Wednesday, May 31, 2017

China's cybersecurity law vows to better protect personal information


China's first ever cybersecurity law, which officially takes effect on June 1, vows to protect online users' information by prohibiting abuse from online service providers.

Passed by China's Parliament in November last year, the new law has banned ISPs from collecting and selling users' personal information that is irrelevant to their services. Users also have the right to request their information to be deleted in cases of abuse, according to a Sina news report.

Cybersecurity management employees are also required to protect information obtained, and are prohibited from selling or leaking this information.

The Supreme Court and Supreme Procuratorate in China have further stipulated that those who illegally obtain, sell, or provide more than 50 items of personal information will be deemed "severe cases" and subject to imprisonment, the report added.

The new regulation has also tried to strengthen data surveillance and storage for firms working in the country.

Article 37 of the cybersecurity law stipulates that "citizens' personal information and important business data collected and produced by critical information infrastructure operators during their activities within the territory of the People's Republic of China, shall be stored within the territory".

But the article failed to specifically define "critical information infrastructure operators", only broadly referring to them as "those [that] could cause serious damage to national security, the national economy and public interest if destroyed, functionality is lost, or data is leaked".

According to a Deloitte report on the website, critical information infrastructures can be categorized into "websites, platforms, and production businesses".

Other than influential organizations that affect the national economy and people's livelihood in China, "websites with more than 1 million daily average visits", "infrastructures that can cause leakage of data of more than 1 million people in the event of a cybersecurity incident", "infrastructures with more than 10 million registered users, or 1 million active users", and "infrastructures with daily average transaction or trade amounts of more than 10 million yuan" would all fall into the categories of critical information infrastructures as stated in the new law, Deloitte said.

A Reuters report said earlier that overseas business groups were asking Chinese regulators to delay implementation of the law, believing the new rules would hurt their business activities.



from Latest Topic for ZDNet in... http://ift.tt/2rqFWfz

FBI Releases Article on Protecting Business Email Systems

Original release date: May 31, 2017

The Federal Bureau of Investigation (FBI) has released an article on Building a Digital Defense with an Email Fortress. FBI warns that scammers commonly target business email accounts with phishing and social engineering schemes. Strategies for preventing email compromises include avoiding the use of free web-based email accounts; using multi-factor authentication; and updating firewalls, antivirus programs, and spam filters.

US-CERT encourages users and administrators to review the FBI article for more information and refer to US-CERT Tips on Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Attacks.






from US-CERT National Cyber Alert System http://ift.tt/2sfACtw

Palo Alto Networks delivers strong Q3 results


Security company Palo Alto Networks delivered a strong fiscal third quarter that handily topped expectations.

The company reported a net loss of $60.9 million, or 67 cents a share, on revenue of $431.8 million, up 25 percent from a year ago. Non-GAAP earnings were 61 cents a share.

Wall Street was looking for fiscal third quarter earnings of 55 cents a share on revenue of $412 million.

In a statement, CEO Mark McLaughlin said the company added the "second highest number of new customers in the company's history."

As for the outlook, the company said it expects revenue between $481 million and $491 million with earnings of 78 cents a share to 80 cents a share on a non-GAAP basis. Wall Street was expecting earnings of 74 cents a share on revenue of $485 million.



from Latest Topic for ZDNet in... http://ift.tt/2sow57b

USN-3305-1: NVIDIA graphics drivers vulnerabilities

Ubuntu Security Notice USN-3305-1

31st May, 2017

nvidia-graphics-drivers-375 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

NVIDIA graphics drivers could be made to crash or run programs as an administrator.

Software description

  • nvidia-graphics-drivers-375 - NVIDIA binary X.Org driver

Details

It was discovered that the NVIDIA graphics drivers contained flaws in the kernel mode layer. A local attacker could use these issues to cause a denial of service or potentially escalate their privileges on the system.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
  • nvidia-367 375.66-0ubuntu0.17.04.1
  • nvidia-375 375.66-0ubuntu0.17.04.1

Ubuntu 16.10:
  • nvidia-367 375.66-0ubuntu0.16.10.1
  • nvidia-375 375.66-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
  • nvidia-367 375.66-0ubuntu0.16.04.1
  • nvidia-375 375.66-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  • nvidia-367 375.66-0ubuntu0.14.04.1
  • nvidia-375 375.66-0ubuntu0.14.04.1

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make all the necessary changes.

References

CVE-2017-0350, CVE-2017-0351, CVE-2017-0352



from Ubuntu Security Notices http://ift.tt/2rVoal7

US Defense Contractor left Sensitive Files on Amazon Server Without Password


Sensitive files linked to a United States intelligence agency were reportedly left on a public Amazon server, without a password, by one of the nation's top intelligence contractors, according to a new report.

UpGuard cyber risk analyst Chris Vickery discovered tens of thousands of documents from a US military project for the National Geospatial-Intelligence Agency (NGA) left unsecured on an Amazon cloud storage server for anyone to access.

The documents included passwords to a US government system containing sensitive information, and the security credentials of a senior employee of Booz Allen Hamilton, one of the country's top defense contractors.

Although there were no top secret files in the cache Vickery discovered, the documents included credentials to log into code repositories that could contain classified files and other credentials.

Master Credentials to a Highly-Protected Pentagon System were Exposed

Roughly 28GB of exposed documents included the private Secure Shell (SSH) keys of a Booz Allen employee, and a half dozen plain text passwords belonging to government contractors with Top Secret Facility Clearance, Gizmodo reports.

What's more, the exposed data even contained master credentials granting administrative access to a highly-protected Pentagon system.

The sensitive files have since been secured and were likely hidden from those who didn't know where to look for them, but anyone, like Vickery, who knew where to look could have downloaded those sensitive files, potentially allowing access to both highly classified Pentagon material and Booz Allen information.

"In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level," Vickery says.

Vickery is a reputed and responsible researcher who has previously tracked down a number of exposed datasets on the Internet. Two months ago, he discovered an unsecured and publicly exposed database, containing nearly 1.4 Billion user records, linked to River City Media (RCM).

Vickery is the one who, in 2015, reported a huge cache of more than 191 Million US voter records and details of nearly 13 Million MacKeeper users.

Both NGA and Booz Allen are Investigating the Blunder

The NGA is now investigating this security blunder.

"We immediately revoked the affected credentials when we first learned of the potential vulnerability," the NGA said in a statement. "NGA assesses its cyber security protections and procedures constantly with all of its industry partners. For an incident such as this, we will closely evaluate the situation before determining an appropriate course of action."

However, Booz Allen said the company is continuing with a detailed forensic investigation about the misstep.

"Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment," a Booz Allen spokesperson told Gizmodo. 
"We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter."

Booz Allen Hamilton is the same consulting firm that employed whistleblower Edward Snowden when he disclosed the global surveillance conducted by the NSA. It is among the top 100 US federal contractors and was once described as "the world's most profitable spy organisation."



from The Hacker News http://ift.tt/2qGLaQb

China's new cybersecurity law rattles tech giants


China's new cybersecurity law has a lot of people scratching their heads, trying to figure out how it affects their businesses -- if at all.

The gist of the law seems simple enough. The law will ban the collection and sale of users' personal information. Companies operating in China will also have to store their customers' data on servers in the country (a requirement that has been delayed until the end of 2018 to work out some kinks), and customers will have the right to have their data erased. At the same time, individuals will have to register with their real names on messaging apps and social networks.

According to the state-run Xinhua news agency, the new law -- approved by the country's "rubber-stamp" parliament -- was introduced in response to the growing threat of cyber-terrorism and hacking, which would replace a large patchwork of different, loosely collected laws.

"Those who violate the provisions and infringe on personal information will face hefty fines," said the news agency, via Reuters.

But there's the problem. Nobody seems to know exactly how the law works.

The law is set to go into effect Thursday, but "there's unfortunately a lot of confusion" about how it will work or be enforced, according to Michael Chang, a Nokia executive and vice-president of the European Union Chamber of Commerce in China, speaking to The New York Times.

"We still have a lot of unclarified territory that needs to be addressed as soon as possible," he said, suggesting Beijing had conveyed "less than half" of the law's specifics.

Many US and European businesses are already reportedly concerned, according to a letter sent to the Chinese regulator in charge of the law's enforcement, calling it "fraught with weaknesses."

That's because many of the same companies, predominantly data-hungry firms -- like software and service providers -- are concerned it will prevent Western giants from entering the lucrative Chinese market.

The Chinese regulator denied that was the case, saying the new provisions do "not restrict foreign companies or their technology and products entering the Chinese market," despite the country's reduced reliance on Western technologies in the wake of the Edward Snowden disclosures into US mass surveillance. Just as the US has been concerned about Chinese espionage, Beijing has pushed away many US tech giants for fear of US snooping.

But there is some hope. China isn't the first country to want to rein in its citizens' data -- either for their safety or government surveillance, take your pick.

Russia, last year, introduced a similar law under a similar guise of "preventing terrorism" (read, "increasing surveillance" in a region where speech and expression are already heavily restricted).

Companies operating in the country were told to store Russian citizen data on servers within its borders. Those breaking the rules or refusing to comply would be added to a blacklist.

One such company was LinkedIn, according to several reports, which at the time had six million users in Russia. But many other companies largely acquiesced. Hardware and device makers, like Apple and Lenovo, were among the first to comply -- not least because it was easier. And other data-hungry companies, like eBay, Facebook, and Google, took longer to transfer data into the region in order to keep operating -- though their current status isn't known. Some firms, like Spotify, have scrapped plans to enter the country altogether, citing conflict with the rules.

Suffice it to say, reactions have been a mixed bag, but for the most part companies have accepted the country's rules.

While the two sets of cybersecurity laws share similarities, China is a bigger market, one that most Western companies can't avoid -- even if they have yet to break into the region.

In Russia's case, even though the rules seemed arbitrary and archaic and generated legal disquiet, they were at least easy to follow.

Beijing has since tried to defuse complaints and concerns by Western firms over possible disruptions.

But with looming threats of fines and a void where there should be clarity, it's looking like many multinationals could be in for a bumpy few quarters.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.



from Latest Topic for ZDNet in... http://ift.tt/2snzRhe

Google adds security features to Gmail


Google is adding some new security features to Gmail, including improved phishing detection that relies on a dedicated machine learning model.

Anywhere from 50 to 70 percent of messages received in Gmail are spam, but machine learning techniques help Google block spam and phishing messages with more than 99.9 percent accuracy, the company says.

Its latest machine learning model improves the process by delaying select messages (less than 0.05 percent of messages on average) for further phishing analysis.

Google says its new detection models will also help generate new URL click-time warnings, giving users a warning prompt when they've clicked on a suspicious link. As new patterns are found, the models will adapt and get better with time.

Additionally, Google is adding unintended external reply warnings to Gmail to prevent users from accidentally sending protected data to someone outside of their company. Gmail shouldn't overdo it with the warnings, Google says, since its contextual intelligence will alert Gmail if the recipient is an existing contact or someone the sender interacts with regularly.

Google is also adding new built-in defenses against ransomware and polymorphic malware, blocking millions of additional emails. The threats are identified by combining signals from spam, malware and ransomware with attachment heuristics (emails that could be threats based on signals) and sender signatures (already marked malware).



from Latest Topic for ZDNet in... http://ift.tt/2rF3VZr

Why Do Phishing Fears Top the List of Security Professionals’ Concerns?

Risk managers, legal experts and brokers say phishing and social engineering are, by far, the biggest security threats facing their companies and clients. In fact, 80 percent of legal experts polled by Advisen for Experian Data Breach Resolution’s 2017 Cyber Risk Preparedness and Response Survey, 68 percent of brokers and 61 percent of risk managers cited phishing/social engineering as their top concern.

Why do they feel that way? A look at the numbers and some insight into human nature can explain their fears — and help you understand why your organization should be just as concerned about phishing risks.

By the numbers

Phishing and social engineering are particularly effective forms of cyberattack because they use technology and knowledge of human nature to manipulate employees into actions that serve the attacker’s purpose. How effective are they?

The human risk factor

Phishing in general and spear phishing in particular are successful because human beings are often the chink in an organization’s cybersecurity armor. All it takes is one overly curious and under-cautious employee clicking on a suspicious email, or a well-meaning worker who responds to a seemingly authentic request for proprietary information. Those scenarios are the stuff of nightmares for information security professionals, and unfortunately they happen all too frequently.

Multiple studies show that negligent employees cause more data breaches than other sources, whether they succumb to a phishing attack or lose a company laptop at the airport. However, studies also show that cybersecurity training, including a component on phishing, can help reduce employee-related risks.

Training is critical

Among organizations that train employees on how to spot and avoid phishing attacks, 52 percent reported they were able to see quantifiable results — fewer successful phishing attacks — based on their training, Wombat said. Respondents to the Advisen survey stressed the importance of creating a company culture in which cybersecurity is everyone’s job and knowledge of phishing and how to thwart attacks is the norm.

Employee training in cybersecurity should begin as part of the onboarding process when the worker joins your organization, and everyone should get a refresher at least annually. While 67 percent of those surveyed by Ponemon said their organizations didn’t incentivize employees to proactively protect sensitive information or report potential issues, any successful culture of security should reward those who are embracing their roles as protectors — and not just punish those who fall short.

The post Why Do Phishing Fears Top the List of Security Professionals’ Concerns? appeared first on Data Breach Resolution.



from Data Breach Resolution http://ift.tt/2roQsE7

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager appliances

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 8 and IBM Runtime Environment Java Version 8 used by IBM Security Access Manager version 8 and 9 appliances. These issues were disclosed as part of the IBM Java SDK updates in January 2017.

CVE(s): CVE-2017-3241, CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-5552, CVE-2017-3261, CVE-2017-3231, CVE-2017-3259, CVE-2016-2183

Affected product(s) and affected version(s):

IBM Security Access Manager for Web version 8, all firmware versions

IBM Security Access Manager for Mobile version 8, all firmware versions

IBM Security Access Manager version 9, all firmware versions

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2smzbsB
X-Force Database: http://ift.tt/2lAcror
X-Force Database: http://ift.tt/2lA4akm
X-Force Database: http://ift.tt/2lAx183
X-Force Database: http://ift.tt/2msD77U
X-Force Database: http://ift.tt/2msBF5I
X-Force Database: http://ift.tt/2lAiqcB
X-Force Database: http://ift.tt/2msOwVj
X-Force Database: http://ift.tt/2lAc9xE
X-Force Database: http://ift.tt/2msIPqs
X-Force Database: http://ift.tt/2dR3VyC

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager appliances appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2roahLE

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Connect:Direct FTP+

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 7.0.9.50 and 6.0.16.30 used by IBM Sterling Connect:Direct FTP+. These issues were disclosed as part of the IBM Java SDK updates in January 2017.

CVE(s): CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-5552, CVE-2016-2183

Affected product(s) and affected version(s):

IBM Sterling Connect:Direct FTP+ 1.3.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2roe1wQ
X-Force Database: http://ift.tt/2lA4akm
X-Force Database: http://ift.tt/2lAx183
X-Force Database: http://ift.tt/2msD77U
X-Force Database: http://ift.tt/2msBF5I
X-Force Database: http://ift.tt/2lAiqcB
X-Force Database: http://ift.tt/2dR3VyC

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Connect:Direct FTP+ appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2sme3Te

IBM Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java affect IBM OS Images for Red Hat Linux Systems, AIX-based, and Windows-based deployments.

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition used by IBM OS Images for Red Hat Linux Systems, AIX-based, and Windows-based deployments. These issues were disclosed as part of the IBM Java SDK updates in January 2017.

CVE(s): CVE-2017-3241, CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2017-3252, CVE-2016-5552, CVE-2016-5547, CVE-2016-2183

Affected product(s) and affected version(s):

IBM OS Image for Red Hat Linux Systems 3.0.0.0 and earlier.
IBM OS Image for AIX Systems 2.1.1.0 and earlier.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2rorpkm
X-Force Database: http://ift.tt/2lAcror
X-Force Database: http://ift.tt/2lA4akm
X-Force Database: http://ift.tt/2lAx183
X-Force Database: http://ift.tt/2msD77U
X-Force Database: http://ift.tt/2lAk4Lp
X-Force Database: http://ift.tt/2lAiqcB
X-Force Database: http://ift.tt/2msBF5I
X-Force Database: http://ift.tt/2dR3VyC

The post IBM Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java affect IBM OS Images for Red Hat Linux Systems, AIX-based, and Windows-based deployments. appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2rnYOvF

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM® Java Runtime affects IBM BigFix Compliance Analytics.

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 Service Refresh 3 Fixpack 20 and IBM® Runtime Environment Java™ Version 8 Service Refresh 3 Fixpack 20 that are used by IBM BigFix Compliance Analytics. These issues were disclosed as part of the IBM Java SDK updates in January 2017.

CVE(s): CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-5552, CVE-2016-2183

Affected product(s) and affected version(s):

IBM BigFix Security Compliance Analytics 1.9.70

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2rorp3Q
X-Force Database: http://ift.tt/2lA4akm
X-Force Database: http://ift.tt/2lAx183
X-Force Database: http://ift.tt/2msD77U
X-Force Database: http://ift.tt/2msBF5I
X-Force Database: http://ift.tt/2lAiqcB
X-Force Database: http://ift.tt/2dR3VyC

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM® Java Runtime affects IBM BigFix Compliance Analytics. appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2smqcY5

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 7 and 8 and IBM® Runtime Environment Java™ Versions 7 and 8 that are used by IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web version 7 software. These issues were disclosed as part of the IBM Java SDK updates in January 2017.

CVE(s): CVE-2017-3241, CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-5552, CVE-2017-3261, CVE-2017-3231, CVE-2017-3259, CVE-2016-2183

Affected product(s) and affected version(s):

IBM Tivoli Access Manager for e-business 6.0, 6.1, 6.1.1

IBM Security Access Manager for Web 7.0 (software)

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2rohgo6
X-Force Database: http://ift.tt/2lAcror
X-Force Database: http://ift.tt/2lA4akm
X-Force Database: http://ift.tt/2lAx183
X-Force Database: http://ift.tt/2msD77U
X-Force Database: http://ift.tt/2msBF5I
X-Force Database: http://ift.tt/2lAiqcB
X-Force Database: http://ift.tt/2msOwVj
X-Force Database: http://ift.tt/2lAc9xE
X-Force Database: http://ift.tt/2msIPqs
X-Force Database: http://ift.tt/2dR3VyC

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2roa6jB

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Storage Manager (IBM Spectrum Protect) for Virtual Environments: Data Protection for VMware and FlashCopy Manager (IBM Spectrum Protect Snapshot) for VMware

There are multiple vulnerabilities in IBM® Runtime Environment Java™ used by Tivoli Storage Manager for Virtual Environments (IBM Spectrum Protect for Virtual Environments): Data Protection for VMware and FlashCopy Manager (IBM Spectrum Protect Snapshot) for VMware. These issues were disclosed as part of the IBM Java SDK updates in January 2017.

CVE(s): CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183

Affected product(s) and affected version(s):

The following levels of Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (IBM Spectrum Protect for Virtual Environments) are affected:

  • 8.1.0.0 through 8.1.0.1
  • 7.1.0.0 through 7.1.6.4
  • 6.4.0.0 through 6.4.3.5

The following levels of FlashCopy Manager (IBM Spectrum Protect Snapshot) for VMware are affected:

  • 4.1.0.0 through 4.1.6.1
  • 3.2.0.0 through 3.2.0.8

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2smxgUE
X-Force Database: http://ift.tt/2lA4akm
X-Force Database: http://ift.tt/2lAx183
X-Force Database: http://ift.tt/2msD77U
X-Force Database: http://ift.tt/2msBF5I
X-Force Database: http://ift.tt/2dR3VyC

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Storage Manager (IBM Spectrum Protect) for Virtual Environments: Data Protection for VMware and FlashCopy Manager (IBM Spectrum Protect Snapshot) for VMware appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2smxg76

IBM Security Bulletin: IBM Security Access Manager appliances may be affected by a kernel vulnerability known as the Dirty COW bug (CVE-2016-5195)

The Linux kernel could allow a local attacker to gain elevated privileges on the system, caused by a race condition when the memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings. This vulnerability is known as the Dirty COW bug. Under certain circumstances, IBM Security Access Manager appliances might be affected by this vulnerability.

CVE(s): CVE-2016-5195

Affected product(s) and affected version(s):

IBM Security Access Manager for Web 7.0 appliances, all firmware versions.

IBM Security Access Manager for Web 8.0 appliances, all firmware versions.

IBM Security Access Manager for Mobile 8.0 appliances, all firmware versions.

IBM Security Access Manager 9.0 appliances, all firmware versions.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2smhIQW
X-Force Database: http://ift.tt/2gQ8nw9

The post IBM Security Bulletin: IBM Security Access Manager appliances may be affected by a kernel vulnerability known as the Dirty COW bug (CVE-2016-5195) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2smtVVE

IBM Security Bulletin: MQ Explorer directory created with owner ‘555’ on Linux x86-64 vulnerability affects IBM MQ (CVE-2016-6089)

When IBM MQ, including MQ Explorer, is installed on a Linux x86-64 environment, all directories under opt/mqm/mqexplorer/eclipse are created with owner "555" (a non-existent user) and group mqm once installation completes. This vulnerability allows a local user to alter the contents of the opt/mqm/mqexplorer/eclipse directory and make the product unusable.
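The defender's check for this class of defect is an audit for files and directories whose owner UID (or group GID) resolves to no account, which is exactly the "owner 555" condition the bulletin describes. The following is an added example, not IBM's code; it assumes the bulletin's path is absolute (/opt/mqm/mqexplorer/eclipse) and builds a constructed stand-in tree when that path is absent.

```python
"""Audit a directory tree for entries owned by a UID or GID that resolves to no account.

Added example, not IBM's code: it detects the condition described in CVE-2016-6089,
where MQ Explorer directories were created with owner 555, a UID matching no user.
"""
import grp
import os
import pwd
import stat
import tempfile
from typing import List, Optional, Set, Tuple

# Path from the bulletin, assumed here to be absolute.
MQ_EXPLORER_DIR = "/opt/mqm/mqexplorer/eclipse"


def known_uids() -> Set[int]:
    """UIDs that resolve to an account in the host's passwd database."""
    return {e.pw_uid for e in pwd.getpwall()}


def known_gids() -> Set[int]:
    """GIDs that resolve to a group in the host's group database."""
    return {g.gr_gid for g in grp.getgrall()}


def find_orphaned_owners(root: str,
                         uids: Optional[Set[int]] = None,
                         gids: Optional[Set[int]] = None) -> List[Tuple[str, str, int, str]]:
    """Return (path, kind, id, problem) for every entry under root whose owner UID
    or group GID is unknown. `uids`/`gids` default to the host databases; passing an
    explicit set exercises the logic without chown'ing anything to a bogus ID."""
    uids = known_uids() if uids is None else uids
    gids = known_gids() if gids is None else gids
    findings: List[Tuple[str, str, int, str]] = []

    def check(path: str) -> None:
        st = os.lstat(path)  # lstat: never follow a symlink out of the audited tree
        kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
        if st.st_uid not in uids:
            findings.append((path, kind, st.st_uid, "nouser"))
        if st.st_gid not in gids:
            findings.append((path, kind, st.st_gid, "nogroup"))

    check(root)  # the root directory itself is part of the audit
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return findings


def build_sample_tree() -> Tuple[str, int, int]:
    """Constructed sample input: a tiny stand-in for the eclipse tree, created by the
    current process. Returns (root, uid, gid) as recorded on the root directory so a
    caller can decide which IDs to treat as known; children inherit the same IDs."""
    root = tempfile.mkdtemp(prefix="mqexplorer-")
    os.makedirs(os.path.join(root, "plugins"))
    with open(os.path.join(root, "plugins", "sample.jar"), "w") as fh:
        fh.write("constructed sample content")
    st = os.lstat(root)
    return root, st.st_uid, st.st_gid


if __name__ == "__main__":
    target = MQ_EXPLORER_DIR if os.path.isdir(MQ_EXPLORER_DIR) else build_sample_tree()[0]
    for path, kind, ident, problem in find_orphaned_owners(target):
        print(f"{problem:8} {kind:4} {ident:6} {path}")
```

On a live host the same audit is a one-liner with GNU find, `find /opt/mqm/mqexplorer/eclipse -nouser -o -nogroup`; the Python version is what you would embed in a compliance scanner that needs structured findings.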

CVE(s): CVE-2016-6089

Affected product(s) and affected version(s):

IBM MQ v9.0.0.0

IBM MQ v9.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2smebBZ
X-Force Database: http://ift.tt/2ro8NRG

The post IBM Security Bulletin: MQ Explorer directory created with owner ‘555’ on Linux x86-64 vulnerability affects IBM MQ (CVE-2016-6089) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2smzaF3

IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware

OpenSSL vulnerabilities were disclosed on January 28, 2016, March 1, 2016, May 3, 2016, and September 22 and 26, 2016 by the OpenSSL Project. OpenSSL, used by the IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect for Virtual Environments (formerly Tivoli Storage Manager for Virtual Environments): Data Protection for VMware, has addressed the applicable CVEs.

CVE(s): CVE-2016-0701, CVE-2015-3197, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-2842, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176, CVE-2016-2108, CVE-2016-6302, CVE-2016-6304, CVE-2016-6305, CVE-2016-6303, CVE-2016-2182, CVE-2016-2180, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-6306, CVE-2016-6307, CVE-2016-2183, CVE-2016-6309, CVE-2016-7052, CVE-2016-6308, CVE-2016-2181

Affected product(s) and affected version(s):

These security exposures affect network connections between IBM Spectrum Protect (formerly Tivoli Storage Manager) and VMware services. This exposure affects:



from IBM Product Security Incident Response Team http://ift.tt/2roneVY

IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware

OpenSSL vulnerabilities were disclosed on June 11, 2015 and December 3, 2015 by the OpenSSL Project. OpenSSL, used by the IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect for Virtual Environments (formerly Tivoli Storage Manager for Virtual Environments): Data Protection for VMware, has addressed the applicable CVEs.

CVE(s): CVE-2015-1791, CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794

Affected product(s) and affected version(s):

These security exposures affect network connections between IBM Spectrum Protect (formerly Tivoli Storage Manager) and VMware services. This exposure affects:



from IBM Product Security Incident Response Team http://ift.tt/2smlXvT

Blue screen of death saved Windows XP from WannaCry ransomware, say security researchers


For many WannaCry victims using Windows XP, the worst-case scenario was a blue-screen of death, say researchers.

Image: freeimageslive.co.uk

When WannaCry hit the world in mid-May, much focus was put on how the widespread use of the out-of-date Windows XP operating system helped it spread so fast.

The UK's National Health Service was one of the highest-profile victims of the cyberattack -- many of its bespoke systems still rely on Windows XP -- while Microsoft was quick to release a security patch for the long-unsupported operating system.

And while Windows XP systems were among those affected by WannaCry, later analysis suggests that 98 percent of victims were running Windows 7.

But that's not to say WannaCry wasn't a problem for Windows XP users. A new report by researchers at Kryptos Logic suggests that while the operating system was mostly immune to the ransomware itself, many of the failed attacks crashed the target machine, leaving it showing the 'blue screen of death' and requiring a hard reset.

Researchers tested WannaCry ransomware against a number of operating systems running in a test environment: Windows XP with Service Pack 2, Windows XP with Service Pack 3, Windows 7 64 bit with Service Pack 1, and Windows Server 2008 with Service Pack 1.

While attacks against Windows 7 successfully installed WannaCry, after a number of attempts the supposedly vulnerable Windows XP proved far more resilient to the ransomware than expected, with XP Service Pack 2 not becoming infected at all.

Windows XP running Service Pack 3 was affected, but rather than being infected with WannaCry and shown a ransom demand for locked files, the system kept blue-screening and rebooting itself.

"The worst-case scenario, and likely scenario, is that WannaCry caused many unexplained blue-screen-of-death crashes," say researchers.

While this phenomenon will have no doubt been frustrating for organisations which found their machines repeatedly crashing, at least they hadn't been infected by ransomware.

However, that doesn't mean Windows XP is safe. The SMB exploit that spreads the worm crashes XP rather than taking it over, but the ransomware payload itself runs if it is launched on an unpatched machine by some other route, and the operating system remains a popular target for cybercriminals looking to exploit the many systems that have never been updated.

While WannaCry caused chaos across the globe, the ransomware hasn't been particularly lucrative for its creators, bringing in only around $110,000 in the almost three weeks since the initial outbreak, a poor return for such a widespread campaign.

While the identity of those behind the WannaCry campaign remains unknown, researchers at cybersecurity firms including Symantec and Kaspersky have tentatively linked the attack to the Lazarus Group, a hacking operation which is believed to have acted in support of North Korea.

Meanwhile, linguistic analysis of the ransom notes displayed to WannaCry victims suggests the author, at least of the ransom demand, is a native or highly fluent Chinese speaker. Both the authorities and cybersecurity firms continue to look for answers about the origins of this destructive ransomware.




from Latest Topic for ZDNet in... http://ift.tt/2qActki

Cisco, IBM forge security integration partnership


Cisco and IBM will integrate security products, services and threat intelligence in a new partnership.

Both companies have sizeable security businesses. Under the terms of the deal, Cisco's security suite will integrate with IBM's QRadar across networks, end points and cloud.

In addition, IBM Global Services will support Cisco products in managed security services. Cisco and IBM will also partner on security research as IBM X-Force and Cisco Talos teams collaborate on intelligence and coordinate on cybersecurity response.

It's likely that similar partnerships and interoperability agreements will emerge among security players. Enterprises typically have a bevy of security vendors for various services and software.

Specifically, Cisco and IBM will integrate the following:

  • Cisco's security offerings will integrate with IBM's Cognitive Security Operations Platform.
  • Cisco will build applications for IBM's QRadar security analytics platform. Two of those new applications will be available on IBM's security app exchange.
  • Cisco's Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), Advanced Malware Protection (AMP) and Threat Grid will integrate with IBM's platforms.
  • IBM's Resilient Incident Response Platform will integrate with Cisco's Threat Grid.



from Latest Topic for ZDNet in... http://ift.tt/2qB0yyi

The Significance of Log Sources to Building Effective Intelligence-Driven Incident Response

May 31, 2017

Many organizations today lack the visibility across their network needed to perform incident response efficiently and effectively. One such discipline is Intelligence-Driven Incident Response: using intelligence to dig deeper into detecting, containing, and eradicating the latest cyber threats. Adversaries often leave evidence on compromised devices that reveals their Tactics, Techniques, and Procedures (TTPs), which can help attribute an attack to a particular group, association, or individual and lets responders identify additional affected systems and pursue further leads. The Indicators of Compromise (IOCs) that feed this intelligence include, but are not limited to, file names, file paths, hash values, IP addresses, Uniform Resource Identifiers (URIs), and the tools that known individuals or groups are known to use.

Organizations often struggle to reach this level of proactiveness without the precise logs required to investigate thoroughly. Most cannot ingest every log type from every technology in use, and are typically limited in the number of Events Per Second (EPS) they can send to a central log aggregator or Security Information and Event Management (SIEM) product, whether the constraint is bandwidth, a product limit, or licensing. Enterprises fortunate enough to have no such technological limits may instead lack the staff or expertise needed for efficient and effective monitoring and detection. Whichever deficiency applies, some organizations simply ingest as many logs as they can and then turn to those logs once an incident arises, hoping to conduct a thorough investigation and response.

That is the wrong approach, and it is why we at Cisco help organizations build effective, world-class Security Operations Centers (SOCs) that prioritize log sources by the use case, the event, and the urgency with which an attack must be detected and prevented as it happens, moving the organization toward an intelligence-driven incident response competency, as shown in the figure below. For instance, no log should be ingested before a use case has been built for the business to determine whether that use case can actually be achieved. This is similar to building a business case for an investment in technology; it answers the question "What is your end goal?" Every use case shares one end goal: detection of a threat with enough context for attribution, which is a fundamental prerequisite for responding to an incident. A use case cannot be built unless the technology logs what the use case needs, and, conversely, attribution cannot be achieved without a successful use case.

A use case should also identify its key stakeholders, its timeliness and lifetime, and the investment required (in both time and money) for it to be fully operational, effective, and efficient within the environment. Wherever the limitation lies, addressing that constraint first allows the organization to build a successful use case, incorporate the necessary logs, and prioritize use cases by the relevance of each threat to its industry, informed by previously discovered high-impact, high-risk incidents.
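The prioritization argued for above can be made concrete. The Python below is an added example, not Cisco's tooling or code from the original post: it declares detection use cases with the log sources each one requires, enables them in priority order only when every required source fits within an EPS budget (a use case fed by half its sources is not a use case), and then runs an IOC sweep over a few constructed log lines, showing that a source which was never ingested yields no hits however good the intelligence. Source names, EPS figures, use cases, indicators, and log lines are all constructed for illustration.

```python
"""Use-case-driven log source prioritisation under an EPS budget, followed by an IOC
sweep over the sources that were actually ingested. Added example, not Cisco code;
every source, figure, indicator and log line below is constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LogSource:
    name: str
    eps: int             # estimated events per second this feed adds to the SIEM


@dataclass(frozen=True)
class UseCase:
    name: str
    priority: int        # 1 = most urgent
    required: frozenset  # log sources that must ALL be ingested for the detection to work


SOURCES = {s.name: s for s in (
    LogSource("win_security", 800),
    LogSource("proxy", 1500),
    LogSource("dns", 2500),
    LogSource("edr", 600),
    LogSource("vpn", 100),
)}

USE_CASES = (
    UseCase("c2_beacon_to_known_ioc", 1, frozenset({"proxy", "dns"})),
    UseCase("malicious_file_execution", 1, frozenset({"edr"})),
    UseCase("credential_theft_lateral_movement", 2, frozenset({"win_security", "edr"})),
    UseCase("anomalous_vpn_geography", 3, frozenset({"vpn"})),
)


def plan_ingestion(use_cases, sources, eps_budget):
    """Walk use cases by priority; enable one only if every source it still lacks fits
    in the remaining budget. Returns (enabled use case names, selected sources, EPS left)."""
    enabled, selected, remaining = [], set(), eps_budget
    for uc in sorted(use_cases, key=lambda u: u.priority):
        missing = uc.required - selected
        cost = sum(sources[n].eps for n in missing)
        if cost <= remaining:
            selected |= missing
            remaining -= cost
            enabled.append(uc.name)
    return enabled, selected, remaining


# Constructed indicators of the kinds the post lists: IP address, file hash, URI.
IOC = {
    "ip": {"203.0.113.45"},
    "sha256": {"0123456789abcdef" * 4},
    "uri": {"/update/check.php"},
}
RE_IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RE_SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
RE_URI = re.compile(r'\s(/[^\s"]+)')

# Constructed log lines, each tagged with the source that produced it.
SAMPLE_LOGS = (
    ("proxy", "2017-05-31T10:01:02Z client=10.1.4.22 dst=203.0.113.45 GET /update/check.php 200"),
    ("dns", "2017-05-31T10:01:01Z 10.1.4.22 query A updates.example.net answer 203.0.113.45"),
    ("edr", "2017-05-31T10:00:55Z host=WS-0412 proc=C:\\Users\\a\\AppData\\Local\\Temp\\svch0st.exe "
            "sha256=" + "0123456789abcdef" * 4),
    ("win_security", "2017-05-31T10:00:50Z EventID=4624 LogonType=3 TargetUser=svc-backup src=10.1.4.22"),
)


def ioc_sweep(logs, selected_sources, ioc=IOC):
    """Match indicators only in lines from ingested sources: no feed, no visibility."""
    hits = []
    for source, line in logs:
        if source not in selected_sources:
            continue
        for kind, pattern in (("ip", RE_IP), ("sha256", RE_SHA256), ("uri", RE_URI)):
            for value in pattern.findall(line):
                if value in ioc[kind]:
                    hits.append((source, kind, value))
    return hits


if __name__ == "__main__":
    enabled, selected, left = plan_ingestion(USE_CASES, SOURCES, eps_budget=5000)
    print("enabled:", enabled, "sources:", sorted(selected), "eps left:", left)
    for hit in ioc_sweep(SAMPLE_LOGS, selected):
        print("IOC hit:", hit)
```

With a 5,000 EPS budget the priority-2 use case is skipped, because the Windows Security feed it still needs (800 EPS) no longer fits, while the cheaper priority-3 VPN use case is enabled; that trade-off is exactly what the use case document has to make visible before the license is spent. Lines from sources that were not ingested are never inspected, so any indicator in them is invisible to the sweep.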

By adopting such proactive measures, organizations can stay one step ahead rather than falling victim to a serious cybersecurity incident. Is your organization prioritizing the necessary log sources?

See how Cisco Security Advisory Services can help your organization here.



from Cisco Blog » Security http://ift.tt/2qAFXui

Acronis Backup 12 features world's first blockchain-based data integrity verification and ransomware protection


Ransomware can have a devastating effect on organizations, and with some forecasts having attacks double every year, IT admins are looking for solutions that can both protect against such attacks and help clean up afterwards.

To address this threat, Acronis has released a new tool aimed at just that. Acronis Backup 12 is, the company says, the only backup solution that ensures the authenticity and integrity of backups by storing backup file checksum certificates in a blockchain database, and it also features automatic ransomware protection.


Acronis describes Backup 12 as the easiest and fastest backup solution for all the data an organization has, whether it is located on-premises, on remote systems, in private and public clouds, or on mobile devices.

It features Active Protection technology, which detects and proactively blocks unauthorized encryption of files and backups and reverses suspicious changes to data, backup files, and backup agents, along with Acronis Notary, a blockchain-based authentication of every backup made that secures backups against damage or tampering.
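What a blockchain notary actually certifies is worth spelling out, because the claim is easy to misread. The Python below is an added illustration of the general checksum-anchoring technique, not Acronis Notary's code or certificate format: each backup image is hashed, the hashes are combined into a Merkle tree, and only the root is written to the ledger; the per-backup "certificate" is the inclusion proof, which lets anyone holding the ledger root prove that a given file is the one that was backed up, while the ledger itself holds nothing about the file's contents. The backup names and contents are constructed.

```python
"""Integrity check for backup images by anchoring a Merkle root of their checksums in
an append-only ledger. Added illustration of the general checksum-anchoring idea, not
Acronis Notary's implementation or format. Backup names and contents are constructed."""
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root_and_proofs(leaves):
    """Build a Merkle tree over 32-byte leaf digests. Returns (root, proofs), where
    proofs[i] is the list of (sibling_digest, sibling_is_left) pairs that recomputes
    the root from leaves[i]. An odd node count duplicates the last node to pair it."""
    if not leaves:
        raise ValueError("no leaves")
    level = list(leaves)
    proofs = [[] for _ in leaves]
    pos = list(range(len(leaves)))  # position of each original leaf within `level`
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        for i, p in enumerate(pos):
            sib = p ^ 1
            proofs[i].append((level[sib], sib < p))
            pos[i] = p // 2
        level = [sha256(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
    return level[0], proofs


def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    """Walk the proof from the leaf up; a match with the anchored root proves inclusion."""
    h = leaf
    for sibling, sibling_is_left in proof:
        h = sha256(sibling + h) if sibling_is_left else sha256(h + sibling)
    return h == root


# Constructed "backup images"; real ones are multi-GB files hashed in a stream.
BACKUPS = {
    "fileserver-2017-05-31.tib": b"FILESERVER BACKUP BLOCKS 0001",
    "exchange-2017-05-31.tib":   b"EXCHANGE BACKUP BLOCKS 0001",
    "ws-0412-2017-05-31.tib":    b"WORKSTATION BACKUP BLOCKS 0001",
}
NAMES = sorted(BACKUPS)  # fixed leaf order; each certificate records its index
LEAVES = [sha256(BACKUPS[n]) for n in NAMES]
LEDGER_ROOT, PROOFS = merkle_root_and_proofs(LEAVES)
# LEDGER_ROOT is the one value that would be written to the ledger (the blockchain in the
# product's case); a backup's "certificate" is (index, proof). Neither reveals file content.


def certificate(name: str):
    i = NAMES.index(name)
    return i, PROOFS[i]


def check_backup(data: bytes, cert, ledger_root: bytes) -> bool:
    """Recompute the image's digest and walk its certificate's proof up to the anchored
    root. Any changed byte, or a certificate issued for a different image, fails."""
    _, proof = cert
    return verify_inclusion(sha256(data), proof, ledger_root)


if __name__ == "__main__":
    name = "exchange-2017-05-31.tib"
    print("ledger root:", LEDGER_ROOT.hex())
    print("intact:", check_backup(BACKUPS[name], certificate(name), LEDGER_ROOT))
    print("tampered:", check_backup(BACKUPS[name] + b"x", certificate(name), LEDGER_ROOT))
```

The ledger only vouches for what was hashed at backup time: it cannot tell a clean image from one that already contained the ransomware, and it does nothing to stop an attacker with write access to the backup store from deleting images outright. Keep the root and the index/proof pairs somewhere the backup host itself cannot overwrite, or the check proves nothing.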

Acronis Backup 12 is also built for speed: it can be installed on over 21 different platforms in as few as three clicks, has a Recovery Time Objective of 15 seconds, and, according to Acronis, is twice as fast as its closest competitor.


Acronis Backup 12 also features multi-user management, easy to use touch-friendly apps, and built-in encryption.

Acronis Backup 12 comes with a 30-day free trial, and one terabyte of cloud space for storage, making it easy to test drive.




from Latest Topic for ZDNet in... http://ift.tt/2sdCLWC

Want To Empower Remote Workers? Focus On Their Data

By Jeremy Zoss, Managing Editor, Code42

Here’s a nightmare scenario for IT professionals: Your CFO is working from the road on a high-profile, highly time sensitive business deal. Working late on documentation for the deal, a spilled glass of water threatens everything. His laptop is fried; all files are lost. What options does your organization have? How can you get the CFO these critical files back, ASAP, when he’s on the other side of the country?

Remote user downtime has high costs
It’s not just traveling executives that worry IT pros. Three-quarters of the global workforce now regularly works remotely, and one in three work away from the office the majority of the time. Across every sector, highly mobile, on-the-go users play increasingly important roles. When these remote users lose, destroy or otherwise corrupt a laptop, the consequences can be serious.

  • On-site consultants: Every hour of downtime is lost billable time.
  • Distributed sales teams: Downtime can threaten deals.
  • On-site training and technical support: Downtime interrupts services, which can hurt relationships and reputations.
  • Work-from-home employees: These might not be high-profile users, but downtime brings productivity to a halt—a cost magnified across the growing work-from-home workforce in most organizations.

Maximizing remote productivity starts with protecting remote user data
Businesses clearly recognize the huge potential in empowering remote workers and mobile productivity. That’s why they’re spending time and money on enabling secure, remote access to digital assets. But too many forget about the other end of the spectrum: collecting and protecting the digital assets that remote workers are creating in real-time—files and data that haven’t made it back to the office yet. As productivity moves further away from the traditional perimeter, organizations can’t let that data slip out of view and beyond backup coverage.

Get six critical tips to empower your mobile users
Read the new white paper and see how endpoint visibility provides a powerful foundation for enabling and supporting anytime-anywhere users.




from Cloud Security Alliance Blog http://ift.tt/2raYsbr

Windows 10 tip: Use BitLocker to encrypt your system drive


BitLocker requires a TPM version 1.2 or later for a standard configuration.


Most modern business-class PCs designed for Windows 10 support BitLocker Drive Encryption. With BitLocker turned on for the system drive, an attacker who steals your device but doesn't have your sign-in credentials cannot simply pull the drive, or boot another operating system, and read your data. Bear in mind that in the default TPM-only configuration the TPM releases the key to a normally booting Windows, so protection then rests on the sign-in screen and on the OS being patched; for high-value laptops, adding a pre-boot PIN (TPM+PIN) raises the bar further.

The requirements for BitLocker Drive Encryption are fairly simple. Your hardware must include a Trusted Platform Module (TPM) chip, version 1.2 or later, and you must be running a business edition of Windows 10: Pro, Enterprise, or Education. (It's possible to enable BitLocker without a TPM, using a USB flash drive to store the encryption key, but I don't recommend it.)

To see whether your PC has a TPM chip (and, if so, which version), follow these steps:

  1. Right-click Start and then click Device Manager on the Quick Link menu.
  2. In Device Manager, look for the heading Security Devices. If it doesn't exist, your system isn't equipped with a TPM.
  3. If the Security Devices heading exists, expand it to show Trusted Platform Module hardware, including version number, like the one shown here.

If that seems like too much work, just run the BitLocker Encryption Wizard, which includes its own compatibility checker.

Open File Explorer, click This PC, right-click the icon for your system drive (usually drive C), and then click Turn on BitLocker. If your system doesn't meet the specifications, you'll get an error message. If everything's clear, you can follow the wizard's prompts to save your recovery key and begin the encryption process.

Next week: Another Windows 10 tip from Ed Bott



from Latest Topic for ZDNet in... http://ift.tt/2slRMop

Shadow Brokers launch subscription service for fresh exploits, zero-day leaks


While the world scrambled to fight off the WannaCry ransomware, which caused serious disruption to core services worldwide, the Shadow Brokers threat group was planning to cash in on the market for the exploits used to deliver such malware.

The subscription service, beginning in June, will cost 100 Zcash (ZEC) per month to join, roughly $23,000 at the time of writing.

Zcash is a virtual currency, not unlike Bitcoin, that uses the Equihash proof-of-work algorithm and zero-knowledge proofs (zk-SNARKs) to optionally shield the sender, recipient, and amount of a transaction.

"If you caring about loosing $20k+ then not being for you," the group said. "Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments. Playing "the game" is involving risks."

The Shadow Brokers say they have not yet decided what to include in the next dump, but lamented that nobody bid for the full dump offered in August last year, for which the asking price was an astounding $567 million.

Originally, the group was dismissed. However, it proved the potential severity of the trove it holds -- stolen from the US National Security Agency (NSA)'s elite Equation Group -- when its latest dump included the Windows SMB exploits later used to spread WannaCry.

"The time for "I'll show you mine if you show me yours first" is being over," the group said. "This is being wrong question. Question to be asking 'Can my organization afford not to be first to get access to theshadowbrokers dumps?'"

Shadow Brokers have hinted that the dump may include web browser, router, handset exploits and tools, fresh exploits for the Microsoft Windows 10 operating system, compromised network data from SWIFT users and central banks, or even information from Russian, Chinese, Iranian, or North Korean nukes and missile programs.

The first dump is expected to hit between 1 and 17 July in a mass email to any who choose to pay up and subscribe, news which is likely to put researchers on edge.

See also: Beyond Stuxnet and Flame: Equation 'most advanced' cybercriminal gang recorded

Earlier this month, researchers discovered a vast cryptocurrency-mining botnet which also infects slave PCs for the operation through the NSA-leaked exploit.



from Latest Topic for ZDNet in... http://ift.tt/2qznvGs

LinkedIn Hacker, Wanted by US and Russia, Can Be Extradited to Either State


The alleged Russian hacker who was arrested by the Czech police in Prague last October on suspicion of the massive 2012 data breach at LinkedIn can be extradited to either the United States or Russia, a Czech court ruled on Tuesday.

Yevgeniy Aleksandrovich Nikulin, a 29-year-old Russian national, is accused of hacking not just LinkedIn, but also the online cloud storage platform Dropbox and the now-defunct social-networking company Formspring.

However, he has repeatedly denied all accusations.

Nikulin was arrested in Prague on October 5 by the Czech police after Interpol issued an international arrest warrant against him.

Nikulin appeared at a court hearing held inside a high-security prison in Prague on Tuesday, looking emaciated after eight months in solitary confinement.

The court ruling, pending appeals, left the final decision in the hands of Czech Justice Minister Robert Pelikan, who can approve extradition to one of the countries and block the other.

The United States has requested Nikulin's extradition for carrying out hacking attacks and stealing information from several American social networking companies, including LinkedIn, Dropbox, and Formspring, between March and July 2012.

However, Russia, where Nikulin is facing a lesser charge, has requested his extradition on a separate cyber theft charge of stealing $3,450 via the Internet in 2009.

"Both [case] documents are very, very sufficient for reasonable suspicion that [the offenses] took place and that there is a reason to press charges," the judge said.


Hacker Claims FBI Pressured Him to Confess to US Election Hacks

Nikulin's arrest last October came three days before the United States officially accused Russia of hacking the Democratic National Committee (DNC) and interfering in the 2016 presidential election.

Nikulin's lawyer says the case is a set-up, suggesting that his arrest may have deeper motives than the cyberattacks against American firms.

The Guardian reported that Nikulin was interrogated in Prague, where he remains imprisoned, by FBI special agent Jeffrey Miller.

Nikulin wrote in a letter from prison that during his interrogation Miller brought up the US election hacking; he claimed the FBI agent pressured him to admit to the DNC hack and promised him good treatment if he agreed to cooperate.

Nikulin wrote in the letter that he rejected the offer. His lawyer indicated that Nikulin was not a hacker, but just a victim of an FBI plot.

"Do you really imagine that a high-ranking FBI agent is going to travel all the way from San Francisco just to read this guy his rights?" Nikulin's lawyer said.

Mark Galeotti, a senior security researcher at the Institute of International Relations Prague, also showed his concern about an FBI agent traveling to another country to extradite a hacker.

"An FBI agent traveling from the US to a third country as part of an extradition request is extremely unusual and highlights that the case is seen as significant," Galeotti said, as quoted by the Guardian.

Nikulin's Russian lawyer stated that his client's life revolved around buying and selling luxury cars, adding that Nikulin was "useless with computers", capable of checking his email and no more, and far from a super-hacker who could break into big firms.

Tuesday's court hearing was held in a tiny room inside the prison for security reasons, to which Nikulin's Czech lawyer said: "In all my 25 years as a lawyer, I don't remember any cases being tried inside the prison, including serial killers or organized crime cases."

Now, the final decision is in the hands of the Czech Justice Minister Robert Pelikan, who is slated to decide where Nikulin will be extradited: The United States, where he can face a "disproportionately harsh" sentence of 54 years behind bars, or Russia, where he faces a lesser charge of cyber theft.



from The Hacker News http://ift.tt/2rjihLX

Cash isn't everything when bug bounties compete with the black market


SINT MAARTEN -- Bug bounties, where security experts are credited and paid for disclosing vulnerabilities in software and systems to vendors, can be lucrative.

There is a common mentality that not only does every bug have a set price, but the black market has sway and influence on how much vendors are willing to pay. But, according to HackerOne chief technology officer Alex Rice, this couldn't be further from the truth.

Speaking to ZDNet, Rice said that illegal trading in bugs and exploits doesn't dictate the price vulnerabilities demand in the white hat market. Vendors are offering less cash than what the bugs would get on the black market, and yet they are still "winning" the battle to secure the reports.

Why? Because there needs to be a balance between cash rewards, keeping bug bounty hunters happy, and making these schemes worthwhile for companies.

However, Rice says that the average price of a bounty is determined by a number of other factors.

"We see with most customers that the price of a bug is not related to the severity of it," Rice said. "[Instead], business impact is one of the most important measurements which goes into pricing -- but it's not the only one."

You would be forgiven for thinking that the more severe and potentially dangerous the vulnerability, the more money would be on the table as an incentive for researchers to find and disclose it.

However, the issue is more complicated than it seems.

"When a business prices vulnerabilities, they spend a lot more time considering the scarcity of the bug and how many they think they have, which is the hardest thing to try and work out [as] you can't know," Rice said.

The potential impact a bug would have on a business and its revenue is important, but once a company has estimated how many bugs it has, in what Rice calls an "art or science" of informed guessing, a "natural curve" in pricing emerges.

"It's not that you look at your peers and go, hey, everyone is paying $20,000 for a [remote code execution bug, or RCE], I'm going to pay $20,000 for an RCE," the executive said. "You have to ask: how long have they been doing that, what was their growth curve to get to there, and how many do they have in between that period of time?"

In Kaspersky's case, when the security firm first launched a beta bug bounty program, the price for an RCE was set at $2,000.

However, six months in and with enough data to guess at how many bugs of this severity may be out there, the price was bumped up to $5,000.

The next stage is deciding when to raise the price of a particular kind of vulnerability report. Companies don't necessarily want to start high and be pummeled with report after report -- not only because submissions take time to triage, but also because they must have the resources available to fix what is found.

As noted by Rice, Microsoft, as an example, issues higher bug bounty payouts during beta stages as "this is the time when their engineers are ready to start fixing them."

"The natural curve is where the price for these vulnerabilities changes most dramatically, based not on what you can do with it but on its scarcity and the team's current backlog," Rice says. "Defenders very rarely base their pricing on the black market."

Once these prices have been established, the financial lure offered by both legitimate exploit purchasers such as Zimperium and illegal traders in the internet's underbelly is often far beyond the average reward offered directly by vendors.

According to Rice, however, they are still able to compete with the black market without offering anywhere near the same prices.

Apple, for example, only launched a bug bounty program last year, offering up to $200,000 for serious vulnerabilities. Before this, the company's Hall of Fame was enough to receive a constant stream of bug reports without paying a single cent for them.

See also: A look at the top HackerOne bug bounties of 2016 | Wassenaar Arrangement: When small words have the power to shatter security | 2017's biggest hacks, leaks, and data breaches

Why? Not only do researchers use the same devices in which they may discover bugs and so would like to see them fixed, but there is an "intrinsic motivation" in seeing their work do some good -- and receiving the credit for it.

"You have to be comfortable with a huge amount of moral ambiguity and no real feedback in how you're doing or whether it makes a difference [to sell bugs on the black market]," Rice says. "It turns out that is really important to most folks."



from Latest Topic for ZDNet in... http://ift.tt/2skTyGi

Tuesday, May 30, 2017

Australia's grand cyber plan swamped by reality: ASPI


The Australian government's Cyber Security Strategy faces serious difficulties. Modest efforts have been swamped by reality, according to a highly critical report released by the Canberra-based Australian Strategic Policy Institute (ASPI) on Wednesday.

Progress has been slower than hoped, there's no clear timeline for implementation, transparency is lacking, and private-sector partners are still in the dark as to what the government's implementation plan actually is.

Only four of the planned 83 outcomes have been achieved so far, the report said, with work on just 20 more being "on track". Some 22 outcomes need more attention, and work hasn't even started on a further 14 outcomes.

For the remaining 11 outcomes, it's impossible to tell whether work is progressing well or not, because the strategy doesn't specify any qualitative or quantitative targets.

"The constant stream of cyber events, from this month's ransomware incident to France's election hack, highlights how serious a national challenge cybersecurity has become. Unfortunately, while the government is working hard, the pace and scale of the issue is outgrowing the government's current efforts," said a statement from the report's authors, principal analyst Liam Nevill and analyst Zoe Hawkins from the ASPI's International Cyber Policy Centre (ICPC).

According to their report, developments this year have been "humbling litmus tests", highlighting the work that still needs to be done to improve Australia's cyber posture. In March 2017, for example, a report from the Australian National Audit Office (ANAO) revealed what the ICPC called "sub-par cybersecurity" in key agencies, raising questions about the take-up of the strategy's principles.

"The infamous 2016 #censusfail also revealed the pain points of Australia's cyber incident response capability, with inconsistent messaging coming straight to the fore."

Collecting data to measure the strategy's progress hasn't been started either. According to Nevill and Hawkins, that's critical to understanding the next steps for cybersecurity in Australia. The very design of the strategy has been an obstacle, they said.

"Some of the document's outcomes are not quantifiable, so confidently measuring success is impossible. Many of the outcomes that are practically measurable are framed in terms of a relative change but are put forward without supporting baseline information necessary to measure progress," the report said.

"Disappointingly, the government's failure to enact a communications strategy associated with strategy's implementation has meant that a coherent and comprehensive narrative on implementation success has yet to be developed. This is not surprising, given that the human and financial resources afforded to the Department of the Prime Minister and Cabinet [PM&C] are simply not commensurate with the size and importance of the task."

Australia's Cyber Security Strategy was launched in April 2016, with the broad goal of "advancing and protecting our interests online". The government released a progress report, the First Annual Update, in April 2017, and that report is the basis for the ICPC's analysis. The bulk of their 44-page report is a detailed commentary on the government's reported progress against all 83 planned outcomes, as well as details of the budget allocated to projects so far.

The four outcomes achieved so far are: appointing Dan Tehan as Minister Assisting the Prime Minister for Cyber Security on 18 July 2016; the Australian Securities and Investments Commission (ASIC) and the Australian Securities Exchange (ASX) launching their cybersecurity health checks for ASX100 companies in November 2016, with the industry-led Cyber Health Check Report released in April 2017; the Australian Signals Directorate (ASD) updating its Top Four strategies to mitigate cyber incidents to become the Essential Eight in February 2017; and releasing the strategy's first Annual Update in April 2017.

The ICPC report also noted achievements such as establishing the Australian Cyber Security Growth Network (ACSGN) and international Austrade landing pads for startups, and the allocation of AU$500 million of new funding for cybersecurity-related initiatives.

The ICPC has made 11 recommendations across the strategy's five themes.

Amongst them are calls for the strategy to adapt and evolve more rapidly, with measurable and time-bound annual action plans.

"The first annual update only seems to have assessed actions, not outcomes, and in doing so an opportunity has been missed to explain what has changed because of strategy implementation efforts," the report said.

The ICPC also calls for better support for mid-tier and small to medium enterprises; better communication across the board, moving from public awareness to behavioural change; and clearer leadership structures.

"Elements of cyber policy responsibility are found in PM&C, the Department of Defence, DFAT [Department of Foreign Affairs and Trade], the Attorney-General's Department, and so on. This can be challenging for those responsible for coordinating the delivery of the initiatives," the report said.

"While an agency along the lines of Singapore's Cyber Security Agency may not be the most appropriate response for the Australian Government, the co-location of key personnel may help to streamline the delivery of policy initiatives and enhance engagement."

Despite the many criticisms, however, the ICPC report does reflect some remaining confidence.

"The confluence of leadership focus, the media spotlight, and a mutual desire for public-private partnership means that the scene is set for Australia to learn from these implementation lessons and collectively move forward, committed to building on the successes of the past year."



from Latest Topic for ZDNet in... http://ift.tt/2rhThVh

IBM Security Bulletin: Multiple Vulnerabilities in tcpdump affect AIX

There are multiple vulnerabilities in tcpdump that impact AIX.

CVE(s): CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486

Affected product(s) and affected version(s):

AIX  5.3, 6.1, 7.1, 7.2
        
  The following fileset levels are vulnerable:
        
  key_fileset = aix
        
  Fileset             Lower Level  Upper Level   KEY
  -----------------------------------------------------
  bos.net.tcp.server   5.3.12.0     5.3.12.6    key_w_fs
  bos.net.tcp.server   6.1.9.0      6.1.9.201   key_w_fs
  bos.net.tcp.server   7.1.3.0      7.1.3.49    key_w_fs
  bos.net.tcp.server   7.1.4.0      7.1.4.31    key_w_fs
  bos.net.tcp.tcpdump  7.2.0.0      7.2.0.2     key_w_fs
  bos.net.tcp.tcpdump  7.2.1.0      7.2.1.0     key_w_fs
        
   
  Note: To find out whether the affected filesets are installed 
  on your systems, refer to the lslpp command found in AIX user's
  guide.

  Example:  lslpp -L | grep -i bos.net.tcp.server
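The bulletin's fileset table and the `lslpp` note above amount to a procedure: list the installed filesets, then check each level against the vulnerable ranges. The following script, added here as an example and not IBM's code, does that comparison numerically field by field (a plain string compare would rank 7.1.3.5 above 7.1.3.49). It assumes `lslpp -Lc` output, which is colon-separated with the fileset in field 2 and its level in field 3; the sample output embedded below is constructed so the script runs off-box.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): flag AIX filesets whose level
# falls inside the vulnerable ranges the bulletin lists.

# Vulnerable ranges copied from the bulletin's table: fileset lower upper.
VULN_RANGES='bos.net.tcp.server 5.3.12.0 5.3.12.6
bos.net.tcp.server 6.1.9.0 6.1.9.201
bos.net.tcp.server 7.1.3.0 7.1.3.49
bos.net.tcp.server 7.1.4.0 7.1.4.31
bos.net.tcp.tcpdump 7.2.0.0 7.2.0.2
bos.net.tcp.tcpdump 7.2.1.0 7.2.1.0'

# Constructed stand-in for `lslpp -Lc bos.net.tcp.server bos.net.tcp.tcpdump`
# (assumed layout: field 2 = fileset, field 3 = level). On a real AIX host,
# pipe the actual command output into scan_filesets instead.
SAMPLE_LSLPP='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
bos.net:bos.net.tcp.server:7.1.3.45:C: : :F:TCP/IP Server
bos.net:bos.net.tcp.server:7.1.4.32:C: : :F:TCP/IP Server
bos.net:bos.net.tcp.tcpdump:7.2.0.2:C: : :F:tcpdump
bos.net:bos.net.tcp.client:7.1.3.45:C: : :F:TCP/IP Client'

# vercmp A B: compare two dotted AIX levels numerically, one field at a time.
# Prints -1 (A<B), 0 (equal) or 1 (A>B). Missing trailing fields count as 0.
vercmp() {
    v_a="$1"; v_b="$2"; v_i=1
    while [ "$v_i" -le 4 ]; do
        v_fa=$(printf '%s\n' "$v_a" | cut -d. -f"$v_i")
        v_fb=$(printf '%s\n' "$v_b" | cut -d. -f"$v_i")
        v_fa=${v_fa:-0}; v_fb=${v_fb:-0}
        if [ "$v_fa" -lt "$v_fb" ]; then printf '%s\n' -1; return; fi
        if [ "$v_fa" -gt "$v_fb" ]; then printf '%s\n' 1; return; fi
        v_i=$((v_i + 1))
    done
    printf '%s\n' 0
}

# is_vulnerable FILESET LEVEL: prints "yes" when LEVEL lies inside one of the
# bulletin's ranges for FILESET (both bounds inclusive), otherwise "no".
is_vulnerable() {
    iv_fs="$1"; iv_lvl="$2"; iv_result=no
    while read -r iv_name iv_lo iv_hi; do
        [ "$iv_name" = "$iv_fs" ] || continue
        if [ "$(vercmp "$iv_lvl" "$iv_lo")" -ge 0 ] &&
           [ "$(vercmp "$iv_lvl" "$iv_hi")" -le 0 ]; then
            iv_result=yes
            break
        fi
    done <<EOF
$VULN_RANGES
EOF
    printf '%s\n' "$iv_result"
}

# scan_filesets: read lslpp -Lc lines on stdin, report each fileset the
# bulletin names, and return 1 if any installed level is in a listed range.
# "not-in-range" means only that: a level below the lower bound is not
# confirmed fixed by this bulletin, so check the Source Bulletin for it.
scan_filesets() {
    sf_hits=0
    while IFS=: read -r sf_pkg sf_fs sf_lvl sf_rest; do
        case "$sf_fs" in
            bos.net.tcp.server|bos.net.tcp.tcpdump) ;;
            *) continue ;;
        esac
        if [ "$(is_vulnerable "$sf_fs" "$sf_lvl")" = yes ]; then
            printf 'VULNERABLE    %s %s\n' "$sf_fs" "$sf_lvl"
            sf_hits=1
        else
            printf 'not-in-range  %s %s\n' "$sf_fs" "$sf_lvl"
        fi
    done
    return "$sf_hits"
}

# Usage against the constructed sample; swap in real lslpp output on AIX.
if printf '%s\n' "$SAMPLE_LSLPP" | scan_filesets; then
    echo "no installed fileset level is inside a vulnerable range"
else
    echo "vulnerable fileset levels present: apply the fixes in the Source Bulletin"
fi
```

Both bounds in the table are inclusive, so the last listed level (for instance bos.net.tcp.tcpdump 7.2.0.2) is still vulnerable; only a level strictly above the upper bound, taken together with the fix levels in the Source Bulletin, indicates the patched fileset.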

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2sjdlpI
X-Force Database: http://ift.tt/2rl8SWu
X-Force Database: http://ift.tt/2ovoaWw
X-Force Database: http://ift.tt/2rkOxR2
X-Force Database: http://ift.tt/2rziyKC
X-Force Database: http://ift.tt/2pxDsbe
X-Force Database: http://ift.tt/2ovNnQP
X-Force Database: http://ift.tt/2pxjOMu
X-Force Database: http://ift.tt/2rkZ7aF
X-Force Database: http://ift.tt/2rz7HA8
X-Force Database: http://ift.tt/2rkUw8r
X-Force Database: http://ift.tt/2rkTrxi
X-Force Database: http://ift.tt/2ovhS9A
X-Force Database: http://ift.tt/2pxBQOx
X-Force Database: http://ift.tt/2ovyPRj
X-Force Database: http://ift.tt/2rzaBFd
X-Force Database: http://ift.tt/2rlG40e
X-Force Database: http://ift.tt/2ryUEPn
X-Force Database: http://ift.tt/2rlG4xg
X-Force Database: http://ift.tt/2pxnCx0
X-Force Database: http://ift.tt/2ovtjxL
X-Force Database: http://ift.tt/2rziquw
X-Force Database: http://ift.tt/2rlXkCr
X-Force Database: http://ift.tt/2rz80uN
X-Force Database: http://ift.tt/2pxnvlj
X-Force Database: http://ift.tt/2rz4wIO
X-Force Database: http://ift.tt/2rl1F8C
X-Force Database: http://ift.tt/2rlG6oS
X-Force Database: http://ift.tt/2ryNwCD
X-Force Database: http://ift.tt/2ovpwRm
X-Force Database: http://ift.tt/2rkT5Xo
X-Force Database: http://ift.tt/2pxuElB
X-Force Database: http://ift.tt/2rlAA5C
X-Force Database: http://ift.tt/2rz3vjM
X-Force Database: http://ift.tt/2rlQbCk

The post IBM Security Bulletin: Multiple Vulnerabilities in tcpdump affect AIX appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2rldTht

BWT Podcast EP5 – It Has Been 0-days Since This Term was Abused

Beers with Talos Episode 5 “It Has Been 0-days Since This Term was Abused” is now available. Beers with Talos offers a topical, fast-paced, and slightly irreverent take on cybersecurity issues. If you are an executive, a grizzled SOC vet, or a n00b, you will take something away from each episode. We won’t promise it’s anything good… but it’s something.

In this episode: Craig, Joel, Matt, Nigel and Mitch cover the potential of Samba echoing WannaCry and blocking SMB ports (but you already did that, RIGHT?). There are also some history lessons to give proper usage guidance on words like 0-days, backdoors, and other terms that the industry loves to hype and abuse for extra clicks.

You can listen via iTunes or directly on the Talos Podcasts page.

Complete show notes are available on the Talos blog.  Leave us a comment there or tweet us with your feedback and ideas for future topics.


from Cisco Blog » Security http://ift.tt/2sjhV7j