Archive for the News Category

KnowBe4 Gets Whopping $300m in Funding

A private equity giant has invested an additional $300 million in cybersecurity awareness firm KnowBe4 only three months after announcing its initial investment of $50 million, according to Fortune.

At the helm of the company, which provides integrated security awareness training and a simulated phishing platform, are Stu Sjouwerman, CEO, and Kevin Mitnick, chief hacking officer. Founded in 2010, the company now boasts more than 25,000 users across the globe from highly regulated industries to global organizations.

“The company helps organizations address the human element of security by raising awareness of ransomware, CEO fraud and other social engineering tactics through a new-school approach to security awareness training,” the June 12 press release said.

“Having secured additional funding, as well as 'unicorn' status as a private company valued at $1 billion, KnowBe4 now plans to continue an ambitious international expansion that, in 2019 alone, has seen it acquire two cybersecurity companies located in different parts of the globe: Brazil-based El Pescador and Norway-based CLTRe,” Fortune reported.

In response to the company earning unicorn status, KnowBe4 CEO Stu Sjouwerman lauded the relationship the company has built with its investment firm, KKR. Sjouwerman’s blog post emphasized his plentiful gratitude:

I'd like to thank you for your trust in us, and for telling your friends about our platform. This is only the beginning of building a strong human firewall and we still need all the help we can get.

So from the bottom of our hearts, thank you so much. We will continue doing our level best to help you keep your organization safe, and please keep spreading the word.

“Organizations are beginning to understand that when it comes to security, building a human firewall takes precedence over merely deploying technology,” Sjouwerman told Infosecurity. “This investment is a representation of what we're seeing in the market, which is more emphasis placed on the area of security awareness training and education as a key way to manage the ongoing problem of social engineering.”

Source: Information Security Magazine

Philly Courts Still Down after Cyber-Attack

After a May 21, 2019, cyber-attack downed Philadelphia’s online court system for e-filing and docketing services, issues remain throughout the county, according to Government Technology.

On June 11, Government Technology reported that the computer networks of the Luzerne County Correctional Facility in Pennsylvania continue to be impacted, leaving inmates unable to order items from the jail commissary.

“The First Judicial District and City OIT are working in concert to ensure the safety of the First Judicial District’s electronic web system following the discovery of malware on a limited number of FJD workstations. As a precautionary measure the FJD’s website, employee email accounts, and electronic filing (e-file) have been temporarily suspended,” a May 31 notice from the Philadelphia Courts First Judicial District of Pennsylvania stated.

“We are currently unable to provide more information concerning this virus so as not to provide any detail-specific information that could jeopardize the remediation process we are engaged in. In addition to City OIT, the FJD is contracting the services of a firm specializing in cybersecurity to assist in getting impacted operations restored safely.”

Since then, the courts have been using social media to engage with members of the community. On June 10, the Philadelphia courts expressed appreciation for the community’s patience as employees work to meet filing needs.

The city has reportedly hired a cybersecurity firm to investigate the attack, though said firm has not been named.

“Declining to name a publicly funded contractor has raised eyebrows. So far, the court has described the unnamed vendor as a firm 'specializing in cyber security to assist in getting impacted operations restored safely.' Courts spokesperson Marty O’Rourke has declined repeated requests for the name of the vendor – as well as the amount the city is paying for these services,” Billy Penn’s Max Marin reported.

Source: Information Security Magazine

Flaw in SymCrypt Can Trigger DDoS

A vulnerability in the SymCrypt cryptographic library of Microsoft's OS can trigger a distributed denial-of-service (DDoS) disruption in Windows 8 servers and above, causing a perpetual operation "when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric," according to Tavis Ormandy, a Google researcher.

“I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't,” Ormandy tweeted.

Now that we’ve entered into the 91st day, Ormandy has gone public with what he said is a relatively low severity bug. “I've been able to construct an X.509 certificate that triggers the bug. I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g., ipsec, iis, exchange, etc.) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock,” Ormandy wrote in the Project Zero vulnerability report.

Ormandy noted that while it is a low-severity bug, it would be possible to take down an entire Windows fleet relatively quickly if exploited. “Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible. We worked to meet the researcher’s deadline for disclosure; however, a customer-impacting regression was discovered that prevented the update from being released on schedule. We advised the researcher of the delay as soon as we were able. Developing a security update is a delicate balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption,” a Microsoft spokesperson wrote in an email.*

"This finding demonstrates just how important this type of research is in helping organizations mitigate risks no one ever knew existed. The frightening part about this vulnerability and others that can be remedied with a simple patch, however, is that many organizations will have a very difficult time actually implementing the fix,” said Adam Laub, SVP product management, STEALTHbits Technologies.

“When I first started in the industry nearly 15 years ago, patch management was very much the flavor of the day – much like privileged access management (PAM) and artificial intelligence (AI) technologies command significant mind share among security practitioners now. Sadly, the patch management problem persists despite advances in so many other areas of IT management, which could make this 'low severity' vulnerability a lot more pungent than it ought to be."

*June 12, 2019 3:38 PM: This article was updated to include comment from a Microsoft spokesperson.

Source: Information Security Magazine

XSS is Most Rewarding Bug Bounty as CSRF is Revived

Cross-site scripting (XSS) is the most rewarding security vulnerability, according to data on the number of bug bounties paid.

According to HackerOne’s top 10 most impactful security vulnerabilities, which have earned hackers over $54m in bounties and based on over 1400 HackerOne customer programs and 120,000 reported vulnerabilities, XSS is the most paid out vulnerability, followed by “improper authentication – generic” and “information disclosure.”

HackerOne’s Top 10 security vulnerabilities are:

  1. Cross-site Scripting – All Types (dom, reflected, stored, generic)
  2. Improper Authentication – Generic
  3. Information Disclosure
  4. Privilege Escalation
  5. SQL Injection
  6. Code Injection
  7. Server-Side Request Forgery (SSRF)
  8. Insecure Direct Object Reference (IDOR)
  9. Improper Access Control – Generic
  10. Cross-Site Request Forgery (CSRF)

In comparison to the current OWASP Top Ten, which was last refreshed in 2017, XSS featured only in seventh place, while SQL Injection, which held the top position in the OWASP Top 10, appeared in fifth place in HackerOne’s list.

Speaking to Infosecurity, Rahim Jina, COO of edgescan, said that from their stats XSS accounts for nearly 15% of application layer vulnerabilities found, showing a slight increase year on year.

“This is a vulnerability we nearly expect to find when we are assessing a web application (you tend to find multiple instances in an application, if you find them),” he said. “XSS has been around a long time and when highlighted, developers typically can resolve these, however we frequently see the same issues being introduced by these developers subsequently. I believe there is an educational problem here which needs to be addressed (people do get training, however they often seem to re-introduce XSS issues subsequently for whatever reason).”
 
Miju Han, director of product management at HackerOne, said: “We see a 40% crossover of the HackerOne Top 10 to the latest version of the OWASP Top 10. Both assets will be able to help security teams identify the top risks; ours also takes into account volume and bounty values, which we think will be of particular interest to security teams looking to protect against criminal hackers.”
 
Cross-Site Request Forgery, which was removed from the last OWASP Top 10, having appeared in seventh place in the 2013 OWASP Top 10, was the tenth most paid bug for HackerOne.

Jina said that CSRF “is an interesting one”: last year it accounted for 1.75% of total app-layer vulnerabilities found by edgescan, and the reason many cite is that most modern web application frameworks include built-in CSRF defenses which can be enabled easily.

“Scanners tend to report this issue with high frequency, however when you actually look at the issue, the transaction may not be relevant – CSRF is about abusing a transaction in some meaningful way,” he said.

“Finding it may be relatively easy, however validating the real issue takes some effort. Additionally, due to the often complex nature of actually abusing such an issue successfully, these are often presented as lower risk items.”

Jina said that there is a slight increase in CSRF issues in general, as fixing them appears to be much easier: often simply turning on such a defense (where a given framework provides one, which is usually a configuration change) will protect the entire application in one go, as opposed to having to go into the code and fix each instance.

“We find that explaining the underlying risk and cause of CSRF issues can be confusing to developers and is often misunderstood.”

Source: Information Security Magazine

Microsoft Fixes Four SandboxEscaper Zero-Days

Microsoft has released its latest monthly security updates and there are four fixes for zero-day threats published recently by SandboxEscaper.

In total Redmond fixed 88 vulnerabilities in this update round with 21 labelled critical.

The four zero-days are all elevation of privilege flaws which affected Windows: CVE-2019-1069 is a bug in the Windows Task Scheduler, CVE-2019-1064 is an elevation of privilege bug in Windows, CVE-2019-1053 is a vulnerability in Windows Shell which could allow elevation of privilege on the affected system by escaping a sandbox and CVE-2019-0973 is a flaw in Windows Installer.

The recently disclosed BlueKeep vulnerability (CVE-2019-0708) in RDP should also be a priority for system admins, after Microsoft warned that it could be “wormable” — that is, exploitable without the need for user interaction.

However, patching is just one part of the defense-in-depth approach IT security teams need to take, according to Ivanti director of security solutions, Chris Goettl.

“Currently around 1.6 million public facing RDP servers are under the attack of a botnet called GoldBrute. Instead of exploiting a vulnerability, GoldBrute is attacking weak passwords. A couple of things to assess in your environment: do you have public facing RDP services exposed? Have you assessed its configuration?” he explained.

“Ideally, blocking RDP at the perimeter is best. Restricting access to a VPN controls the exposure of RDP more. Enabling network-level authentication can help mitigate BlueKeep. Ensure any credentials available over RDP have strong passwords that are changed regularly.”

Elsewhere, there’s one critical update for Flash Player this month, fixing a bug (CVE-2019-7845) which could allow arbitrary code execution on a victim’s machine. Adobe also announced patches for three critical ColdFusion vulnerabilities and seven Adobe Campaign bugs, one of which is critical.

Source: Information Security Magazine

Radiohead Officially Releases Music Stolen in Hack

A week after receiving a ransom request for $150,000, alternative-rock band Radiohead decided to go live with the 18 hours of stolen music that was never intended for public consumption.

On June 5, Consequence of Sound reported that 18 hours of Radiohead’s music was leaked online. The band announced on June 11 that it has officially released the leaked material through Bandcamp and is donating the proceeds to the climate activist group Extinction Rebellion.

Band member Jonny Greenwood tweeted that a hacker stole minidisk archives of the band’s OK Computer sessions.

We got hacked last week – someone stole Thom’s minidisk archive from around the time of OK Computer, and reportedly demanded $150,000 on threat of releasing it.

So instead of complaining – much – or ignoring it, we’re releasing all 18 hours on Bandcamp in aid of Extinction Rebellion. Just for the next 18 days. So for £18 you can find out if we should have paid that ransom.

Never intended for public consumption (though some clips did reach the cassette in the OK Computer reissue) it’s only tangentially interesting. And very, very long. Not a phone download. Rainy out, isn’t it though?

Jonny

“Hackers holding data hostage is a growing concern for businesses as hackers have found out that crime does pay and people are willing to pay to regain control of their own data," said Matan Or-El, CEO of Panorays. "In their efforts to stop the hacker’s booming business, the FBI and industry experts strongly recommend never to pay the ransom.

"Radiohead has taken an additional route – a creative one – to defeat hackers. Their method levels the playing field by beating hackers in their own game and simply releasing their album to the public.”

Source: Information Security Magazine

SOCs Struggle with Staffing, Reporting and Visibility

Staffing remains an issue for security operations centers (SOCs), which continue to struggle with reporting and documentation while barely being able to stay afloat in a sea of alerts and false positives, according to the annual State of the SOC report from Exabeam.

The report found approximately one-third of respondents said that their SOC was understaffed by 6–10 people. “Nearly 50% of understaffed SOCs indicated they don’t have sufficient funding for technology, while respondents of larger SOCs said that despite recent or increased funding for technology, they recommend continued investment in newer, more modern technologies (39%),” the press release said.

In addition, shifting roles and responsibilities is a top challenge for SOC managers, with C-suite executives taking on the tasks of incident response and threat hunting, while frontline employees are completing fewer operational tasks.

Only 5% of respondents said they see all of the events in the security information and event management (SIEM) system. Not having full visibility into events is a handicap for SOC managers, who reported that a lack of visibility leaves them more likely to miss security alerts. With legacy applications unable to log events, 39% of SOC personnel reported security alerts as the largest pain point that leaves the organization more vulnerable to cyber-attacks.

“There’s an idiom, ‘what you don’t know can’t hurt you.’ But in the information security business, that couldn’t be further from the truth. In fact, it’s what you don’t know – or worse, can’t see – that will significantly harm your business,” said Steve Moore, chief security strategist at Exabeam. “From our survey, an example of how this can manifest is general lack of environmental visibility in the form of too few logs – you can’t protect what you can’t see. Visibility, event context and automation play a key role in building relevant defense, so you can have a fighting chance against even the most sophisticated adversaries.”

Increasingly, SOC managers are placing greater value on soft skills, like communication, with 65% of respondents saying personal and social skills play a critical role in the success of a SOC. In addition, the report found that hard skills, such as threat hunting and data loss prevention, have also increased in importance.

Source: Information Security Magazine

HaveIBeenPwned.com Open to Acquisition

Since its inception in 2013, the website HaveIBeenPwned.com (HIBP) has grown exponentially – to the point where it is no longer feasible for one person to maintain, which is why Troy Hunt, the site’s creator, today announced that he is open to the possibility of an acquisition.

The prevalence of breaches, combined with the analysis he was doing and the scale of Adobe, is what sparked the idea for HIBP, Hunt said. “I wonder how many people know? Do they realize they were breached? Do they realize how many times they were breached? And perhaps most importantly, have they changed their password (yes, almost always singular) across the other services they use? And so Have I Been Pwned was born.”

In an exclusive interview with Infosecurity, Hunt joked that he has often been asked, "What would happen to the site if he were hit by a bus? … Microsoft has my credit card, so the site would continue, but who would manage it?” Hunt said.

Fans of the site have applauded Hunt for “doing God’s work,” but the man is indeed a mere mortal. “It’s gotten to the point where the service has become enormously popular and the effort required to maintain it is exceeding my time availability,” Hunt said. “It’s also making it clear that there is a lot more to be done than I’m able to do on my own. There needs to be a better continuity plan than just one person doing this in their spare time.”

With 8 billion breached records included in its database, the site has nearly 3 million subscribers. “I’ve emailed those folks about a breach 7 million times, there are 120,000 people monitoring domains they’ve done 230,000 searches for and I’ve emailed them another 1.1 million times. There are 150,000 unique visitors to the site on a normal day, 10 million on an abnormal day, another couple of million API hits to the breach API and then 10 million a day to Pwned Passwords.”

Though there is no one organization Hunt is eyeing for acquisition, he did say that he will continue to be involved in the future of HIBP. “There's a heap of things I want to do with HIBP which I simply couldn't do on my own. This is a project with enormous potential beyond what it's already achieved and I want to be the guy driving that forward,” Hunt wrote.

Source: Information Security Magazine

FTSE 250+ Demonstrate Weak Security, but Low SMB Exposure

FTSE 250+ organizations leave an average of 35 servers and devices exposed to the open internet, while 231 have “weak or non-existent” phishing defenses.

According to research by Rapid7, many companies in the FTSE 250+ indicate how many and which cloud service providers they use in their DNS metadata. The research found that 114 organizations use between two and seven cloud service providers. 

Tod Beardsley, director of research at Rapid7, told Infosecurity that this is the “best of the best of IT in Britain,” and what stood out to him was the number of services exposed, which was in the 30% range overall, though some companies expose thousands and others only a few.

He said: “We look at each company and ask how many versions of iOS or nginx are they running, or how many versions of Apache? Do they standardize on one version, which every company wants to do because it makes things a lot easier with a lot less overheads, or are they running 20 different versions of Apache, which tells me they have a really fragmented asset management process and are not doing patches, and doing black box stuff.”

One “bright side” that Beardsley pointed out for the UK was fewer SMB servers, with only seven found in total.

Of the average 35 exposed services, Beardsley admitted that if he were managing a company’s IT and only found 35, he would be delighted as “it sounds really good” as when you get to 300-400 it becomes a full time job.

Elsewhere, 19% of the FTSE 250+ organizations are not enforcing SSL/TLS security. Beardsley said that there is a lack of 302 redirects from HTTP to HTTPS, and “a lot of clear text HTTP as the front page” for household brands. He admitted that for a country so determined to get him to accept cookies, this was surprising as it permitted injection attacks as well as Man-in-the-Middle attacks.

Asked if he felt whether this puts the FTSE 250+ in a positive light, Beardsley said that there is work to be done, and while the SMB and Telnet stats are a good thing, Rapid7 is seeing connections from FTSE 250+ companies to its honeypot “as if we are part of the same network so it is accidental self-compromise.”

Source: Information Security Magazine

Welsh Man Gets Four Years for TalkTalk Attack

A Welsh man diagnosed with Asperger’s syndrome has been sentenced to four years behind bars for his role in a cyber-attack on TalkTalk which cost the company £77m.

Daniel Kelley, 22, from Llanelli, Carmarthenshire, will spend his sentence in a young offender institute after first pleading guilty to 11 offenses back in 2016.

These included: hacking the ISP and attempting to blackmail CEO Dido Harding and other executives, as well as “hacking his local college, encouraging and assisting hacking, possessing and offering to supply TalkTalk customer and other data and converting proceeds of blackmail from an Australian victim,” according to the Met Police.

“Kelley’s computers revealed from 2013 to 2015 that he had embarked on a cybercrime campaign hacking and blackmailing individuals and companies, attempting to sell compromised personal data online and committing cyber-attacks on infrastructure,” the London police force said.

“Over the three-year period, Kelley demanded over 753 Bitcoins valued at more than £123,700 successfully extorting £4400 in Bitcoins and attempted to conceal, convert and launder Bitcoins into cash. He had attempted to anonymize and conceal his identity and activities online using technology. As a result a significant amount of additional cybercrime offenses were identified and investigated by the Met.”

According to reports, Kelley turned to cybercrime after failing to get the grades he needed to get onto a computer course.

Kelley is just one of several people arrested following the 2015 attack on TalkTalk which led to the compromise of data on over 100,000 customers.

Another was a 17-year-old at the time, who admitted he hacked the firm to show off to friends.

The young age of the offenders is another indication that efforts are failing to get talented children to use their computing skills for positive ends.

At Infosecurity Europe last week, HaveIBeenPwned founder Troy Hunt urged: “We’ve got to do more to set kids back on the right path.”

Source: Information Security Magazine