Thursday, August 31, 2017

Privacy Commissioner to probe Australian government agencies on compliance


Australian Information and Privacy Commissioner Timothy Pilgrim has said his office will be conducting assessments of Australian government agencies over the next 12 months in accordance with the Office of the Australian Information Commissioner's (OAIC) commitments under the Privacy Act 1988.

Under the nearly 30-year-old Act, the OAIC has the power to conduct an assessment of any business or Australian government agency to help them understand their privacy obligations.

As set out in the OAIC's Corporate Plan 2017-18, the assessments will see the commissioner encourage agencies and businesses to "respect and protect" the personal information of citizens that they handle.

The plan [PDF] details the OAIC's intention to also conduct commissioner-initiated inquiries, which will see Pilgrim investigate an incident that may be an interference with privacy without first receiving a complaint from an individual.

Over the next 12 months, the OAIC also plans to develop and implement an Australian Public Service (APS) Privacy Governance Code, as well as a "maturity model" and a toolkit to allow government agencies to benchmark against and self-assess their privacy compliance performance.

Pilgrim's office will also work with agencies, particularly the Department of Prime Minister and Cabinet, to ensure that the Australian government's Public Data Policy Statement is implemented in a way that upholds the highest standards of privacy for individuals, the Corporate Plan published on Thursday explains.

In an effort to legislate for informing Australians when their privacy has been breached, the federal government finally passed data breach notification laws at its third attempt in February; under the Privacy Amendment (Notifiable Data Breaches) Act, from February 2018 people will be alerted when their data has been inappropriately accessed.

The legislation is restricted to incidents involving personal information, credit reporting information, credit eligibility information, and tax file number information that would put individuals at "real risk of serious harm".

The notification laws apply only to organisations covered by the Privacy Act, which exempts intelligence agencies, small businesses with annual turnover of less than AU$3 million, and political parties from disclosing breaches.

In preparation for the legislation, the OAIC said it will develop guidance and support tools for businesses and government agencies to help them fully comply, and it will also educate the community about the commencement and operation of the data breach scheme.

The commissioner's office will measure its public awareness through increased media and social media mentions about privacy rights, the plan explains.

Under another internal performance measurement, the OAIC has given itself a target of finalising 80 percent of data breach notifications within 60 days.

Also flagged in the Corporate Plan was the OAIC's desire to continue the administration of the My Health Records data breach notification scheme, as well as new initiatives to review the privacy guidelines of the Medicare Benefits and Pharmaceutical Benefits Programs under s135AA of the National Health Act 1953 and the Privacy (Credit Reporting) Code 2014 over the next year.



from Latest Topic for ZDNet in... http://ift.tt/2vNohgC

Palo Alto reports strong Q4 as it adds new customers


Palo Alto Networks reported strong fourth quarter earnings on the back of strong demand, growing its customer base to more than 42,500.

The security company reported a net loss of $38.2 million, or 42 cents a share, on revenue of $509.1 million, up 27 percent from a year ago. Non-GAAP earnings were 92 cents a share for the fourth quarter.

Wall Street was expecting fourth quarter non-GAAP earnings of 79 cents a share on revenue of $487.3 million.


Mark McLaughlin, CEO of Palo Alto, said the company added about 3,000 new customers in the quarter. It also updated a bevy of products, including a security service called GlobalProtect, a logging service, and an application framework.

In addition, CFO Steffan Tomlinson will retire.

For fiscal 2017, Palo Alto reported a net loss of $216.6 million, or $2.39 a share, on revenue of $1.8 billion, up 28 percent from a year ago. Non-GAAP annual earnings were $2.71 a share.

As for the outlook, Palo Alto projected first quarter revenue between $482 million to $492 million with non-GAAP earnings of 67 cents a share to 69 cents a share. For fiscal 2018, Palo Alto projected revenue between $2.12 billion and $2.16 billion, up 21 percent to 23 percent from 2017. Non-GAAP annual earnings will be about $3.24 a share to $3.34 a share.

The guidance was roughly in line with Wall Street expectations.



from Latest Topic for ZDNet in... http://ift.tt/2iLDBJw

A server hosting dozens of popular file converter sites has been hacked


The server hosting dozens of free-to-use online file conversion websites has been hacked several times in the past year using a well-known, easy-to-use exploit.

The security researcher, who asked not to be named for fear of legal repercussions, told ZDNet that the attacker obtained "full root access" to the server and its contents.

The researcher said that level of access would allow an attacker to quietly exfiltrate any file uploaded to the sites, but said it was "impossible to tell" what the shells were for, or whether they were actively in use.

The Paris-based server hosted sites -- including combinepdf.com, imagetopdf.com, jpg2pdf.com, pdftoimage.com, pdfcompressor.com, and wordtojpeg.com, among others -- that let users convert files and documents to other formats.

These are hardly the most popular sites in the world, but thousands of people use the sites each day, based on various traffic metrics and statistics sites. Key search terms like "pdf convert" and "image convert" bring up several of the affected sites in the first page of Google search results, giving them an edge over other conversion sites.

The server was vulnerable to a year-old set of bugs found in the ImageMagick library, a popular tool used to convert images. The bugs, known collectively as "ImageTragick," are extremely easy to exploit -- in one case, as simple as uploading an image file containing four lines of code to the server. The bug is so serious that Facebook paid a record bug bounty to a researcher who found that the social network was vulnerable, and Yahoo stopped using the software altogether. Countless servers and websites remain unpatched to this day.

As soon as the uploaded image is processed, the embedded code runs and opens a bind shell on the server, a listener that waits for the attacker to connect and issue commands.

According to the researcher, there were three other bind shells open on this vulnerable server.

"The impact of this incident is concerning to me," said the researcher. "All data going in or out of the server was being tampered with for months on end without the server owner noticing it."

We tracked down and contacted the owner of the server, who did not provide his name, but he replied with an aggressive response when provided with details of his vulnerable server.

"That config file is half a year old. If you claim my server still has that problem with Image-f**king-Magick, please send me the new config file," said the server owner. "If you can't, well, you're too late."

The server owner later said he had updated his servers and rebuffed several claims about his server's security.

There's no easy way to determine from the outside whether a server is vulnerable short of actively exploiting it with a malicious image; only the operator can check the installed ImageMagick version and its policy.xml. The security researcher did not retest the server after ZDNet reached out to the server owner, for fear of legal repercussions, so there is no way to verify that the sites have in fact been patched.
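The two checks below are an added example, not code from the ZDNet article, the researcher, or the affected sites. They implement the upload-side mitigations the ImageTragick advisory recommended: rejecting files whose magic bytes do not match the image type the site claims to accept (so a text-format MVG or SVG payload cannot pass as a .jpg), and auditing ImageMagick's policy.xml for the coders the advisory said to disable. The policy documents and file headers in the block are constructed for the example, and the magic-byte table covers only the formats a converter site would typically take.

```python
"""Added example (not code from the article or the affected sites): the two
upload-side ImageTragick mitigations, magic-byte validation and a policy.xml
audit. Sample policies and file headers are constructed for the example."""
import xml.etree.ElementTree as ET

# Leading bytes of the formats a converter site typically accepts.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
    "pdf": (b"%PDF-",),
}

# Coders the ImageTragick advisory's recommended policy.xml sets to rights="none".
IMAGETRAGICK_CODERS = frozenset(
    {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"}
)


def declared_extension(filename: str) -> str:
    """Extension the uploader claims, lower-cased; '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def magic_matches(data: bytes, ext: str) -> bool:
    """True only if the file starts with a known signature for the declared type."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))


def accept_upload(filename: str, data: bytes) -> bool:
    """Gate an upload on an allow-listed extension AND matching magic bytes.
    ImageMagick picks its decoder from content, not from the extension, so an
    extension check alone would still let MVG text named photo.jpg through."""
    ext = declared_extension(filename)
    return ext in MAGIC and magic_matches(data, ext)


def _expand_pattern(pattern: str) -> set:
    """Policy patterns may be one coder ('MVG') or a brace list ('{MVG,MSL}')."""
    p = pattern.strip()
    if p.startswith("{") and p.endswith("}"):
        return {name.strip().upper() for name in p[1:-1].split(",")}
    return {p.upper()}


def denied_coders(policy_xml: str) -> set:
    """Coders that policy.xml denies outright (domain='coder', rights='none').
    A '*' pattern denies everything, which for this audit covers the whole list."""
    denied = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights", "").strip().lower() != "none":
            continue
        names = _expand_pattern(pol.get("pattern", ""))
        if "*" in names:
            return set(IMAGETRAGICK_CODERS)
        denied |= names
    return denied


def missing_denials(policy_xml: str) -> set:
    """ImageTragick coders the given policy still leaves enabled."""
    return set(IMAGETRAGICK_CODERS) - denied_coders(policy_xml)


# Constructed samples: a stock-looking policy with no coder rules, and a hardened one.
DEFAULT_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="{URL,HTTPS,MVG,MSL}"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
</policymap>"""

# Constructed uploads: a genuine JPEG/JFIF header, and MVG drawing text named as a .jpg.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
TEXT_AS_JPG = b"viewbox 0 0 640 480\n"

if __name__ == "__main__":
    print("photo.jpg (real JPEG):", accept_upload("photo.jpg", REAL_JPEG))
    print("photo.jpg (MVG text): ", accept_upload("photo.jpg", TEXT_AS_JPG))
    print("default policy leaves enabled:", sorted(missing_denials(DEFAULT_POLICY)))
    print("hardened policy leaves enabled:", sorted(missing_denials(HARDENED_POLICY)))
```

The policy audit is the check an operator can run on the box itself (a stock policy.xml has no coder rules at all, which the example flags); an outside researcher has only the exploit route the article describes. Neither check replaces upgrading ImageMagick: the policy only disables the coders the known payloads go through, and the magic-byte check only keeps text payloads out of image uploads.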

"The fact that he has control over sites that are so widely used for manipulating documents, even if they weren't compromised, is really worrying," the researcher said.

"This should be a lesson for all of us," the researcher said. "If you don't want something to be stolen, don't give it away, especially to sites that you don't trust."


Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.




from Latest Topic for ZDNet in... http://ift.tt/2wm0ic8

Massive Email Campaign Sends Locky Ransomware to Over 23 Million Users


Whenever we feel like the Locky ransomware is dead, the notorious threat returns with a bang.

Recently, researchers at two security firms independently spotted two mass email campaigns spreading two different, new variants of the Locky ransomware.

Lukitus Campaign Sends 23 Million Emails in 24 Hours

The campaign spotted by researchers at AppRiver sent out more than 23 million messages containing Locky ransomware in just 24 hours on 28 August across the United States, in what appears to be one of the largest malware campaigns of the second half of this year.

According to the researchers, the emails sent out in the attack were "extremely vague," with subjects lines such as "please print," "documents," "images," "photos," "pictures," and "scans" in an attempt to convince victims into infecting themselves with Locky ransomware.

The email comes with a ZIP attachment (hiding the malware payload) that contains a Visual Basic Script (VBS) file nested inside a secondary ZIP file.

Once a victim is tricked into clicking it, the VBS file starts a downloader that fetches the latest version of the Locky ransomware, called Lukitus (which means "locked" in Finnish), which encrypts all the files on the target computer and appends .lukitus to the encrypted data.
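The check below is an added example, not code from The Hacker News article, AppRiver or Comodo. It is a mail-gateway style inspection of the attachment structure described above (a ZIP holding a second ZIP holding a .vbs downloader): it walks nested archives to a bounded depth and flags members whose final extension Windows would execute, including double extensions such as scan.pdf.vbs. The attachments are constructed in memory with placeholder contents, and the extension list and depth limit are choices made for the example.

```python
"""Added example (not from the article or the vendors it cites): recursive
inspection of ZIP attachments for script payloads, with a depth bound.
Sample attachments are constructed in memory with placeholder contents."""
import io
import zipfile

# Extensions Windows executes directly or via wscript/cscript/mshta.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                     ".hta", ".exe", ".scr", ".lnk", ".ps1"}
MAX_DEPTH = 4                       # nesting deeper than this is itself suspicious
DEPTH_SENTINEL = "<max depth exceeded>"


def walk_zip(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """List every non-directory member as outer.zip/inner.zip/file, recursing
    into members that are themselves ZIP archives. Stops at MAX_DEPTH."""
    if depth > MAX_DEPTH:
        return [prefix + DEPTH_SENTINEL]
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                found.extend(walk_zip(member, depth + 1, path + "/"))
            else:
                found.append(path)
    return found


def suspicious_members(data: bytes) -> list:
    """Paths that should block delivery: script/executable members at any
    nesting level, or an archive nested past MAX_DEPTH."""
    hits = []
    for path in walk_zip(data):
        if path.endswith(DEPTH_SENTINEL):
            hits.append(path)
            continue
        name = path.rsplit("/", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in SCRIPT_EXTENSIONS:
            hits.append(path)
    return hits


def build_zip(members: dict) -> bytes:
    """Helper to construct sample archives in memory: {name: bytes} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed lure mirroring the described layout: ZIP -> ZIP -> .vbs.
# The VBS body is a placeholder comment, not a real downloader.
INNER_ZIP = build_zip({"scan_0828.vbs": b"' placeholder, not real malware\r\n"})
LURE_ATTACHMENT = build_zip({"scan_0828.zip": INNER_ZIP})
# Constructed benign attachment for comparison.
CLEAN_ATTACHMENT = build_zip({"scan_0828.pdf": b"%PDF-1.4\n% placeholder\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ATTACHMENT), ("clean", CLEAN_ATTACHMENT)):
        print(label, suspicious_members(blob) or "no script payloads")
```

Blocking on the final extension rather than on a content signature is deliberate: a downloader stub is rewritten for every wave of a campaign, but the delivery structure (a script wrapped in one or more archives) is what the email has to carry to work at all.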

After the encryption process ends, the malware displays a ransom message on the victim's desktop instructing the victim to download and install the Tor browser and visit the attacker's site for further instructions and payment.

This Locky Lukitus variant demands a sum of 0.5 Bitcoin (~$2,300) from victims to pay for a "Locky decryptor" in order to get their files back.

This Lukitus attack campaign is still ongoing, and AppRiver researchers had "quarantined more than 5.6 million" messages in the campaign by Monday morning.

Sadly, this variant is impossible to decrypt as of now.

2nd Locky Campaign Sends over 62,000 Emails

In separate research, security firm Comodo Labs discovered another massive spam campaign earlier in August, which sent out over 62,000 spam emails containing a new variant of Locky ransomware in just three days in the first stage of the attack.

Dubbed IKARUSdilapidated, the second variant of Locky ransomware was distributed from 11,625 different IP addresses in 133 countries, likely a botnet of "zombie computers" used to conduct coordinated phishing attacks.

According to security researchers at Comodo, "this is a large-scale, email-based ransomware attack in which a new Trojan malware variant appears as an unknown file and can slip into unsuspecting and unprepared organizations' infrastructures."

The original attack that was first identified on August 9 and lasted three days utilized spam email messages that also contained a malicious Visual Basic Script (VBS) attachment, which if clicked, follows the same functioning as mentioned in the above case.

The cyber criminals operating Locky's IKARUSdilapidated variant demand a ransom of between 0.5 Bitcoin (~$2,311) and 1 Bitcoin (~$4,623) to return the encrypted files.

This massive Locky ransomware campaign targets "tens of thousands" of users across the globe, with the top five countries being Vietnam, India, Mexico, Turkey, and Indonesia.

Here's How to Protect Yourself From Ransomware Attacks

Ransomware has become one of the biggest threats to both individuals and enterprises, with several widespread outbreaks in the last few months, including WannaCry, NotPetya, and LeakerLocker.

Currently, there is no decryptor available to decrypt data locked by above Locky ransomware variants, so users are strongly recommended to follow prevention measures in an attempt to protect themselves.

Beware of phishing emails:

Always be suspicious of unsolicited documents sent via email, and never click on links inside those documents unless you have verified the source.

Back up regularly:

To keep a tight grip on all your important files and documents, keep a good backup routine in place that copies them to an external storage device that is not permanently connected to your PC.

Keep your antivirus software and system up to date:

Always keep your antivirus software and systems updated to protect against the latest threats.



from The Hacker News http://ift.tt/2elOWuy

Back to Basics: Worm Defense in the Ransomware Age



This post was authored by Edmund Brumaghin

“Those who cannot remember the past are condemned to repeat it.” – George Santayana

The Prequel

In March 2017, Microsoft released a security update for various versions of Windows, which addressed a remote code execution vulnerability affecting a protocol called SMBv1 (MS17-010). As this vulnerability could allow a remote attacker to completely compromise an affected system, the vulnerability was rated “Critical” with organizations being advised to implement the security update. Additionally, Microsoft released workaround guidance for removing this vulnerability in environments that were unable to apply the security update directly. At the same time, Cisco released coverage to ensure that customers remained protected.

The following month, April 2017, a group publishing under the moniker “TheShadowBrokers” publicly released several exploits on the internet. These exploits targeted various vulnerabilities including those that were addressed by MS17-010 a month earlier. As is always the case, whenever new exploit code is released into the wild, it becomes a focus of research for both the information security industry as well as cybercriminals. While the good guys take information and use it for the greater good by improving security, cybercriminals also take the code and attempt to find ways to leverage it to achieve their objectives, whether that be financial gain, to create disruption, etc.




from Cisco Blog » Security http://ift.tt/2eHsVqQ

Android Oreo: Google adds in more Linux kernel security features


Google has outlined four key kernel hardening features its engineers have backported from upstream Linux to Android kernels on devices that ship with Android 8.0 Oreo.

They will benefit "all Android kernels supported in devices that first ship with this release", according to Sami Tolvanen, a senior software engineer on the Android Security team.

The new kernel protections should also help developers who are responsible for building Android hardware drivers detect kernel security bugs before shipping them to users.

According to Google, 85 percent of the kernel vulnerabilities in Android were due to bugs in vendor drivers. Kernel bugs themselves made up more than a third of Android security bugs last year.

Android Oreo is the first time Android's kernel has the added protection of Kernel Address Space Layout Randomization (KASLR), which makes it harder for attackers to remotely exploit the kernel. KASLR is available in Android kernels 4.4 and newer.

"KASLR helps mitigate kernel vulnerabilities by randomizing the location where kernel code is loaded on each boot. On ARM64, for example, it adds 13-25 bits of entropy depending on the memory configuration of the device, which makes code reuse attacks more difficult," explains Tolvanen.

Google has also backported Linux 4.8's "hardened usercopy" feature, which protects the usercopy functions the kernel uses to transfer data between user space and kernel space memory by adding bounds checking to them. This has been backported to Android kernels 3.18 and above; according to Tolvanen, nearly half of Android kernel vulnerabilities since 2014 have been due to missing or invalid bounds checking.

Android Oreo also introduces "Privileged Access Never emulation", a software version of ARMv8.1's hardware PAN, which prevents the kernel from accessing user space memory directly and forces developers to go through the user copy functions, where the bounds checks live.

"Upstream Linux introduced software emulation for PAN in kernel version 4.3 for ARM and 4.10 in ARM64. We have backported both features to Android kernels starting from 3.18," notes Tolvanen.

The fourth hardening measure, post-init read-only memory, marks kernel data that is written only during initialization as read-only once the kernel has finished booting, reducing the kernel's internal attack surface. It was introduced in Linux 4.6 and has been backported to Android kernels 3.18.



from Latest Topic for ZDNet in... http://ift.tt/2gloy4F

IBM Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affects WebSphere Application Server July 2017 CPU that is bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud.

There are multiple vulnerabilities in the IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the IBM Java SDK updates in July 2017.

CVE(s): CVE-2017-10107, CVE-2017-10116, CVE-2017-10115

Affected product(s) and affected version(s):

IBM Java SDK shipped with IBM WebSphere Application Server Patterns 1.0.0.0 through 1.0.0.7 and 2.2.0.0 through 2.2.4.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2elFgQN
X-Force Database: http://ift.tt/2vECPQw
X-Force Database: http://ift.tt/2wyaY8O
X-Force Database: http://ift.tt/2xsr7ZC

The post IBM Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affects WebSphere Application Server July 2017 CPU that is bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud. appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2iJ552m

IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server July 2017 CPU

There are multiple vulnerabilities in the IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed as part of the IBM Java SDK updates in July 2017. They may affect some configurations of IBM WebSphere Application Server Traditional, IBM WebSphere Application Server Liberty and IBM WebSphere Application Server Hypervisor Edition.

CVE(s): CVE-2017-10107, CVE-2017-10116, CVE-2017-10115

Affected product(s) and affected version(s):

IBM SDK, Java Technology Editions shipped with WebSphere Application Server Liberty up to 17.0.0.2. IBM SDK, Java Technology Editions shipped with IBM WebSphere Application Server Traditional Version 9.0.0.0 through 9.0.0.4, 8.5.0.0 through 8.5.5.12, Version 8.0.0.0 through 8.0.0.13, Version 7.0.0.0 through 7.0.0.43.

  • This does not occur on IBM SDK, Java Technology Editions that are shipped with WebSphere Application Server Fix Packs 17.0.0.3, 9.0.0.5, 8.5.5.13, 8.0.0.14, and 7.0.0.45 or later.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2elF9ES
X-Force Database: http://ift.tt/2vECPQw
X-Force Database: http://ift.tt/2wyaY8O
X-Force Database: http://ift.tt/2xsr7ZC

The post IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server July 2017 CPU appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2iJIbaZ

IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Compute denial of service vulnerability (CVE-2016-7498)

If an authenticated user deletes an instance while it is in resize state, it will cause the original instance to not be deleted from the compute node it was running on. An attacker can use this to launch a denial of service attack. All Nova setups are affected.

CVE(s): CVE-2016-7498

Affected product(s) and affected version(s):

PowerVC Standard Edition 1.3.1.x

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2iJI5jD
X-Force Database: http://ift.tt/2elF6ZI

The post IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Compute denial of service vulnerability (CVE-2016-7498) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2iJI6UJ

IBM Security Bulletin: Vulnerabilities in kernel affect Power Hardware Management Console

Power Hardware Management Console is affected by security vulnerabilities in the Linux Kernel. Power Hardware Management Console has addressed the applicable CVEs.

CVE(s): CVE-2016-10229, CVE-2016-5828, CVE-2016-2847, CVE-2016-3156, CVE-2016-2117, CVE-2016-2053, CVE-2015-8956, CVE-2015-8845, CVE-2015-8844, CVE-2015-8374

Affected product(s) and affected version(s):

Power HMC V8.8.6.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2elF1Fo
X-Force Database: http://ift.tt/2iJHYVf
X-Force Database: http://ift.tt/2elF2cq
X-Force Database: http://ift.tt/2iJHZZj
X-Force Database: http://ift.tt/2elF2Js
X-Force Database: http://ift.tt/2iKS3kK
X-Force Database: http://ift.tt/2elF3gu
X-Force Database: http://ift.tt/2iJYtRu
X-Force Database: http://ift.tt/2elIdB2
X-Force Database: http://ift.tt/2iJI27r
X-Force Database: http://ift.tt/2elF3Nw

The post IBM Security Bulletin: Vulnerabilities in kernel affect Power Hardware Management Console appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2iJI3bv

IBM Security Bulletin: Vulnerability in libtirpc affects Power Hardware Management Console (CVE-2017-8779)

libtirpc is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVE.

CVE(s): CVE-2017-8779

Affected product(s) and affected version(s):

Power HMC V8.4.0.0
Power HMC V8.5.0.0
Power HMC V8.6.0.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2elI8NK
X-Force Database: http://ift.tt/2eTsjBt

The post IBM Security Bulletin: Vulnerability in libtirpc affects Power Hardware Management Console (CVE-2017-8779) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2elI9kM

IBM Security Bulletin: Vulnerabilities in BIND affect Power Hardware Management Console

BIND is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.

CVE(s): CVE-2017-3136, CVE-2017-3137, CVE-2017-3138, CVE-2017-3139, CVE-2017-3142, CVE-2017-3143

Affected product(s) and affected version(s):

Power HMC V8.4.0.0
Power HMC V8.5.0.0
Power HMC V8.6.0.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2iJHT3T
X-Force Database: http://ift.tt/2q2NYu4
X-Force Database: http://ift.tt/2pzgwZi
X-Force Database: http://ift.tt/2pyZomr
X-Force Database: http://ift.tt/2t2tHHQ
X-Force Database: http://ift.tt/2v5WKuc
X-Force Database: http://ift.tt/2tJHrDP

The post IBM Security Bulletin: Vulnerabilities in BIND affect Power Hardware Management Console appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2elET8S

IBM Security Bulletin: IBM PowerVC is impacted by python oslo.middleware package information disclosure (CVE-2017-2592)

IBM PowerVC may disclose some sensitive values in an error message.

CVE(s): CVE-2017-2592

Affected product(s) and affected version(s):

PowerVC Standard Edition 1.3.1.x

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2iJHQVL
X-Force Database: http://ift.tt/2elEPpE

The post IBM Security Bulletin: IBM PowerVC is impacted by python oslo.middleware package information disclosure (CVE-2017-2592) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2iKniwn

IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance server-side request forgery (CVE-2017-7200)

IBM PowerVC may disclose some sensitive information while creating images with ‘copy_from’ feature in the v1 Image Service API.

CVE(s): CVE-2017-7200

Affected product(s) and affected version(s):

PowerVC Standard Edition 1.3.1.x
PowerVC Standard Edition 1.3.2.x

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2gs4Ish
X-Force Database: http://ift.tt/2eHk4oY

The post IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance server-side request forgery (CVE-2017-7200) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2gt1sNa

White Ops, Trade Desk partner to tackle ad fraud


White Ops and The Trade Desk have announced a new deal which aims to prevent malvertising and fraudulent ads from causing businesses losses in revenue.

On Thursday, the companies said the "landmark" agreement "completely changes how the advertising industry tackles fraud" by going back to the basics with human control at the end of each impression served.

Malvertising and fraudulent ads, which lead to click fraud and data theft or are used by bots to generate fraudulent revenue for cyberattackers, are unfortunately a serious issue for marketers, companies, and the general public alike.

Businesses face revenue loss in the face of ad-click fraud, and reputations can take a hit when fake ads slip through ad network nets, such as in the case of the Daily Mail, in which millions of readers were exposed to the Angler exploit kit thanks to a malicious ad.

This type of criminal activity is popular because an attacker who gets a malicious ad accepted by a legitimate network is handed not only potentially millions of viewers as victims but also the network's trust.

Earlier this year, White Ops and ANA released the latest Bot Baseline report, which claimed US companies will face a loss of roughly $6.5 billion this year, which is down 10 percent from approximately $7.2 billion in 2016.

A large segment of such loss is due to fake impressions being accepted and served.

White Ops and The Trade Desk believe that removing complete reliance on unverified automated buying may be the key to the problem: each impression is to be verified as human-driven before it is bought, so that malvertising and fake impressions stay off the books.

White Ops' Human Verification technology, as the name suggests, checks whether a human, rather than a bot, is at the other end of an ad impression request before the impression is released.

The deal ensures that every impression served through The Trade Desk that runs through White Ops will be checked in real-time to prevent the purchase of fraudulent impressions.

The companies will co-run servers and data centers to scan biddable ad impressions. If non-human impressions, classed as "Sophisticated Invalid Traffic" (SIVT), are detected, the impression will be blocked, which should keep companies from losing ad revenue to them.

"White Ops is a cyber security firm that is focused on one thing -- validating whether a human is on the other end of every online interaction," said Sandeep Swadia, CEO of White Ops. "This initiative is the first ever to use White Ops' Human Verification technology across an advertising platform."

"Given The Trade Desk's reach, we believe this partnership will be great for the industry and will make a significant dent in the cybercriminals' economics," Swadia added.




from Latest Topic for ZDNet in... http://ift.tt/2vv404f

AngelFire: CIA Malware Infects System Boot Sector to Hack Windows PCs


A team of hackers at the CIA, the Central Intelligence Agency, allegedly used a Windows hacking tool against its targets to gain persistent remote access.

As part of its Vault 7 leaks, WikiLeaks today revealed details about a new implant developed by the CIA, dubbed AngelFire, to target computers running the Windows operating system.

The AngelFire framework implants a persistent backdoor on target Windows computers by modifying the partition boot sector.

The AngelFire framework consists of the following five components:

1. Solartime: modifies the partition boot sector to load and execute Wolfcreek (kernel code) every time the system boots.

2. Wolfcreek: a self-loading driver (the kernel code that Solartime executes) that loads other drivers and user-mode applications.

3. Keystone: a component that uses DLL injection to run the malicious user-mode applications directly in system memory without dropping them to the file system.

4. BadMFS: a covert file system that attempts to install itself in non-partitioned space on the targeted computer and stores all the drivers and implants that Wolfcreek starts.

5. Windows Transitory File system: a newer method of installing AngelFire that lets the CIA operator create transitory files for specific tasks, such as adding and removing files from AngelFire, rather than laying independent components on disk.

According to a user manual leaked by WikiLeaks, AngelFire requires administrative privileges on a target computer for successful installation.

The 32-bit version of the implant works against Windows XP and Windows 7, while the 64-bit implant targets Windows Server 2008 R2 and Windows 7.
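The check below is an added example, not code from The Hacker News article or from the leaked AngelFire documentation, which say only that Solartime modifies the partition boot sector. It parses the NTFS volume boot record layout assumed here (jump instruction at bytes 0-2, OEM ID at 3-10, BIOS parameter block through byte 83, bootstrap code at 84-509, 0x55AA signature at 510-511) and compares the bootstrap-code region of a captured sector with a known-good hash, the kind of baseline check that catches a boot-sector loader hook regardless of what the hook goes on to load. All sectors in the block are constructed for the example.

```python
"""Added example (not from the article or the leaked documents): baseline check
of an NTFS volume boot record against a known-good bootstrap-code hash.
The sectors used here are constructed."""
import hashlib
import struct

SECTOR = 512
OEM_NTFS = b"NTFS    "
CODE_START, CODE_END = 84, 510          # bootstrap code region of an NTFS VBR (assumed layout)
SIGNATURE = b"\x55\xaa"


def parse_vbr(sector: bytes) -> dict:
    """Split one 512-byte VBR into the fields the check cares about."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    return {
        "jump": sector[0:3],
        "oem": sector[3:11],
        "bytes_per_sector": struct.unpack_from("<H", sector, 11)[0],
        "sectors_per_cluster": sector[13],
        # Hash only the code: the BPB legitimately differs per volume, the
        # bootstrap code for a given Windows release does not.
        "code_sha256": hashlib.sha256(sector[CODE_START:CODE_END]).hexdigest(),
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def check_vbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the VBR matches the baseline."""
    info = parse_vbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["oem"] != OEM_NTFS:
        findings.append("OEM ID is not NTFS: %r" % info["oem"])
    if info["jump"][0] not in (0xEB, 0xE9):
        findings.append("first byte is not a JMP (0x%02x)" % info["jump"][0])
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    return findings


def make_sector(code: bytes) -> bytes:
    """Construct an NTFS-like VBR: standard short jump + OEM ID, a minimal BPB
    (512 bytes/sector, 8 sectors/cluster, rest zero), the given code, signature."""
    code = code.ljust(CODE_END - CODE_START, b"\x00")[:CODE_END - CODE_START]
    bpb = struct.pack("<HBH", 512, 8, 0) + b"\x00" * 68     # bytes 11..83
    return b"\xeb\x52\x90" + OEM_NTFS + bpb + code + SIGNATURE


# Constructed "known good" sector: placeholder code bytes, not real boot code.
CLEAN_VBR = make_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 40)
BASELINE = parse_vbr(CLEAN_VBR)["code_sha256"]

# Constructed tampered copy: identical BPB and signature, but the start of the
# bootstrap code replaced with a near jump, as a loader hook would do.
_t = bytearray(CLEAN_VBR)
_t[CODE_START:CODE_START + 3] = b"\xe9\x00\x01"
TAMPERED_VBR = bytes(_t)

if __name__ == "__main__":
    print("clean:   ", check_vbr(CLEAN_VBR, BASELINE) or "matches baseline")
    print("tampered:", check_vbr(TAMPERED_VBR, BASELINE))
```

On Linux the sector of an NTFS partition is captured with `dd if=/dev/sdX2 bs=512 count=1`, and the baseline hash should be recorded from a freshly installed machine of the same Windows release. Because the article describes a kernel-mode component (Wolfcreek) being loaded from the modified sector, take the suspect sector from an offline disk image or after booting trusted media: a live rootkit can filter raw disk reads and hand back the original bytes.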

Previous Vault 7 CIA Leaks

Last week, WikiLeaks published another CIA project, dubbed ExpressLane, which detailed the software that CIA agents used to spy on their intelligence partners around the world, including the FBI, DHS and the NSA.

Since March, WikiLeaks has published 22 batches of the "Vault 7" series, which includes this week's and last week's leaks, along with the following batches:

  • CouchPotato — A CIA project that revealed its ability to spy on video streams remotely in real-time.
  • Dumbo — A CIA project that disclosed its ability to hijack and manipulate webcams and microphones to corrupt or delete recordings.
  • Imperial — A CIA project that revealed details of 3 CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux OS.
  • UCL/Raytheon — An alleged CIA contractor that analysed in-the-wild advanced malware and submitted at least five reports to the agency for help it develops its malware.
  • Highrise — An alleged CIA project that allowed the US agency to stealthy collect and forward stolen data from compromised smartphones to its server via SMS messages.
  • BothanSpy and Gyrfalcon — Two alleged CIA implants that allowed the spy agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux computers using different attack vectors.
  • OutlawCountry — An alleged CIA project that allowed the agency to hack and remotely spy on computers running Linux operating systems.
  • ELSA — Alleged CIA malware that tracks geo-location of targeted laptops and computers running the Microsoft Windows OS.
  • Brutal Kangaroo — A tool suite for Microsoft Windows OS used by the CIA agents to target closed networks or air-gap computers within an organisation or enterprise without requiring any direct access.
  • Cherry Blossom — A framework employed by the agency to monitor the Internet activity of the targeted systems by exploiting flaws in Wi-Fi devices.
  • Pandemic — A CIA project that allowed the spying agency to turn Windows file servers into covert attack machines that can silently infect other PCs of interest inside the same network.
  • Athena — A spyware framework that the agency designed to take full control over infected Windows systems remotely, and which works against every version of Windows OS, from Windows XP to Windows 10.
  • AfterMidnight and Assassin — Two alleged CIA malware frameworks for the Microsoft Windows platform that are meant to monitor and report back actions on the infected remote host PC and execute malicious actions.
  • Archimedes — Man-in-the-middle (MitM) attack tool allegedly developed by the agency to target computers inside a Local Area Network (LAN).
  • Scribbles — Software allegedly designed to embed 'web beacons' into confidential documents, allowing the CIA agents to track insiders and whistleblowers.
  • Grasshopper — A framework which allowed the spying agency to easily create custom malware for breaking into Microsoft's Windows OS and bypassing antivirus protection.
  • Marble — Source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
  • Dark Matter — Hacking exploits the spying agency designed to target iPhones and Macs.
  • Weeping Angel — Spying tool used by CIA agents to infiltrate smart TVs, transforming them into covert microphones.
  • Year Zero — CIA hacking exploits for popular hardware and software.


from The Hacker News http://ift.tt/2elB1oB

This giant ransomware campaign just sent millions of malware-spreading emails

Image (AppRiver): Locky decryptor page. Over 23 million emails containing Locky were sent in a short amount of time.

Once considered almost dead, Locky ransomware has continued its resurgence with a new email distribution campaign which researchers say is one of the largest malware campaigns of this half of the year.

Over 23 million messages containing Locky were sent in just 24 hours on 28 August, with the attacks spiking in time to hit US workers as they arrived at their desks on Monday morning.

The new campaign was discovered by researchers at AppRiver, who say it represents "one of the largest malware campaigns seen in the latter half of 2017".

Millions of emails were sent with subjects such as 'please print', 'documents' and 'scans' in an effort to spread Locky ransomware.

The malware payload was hidden in a ZIP file containing a Visual Basic Script (VBS) file which, if clicked, downloads the latest version of Locky ransomware - the recently spotted Lukitus variant - and encrypts all the files on the infected computer.

Image (AppRiver): Locky distribution email.

While the delivery method might seem basic, it's worth remembering that only a handful of the millions of messages sent need to successfully deliver the malicious payload to provide the attackers with a significant profit.

Victims unfortunate enough to succumb to Locky are presented with a ransom note demanding 0.5 Bitcoin [$2,300/£1,800] for "special software" in the form of a "Locky decryptor" in order to get their files back.

Instructions on downloading and installing the Tor browser and how to buy Bitcoin are provided by the attackers in order to ensure victims can make the payment.

See also: Ransomware: An executive guide to one of the biggest menaces on the web

Unfortunately for victims of Locky, researchers are yet to crack the latest version of the ransomware in order to provide free decryption tools.

Locky is one of the most successful families of ransomware of all time, rising to prominence during 2016 following a number of high profile infection incidents. Indeed, Locky was so successful that at one point it was one of the most common forms of malware in its own right.

But Locky has since had its position of king of ransomware usurped by Cerber, although this sudden resurgence shows that it remains very much a threat, especially as there isn't a free decryption tool available to come to the aid of infected victims.

This isn't the first time Locky has reappeared after a period of inactivity - the ransomware appeared to stop spreading in December last year before coming back to life in January.

While it has never reached the scale it had last year, those behind Locky are still working on it to add new tricks to make it stronger and easier to spread, meaning it still poses a threat.




from Latest Topic for ZDNet in... http://ift.tt/2wLwmqN

As enterprise security concerns grow, a tailwind emerges for Box



When cloud computing first took off, the least regulated industries were some of the first to get on board, given they had fewer privacy or security concerns to consider. Since then, however, that dynamic has effectively been turned on its head, argues Box CEO and co-founder Aaron Levie.

"Security in the cloud has generally exceeded security and privacy and compliance solutions for on-premise environments," Levie said to ZDNet, "almost forcing regulated industries to move to the cloud much more quickly."


To differentiate itself in the cloud content management business, Box has focused heavily on building up security and compliance offerings. On Wednesday, the company posted solid second quarter financial results that demonstrated how the strategy has paid off. Its largest European transaction for the quarter came from the Metropolitan Police of London.

"We're seeing some of our fastest growth in industries that are the most regulated and most security-conscious," Levie said, citing business in the life sciences and financial services sectors, along with government. "Initially, that would've been counterintuitive."

Increasing security, privacy and compliance concerns -- driven in part by new regulations like the GDPR -- should particularly help Box win companies that are multinational or headquartered outside of the US, Levie suggested on Wednesday's earnings conference call.

"In general, we see a significant amount of headwind for large enterprises, having to deal with all of the varied compliance in privacy challenges of just operating a global business today in the digital age," he said on the call. "So that headwind for a customer, becomes a tailwind for us."

Box plans to add to its advantage in this space with its new investments in artificial intelligence. So far, the company has teamed up with Google to bring computer vision capabilities to its platform, but Levie said AI will be useful for more than just data management.

"Applying AI to content security and in a compliance-oriented way is incredibly hard and something we have a pretty significant amount of focus on," he told ZDNet. "We're pretty excited what machine learning and artificial intelligence will do to further our differentiation in this market."



from Latest Topic for ZDNet in... http://ift.tt/2vIa45h

HackerOne aims to pay bug bounty hunters $100 million by 2020

(Image: file photo)

HackerOne believes that by 2020, ethical hackers will have earned themselves $100 million in bug bounties through the platform.

In recent years, bug bounty schemes have become a popular method for companies to find the talent needed to discover and fix security flaws in their platforms and products.

With so many companies clamoring to gain the attention of a limited pool of skilled security professionals and enthusiasts, simply receiving credit for finding an issue is not always enough of a lure.

Bug bounties are a way to dangle the financial carrot, issue credit where it is due, and open up a line of communication between ethical hackers and companies.

To plug the gap between companies which had no established bug bounty systems in place and researchers who wanted to be paid for their efforts, HackerOne has gained quite a following, with hundreds of companies using the service to run their own programs -- and some using interesting tactics to keep the ball rolling.

Uber, for example, uses a virtual treasure map to help hackers uncover vulnerabilities and runs a loyalty program to keep researchers keen, while Shopify and GitHub boosted payouts this year for extra coverage. In addition, Zenefits sponsored an event at Black Hat this year that offered double bounties to those attending the conference in Vegas.

In a blog post on Wednesday, HackerOne CEO Marten Mickos outlined the success so far of these programs, through which over 50,000 vulnerabilities have been found and fixed.

There are over 100,000 hackers registered with HackerOne, and over $20 million has been paid so far in bounties. By 2020, the company predicts that $100 million will be issued in rewards for resolving 200,000 bugs, and potentially over one million hackers will be registered with the program.

While difficult to predict, Mickos estimates that 16,000 of these vulnerabilities will be critical issues.

"Let's further assume that every 10th of those critical vulnerabilities could have led to a data breach or costly security incident if left unfixed," the executive says. "Knowing that the average cost of a data breach is $7 million in the US, we can estimate a total saving of around $10 billion dollars."

According to HackerOne, some of the most successful hackers on the platform are earning more than 18 times the salary of an average software engineer in their home countries, and with such financial rewards to be had, the success of such programs is likely to continue.

"The bounties hackers are awarded for their contributions to a safer internet are changing lives," Mickos says. "They are paying for education, supporting their families, buying homes and cars, and building a future that may not have been possible otherwise."

"Through the relationships with security teams, hackers are starting new careers and building fantastic skills and resumes. The future is brighter when we work together," he added.




from Latest Topic for ZDNet in... http://ift.tt/2elnpcK

Singapore focus on critical infrastructures essential to public safety


Singapore's emphasis on the security of its critical infrastructures is necessary to safeguard general public safety and to compel these systems to keep pace with the current security landscape.

The country's proposed cybersecurity bill, unveiled last month, outlined measures to protect local critical information infrastructures (CIIs) and ensure swift response to threats and incidents. It listed 11 "essential services" sectors considered to operate CIIs: water, healthcare, maritime, media, infocommunications, energy, banking and finance, security and emergency services, land transport, aviation, and the government.

The bill formalised the duties of CII operators, detailing their responsibilities that included providing information on the technical architecture of the CII, carrying out regular risk assessments of the CII, complying with codes of practice, and reporting of cybersecurity incidents "within the prescribed period" after the event.

The focus on CII was especially important since many such systems, such as water and power, were typically built to last a long time, said Foo Tsiang-Tse, managing director of Singapore-based cybersecurity vendor Quann. He pointed to 2016 reports that the US Pentagon was still using computing systems that required eight-inch floppy disks.

Infrastructures in these industries often had not caught up with the technology currently used in other sectors, even though system availability for these networks was especially critical, Foo said in an interview with ZDNet.

He underscored the need for heightened awareness of where vulnerabilities were, and for CII owners to perform vulnerability assessments of their systems so potential leakages could be identified and plugged.

He also pointed to the need to monitor operational technology (OT) systems, so operators were aware of abnormalities. "OT systems are expected to run in a stable and consistent manner, so if something is out of the ordinary, sensors should be able to pick it up, including things like port scanning," he said. A big part of Quann's products and services focused on OT, which Gartner defined as hardware and software that detected or triggered a change through direct monitoring or control of physical devices within an organisation.

In addition, CII systems such as telecommunication infrastructures were critical in ensuring public safety networks, used by first responder and emergency services, remained up and running.

In recent years, such networks had advanced alongside improvements in LTE coverage. Citing ABI Research, Sandeep Girotra, Nokia's Asia-Pacific Japan senior vice president, said LTE-based public safety networks were already at more advanced stages in developed nations and were expected to be in most markets by 2020.

Public safety networks required special considerations that were not necessarily supported by regular enterprise mobile networks, such as mission critical communications after a natural disaster, Girotra told ZDNet. Instant video connectivity needed for CCTV surveillance, too, had much higher requirements for capacity and speed.

"Public safety communications need to be given priority over any other voice or data traffic in busy 4G LTE networks," he said. "A vital step in the transition towards LTE-based public safety networks is to give priority to first responders and their command centres, allowing them to share mission-critical information in emergency situations."

He added that LTE-based public safety networks would further benefit from running on the same frequency bands as commercial LTE networks, so devices that supported the latter could continue to operate in an emergency situation.

Never assume you won't be breached

Girotra noted that while Singapore had been ramping up its efforts in cybersecurity, recent breaches involving the Ministry of Defense and local universities indicated the country would continue to face continuous threats.

Vulnerabilities could emerge from the lack of a comprehensive security strategy that encompassed all network layers, applications, and devices. These, he said, should include network design and integration, optimisation, and management. Scalability, in particular, was critical, he said, adding that public safety features should be available as software upgrades so networks could support future requirements.

More importantly, Foo urged, countries and organisations must adopt a security-by-design mindset and ensure any IT or operating system was developed with cybersecurity topmost in mind.

"You can design an architecture so that it reduces the threat surface and build in sensors to monitor critical systems as well as put in place emergency response plans," he explained, adding that such plans also should be regularly practised and tested.

He also stressed the need for Asia-Pacific markets, in particular, to change and stop assuming they could prevent breaches. He noted how, in matured digital economies such as North America, there was general acceptance that security breaches would occur and the focus then was on how to deal with such incidents.

Asia, though, mostly took on a different mindset and focused instead on prevention, he said. This could have harmful spillover effects where, for instance, organisations that adopted such thinking might not put sufficient effort into ensuring they implemented a well thought-out emergency response action plan, Foo warned.

He revealed that he still encountered customers in Singapore that subscribed to the mantra to "make sure we don't get breached".

He further underscored the need to adopt security by design as the country pushed on with its smart nation efforts, especially as testbeds and trials were rolled out.

The challenge here would be that security might end up as an afterthought, Foo said, noting that various government agencies and companies would be involved in such pilots, each with different priorities and considerations for security.

Girotra also stressed the need for Singapore to regard security as a critical factor in driving its smart nation vision, especially since robust networks were needed to support millions of connected devices and user experience across different industries.

Emerging technologies, too, could be integrated to beef up capabilities in public safety. Drones, for instance, could be used in floods and earthquakes to stream video and other sensor data in real-time from the disaster area to control centres as well as assist in rescue operations, said Girotra.

He noted that wearable technology also could help ensure the safety of first responders and emergency services personnel, providing valuable information about their surroundings and improving their situational awareness where visibility might be limited.

In addition, data sensors would facilitate real-time monitoring and predictive maintenance of equipment, while remotely controlled autonomous robots could be deployed to identify problems in tasks that would otherwise be challenging or dangerous for humans to perform.



from Latest Topic for ZDNet in... http://ift.tt/2wpMpb6

Essential apologizes for 'humiliating' customer data leak

(Image: Essential)

Essential founder and CEO Andy Rubin has apologized for a "humiliating" security failure which led to the leak of information belonging to customers.

Essential touts itself as "creating solutions for the way people live in the 21st century," and the firm's first offering, a modular smartphone, is designed to stand out from the competition by eradicating bloatware and offering long battery life.

With shipments winging their way to customers, Essential made a catastrophic and frankly sloppy mistake which has placed the personal data of customers at risk.

On Wednesday, the CEO said in a blog post that yesterday, information belonging to roughly 70 customers was accidentally shared with other customers.

It was not just email addresses and names, however. In some cases, driver's licenses and IDs were also freely shared.

This week, early adopters of Essential smartphones warned on Reddit that an email claiming to be from the company was asking for sensitive documents, such as copies of IDs and driver licenses, to verify their subscriptions.

In part, the email said:

"Our order review team requires additional verifying information to complete the processing of your recent order. [..] Please provide an alternative email and phone number to confirm this purchase.

We would like to request a picture of a photo ID (e.g. driver's license, state ID, passport) clearly showing your photo, signature and address."

Many believed this to be a phishing scheme, specially crafted for new Essential customers and designed to steal their sensitive data.

As one Reddit user noted, "no company in their right mind (at least none that want to stay in business) would ever send an email asking for personal details like an ID/Passport," however, Rubin has since admitted it was the company's error and not a threat actor.

To make matters worse, those who replied were pinged through a poorly-configured Zendesk setup, which CC'ed responses to other customers.

"Being a founder in an intensely competitive business means you occasionally have to eat crow," Rubin said. "It's humiliating, it doesn't taste good, and often, it's a humbling experience. As Essential's founder and CEO, I'm personally responsible for this error and will try my best to not repeat it."

"We have disabled the misconfigured account and have taken steps internally to add safeguards against this happening again in the future," the executive added.

In an attempt to keep customers sweet and show that they are taking the security issue seriously, the company is offering impacted customers a year of LifeLock, an identity theft protection service, for free.

For a new company to make such a daft mistake, this may not be enough -- although the executive also said on Twitter that free phones may be in the pipeline, too.


"I remain heartened and motivated by the groundswell of support that Essential has experienced since unveiling the company on May 30th," Rubin says. "We continue to believe deeply in our vision and the innovation we are bringing to life via our Home, Phone and 360 Camera products. I humbly thank our customers and channel partners for your patience and understanding as we proceed with the launch of our first products."

It isn't good enough, especially for a company looking to take on established players such as Apple, Samsung, and Huawei. We will have to wait and see if Essential learns from its mistake.




from Latest Topic for ZDNet in... http://ift.tt/2eH05qt

Instagram Suffers Data Breach! Hacker Stole Contact Info of High-Profile Users


Instagram has recently suffered a possibly serious data breach with hackers gaining access to the phone numbers and email addresses for many "high-profile" users.

The 700 million-user-strong, Facebook-owned photo sharing service has notified all of its verified users that an unknown hacker has accessed some of their profile data, including email addresses and phone numbers, using a bug in Instagram.

The flaw actually resides in Instagram's application programming interface (API), which the service uses to communicate with other apps.

Although the company did not reveal any details about the Instagram's API flaw, it assured its users that the bug has now been patched and its security team is further investigating the incident.

"We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users' contact information—specifically email address and phone number—by exploiting a bug in an Instagram API," Instagram said in a statement. 
"No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation."

Instagram declined to name the high-profile users targeted in the breach, but the news comes two days after an unknown hacker hijacked the most-followed Instagram account, belonging to Selena Gomez, and posted nude photographs of her ex-boyfriend Justin Bieber.

Selena's Instagram account, with over 125 million followers, was restored later in the day and the photos were removed.

However, Instagram did not mention if the recent data breach was related to Selena's hacked account.

With email addresses and phone numbers in their hands, the hackers' next step could be to use the information in tandem with social engineering techniques in an effort to gain access to verified users' Instagram accounts and embarrass them.

The company notified all verified users of the issue via an email and also encouraged them to be cautious if they receive suspicious or unrecognised phone calls, text messages, or emails.

Instagram users are also strongly advised to enable two-factor authentication on their accounts and to always secure them with a strong, unique password.

Also, avoid clicking on any suspicious link or attachment received via email, and avoid providing personal or financial information without properly verifying the source.



from The Hacker News http://ift.tt/2wqgKXa

New ransomware poses the greatest danger to enterprises

The ransomware landscape changed dramatically in 2017, with enterprises bearing the brunt of the damage caused by new self-propagating ransomware such as WannaCry and Petya.


from Symantec Connect - Securi... http://ift.tt/2erV3kS

Oops! WikiLeaks Website Defaced By OurMine


OurMine is in the headlines once again, this time for defacing the WikiLeaks website.

The notorious hacking group, OurMine, is known for breaking into the social media accounts of high-profile figures and companies, including Facebook CEO Mark Zuckerberg, Twitter CEO Jack Dorsey, Google CEO Sundar Pichai, HBO, Game of Thrones and Sony's PlayStation Network (PSN).

According to screenshots circulating on Twitter, the official website of WikiLeaks has reportedly been defaced by the OurMine hacking group, who left a message on the site, as shown above.

WikiLeaks is a whistleblowing website that, since March, has been revealing top CIA hacking secrets under Vault 7, including the agency's ability to break into different mobile and desktop platforms, security camera live video streams, air-gapped computers and many more.

There is no indication that WikiLeaks' servers or website were compromised; instead, it seems the website was redirected to a hacker-controlled server using a DNS poisoning attack.

In a DNS poisoning attack, also known as DNS spoofing, an attacker gains control of the DNS server and changes the name-server values in order to divert Internet traffic to a malicious IP address.

Shortly after the defacement, the site administrators regained access to their DNS server and at the time of writing, the WikiLeaks website is back online from its official legitimate servers.

OurMine is a Saudi Arabian group of hackers that claims to be a "white hat" security firm.

The group markets itself by taking over social media accounts of high-profile targets and then encourages them to contact the hacking group to buy its IT security service in an effort to protect themselves from future cyber attacks.



from The Hacker News http://ift.tt/2eledoE

Wednesday, August 30, 2017

Enterprises (especially retail, hospitality) struggle with payment card data security standards


Enterprises are complying with the Payment Card Industry Data Security Standard (PCI DSS) more, but the number of organizations in compliance is still low enough to leave the door open for cyberattacks, according to Verizon.

First, the good news. According to the Verizon 2017 Payment Security Report, 55.4 percent of organizations complied with PCI when validated in 2016, up from 48.4 percent in 2015. However, maintaining compliance is an issue, said Verizon.

And there are still 44.6 percent of organizations such as retailers, restaurants and hotels not up to PCI standards. PCI DSS standards are there to allow businesses to take card payments and protect systems from cardholder data breaches. The requirements include items such as firewalls, data in transit controls, encryption and authentication.

That lack of compliance is notable because, of all the payment card data breaches investigated by Verizon, no organization was fully compliant at the time of the breach. Simply put, PCI DSS compliance is directly linked to data breaches.

Also: Ransomware incidents surge, education a hot bed for data breaches, according to Verizon

Meanwhile, of the companies that pass validation, almost half fall out of PCI DSS compliance within a year.

Key items from the Verizon payment security report:

  • The IT services industry had the highest full PCI DSS compliance with 61.3 percent fully compliant during interim validation.
  • 59.1 percent of financial services organizations were fully compliant, but many struggled with security procedures, configurations, vulnerability management and overall risk.
  • 50 percent of retailers and 42.9 percent of hospitality organizations were PCI DSS compliant. Retailers struggled with security testing, encrypted data transmissions and authentication, while hospitality and travel groups struggled with security hardening, protecting data in transit and physical security.
  • 13 percent of companies failed interim assessments due to absent controls.

Verizon added that enterprises need to consolidate security controls for easier management, develop expertise among their people, maintain internal controls and interlink them, and automate.



from Latest Topic for ZDNet in... http://ift.tt/2xOTDoK

Instagram API found leaking 'high-profile' email addresses and phone numbers


Instagram has alerted all its verified users of unlawful access to phone and email contact information for its "high-profile" users thanks to a buggy API.

The company said no passwords were accessed, it quickly fixed the bug, and is conducting an investigation into the incident.

"At this point we believe this effort was targeted at high-profile users," the photo-sharing site said in its alert. "We encourage you to be extra vigilant about the security of your account and exercise caution if you encounter any suspicious activity such as unrecognized incoming calls, texts, and emails."

"Your experience on Instagram is important to us, and we are sorry this happened."

In June, it was discovered a hacking group was controlling its malware via comments on Britney Spears' Instagram account.

A fake Firefox extension would search a specific Instagram post to work out where the malware's command and control server was located, security researchers at Eset said.

"The extension uses a bit.ly URL to reach its [server], but the URL path is nowhere to be found in the extension code. In fact, it will obtain this path by using comments posted on a specific Instagram post," the researchers said.

"The extension will look at each photo's comment and will compute a custom hash value."

The same month, the Facebook-owned company was used, without its knowledge, as a recruiting tool to lure people into a bank fraud scheme.

Suspects posted bank photos to Instagram and sought people to "like" their posts. When people responded, they were asked to give away their account information in exchange for a cut of the money the suspects planned to steal from the banks.



from Latest Topic for ZDNet in... http://ift.tt/2grb1w8

Albanian domain registrar kicks Neo-Nazi site Daily Stormer offline

(Image: file photo)

The Daily Stormer is offline -- again.

The controversial racist and neo-Nazi website was kicked off the internet by its most recent domain registrar, just hours after the site's owner Andrew Anglin announced that the site was once again online.

Host.al, an Albanian domain registrar, confirmed in an email to ZDNet that it has "blocked" the site after receiving complaints. The company said it had also seen "a number of tweets" pointing at the issue.

Members of the Anonymous Albania collective had reportedly contacted the domain registrar.

"Domains that incite racism, hatred or crime are not allowed in the .al zone," said a registrar spokesperson.

According to the rules (available in English) that govern the .al top-level domain zone, sites that contain "abusive, insulting, racist names, words related to crimes or misbehavior and those that conflict with the good customs and traditions" can be blocked.

"As a side note, Albania has been one of the countries that has always taken a stand against racism," the spokesperson added. "During WW2, Albania was a safe haven for many Jewish refugees from other countries."

The Daily Stormer was pulled offline around 12:30pm ET.

At the time of writing, the site was still available in the US, but was down in the UK and parts of Europe -- likely a result of slow propagation through the global domain name system.

Anglin did not respond to a request for comment.

It's the latest internet drop-off in recent weeks, after the site promoted a white supremacist rally in Charlottesville, Virginia, in which a protester was killed.

The site was first dropped by its domain registrar GoDaddy for violating its terms of service, and then Google also canceled the site's service later that same day. Cloudflare, a long-standing advocate of free speech and of not picking and choosing its customers, also pulled its protection services from the site, leaving it vulnerable to denial-of-service attacks.

The site eventually moved to the dark web as a Tor hidden service, reachable only through the Tor anonymity network.

Gizmodo reported Monday that Stormfront, a long-standing neo-Nazi website, had also been knocked offline. Its domain registrar, a division of Web.com, said that after two decades of service, Stormfront was in "clear violation" of the company's acceptable use policies.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.


from Latest Topic for ZDNet in... http://ift.tt/2gqM5oJ

Vulnerability Spotlight: Multiple Gdk-Pixbuf Vulnerabilities

Today, Talos is disclosing two remote code execution vulnerabilities identified in the Gdk-Pixbuf toolkit. This toolkit is used by multiple desktop applications, including Chromium, Firefox, the GNOME thumbnailer, VLC and others. Exploiting these vulnerabilities allows an attacker to gain full control over the victim's machine. If an attacker builds a specially […]

from Cisco Blog » Security http://ift.tt/2vsP4Uj

USN-3407-1: PyJWT vulnerability

Ubuntu Security Notice USN-3407-1

30th August, 2017

pyjwt vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS

Summary

PyJWT could be made to accept forged tokens if it received specially crafted input.

Software description

  • pyjwt - Python implementation of JSON Web Token

Details

It was discovered that PyJWT did not check its invalid_strings deny-list
properly for some public key formats when preparing an HMAC key. A remote
attacker could take advantage of this key confusion, using a public key as
the HMAC secret, to craft valid JWTs from scratch.
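To show the class of bug the Details section describes, here is an added example, written for this page in stdlib Python and not taken from PyJWT or from the advisory. A server is configured with an RSA public key for RS256 tokens; an attacker who holds that public key signs a token with HS256, using the PEM bytes as the HMAC secret. If the library hands the same key to whichever algorithm the token header names, and its invalid_strings check does not recognise the key's PEM envelope, the forgery verifies. The two deny-lists below are an assumption that models the check the advisory names, not PyJWT's actual source; the PEM key is a constructed stand-in containing no real key material.

```python
"""Algorithm/key confusion against HMAC-verified JWTs, modelled on the bug
class USN-3407-1 describes. Added example, stdlib only, not PyJWT's code."""
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the PKCS#1 PEM public key a server would use to
# verify RS256 tokens. Only the envelope matters here; the body is not a key.
SERVER_RSA_PUBLIC_KEY = (
    b"-----BEGIN RSA PUBLIC KEY-----\n"
    b"MIIBCgKCAQEAconstructed+not+a+real+key+body\n"
    b"-----END RSA PUBLIC KEY-----\n"
)

# Assumption: a deny-list like PyJWT's invalid_strings, which refuses obvious
# public-key material as an HMAC secret. The "before" list misses the PKCS#1
# envelope; the "after" list adds it.
INVALID_STRINGS_BEFORE = [
    b"-----BEGIN PUBLIC KEY-----",
    b"-----BEGIN CERTIFICATE-----",
    b"ssh-rsa",
]
INVALID_STRINGS_AFTER = INVALID_STRINGS_BEFORE + [b"-----BEGIN RSA PUBLIC KEY-----"]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hmac_prepare_key(key: bytes, invalid_strings) -> bytes:
    """Refuse keys that look like public-key material (the check the advisory names)."""
    for marker in invalid_strings:
        if marker in key:
            raise ValueError("public key material must not be used as an HMAC secret")
    return key


def hs256_sign(payload: dict, secret: bytes) -> str:
    """What the attacker runs: sign with HS256 using the server's public key as the secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def decode(token: str, key: bytes, algorithms, invalid_strings) -> dict:
    """Server-side verify. `algorithms` is the allow-list; the confusion bites when it
    contains HS256 alongside RS256, because the same `key` is handed to both."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in algorithms:
        raise ValueError(f"alg {alg!r} not permitted")
    if alg == "HS256":
        secret = hmac_prepare_key(key, invalid_strings)
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(payload_b64))
    # Genuine RS256 verification needs an RSA implementation and is not the
    # path the attacker steers into, so it is out of scope for this example.
    raise NotImplementedError("RS256 verification is not modelled here")


def run_demo() -> dict:
    """Forge a token with the public key and try it against three server configurations."""
    forged = hs256_sign({"sub": "admin", "role": "root"}, SERVER_RSA_PUBLIC_KEY)
    outcome = {}
    # 1. Old deny-list and an unpinned algorithms list: the forgery is accepted.
    outcome["unpatched_unpinned"] = decode(
        forged, SERVER_RSA_PUBLIC_KEY, ["RS256", "HS256"], INVALID_STRINGS_BEFORE)
    # 2. Patched deny-list: the key is refused before any HMAC is computed.
    try:
        decode(forged, SERVER_RSA_PUBLIC_KEY, ["RS256", "HS256"], INVALID_STRINGS_AFTER)
        outcome["patched_unpinned"] = "accepted"
    except ValueError as exc:
        outcome["patched_unpinned"] = f"rejected: {exc}"
    # 3. The application-level fix that works on any version: pin the algorithm.
    try:
        decode(forged, SERVER_RSA_PUBLIC_KEY, ["RS256"], INVALID_STRINGS_BEFORE)
        outcome["unpatched_pinned"] = "accepted"
    except ValueError as exc:
        outcome["unpatched_pinned"] = f"rejected: {exc}"
    return outcome


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Pinning the algorithm on the decode call (case 3) is the fix that does not depend on the library's deny-list being complete, and it belongs in application code whether or not the package is updated.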

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
python-jwt 1.4.2-1ubuntu0.1
python3-jwt 1.4.2-1ubuntu0.1
Ubuntu 16.04 LTS:
python-jwt 1.3.0-1ubuntu0.1
python3-jwt 1.3.0-1ubuntu0.1

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-11424



from Ubuntu Security Notices http://ift.tt/2wTFqKz

Gazer: A New Backdoor Targets Ministries and Embassies Worldwide


Security researchers at ESET have discovered a new malware campaign targeting consulates, ministries and embassies worldwide to spy on governments and diplomats.

Active since 2016, the campaign leverages a new backdoor, dubbed Gazer, and is believed to be the work of the Turla advanced persistent threat (APT) group, which has previously been linked to Russian intelligence.

Gazer is written in C++ and is delivered via spear-phishing emails. It hijacks targeted computers in two steps: the malware first drops the Skipper backdoor, which has previously been linked to Turla, and then installs the Gazer components.

In previous cyber-espionage campaigns, Turla used the Carbon and Kazuar backdoors as its second-stage malware; both share many similarities with Gazer, according to research [PDF] published by ESET.

Gazer receives encrypted commands from a remote command-and-control (C&C) server and evades detection by routing that traffic through compromised, legitimate websites (mostly running the WordPress CMS) that act as a proxy.

Instead of using the Windows Crypto API, Gazer uses custom 3DES and RSA implementations to encrypt data before sending it to the C&C server, a tactic the Turla group has used before.

Gazer uses a code-injection technique to take control of a machine and hide itself for long periods while stealing information.

Gazer backdoor also has the ability to forward commands received by one infected endpoint to the other infected machines on the same network.

So far ESET researchers have identified four different variants of the Gazer malware in the wild, primarily spying on Southeast European and former Soviet bloc political targets.

Interestingly, earlier versions of Gazer were signed with a valid code-signing certificate issued by Comodo to "Solid Loop Ltd", while the latest version is signed with a certificate issued to "Ultimate Computer Support Ltd."

According to researchers, Gazer has already managed to infect a number of targets worldwide, with the most victims being located in Europe.



from The Hacker News http://ift.tt/2woLiZ2

iOS 11's most underrated security feature? A password manager

Logging into Twitter and other apps with one tap. (Image: ZDNet)

iOS 11 comes with a new feature that could finally make passwords less annoying.

The iPhone and iPad software comes with a password manager, which lets users access their account details for apps and websites.

Whenever a login box appears -- including in apps -- a small key-prompt will appear, allowing the user to open their bank of passwords. The password manager is protected by the user's device passcode, or Touch ID if it's enabled, to prevent others from snooping.

In many cases, where there is just one set of credentials for an app or website, users are presented with their username or email address, and with one tap the login fields are populated with the password.

Many users who'll be new to iOS 11 will find that their password manager will already be populated with login information. That's because passwords that were saved in Safari -- either on older versions of iOS or their Macs -- are now stored in the iOS 11's password manager. The key difference is that the saved passwords now work within apps, too.

Password managers are increasingly popular because they take the effort out of remembering an entire set of account passwords across apps, websites, and services. In most cases, password managers encourage users to use strong, unique passwords, which stops attackers from reusing credentials stolen from one service to break into the same user's accounts elsewhere (credential stuffing).

Although the feature is a boon for personal user security, it won't be a death knell to other password managers -- many of which have far more security and privacy-focused features packed in than Apple's relatively barebones version. At the time of writing, for example, the password manager feature doesn't allow users to generate passwords, a feature of most other password managers.

Given that the iOS 11 software is still in pre-release mode, it's possible its functionality and feature set may change.

iOS 11 is set to be released alongside the upcoming iPhone 8 at an event slated for September 12.


from Latest Topic for ZDNet in... http://ift.tt/2xy4rIc

Stealthy malware targets embassies in snooping campaign

Image: iStock. The Turla hacking group is targeting undisclosed embassies with a new backdoor.

A notorious cyber-espionage operation is using a new tool to spy on embassies and consulates in Europe, according to security researchers.

Dubbed Gazer, the malware lets the group spy on infected Windows systems and takes care to cover its tracks by securely wiping files from compromised systems.

It was uncovered by researchers at security company ESET, who believe the tool has been used since 2016 and is highly likely to be the work of Turla, a well-known advanced persistent threat group. Researchers uncovered the snooping campaign when analysing a new malware sample that exhibited similarities with other Turla code analysed in the past.

The group is known to target government and diplomatic bodies - especially in Europe - using a combination of watering hole attacks and spear-phishing campaigns to infiltrate victims.

Gazer shares a number of similarities with previous Turla malware, including being written in C++ and being delivered in stages: a first-stage backdoor, often installed on another machine on the network, is used to drop the final, much stealthier payload.

This second-stage backdoor receives instructions from Turla's command-and-control servers, which use compromised, legitimate websites as a proxy. The backdoor also keeps its components in a virtual file system stored inside the Windows registry, which helps it evade antivirus defences that scan files on disk.

The exact number of victims compromised by Gazer in this way hasn't been revealed - nor have the specific targets been disclosed - but researchers say the number of detections is low, perhaps because the attackers usually try to only compromise specific systems.

"The tactics, techniques and procedures we've seen here are in-line what we typically see in Turla's operations," said Jean-Ian Boutin, Senior Malware Researcher at ESET. "Turla go to great lengths to avoid being detected on a system."

Those behind Gazer use their own customized cryptography in order to obfuscate the backdoors' actions and communications with a command and control server. This type of activity points to Turla being a highly advanced group - the operation has previously been linked to the Russian government.
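As an added hunting example, not code from ESET or ZDNet: the two Gazer articles above give one concrete, checkable handle on the malware, the signer names on its signed binaries, and also show that the name changed between variants. The script below runs two rules over constructed Sysmon image-load (event ID 7) records: an exact match on the signer names ESET reported, and a broader rule that flags any validly signed image loaded from a user-writable path by a signer outside an organisational allow-list, so the hunt does not depend on the next variant reusing the same name. The allow-list, the user-writable path list and the sample events are assumptions constructed for this example.

```python
"""Hunt over constructed Sysmon-style image-load events for the Gazer
tradecraft described in the two articles. Added example, not ESET's or
ZDNet's code; the events below are constructed, not real telemetry."""
import json

# Signer names ESET reported on Gazer samples (from the articles above).
GAZER_SIGNERS = {"solid loop ltd", "ultimate computer support ltd"}

# Assumption: this organisation's allow-list of expected code signers.
TRUSTED_SIGNERS = {"microsoft windows", "microsoft corporation"}

# Assumption: directories a standard user can write to. A validly signed
# image loaded from one of these by an unlisted signer deserves a look,
# because a name-only rule will not keep up with the next signer change.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed Sysmon event 7 (ImageLoad) records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\shell32.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Roaming\\Sys\\stage2.dll", "Signed": "true", "Signature": "Solid Loop Ltd", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\ProgramData\\Cache\\ucs.dll", "Signed": "true", "Signature": "Ultimate Computer Support Ltd", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\helper.dll", "Signed": "true", "Signature": "Some Other Vendor Inc", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\lib.dll", "Signed": "true", "Signature": "Some Other Vendor Inc", "SignatureStatus": "Valid"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
"""


def classify(event: dict):
    """Return (severity, reason) for a signed image-load event, or None."""
    if event.get("EventID") != 7 or event.get("Signed") != "true":
        return None
    signer = event.get("Signature", "").strip().lower()
    loaded = event.get("ImageLoaded", "").lower()
    if signer in GAZER_SIGNERS:
        return ("high", f"image signed by Gazer-associated signer {event['Signature']!r}")
    if signer not in TRUSTED_SIGNERS and any(d in loaded for d in USER_WRITABLE):
        return ("medium",
                f"validly signed image from user-writable path by unlisted signer {event['Signature']!r}")
    return None


def hunt(log_text: str):
    """Parse one JSON event per line and return (severity, image, reason) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            findings.append((verdict[0], event.get("ImageLoaded"), verdict[1]))
    return findings


if __name__ == "__main__":
    for severity, image, reason in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {reason}")
```

The medium-severity rule will be noisy on hosts that run legitimately signed third-party updaters out of AppData; tune TRUSTED_SIGNERS from a baseline of the fleet before alerting on it, and keep the high-severity signer match as a plain detection.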


from Latest Topic for ZDNet in... http://ift.tt/2gpG5MO

Businesses most at risk from new breed of ransomware

The ransomware landscape has shifted dramatically in 2017 and organizations bore the brunt of the damage caused by new, self-propagating threats such as WannaCry and Petya.

from Symantec Connect - Securi... http://ift.tt/2vJAov6

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Algo Credit Manager

There are multiple vulnerabilities in IBM® SDK, Java™ Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 40 and earlier releases and IBM SDK, Java Technology Edition, Version 8 Service Refresh 3 Fix Pack 12 and earlier releases used by IBM Algo Credit Manager. These issues were disclosed as part of the IBM Java SDK updates in July 2017.

CVE(s): CVE-2017-10115, CVE-2017-10078, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10116, CVE-2017-10087, CVE-2017-10089, CVE-2017-10107, CVE-2017-10110

Affected product(s) and affected version(s):

IBM Algo Credit Manager: 5.2 – 5.4

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2vEIA0o
X-Force Database: http://ift.tt/2xsr7ZC
X-Force Database: http://ift.tt/2wEm9Mt
X-Force Database: http://ift.tt/2x52Goj
X-Force Database: http://ift.tt/2x4LWxw
X-Force Database: http://ift.tt/2x4P6Bt
X-Force Database: http://ift.tt/2wyaY8O
X-Force Database: http://ift.tt/2x52GEP
X-Force Database: http://ift.tt/2vEW7Fc
X-Force Database: http://ift.tt/2vECPQw
X-Force Database: http://ift.tt/2x4P64r

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Algo Credit Manager appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2vEQJSJ

IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition

Java SE issues disclosed in the Oracle July 2017 Critical Patch Update, plus one additional vulnerability.

CVE(s): CVE-2017-10111, CVE-2017-10110, CVE-2017-10107, CVE-2017-10101, CVE-2017-10096, CVE-2017-10090, CVE-2017-10089, CVE-2017-10087, CVE-2017-10102, CVE-2017-10116, CVE-2017-10074, CVE-2017-10078, CVE-2017-10115, CVE-2017-10067, CVE-2017-10125, CVE-2017-10243, CVE-2017-10109, CVE-2017-10108, CVE-2017-10053, CVE-2017-10105, CVE-2017-10081, CVE-2017-1376

Affected product(s) and affected version(s):

IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 45 and earlier releases
IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 45 and earlier releases
IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 5 and earlier releases
IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 4 Fix Pack 5 and earlier releases
IBM SDK, Java Technology Edition, Version 8 Service Refresh 4 Fix Pack 7 and earlier releases

For detailed information on which CVEs affect which releases, please refer to the IBM SDK, Java Technology Edition Security Vulnerabilities page.

NOTE 1: CVE-2017-10111, CVE-2017-10074 and CVE-2017-10081 affect IBM SDK, Java Technology Edition on Solaris, HP-UX and Mac OS only.
NOTE 2: CVE-2017-1376 does not affect IBM SDK, Java Technology Edition on Solaris, HP-UX and Mac OS.
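Both IBM bulletins above state their affected versions as "Service Refresh N Fix Pack M and earlier". The added example below, written for this page and not IBM tooling, parses the version string IBM's runtime prints and compares it against those thresholds for both bulletins. It assumes that IBM's `java -version` output carries the service refresh and fix pack as "(SRn FPm)" in the runtime build line, and that the R1 releases (6R1, 7R1) carry "_26" or "_27" in the build identifier; the sample version strings are constructed in that shape.

```python
"""Check an IBM Java SDK version string against the affected-release tables
in the two IBM bulletins. Added example; samples are constructed."""
import re
import subprocess

# "<release> Service Refresh N Fix Pack M and earlier releases" per bulletin.
SDK_BULLETIN = {"6": (16, 45), "6R1": (8, 45), "7": (10, 5), "7R1": (4, 5), "8": (4, 7)}
ALGO_CREDIT_MANAGER_BULLETIN = {"7R1": (3, 40), "8": (3, 12)}

MAJOR_RE = re.compile(r'java version "1\.(\d)\.')
SRFP_RE = re.compile(r"\(SR(\d+)(?: FP(\d+))?\)")
# Assumption: R1 releases carry the J9 level (_26 for 6R1, _27 for 7R1) in the build id.
R1_RE = re.compile(r"_2[67]sr\d+", re.IGNORECASE)

# Constructed samples in the shape IBM's `java -version` prints (to stderr).
SAMPLE_V8_SR4FP7 = '''java version "1.8.0_141"
Java(TM) SE Runtime Environment (build 8.0.4.7 - pxa6480sr4fp7-20170727_01(SR4 FP7))
IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20170727_357341 (JIT enabled, AOT enabled)'''
SAMPLE_V8_SR4FP10 = '''java version "1.8.0_144"
Java(TM) SE Runtime Environment (build 8.0.4.10 - pxa6480sr4fp10-20170727_01(SR4 FP10))
IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20170727_357341 (JIT enabled, AOT enabled)'''
SAMPLE_V7R1_SR3FP40 = '''java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470_27sr3fp40-20170313_01(SR3 FP40))
IBM J9 VM (build 2.7, JRE 1.7.0 Linux amd64-64 Compressed References 20170313_339289 (JIT enabled, AOT enabled)'''
SAMPLE_V7_SR10FP5 = '''java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470sr10fp5-20170313_01(SR10 FP5))
IBM J9 VM (build 2.6, JRE 1.7.0 Linux amd64-64 Compressed References 20170313_339287 (JIT enabled, AOT enabled)'''


def parse_ibm_java_version(output: str):
    """Return (release, sr, fp) from `java -version` output, or None if it is
    not an IBM SDK string in the expected shape (e.g. OpenJDK)."""
    major = MAJOR_RE.search(output)
    srfp = SRFP_RE.search(output)
    if not major or not srfp:
        return None
    release = major.group(1)
    if release in ("6", "7") and R1_RE.search(output):
        release += "R1"
    return release, int(srfp.group(1)), int(srfp.group(2) or 0)


def is_affected(version, bulletin):
    """True if at or below the bulletin's "and earlier" threshold, False if
    newer, None if the release is not listed in that bulletin at all."""
    release, sr, fp = version
    if release not in bulletin:
        return None
    return (sr, fp) <= bulletin[release]  # tuple order: SR first, then FP


def check_local_java(bulletin=SDK_BULLETIN):
    """Run the installed `java -version` and classify it; None if no java or not IBM."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True).stderr
    except FileNotFoundError:
        return None
    parsed = parse_ibm_java_version(out)
    return None if parsed is None else (parsed, is_affected(parsed, bulletin))


if __name__ == "__main__":
    for sample in (SAMPLE_V8_SR4FP7, SAMPLE_V8_SR4FP10, SAMPLE_V7R1_SR3FP40, SAMPLE_V7_SR10FP5):
        v = parse_ibm_java_version(sample)
        print(v, "SDK bulletin:", is_affected(v, SDK_BULLETIN),
              "Algo Credit Manager bulletin:", is_affected(v, ALGO_CREDIT_MANAGER_BULLETIN))
    print("local:", check_local_java())
```

A `None` from is_affected means the bulletin does not list that release, not that it is safe; the per-CVE breakdown on the IBM SDK Security Vulnerabilities page the bulletin points to is still the authority for which fixes a given fix pack carries.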

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2x52EwH
X-Force Database: http://ift.tt/2vENxqi
X-Force Database: http://ift.tt/2x4P64r
X-Force Database: http://ift.tt/2vECPQw
X-Force Database: http://ift.tt/2x4P6Bt
X-Force Database: http://ift.tt/2vEtYOD
X-Force Database: http://ift.tt/2x52Goj
X-Force Database: http://ift.tt/2vEW7Fc
X-Force Database: http://ift.tt/2x52GEP
X-Force Database: http://ift.tt/2veVuCa
X-Force Database: http://ift.tt/2wyaY8O
X-Force Database: http://ift.tt/2vEUffF
X-Force Database: http://ift.tt/2wEm9Mt
X-Force Database: http://ift.tt/2xsr7ZC
X-Force Database: http://ift.tt/2x4YZ1U
X-Force Database: http://ift.tt/2vfEyLU
X-Force Database: http://ift.tt/2wECTmy
X-Force Database: http://ift.tt/2vEvu3j
X-Force Database: http://ift.tt/2vff6pW
X-Force Database: http://ift.tt/2wEhie8
X-Force Database: http://ift.tt/2x588Yf
X-Force Database: http://ift.tt/2vEjNtH
X-Force Database: http://ift.tt/2vfk1Hi

The post IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2vEYF6k