
Archive for the News Category

US Congress Passes Controversial Info-Sharing Bill

On Friday, the US Congress passed cybersecurity information-sharing legislation after more than five years of debate. The Cybersecurity Act of 2015 (formerly the Cybersecurity Information Sharing Act, or CISA) was passed as part of the Omnibus Spending Bill.

Specifically, CISA gives companies the ability to share cybersecurity information with federal agencies, including the NSA, “notwithstanding any other provision of law”; in practice this provides liability protection and an antitrust exemption for those sharing information.

To effect this, it calls for information-sharing portals to be set up with agencies such as the FBI and the Office of the Director of National Intelligence, so that companies hand information directly to law enforcement and intelligence agencies instead of going through the Department of Homeland Security and the court vetting that route involves. It also allows law enforcement to use specific threat data without court approval when there is a known, specific threat.

Other aspects include:

  • It’s voluntary. There is no requirement to share information or to use shared information.
  • It requires reasonable efforts to remove PII before sharing, unless that information is directly relevant to the cybersecurity purpose (e.g. the registration details of a criminal domain).
  • It makes clear that shared data can be used in criminal prosecutions, but cannot be used as evidence of regulatory violations.

The legislation has been highly controversial, with detractors arguing that it could allow organizations to circumvent privacy norms and civil liberties, including the requirement for warrants when it comes to surveillance. There is no mention of warrantless wiretapping and the like as part of the bill’s language, but opponents are concerned that the language is sufficiently vague as to provide a loophole for just such snooping.

“We are deeply disappointed that Congress has passed CISA into law, despite our serious concerns that it will undermine privacy and cybersecurity,” said Robyn Greene, policy counsel at New America’s Open Technology Institute (OTI), in a statement to media. “Hopefully, the private sector, the intelligence community, and law enforcement will construe its dangerously broad provisions as narrowly as possible, so that the impact on online privacy is minimized.”

Opponents are also particularly upset that it was packaged with the Omnibus, a virtually un-vetoable, must-pass package that provides operational funding and avoids a government shutdown for the time being. OTI and 50 other security experts and civil society groups wrote to Congress in the wake of the bill’s passage, saying they strongly oppose the bill “because of its weak privacy protections, and opposing leadership’s choice to refuse to hold a stand-alone vote and instead force it into law as part of the must-pass omnibus spending bill.”

Sean Tierney, Morgan Stanley’s former cyber-emergency response chief and current vice president of threat intelligence at IID, has a different take. He said that CISA removes many of the main impediments to widespread cybersecurity information-sharing, while maintaining the current level of protection for personally identifiable information (PII).

“Study after study has found that fear of liability for shared information keeps organizations from fully participating in threat intelligence exchange,” he said in a blog. “For the past two years, IID has partnered with the Ponemon Institute to study this topic. Last year 55% of respondents said the potential liability of sharing keeps their companies from more fully participating in a threat intelligence exchange program. This increased to 62% of respondents in this year’s study.”

And some are in the middle when it comes to reaction, and note that the interpretation of the law will be everything. Paul Kurtz, former White House cybersecurity advisor and current CEO and co-founder of TruSTAR Technology, noted that the devil will be in the details.

"This is the first tangible demonstration of a partnership between Congress, the Administration and the private sector to address the critical need for cyber incident sharing to help protect our economy and national security,” he said, via email. “Providing liability relief for companies sharing cyber incident data amongst themselves and with the government provides a foundation on which to build a more collaborative cybersecurity defense. However, information-sharing should not have to cost us our privacy, and now it will be up to the private sector to build an infrastructure that both promotes security and preserves trust."

One thing that’s agreed upon is that there’s much more work that can be done. OTI and others are urging Congress to consider other measures in the cybersecurity space, including:

  • reforming the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act to ensure that security researchers are able to identify and responsibly disclose vulnerabilities without fear of prosecution or civil liability;
  • establishing a grant program that would support small businesses in implementing programs that accept and reward vulnerability reports;
  • incentivizing businesses to practice better cyber hygiene; and
  • creating scholarship programs for individuals in underserved communities to study computer science and software engineering.

“For over five years, the information sharing debate took up all of the air in the room when it came to cybersecurity policy,” OTI’s Greene said. “Now that it is over, we hope that Congress will finally turn its attention to passing legislative reforms that will improve cybersecurity while also respecting or even enhancing privacy. Congress should begin to work to ensure that security researchers can find and disclose vulnerabilities free from the threat of prosecution or civil liability, and create programs that will make cyber-hygiene and tech education more accessible to and achievable by individuals and businesses.”

Source: Information Security Magazine

Hello Kitty, Goodbye Privacy as 3M+ Users Hit by Breach

The personal information of over three million Hello Kitty customers was found exposed online by a security researcher over the weekend.

The database was found by security researcher Chris Vickery and relates to the Japanese cartoon character’s online community sanriotown.com, although users who registered accounts through hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th and mymelody.com are also affected.

Vickery told Salted Hash that the information exposed included full names, birth dates, gender, email and password hint questions and answers.

Birth dates were stored in an encoded form that was easily reversed, and passwords were stored as unsalted SHA-1 hashes, which is particularly bad practice: without a salt, identical passwords produce identical hashes, and a single precomputed table of hashed candidates cracks every matching account at once.
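Why unsalted SHA-1 matters in practice, as an added example that is not part of the original article and not Sanrio's code: the leaked records, user names and wordlist below are constructed, and the salted, iterated scheme shown beside the attack (PBKDF2-HMAC-SHA256 from the Python standard library) is one reasonable replacement, not what Sanrio used.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed leak: hypothetical users whose passwords were stored as
# unsalted SHA-1 digests, the practice criticised above.
LEAKED_SHA1: Dict[str, str] = {
    "user1": hashlib.sha1(b"hellokitty").hexdigest(),
    "user2": hashlib.sha1(b"hellokitty").hexdigest(),   # same password as user1
    "user3": hashlib.sha1(b"Tr0ub4dor&3-not-in-list").hexdigest(),
}

# Tiny stand-in for the multi-million-entry wordlists attackers actually use.
WORDLIST: Iterable[bytes] = [b"123456", b"password", b"hellokitty", b"kitty2015"]


def crack_unsalted(leaked: Dict[str, str], wordlist: Iterable[bytes]) -> Dict[str, bytes]:
    """Hash each candidate once and look every leaked digest up in the result.
    With no salt, one table serves all users, and users sharing a password
    fall together."""
    table = {hashlib.sha1(word).hexdigest(): word for word in wordlist}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def hash_password(password: bytes, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; stored as iterations$salt$digest so
    the parameters travel with the record and can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: bytes, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_same_hash(password: bytes) -> Tuple[bool, bool]:
    """Two users pick the same password. Returns (unsalted digests equal,
    salted digests equal): the first leaks that fact, the second does not."""
    unsalted_equal = hashlib.sha1(password).hexdigest() == hashlib.sha1(password).hexdigest()
    salted_equal = hash_password(password) == hash_password(password)
    return unsalted_equal, salted_equal
```

The per-user random salt defeats the shared lookup table, and the iteration count makes each guess cost the attacker roughly as much as it costs the server; a memory-hard function such as scrypt or Argon2 is a further step in the same direction.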

Sanrio and the ISP used to host the database were informed of the incident, which is thought to be the result of an improperly configured MongoDB database.

The same misconfiguration has recently caused privacy incidents at several other sites, including MacKeeper (13 million records) and the HIV-positive dating service Hzone.

Given that Hello Kitty is popular with youngsters it’s possible that the personal details of children have been exposed in this incident, just as they were in the major VTech breach recently.

Brian Spector, CEO of internet security firm MIRACL, told Infosecurity that any Hello Kitty fans caught up in this should immediately change their passwords for the site, and any others which they share the same credentials for.

“Businesses should strive to use authentication technologies that eliminate the risk of username/password database breaches,” he added.

Mark James, security specialist at Eset, argued that hackers may have a higher success rate when cashing in on stolen data belonging to children.

“As adults we get inundated with emails to click here or sign up here and most thankfully end up in the recycle bin. But children are a lot more susceptible to that email that reads ‘Click here—for that new in-game item’ or new website that promises to give them something they don’t already have but need to own,” he told Infosecurity.

“The fact that our children are getting their own email addresses and having access to a lot more online devices younger and younger poses a real threat when this type of data is found in the ethers of shady servers or websites.”

It’s also been suggested that identity fraud attacks on kids are more dangerous as parents typically don’t monitor their children’s credit record, so it might not be found out for years.

“Companies need to understand that all data has a value, especially information about minors. I know it’s easy to state that an adult must help you sign up and a minimum age is required to use your services but when has that ever stopped someone?” argued James.

“Yes, we are responsible for our children, but you are also responsible for doing as much as you possibly can to protect that data if you’re going to request and store it electronically.”

Photo © dean bertoncelj

Source: Information Security Magazine

Facebook Shuns Buggy Flash in Favor of HTML5

Momentum continues to build against Adobe Flash after Facebook announced it had switched to HTML5 for videos on its site.

The social network’s Daniel Baulig explained in a blog post that the change had now been shipped to all browsers by default.

Using HTML5 means faster development as Facebook programmers don’t have to recompile code and can apply changes directly in the browser, he argued.

It also lets the development team use web testing tools such as Jest and WebDriver, while supporting accessibility requirements for visually impaired users.

It wasn’t all plain sailing though. Initially Facebook found that old browsers actually performed worse on HTML5 than Flash, although continuous development enabled it to fix these bugs.

Other development challenges included slow page loading times and video page logging issues, Baulig explained.

However, HTML5 is very much the preferred choice today over Flash player.

“Not only did launching the HTML5 video player make development easier, but it also improved the video experience for people on Facebook. Videos now start playing faster. People like, comment, and share more on videos after the switch, and users have been reporting fewer bugs,” said Baulig.

“People appear to be spending more time with video because of it. Videos are an enriching way to connect with the world around you, and we're happy we could make the Facebook video experience better.”

This is not the end of Facebook and Adobe’s relationship: the social network still uses Flash for gaming on its platform.

However, its decision on videos is yet another nail in the coffin for the bug-ridden Flash platform.

The news follows YouTube’s decision to drop Flash in favor of HTML5 at the beginning of the year.

The most recent Patch Tuesday saw Adobe release fixes for a whopping 78 bugs in Flash player.

Photo © Verticalarray

Source: Information Security Magazine

Sophos Boosts Endpoint Protection Suite with SurfRight Acquisition

Sophos has announced the acquisition of Dutch endpoint security vendor SurfRight to boost its endpoint protection capabilities.

A provider of signature-less endpoint threat detection and response, SurfRight offers a portfolio of behavioral technologies which prevent, detect and remediate zero-day and sophisticated attacks by interrupting malware and advanced persistent threat (APT) vectors.

SurfRight's real-time anti-exploit technology focuses on detecting and preventing the memory manipulation that allows malicious code to run in the first place. In particular, its HitmanPro.Alert 3 is designed to stop threats before they emerge and aims to protect vulnerable software, data and identity against current and future attacks without requiring prior knowledge of the attack or malicious program.

This acquisition will boost Sophos’ endpoint protection portfolio by adding new defense tactics, delivered both on premises and in the cloud, and Sophos will integrate the SurfRight technology into its line of endpoint security solutions. This technology will then be available via its global network of 15,000+ channel partners.

SurfRight's technology will also further enhance Sophos' synchronized security strategy, in which multiple components of security protection, including network security and endpoint security, actively and continuously communicate with each other to create faster threat detection.

Kris Hagerman, CEO of Sophos, said:  “SurfRight is a growing, profitable business with an established customer base and proven security capabilities. The team has engineered powerful, innovative next-generation endpoint technologies that provide multiple advanced protection and mitigation elements, and yet are simple to use.

“SurfRight's products embody the same product vision we have at Sophos – that even the most advanced IT security products should be simple to deploy and manage by organizations of any size. We are excited to welcome SurfRight to Sophos and look forward to introducing the benefits of this leading-edge technology to our global customer and partner base.”

SurfRight CEO Mark Loman will join the Sophos Enduser Security Group, reporting to Dan Schiappa, senior vice president of Enduser Security at Sophos. Loman said:  “Sophos offers SurfRight the opportunity to be part of a high-growth industry leader with a world-class channel and specialized product development teams to accelerate the delivery of our technology into IT organizations of all sizes.

“We built this new technology from the ground up to address every vector of an APT attack in an auto-responding, coordinated manner, thus enhancing the speed of detection and response. SurfRight's unique next generation endpoint security software complements Sophos' offerings and delivers advanced security capabilities to better protect businesses worldwide.”

Source: Information Security Magazine

Juniper Issues Emergency Advisory After Rogue Backdoor Code Discovered

Juniper Networks has issued a statement regarding suspicious code found in its ScreenOS software.

In a post by SVP and Chief Information Officer Bob Worrall, the company said that during a recent internal code review it discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and, separately, to decrypt VPN connections.

“Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS,” he said.

“At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority.”

Juniper claimed that there were two independent issues regarding the unauthorized code: the first issue allows unauthorized remote administrative access to the device over SSH or telnet, and exploitation of the vulnerability can lead to complete compromise of the affected system. The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic.

Devices running Junos are not affected. Juniper stated that all NetScreen devices running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and require patching.

Security researcher "The Grugq" pointed out that the backdoor had been present since late 2012, and can only be fixed by upgrading to the new software version.
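A quick inventory check against the affected ranges Juniper lists above, added here as an example (not Juniper's tooling): parse a ScreenOS version string such as 6.3.0r17 into a comparable tuple and test it against the two ranges. The host names passed to triage are constructed.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as stated in the advisory summary above:
# (major, minor, patch, r-build) inclusive on both ends.
AFFECTED_RANGES = [
    ((6, 2, 0, 15), (6, 2, 0, 18)),
    ((6, 3, 0, 12), (6, 3, 0, 20)),
]

# Matches the "6.3.0r17" form used in the advisory; trailing text is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)")


def parse_screenos_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, build) or None if the string is not a
    ScreenOS version in the expected form."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the affected ranges.
    Unparseable strings are reported as not affected; review them by hand."""
    v = parse_screenos_version(version)
    if v is None:
        return False
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Given (hostname, version) pairs, return the hosts that need patching."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = [("fw-edge-1", "6.3.0r12"), ("fw-edge-2", "6.3.0r21"), ("fw-dc-1", "6.2.0r16")]
    print("patch needed on:", triage(sample))
```

Tuple comparison does the range test lexicographically, so 6.3.0r9 sorts before 6.3.0r12 even though "r9" sorts after "r12" as a string; that is why the build number is parsed as an integer rather than compared as text.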

Source: Information Security Magazine

Target Suffers New Security Headache With Flaws In Christmas App

While it continues to settle with credit card providers and victims of its 2013 breach, Target has experienced a new data security headache courtesy of a mobile app.

According to research from Avast, the Wish List app’s application programming interface (API) is reachable over the internet, requires no authentication and returns user data as JSON to whoever asks for it. “The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated,” Avast researcher Filip Chytry said.

The JSON response Avast retrieved from Target’s API contained users’ names, email addresses, shipping addresses, phone numbers, the type of registry used and the items on each registry.
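The failure Avast describes is an unauthenticated endpoint keyed by a guessable user ID. The following added example (not Target's code; the records, the session store and every name in it are hypothetical) contrasts such a handler with one that requires a session and checks ownership, and shows why a sequential ID is all an attacker needs once authentication is missing.

```python
import json
import secrets
from typing import Dict, Optional, Tuple

# Constructed registry store with hypothetical users. Sequential integer IDs
# are the kind of guessable identifier the researcher describes working out.
REGISTRIES: Dict[int, dict] = {
    1001: {"name": "A. Example", "email": "a@example.com", "phone": "555-0101", "items": ["train set"]},
    1002: {"name": "B. Example", "email": "b@example.com", "phone": "555-0102", "items": ["doll house"]},
    1003: {"name": "C. Example", "email": "c@example.com", "phone": "555-0103", "items": ["bike"]},
}

# Hypothetical session store: bearer token -> registry ID the caller owns.
SESSIONS: Dict[str, int] = {"tok-for-1002": 1002}


def vulnerable_get_registry(user_id: int) -> Tuple[int, str]:
    """No authentication and no ownership check: anyone who can guess an ID
    receives the full record as JSON."""
    record = REGISTRIES.get(user_id)
    if record is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(record)


def enumerate_vulnerable(start: int, stop: int) -> Dict[int, dict]:
    """What an attacker does once IDs are known to be sequential: walk the
    range and keep every 200 response."""
    found: Dict[int, dict] = {}
    for uid in range(start, stop):
        status, body = vulnerable_get_registry(uid)
        if status == 200:
            found[uid] = json.loads(body)
    return found


def hardened_get_registry(user_id: int, bearer_token: Optional[str]) -> Tuple[int, str]:
    """Require a valid session (authentication) and check that the caller owns
    the requested registry (authorization); both are needed."""
    owner_id = SESSIONS.get(bearer_token) if bearer_token else None
    if owner_id is None:
        return 401, json.dumps({"error": "authentication required"})
    if owner_id != user_id:
        # 404 rather than 403 so the response does not confirm that the ID exists.
        return 404, json.dumps({"error": "not found"})
    record = REGISTRIES.get(user_id)
    if record is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(record)


def new_registry_id() -> str:
    """Opaque identifier with 128 bits from the OS CSPRNG. This removes cheap
    enumeration but is not a substitute for the ownership check above."""
    return secrets.token_urlsafe(16)
```

The ownership check is the fix; the random identifier only raises the cost of guessing, and a registry that is meant to be shared by link still needs an explicit sharing rule rather than relying on the ID staying secret.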

Target later said that it had suspended elements of the app while developers investigate the problem.

The Avast researchers also analyzed another Christmas app from Walgreens and found it required a large number of unnecessary permissions, including permission to change audio settings, pair with Bluetooth devices, control the flashlight and run at start-up.

Source: Information Security Magazine

Researchers Find Major Security Flaws in Parking Apps

Several smartphone parking applications contain serious vulnerabilities that could allow an attacker to mount a man-in-the-middle (MITM) attack against their users and ultimately gain unauthorized access to the device, new research has found.

Information assurance firm NCC Group tested six popular but unnamed Android apps, some with an installed base of 5,000 to 10,000 users and others with up to one million registered users.

Although most of the apps used TLS to encrypt sensitive data sent to the server, none validated the certificate the server presented, so an attacker running an intercepting proxy could present a certificate of their own and read or modify the traffic.

One vendor had even built its own encryption scheme, but embedded the keys in the application code, where they were easily recovered by decompiling the app.

Another confirmed the username and password via email—again meaning a hacker connected to the same network could intercept and recover these details.

However, NCC Group security consultant, Chris Spencer, clarified that MITM attacks can work only if the hacker has some control over the same network the vulnerable device is connected to—for example via unsecured Wi-Fi.

“Since most of the time parking applications will be used when connected to mobile data connections, the likelihood of these attacks may be reduced (although it is possible for an attacker to create a fake GSM base station),” he explained.

“There are circumstances where a user of the application may be connected to public Wi-Fi, however, such as when extending a parking stay from a restaurant or coffee shop. Be careful when using any type of mobile application that may expose sensitive data when connected to a potentially unsecure network.”

Other security oversights included allowing passwords or PINs to be stored on the device to enable “auto-log-in.”

“This feature isn't generally a good idea, mainly as the password may not be stored securely,” wrote Spencer. “In fact, one of the applications stored the password for the system (unencrypted) in the application's private data directory on the phone.”

File traversal vulnerabilities made it possible for the NCC Group testers to access private data directories, on one occasion enabling them to recover an unencrypted password stored there.

However, the research did point to some good security practice among the app developers studied, for example hashing any data stored on the device with a recognized algorithm.

NCC Group recommended developers of parking applications use securely configured TLS to encrypt data sent to the server; use the latest Android API version; use certificate pinning to mitigate the risk of MITM on TLS; and avoid exporting Android components if possible, among other steps.
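The first and third recommendations can be shown in a few lines. This added example is not NCC Group's or any vendor's code, and it uses Python's ssl module rather than Android's networking stack, so the idea carries over but the API does not: the insecure context reproduces what the tested apps effectively did, the hardened one verifies the chain and the hostname, and pin_matches enforces a whole-certificate SHA-256 pin on top of that verification. The FAKE_DER bytes and the connect_pinned helper are assumptions for illustration.

```python
import hashlib
import socket
import ssl
from typing import Iterable


def insecure_context() -> ssl.SSLContext:
    """What the vulnerable apps effectively did: encrypt to whoever answers.
    An intercepting proxy presenting any certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the chain against the platform trust store, check the hostname,
    and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate (a whole-certificate pin)."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: Iterable[str]) -> bool:
    """Pin check applied after normal chain validation has passed: the peer
    certificate must be one of the expected ones. Ship at least one backup pin
    so a routine certificate rotation does not lock every user out."""
    return cert_fingerprint(der_cert) in {p.lower() for p in pins}


def connect_pinned(host: str, port: int, pins: Iterable[str]) -> ssl.SSLSocket:
    """Open a verified TLS connection, then enforce the pin. Hypothetical helper:
    it performs network I/O and is not exercised offline."""
    raw = socket.create_connection((host, port), timeout=10)
    tls = hardened_context().wrap_socket(raw, server_hostname=host)
    if not pin_matches(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return tls


# Constructed stand-in for a DER certificate; any byte string works for the
# pin arithmetic, which is all that can be demonstrated without a server.
FAKE_DER = b"\x30\x82constructed-not-a-real-certificate"
```

Pinning the whole certificate is the simplest form and breaks on every renewal; pinning the subject public key (SPKI) survives renewals that keep the key, at the cost of parsing the certificate, which the standard library does not do for you.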

Photo © smuay

Source: Information Security Magazine

NCA Leads International Cybercrime Exercises

The UK’s National Crime Agency (NCA) has hosted a major international cybercrime response exercise designed to test how effectively multiple agencies can react to a simulated cyber attack.

Exercise Silver Shadow was funded by the Foreign and Commonwealth Office (FCO) with backing from the Home Office, with officers from the FBI as well as Bulgaria, Georgia, Lithuania, Moldova, Romania and Ukraine taking part.

The exercise was an opportunity to assess their ability to respond collectively to an incident at a fictitious international petroleum company, whilst building stronger inter-agency partnerships in the process.

Silver Shadow took place over the week of 30 November at the Cabinet Office’s Emergency Planning College in North Yorkshire, which is run by the private sector firm Serco.

Serco’s cybersecurity training and exercise platform cybX was used to stage the exercise, which also featured a representative from Europol’s Joint Cyber Action Taskforce (J-CAT).

The news follows a pilot exercise which was held back in October to assess the ability of the UK’s domestic cybercrime units to respond to an incident.

These included the NCA’s National Cyber Crime Unit and cyber units within the country’s Regional Organised Crime Units (ROCUs), Police Scotland and the Police Service of Northern Ireland (PSNI).

NCCU director, Jamie Saunders, argued that strong international partnerships are at the heart of the unit’s efforts to better combat serious cybercrime threats to the UK.

“Cybercrime is by its very nature international, with many of the criminals and the technical infrastructure they rely upon based overseas, and yet its impact is felt by real people and real businesses in communities across the UK,” he added in a statement.
 
“This means that our response has to be capable of linking police colleagues dealing with victims at a local level with law enforcement colleagues in other countries investigating and prosecuting those who may be responsible.”

This isn’t the first time law enforcers from across the globe have come together to fight cybercrime.

The UK took part in a major anti-piracy operation involving 27 countries in the run up to Black Friday.

Photo © Gwoeli

Source: Information Security Magazine

Symantec Tells Google to Distrust Root Cert

Google has moved to ‘distrust’ a Symantec root certificate after the security giant told it that the root will no longer comply with current industry security requirements.

Google software engineer Ryan Sleevi explained in a blog post that the cert in question is one of Symantec’s “Class 3 Public Primary CA” root certificates, which is currently trusted by Chrome, Android and other Google products.

“We are taking this action in response to a notification by Symantec Corporation that, as of December 1, 2015, Symantec has decided that this root will no longer comply with the CA/Browser Forum’s Baseline Requirements,” he wrote.

“As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products.”

Symantec claimed it is planning to use the certificate for purposes other than publicly trusted certificates.

But Google said that by failing to meet the baseline requirements for security and trustworthiness, there is no guarantee that it won’t be used to “intercept, disrupt, or impersonate the secure communication of Google’s products or users.”

“As Symantec is unwilling to specify the new purposes for these certificates, and as they are aware of the risk to Google’s users, they have requested that Google take preventative action by removing and distrusting this root certificate,” said Sleevi.

For its part, Symantec maintains that this is the normal procedure for a legacy certificate, and that website owners shouldn’t be affected.

“Further, Symantec has also indicated that, to the best of their knowledge, they do not believe customers who attempt to access sites secured with Symantec certificates will be affected by this,” Sleevi added.

The news comes after a turbulent few months for the Mountain View neighbors.

Back in September Symantec was forced to sack several employees after subsidiary Thawte issued unauthorized certificates for several Google domains.

Things got worse a month later after it found over 160 rogue certificates had been issued without permission.

As a result, Google said that from 1 June 2016 it will require all Symantec-issued certificates to be logged in Certificate Transparency (CT), the public certificate logging scheme Google championed. Certificates that are not logged “may result in interstitials or other problems when used in Google products,” Sleevi warned.

Abuse of digital certificates and cryptographic keys is fast becoming a favorite strategy for cyber-criminals, according to Kaspersky Lab.

The security vendor claimed last week that the number of new malware files it found this year was down on 2014 volumes because cyber-criminals are changing tactics.

Photo © 360b

Source: Information Security Magazine

Alibaba.com Hit with Widespread Phishing Campaign

A widespread phishing attack is underway, targeting businesses and consumers using Alibaba.com, the China-based e-commerce giant and global trading website.

Comodo Antispam Labs discovered the campaign and said the primary method of attack is an untargeted phishing campaign that employs well-crafted spoofing. The firm explained in an analysis that the fake emails carry the spoofed sender address feedback@service.alibaba.com, so to a business or consumer recipient they appear to come from a legitimate Alibaba address.

The mails ask alibaba.com customers to click on a link to verify their account, in order to “cut down on spam and fraudulent emails.”

In reality these are not legitimate mails from legitimate addresses. They come from cyber-criminals who have set up a fake log-in page; when users log in to “verify” their information, the page harvests the user names and passwords of alibaba.com customers, giving the perpetrators access to their accounts.

The Comodo Antispam Labs team identified the alibaba.com phishing email through IP, domain and URL analysis.
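Comodo says it identified the campaign through IP, domain and URL analysis. The following added example (not Comodo's code) shows the header and link checks a mail filter can apply offline to a message of this kind: alignment between the From domain and the Return-Path domain, the SPF and DKIM verdicts recorded in Authentication-Results by the receiving server, and whether the links point off the sender's domain. The sample message is constructed; only the spoofed From address matches the article, and the relay, recipient and link hosts are invented.

```python
import re
from email import policy
from email.parser import BytesParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above. The From
# address is the spoofed one from the article; everything else is made up.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: Alibaba Service <feedback@service.alibaba.com>
To: buyer@example.com
Subject: Verify your account to cut down on spam and fraudulent emails
Content-Type: text/html

<html><body>
Please <a href="http://alibaba-verify.example.org/login">verify your account</a>.
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Crude last-two-labels comparison. Assumption: no public suffix list is
    available offline; a real filter should use one."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def extract_addr_domain(header_value: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def analyze(raw: bytes) -> Dict[str, object]:
    """Return the sender domain, link hosts and a list of findings; the
    message is flagged suspicious when any finding is present."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = extract_addr_domain(msg["From"])
    return_path_domain = extract_addr_domain(msg["Return-Path"])
    auth = (msg["Authentication-Results"] or "").lower()

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    links = re.findall(r'href="([^"]+)"', text)
    link_hosts = [urlparse(u).hostname or "" for u in links]

    findings: List[str] = []
    if registrable_domain(from_domain) != registrable_domain(return_path_domain):
        findings.append("Return-Path domain does not align with From domain")
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("SPF failed for the envelope sender")
    if "dkim=pass" not in auth:
        findings.append("no passing DKIM signature")
    for host in link_hosts:
        if registrable_domain(host) != registrable_domain(from_domain):
            findings.append("link points off-domain: " + host)

    return {
        "from_domain": from_domain,
        "link_hosts": link_hosts,
        "findings": findings,
        "suspicious": bool(findings),
    }
```

None of these checks is decisive on its own (legitimate bulk mail often has a third-party Return-Path), which is why the verdict combines them; the From/link-domain mismatch is the one that most reliably separates this campaign from real Alibaba notifications.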

The attack uses a fairly common approach and shows once again that phishers know how to use social engineering. As in the recent spear-phishing campaign in which users were targeted with emails crafted to look like terror alerts from law enforcement agencies, spoofing a trusted sender features prominently.

In that case, the mails were spoofing the Dubai Police Force with attachments disguised as valuable tips on how recipients could protect themselves, their companies and families from a nearby terror attack.

“Cybercriminals are getting more and more creative each day—trying to use breaking news in the world to try and take advantage of businesses and consumers and steal data, passwords and financial information,” said Fatih Orhan, director of technology for Comodo and the Comodo Antispam Labs.

Photo © wk1003mike

Source: Information Security Magazine