "There's really no difference between an election system and a normal network system that we test: we find the exact same vulnerabilities in all of the networks that we test."

Source: Information Security Magazine

#DEFCON: Hackers Can Use Netflix Account to Steal Banking Info

There are a lot of different risks to personal privacy, but one of the biggest could well be users themselves.

In a session at the Crypto and Privacy Village within the DEF CON 27 conference in Las Vegas, Cat Murdock, security analyst at GuidePoint Security, outlined a nightmare scenario seemingly straight out of an episode of Black Mirror (the session, coincidentally, was titled Black Mirror: You Are Your Own Privacy Nightmare – The Hidden Threat of Paying For Subscription Services).

Murdock detailed how simply having a Netflix account could potentially be the key that enables an attacker to gain access to a user’s banking information. She noted that approximately 60% of the adult population pays for some form of online subscription service, be it Netflix, Spotify or something else. She also noted that everyone with an online subscription has a bank account.

One way a financial institution verifies an account holder when they try to gain access is to verify a recent transaction, which is where subscription services come into play. Murdock observed that there are only so many plans that a subscription service offers and the payments typically recur at the same time every month.

She also noted that a lot of people will comment about their subscriptions on social media, identifying that they just paid again or have continued their subscriptions.

“People love to talk about their subscriptions,” she said. “This is quality open source intelligence [OSINT].”

To test her theory for the presentation, Murdock opened up a new bank account. During the presentation, she played audio recordings of her interactions with the bank, using OSINT and social engineering skills to gain access, which she ultimately was able to achieve.

“It's not your bank’s fault that you use Netflix and it’s not Netflix’s fault that you charge it to the bank,” she said. “It's incumbent on us as users to pay attention to these things, to understand that they're happening.

“Remember that any service provider you use is only responsible for their own privacy terms, and, quite frankly, as we have seen, they don’t always do that well either,” she added.

As a result, Murdock suggested that it is ultimately up to each individual to take care of their privacy themselves. She recommended that individuals be very aware of what they’re choosing to share with the world and who can see it.

“Make sure that you’re owning your own privacy and you know, try and do routine hygiene checks,” she said. “Pick a day every quarter or every month and ask: What am I signed up for? What is new? What am I going to share or did somebody else share something about me?”

Source: Information Security Magazine

Security Experts Slam Group Hook-Up App

Security experts have uncovered major new vulnerabilities in a group hook-up app, exposing private pictures, real-time location and highly sensitive personal details.

Security consultancy Pen Test Partners branded the 3fun app a “privacy train wreck,” claiming the privacy issues it found could end countless careers or relationships.

The app leaked location data right down to the house and building level. Some of the exposed users’ data even put their location on Downing Street and in the White House, although the researchers hypothesized that this could simply be tech-savvy users manually re-writing their position.

“Several dating apps including Grindr have had user location disclosure issues before, through what is known as ‘trilateration.’ This is where one takes advantage of the ‘distance from me’ feature in an app and fools it. By spoofing your GPS position and looking at the distances from the user, we get an exact position,” explained Pen Test Partners’ Alex Lomas.

“But, 3fun is different. It just ‘leaks’ your position to the mobile app. It’s a whole order of magnitude less secure.”

Although users can restrict the sending of latitude and longitude information, this is only done client-side, which means the data is still available on the server and can be queried via API, he added.

Also exposed in the privacy snafu were birth dates, private photos – even with privacy settings applied – sexual preference, gender and relationship status.

It goes without saying that such information could be a treasure trove for potential blackmailers. It recalls the furore surrounding adult infidelity site Ashley Madison, where an estimated 37 million customer records were stolen and subsequently used to extort money from victims.

Pen Test Partners contacted 3fun, which fortunately “took action fairly quickly and resolved the problem.” However, the fact that an estimated 1.5 million users may have been exposed on a platform where privacy is crucial will be of great concern.

Source: Information Security Magazine

McAfee Makes Container Security Play With NanoSec Buy

McAfee has announced the acquisition of cloud security start-up NanoSec in a move designed to help reduce container-related risk for its customers and accelerate DevSecOps.

Cupertino-based NanoSec is described as a pioneer in simplifying app workload protection, with a zero-trust offering that works across multiple computing and containerized environments irrespective of the underlying infrastructure.

The tie-up will enhance McAfee’s MVISION Cloud and MVISION Server Protection products, enabling customers to accelerate the speed of application development whilst mitigating risk, meeting compliance requirements and enhancing governance across hybrid, multi-cloud deployments, the firm said.

NanoSec capabilities set to be applied to apps and workloads in containers and Kubernetes environments include: continuous configuration compliance and vulnerability assessment, plus runtime application-level segmentation for detecting and preventing lateral movement.

“NanoSec’s technology is a natural extension for McAfee MVISION Cloud, enhancing our current CASB and CWPP products, and adding to our ‘Shift-Left’ capabilities to deliver on the DevSecOps best practice to improve governance and security,” argued Rajiv Gupta, senior vice president and general manager of the cloud security business unit, McAfee.

“NanoSec’s team brings a wealth of experience to McAfee, and together we are committed to enabling organizations to reach their full cloud potential.”

The acquisition is a timely one considering the growing popularity of containers in DevOps organizations.

Gartner said in April that by 2022, over three-quarters of global organizations will be running containerized applications in production, a major increase on today’s figure of fewer than 30%.

Yet although containers represent a great way to speed up app delivery, modernize legacy apps and create new cloud-native ones, current ecosystems are immature and security must be embedded in environments across the entire life cycle, the analyst claimed.

“Although there is growing interest and rapid adoption of containers, running them in production requires a steep learning curve due to technology immaturity and lack of operational know-how,” said Arun Chandrasekaran, distinguished VP analyst.

“I&O teams will need to ensure the security and isolation of containers in production environments while simultaneously mitigating operational concerns around availability, performance and integrity of container environments.”

Source: Information Security Magazine