Saturday, September 30, 2017

Behind the glare of recent hacks, some companies actually paying homage to data protection


While more stories on corporate hacks rolled into the bad news bin last week, the good news was some executives and enterprises have been paying attention - and taking action.

Among this news and its associated nasty consequences, we pause to recognize some bits of hope for more secure days ahead.

While ex-Equifax CEO Richard Smith recently said the thought of a hack kept him up at night, it seems his words were more a revelation that he was sleeping during the work day.

Meanwhile, Jim Routh has been wide-awake during his day job as Aetna's chief information security officer. He is overseeing a new authentication system to replace passwords and providing a bright spot for a health-care industry often criticized for its inadequate security.

Also, the folks at SAP seem to have their lights on, announcing an acquisition designed to aid the company in satisfying authentication requirements for upcoming European Union mandates on data privacy.

And Google increased the lumens shining on its security game, according to news reports, with a forthcoming hardware-backed authentication system using cryptography to protect at-risk users such as corporate executives, politicians and others with heightened security profiles.

Are these lights at the end of the tunnel? It's likely too early for that, but these developments are akin to a star escaping from a black hole.

"Passwords as binary authentication tools have been standard but are really reaching an end of life," Aetna's Routh said in an interview with Information Security Media Group.

Aetna is eliminating passwords in favor of continuous behavioral authentication based on algorithms. The technology will be applied to mobile and web applications, and Routh cites security and ease-of-use as drivers.

SAP reportedly spent somewhere in the neighborhood of $350 million to acquire Gigya, which develops a customer identity and access management platform. SAP will use the technology in part to meet regulations such as the European Union's General Data Protection Regulation (GDPR) and the updated Payment Services Directive (PSD2) that go into effect next year.

Here's the light SAP sees in its efforts. A GDPR violation would result in a fine equal to 4% of revenue. For SAP, with $22 billion in revenue, that's an $880 million penalty - or $530 million more than what SAP paid for Gigya. The acquisition should make bean counters and the CISO happy - and the company's end-users safer.

We'll have to wait on Google's details, but it is extending and improving two-factor authentication that began with Google Authenticator (since retired) and has extended to public key cryptography solutions based on FIDO Alliance protocols.

The only head-shaking revelation this week is that ex-Equifax CEO Smith may drift away from his former company's carnage on a $7.6 million golden parachute.

We can only hope those doing the work to build better authentication systems eventually get the recognition they deserve.

(Disclosure: My employer is a member of the FIDO Alliance)



from Latest Topic for ZDNet in... http://ift.tt/2fBvURK

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2017-10115, CVE-2017-10116, CVE-2017-10108, CVE-2017-10109)

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7 used by IBM Tivoli System Automation for Multiplatforms. These issues were disclosed as part of the IBM Java SDK updates in Jul 2017.

CVE(s): CVE-2017-10116, CVE-2017-10115, CVE-2017-10109, CVE-2017-10108

Affected product(s) and affected version(s):

IBM Tivoli System Automation for Multiplatforms 4.1.0.0 – 4.1.0.3
IBM Tivoli System Automation for Multiplatforms 3.2.2.9

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2x4Gf3O
X-Force Database: http://ift.tt/2wyaY8O
X-Force Database: http://ift.tt/2xsr7ZC
X-Force Database: http://ift.tt/2vEvu3j
X-Force Database: http://ift.tt/2vff6pW

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2017-10115, CVE-2017-10116, CVE-2017-10108, CVE-2017-10109) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2fzKpFO

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2017-10115, CVE-2017-10116, CVE-2017-10108, CVE-2017-10109)

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7 used by IBM Tivoli System Automation Application Manager. IBM Tivoli System Automation Application Manager has addressed the applicable CVEs. These issues were also addressed by WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager.

CVE(s): CVE-2017-10116, CVE-2017-10115, CVE-2017-10109, CVE-2017-10108

Affected product(s) and affected version(s):

IBM Tivoli System Automation Application Manager 4.1.0.0 – 4.1.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2fBgY6f
X-Force Database: http://ift.tt/2wyaY8O
X-Force Database: http://ift.tt/2xsr7ZC
X-Force Database: http://ift.tt/2vEvu3j
X-Force Database: http://ift.tt/2vff6pW

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2017-10115, CVE-2017-10116, CVE-2017-10108, CVE-2017-10109) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2x4GcoE

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i.

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition that is used by IBM i.

CVE(s): CVE-2017-10198, CVE-2017-10125, CVE-2017-10067, CVE-2017-10115, CVE-2017-10118, CVE-2017-10176, CVE-2017-10078, CVE-2017-10074, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10116, CVE-2017-10102, CVE-2017-10087, CVE-2017-10089, CVE-2017-10107, CVE-2017-10110, CVE-2017-10111, CVE-2017-1376, CVE-2017-10193, CVE-2017-10081, CVE-2017-10105, CVE-2017-10053, CVE-2017-10108, CVE-2017-10109, CVE-2017-10135, CVE-2017-10243, Not Applicable

Affected product(s) and affected version(s):

Releases 6.1, 7.1, 7.2 and 7.3 of IBM i are affected.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2fyAZdz
X-Force Database: http://ift.tt/2vQpmnS
X-Force Database: http://ift.tt/2vfEyLU
X-Force Database: http://ift.tt/2x4YZ1U
X-Force Database: http://ift.tt/2xsr7ZC
X-Force Database: http://ift.tt/2vQnzPT
X-Force Database: http://ift.tt/2wpoWsl
X-Force Database: http://ift.tt/2wEm9Mt
X-Force Database: http://ift.tt/2vEUffF
X-Force Database: http://ift.tt/2x52Goj
X-Force Database: http://ift.tt/2x4LWxw
X-Force Database: http://ift.tt/2x4P6Bt
X-Force Database: http://ift.tt/2wyaY8O
X-Force Database: http://ift.tt/2veVuCa
X-Force Database: http://ift.tt/2x52GEP
X-Force Database: http://ift.tt/2vEW7Fc
X-Force Database: http://ift.tt/2vECPQw
X-Force Database: http://ift.tt/2x4P64r
X-Force Database: http://ift.tt/2vENxqi
X-Force Database: http://ift.tt/2vfk1Hi
X-Force Database: http://ift.tt/2wpoYAt
X-Force Database: http://ift.tt/2vEjNtH
X-Force Database: http://ift.tt/2x588Yf
X-Force Database: http://ift.tt/2wEhie8
X-Force Database: http://ift.tt/2vff6pW
X-Force Database: http://ift.tt/2vEvu3j
X-Force Database: http://ift.tt/2wp6HTz
X-Force Database: http://ift.tt/2vQ1oZY

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i. appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2fA0HhS

IBM Security Bulletin: A vulnerability in libgcrypt affects IBM Flex System Manager (FSM) (CVE-2017-7526)

A vulnerability has been discovered in libgcrypt that is embedded in FSM. This bulletin addresses that issue.

CVE(s): CVE-2017-7526

Affected product(s) and affected version(s):

Flex System Manager 1.3.4.0
Flex System Manager 1.3.3.0
Flex System Manager 1.3.2.1
Flex System Manager 1.3.2.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2fyzr32
X-Force Database: http://ift.tt/2x4FQOQ

The post IBM Security Bulletin: A vulnerability in libgcrypt affects IBM Flex System Manager (FSM) (CVE-2017-7526) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2fzwqzv

IBM Security Bulletin: Multiple vulnerabilities in strongswan affect IBM Flex System Manager (FSM) (CVE-2017-9023, CVE-2017-9022)

Multiple vulnerabilities have been identified in strongswan that is embedded in the FSM. This bulletin addresses these vulnerabilities.

CVE(s): CVE-2017-9023, CVE-2017-9022

Affected product(s) and affected version(s):

Flex System Manager 1.3.4.0
Flex System Manager 1.3.3.0
Flex System Manager 1.3.2.1
Flex System Manager 1.3.2.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2x3n1vk
X-Force Database: http://ift.tt/2fAlwJM
X-Force Database: http://ift.tt/2x2U3vD

The post IBM Security Bulletin: Multiple vulnerabilities in strongswan affect IBM Flex System Manager (FSM) (CVE-2017-9023, CVE-2017-9022) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2fyyPKP

IBM Security Bulletin: A vulnerability in bash affects IBM Flex System Manager (FSM) (CVE-2016-9401)

A vulnerability has been discovered in bash that is embedded in FSM. This bulletin addresses that issue.

CVE(s): CVE-2016-9401

Affected product(s) and affected version(s):

Flex System Manager 1.3.4.0
Flex System Manager 1.3.3.0
Flex System Manager 1.3.2.1
Flex System Manager 1.3.2.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2x32dUB
X-Force Database: http://ift.tt/2h99Hy7

The post IBM Security Bulletin: A vulnerability in bash affects IBM Flex System Manager (FSM) (CVE-2016-9401) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2x4FQyk

IBM Security Bulletin: Multiple vulnerabilities in ntp affect IBM Flex System Manager (FSM)

Multiple vulnerabilities have been identified in ntp that is embedded in the FSM. This bulletin addresses these vulnerabilities.

CVE(s): CVE-2017-6464, CVE-2017-6463, CVE-2017-6462, CVE-2017-6460, CVE-2017-6458, CVE-2016-9042

Affected product(s) and affected version(s):

Flex System Manager 1.3.4.0
Flex System Manager 1.3.3.0
Flex System Manager 1.3.2.1
Flex System Manager 1.3.2.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2fyYMKm
X-Force Database: http://ift.tt/2r4q15Z
X-Force Database: http://ift.tt/2qzbdZv
X-Force Database: http://ift.tt/2r4uxl5
X-Force Database: http://ift.tt/2fzwnUl
X-Force Database: http://ift.tt/2x4tje5
X-Force Database: http://ift.tt/2fyYOls

The post IBM Security Bulletin: Multiple vulnerabilities in ntp affect IBM Flex System Manager (FSM) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2x3Ti5E

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM)

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 1.6 and 1.7 that is used by FSM. These issues were disclosed as part of the IBM Java SDK updates in April 2017. This bulletin addresses these vulnerabilities.

CVE(s): CVE-2017-3539, CVE-2017-1289, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843

Affected product(s) and affected version(s):

Flex System Manager 1.3.4.0
Flex System Manager 1.3.3.0
Flex System Manager 1.3.2.1
Flex System Manager 1.3.2.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2x3n2PU
X-Force Database: http://ift.tt/2pYkfm0
X-Force Database: http://ift.tt/2pvwR1f
X-Force Database: http://ift.tt/2lLwOQm
X-Force Database: http://ift.tt/2mlzP6B
X-Force Database: http://ift.tt/2lLuetu
X-Force Database: http://ift.tt/2mlCjlv

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2fyYJhE

Friday, September 29, 2017

Singapore government assures SingPass-MyInfo will stay secure


The Singapore government has assured that the move to link all 3.3 million citizen accounts, used to access e-government services, to an autofill form system will not leave user data any less secured.

Its CIO agency GovTech announced earlier this week that all registered SingPass users would be given a MyInfo profile, enabling certain fields to be automatically pre-filled once the data had been previously provided to another government agency. This "tell-us-once" concept was designed so users would not need to repeatedly enter information into online forms sent to government agencies, it said.

Since its launch in early 2016, MyInfo had garnered 200,000 enrolments, according to GovTech. By December 2017, this number would be significantly boosted when all 3.3 million SingPass accounts would automatically be linked to their MyInfo profiles.

With the tie-up, citizens' personal details such as their name, identification number, and date of birth, would be used to automatically fill up online government forms--after they had logged in via their SingPass account. This meant that data in their MyInfo profile would be made available to all government agencies.

"SingPass acts as an authentication gateway, while the MyInfo service provides the user's basic personal data to form the digital user profile, to make transactions easier and more secure," GovTech said.

And SingPass users would not have the option to opt out of the service, according to a GovTech spokesperson, who said this move was necessary as the government worked towards its aim to establish a national digital identity.

The Singapore government in February said it was exploring plans to build a national identification system that could be used to access both public and private sector services, hence, expanding the functions of SingPass to include access to a wider range of transactions.

MyInfo currently was available on 24 e-government services, with another 140 to be added by 2018. Access in May this year also was extended to four banks, including DBS and Standard Chartered, but explicit user consent had to be provided before personal details were allowed to be retrieved from MyInfo to facilitate 19 online services, such as credit card application.

There now were plans to extend the service to more locally-registered private organisations by year-end, said GovTech, which added that user consent would be sought for transactions that required financial data such as income tax statements, before personal data was released.

Its spokesperson told ZDNet that credit card or bank account details would not be captured by the system.

She added that citizens still would have the option to preview any pre-filled data before submitting it or delete the data and manually key the required information into the form.

MyInfo data not stored in single repository

While it often had been described in local reports as a "digital data vault", MyInfo was not a centralised repository that stored user data in a common database. Instead, it extracted the relevant citizen data provided to--and archived by--the respective government agencies, as and when they were required to pre-fill forms.

Stressing that the government took a "serious stance" on security, the GovTech spokesperson said: "MyInfo data is stored across multiple systems [that] are safeguarded by cybersecurity measures, including a combination of end-to-end encryption and multi-layered security. In line with industry best practices, these measures are reviewed and updated on a regular basis to enhance data protection."

Data available via MyInfo ranged from personal details such as passport number and residential status, to contact information including mobile number, e-mail address, and billing address.

ZDNet also asked if the SingPass-MyInfo system would be considered a critical information infrastructure (CII) and, therefore, impacted by the country's upcoming cybersecurity bill. While GovTech was unable to provide a confirmation, Singapore-based tech lawyer Bryan Tan said it should be a function related to "government" under the list of 11 CIIs outlined in the proposed bill.

If passed, the bill would require operators of local CIIs to take steps to safeguard their systems and swiftly report threats and incidents. The proposed new laws also would facilitate information sharing across critical sectors and require selected service providers as well as individuals to be licensed.

The bill listed 11 "essential services" sectors considered to operate CIIs: water, healthcare, maritime, media, infocommunications, energy, banking and finance, security and emergency services, land transport, aviation, and the government.

A partner at law firm Pinsent Masons, Tan said the proposed bill defined CII as "a computer or a computer system that is necessary for the continuous delivery of essential services...Singapore relies on.

"The loss or compromise of which will lead to a debilitating impact on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore," he said, citing the draft bill.

ZDNet asked about possible recourse SingPass users could take if their accounts suffered a security breach, resulting in their personal data being leaked.

Tan explained that Singapore's Cybersecurity Act did not outline specific recourse, so general laws should apply. "Specifically, breach of statutory duty," he noted. "I am not sure if receiving money also is a good way to compensate. For instance, getting credit protection services might be a more appropriate remedy."

Providers of such services typically helped customers track their credit movement and would trigger an alert--notifying their bank or credit providers--if any unauthorised charges were made to their account.

Originally scheduled to be tabled later this year, Singapore's proposed cybersecurity bill now was expected to be introduced in parliament next year.



from Latest Topic for ZDNet in... http://ift.tt/2ydzZ9Y

Threat Round Up for Sept 22 – Sept 29

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between September 22 and September 29. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically […]

from Cisco Blog » Security http://ift.tt/2wpnuDV

Strengthening the weak link in security


We live in turbulent times. The same technology that has been an engine of change and progress also gives hackers an unprecedented surface area on which to commit headline-earning crimes. Cybercrime could cost the global economy an estimated US$3 trillion, and in 2015 the cost of a data breach amounted to US$3.8 million. Think about the impact on your business today.

Our digital world requires new approaches to protect against, detect, and respond to security threats. Buying the latest security product won't stop your organization from being attacked and your security team can't be your only line of defence.

While we may have built strong walls to protect ourselves from external threats, have we considered the vulnerabilities that lie within? With the growing number of contractors, freelancers, and temporary employees throughout an enterprise, every person in your organization could be a gateway for the next breach.

Building a secure modern enterprise can only be achieved by having a comprehensive security vision. Here are 5 important questions to consider and action on to strengthen your weak link in security.

  • How often do you see non-sanctioned cloud services in use?
  • Are we protecting ourselves against insider threats?
  • Do we have a cybersecurity task force in place?
  • Is our BYOD policy secure?
  • Do you feel limited by your security budget or staff size?

Find the answers at 5 Questions Executives Should Be Asking Their Security Teams.



from Latest Topic for ZDNet in... http://ift.tt/2xDOe7g

Millions of Up-to-Date Apple Macs Remain Vulnerable to EFI Firmware Hacks


"Always keep your operating system and software up-to-date."

This is one of the most common and most critical pieces of advice that every security expert urges you to follow to protect yourself from major cyber attacks.

However, even if you attempt to install every damn software update that lands on your system, there is a good chance that your computer remains outdated and vulnerable.

Researchers from security firm Duo Labs analysed over 73,000 Mac systems and discovered that a surprising number of Apple Mac computers either fail to install patches for EFI firmware vulnerabilities or do not receive any update at all.

Apple uses the Intel-designed Extensible Firmware Interface (EFI) for Mac computers. EFI works at a lower level than the computer's OS and hypervisors and controls the boot process.

EFI runs before macOS boots up and has higher privileges than the OS; if exploited by attackers, this could allow EFI malware to control everything without being detected.

"In addition to the ability to circumvent higher level security controls, attacking EFI also makes the adversary very stealthy and hard to detect (it’s hard to trust the OS to tell you the truth about the state of the EFI); it also makes the adversary very difficult to remove—installing a new OS or even replacing the hard disk entirely is not enough to dislodge them," Duo researchers say.

What's worse? In addition to neglecting to push out EFI updates to some systems, Apple does not even warn its users of a failed EFI update process or technical glitch, leaving millions of Mac users vulnerable to sophisticated and advanced persistent cyber attacks.

On average, Duo said 4.2% of 73,324 real-world Macs used in enterprise environments were found running an EFI firmware version other than the one they should have been running, based on the hardware model, the operating system version, and the EFI version released with that OS.

The numbers for some specific Mac models are surprising: 43% of the analysed iMac models (21.5" of late 2015) were running outdated, insecure firmware, and at least 16 Mac models had never received any EFI firmware update while Mac OS X 10.10 and 10.12.6 were available.

"For the main EFI vulnerabilities that were acknowledged by Apple and patched during the time of our analysis, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates," Duo researchers say.
"Even if you're running the most recent version of macOS and have installed the latest patches that have been released, our data shows there is a non-trivial chance that the EFI firmware you're running might not be the most up-to-date version."

Duo also found 47 models that were running macOS versions 10.12, 10.11 and 10.10 and did not receive the EFI firmware update with patches to address the known vulnerability Thunderstrike 1, while 31 models did not get the EFI firmware patch addressing the remote version of the same flaw, Thunderstrike 2.

The Thunderstrike attacks, initially developed by the National Security Agency (NSA), were also exposed in the WikiLeaks Vault 7 data dumps, which also mentioned that the attack relies on outdated firmware.

More details on the vulnerable Mac models can be found in the Duo Labs research report.

According to the researchers, their research focused on the Mac ecosystem because Apple is in the somewhat unique position of controlling the full stack, but the findings can be applied widely.

"However, we are of the belief that the main issues we have discovered are generally relevant across all vendors tasked with securing EFI firmware and are not solely Apple," the researchers said.

Enterprises with a large number of Mac computers should review their models outlined in the Duo Labs whitepaper, "The Apple of Your EFI: Findings From an Empirical Study of EFI Security," to see if their models are out-of-date.

Mac users and administrators can also check if they are running the latest version of EFI for their systems by using the free open-source tool EFIgy, which will soon be made available by the company.
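The comparison Duo describes (hardware model, OS version, and the EFI version that shipped with that OS) is straightforward to reproduce against an enterprise asset inventory. The Python below is an added example written for this summary; it is not EFIgy or any Duo Labs code, and the model identifiers, EFI version strings and inventory rows in it are constructed placeholders, not real Apple values. It goes slightly beyond the article by also reporting firmware that is ahead of the baseline or from the wrong firmware family, both of which usually point at a stale baseline table rather than a healthy machine.

```python
"""Flag Macs whose EFI firmware lags the version expected for their model and OS.

Added example, not Duo Labs' EFIgy or its data. The baseline table and the
inventory rows are constructed placeholders; Apple's real EFI versions have the
same three-field shape (family.build.revision) but different values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed baseline (NOT real Apple data): (model identifier, macOS version)
# -> EFI version shipped with that OS build for that model.
EXPECTED_EFI: Dict[Tuple[str, str], str] = {
    ("ExampleMac1,1", "10.12.6"): "EXM11.0200.B00",
    ("ExampleMac1,1", "10.11.6"): "EXM11.0150.B00",
    ("ExampleMac2,1", "10.12.6"): "EXM21.0100.B00",
}


@dataclass(frozen=True)
class MacRecord:
    """One inventory row, as an MDM or asset tool might export it (constructed)."""
    host: str
    model: str
    os_version: str
    efi_version: str


def parse_efi_version(version: str) -> Tuple[str, int, str]:
    """Split 'EXM11.0200.B00' into ('EXM11', 200, 'B00') so builds compare numerically.

    Raises ValueError when the string does not have the three-field shape.
    """
    family, build, rev = version.split(".")
    return family, int(build), rev


def classify(record: MacRecord) -> str:
    """Return 'ok', 'outdated', 'newer', 'unexpected_family', 'unknown_baseline' or 'unparseable'.

    'newer' and 'unexpected_family' are surfaced rather than treated as fine:
    firmware ahead of the baseline, or from another model's family, usually means
    the baseline table is wrong or stale and needs review.
    """
    expected = EXPECTED_EFI.get((record.model, record.os_version))
    if expected is None:
        return "unknown_baseline"
    try:
        have_family, have_build, _ = parse_efi_version(record.efi_version)
        want_family, want_build, _ = parse_efi_version(expected)
    except ValueError:
        return "unparseable"
    if have_family != want_family:
        return "unexpected_family"
    if have_build < want_build:
        return "outdated"
    if have_build > want_build:
        return "newer"
    return "ok"


def audit(records: List[MacRecord]) -> Dict[str, str]:
    """Map each host name to its classification."""
    return {r.host: classify(r) for r in records}


def outdated_rate(records: List[MacRecord]) -> float:
    """Fraction of hosts with a known baseline that run older firmware than expected."""
    known = [r for r in records if (r.model, r.os_version) in EXPECTED_EFI]
    if not known:
        return 0.0
    outdated = sum(1 for r in known if classify(r) == "outdated")
    return outdated / len(known)


# Constructed inventory sample covering each outcome.
SAMPLE_INVENTORY = [
    MacRecord("mac-01", "ExampleMac1,1", "10.12.6", "EXM11.0200.B00"),  # current
    MacRecord("mac-02", "ExampleMac1,1", "10.12.6", "EXM11.0150.B00"),  # OS patched, EFI stale
    MacRecord("mac-03", "ExampleMac2,1", "10.12.6", "EXM21.0100.B00"),  # current
    MacRecord("mac-04", "ExampleMac2,1", "10.12.6", "EXM21.0120.B01"),  # ahead of baseline
    MacRecord("mac-05", "ExampleMac3,1", "10.12.6", "EXM31.0050.B00"),  # no baseline for model
    MacRecord("mac-06", "ExampleMac1,1", "10.11.6", "MB101.0150.B00"),  # wrong firmware family
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    print(f"outdated among hosts with a baseline: {outdated_rate(SAMPLE_INVENTORY):.0%}")
```

The baseline table is the hard part in practice: it has to be built per model from the firmware that each macOS update actually carries, and the "newer" and "unexpected_family" outcomes are the signal that it has drifted.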



from The Hacker News http://ift.tt/2ycwPDm

DNSSEC Key Signing Key Rollover Postponed

Original release date: September 29, 2017

The Internet Corporation for Assigned Names and Numbers (ICANN) has announced that the change to the Root Zone Key Signing Key (KSK) scheduled for October 11, 2017, has been postponed. A new date for the Key Roll has not yet been determined.

DNSSEC is a set of DNS protocol extensions used to digitally sign DNS information, which is an important part of preventing domain name hijacking. Updating the DNSSEC KSK is a crucial security step, similar to updating a PKI Root Certificate. Maintaining an up-to-date Root KSK as a trust anchor is essential to ensuring DNSSEC-validating DNS resolvers continue to function after the rollover. While DNSSEC validation is mandatory for federal agencies, it is not required of the private sector. Systems of organizations that do not use DNSSEC validation will be unaffected by the rollover.

Users and administrators are encouraged to review the ICANN announcement KSK Rollover Postponed and the US-CERT Current Activity on DNSSEC Key Signing Key Rollover for more information.

US-CERT will provide additional information as it becomes available.






from US-CERT National Cyber Alert System http://ift.tt/2fEMSCu

IBM Security Bulletin: IBM WebSphere Commerce has a vulnerability in Marketing ESpots that could cause a denial of service (CVE-2017-1569)


IBM WebSphere Commerce has a vulnerability in Marketing ESpots that could cause a denial of service.

CVE(s): CVE-2017-1569

Affected product(s) and affected version(s):

WebSphere Commerce versions 8.0.0.0 – 8.0.0.19
WebSphere Commerce versions 8.0.1.0 – 8.0.1.13
WebSphere Commerce versions 8.0.3.0 – 8.0.3.4
WebSphere Commerce versions 8.0.4.0 – 8.0.4.5
WebSphere Commerce versions 7.0.0.1 – 7.0.0.9

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2ye8j52
X-Force Database: http://ift.tt/2yLIMNo



from IBM Product Security Incident Response Team http://ift.tt/2yc4XPK

IBM Security Bulletin: eDiscovery Manager is affected by an Open Source Apache POI Vulnerability

eDiscovery Manager addressed the following vulnerability. Apache POI is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. By using a specially crafted OOXML file, a remote attacker might exploit this vulnerability to use all available CPU resources.
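The defensive pattern behind this class of bug is to refuse any XML part that carries a DOCTYPE before it reaches the parser: OOXML (.docx, .xlsx, .pptx) is a zip of XML parts, legitimate parts never need a DTD, and the DOCTYPE is the only place entity declarations can live. The Python below is an added example, not Apache POI or IBM code; the .docx-shaped archives it builds in memory are constructed test inputs, and the size cap is an assumption chosen so the checker itself cannot be exhausted by an oversized part.

```python
"""Pre-parse check for OOXML archives: reject any XML part that declares a DOCTYPE.

Added example, not Apache POI or IBM code. Archives below are constructed in
memory so the check runs offline.
"""
import io
import re
import zipfile
from typing import List

# A DOCTYPE declaration anywhere in a part. Case-insensitive on purpose, since
# lenient parsers accept "<!doctype"; internal and external entity declarations
# can only appear inside the DOCTYPE's subset or the DTD it references.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)

# Assumption: no legitimate XML part in a document we accept exceeds this size.
MAX_PART_BYTES = 8 * 1024 * 1024


def xml_parts(archive: zipfile.ZipFile) -> List[str]:
    """Names of the XML-bearing parts (content parts and relationship parts)."""
    return [n for n in archive.namelist() if n.lower().endswith((".xml", ".rels"))]


def offending_parts(data: bytes, max_part_bytes: int = MAX_PART_BYTES) -> List[str]:
    """Return the names of parts that declare a DOCTYPE or exceed the size cap.

    The size is taken from the zip central directory before inflating, so an
    oversized (or zip-bomb) part is refused without ever being decompressed.
    """
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in xml_parts(zf):
            if zf.getinfo(name).file_size > max_part_bytes:
                found.append(name)
                continue
            if DOCTYPE_RE.search(zf.read(name)):
                found.append(name)
    return found


def is_safe_to_parse(data: bytes) -> bool:
    """True when no part carries a DOCTYPE and all parts are within the size cap."""
    return not offending_parts(data)


def build_docx(document_xml: bytes) -> bytes:
    """Construct a minimal .docx-shaped archive around the given document part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed sample parts.
CLEAN_PART = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b"<w:body/></w:document>"
)
# A part with a DOCTYPE and one harmless internal entity: enough for the check to
# fire. Any DOCTYPE is rejected, regardless of what entities it declares.
DTD_PART = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE w:document [ <!ENTITY e "x"> ]>'
    b"<w:document>&e;</w:document>"
)

if __name__ == "__main__":
    for label, part in (("clean", CLEAN_PART), ("with DOCTYPE", DTD_PART)):
        archive = build_docx(part)
        print(f"{label}: safe={is_safe_to_parse(archive)} offending={offending_parts(archive)}")
```

This filter sits in front of the parser, not instead of parser hardening. In Java, a DocumentBuilderFactory with the `http://apache.org/xml/features/disallow-doctype-decl` feature enabled rejects the same input at parse time; the two checks together cover both the entity-expansion CPU exhaustion described in this bulletin and external-entity fetches.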

CVE(s): CVE-2017-5644

Affected product(s) and affected version(s):

IBM eDiscovery Manager v2.2.2

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2yM5LrT
X-Force Database: http://ift.tt/2r0y7x3

The post IBM Security Bulletin: eDiscovery Manager is affected by an Open Source Apache POI Vulnerability appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2yMyRqX

IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, Business Process Manager, IBM Tivoli Monitoring shipped with IBM Cloud Orchestrator (CVE-2017-1194)


A security vulnerability affects WebSphere Application Server that is shipped with IBM Cloud Orchestrator. IBM Cloud Orchestrator has addressed the vulnerability.

CVE(s): CVE-2017-1194

Affected product(s) and affected version(s):

Principal Product and Version(s)
Affected Supporting Product and Version
IBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3
  • IBM WebSphere Application Server V8.5.5 through 8.5.5.11
  • Business Process Manager 8.5.5 through V8.5.7 CF201703
  • IBM Tivoli System Automation Application Manager V4.1
IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4
  • IBM WebSphere Application Server V8.5.5 through 8.5.5.12
  • IBM Business Process Manager Standard V8.5.0.1 through 8.5.6 CF2
  • IBM Tivoli System Automation Application Manager V4.1
IBM Cloud Orchestrator V2.3, V2.3.0.1
  • IBM WebSphere Application Server V8.0.1 through V8.0.0.11
  • IBM Business Process Manager V8.5.0.1
  • IBM Tivoli System Automation Application Manager V4.1
IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3
  • IBM WebSphere Application Server V8.5.5 through 8.5.5.11
  • Business Process Manager 8.5.5 through V8.5.7 CF201703
  • IBM Tivoli System Automation Application Manager V4.1
IBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4
  • IBM WebSphere Application Server V8.5.5 through 8.5.5.12
  • IBM Business Process Manager Standard V8.5.0.1 through 8.5.6 CF2
  • IBM Tivoli System Automation Application Manager V4.1
IBM Cloud Orchestrator Enterprise V2.3, V2.3.0.1
  • IBM WebSphere Application Server V8.0.1 through V8.0.0.11
  • IBM Tivoli System Automation Application Manager V4.1
  • Business Process Manager 8.5.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2yMCw8n
X-Force Database: http://ift.tt/2s04pcE



from IBM Product Security Incident Response Team http://ift.tt/2yMCwVV

IBM Security Bulletin: A security vulnerability has been identified in IBM Cloud Orchestrator (CVE-2017-1159)

There is a potential security vulnerability in IBM Cloud Orchestrator. IBM Cloud Orchestrator has addressed this vulnerability.

CVE(s): CVE-2017-1159

Affected product(s) and affected version(s):

  • IBM Cloud Orchestrator V2.4 – V2.4.0.4
  • IBM Cloud Orchestrator V2.5 – V2.5.0.3
  • IBM Cloud Orchestrator V2.3, V2.3.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2yMCjSD
X-Force Database: http://ift.tt/2rzrD5V

The post IBM Security Bulletin: A security vulnerability has been identified in IBM Cloud Orchestrator (CVE-2017-1159) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2yMCkpF

IBM Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-8919)


There is a security vulnerability in WebSphere Application Server, IBM Business Process Manager, and IBM Tivoli System Automation Application Manager that is shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise. Additionally, the vulnerability affects Jazz™ for Service Management and IBM Tivoli Monitoring, which are shipped with Cloud Orchestrator Enterprise.

CVE(s): CVE-2016-8919

Affected product(s) and affected version(s):

Principal product and version(s), with the affected supporting product(s) and version(s) listed beneath each:

IBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3
  • WebSphere Application Server V8.5.5 through V8.5.5.11
  • Business Process Manager 8.5.5 through V8.5.7 CF201703
  • IBM Tivoli System Automation Application Manager V4.1

IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4
  • WebSphere Application Server V8.5.0.1 through V8.5.5.12
  • IBM Business Process Manager Standard V8.5.0.1 through 8.5.6 CF2
  • IBM Tivoli System Automation Application Manager V4.1

IBM Cloud Orchestrator V2.3, V2.3.0.1
  • IBM WebSphere Application Server V8.0, V8.0.11
  • IBM Business Process Manager Standard V8.5.0.1

IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3
  • WebSphere Application Server V8.5.5 through V8.5.5.11
  • Business Process Manager 8.5.5 through V8.5.7 CF201703
  • IBM Tivoli System Automation Application Manager 4.1
  • IBM Tivoli Monitoring 6.3.0.2
  • Jazz™ for Service Management V1.1.0.1 through V1.1.2.1

IBM Cloud Orchestrator Enterprise V2.4, V2.4.01, V2.4.0.2, V2.4.0.3
  • WebSphere Application Server V8.5.0.1 through V8.5.5.12
  • IBM Business Process Manager Standard V8.5.0.1 through 8.5.6 CF2
  • IBM Tivoli System Automation Application Manager 4.1
  • IBM Tivoli Monitoring 6.3.0.1 through V6.3.0.2
  • Jazz™ for Service Management V1.1.0.1 through V1.1.2.1

IBM Cloud Orchestrator Enterprise V2.3, V2.3.0.1
  • IBM WebSphere Application Server V8.0, V8.0.11
  • IBM Business Process Manager Standard V8.5.0.1
  • IBM Tivoli Monitoring V6.3.0.1
  • Jazz™ for Service Management V1.1.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2yMyJrt
X-Force Database: http://ift.tt/2iIIHRy



from IBM Product Security Incident Response Team http://ift.tt/2yMCgpV

Flawed Apple Mac firmware updates may leave them vulnerable to attack


Some Apple Macbook models have been found to potentially contain a firmware vulnerability.

Image: Sarah Tew/CNET

A flaw in the way Apple Mac firmware is updated could leave users unprotected from targeted cyber attacks - even though they believe the correct updates have been applied.

Researchers at Duo Labs analysed over 73,000 Mac systems and found that the Extensible Firmware Interface (EFI) in many popular Mac models is vulnerable to sophisticated attacks and malicious firmware implants, such as those exposed in the recent WikiLeaks Vault 7 data dumps.

The researchers said there was a surprisingly high level of discrepancy between the EFI versions they expected to find running on the real-world Mac systems and the EFI versions they actually found running.

"This creates the situation where admins and users have installed the latest OS or security update, but for some reason, the EFI was not updated. Compounding this issue is the lack of notifications provided to the user to inform them that they are running an unexpected version of EFI firmware. This means that users and admins are often blind to the fact that their system's EFI may continue to be vulnerable."

The researchers said the security support provided for EFI firmware depends on the hardware model of Mac. "Some Macs have received regular EFI updates, some have only been updated after particular vulnerabilities have been discovered, others have never seen an update to their EFI."

The EFI firmware of a computer is responsible for booting and controlling the functions of hardware devices and systems, helping the machine get from powering up to booting the operating system.

While difficult to carry out, a successful attack on EFI firmware gives hackers a high level of privilege on the infected system. Such a compromise is difficult to detect and even harder to fix, because even completely wiping the hard disk can't remove this sort of infection.

The researchers said the security support provided for EFI firmware also depends on the version of the OS a system is running: for example a Mac model running OS X 10.11 can receive distinctly different updates to its EFI than the same Mac model running macOS 10.12.

"This creates the confusing situation where a system is fully patched and up to date with respect to its software, but is not fully patched with respect to its EFI firmware - we called this software secure but firmware vulnerable," they said.

They said that for the main EFI vulnerabilities already acknowledged by Apple and patched, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates.

"From an attacker's perspective, EFI attacks are particularly attractive because they provide low-level access. They also provide a lot of persistence and are very stealthy," Pepijn Bruienne, research and development engineer at Duo Security, told ZDNet.

"These characteristics put it into the category of being in the tool-kit of a well-resourced adversary, think of industrial espionage, nation state type attacks rather than indiscriminate drive-bys," he adds.

Such an attack against unpatched firmware - which researchers say would most likely be carried out against targeted users handling sensitive information or with high level clearance - could leave systems vulnerable to the likes of Thunderstrike - a vulnerability that allows malware to be injected into Macs via the Thunderbolt port.

One researcher recently demonstrated how such a vulnerability can be used to compromise a machine and access data stored on it.

Given patches were released to fix this over two years ago, users would naturally expect to be protected against such an attack.

However, researchers say that an average of just over four percent of Macs analysed in production environments were found to be running a version of EFI firmware different from what they should be running, based on the hardware model, the OS version, and the EFI version released with that OS version. Analysis of one particular version of iMac suggests 43 percent weren't running secure firmware.

It's recommended that, if possible, users should update to the latest version of OS 10.12.6 which will provide the latest versions of EFI firmware released by Apple and patch them against known security issues. Duo Security has also released some tools to help users check the status of their EFI firmware.
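The check the researchers describe is a comparison of three things per machine: hardware model, OS version, and the EFI version Apple shipped with that OS release for that model. The following is an added example of that comparison run over a fleet inventory; it is not Duo Labs' tool or code from the article. The model/OS/EFI pairings, version strings and hostnames are constructed placeholders, not Apple's real firmware release history, and the version-string layout (`PREFIX.NNNN.BNN`) is assumed only so that "older than expected" can be told apart from "not the expected build".

```python
"""Flag Macs whose reported EFI firmware differs from the version expected
for their hardware model and OS release ("software secure but firmware
vulnerable").  Added example; all data below is constructed."""
from collections import namedtuple

Host = namedtuple("Host", "name model os_version efi_version")

# Constructed baseline: (hardware model, OS version) -> EFI version that the
# OS installer for that model is expected to leave behind.  Placeholders only.
EXPECTED_EFI = {
    ("MacBookPro11,4", "10.12.6"): "MBP114.0200.B10",
    ("MacBookPro11,4", "10.11.6"): "MBP114.0200.B08",
    ("iMac14,1", "10.12.6"): "IM141.0300.B07",
    ("iMac14,1", "10.11.6"): "IM141.0300.B07",
}

# Constructed inventory rows as an endpoint-management export might provide.
SAMPLE_INVENTORY = [
    Host("mbp-01", "MacBookPro11,4", "10.12.6", "MBP114.0200.B10"),  # as expected
    Host("mbp-02", "MacBookPro11,4", "10.12.6", "MBP114.0200.B08"),  # OS updated, EFI not
    Host("imac-01", "iMac14,1", "10.11.6", "IM141.0300.B07"),        # as expected
    Host("imac-02", "iMac14,1", "10.12.6", "IM141.0300.B05"),        # stale EFI
    Host("mini-01", "Macmini6,2", "10.12.6", "MM62.0100.B00"),       # no baseline on file
]


def _build_tuple(efi):
    """Split 'MBP114.0200.B10' into ('MBP114', 200, 10) so builds can be ordered."""
    prefix, rom, boot = efi.split(".")
    return prefix, int(rom), int(boot.lstrip("B"))


def classify(expected, observed):
    """Return 'ok', 'outdated', 'newer-than-expected', 'wrong-family' or 'unparseable'."""
    if observed == expected:
        return "ok"
    try:
        exp, obs = _build_tuple(expected), _build_tuple(observed)
    except ValueError:
        return "unparseable"
    if exp[0] != obs[0]:
        # Firmware prefix does not match this model family at all.
        return "wrong-family"
    return "outdated" if obs[1:] < exp[1:] else "newer-than-expected"


def audit(hosts, expected=EXPECTED_EFI):
    """Return (hostname, status) for every host that is not running the expected EFI."""
    findings = []
    for h in hosts:
        baseline = expected.get((h.model, h.os_version))
        if baseline is None:
            # Cannot judge without a baseline; surface it rather than silently pass.
            findings.append((h.name, "no-baseline"))
            continue
        status = classify(baseline, h.efi_version)
        if status != "ok":
            findings.append((h.name, status))
    return findings


def mismatch_rate(hosts, expected=EXPECTED_EFI):
    """Percentage of hosts with a baseline whose EFI differs from it (the
    article's 'just over four percent' figure is this kind of number)."""
    flagged = [s for _, s in audit(hosts, expected) if s != "no-baseline"]
    return round(100.0 * len(flagged) / len(hosts), 1) if hosts else 0.0


if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY):
        print(f"{name}: {status}")
    print(f"mismatch rate: {mismatch_rate(SAMPLE_INVENTORY)}%")
```

A host with no baseline is reported separately rather than counted as compliant, since the absence of an expected version is exactly the blind spot the article describes; in practice the baseline table would be populated from the vendor's published firmware-per-OS-release data for each model.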

While the flaws only affect a comparatively small number of users, they still represent a security issue. However, Duo Security has commended Apple's willingness to work with them in fixing the vulnerabilities.

"The flaws we found here are definitely a concern and it's good that we've been able to publicly point it out to them. The response has been great, they've taken everything to heart," said Bruienne.

"Of all of the vendors out there that are EFI users for their hardware, they're definitely the most advanced at getting EFIs under control and making sure that end-users are somewhat certain that they get these updates".

Duo Security hopes that the report, 'The Apple of Your EFI: Findings From an Empirical Study of EFI Security', will encourage all vendors to improve EFI security, given that it is almost impossible to discover whether such systems have been hacked after a successful attack.

"As the pre-boot environment becomes increasingly like a full operating system in and of its own, it must also be treated like a full OS in terms of the security support and attention applied to it," said Bruienne.

Responding to the research, Apple told ZDNet sister-site CNET that it "continues to work diligently in the area of firmware security" and the company is "always exploring ways to make our systems even more secure."




from Latest Topic for ZDNet in... http://ift.tt/2xCXfNP

Google warns that govt is demanding more of your private data than ever


Google reports a steady increase in worldwide requests for user data, mostly from US and European governments.

Image: Google

Google received more government requests for user data in the first half of this year than ever before. It also admits it's significantly underreported the number of non-US accounts targeted by US intelligence.

Google's latest Transparency Report covering January to June 2017 shows once again it's the go-to firm when governments need data on people.

Due to the breadth of Google's services, this data could include your Gmail messages, documents and photos you've saved on Google services, and videos on YouTube.

During the period, Google received 48,941 requests for data from 83,345 accounts and produced user information for 65 percent of requests. This time last year it received 44,943 requests from 76,713 accounts.

About half the requests come from the US government. Other major sources of requests include Germany, France, and the UK. Many countries in the report have made fewer than 10 requests.

The report doesn't show US national security requests made under the Foreign Intelligence Surveillance Act (FISA) for the current period. Using Section 702 of the FISA Amendment Act of 2008, agencies like the NSA can force Google to hand over content from non-US citizens for foreign intelligence purposes.

Current figures are subject to a six-month delay. However, Google has revised upwards the number of accounts affected by these requests, which have been significantly underreported for the past three years.

In January 2016 to June 2016, for example, Google originally said there were 500-999 requests for 18,500 to 18,900 accounts. In fact the 500-999 requests were for 25,000 to 25,499 accounts.

Account figures were revised upwards for all periods to the first half of 2014. It also over-reported account figures in the second half of 2010.


Google has also listed corrections to non-US user accounts affected by FISA requests.

Image: Google

Apple yesterday also revealed the scale of the government requests it faced in the first half of 2017, which do include FISA requests for the current period.

It received between 13,250 and 13,499 national security orders, affecting between 9,000 and 9,249 accounts. In the corresponding period last year it only received up to 2,999 orders. Apple also received 30,814 requests for access to 233,052 devices.

Google is lobbying for changes to key laws that enable law enforcement around the world to request user data. In the US, it's asked for the definition of foreign intelligence information under Section 702 FISA to be narrowed if and when it's reauthorized.

It's also campaigning for reforms to processes under mutual legal assistance treaties (MLATs) between nations, and the US Electronic Communications Privacy Act (ECPA).

Google has previously argued that MLAT processes are too slow, and wants other countries to be able to use ECPA to access data from US providers, so long as they commit to baseline privacy, due process, and human rights principles.

"Providing a pathway for such countries to obtain electronic evidence directly from service providers in other jurisdictions will remove incentives for the unilateral, extraterritorial assertion of a country's laws, data localization proposals, aggressive expansion of government access authorities, and dangerous investigative techniques," wrote Richard Salgado, Google's director of Law Enforcement and Information Security.

"These measures ultimately weaken privacy, due process, and human rights standards."



from Latest Topic for ZDNet in... http://ift.tt/2fBWkq4

Most Singapore firms unsure if old employee accounts properly removed


Only 7 percent of professionals responsible for IT security in Singapore say they remove user access immediately after a change in employment status.

In addition, just 4 percent were confident they had no dormant accounts in their network, according to an online survey conducted by Dimensional Research and commissioned by Quest Software's One Identity. The study polled 100 respondents in Singapore, who were part of a global survey that encompassed 913 professionals with IT security responsibilities across eight markets, including Australia, Hong Kong, and Germany.

And while 39 percent in Singapore said they were "very confident" they knew which dormant user accounts existed within the network, 93 percent acknowledged it would take at least a month to identify these accounts. In comparison, 84 percent across all global markets said it would take a month or longer to do the same.

Another 81 percent in Singapore lacked confidence that accounts of former employees, as well as employees who had changed roles, had been fully deactivated or changed in a timely fashion, compared to 70 percent globally.

Some 25 percent were "very confident" user rights and permissions were correctly allocated according to their roles, the study revealed. Not surprisingly, 88 percent expressed concerns about risks presented by dormant accounts.

While 99 percent had processes in place to identify dormant users, only 22 percent were provided tools to help them find these accounts. Just 5 percent in the country performed audits of employee roles more than once a month.

Lennie Tan, One Identity's Asia-Pacific Japan vice president and general manager, said: "The alarming results of our study prove that organisations in Singapore are exposing unsecured identities and creating security holes for hackers to exploit. Those that don't adopt stronger defenses and innovative solutions to mitigate the growing risk more quickly, might face serious consequences including reputation and financial loss."

The identity management vendor said one of the easiest ways to gain access into corporate IT networks was by stealing user credentials, such as user names and passwords. This then would enable malicious hackers to further access other critical data including customers' personally identifiable information (PII) and financial records.

"The more time inactive accounts are available to bad actors, the more damage can potentially be done including data loss, theft, and [data] leakage, which could end up in irreparable damage to reputations, compliance violations, as well as possibly large fines and a significant drop in stock valuation," One Identity said.

In its annual audit report released earlier this year, Singapore's Auditor-General's Office (AGO) uncovered numerous lapses involving how local government ministries and agencies managed their IT systems. These included unapproved administrative changes, unauthorised third-party access, and failure to remove former employee accounts.

The Central Provident Fund Board, for example, failed to promptly remove 14 user accounts after employees had left the board, including six that were used after the staff's last working day. Similar lapses were found at NParks, which did not remove access rights of 104 suspended user accounts after the employees had left the organisation, some as far back as a decade ago.
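The three failure modes in the survey and the AGO findings (accounts left enabled after departure, accounts used after the last working day, and accounts nobody has touched in months) can each be checked mechanically from a directory export joined with HR status. The following is an added example of such a review, not code from One Identity or the AGO; the CSV export format, field names and every account in it are constructed for illustration.

```python
"""Review a directory export for accounts that should have been removed.
Added example; the export format and all records are constructed."""
import csv
import io
from datetime import date, timedelta

# Constructed export: directory attributes joined with HR employment status.
SAMPLE_EXPORT = """username,enabled,last_logon,employment_status,last_working_day
alice,true,2017-09-25,active,
bob,true,2017-06-01,active,
carol,true,2017-09-20,terminated,2017-09-15
dave,false,2017-03-01,terminated,2017-03-01
erin,true,2016-08-10,terminated,2016-08-05
svc-backup,true,2017-09-28,active,
"""


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def parse_export(text):
    """Turn the CSV export into a list of dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": _parse_date(row["last_logon"]),
            "status": row["employment_status"],
            "last_working_day": _parse_date(row["last_working_day"]),
        })
    return accounts


def review_accounts(accounts, as_of, dormant_days=90):
    """Classify accounts into the three problem categories the survey asks about.

    not_deprovisioned: HR says terminated but the account is still enabled.
    used_after_departure: a logon is recorded after the last working day
        (the pattern the AGO report found at the CPF Board).
    dormant: enabled, still 'active' in HR, but no logon within dormant_days.
    """
    cutoff = as_of - timedelta(days=dormant_days)
    findings = {"not_deprovisioned": [], "used_after_departure": [], "dormant": []}
    for a in accounts:
        if a["status"] == "terminated" and a["enabled"]:
            findings["not_deprovisioned"].append(a["username"])
        if (a["last_working_day"] and a["last_logon"]
                and a["last_logon"] > a["last_working_day"]):
            findings["used_after_departure"].append(a["username"])
        if (a["enabled"] and a["status"] == "active"
                and (a["last_logon"] is None or a["last_logon"] < cutoff)):
            findings["dormant"].append(a["username"])
    return findings


def run_sample(as_of=date(2017, 9, 30)):
    """Convenience entry point: review the constructed export as of a fixed date."""
    return review_accounts(parse_export(SAMPLE_EXPORT), as_of)


if __name__ == "__main__":
    for category, names in run_sample().items():
        print(f"{category}: {', '.join(names) or '-'}")
```

The review date is passed in explicitly so that the check is repeatable and can be run against historical exports; the dormancy window is a parameter because the right threshold differs between interactive user accounts and service accounts, which this example does not distinguish.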

Hong Kong, Australia face similar challenges

According to the One Identity survey, findings in Hong Kong and Australia were similar to Singapore's.

Just 10 percent of respondents in Hong Kong were confident there were no dormant accounts in their corporate network, while 16 per cent said they immediately removed user access after a change in employment status.

Some 63 percent lacked confidence that accounts of former employees were fully deactivated in a timely fashion, while 88 percent said it took at least a month to identify dormant accounts. Another 79 percent were concerned about risks posed by dormant accounts, though just 7 percent said roles were audited more than once a month.

And while 96 percent had processes in place to identify dormant users, only 14 percent had tools to help them do so.

Over in Australia, 82 percent of respondents said it would take at least a month to identify dormant user accounts, while 66 percent lacked confidence accounts of former employees were fully deactivated in a timely fashion.

Just 8 percent said they immediately removed user access upon a change in employment status, and 19 percent were "very confident" user rights and permissions were correctly assigned to the employee's roles.

While 92 percent had processes to identify dormant users, 29 percent had tools to help them find such accounts. In addition, just 9 percent were confident there were no dormant user accounts within their corporate network. Twenty percent were "very confident" they knew which dormant user accounts existed, while 56 percent expressed concerns about the risk posed by such accounts.

Just 10 percent in Australia conducted audits of employee roles more than once a month.



from Latest Topic for ZDNet in... http://ift.tt/2yc0EnP

Amazon's Whole Foods Market Suffers Credit Card Breach In Some Stores


Another day, another data breach. This time the Amazon-owned grocery chain Whole Foods Market has fallen victim to a credit card security breach.

Whole Foods Market, acquired by Amazon for $13.7 billion in late August, disclosed Thursday that hackers were able to gain unauthorized access to credit card information for its customers who made purchases at certain venues like taprooms and full table-service restaurants located within some stores.

Whole Foods Market has around 500 stores in the United States, United Kingdom, and Canada.

The company did not disclose details about the targeted locations or the total number of customers affected by the breach, but it did mention that hackers targeted some of its point-of-sale (POS) terminals in an attempt to steal customer data, including credit details.

The company also said people who only shopped for groceries at Whole Foods were not affected, nor were the hackers able to access Amazon transactions in the security breach.

Instead, only certain venues such as taprooms and table-service restaurants located within its stores—which use a separate POS system—were impacted.

Whole Foods Market has hired a cybersecurity firm to help it investigate the credit card breach and contacted law enforcement authorities of this incident.

"When Whole Foods Market learned of this, the company launched an investigation, obtained the help of a leading cybersecurity forensics firm, contacted law enforcement, and is taking appropriate measures to address the issue," Whole Foods said in a statement on its website.

The company is also encouraging its customers to closely monitor their credit card statements and "report any unauthorized charges to the issuing bank."

According to Whole Foods Market, none of the affected systems being investigated are, in any way, connected to Amazon.com systems.

Whole Foods Market has become the latest victim of a high-profile cyber attack. Earlier this month, global tax and auditing firm Deloitte suffered a cyber attack that resulted in the theft of private emails and documents of some of its clients.

Last week, the U.S. Securities and Exchange Commission (SEC) also disclosed that unknown hackers managed to hack its financial document filing system and illegally profited from the stolen information.

Last month, credit rating agency Equifax publicly disclosed a breach of its systems that exposed personal details, including names, addresses, birthdays and Social Security numbers, of potentially 143 million US customers.



from The Hacker News http://ift.tt/2xFSxN8

Thursday, September 28, 2017

Queensland reports 37 attempted denial of service attacks against government


During the 2016-17 financial year the Queensland government said it successfully mitigated 37 "major" denial of service attacks against government infrastructure.

The state's Department of Science, Information Technology and Innovation also provided security intelligence by collecting and analysing an average of 8 million logged events per day from more than 130 sources over the 12-month period.

The statistics were published in the department's 2016-17 Annual Report [PDF], which also said it delivered a suite of whole-of-government cybersecurity protections and programs to "increase capability and maturity across government".

The department also said it worked closely with the federal government to help establish the first Joint Cybersecurity Centre in Brisbane.

Launched in February, the centres aim to boost cybersecurity resilience in the country by bringing industry, government, and law enforcement together to share relevant threat information under one roof.

The Brisbane centre is the first stage of the AU$47 million program that will also see similar centres established in Sydney, Melbourne, Adelaide, and Perth.

The AU$47 million Joint Cyber Security Centre program was designed in partnership with industry and forms part of Australia's Cyber Security Strategy.

In February last year, the state announced its own cybersecurity commitment, pumping AU$12.5 million into tackling cybercrime and potential threats made against the state's IT infrastructure, with the four-year investment used to form a new Cyber Security Unit and keep it running to provide further protection of the government's systems.

Shortly after, it emerged that Department of Premier and Cabinet director-general David Stewart had his email account hijacked, and that it was used to circulate bogus emails in his name that contained a malicious virus.

Looking forward, the department said it wishes to further strengthen the government's cybersecurity defences and capability through proactive incident detection and mitigation and "addressing cybersecurity challenges". It also hopes to build on existing internal capability to mature data-sharing and data analytics across government.

The annual report also summarised the department's yearly activities, including those under the state's Advance Queensland initiative.

One achievement director-general Jamie Merrick highlighted in his foreword was the government's uptake in procuring services from small and medium-sized businesses.

"In 2015-16, we doubled the number of contracts we had with small and medium-sized businesses; in the last year, we have more than doubled that again," Merrick wrote. "Not only is this delivering smarter and lower cost public services, it is also supporting the growth of Queensland businesses."

According to Merrick, the department is changing the way it does business, and said industry is responding. The department is also accountable for the state's IT services provider, CITEC, which was saved from outsourcing in May 2015.

CITEC provides security, cloud, datacentre, managed IT, services, and networks to other state government departments and agencies.

Over the 12 month period summarised in the department's annual report, the state government processed an estimated 19 billion government business transactions each week, worth over AU$40 billion every year, through the infrastructure and platforms managed by CITEC.

Although the IT agency experienced major woes in the past, CITEC maintained an availability of 99.98 percent on more than 22,590 network devices, 1800 servers, and 2800kW of datacentre power during 2016-17. It also maintained 99.93 percent service availability for the Queensland Government Customer Identity Management (CIDM) system, the department said.



from Latest Topic for ZDNet in... http://ift.tt/2xJKrEK

Mozilla Releases Security Updates

Original release date: September 28, 2017

Mozilla has released security updates to address multiple vulnerabilities in Firefox ESR 52.4 and Firefox 56. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

US-CERT encourages users and administrators to review the Mozilla Security Advisories for Firefox ESR 52.4 and Firefox 56 and apply the necessary updates.






from US-CERT National Cyber Alert System http://ift.tt/2wna0bN

Preparing Today for Tomorrow’s Threats

For the European Union, the U.S., and many countries around the world, October is Cyber Security Awareness Month, a time to broaden awareness and expand the conversation on staying safe and secure online. This time of year presents an opportunity to reflect on the state of cybersecurity – how we’re dealing with today’s challenges and […]

from Cisco Blog » Security http://ift.tt/2fCnLjz

EU ratchets up pressure on tech companies to curb "illegal content"


The European Commission on Thursday published new guidelines for online platforms to step up the prevention, detection and removal of objectionable content such as hate speech and terrorist-related content.

"The Commission expects online platforms to take swift action over the coming months," it said in a release, noting that terrorism and illegal hate speech are "already illegal under EU law, both online and offline."

If tech companies don't implement the guidelines, the release said, the Commission will "assess whether additional measures are needed... including possible legislative measures to complement the existing regulatory framework."

The guidelines address three categories: detection and notification, effective removal, and the prevention of re-appearance. For detection, the EC expects platforms to cooperate more closely with "competent national authorities" by appointing points of contact. The guidelines also urge companies to set up automated detection efforts, as well as to work with "trusted flaggers" with "expert knowledge" on what constitutes illegal content.

For "effective removal," the guidelines say companies may be subject to timeframes "where serious harm is at stake," though the timeframes have yet to be specified. The guidelines also say companies should introduce safeguards to prevent "over-removal." Lastly, the guidelines urge companies to develop more automatic tools to prevent illegal content from re-appearing after it's been removed.

"The rule of law applies online just as much as offline," Commissioner Vera Jourová said in a statement. "We cannot accept a digital Wild West, and we must act. The code of conduct I agreed with Facebook, Twitter, Google and Microsoft shows that a self-regulatory approach can serve as a good example and can lead to results. However, if the tech companies don't deliver, we will do it."

In a press conference Thursday, the AFP reports, Jourová said she deleted her own Facebook account "because it was the highway for hatred, and I am not willing to support it."

Jourová also reportedly said she most recently met with Silicon Valley leaders just last week in a visit to California, and they all recognized the need for action.

In May of last year, Microsoft, Google, Twitter and Facebook all signed a European Commission code of conduct requiring a more active approach in tackling hate speech and terrorist propaganda online. Among other things, it called on tech companies to review the "majority" of valid notifications for the removal of hate speech in less than 24 hours, and to remove or disable access to the content if required.

Tech companies have since made multiple promises and announced various initiatives aimed at curbing nefarious online content. Just last week, the Global Internet Forum to Counter Terrorism -- comprised of Facebook, Microsoft, Twitter and YouTube -- said it made a "multimillion-dollar" commitment to support research on terrorist abuse of the internet.

Tech firms have also become more aggressive at shutting down what they deem to be objectionable content. In the wake of the violent protests this year in Charlottesville, Virginia, Google pulled domain registration support for the neo-Nazi site The Daily Stormer. Facebook, meanwhile, hired a fleet of contractors to look for potential terrorist activity -- before giving a clear definition of what it considers terrorism.

Along with curbing hate speech and terrorism, online platforms are now coming under scrutiny for enabling bad actors to interfere in democratic elections. Executives from Facebook, Google, and Twitter have been asked to testify next month to the US Congress regarding Russia's alleged interference in the 2016 US presidential election.




from Latest Topic for ZDNet in... http://ift.tt/2xJgnJB

TruSense aging-in-place system passively monitors independent seniors


Mention the problem of obtrusive wearables to most tech enthusiasts and their minds may quickly turn to headgear for viewing virtual or augmented reality. But for some segments of the population, the stakes are higher than being cut off from an immersive first-person shooter. This includes elderly people at risk of a fall. My father, who was perfectly cogent and mobile at the age of 86, was one of those people. Earlier this year, about six weeks after falling in his home, he passed away from pneumonia. He opposed wearing any kind of alert bracelet that would have notified me or a monitoring center of his situation.

Things might have been different had he had access to TruSense. TruSense is an "aging in place" system of sensors that passively monitors the path of a person throughout the home during the day. The Cincinnati-based company uses many of the same core technologies as whole-home security systems such as the one recently released by Nest. However, instead of monitoring the activity of unwelcome strangers in your home, it is intended to monitor the activities of residents and ensure they are living within the norms of their routines. For example, a remote adult child can see a record that notes an elderly parent has gone into the kitchen for breakfast or if she has left the house for a doctor's appointment.


TruSense's web interface allows remote monitoring of activities.

An earlier system based on this concept was Lively, a promising Kickstarter project that raised only 15,000 of its 100,000 goal. The company behind Lively was purchased soon after, but the acquiring company quickly moved away from such a product.

Like Lively, TruSense eschews cameras and instead offers a comprehensive set of sensors for unobtrusively monitoring the daily activities of independent but at-risk seniors. These include activity, contact, and even water sensors to detect flooding. But TruSense claims that it -- unlike Nest, Vivint, or AT&T's DigitalLife effort -- isn't concerned with developing its own devices. Rather, it is open to a wide range of sensors as it focuses on the infrastructure software and services around the product. In addition to what might become a tedious log of ordinary daily activities, TruSense offers day-at-a-glance summaries. Its most sophisticated feature is performing analysis on input from multiple sensors to potentially predict warning signs.

TruSense isn't entirely passive. A modern connected system, it includes integration with Alexa via the included Echo Dot. This would have been particularly helpful for my dad, as he was unable to get to his phone after his fall. It is also a feature that, again, doesn't require anything to be worn. That said, TruSense can also extend its monitoring beyond the home via a GPS pendant, an OBDII car monitor and even a GPS SmartSole for one's shoe.


There's no question that TruSense collects a huge amount of information about a resident's life. The company claims its operations are HIPAA-compliant and that the owner of the system (in this case the resident) can control who gets to see what. Ultimately, this must be weighed against the risk of an unmonitored accident and the preferences of the person being monitored. Furthermore, much of its appeal is in avoiding what could ultimately be a speculative event. (To counter that somewhat, the company also says it looks for positive trends in behavior as well.) That said, it would have been a compelling option for my dad, who was living proudly and independently without a major incident -- until there was one.

TruSense packages start at $199. The company estimates that a two-bedroom home would probably require $299 to $349 worth of gear. It charges $49 per month for its core monitoring service. The company offers a 60-day trial that refunds the service fee if service is not continued.




from Latest Topic for ZDNet in... http://ift.tt/2fu7qtv

Hackers Exploiting Microsoft Servers to Mine Monero - Makes $63,000 In 3 Months


Mining cryptocurrencies can be a costly investment, as it takes a monstrous amount of computing power, and so hackers have started using malware that steals the computing resources of the computers it hijacks to make lots of dollars in digital currency.

Security researchers at security firm ESET have spotted one such malware that infected hundreds of Windows web servers with a malicious cryptocurrency miner and helped cybercriminals make more than $63,000 worth of Monero (XMR) in just three months.

According to a report published by ESET today, cybercriminals only made modifications to legitimate open source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0 to secretly install the miner on unpatched Windows servers.

Although ESET's investigation does not identify the attackers, it reports that the attackers have been infecting unpatched Windows web servers with the cryptocurrency miner since at least May 2017 to mine 'Monero,' a Bitcoin-like cryptocurrency.

The vulnerability (CVE-2017-7269) exploited by the attackers was discovered in March 2017 by Zhiniang Peng and Chen Wu and resides in the WebDAV service of Microsoft IIS version 6.0, the web server in Windows Server 2003 R2.

Therefore, hackers are only targeting unpatched machines running Windows Server 2003 to make them part of a botnet, which has already helped them make over $63,000 worth of Monero.

Since the vulnerability is in a web server, which is meant to be visible from the internet, it can be accessed and exploited by anyone. You can learn more about the vulnerability here.

The newly discovered malware mines Monero, which has a total market valuation of about $1.4 billion, far behind Bitcoin in market capitalisation; cybercriminals' love for Monero is due to its focus on privacy.

Unlike Bitcoin, Monero offers untraceable transactions and is an anonymous cryptocurrency.

Another reason hackers favour Monero is that it uses a proof-of-work algorithm called CryptoNight, which suits ordinary computer or server CPUs and GPUs, while Bitcoin mining requires specialised mining hardware.

However, this is not the first time analysts have spotted such malware mining Monero by stealing the computing resources of compromised computers.

In mid-May, Proofpoint researcher Kafeine discovered cryptocurrency mining malware, called 'Adylkuzz,' which was using the EternalBlue exploit (created by the NSA and dumped by the Shadow Brokers in April) to infect unpatched Windows systems to mine Monero.

A week before that, GuardiCore researchers discovered a new botnet malware, dubbed BondNet, that was also infecting Windows systems with a combination of techniques, primarily for mining Monero.



from The Hacker News http://ift.tt/2fUqOR3

Apple reported a spike in secret national security orders this year


Apple received fewer government demands for data during the first-half of this year, but it saw a spike in secret national security orders.

New figures revealed in the company's first biannual transparency report show that Apple received 30,814 demands to access 233,052 devices in the first half of the year, down 6 percent compared to last year.

Apple also received 3,020 requests for data on 43,836 accounts, such as iCloud content, stored photos, email, contacts, and device backups. Those account requests are down 15 percent compared to last year. Apple noted that the high number of accounts related to unauthorized access. In March, hackers demanded a ransom and threatened to remotely wipe "millions" of iCloud accounts otherwise. The hackers never followed through with their threat.

But the number of national security orders, including secret rulings from the Foreign Intelligence Surveillance Court, spiked during the period.

The company received between 13,250 and 13,499 national security orders, affecting between 9,000 and 9,249 accounts.

That's a threefold increase compared to the year earlier, which saw up to 2,999 orders for the period.

It's the largest number of national security orders that Apple has ever reported in five years of publishing transparency reports.

Apple and other companies remain subject to heavy reporting restrictions on national security orders. With the introduction of the Freedom Act in 2015, the Justice Department was forced to relax the rules on how companies report secret and classified orders, allowing tech companies to report the number of secret demands in narrower bands.

In its last report, Apple revealed it had become the latest tech giant to have a national security letter declassified. As with all national security letters, the order to turn over customer data includes a gag order, preventing the company or anyone else from disclosing the contents -- even to the customer in question. The company didn't post the details of the letter.

Apple did not reveal any declassified orders in this report.

The company also confirmed it has "not received any orders" for bulk account data, a legal provision typically reserved for phone companies.

The company also said it received 1,108 requests to preserve account data, typically in order to allow an authority to obtain the proper legal process for the data. Almost all the preservation requests came from the US government.

For the first time, Apple revealed that it provided data in 44 civil, non-governmental cases.




from Latest Topic for ZDNet in... http://ift.tt/2xNb6Ry

Facebook, Google, Twitter execs to testify at Russia hearings


Executives from Facebook, Google, and Twitter have been asked to testify before the United States Congress as lawmakers continue to investigate Russia's alleged interference in the 2016 US presidential election, committee sources said on Wednesday.

The Senate intelligence committee asked that the executives testify at a public hearing on November 1, 2017.

"In the coming month, we will hold an open hearing with representatives from tech companies in order to better understand how Russia used online tools and platforms to sow discord in and influence our election," the committee's Democrat representative Adam Schiff and Republican representative Mike Conaway said.

While the representatives did not specify which technology companies would be testifying, Facebook and Google confirmed they had received invitations from the Senate committee.

Some US lawmakers -- increasingly alarmed by the evidence suggesting Russian hackers used the internet to spread fake news and otherwise influence the 2016 election in favour of US commander-in-chief Donald Trump -- have been pushing for more information about the influence of social media platforms.

Early Wednesday, Trump posted a tweet accusing Facebook of always being "anti-Trump", adding that television networks and publications such as The New York Times and the Washington Post, have also been anti-Trump.

"But the people were Pro-Trump! Virtually no President has accomplished what we have accomplished in the first 9 months-and economy roaring," he added.

Facebook founder and frontman Mark Zuckerberg subsequently responded to Trump's tweets in the form of a Facebook post, saying both Trump and liberals are accusing the social media giant of influencing election results.

"Both sides are upset about ideas and content they don't like. That's what running a platform for all ideas looks like," Zuckerberg said in the post.

He went on to explain Facebook's influence in the 2016 presidential election, saying that "more people had a voice in this election than ever before", with "billions of interactions" about a variety of issues that "may have never happened offline". Some of these issues were not reported in the media, Zuckerberg added.

"[The] data we have has always shown that our broader impact -- from giving people a voice to enabling candidates to communicate directly to helping millions of people vote -- played a far bigger role in this election," he said in his post.

The CEO also said it was the "first" US election where the internet was the primary medium of communication between candidates and the electorate.

"Every candidate had a Facebook page to communicate directly with tens of millions of followers every day," he said, adding that campaigns spent "hundreds of millions" advertising online, which is "1000x more than any problematic ads we've found."

Facebook revealed earlier this month that suspected Russian trolls purchased more than $100,000 worth of divisive ads on its platform between June 2015 and May 2017, a revelation that triggered calls for new disclosure rules for online political ads.

Facebook said the purchases came from around 500 "inauthentic" accounts and pages that seemed to be affiliated with each other. The social media giant shut down the active accounts and pages -- which it said appeared to have been operating from Russia -- for violating its policies.

Facebook last week said it will turn over to the US Congress Russian-linked ads that may have been intended to sway the 2016 US election.

"We support Congress in deciding how to best use this information to inform the public, and we expect the government to publish its findings when their investigation is complete," Zuckerberg said at the time.

In his recent post, Zuckerberg additionally recalled Facebook's efforts in encouraging people to vote.

"[Our efforts] helped as many as 2 million people register to vote. To put that in perspective, that's bigger than the get out the vote efforts of the Trump and Clinton campaigns put together," he said. "That's a big deal."

Zuckerberg said Facebook will do its part to "defend against nation states attempting to spread misinformation and subvert elections".

"We'll keep working to ensure the integrity of free and fair elections around the world, and to ensure our community is a platform for all ideas and force for good in democracy," he added.

The Daily Beast, citing anonymous sources, also reported that a Facebook group called the "United Muslims of America" was a fake account linked to the Russian government. The group was reportedly making false claims about politicians, including Democratic presidential candidate Hillary Clinton.

The Senate and House intelligence committees are the main congressional panels investigating allegations that Russia interfered in the latest US presidential election, as well as possible collusion between Trump associates and Russia.

The general consensus of law enforcement and the Federal Bureau of Investigation, as well as the conclusions of the Central Intelligence Agency's own investigations, suggest Russia was involved in election scheming, something that Trump and Russian officials have continued to dismiss, with the latter describing the allegations as "amusing rubbish".

Russian president Vladimir Putin had also insisted that Russia as a country never engaged in hacking activities, but conceded that some "patriotic" individuals may have, likening a hacker's free will to that of an artist, in a speech delivered to news agencies in June.

At the time, Putin lamented what he described as "Russo-phobic hysteria" in the US, saying such rhetoric makes it "somewhat inconvenient to work with one another or even to talk", adding that "someday this will have to stop".

He also alleged that some evidence pointing at Russian hackers' participation in cyber attacks -- although he did not specify which -- could have been falsified in an attempt to smear Russia.

"I can imagine that some do it deliberately, staging a chain of attacks in such a way as to cast Russia as the origin of such an attack," Putin said in June.

"Modern technologies allow that to be done quite easily."

Earlier this week, Russia's communications watchdog Roskomnadzor said it will block access to Facebook next year if the social media giant does not comply with a law requiring websites to store personal data of Russian citizens on Russian servers.

With AAP



from Latest Topic for ZDNet in... http://ift.tt/2xD1pTH

Banking Trojan Attempts To Steal Brazillion$

This post was authored by Warren Mercer, Paul Rascagneres and Vanja Svajcer

Introduction

Banking trojans are among some of the biggest threats to everyday users as they directly impact the user in terms of financial loss. Talos recently observed a new campaign specific to South America, namely Brazil. This campaign was focused on various South […]

from Cisco Blog » Security http://ift.tt/2fTFMH6

IBM Security Bulletin: Smart Cloud Entry is affected by ISC BIND vulnerabilities

Multiple vulnerabilities have been identified in ISC BIND. ISC BIND is shipped with the IBM SmartCloud Entry Appliance.

CVE(s): CVE-2017-3142, CVE-2017-3143

Affected product(s) and affected version(s):

For all IBM

IBM SmartCloud Entry Appliance 2.3.0 through 2.3.0.4 fix pack 11,
IBM SmartCloud Entry Appliance 2.4.0 through 2.4.0.4 fix pack 11,
IBM SmartCloud Entry Appliance 3.1.0 through 3.1.0.4 fix pack 26,
IBM SmartCloud Entry Appliance 3.2.0 through 3.2.0.4 fix pack 26

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2fsZmt7
X-Force Database: http://ift.tt/2v5WKuc
X-Force Database: http://ift.tt/2tJHrDP

The post IBM Security Bulletin: Smart Cloud Entry is affected by ISC BIND vulnerabilities appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2wYhE0j