Sunday, March 31, 2019

Zuckerberg uses online op-ed to call for internet regulation

Can AI defeat fake news?


Social networks crave attention, and they aren't particular about how they get it. Getting people outraged is one of the best ways they have to get - and keep - your focus. And fake news is the surest route to outrage - and profits.

Facts are the lifeblood of modern civilization. Managing humankind's population sprawl - soon to be 8 billion strong - means dealing with myriad problems that are complicated enough without having to overcome false impressions fostered by fake news embraced by the weak-minded.

In fact, during the 2016 campaign the audience for the top 20 fake news stories was larger than that of the top 20 real news stories. The problem is real and getting worse.

The sheer amount of content generated today makes human filtering impossible. The only hope is automating the detection and neutralizing of fake content.

But how? Two recent papers point to a couple of options.

In Hierarchical Propagation Networks for Fake News Detection, researchers looked at how fake news moves through our networks to see if it is distinguishable from how real news is distributed. Another paper looks at how blockchain could be used for fake news prevention.  

Propagation networks

The researchers, from Arizona State and Penn State, used the FakeNewsNet data repository and modeled the links between real and fake news, including tweets. They analyzed the resulting network graphs, and discovered that there are, indeed, significant differences between how real news and fake news spread through our social networks.

Metrics cover such macro structural issues as tree depth and number of nodes, as well as temporal issues such as the time difference between the first tweet and the last retweets. The micro level of user conversations includes metrics such as how long a conversation tree lasts, as well as the sentiment expressed in retweets.

They conclude:

. . . we can exploit the hierarchical structure of propagation networks to perform unsupervised fake news detection.

Blockchain

Researchers at Pakistan's Information Technology University took another tack in their paper, Using Blockchain to Rein in The New Post-Truth World and Check The Spread of Fake News. They propose a blockchain-based framework for fake news prevention.

Their proposed architecture has three blockchain-based components: a publisher management protocol (PMC); a smart contract for the news; and a news blockchain.

The PMC uses three smart contracts to enroll, update, and revoke the identities of news organizations. The smart news contract is used to publish news, and ensures that the content is as originally published, and includes publisher and verification data. Finally, the news blockchain guards against malicious alterations and includes a proof-of-truthfulness method that makes it easy to confirm validity.

The Storage Bits take

Lies are endemic in human interaction. Most are harmless, but when weaponized by digital media, they can have life-threatening consequences, such as the fake "Pizzagate" conspiracy story.

We know that hostile state actors are working to destabilize democratic nations with fake news, while limiting their own citizens' access to a free and open web. There are also malicious and/or opportunistic people who manufacture fake news for ideological or commercial reasons.

If our major social networks don't get a handle on the fake news crisis, they will lose their legitimacy and the forbearance of the governments and people that are targeted. Safe harbor provisions may protect them now, but those can be removed, opening them to massive legal liability that would threaten their existence.

Can AI defeat fake news? I hope so, since the alternative is the end of democratic societies.

Courteous comments welcome, of course.



from Latest Topic for ZDNet in... https://ift.tt/2TN7Eh4

Taiwan citing national security in Chinese streaming site block: Report

Australia to rush laws on jailing social media execs for violent crime streaming

Cybersecurity is broken: Here's how we start to fix it

Popup enlarges at the last second so users click on ads instead of 'Close' button

Saturday, March 30, 2019

Bithumb cryptocurrency exchange hacked a third time in two years

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition and IBM® Runtime Environment Java™ used by IBM i. IBM i has addressed the applicable CVEs.

CVE(s): CVE-2018-1890, CVE-2018-12549, CVE-2018-12547, CVE-2019-2422, CVE-2019-2449, CVE-2019-2426, CVE-2018-11212

Affected product(s) and affected version(s):

Releases 7.1, 7.2 and 7.3 of IBM i are affected.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10875554
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/152081
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/157513
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/157512
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/155741
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/155766
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/155744
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/143429

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2FJzIy0

IBM Security Bulletin: Vulnerability CVE-2019-1559 in OpenSSL affects IBM i

OpenSSL is used by IBM i. IBM i has addressed the applicable CVE.

CVE(s): CVE-2019-1559

Affected product(s) and affected version(s):
Releases 7.1, 7.2 and 7.3 of IBM i are affected.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10876638
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/157514

The post IBM Security Bulletin: Vulnerability CVE-2019-1559 in OpenSSL affects IBM i appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2FKvlTk

IBM Security Bulletin: IBM Event Streams is affected by Go vulnerabilities

IBM Event Streams has addressed the following vulnerabilities in the Go Runtimes shipped.

CVE(s): CVE-2019-6486, CVE-2018-16875

Affected product(s) and affected version(s):
IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www.ibm.com/support/docview.wss?uid=ibm10876552
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/156156
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/154318

The post IBM Security Bulletin: IBM Event Streams is affected by Go vulnerabilities appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2FLgCHP

IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM Watson Compare and Comply on IBM Cloud Private

There is a potential denial of service with the Google Guava library that is used in WebSphere Application Server Liberty which in turn is used by IBM Watson™ Compare and Comply on IBM Cloud Private.

CVE(s): CVE-2018-10237

Affected product(s) and affected version(s):
This vulnerability affects IBM Watson Compare and Comply V1.0.4 through V1.1.3.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10876202
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/142508

The post IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM Watson Compare and Comply on IBM Cloud Private appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2FGApHa

IBM Security Bulletin: IBM InfoSphere Information Server is affected by an Information Disclosure vulnerability

An Information Disclosure vulnerability was addressed by IBM InfoSphere Information Server.

CVE(s): CVE-2018-1917

Affected product(s) and affected version(s):

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 11.3, 11.5, and 11.7
IBM InfoSphere Information Server on Cloud: versions 11.5, and 11.7

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10872274
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/152784

The post IBM Security Bulletin: IBM InfoSphere Information Server is affected by an Information Disclosure vulnerability appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2OA51hR

IBM Security Bulletin: IBM InfoSphere Information Server is affected by an Improper Authentication vulnerability

An Improper Authentication vulnerability was addressed by IBM InfoSphere Information Server.

CVE(s): CVE-2018-1906

Affected product(s) and affected version(s):

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 11.3, 11.5, and 11.7
IBM InfoSphere Information Server on Cloud: versions 11.5, and 11.7

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10872320
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/152663

The post IBM Security Bulletin: IBM InfoSphere Information Server is affected by an Improper Authentication vulnerability appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2OA4ZGL

IBM Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Snapshot for VMware (CVE-2014-7810, CVE-2018-8039)

IBM WebSphere Application Server Liberty is affected by Apache Tomcat and CXF vulnerabilities that affect IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for VMware.

CVE(s): CVE-2014-7810, CVE-2018-8039

Affected product(s) and affected version(s):

The following levels of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for VMware are affected:

  • 4.1.0.0 through 4.1.6.6

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10869814
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/103155
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/145516

The post IBM Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Snapshot for VMware (CVE-2014-7810, CVE-2018-8039) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2U88xpu

IBM Security Bulletin: Multiple Security Vulnerabilities have been fixed in IBM Security Privileged Identity Manager Appliance.

Multiple security vulnerabilities have been identified and fixed in the IBM Security Privileged Identity Manager Appliance.

CVE(s): CVE-2018-1049, CVE-2017-3738, CVE-2017-3737, CVE-2017-3736, CVE-2017-6464, CVE-2017-6463, CVE-2017-6462, CVE-2018-3639, CVE-2017-11368, CVE-2017-7562, CVE-2017-1000407, CVE-2017-18017, CVE-2017-15116, CVE-2017-15670, CVE-2017-12132, CVE-2015-5180, CVE-2018-1000199, CVE-2018-8897, CVE-2018-1091, CVE-2018-1087, CVE-2018-1068, CVE-2017-16939, CVE-2018-1113, CVE-2018-0494, CVE-2017-1000050, CVE-2016-9396, CVE-2018-1061, CVE-2018-1060, CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2018-5730, CVE-2018-5729, CVE-2018-5391, CVE-2018-15688, CVE-2018-1618, CVE-2018-1640, CVE-2018-1680, CVE-2018-1622, CVE-2018-1623, CVE-2018-1626, CVE-2018-1625, CVE-2016-5725, CVE-2016-1182, CVE-2016-1181, CVE-2014-0114, CVE-2015-0899

Affected product(s) and affected version(s):
IBM Security Privileged Identity Manager 2.1.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10879093
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/138105
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/136078
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/136077
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134397
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/123610
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/123612
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/123611
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/143569
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/130207
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/143332
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/136235
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/137122
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/135735
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/133915
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/129949
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/130620
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/142654
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/142242
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/140892
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/142976
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/140403
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/135317
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/147843
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/142899
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/130253
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/123690
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/145115
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/145116
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148725
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148730
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148731
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/139970
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/139969
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148388
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/152041
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144343
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144580
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/145236
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144348
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144408
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144411
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144410
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/117122
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/113853
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/113852
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/92889
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/101770

The post IBM Security Bulletin: Multiple Security Vulnerabilities have been fixed in IBM Security Privileged Identity Manager Appliance. appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2FNGO4R

Bithumb Hacked (Once Again), Hacker Stole $19 Million in Cryptocurrencies


Hackers yesterday stole nearly $13 million worth of cryptocurrency from Bithumb, the popular South Korea-based cryptocurrency exchange admitted today.

According to Primitive Ventures' Dovey Wan, who first broke the information on social media, hackers managed to compromise a number of Bithumb's hot EOS and XRP wallets and transferred around 3 million EOS and 20,000,000 XRP to his newly-created accounts.

The hacker then spread the stolen digital assets across his different accounts created on other cryptocurrency exchanges, including Huobi, HitBTC, WB, and EXmo, via ChangeNow, a non-custodial crypto swap platform that does not require KYC/account.

Bithumb has been hacked for the second time. Last time the popular Bitcoin and Ether cryptocurrencies exchange was hacked in 2017 when hackers compromised a number of wallets belonging to its users and stole their funds.

"And this is the second time Bithumb saw a MAJOR hack, last time it was hacked with a loss over $30m.. lol and after the first hack it was STILL able to get the fiat license from Korea and WTF??" Wan says on Twitter.

It has been reported that the private key for the EOS hot wallet account belonging to Bithumb was stolen (address g4ydomrxhege), which allowed the hacker to transfer the funds to his address, "ifguz3chmamg."

An image shared by Changpeng Zhao, CEO of Binance cryptocurrency exchange, explains how the hacker distributed the funds after stealing them from Bithumb.

Here's how the hacker distributed and transferred the stolen funds to his accounts on different exchanges:

  • EXMO: 662,600
  • Huobi: 263,605
  • Changelly: 143,511
  • KuCoin: 96,270
  • CoinSwitch: 38,725

According to a blog post published by the company today, Bithumb is still investigating the hack, which it believes was performed with the help of an insider, and has reported the breach incident to security firm Korea Internet and Security Agency (KISA).

"We deeply apologize to our members for delaying the cryptocurrency deposit and withdrawal service," Bithumb said.

"As a result of the inspection, it is judged that the incident is an accident involving insiders because the external intrusion path has not been revealed until now. Based on the facts, we are conducting intensive investigations with KISA, Cyber Police Agency and security companies."

Meanwhile, Bithumb said the company is working with major cryptocurrency exchanges and foundations in the hope of recovering the loss of the cryptocurrency equivalent.



from The Hacker News https://ift.tt/2OwYlB1

Unpatched Zero-Days in Microsoft Edge and IE Browsers Disclosed Publicly


A security researcher today publicly disclosed details and proof-of-concept exploits for two 'unpatched' zero-day vulnerabilities in Microsoft's web browsers after the company allegedly failed to respond to his responsible private disclosure.

Both unpatched vulnerabilities (one affects the latest version of Microsoft Internet Explorer and the other affects the latest Edge Browser) allow a remote attacker to bypass same-origin policy on a victim's web browser.

Same Origin Policy (SOP) is a security feature implemented in modern browsers that restricts a web page or a script loaded from one origin from interacting with a resource from another origin, preventing unrelated sites from interfering with each other.

In other words, if you visit a website on your web browser, it can only request data from the same origin [domain] the site was loaded from, preventing it from making any unauthorized request on your behalf in order to steal your data from other sites.

However, the vulnerabilities discovered by security researcher James Lee, who shared the details with The Hacker News, could allow a malicious website to perform universal cross-site scripting (UXSS) attacks against any domain visited using the vulnerable Microsoft web browsers.

To successfully exploit these vulnerabilities, all attackers need to do is convince a victim to open the malicious website [created by hacker], eventually allowing them to steal the victim's sensitive data, like login session and cookies, from other sites visited on the same browser.

"The issue is within Resource Timing Entries in Microsoft Browsers which inappropriately leak Cross-Origin URLs after redirection," Lee told The Hacker News in an email.

The researcher contacted Microsoft and responsibly shared his finding with the company ten months ago, that's almost a year, but the tech giant ignored the issues and has not responded to the disclosure to date, leaving both flaws unpatched.

Lee has now released proof-of-concept (PoC) exploits for both issues.

The Hacker News has independently tested and confirmed both the zero-day vulnerabilities against the latest version of Internet Explorer and Edge running on a fully-patched Windows 10 operating system.

The newly-disclosed vulnerabilities are similar to the ones Microsoft patched last year in its Internet Explorer (CVE-2018-8351) and Edge browsers (CVE-2018-8545).

Since the details and PoC for both the zero-days have already been made publicly available, hackers won't take much time to exploit the flaws in an attempt to target Microsoft users.

What's disappointing is that there is currently not much that users can do to avoid this problem until Microsoft patches the security issues. You can use other web browsers that are not affected by this vulnerability, such as Chrome or Firefox.



from The Hacker News https://ift.tt/2FB15Jl

Friday, March 29, 2019

Google’s DeepMind asks what it means for AI to fail

Card breach reported at Buca di Beppo, Planet Hollywood, and other restaurants

Threat Roundup for March 22 to March 29


Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Mar. 22 and Mar. 29. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More at Talosintelligence.com


Reference
TRU0329 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.


from Cisco Blog » Security https://ift.tt/2WApKVv

VMware Releases Security Updates

Original release date: March 29, 2019

VMware has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the VMware Security Advisories VMSA-2019-0004 and VMSA-2019-0005 and apply the necessary updates.




from US-CERT National Cyber Alert System https://ift.tt/2OAbGIH

Researchers publish list of MAC addresses targeted in ASUS hack

USN-3926-1: GPAC vulnerabilities

gpac vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

GPAC could be made to crash or run programs as your login if it opened a specially crafted file.

Software Description

  • gpac - GPAC Project on Advanced Content

Details

It was discovered that the GPAC MP4Box utility incorrectly handled certain memory operations. If a user or automated system were tricked into opening a specially crafted MP4 file, a remote attacker could use this issue to cause MP4Box to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

  • gpac - 0.5.2-426-gc5ad4e4+dfsg5-4ubuntu0.1
  • gpac-modules-base - 0.5.2-426-gc5ad4e4+dfsg5-4ubuntu0.1
  • libgpac4 - 0.5.2-426-gc5ad4e4+dfsg5-4ubuntu0.1

Ubuntu 18.04 LTS

  • gpac - 0.5.2-426-gc5ad4e4+dfsg5-3ubuntu0.1
  • gpac-modules-base - 0.5.2-426-gc5ad4e4+dfsg5-3ubuntu0.1
  • libgpac4 - 0.5.2-426-gc5ad4e4+dfsg5-3ubuntu0.1

Ubuntu 16.04 LTS

  • gpac - 0.5.2-426-gc5ad4e4+dfsg5-1ubuntu0.1
  • gpac-modules-base - 0.5.2-426-gc5ad4e4+dfsg5-1ubuntu0.1
  • libgpac4 - 0.5.2-426-gc5ad4e4+dfsg5-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.


from Ubuntu Security Notices https://ift.tt/2WzbQCV

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access

Mar 29, 2019 10:02 am EDT

Categorized: High Severity

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 7 and 8, which are used by IBM Rational DOORS Web Access. IBM Rational DOORS Web Access has addressed the applicable CVEs. These issues were disclosed as part of the IBM Java SDK updates in January 2019.

CVE(s): CVE-2018-12547

Affected product(s) and affected version(s):

IBM Rational DOORS Web Access: 9.5.1 – 9.5.1.10
IBM Rational DOORS Web Access: 9.5.2 – 9.5.2.9
IBM Rational DOORS Web Access: 9.6.0 – 9.6.0.8
IBM Rational DOORS Web Access: 9.6.1 – 9.6.1.11

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www.ibm.com/support/docview.wss?uid=ibm10878753
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/157512



from IBM Product Security Incident Response Team https://ift.tt/2V4sius

IBM Security Bulletin: IBM Event Streams is affected by cURL vulnerabilities

IBM Event Streams has addressed the following vulnerabilities in the shipped cURL libraries.

CVE(s): CVE-2018-16890, CVE-2019-3822, CVE-2019-3823

Affected product(s) and affected version(s):
IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10876554
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/156649
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/156651
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/156650

The post IBM Security Bulletin: IBM Event Streams is affected by cURL vulnerabilities appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2V76Bdm

IBM Security Bulletin: IBM Event Streams is affected by vulnerabilities in the shipped Node runtime

IBM Event Streams has addressed the following vulnerabilities

CVE(s): CVE-2018-1000873, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362

Affected product(s) and affected version(s):
IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://ift.tt/2V66w9Y
Database: https://ift.tt/2V66yi6
Database: https://ift.tt/2V66zTc
Database: https://ift.tt/2V4s8Dm
Database: https://ift.tt/2V4saes



from IBM Product Security Incident Response Team https://ift.tt/2V4saLu

IBM Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerabilities

IBM Event Streams has addressed the following vulnerabilities

CVE(s): CVE-2018-1000873, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362

Affected product(s) and affected version(s):
IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10876544
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/154804
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/155091
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/155092
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/155093

The post IBM Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerabilities appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2V4s0DS

IBM Security Bulletin: Rational Build Forge Security Advisory for Apache HTTP Server (CVE-2019-0190; CVE-2018-17189; CVE-2018-17199)

Apache HTTP Server has security vulnerabilities that allow a remote attacker to exploit the application. Respective security vulnerabilities are discussed in detail in the subsequent sections.

CVE(s): CVE-2018-17189, CVE-2019-0190, CVE-2018-17189, CVE-2018-17199

Affected product(s) and affected version(s):

IBM Rational Build Forge from 8.0.0.10.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10869488
X-Force Database:
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/156005
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/156007
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/156006

The post IBM Security Bulletin: Rational Build Forge Security Advisory for Apache HTTP Server (CVE-2019-0190; CVE-2018-17189; CVE-2018-17199) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2V3ZQcl

IBM Security Bulletin: IBM Event Streams is affected by Alpine vulnerability CVE-2018-1000849

Mar 29, 2019 10:02 am EDT | High Severity

IBM Event Streams has addressed the following vulnerabilities in the shipped cURL libraries.

CVE(s): CVE-2018-16890, CVE-2019-3822, CVE-2019-3823

Affected product(s) and affected version(s):
IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://ift.tt/2V3eS1T
Database: https://ift.tt/2UYVR0B
Database: https://ift.tt/2V5vlCC
Database: https://ift.tt/2V2kppy



from IBM Product Security Incident Response Team https://ift.tt/2V546bt

IBM Security Bulletin: IBM Event Streams is affected by Node.js vulnerabilities

IBM Event Streams is affected by the following vulnerabilities in the included Node.js runtime shipped.

CVE(s): CVE-2018-12122, CVE-2018-12121, CVE-2018-12123, CVE-2018-12116

Affected product(s) and affected version(s):
IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10795830
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/153456
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/153455
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/153457
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/153452

The post IBM Security Bulletin: IBM Event Streams is affected by Node.js vulnerabilities appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2V58bMK

IBM Security Bulletin: Security vulnerabilities identified in OpenSSL affect Rational Build Forge (CVE-2018-0734, CVE-2018-5407 and CVE-2019-1559)

OpenSSL has security vulnerabilities that allow a remote attacker to exploit the application. Respective security vulnerabilities are discussed in detail in the subsequent sections.

CVE(s): CVE-2018-0734, CVE-2018-5407, CVE-2019-1559

Affected product(s) and affected version(s):

IBM Rational Build Forge from 8.0.0.10.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10795408
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/152085
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/152484
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/157514

The post IBM Security Bulletin: Security vulnerabilities identified in OpenSSL affect Rational Build Forge (CVE-2018-0734, CVE-2018-5407 and CVE-2019-1559) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2V9HUx7

IBM Security Bulletin: IBM Event Streams is affected by OpenSSL vulnerabilities

IBM Event Streams has addressed the following vulnerabilities in the OpenSSL versions shipped.

CVE(s): CVE-2018-0734, CVE-2018-0735, CVE-2018-5407

Affected product(s) and affected version(s):
IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10876540
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/152085
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/152086
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/152484

The post IBM Security Bulletin: IBM Event Streams is affected by OpenSSL vulnerabilities appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2V5nWDl

IBM Security Bulletin: IBM Event Streams is affected by gettext vulnerability CVE-2018-18751

Mar 29, 2019 10:01 am EDT

Categorized: Low Severity


IBM Event Streams has addressed the following vulnerability.

CVE(s): CVE-2018-18751

Affected product(s) and affected version(s):
IBM Event Streams 2018.3.0
IBM Event Streams 2018.3.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10876556
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/152105



from IBM Product Security Incident Response Team https://ift.tt/2V48is2

Google security engineer discloses zero-day flaw in TP-Link smart home routers

Toyota announces second security breach in the last five weeks

Commando VM — New Windows-based Distribution for Hackers and Pentesters


FireEye today released Commando VM, a first-of-its-kind Windows-based security distribution for penetration testing and red teaming.

When it comes to the best operating systems for hackers, Kali Linux is always the first choice for penetration testers and ethical hackers.

However, Kali is a Linux-based distribution, and using Linux without first learning some basics is not everyone's cup of tea, unlike Windows or macOS.

If you are wondering why there is no popular Windows-based operating system for hackers, there are two reasons: first, Windows is not open source, and second, manually installing penetration testing tools on Windows is pretty problematic for most users.

To help researchers and cyber security enthusiasts, cybersecurity firm FireEye today released a virtual machine (VM) based installer for Commando VM, a customized Windows-based distribution that comes pre-installed with useful penetration testing tools, just like Kali Linux.

"Penetration testers commonly use their own variants of Windows machines when assessing Active Directory environments," FireEye says. "Commando VM was designed specifically to be the go-to platform for performing these internal penetration tests."

Release 1.0 includes two different VM images, one based on Windows 7 and another on Windows 10.

Both Commando VMs include more than 140 tools, including Nmap, Wireshark, Remote Server Administration Tools, Mimikatz, Burp Suite, x64dbg, Metasploit, PowerSploit, Hashcat, and OWASP ZAP, pre-configured for a smooth working environment.

According to one of the authors of Commando VM, the following are the top three features of the tool that make it more interesting:

  • Native Windows protocol support (SMB, PowerShell, RSAT, Sysinternals, etc.)
  • Organized toolsets (Tools folder on the desktop with Info Gathering, Exploitation, Password Attacks, etc.)
  • Windows-based C2 frameworks like Covenant (dotnet) and PoshC2 (PowerShell)

"With such versatility, Commando VM aims to be the de facto Windows machine for every penetration tester and red teamer," FireEye says.

"The versatile tool sets included in Commando VM provide blue teams with the tools necessary to audit their networks and improve their detection capabilities. With a library of offensive tools, it makes it easy for blue teams to keep up with offensive tooling and attack trends."

According to FireEye, Commando VM also uses Boxstarter, Chocolatey, and MyGet packages to install all software packages. Running a single command will automatically update all your installed hacking software on Commando VM.

To use this on your Windows computer, you need at least 60 GB of free hard drive space, 2 GB of RAM, and virtual machine software such as VMware or Oracle VirtualBox installed on your system.

Installing Commando VM is pretty easy. Just download the Commando VM image, decompress it and then execute the PowerShell script available in the package to complete the installation.

"The rest of the installation process is fully automated. Depending upon your Internet speed the entire installation may take between 2 to 3 hours to finish," FireEye says.

"The VM will reboot multiple times due to the numerous software installation requirements. Once the installation completes, the PowerShell prompt remains open waiting for you to hit any key before exiting."

After the completion of the installation process, you'll be presented with Commando VM, and all you need to do is reboot your machine to ensure the final configuration changes take effect.

In recent years, we have been asked by a number of our readers to list some of the best Windows-based operating systems for penetration testing. Commando VM is the first, and now I believe we will have more to this list really soon.



from The Hacker News https://ift.tt/2FLFjE7

FireEye debuts Windows Commando VM as Linux Kali rival

VPN providers pull Russian servers as Putin's ban threatens to bite

Hundreds of compromised Wordpress and Joomla websites are serving up malware to visitors

Here's the List of ~600 MAC Addresses Targeted in Recent ASUS Hack


EXCLUSIVE: While revealing details of a massive supply chain cyber attack against ASUS customers, Russian security firm Kaspersky last week didn't release the full list of all MAC addresses that hackers hardcoded into their malware to surgically target a specific pool of users.

Instead, Kaspersky released a dedicated offline tool and launched an online web page where ASUS PC users can search for their MAC addresses to check whether they were in the hit list.

However, many believe it is not a convenient way for large enterprises with hundreds of thousands of systems to know if they were targeted or not.

List of MAC Addresses Targeted in ASUS Supply Chain Attack

To solve this and help other cybersecurity experts continue their hunt for related hacking campaigns, Australian security firm Skylight's CTO Shahar Zini contacted The Hacker News and provided the full list of nearly 583 MAC addresses targeted in the ASUS breach.

"If information regarding targets exists, it should be made publicly available to the security community so we can better protect ourselves," Skylight said in a post.

"So, we thought it would be a good idea to extract the list and make it public so that every security practitioner would be able to bulk compare them to known machines in their domain."

Skylight researchers retrieved the list of targeted MAC addresses with the help of the offline tool Kaspersky released, which contains the full list of 619 MAC addresses within the executable, but protected using a salted hash algorithm.

They used a powerful Amazon server and a modified version of the HashCat password cracking tool to brute force nearly 583 MAC addresses in less than an hour.
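To bulk compare a published target list against the machines in your own inventory, as Skylight describes, the following is an added Python example (not from the article, Skylight, or Kaspersky). The CSV layout, the function names, and every MAC address in it are constructed placeholders.

```python
import csv
import io
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC.

    Accepts the formats inventories commonly mix: 00:1A:2B:3C:4D:5E,
    00-1a-2b-3c-4d-5e, 001a.2b3c.4d5e, 001A2B3C4D5E and 0:1a:2b:3c:4d:5e.
    """
    text = raw.strip().lower()
    parts = re.split(r"[:\-]", text)
    if len(parts) == 6 and all(1 <= len(p) <= 2 for p in parts):
        # Some tools drop leading zeros in an octet; pad each one back.
        text = "".join(p.zfill(2) for p in parts)
    else:
        text = text.replace(".", "")
    return text if _HEX12.fullmatch(text) else None


def load_targets(text):
    """Parse a target list, one MAC per line; '#' starts a comment."""
    targets, rejected = set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        mac = normalize_mac(entry)
        if mac:
            targets.add(mac)
        else:
            rejected.append(entry)
    return targets, rejected


def match_inventory(inventory_csv, targets):
    """Return (hits, unparsed) for a CSV with 'hostname' and 'macs' columns.

    'macs' holds every interface address of a host, separated by ';'.
    Entries that cannot be parsed are reported instead of skipped, because
    a silently dropped address is a potential false negative.
    """
    hits, unparsed = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        for raw in row["macs"].split(";"):
            if not raw.strip():
                continue
            mac = normalize_mac(raw)
            if mac is None:
                unparsed.append((row["hostname"], raw.strip()))
            elif mac in targets:
                hits.append((row["hostname"], mac))
    return hits, unparsed


# Constructed sample data: locally administered addresses, not real targets.
SAMPLE_TARGETS = """\
# published target list (placeholder values)
02:00:00:AA:BB:01
0200.00aa.bb02
02-00-00-aa-bb-03
"""

SAMPLE_INVENTORY = """\
hostname,macs
lt-finance-07,02-00-00-AA-BB-02;02:00:00:11:22:33
lt-dev-12,020000AABB99
srv-build-01,2:0:0:aa:bb:1;02:00:00:44:55:66
kiosk-03,not-recorded
"""

if __name__ == "__main__":
    targets, rejected = load_targets(SAMPLE_TARGETS)
    hits, unparsed = match_inventory(SAMPLE_INVENTORY, targets)
    for host, mac in hits:
        print(f"MATCH    {host} {mac}")
    for host, raw in unparsed:
        print(f"UNPARSED {host} {raw!r}")
    for entry in rejected:
        print(f"BAD TARGET ENTRY {entry!r}")
```

A host that does not match is only absent from the target list; it says nothing about whether that host received the malicious update.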

ASUS Hack: Operation ShadowHammer

It was revealed last week that a group of state-sponsored hackers managed to hijack the ASUS Live automatic software update server last year and push malicious updates to over one million Windows computers worldwide in order to infect them with backdoors.

As we reported last week, Kaspersky discovered the attack, which it dubbed Operation ShadowHammer, after 57,000 of its users were infected with the backdoored version of ASUS LIVE Update software.

The security company then informed ASUS about the ongoing supply chain attack campaign on Jan 31, 2019.

After analyzing more than 200 samples of the malicious updates, researchers learned that the hackers, who are not yet attributed to any APT group, only wanted to target a specific list of users identified by their unique MAC addresses, which were hardcoded into the malware.

Though the second stage malware was only pushed to nearly 600 targeted users, it doesn't mean that millions of ASUS computers which received the malicious software update are not compromised.

How to Check if Your ASUS Laptop Has Been Hacked?

After admitting that an unknown group of hackers hacked its servers between June and November 2018, ASUS this week released a new clean version of its LIVE Update application (version 3.6.8) and also promised to add "multiple security verification mechanisms" to reduce the chances of further attacks.

However, you should know that just installing the clean version of the software update over the malicious package would not remove the malware code from the infected systems.

So, to help its customers learn whether they were victims of the attack, ASUS also released a diagnostic tool that you can use to check whether your ASUS system was affected by the malicious update.

If you find your computer's MAC address in the list, it means your computer has been backdoored by the malicious update, and ASUS recommends you perform a factory reset to wipe the entire system.

The identity of hackers and their intentions are still unknown. The Hacker News will update you with any new developments.



from The Hacker News https://ift.tt/2V4IDPQ

Data breach exposes diagnosis data of 34,000 medical marijuana patients

Critical Magento SQL Injection Vulnerability Discovered – Patch Your Sites


If your online e-commerce business is running over the Magento platform, you must pay attention to this information.

Magento yesterday released new versions of its content management software to address a total of 37 newly-discovered security vulnerabilities.

Owned by Adobe since mid-2018, Magento is one of the most popular content management system (CMS) platforms, powering 28% of websites across the Internet, with more than 250,000 merchants using the open source e-commerce platform.

Though most of the reported issues could only be exploited by authenticated users, one of the most severe flaws in Magento is an SQL Injection vulnerability which can be exploited by unauthenticated, remote attackers.

The flaw, which does not have a CVE ID but is internally labeled "PRODSECBUG-2198," could allow remote hackers to steal sensitive information from the databases of vulnerable e-commerce websites, including admin sessions or password hashes that could grant hackers access to the admin's dashboard.

Affected Magento versions include:
  • Magento Open Source prior to 1.9.4.1
  • Magento Commerce prior to 1.14.4.1
  • Magento Commerce 2.1 prior to 2.1.17
  • Magento Commerce 2.2 prior to 2.2.8
  • Magento Commerce 2.3 prior to 2.3.1

Since Magento sites not only store users' information but also contain order history and financial information of their customers, the flaw could lead to catastrophic online attacks.

Given the sensitive nature of the data Magento e-commerce websites handle on a daily basis as well as the risk the SQL vulnerability represents, Magento developers have decided not to release technical details of the flaw.

Besides the SQLi vulnerability, Magento has also patched cross-site request forgery (CSRF), cross-site scripting (XSS), remote code execution (RCE) and other flaws, but exploitation of the majority of those flaws requires attackers to be authenticated on the site with some level of privileges.

Online store owners are urged to upgrade their e-commerce websites to the recently patched versions as soon as possible, before hackers start exploiting the flaw to compromise their websites and steal the payment card details of their customers.



from The Hacker News https://ift.tt/2JNaD9v

Ex-NSA Contractor Pleads Guilty to 20-Year-Long Theft of Classified Data


A former National Security Agency contractor—who stole an enormous amount of sensitive information from the agency and then stored it at his home and car for over two decades—today changed his plea to guilty.

The theft was labeled as the largest heist of classified government material in America's history.

Harold Thomas Martin III, a 54-year-old Navy veteran from Glen Burnie, abused his top-secret security clearances to steal at least 50 terabytes of classified national defense data from government computers over two decades while working for a number of NSA departments between 1996 and 2016.

In August 2016, the FBI arrested Martin at his Maryland home and found "six full bankers' boxes" worth of documents, many of which were marked "Secret" and "Top Secret," in his home and car.

At the time of his arrest in August 2016, Martin also worked for Booz Allen Hamilton Holding Corp, the same company that previously employed Edward Snowden, who also stole and leaked classified NSA documents to the public in 2013.

Martin Pleads Guilty to Just 1 Count, Other 19 Charges Dropped

Martin was initially charged with 20 counts of violating the Espionage Act, but he pleaded not guilty at that time and was due to go to trial in June this year.

After the prosecutors announced earlier this week that Martin would be arraigned again, he admitted the wrongdoing in a federal district court on Thursday and pleaded guilty to a single charge of willful retention of defense information as part of a plea deal.

In return, federal prosecutors dropped the remaining 19 charges against Martin and recommended a 9-year prison sentence and three years of supervised release.

The Department of Justice also proposed that after serving his sentence, Martin should be forbidden from contacting any foreign person, probably because he was also accused of leaking classified data to Russia, China, Iran, North Korea, and other United States adversaries.

Martin's arrest came just days after a mysterious hacking group, calling itself Shadow Brokers, began posting the NSA's top secret hacking tools and other materials on the Internet.

In separate news earlier this year, it was also reported that a Twitter account associated with Martin contacted Kaspersky Lab researchers just 30 minutes before the Shadow Brokers began leaking the NSA classified documents.

The timing of the Twitter messages, the Shadow Brokers leaks, Martin's access to the NSA's elite hacking unit, and other clues immediately triggered a red flag at Kaspersky, who then reported the communication to the NSA.

However, federal agents did not find any direct connection between Martin and the Shadow Brokers.

If the court accepts this week's plea agreement, Martin will be sentenced to nine years in federal prison. His sentencing is scheduled for July 17.

Martin's case was one of the multiple classified data breaches the U.S. intelligence agency faced in recent years.

In December 2017, Nghia Hoang Pho, a 67-year-old former NSA employee, was sentenced to 5.5 years in prison for illegally taking home classified documents, which were later stolen by Russian hackers from his home PC that was running Kaspersky antivirus.

In the case of Pho, the American government accused Kaspersky Lab of colluding with the Russian intelligence agency to obtain and expose the classified NSA data from the NSA employee's computer, though the antivirus firm vigorously and repeatedly denied the accusations.

Another ex-NSA employee, Reality Winner, 26, who held a top-secret security clearance, was also sentenced to five years and three months in prison last year for leaking a classified report on Russian hacking of the 2016 U.S. presidential election to an online news outlet.



from The Hacker News https://ift.tt/2HXVhMY

Thursday, March 28, 2019

Rules drafted on how to access data under Consumer Data Right

Researchers discover and abuse new undocumented feature in Intel chipsets

Committee pushes 'cyber taskforce' for security of Australia's election system

USN-3927-1: Thunderbird vulnerabilities

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software Description

  • thunderbird - Mozilla Open Source mail and newsgroup client

Details

It was discovered that Thunderbird allowed PAC files to specify that requests to localhost are sent through the proxy to another server. If proxy auto-detection is enabled, an attacker could potentially exploit this to conduct attacks on local services and tools. (CVE-2018-18506)

Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, or execute arbitrary code. (CVE-2019-9788, CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9795, CVE-2019-9796, CVE-2019-9810, CVE-2019-9813)

A mechanism was discovered that removes some bounds checking for string, array, or typed array accesses if Spectre mitigations have been disabled. If a user were tricked into opening a specially crafted website in a browsing context with Spectre mitigations disabled, an attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2019-9793)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
thunderbird - 1:60.6.1+build2-0ubuntu0.18.10.1
Ubuntu 18.04 LTS
thunderbird - 1:60.6.1+build2-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
thunderbird - 1:60.6.1+build2-0ubuntu0.16.04.1
Ubuntu 14.04 LTS
thunderbird - 1:60.6.1+build2-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make all the necessary changes.




from Ubuntu Security Notices https://ift.tt/2uwx2gL

USN-3918-3: Firefox regression

firefox regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

USN-3918-1 caused a regression in Firefox.

Software Description

  • firefox - Mozilla Open Source web browser

Details

USN-3918-1 fixed vulnerabilities in Firefox. The update caused web compatibility issues with some websites. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, denial of service via successive FTP authorization prompts or modal alerts, trick the user with confusing permission request prompts, obtain sensitive information, conduct social engineering attacks, or execute arbitrary code. (CVE-2019-9788, CVE-2019-9789, CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9795, CVE-2019-9796, CVE-2019-9797, CVE-2019-9799, CVE-2019-9802, CVE-2019-9805, CVE-2019-9806, CVE-2019-9807, CVE-2019-9808, CVE-2019-9809)

A mechanism was discovered that removes some bounds checking for string, array, or typed array accesses if Spectre mitigations have been disabled. If a user were tricked into opening a specially crafted website with Spectre mitigations disabled, an attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2019-9793)

It was discovered that Upgrade-Insecure-Requests was incorrectly enforced for same-origin navigation. An attacker could potentially exploit this to conduct man-in-the-middle (MITM) attacks. (CVE-2019-9803)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
firefox - 66.0.2+build1-0ubuntu0.18.10.1
Ubuntu 18.04 LTS
firefox - 66.0.2+build1-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
firefox - 66.0.2+build1-0ubuntu0.16.04.1
Ubuntu 14.04 LTS
firefox - 66.0.2+build1-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make all the necessary changes.




from Ubuntu Security Notices https://ift.tt/2FAIs8q

Thoughts on OSSEC Con 2019

Last week I attended my first OSSEC conference. I first blogged about OSSEC in 2007, and wrote other posts about it in the following years.

OSSEC is a host-based intrusion detection and log analysis system with correlation and active response features. It is cross-platform, such that I can run it on my Windows and Linux systems. The moving force behind the conference was a company local to me called Atomicorp.

In brief, I really enjoyed this one-day event. (I had planned to attend the workshop on the second day but my schedule did not cooperate.) The talks were almost uniformly excellent and informative. I even had a chance to talk jiu-jitsu with OSSEC creator Daniel Cid, who despite hurting his leg managed to travel across the country to deliver the keynote.

I'd like to share a few highlights from my notes.

First, I had been worried that OSSEC was in some ways dead. I saw that the Security Onion project had replaced OSSEC with a fork called Wazuh, which I learned is apparently pronounced "wazoo." To my delight, I learned OSSEC is decidedly not dead, and that Wazuh has been suffering stability problems. OSSEC has a lot of interesting development ahead of it, which you can track on their Github repo.

For example, the development roadmap includes eliminating Logstash from the pipeline used by many OSSEC users. OSSEC would feed directly into Elasticsearch. One speaker noted that Logstash has a 1.7 GB memory footprint, which astounded me.

On a related note, the OSSEC team is planning to create a new Web console, with a design goal to have it run in an "AWS t2.micro" instance. The team noted that instance offers 2 GB memory, which doesn't match what AWS says. Perhaps they meant t2.micro and 1 GB memory, or t2.small with 2 GB memory. I think they mean t2.micro with 1 GB RAM, as that is the free tier. Either way, I'm excited to see this later in 2019.

Second, I thought the presentation by security personnel from USA Today offered an interesting insight. One design goal they had for monitoring their Google Cloud Platform (GCP) was to not install OSSEC on every container or on Kubernetes worker nodes. Several times during the conference, speakers noted that the transient nature of cloud infrastructure is directly antithetical to standard OSSEC usage, whereby OSSEC is installed on servers with long uptime and years of service. Instead, USA Today used OSSEC to monitor HTTP logs from the GCP load balancer, logs from Google Kubernetes Engine, and monitored processes by watching output from successive kubectl invocations.

Third, a speaker from Red Hat brought my attention to an aspect of containers that I had not considered. Docker and containers had made software testing and deployment a lot easier for everyone. However, those who provide containers have effectively become Linux distribution maintainers. In other words, who is responsible when a security or configuration vulnerability in a Linux component is discovered? Will the container maintainers be responsive?

Another speaker emphasized the difference between "security of the cloud," offered by cloud providers, and "security in the cloud," which is supposed to be the customer's responsibility. This makes sense from a technical point of view, but I expect that in the long term this differentiation will no longer be tenable from a business or legal point of view.

Customers are not going to have the skills or interest to secure their software in the cloud, as they outsource ever more technical talent to the cloud providers and their infrastructure. I expect cloud providers to continue to develop, acquire, and offer more security services, and accelerate their competition on a "complete security environment."

I look forward to more OSSEC development and future conferences.
Copyright 2003-2018 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and https://ift.tt/1fDn3pG)


from TaoSecurity https://ift.tt/2Ovd6Ek

The Tao of Zero Trust

USN-3925-1: FreeImage vulnerability

freeimage vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

FreeImage could be made to crash or run programs as your login if it opened a specially crafted file.

Software Description

  • freeimage - Support library for graphics image formats (development files)

Details

It was discovered that an out-of-bounds write vulnerability existed in the XMP image handling functionality of the FreeImage library. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could overwrite arbitrary memory, resulting in code execution.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
libfreeimage3 - 3.17.0+ds1-2ubuntu0.1
libfreeimageplus3 - 3.17.0+ds1-2ubuntu0.1
Ubuntu 14.04 LTS
libfreeimage3 - 3.15.4-3ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.




from Ubuntu Security Notices https://ift.tt/2JQrxUO

Report deems Russia a pioneer in GPS spoofing attacks

Advanced Breach Protection Demystified – Untold Truths On Security Beyond AV


Doing business in today's connected world means dealing with a continually evolving threat landscape.

With potential losses due to downtime following a breach, plus valuable client and proprietary information at risk, most organizations realize they cannot afford to be complacent.

This puts extra onus on security IT teams, who are continuously left scrambling, looking for the best way to protect their organizations against the threats that bypass AV and firewall.

Added to this is another challenge in that most organizations are limited in the resources they can invest in security. Many are left reliant on a single product on top of their security stack.

Common practice in organizational security circles as they attempt to remain secure is to upgrade endpoint protection with EPP\EDR or a Network Analytic tool.

But as we all know, what’s common is not necessarily what's best.

How can an organization ensure it remains secure, especially with all that is at stake?

Join Cynet for a webinar on Wednesday, April 10 at 1:00 PM EST, when Yiftach Keshet, Cynet's Director of Product Management, will present, "Advanced Breach Protection Demystified – Untold Truths on Security Beyond AV."

In the webinar, Cynet will take a look at the inherent security gaps no one talks about in EDR\EPP and Network Analytics.

This includes an in-depth examination of attack vectors that make EPP\EDR go blind; threats that network analytics can prevent; why user behavior monitoring is integral to an organizational security solution, and finally, how you can secure all main attack surfaces.

Wondering what you need beyond AV and firewall to truly protect your organization? This webinar will examine that and more.

Register for the webinar here – our partner Cynet will send you an email with registration details. See you on April 10, 2019, at 1:00 PM EST to demystify security beyond AV.



from The Hacker News https://ift.tt/2Yyyv3V

Cisco Releases Security Update for Cisco IOS XE

Original release date: March 28, 2019

Cisco has released a security update to address a vulnerability in Cisco IOS XE. An attacker could exploit this vulnerability to obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco Security Advisory and apply the necessary update.






from US-CERT National Cyber Alert System https://ift.tt/2HKpsIc