Thursday, April 30, 2015

Grooveshark ceases operations

As part of a settlement agreement with the major record companies, the music-sharing site has agreed to shut its services down immediately.

from Latest topics for ZDNet in Security http://ift.tt/1JETC9O

ThreatQuotient Raises $1.5Mn in Seed Money

The startup funding shows that the threat intelligence space is heating up.

from http://ift.tt/1ziCrY6

Macro Malware Returns with a Vengeance, Infecting Half a Million PCs

The threats downloaded in this latest wave of spam include banking trojans like Drixed and Vawtrak.

from http://ift.tt/1ItRFva

Changes Are Afoot for the C-suite/IT Perception Gap

C-level executives are now less confident than IT executives when it comes to cybersecurity preparedness.

from http://ift.tt/1Jdidz4

What We Can Learn from the Adobe Class Action Lawsuit

This week, Adobe announced the settlement of a class action lawsuit filed against it as a result of a 2013 data breach. This followed a 2014 finding that Adobe’s conduct was a contributing factor in the damages sustained by the plaintiffs, namely representatives of some of the three million credit or debit card holders affected.

The potential for legal action is not limited to Adobe or to the loss of credit card data. What every organization needs to consider is whether its own conduct would be a key factor in determining liability after a data breach. This is not to suggest any malice in the case of Adobe. As a former employee, I can state it is a well-run ship. I do not have all of the facts on the case, and I am not interested in passing judgment. What I am interested in is pointing out that, given all the time and attention targeted attacks receive in the media and the security industry, it is time we collectively addressed some elephants in the boardroom.

To avoid being the next headline, an organization needs to be able to show a clear trail of evidence that action is being taken to address the problem. Security teams, executives and board members must be seen to have taken ongoing and proactive steps to identify, inform and manage the risks associated with targeted attacks. To be clear, there is no silver bullet for this problem. Despite all the marketing hype around zero-day attacks, exploits and the latest threat research du jour, the sage approach is to develop the ability to detect what your adversaries have designed to be undetectable. Looking in the same nooks and crannies and expecting to find something new is at best wishful thinking. In other words, solutions designed around yesterday’s attacks are of little value in solving tomorrow’s problems.

Given this, should you read, hear or be told that monitoring the network equivalent of only your front door and windows is enough to detect modern targeted attacks, I hope your false-sense-of-security alarm rings loud and clear. For security teams, executives and board members to be seen as proactive and serious about addressing the unexpected risks, costs, and strategic and professional impacts associated with targeted attacks, they need the ability to detect and act upon the unexpected and the unseen. Why? Attackers are by nature unpredictable; therefore, how you detect, inform and take action must take this into account. A static approach, merely monitoring the perimeter and a few end-user protocols, cannot be expected to catch a dynamic adversary. Caveat emptor: some vendors espouse this storyline and invoke their expertise to support a premise that has already been proven false.

Despite what you may have read or been told, your organization needs a 360-degree view of all activity across all internal and external network traffic, over all 65,535 TCP and UDP ports, and the ability to detect what is happening on more than one hundred protocols. Others may have you believe that the myopic approach of monitoring only the web, email and file content used by your employees is all you need. However, as previously suggested, the enemy may already be well inside your gates; therefore, you need eyes everywhere.
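As an added illustration (example code written for this page, not Trend Micro's product logic), the script below runs two detectors over a handful of constructed flow records: one that only inspects traffic crossing the perimeter on web and mail ports, and one that sees every port and direction. The subnets, port sets and upload threshold are assumptions chosen for the example.

```python
"""Perimeter-only (web/mail ports) visibility versus an all-port, east-west view,
run over constructed flow records. Subnets and port sets are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WORKSTATIONS = ip_network("10.10.0.0/16")   # assumed client VLAN
SERVERS = ip_network("10.20.0.0/16")        # assumed server VLAN
WEB_MAIL_PORTS = {80, 443, 25, 587, 993}    # all a "front door" sensor inspects
ADMIN_PORTS = {22, 135, 445, 3389, 5985}    # lateral-movement favourites
UPLOAD_THRESHOLD = 50_000_000               # bytes; crude exfiltration trip-wire


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    bytes_out: int  # bytes sent from src to dst


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def front_door_alerts(flows):
    """Perimeter sensor: only egress on web/mail ports is ever inspected."""
    alerts = []
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.dport in WEB_MAIL_PORTS:
            if f.bytes_out > UPLOAD_THRESHOLD:
                alerts.append(("large_upload", f))
    return alerts


def full_view_alerts(flows):
    """All ports, all directions: keeps the perimeter checks and adds east-west
    and odd-port egress detections the perimeter sensor cannot see."""
    alerts = list(front_door_alerts(flows))
    for f in flows:
        src_in, dst_in = is_internal(f.src), is_internal(f.dst)
        if (src_in and dst_in and ip_address(f.src) in WORKSTATIONS
                and ip_address(f.dst) not in SERVERS and f.dport in ADMIN_PORTS):
            alerts.append(("workstation_admin_protocol", f))   # workstation-to-workstation SMB/RDP
        elif src_in and not dst_in and f.proto == "tcp" and f.dport not in WEB_MAIL_PORTS:
            alerts.append(("egress_nonstandard_port", f))      # candidate C2 channel
    return alerts


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "93.184.216.34", "tcp", 443, 120_000),     # ordinary browsing
    Flow("10.10.1.5", "10.20.0.10", "tcp", 445, 8_000),          # workstation -> file server
    Flow("10.10.1.5", "10.10.1.77", "tcp", 445, 2_000_000),      # workstation -> workstation SMB
    Flow("10.10.1.77", "198.51.100.7", "tcp", 4444, 900),        # small beacon on a non-web port
    Flow("10.10.1.77", "203.0.113.9", "tcp", 443, 80_000_000),   # bulk upload over HTTPS
]

if __name__ == "__main__":
    for name, detector in (("front door", front_door_alerts), ("full view", full_view_alerts)):
        print(name, [kind for kind, _ in detector(SAMPLE_FLOWS)])
```

The perimeter detector only ever fires on the bulk HTTPS upload; the workstation-to-workstation SMB session and the beacon on port 4444 are invisible to it because neither crosses the monitored ports.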

For more insight into the need and path ahead for your executives and board members to address targeted attacks and advanced threats, I encourage you to provide them with the following resources:

from Trend Micro Simply Security http://ift.tt/1QRjcdB
via IFTTT

IBM Security Bulletin: IBM Security Network Protection is affected by a NSS vulnerability (CVE-2014-3566)

A security vulnerability has been discovered in Network Security Services (NSS) used with IBM Security Network Protection. This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV), which can be used to prevent protocol...

from IBM Product Security Incident Response Team http://ift.tt/1Jda5i1

IBM Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Cognos Mobile app on Android (CVE-2015-2808)

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM Cognos Mobile app on Android. CVE(s):   CVE-2015-2808 Affected product(s) and affected version(s): IBM Cognos Mobile app on Android version...

from IBM Product Security Incident Response Team http://ift.tt/1ziftA6

IBM Security Bulletin: Vulnerability in RC4 stream cipher affects z/TPF (CVE-2015-2808)

The RC4 "Bar Mitzvah Attack" for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) affects z/TPF. CVE(s):   CVE-2015-2808 Affected product(s) and affected version(s): z/TPF Enterprise...

from IBM Product Security Incident Response Team http://ift.tt/1bjMNvr

IBM Security Bulletin: Vulnerability in RC4 stream cipher affects InfoSphere BigInsights (CVE-2015-2808)

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects InfoSphere BigInsights. CVE(s):   CVE-2015-2808 Affected product(s) and affected version(s): Customers who have Secure Sockets Layer (SSL)...

from IBM Product Security Incident Response Team http://ift.tt/1zifqoa

IBM Security Bulletin: Vulnerability in RC4 stream cipher affects IBM QRadar SIEM (CVE-2015-2808)

The RC4 Bar Mitzvah Attack for SSL/TLS affects IBM QRadar SIEM. CVE(s):   CVE-2015-2808 Affected product(s) and affected version(s): QRadar SIEM 7.2.4 Patch 4 iFix01 and earlier QRadar SIEM...

from IBM Product Security Incident Response Team http://ift.tt/1zifqo6

IBM Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli System Automation Application Manager (CVE-2015-2808)

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects WebSphere Application Server 6.1 and IBM® SDK Java™ Technology Edition, Version 5. CVE(s):   CVE-2015-2808 Affected product(s) and affected version(s):...

from IBM Product Security Incident Response Team http://ift.tt/1ziftjI

IBM Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli Network Performance Manager Wireless Platform (CVE-2015-2808)

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects some configurations of IBM Tivoli Netcool Performance Manager Wireless Platform. CVE(s):   CVE-2015-2808 Affected product(s) and affected version(s): ...

from IBM Product Security Incident Response Team http://ift.tt/1bjMLDz

IBM Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Security AppScan Standard (CVE-2015-2808)

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM Security AppScan Standard. CVE(s):   CVE-2015-2808 Affected product(s) and affected version(s): IBM Security AppScan Standard - 9.0.2,...

from IBM Product Security Incident Response Team http://ift.tt/1FBfcK2

IBM Security Bulletin: Vulnerability in RC4 stream cipher affects Rational Application Developer for WebSphere Software (CVE-2015-2808)

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects Rational Application Developer for WebSphere Software. CVE(s):   CVE-2015-2808 Affected product(s) and affected version(s): Rational Application...

from IBM Product Security Incident Response Team http://ift.tt/1E0fFzQ

IBM Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli/Security Directory Server (CVE-2015-2808)

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM Tivoli/Security Directory Server. CVE(s):   CVE-2015-2808 Affected product(s) and affected version(s): IBM Tivoli Directory Server 6.0,...

from IBM Product Security Incident Response Team http://ift.tt/1E0fFju

IBM Security Bulletin: Vulnerabilities in OpenSSL affect Proventia Network Enterprise Scanner (CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289, CVE-2015-0292,CVE-2015-0293)

OpenSSL vulnerabilities were disclosed on March 19, 2015 by the OpenSSL Project. OpenSSL is used by IBM Security Proventia Network Enterprise Scanner, which has addressed the applicable CVEs. CVE(s):   CVE-2015-0209 ,   CVE-2015-0286 ,...

from IBM Product Security Incident Response Team http://ift.tt/1E0fGUr

IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Tivoli Access Manager for e-business (CVE-2015-0138)

The “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability affects IBM® Runtime Java™ Technology Edition, various versions of which are used by IBM Tivoli Access Manager for e-business. ...

from IBM Product Security Incident Response Team http://ift.tt/1FBfccY

IBM Security Bulletin: Vulnerabilities in IBM Tivoli Directory Server affect IBM Security Access Manager for Web and Tivoli Access Manager for e-business (CVE-2015-0138)

GSKit, an IBM component, contains multiple vulnerabilities including “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. GSKit is used by IBM Tivoli Directory Server. IBM Tivoli Directory Server is used by IBM...

from IBM Product Security Incident Response Team http://ift.tt/1E0fF2S

IBM Security Bulletin: Multiple vulnerabilities affect IBM InfoSphere Information Server (CVE-2015-0383, CVE-2015-0410, CVE-2014-6593, CVE-2015-0138, CVE-2015-2808)

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 6 and 7 that are used by IBM InfoSphere Information Server. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also...

from IBM Product Security Incident Response Team http://ift.tt/1E0fGnt

Mobility Master Class: Citrix XenMobile 10 Clustering & MDM Migrations

Join our panel of mobility experts to learn about XenMobile 10.0 scalability with clustering and about migrating MDM environments. What you will learn: what’s new in XenMobile 10, migrating MDM environments, clustering in XenMobile 10 and what’s new in the latest Worx Apps release.
Length: 2:01:21

from CitrixTV RSS Feed http://ift.tt/1QQmTjM

Connect.Gov solidifies, expands ID credential plan for federal agencies

SecureKey Technologies continues as cloud broker service; ForgeRock and Ping Identity bring identity and access management (IAM) integrations.

from Latest topics for ZDNet in Security http://ift.tt/1I1Bkip

The Need for Test Data

from TaoSecurity http://ift.tt/1JcLUjY

£300 Apple Watch might not Work If You've Got Wrist Tattoos

If you love tattoos and have one on your wrist, the Apple Watch might not work for you. Yes, you heard that right. The Apple Watch may be unable to read your heart rate, or even to sense skin contact, when worn on a tattooed wrist. The Apple Watch detects that it is on your wrist by measuring your pulse. So, you

from The Hacker News http://ift.tt/1AmirPs

Software for Privacy & Security Incident Response

More and more organizations are turning to software platforms to address the increasing burden that privacy and security incidents create for companies that hold or process regulated data – data regulated by federal laws (HIPAA/HITECH) or by numerous and varying state data breach laws. “Organizations are increasingly turning to RADAR®, patented privacy & security incident […]

The post Software for Privacy & Security Incident Response appeared first on Data Breach Watch.

Copyright © Data Breach Watch [Software for Privacy & Security Incident Response ], All Right Reserved. 2015.

from Data Breach Watch http://ift.tt/1EGqNqg

Bugtraq: SevDesk v1.1 iOS - Persistent Dashboard Vulnerability

SevDesk v1.1 iOS - Persistent Dashboard Vulnerability

from SecurityFocus Vulnerabilities http://ift.tt/1IrIFXA

Where to Donate Your Old Smartphone…

…And What to Do Before You Get Rid of It

It’s time to spring clean! If you’re like me, you hate to toss a piece of hardware into the garbage. Happily, over the past couple of decades the reuse-recycle-repurpose trend has taken hold and expanded in our society. There are many ways to avoid just tossing an old smartphone in the garbage to end up in a landfill.

Recently, I became aware of a cool organization that is repurposing old smartphones in an incredibly great way. It’s a non-profit called Rainforest Connection and you can watch their promotional video on YouTube or their founder’s TED talk to learn all about them.

Here’s a quick description of what they do courtesy of their tagline: “Turning old phones into forest guardians.”

So in the spirit of spring cleaning, I decided it was time to part with my old iPhone 4S. I wanted to donate it to Rainforest Connection. However, before I sent it off to them, I wanted to see how much it might be worth to me if I sold it to www.gazelle.com. In a matter of minutes, using their website tool, I learned that my iPhone 4S in good condition could get me $20 from Gazelle.

I figured donating my old phone was worth a lot more to Rainforest Connection than $20, so it was a no-brainer. According to their website, they’ll “erase it, retrofit it, and send it into the jungle for its second life as a tireless forest guardian.” Now, I’m sure their hearts are in the right place and they wouldn’t do something nefarious – like misuse any of my personal data left on the phone, but I wanted to be sure they couldn’t.

Clearly, it’s important for everyone to wipe clean their old smartphones or mobile devices before giving them away, selling them, or disposing of them in some other way. You do not want to leave any of your personal or business data on it to be found by some bad person who uses it to steal your identity and empty your financial accounts.

Instructions for what to do to remove all your information from an iPhone before disposal can be found on Apple’s website: http://ift.tt/1DNcpc4.

Recommendations for how to clean your Android device and protect your personal information before you sell or give it away tend to involve these four steps:

  • Encrypt the data
  • Do a factory reset
  • Enter garbage data
  • Do another factory reset

The encryption step matters because a factory reset on many Android devices does not reliably overwrite the flash storage; anything that survives the reset is then ciphertext rather than recoverable plaintext, and filling the device with garbage data afterwards overwrites the blocks the reset left untouched. Once you are confident that the personal data that was on your smartphone cannot be resurrected and misused, you can sell it or give it away with confidence.

My recommendation is Rainforest Connection because, as their website says, “You can do something about climate change.”

You can contact them at or send phones to this address:
Rainforest Connection
77 Van Ness Ave
Suite 101-1717
San Francisco, CA, 94102

Let me know if you know of other good ways to recycle your old cellphone.

I work for Trend Micro and the opinions expressed here are my own.


from Trend Micro Simply Security http://ift.tt/1IsiBLO
via IFTTT

NSA is so overwhelmed with data, it's no longer effective, says whistleblower

One of the agency's first whistleblowers says the NSA is taking in too much data for it to handle, which can have disastrous -- if not deadly -- consequences.

from Latest topics for ZDNet in Security http://ift.tt/1DMVtCo

TA15-120A: Securing End-to-End Communications

Original release date: April 30, 2015

Systems Affected

Networked systems

Overview

Securing end-to-end communications plays an important role in protecting privacy and preventing some forms of man-in-the-middle (MITM) attacks. Recently, researchers described a MITM attack used to inject code, causing unsecured web browsers around the world to become unwitting participants in a distributed denial-of-service attack. That same code can be employed to deliver an exploit for a particular vulnerability or to take other arbitrary actions.

Description

A MITM attack occurs when a third party inserts itself between the communications of a client and a server. MITM attacks as a general class are not new. Classic MITM attacks (e.g., ARP Spoofing) focus on redirecting network communications. By definition, network infrastructure under attacker control is vulnerable to MITM. However, as technology evolves, new methods for performing MITM attacks evolve as well.

Currently, there is no single technology or configuration that prevents all MITM attacks. However, layering multiple defenses raises the cost to the attacker, and increasing that cost in time, effort, or money can be an effective deterrent against future network compromise.

Generally, encryption and digital certificates provide an effective safeguard against MITM attacks, assuring both the confidentiality and integrity of communications. As a result, modern MITM attacks have focused on taking advantage of weaknesses in the cryptographic infrastructure (e.g., certificate authorities (CAs), web browser certificate stores) or the encryption algorithms and protocols themselves.

Impact

MITM attacks are critical because of the wide range of potential impacts—these include the exposure of sensitive information, modification of trusted data, and injection of data.

Solution

Employing multiple network and browser protection methods forces an attacker to develop different tactics, techniques, and procedures to circumvent the new security configuration.

US-CERT recommends reviewing the following mitigations to reduce vulnerability to MITM attacks:

Update Transport Layer Security and Secure Socket Layer (TLS/SSL)

US-CERT recommends upgrading to TLS 1.1 or higher and ensuring that TLS 1.0, SSL 2.0 and SSL 3.0 are disabled unless required. Clients that support TLS can be made to fall back to SSL 3.0, which is vulnerable to a padding-oracle attack when Cipher Block Chaining (CBC) mode is used; this is commonly referred to as the "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack, and the TLS_FALLBACK_SCSV cipher suite value lets a server detect and reject such forced downgrades. Vulnerable TLS implementations can be updated by applying the patch provided by the vendor. Vendor information is available in the National Vulnerability Database (NVD) entry for CVE-2014-3566 [1] or in CERT Vulnerability Note VU#577193 [2]. See US-CERT TA14-290A [3] for additional information on this vulnerability.
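To make the downgrade mechanism concrete, here is an added example (not code from US-CERT, NSS or any TLS library) that builds a minimal ClientHello and applies the server-side TLS_FALLBACK_SCSV rule from RFC 7507, the cipher-suite value the IBM NSS bulletin earlier on this page adds support for. Cipher-suite numbers and version tuples are the standard ones; the hello bytes are constructed here and carry no extensions.

```python
"""Server-side TLS_FALLBACK_SCSV check (RFC 7507) over a constructed ClientHello.
Shows why the SCSV stops a forced POODLE-style downgrade from a modern client but
cannot help a client that genuinely speaks only TLS 1.0 or SSL 3.0."""
import os
import struct

TLS_FALLBACK_SCSV = 0x5600
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_client_hello(version, cipher_suites, client_random=None) -> bytes:
    """Minimal ClientHello inside a handshake record (RFC 5246 7.4.1.2); no extensions."""
    major, minor = version
    rnd = client_random if client_random is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (bytes([major, minor]) + rnd
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Return (client_version, [cipher suites]) from a handshake record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    pos = 34                                   # 2 bytes version + 32 bytes random
    pos += 1 + body[pos]                       # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def server_accepts(record: bytes, server_max=(3, 3), server_min=(3, 1)):
    """RFC 7507 section 3: if the client signals TLS_FALLBACK_SCSV and its version is
    below the highest version the server supports, the hello is a retry after a failed
    handshake that an on-path attacker may have caused; answer inappropriate_fallback.
    Returns (accepted, reason_or_negotiated_version)."""
    version, suites = parse_client_hello(record)
    if version < server_min:
        return False, "protocol_version"
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return False, "inappropriate_fallback"
    return True, VERSIONS.get(version, "unknown")


if __name__ == "__main__":
    for ver in ((3, 3), (3, 1), (3, 0)):
        print(VERSIONS[ver], server_accepts(build_client_hello(ver, [0x009C, TLS_FALLBACK_SCSV])))
```

Note the last case in the test: a hello for TLS 1.0 without the SCSV is accepted, because the server cannot tell a legacy client from a downgraded one that does not send the signal. That gap is exactly what raising the server's minimum version closes.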

Utilize Certificate Pinning

Certificate pinning [4] is a method of binding a host to a specific X.509 certificate or public key, or to a specific CA or root. Normally a certificate is validated only by checking a verifiable chain of trust back to any trusted root certificate. Pinning adds a further constraint on top of that validation: the user or application trusts “this certificate only” or “only certificates signed by this certificate,” so a certificate issued for the host by any other CA is rejected even though it chains to a trusted root. Please use the following resources to configure your browser for certificate pinning:

Microsoft Certificate Trust

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) 5.2 employs a feature named "Certificate Trust" for SSL/TLS certificate pinning. This feature is intended to detect and stop MITM attacks that leverage Public Key Infrastructure. [5]

To use Certificate Trust, you must provide a list of websites you want to protect and the certificate pinning rules applicable to those websites. To do this, use the Certificate Trust Configuration feature of the graphical application, or use the Configuration Wizard to configure EMET automatically with the recommended settings. [6] Also, ensure the default rules are kept up to date through regular patching.

Browser Certificate Pinning

Google Chrome and Mozilla Firefox, among others, perform certificate pinning. They ship a static list of pinned public-key hashes for selected domains, preloaded alongside the HTTP Strict Transport Security (HSTS) preload list, which limits valid certificates for those domains to chains containing one of the specified public keys. Chrome uses such pins for most Google properties, with a whitelist of public keys that includes keys from Verisign, Google Internet Authority, Equifax, and GeoTrust; thus, Chrome will not accept certificates for Google properties from other CAs.

Firefox 32 and later on desktop (Firefox 34 and later on Android) supports certificate pinning and enforces built-in pinsets (mappings of public keys to domains). Firefox pins all sites that Chrome already pins, pins Mozilla’s own sites after audit and cleanup, and pins other popular sites that are already in good standing. See How to Use Pinning [7] for more information.

Implement DNS-based Authentication of Named Entities (DANE)

DANE is a protocol that binds the X.509 certificates commonly used for TLS to DNS names, relying on Domain Name System Security Extensions (DNSSEC) to authenticate the binding. The DANE working group of the Internet Engineering Task Force defined a new DNS record type (TLSA) that allows a domain itself to sign statements about which certificates or keys are authorized to represent it. [8]

Google Chrome does not support DANE natively; an add-on [9] provides it. Mozilla Firefox likewise relies on an add-on [10] to check the existence and validity of DNSSEC records.
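The pinning and DANE sections above both hash a certificate's SubjectPublicKeyInfo (SPKI): an HPKP or preloaded browser pin is base64(SHA-256(SPKI)), and a TLSA record with selector 1 and matching type 1 is hex(SHA-256(SPKI)). The added example below (written for this page, not US-CERT's, Chrome's or Firefox's code) shows both over certificates built with a toy DER encoder; the certificate bytes and key blobs are constructed placeholders, not real certificates or RSA keys, and ordinary chain validation is assumed to have happened before the pin check.

```python
"""SPKI pins (RFC 7469 style) and DANE TLSA records (RFC 6698) over constructed
certificates: a renewed cert with the same key keeps matching, a rogue cert with
another key does not. The DER here is a toy encoder, not a real certificate."""
import base64
import hashlib


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV, using long-form length above 127 bytes."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_iter(data: bytes):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(data):
        tag, first = data[pos], data[pos + 1]
        if first & 0x80:
            nbytes = first & 0x7F
            length = int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big")
            pos += 2 + nbytes
        else:
            length, pos = first, pos + 2
        yield tag, data[pos:pos + length]
        pos += length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo, the value both pins and TLSA selector 1 hash."""
    tag, cert = next(der_iter(cert_der))      # Certificate ::= SEQUENCE
    tag_tbs, tbs = next(der_iter(cert))       # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag_tbs != 0x30:
        raise ValueError("not a DER certificate")
    fields = list(der_iter(tbs))
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    tag_spki, spki = fields[5]                # serial, sigalg, issuer, validity, subject, SPKI
    if tag_spki != 0x30:
        raise ValueError("unexpected SPKI encoding")
    return der(0x30, spki)


RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
CN_OID = b"\x55\x04\x03"                                   # 2.5.4.3


def spki_payload(key_blob: bytes) -> bytes:
    """AlgorithmIdentifier + BIT STRING; key_blob is a placeholder, not a real key."""
    return der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + key_blob)


def fake_cert(cn: str, spki: bytes, serial: int) -> bytes:
    """Constructed stand-in with the real X.509 field order and dummy contents."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))
    tbs = (der(0xA0, der(0x02, b"\x02"))                     # version v3
           + der(0x02, bytes([serial]))                       # serialNumber (< 128)
           + der(0x30, der(0x06, SHA256_RSA_OID))             # signature algorithm
           + name + der(0x30, b"") + name                     # issuer, validity, subject
           + der(0x30, spki))                                 # subjectPublicKeyInfo
    return der(0x30, der(0x30, tbs) + der(0x30, der(0x06, SHA256_RSA_OID)) + der(0x03, b"\x00"))


def spki_pin(cert_der: bytes) -> str:
    """RFC 7469 pin-sha256 value: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def chain_matches_pins(chain, pinset) -> bool:
    """Applied after normal chain validation (assumed done elsewhere): at least one
    certificate in the validated chain must carry a pinned key."""
    return any(spki_pin(c) in pinset for c in chain)


def tlsa_rdata(cert_der: bytes, usage=3, selector=1, mtype=1):
    """RFC 6698 TLSA rdata; defaults are DANE-EE(3), SPKI(1), SHA-256(1)."""
    data = extract_spki(cert_der) if selector == 1 else cert_der
    assoc = hashlib.sha256(data).hexdigest() if mtype == 1 else data.hex()
    return (usage, selector, mtype, assoc)


def tlsa_matches(cert_der: bytes, rdata) -> bool:
    usage, selector, mtype, assoc = rdata
    return tlsa_rdata(cert_der, usage, selector, mtype)[3] == assoc


# Constructed material: the same key across a renewal, a different key on the rogue cert.
KEY_A = spki_payload(b"\x00\x01" * 32)
KEY_B = spki_payload(b"\x02\x03" * 32)
LEAF = fake_cert("www.example.com", KEY_A, serial=1)
RENEWED = fake_cert("www.example.com", KEY_A, serial=2)
ROGUE = fake_cert("www.example.com", KEY_B, serial=3)
BACKUP_PIN = base64.b64encode(hashlib.sha256(der(0x30, spki_payload(b"\x04\x05" * 32))).digest()).decode()
PINSET = {spki_pin(LEAF), BACKUP_PIN}   # a backup pin for a key not yet deployed avoids lock-out
```

Because the pin covers the key rather than the certificate, a routine renewal with the same key stays valid while a certificate for the same name issued by a different CA with a different key is refused; a TLSA record with selector 0 (full certificate) would instead break on every renewal, which is why DANE-EE deployments usually pin the SPKI.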

Use Network Notary Servers

Network notary servers aim to improve the security of communications between computers and websites by enabling browsers to verify website authenticity without relying solely on CAs. CAs are often considered a security risk because they can be compromised [11]; when one is, browsers deem fraudulent sites trustworthy and are left vulnerable to MITM attacks.

Each network notary server, or group of servers, is public and can be operated by public/private organizations or individuals. These servers regularly monitor websites and build a history of each site’s certificate data over time. When a browser equipped with a network notary add-on communicates with a website and obtains its certificate information, a user-designated network notary server supplies the browser with historical certificate data for that site. If certificate information provided by the website is inconsistent with the notary’s historical data, a MITM attack could be at play. [12]

References

Revision History

  • April 30, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


from US-CERT: The United States Computer Emergency Readiness Team http://ift.tt/1JDBjll

Bugtraq: [SYSS-2014-007] FrontRange DSM - Multiple Vulnerabilities

[SYSS-2014-007] FrontRange DSM - Multiple Vulnerabilities

from SecurityFocus Vulnerabilities http://ift.tt/1dww4GO

Bugtraq: [ MDVSA-2015:218 ] glibc

[ MDVSA-2015:218 ] glibc

from SecurityFocus Vulnerabilities http://ift.tt/1dww5uu

Bugtraq: [ MDVSA-2015:217 ] sqlite3

[ MDVSA-2015:217 ] sqlite3

from SecurityFocus Vulnerabilities http://ift.tt/1EFrTm6

Bugtraq: [SECURITY] [DSA 3241-1] elasticsearch security update

[SECURITY] [DSA 3241-1] elasticsearch security update

from SecurityFocus Vulnerabilities http://ift.tt/1EFrRuF

Amateur attackers can steal data from thousands of files in an IaaS cloud

We demonstrate how a relatively unskilled attacker could gain access to data from more than 11,000 files in unsecured IaaS cloud environments.

from Symantec Connect - Security - Blog Entries http://ift.tt/1AkJjzi

USN-2591-1: curl vulnerabilities

Ubuntu Security Notice USN-2591-1

30th April, 2015

curl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu (vivid)
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in curl.

Software description

  • curl - HTTP, HTTPS, and FTP client and client libraries

Details

Paras Sethia discovered that curl could incorrectly re-use NTLM HTTP
credentials when subsequently connecting to the same host over HTTP.
(CVE-2015-3143)

Hanno Böck discovered that curl incorrectly handled zero-length host names.
If a user or automated system were tricked into using a specially crafted
host name, an attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.10 and Ubuntu 15.04.
(CVE-2015-3144)

Hanno Böck discovered that curl incorrectly handled cookie path elements.
If a user or automated system were tricked into parsing a specially crafted
cookie, an attacker could possibly use this issue to cause curl to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04.
(CVE-2015-3145)

Isaac Boukris discovered that when using Negotiate authenticated
connections, curl could incorrectly authenticate the entire connection and
not just specific HTTP requests. (CVE-2015-3148)

Yehezkel Horowitz and Oren Souroujon discovered that curl sent HTTP headers
both to servers and proxies by default, contrary to expectations. This
issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3153)
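The two NTLM/Negotiate findings share a root cause: those schemes authenticate the connection, not each request, so a pooled connection must not be handed to a request with different credentials. The added example below (not curl's code) models the bug class with a connection pool keyed on host:port alongside one that keys reuse on the credentials as well; host names and user names are made up.

```python
"""Connection pooling for HTTP auth schemes that authenticate the TCP connection
rather than each request (NTLM, Negotiate): a vulnerable pool that hands Bob a
connection bound to Alice, and a fixed pool that keys reuse on the credentials."""
from dataclasses import dataclass
from typing import Optional

CONNECTION_SCOPED = {"ntlm", "negotiate"}   # server binds the identity to the connection


@dataclass
class Connection:
    host: str
    port: int
    authenticated_as: Optional[str] = None  # identity the server associated with this socket
    scheme: Optional[str] = None


def _authenticate(conn: Connection, user: str, scheme: str) -> None:
    """Stand-in for the NTLM/Negotiate handshake on a fresh connection."""
    if scheme in CONNECTION_SCOPED and conn.authenticated_as is None:
        conn.authenticated_as, conn.scheme = user, scheme


class VulnerablePool:
    """Keys idle connections on host:port only, so Bob's request is sent over the
    connection the server still believes belongs to Alice."""
    def __init__(self):
        self.idle = {}

    def get(self, host, port, user, scheme) -> Connection:
        conn = self.idle.pop((host, port), None) or Connection(host, port)
        _authenticate(conn, user, scheme)
        return conn

    def release(self, conn: Connection) -> None:
        self.idle[(conn.host, conn.port)] = conn


class FixedPool:
    """For connection-scoped schemes the credentials become part of the reuse key;
    per-request schemes (Basic, Digest) keep sharing connections as before."""
    def __init__(self):
        self.idle = {}

    @staticmethod
    def _key(host, port, user, scheme):
        return (host, port, user if scheme in CONNECTION_SCOPED else None)

    def get(self, host, port, user, scheme) -> Connection:
        conn = self.idle.pop(self._key(host, port, user, scheme), None) or Connection(host, port)
        _authenticate(conn, user, scheme)
        return conn

    def release(self, conn: Connection) -> None:
        self.idle[self._key(conn.host, conn.port, conn.authenticated_as, conn.scheme)] = conn


def identity_seen_by_server(pool_cls, first=("alice", "ntlm"), second=("bob", "ntlm")) -> Optional[str]:
    """Alice authenticates and releases the connection; a request for `second` then
    goes to the same host. Returns whose identity that request runs under."""
    pool = pool_cls()
    conn = pool.get("intranet.example.com", 80, *first)
    pool.release(conn)
    conn2 = pool.get("intranet.example.com", 80, *second)
    return conn2.authenticated_as


if __name__ == "__main__":
    print("vulnerable:", identity_seen_by_server(VulnerablePool))   # alice
    print("fixed:     ", identity_seen_by_server(FixedPool))        # bob
```

The same key change also covers the case where Bob sends no credentials at all: with the fixed pool his unauthenticated request never lands on a connection the server has already tied to Alice.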

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu (vivid):
libcurl3-nss 7.38.0-3ubuntu2.2
libcurl3-gnutls 7.38.0-3ubuntu2.2
libcurl3 7.38.0-3ubuntu2.2
Ubuntu 14.10:
libcurl3-nss 7.37.1-1ubuntu3.4
libcurl3-gnutls 7.37.1-1ubuntu3.4
libcurl3 7.37.1-1ubuntu3.4
Ubuntu 14.04 LTS:
libcurl3-nss 7.35.0-1ubuntu2.5
libcurl3-gnutls 7.35.0-1ubuntu2.5
libcurl3 7.35.0-1ubuntu2.5
Ubuntu 12.04 LTS:
libcurl3-nss 7.22.0-3ubuntu4.14
libcurl3-gnutls 7.22.0-3ubuntu4.14
libcurl3 7.22.0-3ubuntu4.14

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-3143, CVE-2015-3144, CVE-2015-3145, CVE-2015-3148, CVE-2015-3153

from Ubuntu Security Notices http://ift.tt/1JDkVBt

The Cisco Security Dojo

Over the past three years, Cisco has invested in the creation of an application security awareness program. The program helps the good citizens of this company understand, apply, and act upon a strategy to build more trustworthy products. We announced the program to the world at the RSA Conference 2015. I am sharing this with you because we’ve created something unique in the industry, and we want to encourage other companies to pursue the creation of an [...]

from Cisco Blog » Security http://ift.tt/1Pa0xGf

Nepal Earthquake Disaster Email Scams

Original release date: April 30, 2015

US-CERT would like to warn users of potential email scams regarding the earthquake in Nepal. The scam emails may contain links or attachments that may direct users to phishing or malware infected websites. Phishing emails and websites requesting donations for fraudulent charitable organizations commonly appear after these types of natural disasters.

US-CERT encourages users to take the following measures to protect themselves:

  • Do not follow unsolicited web links or attachments in email messages.
  • Maintain up-to-date antivirus software.
  • Review the Federal Trade Commission's Charity Checklist.
  • Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau National Charity Report Index.
  • Refer to the Security Tip (ST04-014) on Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

from US-CERT: The United States Computer Emergency Readiness Team http://ift.tt/1AkLvXo

Ad Fraudsters Get Political With Pro-Russia Vids

Trustwave spots campaign designed to artificially boost pro-Kremlin propaganda

from http://ift.tt/1EFnhwo

Microsoft Edge: The Windows 10 Web Browser

Meet Microsoft’s replacement for its old web browser, Internet Explorer. The Project Spartan web browser for Windows 10 now has an official name: Microsoft Edge. Yes, Microsoft’s new web browser, shipping on all Windows 10 devices from computers to smartphones and tablets, is dubbed Microsoft Edge. The company just announced at its Build developer conference that Edge is going to be its

from The Hacker News http://ift.tt/1DMlNwp

Countdown to Zero Day, book review: Dispatches from the first cyberwar

In this gripping and technically accomplished book, Kim Zetter reveals the genesis of Stuxnet and its successors, and their role in the new field of cyberwarfare.

from Latest topics for ZDNet in Security http://ift.tt/1EtIVCC

Major Flaw Could Let Remote Hackers into SOHO Routers

TippingPoint’s ZDI discloses publicly after months of inaction by RealTek

from http://ift.tt/1P9vF8Y

Most UK Firms Plan to Run Windows Server 2003 After Support Ends

Breach risk as many admit to having no security plans in place

from http://ift.tt/1DE4eNW

Password Alert Chrome Extension to Protect your Google Account from Phishers

As cybercriminals have started using sophisticated phishing techniques in an attempt to hijack online users’ accounts, Google on Wednesday launched a new Chrome extension to fight phishing. The search giant’s new Password Alert Chrome extension will alert you whenever you accidentally enter your Google password on a carefully crafted phishing website that

from The Hacker News http://ift.tt/1bFJuPt

USN-2590-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2590-1

30th April, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.10

Summary

Several security issues were fixed in the kernel.

Software description

  • linux - Linux kernel

Details

Jan Beulich discovered the Xen virtual machine subsystem of the Linux
kernel did not properly restrict access to PCI command registers. A local
guest user could exploit this flaw to cause a denial of service (host
crash). (CVE-2015-2150)

A stack overflow was discovered in the microcode loader for the Intel
x86 platform. A local attacker could exploit this flaw to cause a denial of
service (kernel crash) or to potentially execute code with kernel
privileges. (CVE-2015-2666)

A privilege escalation was discovered in the fork syscall via the int80 entry
on 64-bit kernels with 32-bit emulation support. An unprivileged local
attacker could exploit this flaw to increase their privileges on the
system. (CVE-2015-2830)

It was discovered that the Linux kernel's IPv6 networking stack has a flaw
that allows using router advertisement (RA) messages to set the 'hop_limit'
to values that are too low. An unprivileged attacker on a local network
could exploit this flaw to cause a denial of service (IPv6 messages
dropped). (CVE-2015-2922)
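For the IPv6 hop-limit issue, the added example below (not Ubuntu's or the kernel's code) parses an ICMPv6 Router Advertisement and contrasts the pre-fix behaviour, where any RA sets the interface hop limit, with a policy that refuses to lower it; that policy mirrors the upstream change as I understand it and should be treated as an assumption to check against the kernel source. The packets are constructed test input with a zero checksum, and the sensor threshold is an assumed value.

```python
"""ICMPv6 Router Advertisement parsing and hop-limit policy: pre-fix behaviour
(any RA sets the hop limit) versus a policy that never lowers it, plus a sensor-side
check for RA parameter spoofing. Packets are constructed; checksum left zero."""
import struct
from typing import Optional

ICMPV6_ROUTER_ADVERT = 134
RA_HEADER = "!BBHBBHII"   # type, code, checksum, cur hop limit, flags, lifetime, reachable, retrans
MIN_SANE_HOP_LIMIT = 16   # assumption: detection threshold for a monitoring sensor


def build_ra(cur_hop_limit: int, router_lifetime: int = 1800, flags: int = 0,
             msg_type: int = ICMPV6_ROUTER_ADVERT) -> bytes:
    """Serialise an RA header (RFC 4861 section 4.2) with no options."""
    return struct.pack(RA_HEADER, msg_type, 0, 0, cur_hop_limit, flags, router_lifetime, 0, 0)


def parse_ra(pkt: bytes) -> dict:
    size = struct.calcsize(RA_HEADER)
    if len(pkt) < size:
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _csum, hop, flags, lifetime, reach, retrans = struct.unpack(RA_HEADER, pkt[:size])
    if msg_type != ICMPV6_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    return {"cur_hop_limit": hop, "flags": flags, "router_lifetime": lifetime,
            "reachable_time": reach, "retrans_timer": retrans}


def hop_limit_before_fix(current: int, pkt: bytes) -> int:
    """Pre-fix behaviour: a non-zero Cur Hop Limit is applied unconditionally, so one
    on-link RA with hop limit 1 makes every outbound packet die at the first router."""
    hop = parse_ra(pkt)["cur_hop_limit"]
    return hop if hop else current          # 0 means "unspecified by this router"


def hop_limit_after_fix(current: int, pkt: bytes, log: Optional[list] = None) -> int:
    """Hardened policy (assumed to match the upstream fix): never let an RA reduce the
    interface's current hop limit; log and keep the old value instead."""
    hop = parse_ra(pkt)["cur_hop_limit"]
    if hop == 0:
        return current
    if hop < current:
        if log is not None:
            log.append(f"ignoring RA that would lower hop limit {current} -> {hop}")
        return current
    return hop


def suspicious_ra(pkt: bytes) -> bool:
    """Sensor-side check: an RA advertising a tiny hop limit is far more likely an
    attack tool (parameter spoofing in RFC 3756's threat model) than a real router."""
    hop = parse_ra(pkt)["cur_hop_limit"]
    return 0 < hop < MIN_SANE_HOP_LIMIT


if __name__ == "__main__":
    evil = build_ra(1)
    print("before fix:", hop_limit_before_fix(64, evil))   # 1
    print("after fix: ", hop_limit_after_fix(64, evil))    # 64
    print("suspicious:", suspicious_ra(evil))              # True
```

An RA is unauthenticated link-local traffic, so the only defences are the host policy shown here and network-side controls such as RA Guard on the switch; the sensor check is there because a patched host will silently keep its hop limit, and the attempt is still worth seeing.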

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.10:
linux-image-3.16.0-36-generic-lpae 3.16.0-36.48
linux-image-3.16.0-36-powerpc64-smp 3.16.0-36.48
linux-image-3.16.0-36-powerpc64-emb 3.16.0-36.48
linux-image-3.16.0-36-generic 3.16.0-36.48
linux-image-3.16.0-36-lowlatency 3.16.0-36.48
linux-image-3.16.0-36-powerpc-smp 3.16.0-36.48
linux-image-3.16.0-36-powerpc-e500mc 3.16.0-36.48

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
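Because of the ABI bump, the fixed kernel only takes effect once the machine has rebooted into it. The following constructed check (added here, not part of the Ubuntu notice) compares the running kernel with the package versions listed above: it reads the ABI from `uname -r` and the upload number from `uname -v` rather than asking dpkg, so a kernel that is installed but not yet booted still reports as vulnerable. The sample `uname` strings are constructed; the reboot-required path is Ubuntu's own.

```python
import os
import re

# Constructed helper: is the running kernel at or beyond the fix a USN names?
# The notice's version 3.16.0-36.48 means ABI 36, upload 48. 'uname -r' shows
# the ABI (3.16.0-36-generic); 'uname -v' shows the upload ('#48-Ubuntu SMP ...').
PKG_RE = re.compile(
    r"^linux-image-(\d+\.\d+\.\d+)-(\d+)-(\S+)\s+"   # image name: base, ABI, flavour
    r"\d+\.\d+\.\d+-\d+\.(\d+)"                     # version: base-ABI.upload (~suffix ignored)
)
UNAME_R_RE = re.compile(r"^(\d+\.\d+\.\d+)-(\d+)-(\S+)$")
UNAME_V_RE = re.compile(r"^#(\d+)")

# Package lines as listed in the notice above (Ubuntu 14.10).
NOTICE_PACKAGES = """
linux-image-3.16.0-36-generic-lpae 3.16.0-36.48
linux-image-3.16.0-36-powerpc64-smp 3.16.0-36.48
linux-image-3.16.0-36-powerpc64-emb 3.16.0-36.48
linux-image-3.16.0-36-generic 3.16.0-36.48
linux-image-3.16.0-36-lowlatency 3.16.0-36.48
linux-image-3.16.0-36-powerpc-smp 3.16.0-36.48
linux-image-3.16.0-36-powerpc-e500mc 3.16.0-36.48
""".split("\n")


def _ver(base, abi):
    """'3.16.0', '36' -> (3, 16, 0, 36), so tuples compare numerically."""
    return tuple(int(x) for x in base.split(".")) + (int(abi),)


def parse_notice(lines):
    """Map kernel flavour -> ((major, minor, patch, abi), upload) from USN package lines."""
    fixed = {}
    for line in lines:
        m = PKG_RE.match(line.strip())
        if m:
            base, abi, flavour, upload = m.groups()
            fixed[flavour] = (_ver(base, abi), int(upload))
    return fixed


def kernel_status(uname_r, uname_v, fixed):
    """'fixed', 'vulnerable', 'unknown-flavour' or 'unparseable' for the running kernel."""
    m = UNAME_R_RE.match(uname_r)
    v = UNAME_V_RE.match(uname_v)
    if not (m and v):
        return "unparseable"
    base, abi, flavour = m.groups()
    if flavour not in fixed:
        return "unknown-flavour"        # e.g. a self-built or third-party kernel
    running = (_ver(base, abi), int(v.group(1)))
    # A newer ABI is always newer than the fix; the same ABI needs upload >= fix.
    return "fixed" if running >= fixed[flavour] else "vulnerable"


def reboot_pending(path="/var/run/reboot-required"):
    """Ubuntu creates this file when an installed kernel still needs a reboot."""
    return os.path.exists(path)


if __name__ == "__main__":
    u = os.uname()
    print(u.release, kernel_status(u.release, u.version, parse_notice(NOTICE_PACKAGES)),
          "(reboot pending)" if reboot_pending() else "")
```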

References

CVE-2015-2150, CVE-2015-2666, CVE-2015-2830, CVE-2015-2922



from Ubuntu Security Notices http://ift.tt/1QNzlAZ

USN-2589-1: Linux kernel (Utopic HWE) vulnerabilities

Ubuntu Security Notice USN-2589-1

30th April, 2015

linux-lts-utopic vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-utopic - Linux hardware enablement kernel from Utopic

Details

Jan Beulich discovered the Xen virtual machine subsystem of the Linux
kernel did not properly restrict access to PCI command registers. A local
guest user could exploit this flaw to cause a denial of service (host
crash). (CVE-2015-2150)

A stack overflow was discovered in the microcode loader for the Intel
x86 platform. A local attacker could exploit this flaw to cause a denial of
service (kernel crash) or to potentially execute code with kernel
privileges. (CVE-2015-2666)

A privilege escalation was discovered in the fork syscall via the int80 entry
on 64-bit kernels with 32-bit emulation support. An unprivileged local
attacker could exploit this flaw to increase their privileges on the
system. (CVE-2015-2830)

It was discovered that the Linux kernel's IPv6 networking stack has a flaw
that allows using route advertisement (RA) messages to set the 'hop_limit'
to values that are too low. An unprivileged attacker on a local network
could exploit this flaw to cause a denial of service (IPv6 messages
dropped). (CVE-2015-2922)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.16.0-36-generic-lpae 3.16.0-36.48~14.04.1
linux-image-3.16.0-36-powerpc64-emb 3.16.0-36.48~14.04.1
linux-image-3.16.0-36-powerpc64-smp 3.16.0-36.48~14.04.1
linux-image-3.16.0-36-generic 3.16.0-36.48~14.04.1
linux-image-3.16.0-36-lowlatency 3.16.0-36.48~14.04.1
linux-image-3.16.0-36-powerpc-smp 3.16.0-36.48~14.04.1
linux-image-3.16.0-36-powerpc-e500mc 3.16.0-36.48~14.04.1

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-2150, CVE-2015-2666, CVE-2015-2830, CVE-2015-2922



from Ubuntu Security Notices http://ift.tt/1QNzlAU

USN-2588-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2588-1

30th April, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux - Linux kernel

Details

A stack overflow was discovered in the microcode loader for the Intel
x86 platform. A local attacker could exploit this flaw to cause a denial of
service (kernel crash) or to potentially execute code with kernel
privileges. (CVE-2015-2666)

It was discovered that the Linux kernel's IPv6 networking stack has a flaw
that allows using route advertisement (RA) messages to set the 'hop_limit'
to values that are too low. An unprivileged attacker on a local network
could exploit this flaw to cause a denial of service (IPv6 messages
dropped). (CVE-2015-2922)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.13.0-51-powerpc64-emb 3.13.0-51.84
linux-image-3.13.0-51-powerpc64-smp 3.13.0-51.84
linux-image-3.13.0-51-generic 3.13.0-51.84
linux-image-3.13.0-51-powerpc-smp 3.13.0-51.84
linux-image-3.13.0-51-powerpc-e500 3.13.0-51.84
linux-image-3.13.0-51-generic-lpae 3.13.0-51.84
linux-image-3.13.0-51-powerpc-e500mc 3.13.0-51.84
linux-image-3.13.0-51-lowlatency 3.13.0-51.84

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-2666, CVE-2015-2922



from Ubuntu Security Notices http://ift.tt/1DY3NhO

USN-2587-1: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu Security Notice USN-2587-1

30th April, 2015

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-trusty - Linux hardware enablement kernel from Trusty

Details

A stack overflow was discovered in the microcode loader for the Intel
x86 platform. A local attacker could exploit this flaw to cause a denial of
service (kernel crash) or to potentially execute code with kernel
privileges. (CVE-2015-2666)

It was discovered that the Linux kernel's IPv6 networking stack has a flaw
that allows using route advertisement (RA) messages to set the 'hop_limit'
to values that are too low. An unprivileged attacker on a local network
could exploit this flaw to cause a denial of service (IPv6 messages
dropped). (CVE-2015-2922)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-51-generic 3.13.0-51.84~precise1
linux-image-3.13.0-51-generic-lpae 3.13.0-51.84~precise1

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-2666, CVE-2015-2922



from Ubuntu Security Notices http://ift.tt/1QNznbZ

USN-2586-1: Linux kernel (OMAP4) vulnerability

Ubuntu Security Notice USN-2586-1

30th April, 2015

linux-ti-omap4 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • linux-ti-omap4 - Linux kernel for OMAP4

Details

It was discovered that the Linux kernel's IPv6 networking stack has a flaw
that allows using route advertisement (RA) messages to set the 'hop_limit'
to values that are too low. An unprivileged attacker on a local network
could exploit this flaw to cause a denial of service (IPv6 messages
dropped).

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1463-omap4 3.2.0-1463.83

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-2922



from Ubuntu Security Notices http://ift.tt/1DY3Lqd

USN-2585-1: Linux kernel vulnerability

Ubuntu Security Notice USN-2585-1

30th April, 2015

linux vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • linux - Linux kernel

Details

It was discovered that the Linux kernel's IPv6 networking stack has a flaw
that allows using route advertisement (RA) messages to set the 'hop_limit'
to values that are too low. An unprivileged attacker on a local network
could exploit this flaw to cause a denial of service (IPv6 messages
dropped).

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-82-generic 3.2.0-82.119
linux-image-3.2.0-82-virtual 3.2.0-82.119
linux-image-3.2.0-82-generic-pae 3.2.0-82.119
linux-image-3.2.0-82-highbank 3.2.0-82.119
linux-image-3.2.0-82-powerpc64-smp 3.2.0-82.119
linux-image-3.2.0-82-omap 3.2.0-82.119
linux-image-3.2.0-82-powerpc-smp 3.2.0-82.119

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-2922



from Ubuntu Security Notices http://ift.tt/1QNzlkv

USN-2584-1: Linux kernel (EC2) vulnerability

Ubuntu Security Notice USN-2584-1

30th April, 2015

linux-ec2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • linux-ec2 - Linux kernel for EC2

Details

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 10.04 LTS:
linux-image-2.6.32-377-ec2 2.6.32-377.94

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-3339



from Ubuntu Security Notices http://ift.tt/1QNznbS

USN-2583-1: Linux kernel vulnerability

Ubuntu Security Notice USN-2583-1

30th April, 2015

linux vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • linux - Linux kernel

Details

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 10.04 LTS:
linux-image-2.6.32-74-powerpc 2.6.32-74.142
linux-image-2.6.32-74-386 2.6.32-74.142
linux-image-2.6.32-74-sparc64 2.6.32-74.142
linux-image-2.6.32-74-generic-pae 2.6.32-74.142
linux-image-2.6.32-74-preempt 2.6.32-74.142
linux-image-2.6.32-74-lpia 2.6.32-74.142
linux-image-2.6.32-74-sparc64-smp 2.6.32-74.142
linux-image-2.6.32-74-powerpc64-smp 2.6.32-74.142
linux-image-2.6.32-74-versatile 2.6.32-74.142
linux-image-2.6.32-74-generic 2.6.32-74.142
linux-image-2.6.32-74-virtual 2.6.32-74.142
linux-image-2.6.32-74-server 2.6.32-74.142
linux-image-2.6.32-74-powerpc-smp 2.6.32-74.142
linux-image-2.6.32-74-ia64 2.6.32-74.142

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-3339



from Ubuntu Security Notices http://ift.tt/1QNzlkn

8 Best Android Apps To Improve Privacy and Security in 2015

Just having a good anti-virus app on your smartphone doesn’t mean complete security. Mobile device security is made up of several different features, such as:

  • Data privacy and security features
  • Permission restrictions for snoopy apps
  • A blacklist for undesired calls
  • An excellent backup capability, in case your smartphone gets damaged
  • As well as encryption


from The Hacker News http://ift.tt/1DY4O9L

Wednesday, April 29, 2015

JPMorgan Chase Insider Thief Nabbed by FBI

The perp faces charges of stealing customer data and trying to sell it to an undercover informant for tens of thousands of dollars.

from http://ift.tt/1JakEm1

Google Releases Security Update for Chrome

Original release date: April 29, 2015

Google has released Chrome version 42.0.2311.135 for Windows, Mac, and Linux to address multiple vulnerabilities. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review the Google Chrome blog entry and apply the necessary updates.



from US-CERT: The United States Computer Emergency Readiness Team http://ift.tt/1FyUlqK

Survey: C-level Tech Execs Most Responsible for Breaches

As the data breach epidemic rages on, the question of corporate liability has been front and center.

from http://ift.tt/1zrnhjq

Google Aims at Phishing with Password Alert

A warning pops up if a user types her Google password into a site that isn’t a Google sign-in page.

from http://ift.tt/1OG13kq

Best Security Practices for Microsoft Azure: Locking Down Your Environment

As you know, moving your workloads to the cloud doesn’t mean you’re not responsible for the security of your operating system, applications and data. Building on the security of the Azure infrastructure, this shared security responsibility starts with making sure your Azure environment is secure. In this post, we’re going to walk step-by-step through what you need to do to secure access at the administrative, application and network layers.

We’ll follow this up with the next steps to ensure security of your workload. Make sure you also share your own tips for managing security in Azure in the comments section below!

Now on to the best practices…

Plan before your Cloud Adoption

I want to talk about this general principle before I start on the security tips because it’s essential and often overlooked. Unfortunately, it’s a common mistake for application owners/departments or business units to bypass IT and security teams to sign up with cloud services without any plan or much forethought. Such adoption of cloud services often leads to complicated and costly corrections later on when your IT and security teams become involved. For example, if you don’t clearly separate your subscriptions, you can inadvertently give access to production services to employees who don’t need such access. I must admit, thinking and planning takes time, but when you invest your time planning your cloud adoption strategy, it allows you to establish a solid foundation upon which you can build and grow without fearing costly changes later on.

Now we’ll walk through the general flow of the Microsoft Cloud Service (Azure) sign-up and introduce you to some fundamental concepts associated with Microsoft Azure. This will help you better understand the relationship between these components, what the security principles for each step are, and what options are at your disposal.

Creating Your Azure Account

To do anything in Azure, you need an account. When you create an account with Azure using the Azure Account Center, there are two choices provided to sign up: a) Microsoft account such as <user>@outlook.com, <user>@hotmail.com or <user>@live.com; or b) Your organization/work account — these are sourced from Azure Active Directory.

Microsoft Azure subscriptions use Azure Active Directory to sign users into the management portal and to secure access to the Azure management API. It’s recommended to use organization/work accounts that are created from within Azure Active Directory and provide more options for managing them. For example, organization/work accounts can be supplemented with multi-factor authentication which is always recommended for privileged users such as “account administrator/global administrator.”

Consider creating a “service” email account in your organization, e.g., a distribution list (DL) with an external SMTP address associated with it that can be used for Azure sign-up. This email DL should hold a few key project stakeholders as members; that way, your Azure account is unaffected by employee turnover. For example, “Comp_Azure_Srv@yourdomain.com” could be the user ID used for your Azure account sign-up process. This will become your “Account Administrator or Global Administrator”; think of this user as your “root” account. The account administrator is the only one who is authorized to access the account center to create subscriptions, cancel subscriptions, change billing for a subscription, change the service administrator, and more. There is a one-to-one relationship between an Azure account and its account administrator.

Setting up Your Subscription

Once the Azure account is created, the next step is to set up subscriptions. Every cloud service belongs to a subscription; subscriptions help you organize access to cloud service resources. The account administrator, the person who creates the Azure account, is the only one who can create subscriptions and is designated as the default “service administrator” for the subscription. There is a one-to-one relationship between a subscription and its service administrator. Access to the Azure Management Portal is granted to this administrator. You can also create up to 10 co-administrators per subscription. You can create multiple subscriptions based on your requirements, e.g., individual subscriptions per type of environment, such as “development,” “staging” and “production.” This lets you view usage and control access to each service granularly; it is therefore advisable to separate your workloads into specific subscriptions to avoid accidental changes.

Figure 1 – Azure Account to Subscription and Access Administrators

Setting Role-Based Access Controls (RBAC)

Now that the subscriptions are created, you can start to control which cloud resources your employees can access and what actions they can perform on those resources. In the new Microsoft Azure Preview Portal, Microsoft has announced the preview release of Role-Based Access Control (RBAC). Using RBAC, you can limit the access of users and groups by assigning them roles on Azure resources. Azure role-based access control comes with different built-in roles: “owner,” “reader” and “contributor,” that can be assigned to users, groups and services.

It’s easiest to first assign access at the subscription level and then make adjustments at the resource level. For example, John Smith (your DBA) can be assigned the “reader” role at the subscription level, and based on his job role (i.e., DBA) and application structure (three-tier application: Web, app and DB), you can then assign him the “contributor” role at the level of the virtual machine that is running the database for your application.

Figure 2 – Reader Access on the Subscription level

Figure 3 – Contributor Access on the VM level

Control Your Access Points to Azure Resources

Next, you need to decide how your users will access the cloud resources they have been granted. Microsoft Azure offers multiple access and management capabilities, and it’s important to restrict remote access to your VMs to a dedicated hardened workstation that runs only the required services and applications and may have network access restricted to only what is needed to perform the tasks at hand. These workstations are not used by your users for day-to-day activities. You can further lock down access to Azure resources by having a Remote Desktop Gateway (RDGW) installed on premise that is connected to the Azure environment. This RDGW, together with Windows Server Network Access Protection (NAP), helps ensure that only clients that meet specific security criteria established by your AD GPOs can connect.

In this type of setup, the local instance of Windows Firewall (or a non-Microsoft client firewall) is configured to block inbound connections, such as RDP. The administrator can log on to the on premise hardened workstation and start an RDP session that connects to the Azure VM, but cannot log on to a corporate PC and use RDP to connect to the hardened workstation itself. This practice is meant to restrict and reduce your attack surface. The following logical view shows how access to the Azure VM is only allowed from the hardened on premise workstation via the RDGW.

Figure 4 – Taken From: http://ift.tt/1ES4T5l

Network Layer Security Considerations

Network security is one of the most important building blocks of your overall security design, whether it is done on premise or in the public cloud. Microsoft Azure provides the infrastructure necessary to securely connect your virtual machines (VMs) to one another, and be the bridge between the cloud and your on premise data center. The responsibilities for network protection and management are shared between you and Microsoft. For example, Microsoft Azure takes care of spoofing attacks by performing hypervisor-based checks on the outgoing network, i.e., a compute node is disallowed from sending traffic from any IP other than its own. Similarly, as an Azure subscriber, you cannot walk into a Microsoft data center and rewire a server rack, but you are allowed to do the equivalent within your cloud environment through a number of different virtual mechanisms, including guest OS firewalls, VNET Gateway configuration, and virtual private network (VPN).

Let’s take an “inside-out” look toward the networking in Azure; just like with an on premise model, you should plan your network design based on your security, connectivity and application requirements. This must be done prior to launching your workloads (VM) in Azure since, after a VM has been deployed, you can’t move it to the virtual network without redeploying it.

By leveraging the Windows Azure virtual networking service, you can create virtual networks for the purpose of segregating your three-tier application stack, where you put your Web, app and DB VMs.

Figure 5 – 3-Tier Virtual Network

Once the virtual network is created, you can attach your virtual machines to it. All VMs attached to a virtual network can only talk to other VMs attached to the same virtual network. If communication should be restricted among VMs within the same subnet, e.g., VMs in the Web-Tier can’t talk to each other (east-west), then either use the guest OS firewall or deploy a third-party host-based firewall solution. To restrict the traffic flow between subnets and VMs (e.g., the VMs in the Web-Tier can’t talk to the DB-Tier), you can use the guest OS firewall, deploy a third-party host-based firewall solution, or use Azure’s network-level access control, Network Security Groups (NSGs), as long as your vNet is not associated with an affinity group. NSGs allow two-tier filtering of inbound and outbound traffic and implement a traffic-flow firewall policy that is maintained at the network level instead of the OS level.
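To make the NSG semantics just described concrete, here is a constructed first-match rule evaluator for the three-tier vNet (an added example, not Azure’s or Trend Micro’s code): the subnet ranges, rule names and priorities are assumptions, the default rules are modelled after the ones Azure attaches to every NSG, and it goes one step beyond the text by showing how a broad Allow evaluated ahead of a specific Deny silently shadows it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed first-match evaluator for NSG-style rules (added example, not
# Azure's code). Subnets, rule names and priorities below are assumptions.
VNET = "10.0.0.0/16"                                  # stands in for the VIRTUAL_NETWORK tag
WEB, APP, DB = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"   # Web-, App- and DB-Tier subnets


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is checked first; the first match ends evaluation
    action: str          # "Allow" or "Deny"
    src: str             # CIDR or "*" for any source
    dst: str             # CIDR or "*" for any destination
    dst_port: str        # "1433", "1000-2000" or "*"
    proto: str = "*"     # "tcp", "udp" or "*"


# Modelled after the default rules Azure appends to every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "Allow", VNET, VNET, "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]
DEFAULT_OUTBOUND = [
    Rule("AllowVNetOutBound", 65000, "Allow", VNET, VNET, "*"),
    Rule("AllowInternetOutBound", 65001, "Allow", "*", "*", "*"),
    Rule("DenyAllOutBound", 65500, "Deny", "*", "*", "*"),
]

# Inbound policy for the DB-Tier subnet: only the App-Tier may reach SQL Server,
# and the Web-Tier may not reach the DB-Tier at all.
DB_INBOUND = [
    Rule("allow-app-to-db-sql", 100, "Allow", APP, DB, "1433", "tcp"),
    Rule("deny-web-to-db", 200, "Deny", WEB, DB, "*"),
] + DEFAULT_INBOUND


def _addr_matches(pattern, addr):
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)


def _port_matches(pattern, port):
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, src_ip, dst_ip, dst_port, proto="tcp"):
    """Return (action, rule_name) of the first rule, in priority order, that matches."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.proto in ("*", proto)
                and _addr_matches(r.src, src_ip)
                and _addr_matches(r.dst, dst_ip)
                and _port_matches(r.dst_port, dst_port)):
            return r.action, r.name
    return "Deny", "implicit-deny"       # only reachable without the default rules


def flow_allowed(src_outbound, dst_inbound, src_ip, dst_ip, dst_port, proto="tcp"):
    """Two-tier filtering: the sender's outbound NSG and the receiver's inbound
    NSG must both allow the flow."""
    return (evaluate(src_outbound, src_ip, dst_ip, dst_port, proto)[0] == "Allow"
            and evaluate(dst_inbound, src_ip, dst_ip, dst_port, proto)[0] == "Allow")


def shadowed_deny():
    """Pitfall: a broad Allow with a lower priority number than the specific Deny
    is matched first, so the Web-Tier reaches SQL although a deny rule exists."""
    rules = [
        Rule("allow-vnet-sql", 100, "Allow", VNET, DB, "1433", "tcp"),
        Rule("deny-web-to-db", 200, "Deny", WEB, DB, "*"),
    ] + DEFAULT_INBOUND
    return evaluate(rules, "10.0.1.10", "10.0.3.10", 1433)


if __name__ == "__main__":
    for src in ("10.0.2.10", "10.0.1.10", "203.0.113.5"):      # app, web, Internet
        print(src, "-> db:1433", evaluate(DB_INBOUND, src, "10.0.3.10", 1433))
    print("shadowed deny:", shadowed_deny())
```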

External access to the VM from the Internet is defined by creating input endpoints that allow inbound communication to your VM. In the three-tier network design, VMs placed in the app-tier and DB-tier usually don’t need direct access from the Internet. For this reason, it’s recommended to restrict direct access to them by not defining any input endpoints for such VMs, and to create input endpoints only for the ports that you need open from the Internet. When access to application and DB servers from outside is required, you can also specify access control lists (ACLs) on input endpoints to control the source IPs from which the VM will allow inbound traffic, as shown below.

Figure 6 – Restricted Access to DB Server using ACL to allow from a specific workstation Source IP

Similarly, the outbound communication flow of your VM should be restricted based on your security and application requirements.

The logical diagram below depicts the network control choices we have discussed for our sample three-tier application stack.

Figure 7 – Network Access Controls with 3-Tier Application Stack

Learn More

In our next post, we’ll discuss next steps to ensure the security of your workload.

To learn more, visit the Trend Micro booth (no. 230) at Microsoft Ignite in Chicago May 4-8; in the meantime, visit us online here.

References:

http://ift.tt/1GGlB5h

http://ift.tt/1ES4T5o

http://ift.tt/1GGlDKk

http://ift.tt/1k5kmSN

http://ift.tt/1pVBCc9

http://ift.tt/1ES4T5l

http://ift.tt/1FYh2l5

http://ift.tt/1DnfFeK



from Trend Micro Simply Security http://ift.tt/1ES4Q9J
via IFTTT