SymmetricalDataSecurity: February 2017

Tuesday, February 28, 2017

Shamoon: 特定の組織のみを狙う複数ステージの破壊的攻撃

Palo Alto Q3 outlook disappoints amid execution issues

Palo Alto Networks' third quarter outlook missed expectations and the company said it saw "some execution challenges" that hurt the second quarter results.

The security company reported a second quarter net loss of $60.6 million, or 67 cents a share, on revenue of $422.6 million, up 26 percent from a year ago. Non-GAAP earnings were 63 cents a share in the second quarter.

Wall Street was looking for non-GAAP second quarter earnings of 63 cents a share on revenue of $429.7 million.

CEO Mark McLaughlin said in a statement that "we were disappointed that we came in below top-line expectations due to some execution challenges, which we are moving quickly to address."

As for the outlook, Palo Alto Networks said it expected non-GAAP earnings for the third quarter to be 54 cents a share to 56 cents a share including a 4 cents a share for the acquisition of LightCyber. Revenue for the third quarter will be between $406 million to $416 million, up 17 percent to 20 percent from a year ago.

Wall Street analysts were expecting third quarter non-GAAP earnings of 70 cents a share on revenue of $454.6 million.

Palo Alto launched its next generation security platform during the second quarter. The company also said it will increase its share buyback program by $500 million to a total of $1 billion.

from Latest Topic for ZDNet in... http://ift.tt/2mqqkqX

Labor calls out government for breaching privacy laws amid Centrelink fiasco

MobileIron lands reseller deal with Lenovo

Enterprise mobility management firm MobileIron announced that it has inked a reseller partnership with PC giant Lenovo. Under the deal, Lenovo will resell MobileIron's security and management platform to enterprise customers purchasing Lenovo PCs, tablets, and smartphones.

According to MobileIron, the partnership underscores the massive shift from legacy security tools to EMM for PC management.

"Modern enterprise computing means moving to modern operating systems like Windows 10, Android, and iOS, and using EMM to secure all your devices from mobile to desktops," said MobileIron CEO Barry Mainz. "As the market leader in PC sales, Lenovo is leading that transition on the hardware front and this partnership with MobileIron adds the critical security layer that companies need for modern operating systems."

Mainz is just wrapping up his first year as MobileIron's chief executive, after replacing MobileIron founder Bob Tinker in January 2016. At the time, Mainz said he planned to work to help MobileIron, which went public in 2014, become the "applications and security backbone" for end-user computing. The Lenovo partnership is a certainly a step in that direction.

MobileIron recently expanded its portfolio with the launch of a new Internet of Things division -- a move that's not totally unexpected given Mainz's history in IoT. Before MobileIron, Mainz was the president of Wind River, an Intel subsidiary with various IoT-related products.

from Latest Topic for ZDNet in... http://ift.tt/2m40tDR

USN-3213-1: GD library vulnerabilities

Ubuntu Security Notice USN-3213-1

28th February, 2017

libgd2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

The GD library could be made to crash or run programs if it processed a specially crafted image file.

Software description

libgd2 - GD Graphics Library

Details

Stefan Esser discovered that the GD library incorrectly handled memory when
processing certain images. If a user or automated system were tricked into
processing a specially crafted image, an attacker could cause a denial of
service, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10166)

It was discovered that the GD library incorrectly handled certain malformed
images. If a user or automated system were tricked into processing a
specially crafted image, an attacker could cause a denial of service.
(CVE-2016-10167)

Ibrahim El-Sayed discovered that the GD library incorrectly handled certain
malformed TGA images. If a user or automated system were tricked into
processing a specially crafted TGA image, an attacker could cause a denial
of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and
Ubuntu 16.10. (CVE-2016-6906)

Ibrahim El-Sayed discovered that the GD library incorrectly handled certain
malformed WebP images. If a user or automated system were tricked into
processing a specially crafted WebP image, an attacker could cause a denial
of service, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6912)

It was discovered that the GD library incorrectly handled creating
oversized images. If a user or automated system were tricked into creating
a specially crafted image, an attacker could cause a denial of service.
(CVE-2016-9317)

It was discovered that the GD library incorrectly handled filling certain
images. If a user or automated system were tricked into filling an image,
an attacker could cause a denial of service. (CVE-2016-9933)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:: libgd3 2.2.1-1ubuntu3.3
Ubuntu 16.04 LTS:: libgd3 2.1.1-4ubuntu0.16.04.6
Ubuntu 14.04 LTS:: libgd3 2.1.0-3ubuntu0.6
Ubuntu 12.04 LTS:: libgd2-xpm 2.0.36~rc1~dfsg-6ubuntu2.4; libgd2-noxpm 2.0.36~rc1~dfsg-6ubuntu2.4

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-10166, CVE-2016-10167, CVE-2016-10168, CVE-2016-6906, CVE-2016-6912, CVE-2016-9317, CVE-2016-9933

from Ubuntu Security Notices http://ift.tt/2mC2Njl

Ghost apps live on to torment Android users

IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to various CVE’s

Apache Tomcat prior to version 6.0.48 is susceptible to several vulnerabilities.

CVE(s): CVE-2016-0762, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796, CVE-2016-6797, CVE-2016-6816

Affected product(s) and affected version(s):

· IBM QRadar SIEM 7.2.n

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2l7XBXj
X-Force Database: http://ift.tt/2jew1Gw
X-Force Database: http://ift.tt/2if9bdY
X-Force Database: http://ift.tt/2jeqBvn
X-Force Database: http://ift.tt/2if6ZDc
X-Force Database: http://ift.tt/2ifdg1N
X-Force Database: http://ift.tt/2iIaaqs

The post IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to various CVE’s appeared first on IBM PSIRT Blog.

from IBM Product Security Incident Response Team http://ift.tt/2luRXuJ

IBM Security Bulletin: IBM Java as used in IBM QRadar SIEM and Incident Forensics is vulnerable to various CVE’s

IBM QRadar SIEM and Incident Forensics are vulnerabile to various CVE’s found in IBM Java.

CVE(s): CVE-2016-5597, CVE-2016-5542

Affected product(s) and affected version(s):

· IBM QRadar SIEM 7.2.n

· IBM QRadar Incident Forensics 7.2.n

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2luUwg6
X-Force Database: http://ift.tt/2e5pD2s
X-Force Database: http://ift.tt/2e5s2Ku

The post IBM Security Bulletin: IBM Java as used in IBM QRadar SIEM and Incident Forensics is vulnerable to various CVE’s appeared first on IBM PSIRT Blog.

from IBM Product Security Incident Response Team http://ift.tt/2l7Y7F6

IBM Security Bulletin: OpenSSL as used in IBM QRadar SIEM is vulnerable to various CVE’s

OpenSSL Security Advisory [22 Sep 2016] and [26 Sep 2016] outline several vulnerabilities affecting OpenSSL.

CVE(s): CVE-2016-6302, CVE-2016-2182, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-6306, CVE-2016-2181

Affected product(s) and affected version(s):

· IBM QRadar SIEM 7.2.n

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2luQlkI
X-Force Database: http://ift.tt/2dR4fNY
X-Force Database: http://ift.tt/2dR45pA
X-Force Database: http://ift.tt/2aPXjQq
X-Force Database: http://ift.tt/2asKHex
X-Force Database: http://ift.tt/2dR5fBu
X-Force Database: http://ift.tt/2dmYpRr
X-Force Database: http://ift.tt/2dmXLUk

The post IBM Security Bulletin: OpenSSL as used in IBM QRadar SIEM is vulnerable to various CVE’s appeared first on IBM PSIRT Blog.

from IBM Product Security Incident Response Team http://ift.tt/2luIvHT

IBM Security Bulletin: Pivotal Spring Framework as used in IBM QRadar SIEM is vulnerable to various CVE’s

OpenSource Pivotal Spring Framework as used in IBM QRadar is susceptible to several vulnerabilities.

CVE(s): CVE-2013-7315, CVE-2013-4152, CVE-2014-0054, CVE-2014-3578, CVE-2014-3625

Affected product(s) and affected version(s):

· IBM QRadar SIEM 7.2.n

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2lPu4QW
X-Force Database: http://ift.tt/2e1fwwv
X-Force Database: http://ift.tt/2eeIMvh
X-Force Database: http://ift.tt/2eeHjVR
X-Force Database: http://ift.tt/2liEuZk
X-Force Database: http://ift.tt/2m8cGVE

The post IBM Security Bulletin: Pivotal Spring Framework as used in IBM QRadar SIEM is vulnerable to various CVE’s appeared first on IBM PSIRT Blog.

from IBM Product Security Incident Response Team http://ift.tt/2lPBmV5

IBM Security Bulletin: Apache Solr as used in IBM QRadar SIEM and Incident Forensics is vulnerable to a denial of service (CVE-2014-0050)

Apache Solr is vulnerable to a denial of service attack.

CVE(s): CVE-2014-0050

Affected product(s) and affected version(s):

· IBM QRadar SIEM 7.2.n

· IBM QRadar Incident Forensics 7.2.n

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2lPAhww
X-Force Database: http://ift.tt/2kC357J

The post IBM Security Bulletin: Apache Solr as used in IBM QRadar SIEM and Incident Forensics is vulnerable to a denial of service (CVE-2014-0050) appeared first on IBM PSIRT Blog.

from IBM Product Security Incident Response Team http://ift.tt/2lPBofF

IBM Security Bulletin: IBM QRadar SIEM uses broken or risky cryptographic algorithms (CVE-2016-2879)

The software uses an outdated insecure cipher or it is using a proprietary crypto standard which is likely to be vulnerable. Outdated/broken algorithms are MD4, MD5, SHA1, DES, ECB, RC4, Export ciphers, SSLv2, SSLv3, DH using keys less than 1024

CVE(s): CVE-2016-2879

Affected product(s) and affected version(s):

IBM QRadar 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2lPE1Oo
X-Force Database: http://ift.tt/2lkhYvQ

The post IBM Security Bulletin: IBM QRadar SIEM uses broken or risky cryptographic algorithms (CVE-2016-2879) appeared first on IBM PSIRT Blog.

from IBM Product Security Incident Response Team http://ift.tt/2lPwiji

IBM Security Bulletin: IBM QRadar SIEM contains hard-coded credentials (CVE-2016-2880)

An IBM QRadar SIEM user with shell access could obtain the encryption key used to encrypt certain passwords.

CVE(s): CVE-2016-2880

Affected product(s) and affected version(s):

IBM QRadar SIEM 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2lPzhbO
X-Force Database: http://ift.tt/2lknJd1

The post IBM Security Bulletin: IBM QRadar SIEM contains hard-coded credentials (CVE-2016-2880) appeared first on IBM PSIRT Blog.

from IBM Product Security Incident Response Team http://ift.tt/2lPxO57

70+ Cyber Security Micro-Courses and Certifications To Boost Your IT Career

With the evolving hacking events around us, cyber-security skills are in high demand across all organizations and industries, because a shortage of skilled cyber security practitioners could leave an organization vulnerable to cyber attacks.

But knowledge alone is not sufficient, 'certification as eligibility' also matters, which shows employers that you are serious about your career and eligible as you have demonstrated your technical ability in some form.

I frequently receive emails and messages from my readers asking: Should I get certified?, Are certifications important to build up a career in IT?, What certifications can one get to start a career in information security? and more.

These are some of the most frequent queries I came across, and in this article, I will attempt to answer these along with a solution on how to get started.

Whether you are looking to launch your career in the IT industry, or perhaps get promoted at your current job — getting certified is a great way to market yourself.

Certifications play a major role in any industry, as almost every organization hires IT professionals with practical knowledge as well as professional certifications which provide a measurement of your skills and knowledge.

This is why it's important to earn certificates in your field.

Cyber Security Micro Courses and Certifications

Cybrary

, one of the most popular and highly rated free online IT and Cyber Security Training company, has recently launched around 80

Cyber Security Micro Courses and Certifications

in an effort to combat the global shortage of talent in the cyber security profession.

Created by the Cybrary Education Committee, all Micro Courses and Certifications are categorized into Beginner, Intermediate and Advanced levels, giving users thorough deep dive into the most critical skills in the field.

Usually one has to pay thousands of dollars for classes and then thousands for certification exams, but the good news is that all Cybrary's Micro Courses are free and Certification exams are conducted online at the cost of just $10 each — with one free retake per exam.

"The Cybrary community is working to make cybersecurity training available to anyone who wants it, anywhere. Training should not be exclusive to those who can afford to pay $5,000 per class. The same applies to certifications," said Ryan Corey, co-founder, Cybrary.

"Certifications are imperative to a cybersecurity career, and it’s important that we provide accessible and affordable education paths that will help reverse the growing need for skilled cybersecurity professionals."

Here's the list of some selected certification courses that grabbed my attention and are important in the IT field:

Cryptography
Network Devices
Software Development Security
Security Architecture Fundamentals
Mobile Device Security Fundamentals
Incident Response & Advanced Forensics
Security Assessment & Testing Certification
Malware Fundamentals Certification Course

Cybrary also provides free practice tests, so that users can test their capabilities and then finally apply for the actual certification exams.

So, go and grab the best

certification courses in cyber security

and network security that suit your requirements. The Hacker News readers can use code

FREESCT1

for your first free certification exam.

from The Hacker News http://ift.tt/2lSeN05

Critical Flaw in ESET Antivirus Exposes Mac Users to Remote Hacking

What could be more exciting for hackers than exploiting a vulnerability in a widely used software without having to struggle too much?

One such easy-to-exploit, but critical vulnerability has been discovered in ESET's antivirus software that could allow any unauthenticated attackers to remotely execute arbitrary code with root privileges on a Mac system.

The critical security flaw, tracked as CVE-2016-9892, in ESET Endpoint Antivirus 6 for macOS was discovered by Google Security Team's researchers Jason Geffner and Jan Bee at the beginning of November 2016.

As detailed in the

full disclosure

, all a hacker needs to get root-level remote code execution on a Mac computer is to intercept the ESET antivirus package's connection to its backend servers using a self-signed HTTPS certificate, put himself in as a man-in-the-middle (MITM) attacker, and exploit an XML library flaw.

The actual issue was related to a service named esets_daemon, which runs as root. The service is statically linked with an outdated version of the POCO XML parser library, version 1.4.6p1 released in March 2013.

This POCO version is based on a version of the Expat XML parser library version 2.0.1 from 2007, which is affected by a publicly known XML parsing vulnerability (

CVE-2016-0718

) that could allow an attacker to execute arbitrary code via malicious XML content.

Now, when esets_daemon sent a request to http://ift.tt/2lPavqi during activation of the ESET Endpoint Antivirus product, an MITM attacker can intercept the request to deliver a malformed XML document using a self-signed HTTPS certificate.

This event triggers the CVE-2016-0718 flaw that executes the malicious code with root privileges when esets_daemon parsed the XML content.

This attack was possible because the ESET antivirus did not validate the web server's certificate.

Here's what the duo explain:

"Vulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an outdated XML parsing library and do not perform proper server authentication, allowing for remote unauthenticated attackers to perform arbitrary code execution as root on vulnerable clients."

Now since the hacker controls the connection, they can send malicious content to the Mac computer in order to hijack the XML parser and execute code as root.

The Google researchers have also released the proof-of-concept (PoC) exploit code, which only shows how the ESET antivirus app can be used to cause a crash.

ESET addressed this vulnerability on February 21 by upgrading the POCO parsing library and by configuring its product to verify SSL certificates.

The patch is made available in the release of

version 6.4.168.0

of ESET Endpoint Antivirus for macOS. So, make sure your antivirus package is patched up to date.

from The Hacker News http://ift.tt/2m2Xj3w

Stuffed toys database left personal data exposed, says security expert

Singapore defense ministry suffers data breach affecting 850 users

Internet-Connected Teddy Bear Exposed Over 2 Million Voice Messages; Data Held for Ransom

Every parent should think twice before handing out Internet-connected toys or smart toys to their children, as these creepy toys pose a different sort of danger: privacy and data security risks for kids who play with them.

This same incident was happened over a year ago when Hong Kong toymaker

VTech was hacked

, which exposed personal details, including snaps of parents and children and chat logs, of about 6.4 million children around the world.

Now, in the latest security failing of the internet-connected smart toys, more than 2 Million voice recordings of children and their parents have been exposed, along with email addresses and passwords for over 820,000 user accounts.

And What's even Worse? The hackers locked this data and held it for Ransom.

California-based Spiral Toys' line of internet-connected stuffed animal toys,

CloudPets

, which allow children and relatives to send recorded voicemails back and forth, reportedly left the voice messages recorded between parents and children and other personal data to online hackers.

Cloudpets' Data was Held for Ransom

The customer data was left unprotected from 25 December 2016 to 8 January in a publicly available database that wasn't protected by any password or a firewall, according to a

blog post

published Monday by Troy Hunt, creator of the breach-notification website Have I Been Pwned?.

Hunt said that the exposed data was accessed multiple times by many third parties, including hackers who accessed and stole customer emails and hashed passwords from a CloudPets database.

In fact, in early January, when cyber criminals were actively scanning the Internet for exposed or

badly-configured MongoDB databases

to delete their data and ultimately

hold it for ransom

, CloudPets' database was overwritten twice.

Toy Maker was Notified of the Breach Multiple Times

The worst part comes in when any company is notified of some issue, but it doesn't give a shit to protect its customers. Spiral Toys did the same.

The toy maker was allegedly notified four times that its customer data was online and available for anyone to have their hands on — yet the data remained up for almost a week with evidence suggesting that the data was stolen on multiple occasions.

Interestingly, the CloudPets blog hasn't been updated since 2015, and there is not any public notice about the security concerns.

"It is impossible to believe that CloudPets (or mReady, [a Romanian company which Spiral Toys appears to have contracted with to store its database]) did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them," Hunt said.

"Obviously, they have changed the security profile of the system, and you simply could not have overlooked the fact that a ransom had been left. So both the exposed database and intrusion by those demanding the ransom must have been identified yet this story never made the headlines."

While voice recordings were not kept on the open MongoDB databases, Spiral Toys used an open Amazon-hosted service that required no authorization to store the recordings, user profile pictures, children's names, and their relations to parents, relatives, and friends.

This eventually means that anyone with malicious intent could listen to the recordings by only guessing the correct URL.

Affected? How to Check and What to Do?

This incident is perhaps something to be kept in mind the next time you are shopping for the latest internet-connected smart toy for your kid.

If you are a parent holding a CloudPets account, you are advised to check

Have I Been Pwned?

website, which compiles all the data from breaches and now includes users accounts stolen from Spiral Toys.

If you found your account affected, you should change your password immediately and consider disconnecting the toy from the internet.

You are also advised to change the passwords on any other online accounts for which you are using the same password as for CloudPets account.

from The Hacker News http://ift.tt/2m1BjWE

Monday, February 27, 2017

Shamoon: 限定于指定目标的多阶段毁灭性攻击

Government to continue Census name and address collection

Commonwealth Bank partners with Airtasker for identity verification

Tens of thousands of Chromebooks fail because of Symantec BlueCoat problem

Leaked documents reveal airport's catalog of security lapses

Cisco PSIRT – Mitigating and Detecting Potential Abuse of Cisco Smart Install Feature

Cisco Coverage for Smart Install Client Protocol Abuse

USN-3212-1: LibTIFF vulnerabilities

Ubuntu Security Notice USN-3212-1

27th February, 2017