Archive for the News Category

Symantec Calls Vulnerability Warning a "Routine Advisory"

Symantec has recommended users update their systems in what it has described as a “routine advisory”.

In an advisory, Symantec warned that the management console for its Symantec Endpoint Protection (SEP) product, known as SEPM, contained a number of security findings that could allow an authorized but less-privileged user to gain elevated access to the console.

“SEPM contained a cross-site request forgery vulnerability that was the result of an insufficient security check in SEPM,” it said. “An authorized but less-privileged user could potentially include arbitrary code in authorized logging scripts. When submitted to SEPM, successful execution could possibly result in the user gaining unauthorized elevated access to the SEPM management console with application privileges.

“There was a SQL injection found in SEPM that could have allowed an authorized but less-privileged SEPM operator to potentially elevate access to administrative level on the application.”

US-CERT also deemed the issue significant enough to publish a notice encouraging users and administrators to review Symantec's advisory and apply the necessary update.

In a statement issued to Infosecurity, the company said: “This is a routine advisory. We recommend customers update to the latest version to keep their information secure.”

Paul Farrington, senior solution architect at Veracode, said that despite SQL injection having been around for more than a decade and regularly featuring on the OWASP Top 10 list, the prevalence of the vulnerability remains disturbingly high, with many businesses leaving themselves exposed to data loss and brand damage.

“Organizations can mitigate SQL injection with the right care and attention. All organizations need to be working to gain full visibility into their web application perimeter and run frequent scans on all existing applications to ensure that it remains protected from the threats that new or changed applications introduce, or from newly-discovered vulnerabilities. Indeed, this case shows that no company is above testing applications for vulnerabilities.”
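The two finding classes Symantec describes above (injection through operator-supplied input, and a state-changing request accepted without a sufficient check) are easiest to see side by side in code. The following is an added example written for this page, not SEPM's own code: an in-memory SQLite store with constructed table names (`operators`, `clients`) stands in for a console's backing database, and the session, cookie and token names are assumptions. The vulnerable and hardened variants of each check sit next to each other so the payload can be run through both.

```python
import hmac
import secrets
import sqlite3


# Constructed in-memory data standing in for a management console's backing
# store. Table and column names are assumptions for this example; nothing here
# is taken from SEPM itself.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE operators (name TEXT PRIMARY KEY, role TEXT, pw_hash TEXT);
        CREATE TABLE clients   (hostname TEXT, group_name TEXT);
        INSERT INTO operators VALUES ('admin', 'administrator', 'sha256$constructed-admin-hash');
        INSERT INTO operators VALUES ('bob',   'limited',       'sha256$constructed-bob-hash');
        INSERT INTO clients VALUES ('ws-101', 'sales');
        INSERT INTO clients VALUES ('ws-102', 'sales');
        INSERT INTO clients VALUES ('srv-01', 'servers');
        """
    )
    return conn


# --- SQL injection: a limited operator filters the client list by group -------

def list_clients_vulnerable(conn, group_name):
    # Operator-controlled text is spliced straight into the statement, so the
    # quote in the payload ends the literal and the rest is executed as SQL.
    sql = f"SELECT hostname, group_name FROM clients WHERE group_name = '{group_name}'"
    return conn.execute(sql).fetchall()


def list_clients_safe(conn, group_name):
    # Parameter binding: the driver passes the value out-of-band, so it is only
    # ever compared as data, whatever characters it contains.
    sql = "SELECT hostname, group_name FROM clients WHERE group_name = ?"
    return conn.execute(sql, (group_name,)).fetchall()


# A UNION payload with the same column count as the original SELECT pulls the
# administrator credential row out through a view the operator is allowed to use.
PAYLOAD = "x' UNION SELECT name, pw_hash FROM operators WHERE role = 'administrator' --"


# --- CSRF: state-changing console request from an authenticated operator -------

def issue_csrf_token(session):
    # Synchronizer token: random, stored server-side, echoed into the form.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_check_vulnerable(session, cookies, form_token):
    # The only "check" is that the session cookie arrived. Browsers attach
    # cookies to cross-site POSTs automatically, so a page on an attacker's
    # site can submit this request on the logged-in operator's behalf.
    return "sid" in cookies and cookies["sid"] == session["sid"]


def csrf_check_safe(session, cookies, form_token):
    # Also require the per-session token in the request body; an attacker's
    # page cannot read it, so it cannot forge the POST. Constant-time compare.
    if cookies.get("sid") != session["sid"]:
        return False
    expected = session.get("csrf_token")
    if not expected or not form_token:
        return False
    return hmac.compare_digest(expected, form_token)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", list_clients_vulnerable(db, PAYLOAD))  # leaks the admin hash row
    print("safe:      ", list_clients_safe(db, PAYLOAD))        # []
    sess = {"sid": "constructed-session-id"}
    issue_csrf_token(sess)
    forged = {"sid": sess["sid"]}  # cookie the browser attaches by itself
    print("forged POST passes weak check:", csrf_check_vulnerable(sess, forged, None))
    print("forged POST passes safe check:", csrf_check_safe(sess, forged, None))
```

The payload works because UNION only needs a matching column count, so a read-only listing that a low-privilege operator is entitled to becomes a channel for any other table in the same database. The fix is not escaping but binding: the value never becomes part of the statement text. For the CSRF side, the weak check fails for the same structural reason the advisory hints at, the request carries nothing an attacker's page could not cause the browser to send.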

Source: Information Security Magazine

US, Israel and UK Strengthen Cyber Cooperation

The US Department of Defense and Israeli Ministry of Defense have entered an agreement to increase cyber-defense cooperation between the nations.

According to Army Technology, representatives discussed a number of ways to further strengthen cooperation on a range of issues, and the deal will see the USA deploy the US National Guard's cyber squadrons against ISIS.

The decision follows a meeting between US Defense Secretary Ash Carter and Israeli Minister of Defense, Moshe Ya'alon, where Carter reaffirmed the unshakeable US commitment to Israel's security and the importance of the US-Israeli defense relationship.

Tim Erlin, director of security and risk at Tripwire, told Infosecurity that information sharing is a key component to successful cyber-defense, whether between corporations or nations.

“The addition of cyber-attacks to theater of war is a growing trend,” he said. “We shouldn’t be surprised that existing international defense cooperation might be extended to this new battlefront.”

Paul Fletcher, cybersecurity evangelist at Alert Logic, said: “It’s possible that there has already been some collaboration between these two military cyber-teams in the past, and this announcement is a way to formalize the relationship and establish specific protocols for communication and information sharing."

“This cooperative partnership shows a maturation of the strategy for the US DoD to partner with foreign governments and acknowledgement of their technical contribution. This is especially interesting to me, a veteran, because several years ago the US DoD wouldn’t consider purchasing from any technology vendors from any foreign country (this policy may have changed by now). To the point that when Check Point Firewall-1 was the leading firewall technology, the US military couldn’t use the product because Check Point was based in Israel. Clearly, this public statement shows the DoD’s willingness to move their cybersecurity capabilities forward and to work together for the greater good.

“Yes, this joint capability will certainly help fight cyber-terrorism threats. It will help just from the perspective of adding more highly skilled cybersecurity professionals in the fight against cyber-terrorists. Only time will tell if this strategy will be more effective than trying to install backdoors in technology.”

The news follows an announcement in February that the UK and Israel planned to extend their cooperation in defending national infrastructure installations from cyber-attacks. According to the Jewish News, the two nations are extending collaboration by strengthening the relationship between their Cyber Emergency Response Teams, and by launching a new academic engagement in the emerging field of cyber-physical security.

Leo Taddeo, chief security officer at Cryptzone, said: “Information and intelligence-sharing are critical to success in cyber-warfare. No single country can collect and process all of the data necessary to maintain strategic and tactical superiority.”

Source: Information Security Magazine

UK Online Banking Fraud Soars 64% in 2015

Online banking and e-commerce fraud both saw major spikes over the past year, growing faster than total payment card fraud, according to the latest industry figures.

The Year-End 2015 Fraud Update from Financial Fraud Action UK revealed that the value of e-commerce fraud jumped 19% from 2014 to 2015 to reach £261.5 million.

When including mail order and telephone fraud – which spiked 22% – the figure for total card not present (CNP) losses amounts to an even higher £398.2m.

Financial Fraud Action UK tried to soften the blow by suggesting the jump in fraud could be explained by an increase in online card spending over the period by 21% to £211 billion.

It’s clear that fraudsters are continuing to exploit the online channel as they have a higher chance of success than with face-to-face transactions.

Bearing this out, fraud on contactless cards and mobile devices – for example those using Apple Pay – amounted to losses of just £2.8 million during 2015, compared to spending of £7.75 billion over the same period.

However, it was online banking that saw the biggest spike in fraud last year. Losses jumped 64% to reach £133.5m in 2015, while the number of reported cases rose only 23%. The gap between the two indicates that criminals are increasingly targeting “high-net-worth and business customers,” the report claimed.

In some good news, however, 40% of losses were recovered after the incident.

Financial Fraud Action UK blamed an increase in phishing, corporate data breaches and “impersonation and deception scams” as the main drivers of the uptick in online fraud.

John Lord, managing director of identity data intelligence firm GBG, argued that a single fraud incident can often have a far reaching impact for the victim as many experience additional problems because a key account gets blocked.

“If someone who recently experienced a card fraud is attempting to make payments to an online retailer, for instance, the organization should be able to request additional, uncompromised personal information in order to authenticate the customer, rather than simply stop the transaction entirely,” he added.

“In the battle against fraud, we actually need access to more personal data – not less. Otherwise how can you validate that what you have been told by the customer is authentic?”

Source: Information Security Magazine

Rights Groups Petition DoJ and FCC on Police Stingrays

Some 45 rights groups have delivered a letter and over 34,000 petition signatures to the FCC and Department of Justice calling on them to investigate the use of controversial mobile phone surveillance technology by law enforcers without a warrant.

The groups have decided to voice their concerns after reports emerged last month that New York police have used International Mobile Subscriber Identity (IMSI) catchers, or ‘stingray’ technology, more than 1,000 times in the past seven years without obtaining a warrant and with no guidelines in place governing their use.

There have also been allegations that law enforcers have used the technology improperly to spy on lawful protesters in violation of their constitutional rights.

Stingrays mimic mobile phone base towers, allowing their operators to locate specific devices/users and intercept communications. More worrying from a privacy perspective is that they also lift data from innocent bystanders.

The letter continued:

“Information about Stingray devices’ use and functions has been routinely withheld from courts and the public, and the numerous privacy and legal concerns raised by these devices have already received significant attention in national media and other outlets … We wish to highlight another serious concern: when used by law enforcement, Stingrays and other surveillance technologies do not affect all Americans equally.”

The letter goes on to allege that tools like this serve to amplify the bias in law enforcement for stopping, searching and monitoring “people of color,” eroding civil liberties.

The DoJ released new guidelines last year stating federal investigators and any local or state police they partner with must obtain a warrant for Stingray use and that procedures must be put in place to prevent unlawful retention of data on innocent bystanders.

However, that doesn’t apply to police departments acting on their own.

“Therefore, the DOJ must take further steps to ensure that all states and localities that deploy Stingrays do so in a way that is transparent, accountable, and consistent with the constitution, and encourage other agencies to put policies in place to minimize harm to historically disadvantaged communities. They could do this by ending the FBI’s practice of requiring state and local law enforcement agencies to sign nondisclosure agreements for Stingrays and could link the agency’s technology funding to a mandate that state and local agencies comply with the DOJ’s Stingray guidance.”

The letter was signed by several high profile rights groups including the EFF and Open Technology Institute.

Source: Information Security Magazine

Cybersecurity Folks Most-Sought After Contractors in the UK

The skills shortage in the IT security field continues to plague businesses that try to keep up with the fast-evolving threat landscape. But those who choose to walk that employment path are finding themselves in the catbird seat: cybersecurity professionals are the most sought-after contractors within the UK’s growing jobs market, according to new research from Sonovate.

Research from the recruitment specialist reveals that overall growth for contract security roles has reached a year-on-year high of 19%, and this level of demand is set to grow by 30% over the course of 2016.

The highest month-on-month demand is for consultants (52%), with network security engineers (26%) and analysts (24%) a close second and third respectively. And they make impressive money: IT security consultants command an average day rate of £539. Information security officers, despite having a more executive role, aren’t that far ahead, at £647 per day.

Engineers meanwhile make around £441 per day and analysts are paid an average of £460.

As for where the jobs are, demand is unsurprisingly the highest in London (45% of recruitment efforts), followed by the southeast of the country (26%), with single-digit demand elsewhere.

The data, based on the number of active roles advertised either directly or via recruitment agencies, highlights that the next most-looked-for skill sets lag behind: No. 2 is for roles in the user experience field (a 17% year-on-year growth), followed distantly by architecture specialists (5% growth).

“IT security has always been important for companies looking to protect their business interests—something which has only been reinforced by the recent spate of high-profile data breaches and cyber-attacks,” said Richard Prime, co-CEO and co-founder of Sonovate. “In addition, changing attitudes to work have resulted in a burgeoning contractor market.”

Prime added: “There’s a real appetite for high-quality contractors at the moment. This research says one thing loud and clear: it’s a great time to be an IT security recruiter, especially one with an eye for opportunity.”

Source: Information Security Magazine

Secunia Spots Over 16,000 Bugs in 2015

Secunia Research last year spotted over 16,000 vulnerabilities across more than 2400 products, with nearly 14% rated “extremely” or “highly” critical, highlighting the increasing pressure IT admins are under to patch systems as soon as possible.

The Flexera Software business’ Vulnerability Review for the year recorded a total of 16,081 bugs in 2484 products from 263 vendors.

This was up from the 15,698 vulnerabilities recorded in 2014, even though the firm cut the number of products (by 36%) and vendors (by 49%) it analyzed to better reflect the environments of its customers.

Some 1114 vulnerabilities were discovered in the five most popular browsers – Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari – and 147 bugs were spotted in the most popular readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.

As in previous years, Secunia also analyzed the Top 50 most popular applications on customers’ PCs.

Last year’s stats highlighted the same issues facing IT administrators; namely that although 84% of vulnerabilities have a patch available on the day of disclosure, the problem is in coping with the disparate security update mechanisms of all of the third party software running in typical environments.

For example, 79% of vulnerabilities came from non-Microsoft products, which have no standardized update system.

Secunia Research director, Kasper Lindgaard, argued that third party software firms could take a leaf out of Microsoft’s book.

“Automated updates for applications in wide use on private PCs is definitely something we recommend,” he told Infosecurity. “For applications in corporate environments, auto-updates are often not applicable.”

In fact, Microsoft fared pretty well in the study, with its products responsible for only 21% of bugs found in the Top 50 applications, despite accounting for 67% of the products themselves.

The number of zero-day vulnerabilities – 25 – was the same as in 2014.

However, this is more likely because zero-days take a lot of time and effort to research, and because attackers are already doing well exploiting known vulnerabilities, than because of any improvement in the quality of coding.

“The majority of successful breaches use publically known vulnerabilities – and as the Vulnerability Review shows, around 85% of all vulnerabilities have a patch available on the day of disclosure,” said Lindgaard.

“This means that IT teams could patch the majority of vulnerabilities, thereby closing the entry points before hackers use them to gain access.”

Source: Information Security Magazine

#Belfast2016: Current IT Security Will Not Work for IoT

The Internet of Things (IoT) is a concept that has snowballed in recent years to become one of the hottest topics of the digital age. Companies and individuals alike rely on connected networks and devices now more than ever, something that is not only becoming more common but also a way of life.

Research by cybersecurity specialist Webroot and data center organization IO recently found that 2016 is going to be a very busy year for IoT in the workplace, with 87% of polled CEOs and senior decision makers saying they plan to introduce IoT-focused strategies into their companies this year. Similarly, more than half of UK businesses intend to employ a chief IoT officer in 2016, signifying just how big an issue it has become.

However, speaking at the CSIT World Cyber Security Technology Research Summit 2016, Dr Ulf Lindqvist, Program Director at SRI International, said current IT security techniques will not work for IoT services, suggesting there is a lot of work to do to secure the IoT.

Dr Lindqvist argued a key factor in this is a lack of clarity regarding who is responsible for governing IoT devices.

“Depending on what kind of device it is we don’t know if it’s the manufacturer that’s supposed to manage it; if it’s the person you sold it to, the vendor, whether it’s the organization or person that deployed it, if it’s the provider of the cloud or back-end communication services, or if it’s the user – who is it really?”

Dr Lindqvist explained his experience in the industry has taught him that good IT security is about separation – chiefly keeping the good things (authorized users) separate from the bad (unauthorized users).

“I learned a long time ago that there are three types of separation that still hold well,” he added. “These are physical, logical and cryptographic.”

The problem is that users see a lot of value in connecting things, which is the driving force behind the IoT and runs directly counter to the security need to keep things separate; that tension creates the challenges we now face.

“If we look at what we are doing today to keep IT systems secure, it turns out that many of those things will not work for the Internet of Things,” Dr Lindqvist said.

“Today we do frequent patching and updates of our IT systems, we rely on secure configurations and we have all kinds of add-on security products which keep the cybersecurity industry alive and well,” but all of these can be very difficult to implement for a large distributed network of various devices.

“There’s some urgency here,” he continued. “The time is now to do something about this, and the reason for that is IT security in the cloud is really critical because it will soon impact everyone all of the time.”

Dr Lindqvist said to tackle the issue we must address the fact that IoT developers and integrators currently lack the knowledge, experience, standards and tools to provide security and privacy. 

“We feel that we need to fill that gap and bring the best of security to developers so they can get hands-on tools to use in their daily work,” he added.

After all, “Today’s future tech is tomorrow’s legacy” and it’s something we have to protect.

Source: Information Security Magazine

Rights Groups Urge Privacy Shield Rethink

Some of the world’s biggest rights groups have urged European policy makers to send the recently negotiated Privacy Shield agreement between the EU and US back to the drawing board.

The call came in the form of an open letter to the chairman of the European Commission’s Article 29 Working Party; the chair of the Committee on Civil Liberties, Justice, and Home Affairs; justice commissioner Vera Jourová; and the ambassador and permanent representative of the Netherlands to the EU.

Unless there are substantive reforms to the agreement – which superseded the long-running Safe Harbor deal on data sharing between the two regions – then it will put users at risk, undermine the digital economy and perpetuate human rights violations occurring as a result of surveillance programs, it argued.

The letter continues:

“The Article 29 Working Party thoughtfully outlined four key conditions for an agreement to meet the standards of European legislation and guarantee the protection of human rights in intelligence activity, including clarity of law, use of human rights standards, incorporation of independent oversight, and availability of effective remedy. Unfortunately, the Privacy Shield manifestly fails to provide for these objectives.”

The rights groups’ main beef appears to be that the “same inadequacies in US law” mean EU citizens still don’t know what will happen to their data if it’s transferred to a datacenter across the Atlantic.

The US “continues to deny the relevance and application of the internationally-accepted standards of necessity and proportionality in its surveillance operations,” and the oversight mechanism established by the new deal is neither independent nor has enough power to investigate complaints properly, they argued.

What’s more, individuals aren’t even informed when their personal info is “collected, disseminated, or used” under the terms of the deal, so it would be difficult for them to seek any remedy.

The group argued that the Privacy Shield should be contingent on the US reforming its surveillance laws within a “reasonable time” to limit the scope of collection of “foreign intelligence information” and end indiscriminate surveillance.

Also needed are increased protections for personal data used commercially, in line with the rulings of the Court of Justice of the European Union (CJEU), and “provisions to ensure appropriate redress and transparency.”

Privacy International, the Electronic Frontier Foundation, American Civil Liberties Union (ACLU), and Amnesty International USA are just some of the 27 names which have signed the letter.

However, given the agreement has taken over two years to thrash out, and the US’s intransigence on surveillance activities, it’s unlikely to have a major impact.

It should be noted that the group argued that its points still stand even though much of the detail of Privacy Shield has yet to be revealed, simply because the same inadequacies in US law exist as they did when the CJEU effectively scuppered Safe Harbor in its landmark ruling last year.

Source: Information Security Magazine

Celebgate iCloud Hacker Pleads Guilty

A 36-year-old Pennsylvania man has pleaded guilty to hacking the iCloud and Gmail accounts of over 100 celebrities after phishing their details.

A Department of Justice statement on Tuesday said that Ryan Collins of Lancaster in the Keystone State pleaded guilty to a violation of the Computer Fraud and Abuse Act: one count of “unauthorized access to a protected computer to obtain information.”

In reality, what that means is that from November 2012 until the beginning of September 2014 he engaged in a long-running phishing campaign targeting various celebrities.

Collins is said to have sent them phishing emails purporting to come from Apple or Google, requesting their log-in details.

With these usernames and passwords he was then able to access at least 50 iCloud accounts and 72 Gmail accounts, most of which belonged to female celebrities, and download any nude photos or videos he came across.

It is claimed he also used an unnamed software program to download the entire contents of some celebs’ iCloud back-ups.

However, curiously, although Collins was brought to justice on the back of an investigation launched into the so-called “Celebgate” leaks of 2014, officers haven’t yet uncovered any evidence that he shared or uploaded the information.

Although the crime Collins has pleaded guilty to carries a statutory maximum sentence of five years, the parties involved have agreed a term of 18 months, the DoJ statement said.

“By illegally accessing intimate details of his victims' personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity,” said David Bowdich, assistant director in charge of the FBI’s Los Angeles Field Office.

“We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information.”

Speculation was rife at the time of the leaks that an individual had brute-forced the accounts, but now it seems that wasn’t the case unless other parties were involved.

Either way, it remains the case that if Apple had mandated two-factor authentication for iCloud access then the accounts would probably have remained secure.

Source: Information Security Magazine

#Belfast2016: Many Orgs Still View Cyber-attacks as 'Taboos'

“Business is not set up to talk about cybercrime in anything like the way it should be.”

These were the words of keynote speaker Guy Wakeley, CEO of Equiniti, at the CSIT World Cyber Security Technology Research Summit 2016 in Belfast.

In his presentation, Wakeley argued that despite the various challenges that businesses now face to prevent cybercrime, attacks are still considered a ‘taboo’ subject within organizations.

He explained that companies are having to cope with fast, widespread changes across the macro environment, chiefly in computing power, and that this growth has created many security difficulties.

“Our banking systems [for example] are interconnected in a way that’s frightening, we have markets that settle in milliseconds, we have cash moving around the world in the twinkling of an eye. Our markets are immediate and that immediacy drives trading algorithms and drives growth.”

“But it also drives problems, and when things go wrong, they go wrong very quickly.”

“We are now at an age where your whole organization can be eradicated and eliminated by the actions of one individual,” he added.

Despite this, many companies still refuse to openly discuss the issue of cyber-attacks, missing the opportunity to use collaboration to help grow and develop stronger, wiser security.

“Businesses are incredibly reluctant to talk about cyber-attacks. My business has been attacked; my business gets attacked most days, if not every day. We haven’t lost any data, yet; we haven’t lost any money, yet – but we might do, and when I look at notable cyber-attacks in the public domain, the depth and the severity of those attacks and most importantly the way businesses have tried and failed to deal with the reputational issues of those attacks is a massive issue.”

“We need to collaborate more; we need to be open about what’s happening, we need to share our experiences, we need to leverage the resources of academia and the broader computer science environment to make sure these cyber-attacks don’t hit us.”

Source: Information Security Magazine