Roundup: Here's a quick Monday summary of recent infosec news, beyond what we've already reported.…
DXC Technology is sending hundreds of security personnel from its Americas division down the redundancy chute and offshoring some of those roles to low-cost centres, insiders are telling us.…
Posted by xen1thLabs on Jun 24: XL-19-008 - ABB IDAL FTP Server Path Traversal Vulnerability
Posted by xen1thLabs on Jun 24: XL-19-012 - ABB IDAL HTTP Server Uncontrolled Format String Vulnerability
Posted by xen1thLabs on Jun 24: XL-19-009 - ABB HMI Hardcoded Credentials Vulnerability
Posted by xen1thLabs on Jun 24: XL-19-004 - ABB IDAL FTP Server Uncontrolled Format String Vulnerability
Posted by xen1thLabs on Jun 24: XL-19-010 - ABB IDAL HTTP Server Authentication Bypass Vulnerability
Posted by xen1thLabs on Jun 24: XL-19-005 - ABB HMI Absence of Signature Verification Vulnerability
Posted by xen1thLabs on Jun 24: XL-19-011 - ABB IDAL HTTP Server Stack-Based Buffer Overflow Vulnerability
Posted by xen1thLabs on Jun 24: XL-19-007 - ABB IDAL FTP Server Buffer Overflow Vulnerability
Posted by Apple Product Security via Fulldisclosure on Jun 24: APPLE-SA-2019-6-20-1 AirPort Base Station Firmware Update 7.8.1
Posted by xen1thLabs on Jun 24: XL-19-006 - ABB HMI Outdated Software Components
Posted by XORcat on Jun 24: Original posting: https://xor.cat/2019/06/19/fortinet-forticam-vulns/
Posted by Henri Salo on Jun 24: Please use CVE-2019-12935 for this vulnerability.
Posted by gionreale on Jun 24: Quarking Password Manager 3.1.84 suffers from a clickjacking
Posted by aaron bishop on Jun 24: BlogEngine.NET, versions 3.3.7 and earlier, are vulnerable to an
Andrew Wertkin, CTO of BlueCat Networks, returns to the podcast to discuss a new and hotly contested privacy technology called DNS over HTTPS (DoH), the ethical and procedural issues around DoH, and how it may change the way infosec professionals work. In the podcast, Wertkin and host Chris Sienko discuss: – Can you explain DNS […]
The post DoH! Will the new protocol change how infosec professionals work appeared first on Infosec Resources.
This week, we welcome Vivek Ramachandran, Founder and CEO of the Pentester Academy, to talk about their AttackDefense Labs platform, and how the Pentester Academy is helping thousands of customers from government agencies to Fortune 500 companies! In the second segment, we welcome back Bryson Bort, Founder and CEO of Scythe, to talk about purple teaming, top attack simulation scenarios, and testing command and control channels! In the Security News, how not to prevent a cyberwar with Russia, the case against knee-jerk installation of Windows patches, U.S. Customs and Border Protection data breach is the result of a supply chain attack, and a phishing scam that hacks two-factor authentication!
To learn more about SCYTHE, visit: https://securityweekly.com/scythe
Full Show Notes: https://wiki.securityweekly.com/Episode609
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Posted by Micah Wiseley on Jun 21: Full Disclosure
This week, we welcome Bryan Warren, President and Chief Consultant at WarSec Security, to talk about the Challenges of Healthcare Security! In our second segment, we'll talk about the challenges of inheriting someone else's code! In the Enterprise News, Docker desktop for Windows 10 will soon switch to WSL 2, Netskope introduces Zero-Trust secure access to private enterprise applications, 10 notable security acquisitions of 2019, and can your patching strategy keep up with the demands of open source?
Full Show Notes: https://wiki.securityweekly.com/ES_Episode142
Visit https://www.securityweekly.com/esw for all the latest episodes!
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a cyberespionage campaign targeting Middle Eastern countries and a botnet malware that infiltrates containers via exposed Docker APIs.
The latest FBI Internet Crime Complaint Center (IC3) report paints an accurate picture of the scale of online threats and shows that consumers need to take urgent steps to protect their most sensitive identity and financial data from online attackers.
Trend Micro uncovered a cyberespionage campaign targeting Middle Eastern countries and named it “Bouncing Golf” based on the malware’s code in the package named “golf.”
Trend Micro announced it has blocked 5 million attempted cyberattacks against IP cameras in just five months. Through its strategic partnership with VIVOTEK, Trend Micro’s IoT security solutions are embedded in globally deployed IP cameras to provide superior protection.
Trend Micro details an attack type where an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community allows attackers to infiltrate containers and run a variant of the Linux botnet malware AESDDoS.
A ransomware attack in May prevented the Baltimore City and County governments from mailing the annual water and sewage bills to residents, because the attack left them unable to verify accounts that showed abnormally low or no water consumption in 2018.
Hackers have targeted the gaming industry by carrying out 12 billion credential stuffing attacks against gaming websites in 17 months, according to a new report by internet delivery and cloud services company Akamai.
A Netflix researcher uncovered four critical vulnerabilities within the TCP implementations on Linux and FreeBSD kernels that are related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities.
Oracle published an out-of-band security alert advisory on CVE-2019-2729, a zero-day deserialization vulnerability that could allow remote attackers to execute arbitrary code on targeted servers.
Xenotime, the hacking group behind intrusions targeting oil and gas facilities, has started probing the industrial control systems (ICSs) of power grids in the U.S. and the Asia-Pacific region, researchers reported.
US medical bill and debt collector American Medical Collection Agency (AMCA) has filed for bankruptcy protection in the aftermath of a disastrous data breach that resulted in the theft of information from clients including Quest Diagnostics, LabCorp, BioReference Laboratories and more.
Trend Micro observed a new cryptocurrency mining botnet that arrives via open ADB (Android Debug Bridge) ports and can spread from an infected host to any system that has had a previous SSH connection with the host.
Multiple groups are launching attacks against exposed Exim mail servers, trying to exploit a vulnerability that could give them permanent root access.
Riviera Beach is paying $600,000 in Bitcoins to a hacker who took over local government computers after an employee clicked on a malicious email link three weeks ago.
Are you up-to-date on the best ways to lower the risk of hackers accessing your personal data? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Cyberespionage Campaigns and Botnet Malware appeared first on .
A while back, Rik & Kasia Ferguson shared their thoughts on the movie, “Unfriended: The Dark Web.” The dark web and technology in general plays a pivotal role in the movie’s plot, so the team decided it would be interesting to have a real-world expert review.
Everyone had a lot of fun, and thus Trend Micro movie reviews were born. I was “fortunate” enough to get the next call. The downside? The movie is, “Child’s Play” and I don’t do horror movies well.
Opening night, I powered through, watched the movie and was…pleasantly surprised?
Was there too much gore and violence? Absolutely. However, the movie was a lot better than I expected, with an eerie performance by Mark Hamill as the voice of Chucky. Aubrey Plaza, as Karen, played her role well, which added the only real-relatable character of any depth beyond Chucky.
How does this movie rate in the horror genre? No idea. What I do know is that I enjoyed it more than I expected—which was, an admittedly low bar—and found myself entertained for the duration.
[ Spoilers ahead : scroll down if you’re ok with that ]
Unlike the original entries in the series, this edition brings Chucky into the 21st century. Chucky is no longer a demonically possessed doll, but a blank slate in the form of a nascent AI in a robotic toy doll.
Like any machine learning model, the AI starts out untrained: it needs training data before it produces any behaviour at all. In Chucky’s case, he is a unique instance of the “Buddi” product.
In a classic insider supply chain attack, a QA employee is fired by an overly abusive boss, but before he’s removed from the property, the employee is ordered to finish one last Buddi doll: Chucky.
This employee modifies Chucky’s code to remove any boundary checking for his core behaviours. This creates a truly unbounded, clean slate for the AI that is set out into the world.
Skipping ahead, Chucky is trained on a biased data set. This bias is the naive world view of a group of kids and their run-down neighbourhood. Chucky is exposed to crude humour, horror movies and heated emotional commentary…all without the context to process it.
This tunes the AI to generate the psychotic behaviour that fuels the rest of the movie.
One of the features of this 21st century Buddi doll is the ability to control your smart home. Think of the doll like a walking Alexa or Google Home. Of course, there’s zero authentication or information security controls in place.
Once he’s synced with the latest update from the cloud, Chucky can simply wave his tiny finger and control the devices around him.
This leads to a number of issues around privacy (in this case, used to increase the suspense and move the plot forward) that mirror cases we’ve seen in the real world.
Third-party access to smart speakers to terrorize unsuspecting victims, remote viewing of private video streams, and manipulation of key devices like thermostats have all happened already in the real world, just not at the hands of rogue AIs.
In the movie’s climax, Chucky really lets loose. He comes into his digital powers and starts to wreak havoc. Our heroes and supporting cast struggle to respond to this maniacal behaviour. The interesting point is that Chucky has developed enough as a character by this point that, from his perspective, the behaviour isn’t maniacal at all. To him, it’s perfectly reasonable. This underscores the fact that an AI is only as good as its training data: a model trained on bad data will not flag its own bad results.
While striving to reach his goal, Chucky—a trusted endpoint in the corporation’s services network—reaches out to all of the compatible devices within his local area.
This type of lateral movement is extremely common in today’s cyberattacks.
The movie presents the issue in an overly dramatic fashion (it is a movie, after all), but the point stands. Most technologies, IoT in particular, are designed around two kinds of endpoint: trusted and untrusted.
Security and privacy controls are then built to keep untrusted endpoints away from trusted ones, while trusted endpoints apply little or no verification when talking to each other.
In “Child’s Play”, this results in disastrous consequences. In the real world, too.
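To make the trusted/untrusted split concrete, here is an added example (my own toy code, not anything from the film, from a real Buddi product, or from any smart-home vendor). Two versions of a home hub relay commands between devices. FlatTrustHub checks only that the sender is on a trusted list, so a compromised doll can unlock the door. ScopedHub gives every device its own key, requires an HMAC over each command, enforces a per-device policy of which targets and actions it may use, and rejects replayed counters. Device names, keys and the policy are invented for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Command:
    """A device-to-device command relayed through the home hub."""
    sender: str
    target: str
    action: str
    counter: int = 0   # per-sender monotonic counter (anti-replay)
    mac: str = ""      # HMAC-SHA256 over the other fields, hex encoded


class FlatTrustHub:
    """The movie's model: any 'trusted' endpoint may command any other one."""

    def __init__(self, trusted):
        self.trusted = set(trusted)

    def handle(self, cmd):
        # The only check is membership in the trusted set: no signature and
        # no per-device policy, so one compromised doll controls the house.
        if cmd.sender not in self.trusted:
            return "rejected: untrusted sender"
        return f"{cmd.target}: {cmd.action}"


class ScopedHub:
    """Each device has its own key and may only issue the actions it needs."""

    def __init__(self, keys, policy):
        self.keys = dict(keys)       # device name -> secret bytes
        self.policy = policy         # device name -> {target: {allowed actions}}
        self.last_counter = {name: -1 for name in keys}

    @staticmethod
    def sign(key, cmd):
        msg = f"{cmd.sender}|{cmd.target}|{cmd.action}|{cmd.counter}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def handle(self, cmd):
        key = self.keys.get(cmd.sender)
        if key is None:
            return "rejected: unknown sender"
        if not hmac.compare_digest(self.sign(key, cmd), cmd.mac):
            return "rejected: bad signature"
        if cmd.counter <= self.last_counter[cmd.sender]:
            return "rejected: replay"
        allowed = self.policy.get(cmd.sender, {}).get(cmd.target, set())
        if cmd.action not in allowed:
            return "rejected: sender not authorized for this target/action"
        self.last_counter[cmd.sender] = cmd.counter   # only advance on success
        return f"{cmd.target}: {cmd.action}"


def build_scoped_hub():
    """Invented devices, keys and policy for the demonstration."""
    keys = {"buddi": b"buddi-device-secret", "phone": b"owner-phone-secret"}
    policy = {
        "buddi": {"speaker": {"play", "stop"}, "lights": {"on", "off"}},
        "phone": {"front_door": {"lock", "unlock"}, "thermostat": {"set"}},
    }
    return ScopedHub(keys, policy)


def signed(hub, sender, target, action, counter):
    """Build a command the way the legitimate sender would (it holds its own key)."""
    cmd = Command(sender, target, action, counter)
    cmd.mac = ScopedHub.sign(hub.keys[sender], cmd)
    return cmd


if __name__ == "__main__":
    flat = FlatTrustHub(["buddi", "phone"])
    print(flat.handle(Command("buddi", "front_door", "unlock")))        # accepted: lateral movement

    hub = build_scoped_hub()
    print(hub.handle(signed(hub, "buddi", "speaker", "play", 1)))       # accepted
    print(hub.handle(signed(hub, "buddi", "front_door", "unlock", 2)))  # rejected: out of policy
    print(hub.handle(signed(hub, "buddi", "speaker", "play", 1)))       # rejected: replay
```

The key design point is that a compromised doll in the scoped model gains only what the doll itself was ever allowed to do; it cannot forge commands from the phone because it does not hold the phone's key, and it cannot reuse a captured command because the counter has already been consumed.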
The movie is a stark—and bloody—reminder that networks and systems need visibility across all endpoints and layers and layers of security and privacy controls.
The way the movie leverages poor AI training, a lack of IoT security, and lateral movement techniques is intriguing, but what really caught my attention is the larger trend within the horror and suspense genre.
Films are moving away from fantasy and otherworldly villains to digital ones. That’s a reflection of how big a role technology plays in our lives, as well as the general lack of deep understanding of how it works.
For me—and the security community—that’s a big challenge: helping people understand cybersecurity and privacy in context.
If you’re looking for a fun suspense film with a technology slant, I would—shockingly— recommend watching this movie. As long as you have realistic expectations and remember that breaking most current IoT security is…child’s play.
[ Sorry, couldn’t resist ]
The post Movie Tech Review: Child’s Play 2019 appeared first on .
Many enterprises today have inadvertently exposed proprietary information by failing to properly secure data stored in public cloud environments like AWS, Azure, and GCP. And while cloud computing has streamlined many business processes, it can also create a security nightmare when mismanaged. A simple misconfiguration or human error can compromise the security of your organization's entire cloud environment.
Whether your whole business or small portions operate in the cloud, it’s imperative to understand the cloud-specific threats facing your organization in order to find creative and impactful solutions for remediation and protection. Let’s start by walking through the top security challenges in the cloud today to gain a better understanding of this complicated and ever-evolving landscape.
Top Security Challenges in the Cloud
Top threat: Phishing
Phishing is one of the most common threats in the cloud today. A typical campaign uses PDF decoys hosted in public cloud storage and delivered as email attachments that claim to carry legitimate content, such as an invoice or an employee directory. Because the malicious pages are served from public cloud domains, they fool users into thinking they are dealing with a legitimate entity, such as Microsoft, AWS, or Google. Recipients then save the decoys to cloud storage services like Google Drive, and once those files are shared, the lure propagates within the organization: a cloud phishing fan-out. In a matter of minutes, a legitimate user’s account can be compromised and used as part of the phishing campaign, which is far harder to detect and mitigate than mail from an outside sender.
Top threat: Cryptojacking
Cryptojacking occurs when a nefarious actor uses your public cloud compute resources without your authorization. Such attacks are indifferent to device type, service, or OS, making them especially dangerous. What’s more, because such attacks usually appear to be coming from legitimate users, they often go undetected for quite some time, allowing the actors to execute a number of attacks under the radar.
A deeper understanding of these threats is critical, but it doesn’t solve the problem. So, where do we go from here? Below are my recommendations on steps for combating the above risks (and others) in the cloud.
Recommendations for Better Cloud Security
Assess Your Risk Exposure
Organizations must deploy a real-time visibility and control solution that covers both sanctioned and unsanctioned accounts, so they can continuously assess the security posture of every IaaS account and see what is happening in each. You must also track administrator activity using logging services like Amazon CloudTrail and Azure Operational Insights to record everything that goes on in an environment. Additionally, consider deploying an IaaS-ready DLP solution to prevent sensitive data loss from web-facing storage services, like AWS S3 and Azure Blob. And lastly, get real-time threat and malware detection and remediation for IaaS, SaaS, and Web. It’s imperative to continuously monitor and audit IaaS security configuration against standards and best practices, so that the bad guys do not slip in and fly under the radar.
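As an added illustration of the admin-activity tracking recommended above (my own example code, not a Netskope product or anything from the article), here is a small audit pass over CloudTrail records. It flags three things a posture check should never miss: a bucket ACL that grants access to everyone, an API call that switches trail logging off, and root-account activity (with whether MFA was used). The sample records are constructed for the example with invented users, account numbers and addresses; the field names follow the documented CloudTrail record format.

```python
import json

# Constructed sample (invented values). Four records: a bucket made
# world-readable, trail logging switched off, a root console login without
# MFA, and one benign read-only call that should produce no finding.
SAMPLE_TRAIL = r'''
{"Records": [
  {"eventTime": "2019-06-21T09:12:03Z", "eventSource": "s3.amazonaws.com",
   "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
   "requestParameters": {"bucketName": "acme-customer-exports",
     "AccessControlPolicy": {"AccessControlList": {"Grant": [
       {"Grantee": {"xsi:type": "Group",
                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
        "Permission": "READ"}]}}}},
  {"eventTime": "2019-06-21T09:40:51Z", "eventSource": "cloudtrail.amazonaws.com",
   "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"}},
  {"eventTime": "2019-06-21T11:02:17Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44",
   "userIdentity": {"type": "Root", "userName": "root"},
   "additionalEventData": {"MFAUsed": "No"},
   "responseElements": {"ConsoleLogin": "Success"}},
  {"eventTime": "2019-06-21T11:05:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "userName": "alice"}}
]}
'''

# Grantee URIs that make an S3 ACL world- or all-AWS-users-accessible.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# API calls that disable or narrow what CloudTrail records.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _grants(record):
    """Return the ACL grants in a PutBucketAcl record as a list (possibly empty)."""
    params = record.get("requestParameters") or {}
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    grants = acl.get("Grant") or []
    return grants if isinstance(grants, list) else [grants]


def audit(records):
    """Return (rule, eventName, detail) findings for a list of CloudTrail records."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity") or {}
        who = ident.get("userName", "?")
        src = rec.get("sourceIPAddress", "?")
        name = rec.get("eventName", "?")
        if ident.get("type") == "Root":
            mfa = (rec.get("additionalEventData") or {}).get("MFAUsed", "?")
            findings.append(("root_activity", name,
                             f"root account used {name} from {src}, MFAUsed={mfa}"))
        if name in LOGGING_TAMPER:
            trail = (rec.get("requestParameters") or {}).get("name", "?")
            findings.append(("logging_tamper", name, f"{who} called {name} on {trail}"))
        if name == "PutBucketAcl":
            public = [g for g in _grants(rec)
                      if (g.get("Grantee") or {}).get("URI") in PUBLIC_GRANTEES]
            if public:
                bucket = (rec.get("requestParameters") or {}).get("bucketName", "?")
                perms = ",".join(g.get("Permission", "?") for g in public)
                findings.append(("public_bucket", name,
                                 f"{who} granted {perms} to everyone on bucket {bucket}"))
    return findings


def audit_trail_json(text):
    """Parse a CloudTrail log file body and audit its records."""
    return audit(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for rule, event, detail in audit_trail_json(SAMPLE_TRAIL):
        print(f"[{rule}] {event}: {detail}")
```

In practice the same function would be fed from the trail's S3 delivery bucket or from a CloudWatch Logs subscription; the point of the StopLogging rule is that the tampering call itself is recorded before logging stops, so the alert must fire on that record rather than on the silence that follows.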
Protect Sensitive Data from Insider Threats
While it sounds like common sense, many of today’s breaches occur when a user either intentionally or inadvertently shares sensitive information that compromises the security of an organization. To combat this, it’s important to educate all employees of the risks associated with doing business in the cloud. Warn users against opening untrusted attachments and executing files. Teach employees to verify the domains of links and identify common object store domains. Deploy real-time visibility and control solutions, as well as threat and malware detection solutions to monitor, detect, and remediate nefarious activity. And lastly, scan for sensitive content and apply cloud DLP policies to prevent unauthorized activity, especially from unsanctioned cloud apps. People are often the weakest link and proper training and education should be a priority for your business.
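The training advice above (verify link domains and recognise common object-store domains) and the earlier phishing description (lures hosted on public cloud storage) can also be automated on the mail gateway. The following is an added example of my own, not code from the article or from Netskope: it pulls URLs out of a message body, reports those whose host is a public object store, and notes any brand name the link borrows, since a Microsoft or DocuSign lure served from an S3 or Google Cloud Storage hostname is the mismatch users are being taught to spot. The sample message is constructed, and the provider suffixes and brand words are a starting list chosen for the example, not an exhaustive one.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Brand words a lure typically borrows (chosen for the example, not exhaustive).
BRAND_WORDS = ("microsoft", "office365", "onedrive", "sharepoint",
               "docusign", "dropbox", "adobe")

# Constructed sample message: one legitimate portal link and two lures hosted
# on public object stores.
SAMPLE_EMAIL = """Hello,
Your June invoice is ready. View it here:
https://invoices-office365-login.s3.amazonaws.com/secure/index.html
Our customer portal: https://portal.example.com/invoices
A document has been shared with you:
https://storage.googleapis.com/share-docs-8812/DocuSign_Agreement.pdf
"""


def object_store_provider(host):
    """Name the public object store a hostname belongs to, or None."""
    host = (host or "").lower().rstrip(".")
    labels = host.split(".")
    # S3 appears as s3.amazonaws.com, bucket.s3.amazonaws.com,
    # bucket.s3.<region>.amazonaws.com or s3-<region>.amazonaws.com.
    if host.endswith(".amazonaws.com") and any(
            lab == "s3" or lab.startswith("s3-") for lab in labels):
        return "AWS S3"
    if host == "storage.googleapis.com" or host.endswith(".storage.googleapis.com"):
        return "Google Cloud Storage"
    if host.endswith(".blob.core.windows.net") or host.endswith(".web.core.windows.net"):
        return "Azure Blob Storage"
    return None


def triage_links(email_body):
    """Return one finding per URL that points at a public object store."""
    findings = []
    for url in URL_RE.findall(email_body):
        host = urlsplit(url).hostname or ""
        provider = object_store_provider(host)
        if provider is None:
            continue
        lowered = url.lower()
        findings.append({
            "url": url,
            "host": host,
            "provider": provider,
            # brand names in the bucket name or path are the lure signal
            "brand_lure": [b for b in BRAND_WORDS if b in lowered],
        })
    return findings


if __name__ == "__main__":
    for hit in triage_links(SAMPLE_EMAIL):
        print(f"{hit['provider']:<22} {hit['host']:<45} lure={hit['brand_lure']}")
```

A hit on an object-store host is not proof of phishing on its own (plenty of legitimate documents are shared that way), which is why the output keeps the brand-lure list separate: a link that combines a public-storage host with a borrowed brand name is the one to quarantine or route for review.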
Follow Best Practices
Businesses should benchmark their risk and security posture against established standards, such as NIST, CIS, and PCI. Many assessment tools built on these standards report violations and recommend how to remediate them, but you should still understand that customization is key.
In order to thwart exposure, companies must have the capability to look at all cloud environments and perform assessments of how such resources are secured. And remember, every organization is different, and there is no one-size-fits-all approach to proper protection in the cloud. That said, by better understanding the threat landscape (whether within or outside your organization) and putting the proper tools in place, comprehensive cloud security is, indeed, possible.
About the author: Michael Koyfman is a Principal Global Solution Architect with Netskope. In his role, he advises Netskope customers on deployment best practices and on integrating Netskope solutions with the rest of the customer's technology ecosystem.
Copyright 2010 Respective Author at Infosec Island
Zach Kurtz (Statistics Ph.D., CMU 2014) is a data scientist with Carnegie Mellon University's Software Engineering Institute, CERT Division. Zach has developed new evaluation methodologies for open-ended cyber warning competitions, built text-based classifiers, and designed cyber incident data visualization tools. Zach's experience has ranged outside of the pure cybersecurity domain, with research experience in inverse reinforcement learning, natural language processing, and deepfake detection. Zach began his data science career at the age of 14 with a school project on tagging Monarch butterflies near his childhood home in rural West Virginia.
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between June 14 and June 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
TRU06212019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.