Saturday, July 30, 2016

Hillary Clinton's Presidential Campaign also Hacked in Attack on Democratic Party


There's a lot more to come from the DNC Hack.

The Associated Press confirmed yesterday that the computer systems used by Hillary Clinton's presidential campaign were hacked as part of the recent Democratic National Convention (DNC) hack.

Last week's email dump, containing almost 20,000 emails from top DNC officials, was just the beginning: it led DNC Chairwoman Debbie Wasserman Schultz to resign as the group's leader, and WikiLeaks announced that it was part one of its new Hillary Leaks series.

This suggests WikiLeaks founder Julian Assange has more data from the DNC hack that, according to him, could eventually result in the arrest of Hillary Clinton.

Assange — Wikileaks' Next Leak will lead to Arrest of Hillary Clinton

In an interview with Robert Preston of ITV last month, Assange made it clear that he hopes to harm Hillary Clinton's chances of becoming president of the United States, opposing her candidacy on both policy and personal grounds.

Assange also stressed that he had "a lot more material" about Clinton's presidential campaign that could possibly provide enough evidence for the indictment of Hillary Clinton.

Now that it has been reported that the computer systems used by Clinton's presidential campaign were breached as part of the DNC hack, one could guess this could be the next release in the Hillary Leaks series by Assange.

According to federal law enforcement officials and some cybersecurity experts, the DNC hack is believed to be an attempt by the Russian intelligence services to influence the presidential election.

U.S. intelligence agencies have reportedly concluded that the Russian government was behind the theft of the DNC emails and documents, although it's unclear whether the attack was fairly routine espionage or an effort to manipulate the presidential election.

DNC Hack Malware Based Upon Chinese Open-Source Tool

Even security firm CrowdStrike, which first investigated the DNC hack, said that the group that hacked into the DNC servers in April 2016 was engaged in extensive political and economic espionage to benefit the Russian government and was closely linked to Russia's powerful and highly capable intelligence services.

According to the firm, the Fancy Bear APT (also known as APT28 and Pawn Storm) used a piece of malware called X-Tunnel to steal data from the system without being detected.

Most recently, security firm Invincea also released its own report, saying X-Tunnel was used to steal the data from the DNC servers, but since the malware appeared to be a repurposed open-source tool from a Chinese company, the firm neither supported nor refuted "the Russian origins of the XTunnel binary."

The F.B.I. said in a statement that it "is aware of media reporting on cyber intrusions involving multiple political entities, and is working to determine the accuracy, nature, and scope of these matters."

Democratic Party Hack Influences the Presidential Election

We still have to accept the fact that someone is attacking America's computer systems in an attempt to influence the presidential election.

So this kind of politically motivated attack can become even worse in November — at the time of voting.

Security expert Bruce Schneier stressed that since Clinton's computer systems could be targeted as part of the DNC attack, it is possible that America's election systems and voting machines could also be vulnerable to a similar attack.

"We need to secure our election systems before autumn," says Schneier via the Washington Post. "If Putin's government has already used a cyber attack to attempt to help Trump win, there's no reason to believe he won't do it again — especially now that Trump is inviting the 'help.'"

Since more and more states have moved to electronic voting machines and Internet voting over the past years, they have opened a way for hackers to manipulate these systems.

Schneier suggests the government "create tiger teams to test the machines' and systems' resistance to attack, drastically increase their cyber-defenses" and, if it cannot guarantee their security online, take them offline.



from The Hacker News http://ift.tt/2aRGDUI

Best Password Manager — For Windows, Linux, Mac, Android, iOS and Enterprise


When it comes to safeguarding your Internet security, installing antivirus software or running a Secure Linux OS on your system does not mean you are safe from all kinds of cyber-threats.

Today the majority of Internet users are vulnerable to cyber attacks, not because they aren't using the best antivirus software or other security measures, but because they are using weak passwords to secure their online accounts.

Passwords are your last line of defense against online threats. Just look back at some recent data breaches and cyber attacks, including the high-profile data breach at OPM (United States Office of Personnel Management) and the extra-marital affair site Ashley Madison, which led to the exposure of hundreds of millions of records online.

Although you cannot control data breaches, it is still important to create strong passwords that can withstand dictionary and brute-force attacks.

You see, the longer and more complex your password is, the harder it is to crack.

How to Stay Secure Online?

Security researchers have always advised online users to create long, complex and different passwords for their various online accounts. So, if one site is breached, your other accounts on other websites are secure enough from being hacked.

Ideally, your strong password should be at least 16 characters long and should contain a combination of digits, symbols, uppercase letters and lowercase letters; most importantly, the most secure password is one you don't even know.

The password should be free of repetition and not contain any dictionary word, pronoun, your username or ID, and any other predefined letter or number sequences.

I know it is a real pain to memorize such complex password strings, and unless we are human supercomputers, remembering different passwords for several online accounts is not an easy task.

The issue is that today people subscribe to a lot of online sites and services, and it's usually hard to create and remember different passwords for every single account.

But luckily, to make this whole process easy, there's a growing market for password managers for PCs and phones that can significantly reduce your password-memorizing burden, along with curing your bad habit of setting weak passwords.

What is Password Manager?

Password manager software has come a very long way in the past few years and is an excellent system that both lets you create complex passwords for different sites and remembers them for you.

A password manager is just software that creates, stores and organizes all your passwords for your computers, websites, applications and networks.

Password managers that generate passwords and double as form fillers are also available on the market, with the ability to enter your username and password automatically into login forms on websites.

So, if you want super secure passwords for your multiple online accounts, but you do not want to memorize them all, Password Manager is the way to go.

How does a Password Manager work?

Typically, password manager software works by generating long, complex, and, most importantly, unique password strings for you, and then storing them in encrypted form to protect the confidential data from hackers with physical access to your PC or mobile device.

The encrypted file is accessible only through a master password. So, all you need to do is remember just one master password to open your password manager or vault and unlock all your other passwords.

However, you need to make sure your master password is extra secure, at least 16 characters long.
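As an added example (not code from the article or from any of the products it lists), the Python script below does the two things described above that a password manager does behind the scenes: it generates a password that satisfies the article's policy (at least 16 characters; digits, symbols, upper- and lower-case letters; no repetition, dictionary word, username or predictable sequence) from the operating system's CSPRNG, and it stretches a master password into a 32-byte key, the size of an AES-256 key, with PBKDF2-HMAC-SHA256 and a random salt. The repetition threshold, the sequence list and the iteration count are assumptions made here, not values from the article, and the AES encryption of the vault with the derived key is not shown.

```python
import hashlib
import secrets
import string

# Character classes the article's policy asks for: digits, symbols, upper- and lower-case letters.
CLASSES = {
    "digit": string.digits,
    "symbol": string.punctuation,
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
}
ALPHABET = "".join(CLASSES.values())

# Runs treated as "predefined sequences" (assumed list, not from the article).
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl")


def policy_violations(password, username="", dictionary=()):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < 16:
        problems.append("shorter than 16 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name} character")
    # "free of repetition": the same character three or more times in a row (assumed threshold)
    if any(password[i] == password[i + 1] == password[i + 2] for i in range(len(password) - 2)):
        problems.append("repeated run of characters")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains username")
    for word in dictionary:
        if word.lower() in lowered:
            problems.append(f"contains dictionary word {word!r}")
    for seq in SEQUENCES:
        if any(seq[i:i + 4] in lowered for i in range(len(seq) - 3)):
            problems.append(f"contains a run from {seq[:4]}...")
            break
    return problems


def generate_password(length=20, username="", dictionary=()):
    """Draw characters from the OS CSPRNG (secrets, never random.random()) until a
    candidate satisfies the policy. Retries are rare for length >= 16."""
    if length < 16:
        raise ValueError("policy minimum is 16 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate, username, dictionary):
            return candidate


def derive_vault_key(master_password, salt, iterations=600_000):
    """Stretch the master password into a 32-byte key (the AES-256 key size) with
    PBKDF2-HMAC-SHA256. The salt is random per vault and stored next to the
    ciphertext; the iteration count is an assumed, deliberately slow value."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


if __name__ == "__main__":
    pw = generate_password(20, username="alice", dictionary=("password", "alice"))
    print("generated:", pw, "violations:", policy_violations(pw))
    print("weak example:", policy_violations("Alice1234", username="alice"))
    salt = secrets.token_bytes(16)  # fresh per vault; keep it with the encrypted file
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key (hex):", key.hex())
```

The point of the salt and the high iteration count is that an attacker who copies the encrypted vault must pay the same slow derivation for every master-password guess; this is what makes a 16-character master password hold up against offline brute force.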

I've long recommended password managers, but most of our readers always ask:

  • Which password manager is best?
  • Which password manager is the most secure? Help!

So, today I'm introducing you to some of the best password managers currently available for various devices and platforms.

Best Password Managers for Windows

Windows users are most vulnerable to cyber attacks because the Windows operating system has always been the favorite target of hackers. So, it is important for Windows users to use a good password manager.

Some other good password managers for Windows: Keeper, Password Safe, LockCrypt, 1Password, and Dashlane.

LastPass Password Manager

LastPass is one of the best password managers for Windows users, and it also comes with extensions, mobile apps, and even desktop apps for all major browsers and operating systems.

LastPass is an incredibly powerful cloud-based password manager software that encrypts your personal info and accounts' passwords with AES-256 bit encryption and even offers a variety of two-factor authentication options in order to ensure no one else can log into your password vault.

LastPass Password Manager comes in a free version as well as a premium version with fingerprint reader support.

Download LastPass Password Manager: Windows, Mac, and Linux | iOS | Android

KeePass Password Manager

Although LastPass is one of the best password managers, some people are not comfortable with a cloud-based password manager.

KeePass is a popular password manager application for Windows, but there are browser extensions and mobile apps for KeePass as well.

KeePass password manager for Windows stores your accounts' passwords on your PC, so you remain in control of them, or on Dropbox, so you can access them from multiple devices.

KeePass encrypts your passwords and login info using the most secure encryption algorithms currently known: AES 256-bit encryption by default, or optionally Twofish 256-bit encryption.

KeePass is not just free, but it is also open source, which means its code and integrity can be examined by anyone, adding a degree of confidence.

Download KeePass Password Manager: Windows and Linux | Mac | iOS | Android

RoboForm Password Manager

You can easily find good password managers for Windows OS, but RoboForm Free Password Manager software goes a step further.

Besides creating complex passwords and remembering them for you, RoboForm also offers a smart form filler feature to save your time while browsing the Web.

RoboForm encrypts your login info and accounts' passwords using military-grade AES encryption with a key that is derived from your RoboForm Master Password.

RoboForm is available for browsers like Internet Explorer, Chrome, and Firefox as well as mobile platforms with apps available for iOS, Android, and Windows Phone.

Download RoboForm Password Manager: Windows and Mac | Linux | iOS | Android

Best Password Managers for Mac OS X

People often say that Mac computers are more secure than Windows and that "Macs don't get viruses," but it is not entirely correct.

As proof, you can read our previous articles on cyber attacks against Mac and iOS users, and then decide for yourself whether you need a password manager or not.

Some other good password managers for Mac OS X: 1Password, Dashlane, LastPass, OneSafe, PwSafe.

LogMeOnce Password Manager

LogMeOnce Password Management Suite is one of the best password managers for Mac OS X, and it also syncs your passwords across Windows, iOS, and Android devices.

LogMeOnce is one of the best premium and enterprise password management products, offering a wide variety of features and options, including a Mugshot feature.

If your phone is ever stolen, LogMeOnce's Mugshot feature tracks the location of the thief and also secretly takes a photo of the intruder when they try to gain access to your account without permission.

LogMeOnce protects your passwords with military-grade AES-256 encryption technology and offers two-factor authentication to ensure that even with the master password in hand, a thief cannot get into your account.

Download LogMeOnce Password Manager: Windows and Mac | iOS | Android

Keeper Password Manager

Keeper is a secure, easy-to-use and robust password manager for your Mac, iPhone, iPad, and iPod devices.

Using military-grade 256-bit AES encryption, Keeper password manager keeps your data safe from prying eyes.

It has a secure digital vault for protecting and managing your passwords, as well as other secret information. The Keeper password manager application supports two-factor authentication and is available for every major operating system.

There is also an important security feature, called Self-destruct, which, if enabled, will delete all records from your device if the incorrect master password is entered more than five times.

But you don't need to worry, as this action will not delete the backup records stored in Keeper's Cloud Security Vault.

Download Keeper Password Manager: Windows, Linux and Mac | iOS | Android | Kindle

Apple iCloud Keychain

Apple introduced the iCloud Keychain password management system as a convenient way to store and automatically sync all your login credentials, Wi-Fi passwords, and credit card numbers securely across your approved Apple devices, including Mac OS X, iPhone, and iPad.

Your Secret Data in Keychain is encrypted with 256-bit AES (Advanced Encryption Standard) and secured with elliptic curve asymmetric cryptography and key wrapping.

Also, iCloud Keychain generates new, unique and strong passwords for you to use to protect your computer and accounts.

Major limitation: Keychain doesn't work with browsers other than Apple Safari.

Also Read: How to Setup iCloud Keychain?

Best Password Managers for Linux

No doubt, some Linux distributions are among the safest operating systems in existence, but as I said above, adopting Linux doesn't completely protect your online accounts from hackers.

There are a number of cross-platform password managers available that sync all your accounts' passwords across all your devices, such as LastPass, KeePass, RoboForm password managers.

Here below I have listed two popular and secure open source password managers for Linux:

EnPass Password Manager

Enpass is an excellent security-oriented Linux password manager that works perfectly on other platforms too. Enpass lets you back up and restore stored passwords with third-party cloud services, including Google Drive, Dropbox, OneDrive, or OwnCloud.

It provides a high level of security and protects your data with a master password, encrypting it with 256-bit AES using the open-source encryption engine SQLCipher before uploading a backup to the cloud.

"We do not host your Enpass data on our servers. So, no signup is required for us. Your data is only stored on your device," EnPass says.

Additionally, by default, Enpass locks itself every minute when you leave your computer unattended and clears clipboard memory every 30 seconds to prevent your passwords from being stolen by any other malicious software.

Download EnPass Password Manager: Windows, Linux | Mac | iOS | Android

SpiderOak Encryptr Password Manager

SpiderOak's Encryptr Password Manager is a zero-knowledge cloud-based password manager that encrypts and protects your passwords using the Crypton JavaScript framework, developed by SpiderOak and recommended by Edward Snowden.

It is a cross-platform, open-source and free password manager that uses end-to-end encryption and works perfectly on Ubuntu, Debian, Linux Mint, and other Linux distributions.

The Encryptr application itself is very simple and comes with some basic features.

Encryptr lets you encrypt three types of entries: passwords, credit card numbers and general text/keys.

Download Encryptr Password Manager: Windows, Linux and Mac | iOS | Android

Best Password Manager for Android

More than half of the world's population today is using Android devices, so it becomes necessary for Android users to secure their online accounts from hackers who are always seeking access to these devices.

Some of the best Password Manager apps for Android include 1Password, Keeper, DashLane, EnPass, OneSafe, mSecure and SplashID Safe.

1Password Password Manager

1Password Password Manager app for Android is one of the best apps for managing all your accounts' passwords.

1Password password manager app creates strong, unique and secure passwords for every account, remembers them all for you, and logs you in with just a single tap.

1Password secures your logins and passwords with AES-256 encryption, and syncs them to all of your devices via your Dropbox account or stores them locally for any other application to sync if you choose.

Recently, the Android version of the 1Password app added fingerprint support for unlocking all of your passwords instead of using your master password.

Download 1Password Password Manager: Windows and Mac | iOS | Android

Dashlane Password Manager

Dashlane Password Manager software is a little newer, but it offers great features for almost every platform.

The Dashlane app for Android gives you secure password management tools right on your Android phone: a password vault and a form auto-filler for online stores and other sites.

The Dashlane app for Android is completely free to use on a single device; for access from multiple devices, you can buy the premium version of the app.

DashLane password manager works by encrypting your personal info and accounts' passwords with AES-256 encryption on a local machine, and then syncs your details with its online server, so that you can access your accounts database from anywhere.

The best part of DashLane is that it has an automatic password changer that can change your accounts' passwords for you without having to deal with it yourself.

Download Dashlane Password Manager: Windows and Mac | iOS | Android

mSecure Password Manager

Like other popular password manager solutions, mSecure Password Manager for Android automatically generates secure passwords for you and stores them using 256-bit Blowfish encryption.

The catchy and unique feature mSecure provides is its ability to self-destruct the database after 5, 10, or 20 failed attempts (as per your preference) to input the right password.

You can also sync all of your devices with Dropbox, or via a private Wi-Fi network. In either case, all your data is transmitted safely and securely between devices regardless of the security of your cloud account.

Download mSecure Password Manager software: Windows and Mac | iOS | Android

Best Password Manager for iOS

As I said, Apple's iOS is also prone to cyber attacks, so you can use some of the best password manager apps for iOS to secure your online accounts, including Keeper, OneSafe, Enpass, mSecure, LastPass, RoboForm, SplashID Safe and LoginBox Pro.

OneSafe Password Manager

OneSafe is one of the best Password Manager apps for iOS devices that lets you store not only your accounts' passwords but also sensitive documents, credit card details, photos, and more.

OneSafe password manager app for iOS encrypts your data behind a master password, with AES-256 encryption — the highest level available on mobile — and Touch ID. There is also an option for additional passwords for given folders.

OneSafe password manager for iOS also offers an in-app browser that supports autofill of logins, so that you don't need to enter your login details every time.

Besides this, OneSafe also provides advanced security for your accounts' passwords with features like auto-lock, intrusion detection, self-destruct mode, decoy safe and double protection.

Download OneSafe Password Manager: iOS | Mac | Android | Windows

SplashID Safe Password Manager

SplashID Safe is one of the oldest and best password manager tools for iOS that allows users to securely store their login data and other sensitive information in an encrypted record.

All your information, including website logins, credit card and social security data, photos and file attachments, is protected with 256-bit encryption.

The SplashID Safe app for iOS also provides a web autofill option, meaning you will not have to bother copy-pasting your passwords at login.

The free version of SplashID Safe app comes with basic record storage functionality, though you can opt for premium subscriptions that provide cross-device syncing among other premium features.

Download SplashID Safe Password Manager: Windows and Mac | iOS | Android

LoginBox Pro Password Manager

LoginBox Pro is another great password manager app for iOS devices. The app provides single-tap login to any website you visit, making it the safest and fastest way to sign in to password-protected internet sites.

The LoginBox app for iOS combines a password manager with a browser.

From the moment you download it, all your login actions, including entering information, tapping buttons, checking boxes, or answering security questions, are completed automatically by the LoginBox app.

For security, LoginBox uses hardware-accelerated AES encryption and a passcode to encrypt your data, and saves it on your device itself.

Download LoginBox Password Manager: iOS | Android

Best Online Password Managers

Using an online password manager tool is the easiest way to keep your personal and private information safe and secure from hackers and people with malicious intent.

Here I have listed some of the best online password managers that you can rely on to keep yourself safe online:

Google Online Password Manager

Did you know Google has its homebrew dedicated password manager?

Google Chrome has a built-in password manager tool that offers you an option to save your password whenever you sign in to a website or web service using Chrome.

All of your stored accounts' passwords are synced with your Google Account, making them available across all of your devices using the same Google Account.

Chrome password manager lets you manage all your accounts' passwords from the Web.

So, if you prefer using a different browser, like Microsoft Edge on Windows 10 or Safari on iPhone, just visit passwords.google.com, and you'll see a list of all the passwords you have saved with Chrome. Google's two-factor authentication protects this list.

Clipperz Online Password Manager

Clipperz is a free, cross-platform online password manager that does not require you to download any software. Clipperz uses a bookmarklet or sidebar to create and use direct logins.

Clipperz also offers an offline version of its software that allows you to download your passwords to an encrypted disk or a USB drive, so you can take them with you while traveling and access your accounts' passwords when you are offline.

Some features of Clipperz also include a password strength indicator, application locking, SSL secure connections, one-time passwords and a password generator.

Clipperz can work on any computer that runs a browser with JavaScript enabled.

Passpack Online Password Manager

Passpack is an excellent online password manager with a competitive collection of features that creates, stores and manages passwords for your different online accounts.

Passpack also allows you to share your passwords safely with your family or coworkers, managing multiple projects, team members, clients, and employees easily.

Your usernames and passwords for different accounts are encrypted with AES-256 encryption on Passpack's servers, so that even hackers with access to its servers cannot read your login information.

Download the PassPack online password manager toolbar to your web browser and navigate the web normally. Whenever you log into any password-protected site, PassPack saves your login data so that you do not have to save your username and password manually on its site.

Best Enterprise Password Manager

Over the course of the last 12 months, we've seen some of the biggest data breaches in the history of the Internet, and year over year the growth is heating up.

According to statistics, a majority of employees don't even know how to protect themselves online, which puts a company's business at risk.

To keep the password-sharing mechanism secure in an organization, there exist some password management tools specially designed for enterprise use, such as Vaultier, CommonKey, Meldium, PassWork, and Zoho Vault.

Meldium Enterprise Password Manager Software

LogMeIn's Meldium password management tool comes with a one-click single sign-on solution that helps businesses access web apps securely and quickly.

It automatically logs users into apps and websites without their typing usernames and passwords, and also tracks password usage within your organization.

Meldium is perfect for sharing accounts among your team members without sharing the actual password, which helps organizations protect themselves from phishing attacks.

Zoho Vault Password Management Software

Zoho Vault is one of the best password managers for enterprise users; it helps your team share passwords and other sensitive information quickly and securely while monitoring each user's usage.

All your team members need to download is the Zoho browser extension. Zoho Vault password manager will automatically fill passwords from your team's shared vault.

Zoho Vault also provides features that let you monitor your team's password usage and security level so that you can know who is using which login.

The Zoho Vault enterprise-level package even alerts you whenever a password is changed or accessed.

For Extra Security, Use 2-Factor Authentication

No matter how strong your password is, there still remains a possibility that hackers will find one way or another to break into your account.

Two-factor authentication is designed to fight this issue. Instead of just one password, it requires you to enter a second passcode, which is sent either to your mobile number via SMS or to your email address.

So, I recommend you enable two-factor authentication now, along with using password manager software, to secure your online accounts and sensitive information from hackers.

Note: Once adopted, start relying on your password manager, because if you are still using weak passwords for your important online accounts, nobody can save you from malicious hackers.
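The sent-passcode mechanism described in the two-factor authentication section above, as an added example that is not part of the original article and does not come from any product it lists: a small server-side store that issues a six-digit code from the OS CSPRNG, hands it to whatever sends the SMS or e-mail, and accepts it only while it is unexpired, unused and under the guess limit. The five-minute lifetime and the attempt limit are assumed values; the injectable clock exists only so the expiry logic can be exercised without sleeping.

```python
import hmac
import secrets
import time


class SecondFactorCodes:
    """Issue and verify the short-lived second passcode that a site sends by SMS or e-mail.

    Time-to-live and attempt limit are assumed values, not from the article.
    """

    def __init__(self, ttl_seconds=300, max_attempts=5, clock=time.time):
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock
        self._pending = {}  # user -> [code, issued_at, failed_attempts]

    def issue(self, user):
        """Create a uniform six-digit code from the OS CSPRNG and remember it for the user.
        The caller hands the returned code to the SMS or e-mail sender; it is never logged."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = [code, self._clock(), 0]
        return code

    def verify(self, user, submitted):
        """True only if the submitted code matches a live, unexpired, not-yet-used code.
        A wrong guess burns an attempt; too many wrong guesses or expiry void the code."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, issued_at, failed = entry
        if self._clock() - issued_at > self._ttl or failed >= self._max_attempts:
            del self._pending[user]
            return False
        # Constant-time comparison so response timing does not leak how many digits matched.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[user]  # single use: the same code can never be replayed
            return True
        entry[2] += 1
        return False


if __name__ == "__main__":
    store = SecondFactorCodes()
    code = store.issue("alice")          # in practice this goes to the SMS/e-mail sender
    print("wrong code accepted?", store.verify("alice", "000000" if code != "000000" else "111111"))
    print("right code accepted?", store.verify("alice", code))
    print("replay accepted?", store.verify("alice", code))
```

The guess limit matters because a six-digit code has only a million possibilities; without it, an attacker who already has the password could simply try codes until the window closes.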



from The Hacker News http://ift.tt/2a6Wimf

Friday, July 29, 2016

NIST blog clarifies SMS deprecation in wake of media tailspin

IBM Security Bulletin: SQL Server Password Disclosure via IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server and IBM Tivoli Storage FlashCopy Manager for Microsoft SQL Server (CVE-2016-3059)

When using IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server or IBM Tivoli Storage FlashCopy Manager for Microsoft SQL Server, the Microsoft SQL Server’s user ID and password is presented in plain text via task completion status details available within the MMC GUI’s Task List view.

CVE(s): CVE-2016-3059

Affected product(s) and affected version(s):

The following levels of IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server (IBM Spectrum Protect for Databases) are affected:

  • 6.4.0.0 through 6.4.1.8
  • 6.3.0.0 through 6.3.1.6

The following levels of IBM Tivoli Storage FlashCopy Manager for Microsoft SQL Server (IBM Spectrum Protect Snapshot) are affected:

  • 3.2.0.0 through 3.2.1.8
  • 3.1.0.0 through 3.1.1.6

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2aj3jLQ
X-Force Database: http://ift.tt/2ajVUPL



from IBM Product Security Incident Response Team http://ift.tt/2aj2S46

IBM Security Bulletin: IBM® SDK for Node.js™ in IBM Bluemix may be affected by CVE-2016-1669

Buffer overflow in the Google V8 JavaScript implementation used by IBM SDK for Node.js

CVE(s): CVE-2016-1669

Affected product(s) and affected version(s):

These vulnerabilities affect IBM SDK for Node.js v1.1.1.2 and previous releases.
These vulnerabilities affect IBM SDK for Node.js v1.2.0.13 and previous releases.
These vulnerabilities affect IBM SDK for Node.js v4.4.5.0 and previous releases.
These vulnerabilities affect IBM SDK for Node.js v6.1.0.0 and previous releases.
The corresponding open-source versions are v0.10.45, v0.12.14 and v4.4.5, respectively.

To check which version of the Node.js runtime your Bluemix application is using, navigate to the "Files" menu item for your application through the Bluemix UI. In the "logs" directory, check the "staging_task.log".

You can also find this file through the command-line Cloud Foundry client by running the following command:

cf files <appname> logs/staging_task.log

Look for the following lines:

—–> IBM SDK for Node.js Buildpack _______

If the Node.js engine version is not v0.10.46, v0.12.15 or v4.4.6, your application may be vulnerable.
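The version check described in the bulletin, as an added example that is not IBM's code: a Python snippet that pulls the engine version out of a copy of staging_task.log (for instance the output of the `cf files` command above, saved to a file) and classifies it against the three fixed releases the bulletin names. The exact layout of the buildpack line is an assumption, so the sample log below is constructed, and the parser simply takes the last three-part vX.Y.Z token on any line mentioning Node.js; a series the bulletin lists no fix for (such as the v6 line) is reported as needing review rather than guessed at.

```python
import re

# Fixed Node.js engine versions named in the bulletin, keyed by release series.
FIXED = {
    "0.10": (0, 10, 46),
    "0.12": (0, 12, 15),
    "4": (4, 4, 6),
}


def parse_version(text):
    """'v4.4.5' -> (4, 4, 5); raises ValueError on anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a Node.js version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Classify an engine version against the bulletin's fixed releases.

    'fixed'      - exactly one of the fixed versions
    'vulnerable' - older than the fixed version for its series
    'review'     - newer than the listed fix, or a series the bulletin lists no fix for
    """
    major, minor, patch = parse_version(version)
    series = f"0.{minor}" if major == 0 else str(major)
    fixed = FIXED.get(series)
    if fixed is None:
        return "review"
    if (major, minor, patch) == fixed:
        return "fixed"
    return "vulnerable" if (major, minor, patch) < fixed else "review"


def engine_version_from_log(log_text):
    """Pick the last three-part vX.Y.Z token on a line that mentions Node.js.
    A buildpack tag such as v3.2-... has no third component, so it is skipped.
    Returns None when no such token is present."""
    found = None
    for line in log_text.splitlines():
        if "Node.js" in line:
            tokens = re.findall(r"\bv\d+\.\d+\.\d+\b", line)
            if tokens:
                found = tokens[-1]
    return found


# Constructed sample of a staging_task.log; the line layout is an assumption, not IBM's format.
SAMPLE_LOG = """\
-----> IBM SDK for Node.js Buildpack v3.2-20160615-1500
-----> Installing IBM SDK for Node.js v4.4.5
-----> Installing dependencies
"""

if __name__ == "__main__":
    ver = engine_version_from_log(SAMPLE_LOG)
    print(ver, "->", assess(ver))  # the constructed sample is older than v4.4.6
```

Run it against a real log by reading the file into `engine_version_from_log` instead of `SAMPLE_LOG`; a "review" result means the version is outside what the bulletin lists and should be checked against the source bulletin by hand.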

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2aj2oek
X-Force Database: http://ift.tt/29qowH9



from IBM Product Security Incident Response Team http://ift.tt/2aj2zGp

IBM Security Bulletin: IBM Financial Transaction Manager for Corporate Payment Services open source Apache Struts Vulnerabilities (CVE-2016-1181 CVE-2016-1182)

IBM Financial Transaction Manager for Corporate Payment Services open source Apache Struts Vulnerabilities (CVE-2016-1181 CVE-2016-1182)

CVE(s): CVE-2016-1181, CVE-2016-1182

Affected product(s) and affected version(s):

– FTM for CPS v2.1.1.0, v2.1.1.1, v2.1.1.2, v2.1.1.3

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2ajVRDo
X-Force Database: http://ift.tt/2974C3a
X-Force Database: http://ift.tt/29tkNpV



from IBM Product Security Incident Response Team http://ift.tt/2aj3vL5

IBM Security Bulletin: FileNet Workplace can be affected by the Open Redirection Vulnerability (CVE-2016-3047)

FileNet Workplace is susceptible to the Open Redirection Vulnerability.

CVE(s): CVE-2016-3047

Affected product(s) and affected version(s):

FileNet Workplace 4.0.2

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2ajVeK8
X-Force Database: http://ift.tt/2aj37wl



from IBM Product Security Incident Response Team http://ift.tt/2ajW3Td

IBM Security Bulletin: Fix available for Cross Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2016-2925)

Fix available for Cross Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2016-2925)

CVE(s): CVE-2016-2925

Affected product(s) and affected version(s):

WebSphere Portal 8.5
WebSphere Portal 8.0
WebSphere Portal 7
WebSphere Portal 6.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2acjRen
X-Force Database: http://ift.tt/2aj4Wcg



from IBM Product Security Incident Response Team http://ift.tt/2ajVEAi

IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM PureApplication System. (CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109)

OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by IBM PureApplication System. IBM PureApplication System has addressed the applicable CVEs.

CVE(s): CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109

Affected product(s) and affected version(s):

IBM PureApplication System V2.2
IBM PureApplication System V2.1
IBM PureApplication System V2.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2aj2UZT
X-Force Database: http://ift.tt/1NwOPLs
X-Force Database: http://ift.tt/25myFMu
X-Force Database: http://ift.tt/1NwOQz5
X-Force Database: http://ift.tt/1VjTr9i
X-Force Database: http://ift.tt/1Z0wO8Z



from IBM Product Security Incident Response Team http://ift.tt/2ajVCIs

IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Workload Deployer (CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109)

OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by IBM Workload Deployer. IBM Workload Deployer has addressed the applicable CVEs.

CVE(s): CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109

Affected product(s) and affected version(s):

IBM Workload Deployer version 3.1 and later

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2aj3whZ
X-Force Database: http://ift.tt/1NwOPLs
X-Force Database: http://ift.tt/25myFMu
X-Force Database: http://ift.tt/1VjTr9i
X-Force Database: http://ift.tt/1Z0wO8Z



from IBM Product Security Incident Response Team http://ift.tt/2ajW5dJ

IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways

SSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. IBM DataPower Gateways has addressed the applicable CVEs.

CVE(s): CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176

Affected product(s) and affected version(s):

IBM DataPower Gateways all versions through 7.0.0.13, 7.1.0.10, 7.2.0.6, 7.5.0.1 and 7.5.1.0.

CVE-2016-2018 affects only versions through 7.0.0.13 and 7.1.0.10.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2ajWpZS
X-Force Database: http://ift.tt/1VjTr9i
X-Force Database: http://ift.tt/1NwOQz5
X-Force Database: http://ift.tt/1NwOPLs
X-Force Database: http://ift.tt/25myFMu
X-Force Database: http://ift.tt/1Z0wO8Z
X-Force Database: http://ift.tt/25mym4p



from IBM Product Security Incident Response Team http://ift.tt/2aj2dQr

IBM Security Bulletin: Vulnerabilities in OpenSSL affect WebSphere Cast Iron Cloud integration

OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by WebSphere Cast Iron Cloud integration, which has addressed the applicable CVEs.

CVE(s): CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176

Affected product(s) and affected version(s):

This vulnerability affects all versions of the product:
WebSphere Cast Iron v 7.5.x
WebSphere Cast Iron v 7.0.0.x
WebSphere Cast Iron v 6.4.0.x
WebSphere Cast Iron v 6.3.0.x
WebSphere Cast Iron v 6.1.0.x

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2aj2OkS
X-Force Database: http://ift.tt/1VjTr9i
X-Force Database: http://ift.tt/1NwOQz5
X-Force Database: http://ift.tt/1NwOPLs
X-Force Database: http://ift.tt/25myFMu
X-Force Database: http://ift.tt/1Z0wO8Z
X-Force Database: http://ift.tt/25mym4p



from IBM Product Security Incident Response Team http://ift.tt/2ajVQPN

IBM Security Bulletin: IBM QRadar SIEM and Incident Forensics relies on an untrusted input. (CVE-2016-2881)

The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

CVE(s): CVE-2016-2881

Affected product(s) and affected version(s):

· IBM QRadar SIEM 7.2.n
· IBM QRadar SIEM 7.1.n
· IBM QRadar Incident Forensics 7.2.n

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2aj2UsZ
X-Force Database: http://ift.tt/2ajVUz8



from IBM Product Security Incident Response Team http://ift.tt/2aj2tPl

Introducing executive dashboards in CTA

FBI investigate US political party hacks, Russian ties

Cleaning up after cyber attacks is good, but deterring attackers is better

Pwnie Express makes IoT, Android security arsenal open source

Getting caught using a VPN in the UAE will cost you over $500,000

Must-have mobile apps to encrypt your texts and calls


Silent Phone is one of several encrypted communication services offered by Silent Circle, the developer behind the Blackphone security-focused smartphone range.

Silent Phone is a subscription-based service which harnesses end-to-end encryption with the keys held by the subscriber rather than the company, and so no government eyes can snoop on your calls. The service also offers secure conference calls, messaging and file transfers.

Via: Silent Circle



from Latest Topic for ZDNet in... http://ift.tt/2aBV1nC

Brazil Freezes $11.7 Million of Facebook Funds for Not Complying with Court Orders


Facebook's legal war with Brazilian government seems to be never-ending.

Facebook-owned cross-platform messaging service WhatsApp has already been blocked three times in Brazil since December for failing to comply with court orders asking the company to provide access to WhatsApp data relevant to criminal investigations.

But, now the Brazilian government has taken an even tougher step.

On Wednesday, the public federal prosecutor in the Brazilian state of Amazonas said the court froze 38 Million real (US $11.7 Million) of funds held in Facebook's bank account, Reuters reports.

The prosecutor has said that the decision to freeze Facebook funds was made after the social media giant failed to comply with the court order to hand over data of WhatsApp users who are under criminal investigation.

Since WhatsApp communications are end-to-end encrypted, even the company would not be able to access any message exchanged between users.

Facebook representatives weren't immediately available for comment on the recent decision by the Brazilian court.

Previously, when WhatsApp was blocked in Brazil, a WhatsApp spokesman said in a statement:

"In recent months, people from all across Brazil have rejected judicial blocks of services like WhatsApp. Indiscriminate steps like these threaten people's ability to communicate, to run their businesses, and to live their lives. As we have said in the past, we cannot share information we don't have access to."

The court case between the Brazilian government and Facebook has been long-running now.

The court has previously banned WhatsApp for three days, but the most recent ban came last week when Brazilian judge Daniela Barbosa ordered the telecom operators to shut down WhatsApp nationwide. A few hours later, Brazil's supreme court suspended the ruling.

In March, Judge Marcel Maia Montalvão of Sergipe state ordered the incarceration of a Facebook executive for not turning over data from a WhatsApp account tied to a drug-trafficking investigation.

Facebook Vice President Diego Jorge Dzodan was arrested on his way to work in São Paulo and jailed, but subsequently released the next day.



from The Hacker News http://ift.tt/2agaMMK

Kaspersky Lab presents new versions of its flagship consumer security solutions with enhanced data protection features

Kaspersky Lab has presented the new versions of its flagship security solutions Kaspersky Internet Security and Kaspersky Total Security, which provide users with additional opportunities to manage their Internet protection and to ensure their data safety. 

Kaspersky Evolution 2016

Kaspersky Internet Security and Kaspersky Total Security are security solutions for the whole family; they protect Windows, Mac, and Android users against malware, dangerous sites, online tracking, fraud and money theft. 

This year Kaspersky Lab products for Windows have integrated several new functions. Now users can protect their data from being intercepted during an unsafe Internet connection with the help of Secure Connection. In addition, they can patch potential "holes" in their device security with Software Updater and Software Cleaner. 

"At Kaspersky Lab we believe that IT security is not only about the effectiveness of a security solution. It is also about the user’s own cyber savviness. Cyber savvy people behave carefully and watchfully online, and they are also ready to apply the latest technological achievements to protect what is most important for them – whether that’s personal information, files, privacy, their devices or peace of mind for their family members. We are striving to offer the user these possibilities with each new version of our solutions", commented Elena Kharchenko, Head of Consumer Product Management, Kaspersky Lab. 

Secure Connection 

Secure Connection allows users to connect to the Internet safely by encrypting all data sent and received through the network. This is especially important when performing financial operations, logging in to sites, or transferring confidential information, as in these cases traffic interception by a stranger could cause users serious (for example, financial) losses.

This function is especially useful while traveling, when many people connect to insecure Wi-Fi networks to stay in touch. According to the Kaspersky Lab study, every fifth (18%) user has fallen victim to cybercriminals when traveling. This is not surprising considering the fact that – what a coincidence! – one in five (18%) travelers does not take any steps to protect themselves online. Secure Connection is now a necessary protection measure when connecting to public Wi-Fi.

The Kaspersky Lab protection component, Secure Connection, can be launched from the main window of Kaspersky Internet Security or Kaspersky Total Security. It can also be activated automatically when the device is connected to public Wi-Fi or the user is inputting confidential information online, such as on banking websites, online stores, payment systems, e-mail, social networks, etc. 

Within the security product’s license, users have 200 MB of encrypted traffic at their daily disposal, and for an additional monthly or annual fee they can get an unlimited volume of traffic.

Software Updater 

One of the common ways malware penetrates a computer is by exploiting errors (so-called vulnerabilities) in the programs installed on it. Developers regularly update their products; however, not all users install those updates on their devices. Software Updater can automatically find the applications that need to be updated and, if the user agrees, install the latest versions from vendor sites on their computer. The user can also request the update of an application manually or add any application to the list of those that should not be updated (for example, if the older version is required).

Software Cleaner 

According to the Kaspersky Lab study, 37% of users store programs that they do not use on their device. In addition to overloading the device memory, this also provides extra opportunities for cybercriminals to penetrate the system. Software Cleaner scans all applications installed on the computer and marks those posing a potential risk. Users sometimes do not even know that these applications are installed on their devices or are unaware of their negative effects.

Software Cleaner will inform users of a program if it has been installed without their awareness or clear consent (for example, as additional software during the installation of another application), or if it slows down the user’s device, provides incomplete/incorrect information about its functions, operates in the background mode, shows banners and messages without permission (e.g., advertising), or is rarely used. Upon receipt of a report from Software Cleaner, the user can either remove or leave the application in question. 

In addition to the new functions, Kaspersky Internet Security and Kaspersky Total Security have been enhanced with improved advanced technologies such as the multi-level protection of financial transactions (with Safe Money), the prevention of the installation of unwanted applications (with Application Manager, part of the former Change Control feature) and the blocking of advertising banners in the browser (with Anti-Banner).



from Corporate News http://ift.tt/2ahXyOw

Thursday, July 28, 2016

Amazon saw spike in US demands for customer data

Phishing, sophisticated attacks most troubling to IT security pros

BlackBerry's 'improved' crypto brings same security, less trust

Cybersecurity is becoming an unsustainable tax on business

Using VPN in the UAE? You'll Be Fined Up To $545,000 If You Get Caught!


If you get caught using a VPN (Virtual Private Network) in Abu Dhabi, Dubai or the broader United Arab Emirates (UAE), you could face temporary imprisonment and fines of up to $545,000 (~Dhs2 Million).

Yes, you heard that right.

Online privacy is one of the biggest challenges in today's interconnected world. Governments across the world have been found to be using the Internet to track people's information and conduct mass surveillance.

This is where VPNs and proxy servers come into play.

VPNs and proxy servers are being used by many digital activists and protesters, who are living under the most oppressive regimes, to protect their online activity from prying eyes.

However, using a VPN or proxy in the UAE could land you in serious trouble.

The UAE President Sheikh Khalifa bin Zayed Al Nahyan has issued new sovereign laws for combating cyber crimes, which include a regulation that prohibits anyone in the UAE, even travelers, from using VPNs to secure their web traffic from prying eyes.


According to the laws, anyone using a VPN or proxy server can be imprisoned and fined between $136,000 and $545,000 (Dhs500,000 and Dhs2 Million).

The laws have already been issued by the UAE President and have now been reported by the official government news service WAM.

For those unfamiliar, a Virtual Private Network (VPN) securely routes your Internet traffic through a distant connection, protecting your browsing, hiding your location data and letting you reach restricted resources.

Nowadays, VPNs have become a valuable tool not just for large companies, but also for individuals who want to dodge content restrictions and counter the growing threat of cyber attacks.

The UAE's top two telecom companies, Etisalat and Du, have banned VoIP -- the phone calling features in popular apps like WhatsApp, Viber, Facebook Messenger and Snapchat that deliver voice calls over the Internet for free -- from within the Gulf nation.


However, the many UAE residents who have used VPNs and proxies within the UAE for years to bypass the VoIP ban could soon be in trouble.

Of the two new laws issued last week, one lays out fines for anyone who uses a VPN or proxy server, local news reports. The new law regarding VPNs states:

"Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than Dhs500,000 and not exceeding Dhs2 million, or either of these two penalties."

The new move is in favor of telecom companies for whom VoIP 'over-the-top' apps have long been a major issue, as consumers no longer need to pay international calling rates to speak to their loved ones.



from The Hacker News http://ift.tt/2ak0fCN

Singapore unveils new guidelines for FSI outsourcing, cloud

QRLJacking — Hacking Technique to Hijack QR Code Based Quick Login System


Do you know that you can access your WeChat, Line and WhatsApp chats on your desktop as well, using an entirely different and much faster authentication system?

It's SQRL, or Secure Quick Response Login, a QR-code-based authentication system that allows users to quickly sign into a website without having to memorize or type in any username or password.

QR codes are two-dimensional barcodes that contain a significant amount of information such as a shared key or session cookie.

A website that implements a QR-code-based authentication system displays a QR code on the computer screen, and anyone who wants to log in scans that code with a mobile phone app.

Once the code is scanned, the site logs the user in without any username or password being typed.

Because passwords can be stolen with a keylogger, a man-in-the-middle (MitM) attack, or even a brute-force attack, QR-code login has been considered secure: the secret code is randomly generated and never revealed to anyone else.

But, no technology is immune to being hacked when hackers are motivated.

QRLJacking: Hijacking QR Code Based Login System

Information security researcher Mohamed Abdelbasset Elnouby has come up with a proof-of-concept demonstrating a new session hijacking technique that can be used to hack accounts on services that offer a "Login with QR code" feature as a secure way to log in.

Dubbed QRLJacking (or Quick Response code Login Jacking), the technique is a "simple-but-nasty attack vector" that affects all applications relying on a Login with QR code feature.

All an attacker needs to do is to convince the victim into scanning the attacker's QR code.

Here's How QRLJacking Technique Works:

Mohamed explained the complete working of the QRLJacking attack to me, along with a live demonstration, via Skype. Here's how the attack works:

  1. The attacker initializes a client-side QR session and clones the login QR code into a phishing page.
  2. The attacker then sends the phishing page to the victim.
  3. If convinced, the victim scans the QR code with the specific targeted mobile app.
  4. The mobile app sends the secret token to the target service to complete the authentication process.
  5. As a result, the attacker, who initialized the client-side QR session, gains control over the victim's account.
  6. The service then starts exchanging all of the victim's data with the attacker's browser session.

So, to carry out a successful QRLJacking attack, all an attacker needs is:

  • A QR Code Refreshing Script.
  • A well crafted Phishing Web page.

Video Demonstration: Hacking Whatsapp Account Using QRLJacking

"All the attackers need to do to initialize a successful QRLJacking attack is to write a script to regularly clone the expirable QR Codes and refresh the ones displayed on the phishing website which they created, because as we know a well implemented QR Login process should have an expiration interval for the QR codes," the explanation reads.

A successful QRLJacking attack gives an attacker the ability to carry out a full account hijacking scenario against the vulnerable QR-code-based login service, resulting in account takeover and exposure of other information such as the victim's current GPS location, device IMEI number, SIM card data and any other sensitive data the client app presents during the login process.

For in-depth details about the QRLJacking attack, you can head on to OWASP and GitHub.



from The Hacker News http://ift.tt/2ayXrUF

EU recommends outlawing backdoors, while UK pushes for them

Cybersecurity experts most wanted in Singapore

Tor inquiry: 'Sexually aggressive' Appelbaum humiliated and frightened others

PhishMe raises $42.5 million in Series C funding

Another media-stealing app found on the Google Play store

Kaspersky Lab and the Russian-Armenian University to Train IT Security Specialists


28 Jul 2016
Press Releases

Kaspersky Lab and the Russian-Armenian (Slavic) University (RAU) are introducing a new Master's program ‘Mathematical and Software Information Protection’ for the University’s existing students and applicants. The program on information security entails a two-year Master's training course that begins on September 1, 2016. Kaspersky Lab has helped RAU with the development of the MA degree program. In addition, the company's experts will teach students a number of specialized disciplines.

The official announcement of the new Master's course in information security at RAU came during the signing of a memorandum of cooperation between Kaspersky Lab and the university. During a face-to-face meeting, Eugene Kaspersky, chairman and CEO of Kaspersky Lab, and RAU rector Armen Darbinyan declared their intention to develop a mutually beneficial relationship between their two organizations and implement joint educational projects. In addition, the RAU rector officially awarded Eugene Kaspersky with an honorary doctorate of the university.

Commenting on cooperation between Kaspersky Lab and the university in establishing the new course, Mr. Darbinyan said: "Our university has always been at the forefront of training specialists in information technologies, and we continue to build capacity in this area. As of the start of the new school year a new Master's program to train specialists in the field of information security will be introduced. This is very significant not only for the university but also for the whole country, because today Armenian companies are experiencing an acute shortage of highly qualified IT security specialists. And the fact that training specialists in information security will be carried out at our university with the assistance of Kaspersky Lab, the recognized world leader in the field of cybersecurity, is a great honor for us".

In turn, Eugene Kaspersky said: "Cyberthreats are constantly evolving: they are becoming more complex, secretive and dangerous, so we should always be one step ahead of those behind them – cybercriminals. Over the last 19 years we have accumulated extensive knowledge and experience in the field of developing security solutions to combat cyberattacks, in detecting the world's most sophisticated malware, and in investigating cybersecurity incidents. In our industry we face a global problem of a shortage of highly qualified specialists. This is why we consider it very important to support educational programs in this area. We hope that very soon graduates of the new Master's program will start actively saving the world from cyberthreats. And not a moment too soon".



from Corporate News http://ift.tt/2ayRLtg

Kaspersky Lab North America Certified as a Great Place to Work


28 Jul 2016
Press Releases

Kaspersky Lab announced that it was certified as a great workplace by the independent analysts at Great Place to Work®. Kaspersky Lab earned this credential based on extensive ratings provided by its employees in anonymous surveys, which found that 87 percent of Kaspersky Lab North America employees say it’s a great workplace. A summary of these ratings can be found at http://ift.tt/2ankU8e.

“Our years of cybersecurity expertise combined with talented and passionate individuals has been the recipe for success at Kaspersky Lab,” said Alena Reva, vice president, human resources, Kaspersky Lab North America. “People are at the core of our business and our mission, and we strive to create a culture where employees are encouraged to explore their big ideas in order to discover new ways to further protect our customers and grow our business.”

In addition to the Great Place to Work certification, Kaspersky Lab was recently named one of CRN’s Coolest Endpoint Security Vendors. The inaugural 2016 Security 100 list recognized the coolest security vendors in each of five categories: Endpoint Security; Identity and Access Management and Data Protection; Network Security; SIEM and Threat Detection; and Web and Application Security.

"We applaud Kaspersky Lab for seeking certification and releasing its employees' feedback," said Kim Peters, vice president, Great Place to Work's Recognition Program. "These ratings measure its capacity to earn its own employees' trust and create a great workplace - critical metrics that anyone considering working for or doing business with Kaspersky Lab should take into account as an indicator of high performance."

Kaspersky Lab North American employees completed 172 surveys, resulting in a 90 percent confidence level and a margin of error of ± 4.24.



from Corporate News http://ift.tt/2ayRZk3

Media-stealing app reappears on Google Play

An app called HTML Source Code Viewer, published by Sunuba Gaming, poses as a developer tool while stealing photos and videos from mobile devices.

from Symantec Connect - Securi... http://ift.tt/2aM1Sr4

Wednesday, July 27, 2016

Pay, Resist or Punt? How Will Your Organization Handle a Ransomware Attack?

InformationSecurityOnline


Ransomware has been prominent over the last year. If it becomes as ubiquitous as identity theft and data breaches, and signs point in that direction, how will your organization deal with it when an attacker uses malicious code to lock you out of your own computer systems?

Will you alert the authorities and turn to a ransomware IT expert to unlock the encrypted data? Will you take the risk of a costly and prolonged disruption in business? Or will you do what one hospital recently did, and pay the criminals to release your systems? Hollywood Presbyterian Medical Center in Los Angeles shelled out $17,000 earlier this year to unlock its systems after a ransomware attack, the L.A. Times reported.

Escalating risks of ransomware attacks

Ransomware is malicious code that an attacker places on a digital device or computer network. The code locks the device or network owner out of their own data, and sometimes out of the entire system. The perpetrators demand money — a ransom — in exchange for a code to undo the malicious encryption.

In 2015, the FBI logged more than 2,400 reports of ransomware attacks resulting in losses in excess of $24 million, according to the bureau. Kaspersky’s numbers are even more appalling; ransomware attacks increased five-fold between April 2015 and March 2016, the security software giant says.

Criminals are aiming ransomware attacks everywhere, at individuals through their smartphones, and organizations through computer networks. Kaspersky says ransomware attacks through phones soared nearly 300 percent in the past year. And earlier this year, the FBI issued warnings about a new type of ransomware that specifically targets businesses, Reuters reported.

For organizations, the costs of a ransomware attack far exceed monetary losses of paying the ransom. Companies must also consider the loss of productivity, costs of IT services, legal fees, reputational damages and more.

Before you respond to ransomware attacks

Already this year, cases like the Hollywood Presbyterian Medical Center attack have made headlines — largely because the victims are paying the ransoms. Faced with the possibility of lengthy and costly business disruptions, many organizations may decide it’s less expensive to pay a ransom and regain control of their systems.

Before making a decision about how to respond to a ransomware attack, businesses should keep these critical points in mind:

  • Although it makes sense to distrust criminals, security experts say in the case of ransomware attacks there seems to be “honor among thieves.” Payment of the ransom usually ends up with data and systems being recovered. The crooks are focused on making money quickly and easily, and they know if they were to extort funds and then fail to deliver on their promises, word would get around and people would stop paying.
  • You need to decide before ever becoming a victim of ransomware whether you’ll pay or not. The decision is not purely a question of security; business risk must come into consideration. Perhaps your organization has certain systems that are so critical, you decide you would pay the ransom if they were attacked. You may decide not to pay for less important systems or devices. If you decide you won’t pay ransom, it’s essential to plan how you’ll manage operational disruption and recover data. For example, you’ll need an excellent back-up system so that if ransomware locks your current data, you can easily gain access to an up-to-date backup.
  • Decide if you’ll treat a ransomware attack as a data breach, and notify customers whose data might be affected. Ransomware doesn’t actually steal or export any information from systems. Consult with outside legal and breach resolution experts to understand what circumstances might trigger a need for legal notification.
  • Be sure your cyber insurance policy covers ransomware attacks. Will your insurer pay the ransom? Will the policy cover the costs of business disruption?
  • Take preventive steps to make your system more resistant to ransomware attacks. Keep regular backups of critical data and systems. Know where critical information and systems reside within your network.

Unfortunately, ransomware works for the criminals. They’re making money at it, and are thus unlikely to give up any time soon. It’s vital for companies to be aware of ransomware risks, make important decisions before falling victim, and take steps to minimize the damages of a potential attack.


The post Pay, Resist or Punt? How Will Your Organization Handle a Ransomware Attack? appeared first on Data Breach Resolution.



from Data Breach Resolution http://ift.tt/2aeLeOY

Cybersecurity startup PhishMe raises $42.5 million Series C


Cybersecurity training provider PhishMe says it has raised $42.5 million in Series C funding led by Paladin Capital Group. Bessemer Venture Partners, a $4 billion venture capital firm, also participated.

Founded in 2011, PhishMe aims to help companies thwart phishing attacks and other threats to business networks through consistent employee training, including spear phishing tests and other phishing simulations.

The Virginia-based start-up plans to use the latest cash injection to expand its portfolio, fund research and development efforts, and expand into international markets across Europe and Asia. PhishMe previously raised $13 million in a Series B round of funding last year. PhishMe's original funding round raised $2.5 million.

Alex Ferrara, a partner at Bessemer Venture Partners, said PhishMe stands out among other security vendors because it tries to influence the human element in detecting phishing campaigns.

Humans tend to be the weak links in the security chain, often falling for phishing campaigns or unwittingly connecting malware-ridden personal devices to corporate networks. PhishMe's pitch is that businesses can mitigate these risks by better training their staff.

"The most damaging cyber-attacks almost always involve phishing or spear phishing attempts and that is why empowering the human element or employees to detect these phishing campaigns has become a top priority for modern enterprises," Ferrara said.

Overall, security start-ups have enjoyed unfettered access to venture funding, unlike many of their cloud and software vendor peers. Security firms are also hot targets for acquisition, with everyone from Cisco to IBM snapping up start-ups with a bent on cybersecurity. Cisco recently bought Massachusetts-based CloudLock for $293 million, while IBM acquired Resilient Systems in February to beef up its security operations.



from Latest Topic for ZDNet in... http://ift.tt/2awrEUn

LastPass Zero-Day Bug Lets Hackers Steal All Your Passwords


A critical zero-day flaw has been discovered in the popular cloud password manager LastPass that could allow any remote attacker to compromise your account completely.

LastPass is a password manager that works as a browser extension and automatically fills credentials for you.

All you need is to remember one master password to unlock all other passwords of your different online accounts, making it much easier for you to use unique passwords for different sites.

However, the password manager isn't as secure as it promises.

Google Project Zero Hacker Tavis Ormandy discovered several security issues in the software that allowed him to steal passwords stored with LastPass.

"Are people really using this LastPass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap," Ormandy revealed on Twitter.

Once they compromise a victim's LastPass account, hackers would be able to access a treasure trove of passwords for the victim's other online services.

Since LastPass is still working on a fix for the zero-day vulnerability, the researcher has not yet disclosed technical details about the issues.

Coincidentally, another security researcher, Mathias Karlsson, also announced that he had uncovered issues in LastPass, which have already been patched by the company.

A specially crafted URL was enough to take complete control of a user's accounts.

As Karlsson explained in a blog post published today, an attacker could send a specially-crafted URL to the victim in order to steal passwords from his/her vault.

This specific vulnerability resided in the autofill functionality of the LastPass browser extension, where a faulty regular expression for parsing the URL was allowing an attacker to spoof the targeted domain.

"By browsing this URL: http://avlidienbrunn.se/@twitter.com/@hehe.php the browser would treat the current domain as avlidienbrunn.se while the extension would treat it as twitter.com," Karlsson explained.

Therefore, by abusing the form auto-fill functionality, a hacker could steal a victim's Facebook password, say, by sending the victim a proof-of-concept URL containing facebook.com.

This particular flaw was patched by the company within a day, and Karlsson was awarded a bug bounty of $1,000.
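An added example, not LastPass's code, of the bug class Karlsson describes: a hand-rolled regex that tries to skip the "user:pass@" part of a URL mis-parses the quoted proof-of-concept URL, while the browser's own URL parser does not. The regex is an illustrative stand-in for the faulty one (LastPass's actual expression is not on this page), and the example assumes Node.js, where `URL` is a global.

```javascript
// Added example (not LastPass's code). The regex below is illustrative of the
// bug class, not the real LastPass expression.

// Proof-of-concept URL quoted in the article.
const POC_URL = "http://avlidienbrunn.se/@twitter.com/@hehe.php";

// Vulnerable: a hand-rolled regex that tries to skip "user:pass@" userinfo.
// "[^@]*" is allowed to run across "/" into the path, so the first "@" found
// in the path is mistaken for the end of userinfo and the text after it is
// returned as the host. For POC_URL that is "twitter.com".
function hostFromRegex(url) {
  const m = /^https?:\/\/(?:[^@]*@)?([^\/:?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Hardened: delegate to the WHATWG URL parser, the same parser the browser
// uses to decide what the "current domain" is, so the two cannot disagree.
// For POC_URL this yields "avlidienbrunn.se". Non-http(s) schemes and
// unparseable input return null, which the policy below treats as "never fill".
function hostFromUrlParser(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Autofill policy: fill a saved credential only when the page host equals the
// saved host or is a subdomain of it. (A registrable-domain check via a public
// suffix list would be stricter still; it is omitted here for brevity.)
function shouldAutofill(savedHost, url, hostExtractor) {
  const host = hostExtractor(url);
  if (host === null) return false;
  return host === savedHost || host.endsWith("." + savedHost);
}

// Stand-alone demo when run directly with Node (skipped under the test harness).
if (typeof require !== "undefined" && require.main === module) {
  console.log("regex host  :", hostFromRegex(POC_URL));
  console.log("parser host :", hostFromUrlParser(POC_URL));
  console.log("regex fills twitter.com? ", shouldAutofill("twitter.com", POC_URL, hostFromRegex));
  console.log("parser fills twitter.com?", shouldAutofill("twitter.com", POC_URL, hostFromUrlParser));
}
```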

Well, the issues in password managers are really worrying, but this doesn’t mean that you should stop using password managers. Password managers still encourage you to use unique and complex passwords for every single site.

In the wake of the latest issue, users can avoid browser-based password managers and instead switch to offline versions, like KeePass.



from The Hacker News http://ift.tt/2axtjsi

Cisco Nexus 1000v Application Virtual Switch Cisco Discovery Protocol Packet Processing Denial of Service Vulnerability

A vulnerability in Cisco Discovery Protocol packet processing for the Cisco Nexus 1000v Application Virtual Switch (AVS) could allow an unauthenticated, remote attacker to cause the ESXi hypervisor to crash and display a purple diagnostic screen, resulting in a denial of service (DoS) condition.

The vulnerability is due to insufficient input validation of Cisco Discovery Protocol packets, which could result in a crash of the ESXi hypervisor due to an out-of-bounds memory access. An attacker could exploit this vulnerability by sending a crafted Cisco Discovery Protocol packet to a targeted device. An exploit could allow the attacker to cause a DoS condition.

Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.

This advisory is available at the following link: http://ift.tt/2aeOtJm
Security Impact Rating: Medium
CVE: CVE-2016-1465

from Cisco Security Advisory http://ift.tt/2aeOtJm

Cisco Wireless LAN Controller Denial of Service Vulnerability

A vulnerability in the wireless frame management service of the Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on the affected device.

The vulnerability is due to insufficient handling of wireless management frames. An attacker could exploit this vulnerability by sending crafted wireless management frames to the device.

Cisco has not released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.

This advisory is available at the following link: http://ift.tt/2aeNXLw
Security Impact Rating: Medium
CVE: CVE-2016-1460

from Cisco Security Advisory http://ift.tt/2aeNXLw

Cisco Videoscape Session Resource Manager Denial of Service Vulnerability

A vulnerability in system resource management in the Cisco Videoscape Session Resource Manager (VSRM) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition because the device unexpectedly restarts.

The vulnerability occurs because the VSRM is not installed using best practices and in a secure environment where DoS attacks are prevented before reaching the adjacent network. An attacker could exploit this vulnerability only by being on the adjacent network and directing a flood of traffic at the devices upstream of the VSRM. An exploit could allow the attacker to cause a DoS condition. The VSRM resumes normal operation when the attack on the upstream devices ceases.

Cisco has not released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.

This advisory is available at the following link: http://ift.tt/2aeNHw0
Security Impact Rating: Medium
CVE: CVE-2016-1467

from Cisco Security Advisory http://ift.tt/2aeNHw0

Cisco Prime Service Catalog Reflected Cross-Site Scripting Vulnerability

A vulnerability in the HTTP web-based management interface of the Cisco Prime Service Catalog (PSC) could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web interface of the affected system.
 
The vulnerability is due to insufficient input validation of a user-supplied value. An attacker could exploit this vulnerability by convincing a user to click a specific link.

Additional information about XSS attacks and potential mitigations is available:


Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.

This advisory is available at the following link: http://ift.tt/2aeNzwH
Security Impact Rating: Medium
CVE: CVE-2016-1462

from Cisco Security Advisory http://ift.tt/2aeNzwH

Cisco FireSIGHT System Software Snort Rule Bypass Vulnerability

A vulnerability in Snort rule detection in Cisco FireSIGHT System Software could allow an unauthenticated, remote attacker to bypass configured rules that use Snort detection.
 
The vulnerability is due to improper handling of HTTP header parameters. An attacker could exploit this vulnerability by sending a crafted HTTP packet to the affected device. An exploit could allow the attacker to bypass configured rules that use Snort detection.

Cisco has not released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.

This advisory is available at the following link: http://ift.tt/2aeNxVB
Security Impact Rating: Medium
CVE: CVE-2016-1463

from Cisco Security Advisory http://ift.tt/2aeNxVB

Cisco Email Security Appliance File Type Filtering Vulnerability

A vulnerability in the email message filtering feature of Cisco AsyncOS for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause an ESA to fail to detect and act upon a specific type of file that is attached to an email message.

The vulnerability is due to improper application of message filtering rules to email attachments that contain a specific type of file and are submitted to an affected appliance. An attacker could exploit this vulnerability by sending an email message with a crafted attachment to an affected appliance. A successful exploit could allow the attacker to cause the ESA to fail to detect and act upon possible malware in the email attachment.

Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: http://ift.tt/2aeOjBV
Security Impact Rating: Medium
CVE: CVE-2016-1461

from Cisco Security Advisory http://ift.tt/2aeOjBV

The Official Talos Guide to Black Hat 2016

Another media-stealing app found on Google Play

The HTML Source Code Viewer app by Sunuba Gaming poses as a development tool then steals pictures and videos from mobile devices.

from Symantec Connect - Securi... http://ift.tt/2aepKoL

Signal Sciences pushes real-time security solution to tech firms

End of SMS-based 2-Factor Authentication; Yes, It's Insecure!


SMS-based Two-Factor Authentication (2FA) has been declared insecure and soon it might be a thing of the past.

Two-Factor Authentication, or 2FA, adds an extra step when you log in to your account: entering a random passcode sent to you via SMS or a phone call, as an added layer of protection.

For example, if you have 2FA enabled on Gmail, the platform will send a six-digit passcode to your mobile phone every time you sign in to your account.

But the US National Institute of Standards and Technology (NIST) has released a new draft of its Digital Authentication Guideline that says SMS-based two-factor authentication should be banned in the future due to security concerns.

Here's what the relevant paragraph of the latest DAG draft reads:
"If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

Due to the rise in data breaches, two-factor authentication has become a standard practice these days. Many services offer SMS-based 2FA to their consumers so that hackers would need both the password and the mobile phone in order to hijack an account.

SMS-based Two-Factor Authentication is Insecure

However, NIST argues that SMS-based two-factor authentication is an insecure process because it's too easy for anyone to obtain a phone and the website operator has no way to verify whether the person who receives the 2FA code is even the correct recipient.

In fact, SMS-based two-factor authentication is also vulnerable to hijacking, if the individual uses a voice-over-internet protocol (VoIP) service, which provides phone call service via a broadband internet connection instead of a traditional network.

Since some VoIP services allow the hijacking of SMS messages, hackers could still gain access to your accounts protected with SMS-based two-factor authentication.

Also, design flaws in SS7, or Signalling System No. 7, allow an attacker to divert the SMS containing a one-time passcode (OTP) to their own device, which lets the attacker hijack any service, including Twitter, Facebook or Gmail, that uses SMS to send the secret code for resetting an account password.

Some devices even leak the secret 2FA code received via SMS on the lock screen.


NIST Suggests BIOMETRIC! But...

The DAG draft notes that two-factor authentication via a secure app or biometrics, like a fingerprint scanner, may still be used to secure your accounts.

"Therefore, the use of biometrics for authentication is supported, with the following requirements and guidelines: Biometrics SHALL be used with another authentication factor (something you know or something you have)," the draft reads.

Well, a biometric-based two-factor authentication process would require companies to store a copy of your biometric data on their cloud servers for verification.

So, would you share your fingerprints with Google or Facebook? Apple was criticized for the same thing when there was a rumor that the iPhone's Touch ID fingerprint sensor would upload users' data to its cloud storage.

Many tech companies, such as Facebook and Google, offer an in-app code generator as an alternative solution for two-factor authentication, one that does not rely on SMS or the network carrier.

Last month, Google made its two-factor authentication a lot easier and faster by introducing a new method called Google Prompt that uses a simple push notification where you just have to tap on your mobile phone to approve login requests.



from The Hacker News http://ift.tt/2au4rAz

KeySniffer Lets Hackers Steal Keystrokes from Wireless Keyboards


Radio-based wireless keyboards and mice that use a special USB dongle to communicate with your PC can expose all your secrets – your passwords, credit card numbers and everything you type.

Back in February, researchers from the Internet of Things security firm Bastille Networks demonstrated how they could take control of wireless keyboards and mice from several top vendors using so-called MouseJack attacks.

The latest findings by the same security firm are even worse.

Researchers have discovered a new hacking technique that can allow hackers to take over your wireless keyboard and secretly record every key you press on it.

Dubbed KeySniffer, the hack is bad news for millions of wireless, radio-based keyboards.

The Cause: Lack of Encryption and Security Updates

The KeySniffer vulnerability affects wireless keyboards from eight different hardware manufacturers that use cheap transceiver chips (non-Bluetooth chips) – a less secure, radio-based communication protocol.

The issue with these chips is that they don’t receive Bluetooth’s frequent security updates.

Moreover, the affected keyboards use unencrypted radio transmission.

This means anyone within 100 meters of your computer, equipped with a long-range radio dongle costing around $15-$30, can intercept the communications between affected wireless keyboards and your computer.

This allows the attacker to secretly collect everything you type, including your passwords, credit card numbers, personal messages and even weird porn searches.

The keyboards from a surprising range of vendors, including Anker, EagleTec, General Electric, Hewlett-Packard, Insignia, Kensington, Radio Shack, and Toshiba, are vulnerable to KeySniffer.

This isn’t the first time researchers have targeted wireless keyboards. In 2015, a white hat hacker developed a cheap Arduino-based device, dubbed KeySweeper, which covertly logs, decrypts and reports back all keystrokes from Microsoft wireless keyboards.

Although KeySweeper exploited the weak encryption used by Microsoft, the KeySniffer discovery is different: in this case, manufacturers are actually making and selling wireless keyboards with no encryption at all.

One of the affected hardware makers, Kensington, responded to the matter, saying that only a single version of its keyboards was affected by the KeySniffer flaw and that a firmware update with AES encryption has been released.

Since millions of people use one of the wireless keyboards identified by Bastille Networks, users are advised to either go back to wired keyboards or at least switch to Bluetooth.

Radio-based wireless keyboards and mice are an attractive target for hackers. Two months ago, the FBI also issued a warning to private industry partners to look out for highly stealthy keyloggers that quietly sniff passwords and other input data from wireless keyboards.



from The Hacker News http://ift.tt/2a9hbu2