Friday, November 30, 2018

Twitter user hacks 50,000 printers to tell people to subscribe to PewDiePie

Disorganized crime and state-backed hackers: How the cybercrime and cyberwar landscape is constantly changing

Marriott breach: Starwood's hacker tier rewards millions of customer records

Cyberwar and the future of cybersecurity (free PDF download)

Survey shows IT professionals concerned about cyberwarfare, end users, and conducting international business

Moscow's new cable car system infected with ransomware two days after launch

Marriott faces massive data breach expenses even with cybersecurity insurance

These are the worst hacks, cyberattacks, and data breaches of 2018


November: Information relating to roughly 4,500 customers of the Ontario Cannabis Store (OCS) was improperly shared and leaked, including the names or initials of nominated signatories, postcodes, dates of delivery, reference numbers, Canada Post tracking numbers, and OCS corporate names and business addresses.

While the breach was small, the sensitive subject matter -- and the recent decision to make recreational cannabis legal in Ontario, Canada -- made the incident stand out. It may now be legal, but that does not mean smokers would be happy with others knowing about their recreational use.



from Latest Topic for ZDNet in... https://ift.tt/2TY5MmY

500 Million Marriott Guest Records Stolen in Starwood Data Breach


The world's biggest hotel chain, Marriott International, today disclosed that unknown hackers compromised the guest reservation database of its subsidiary Starwood Hotels and walked away with the personal details of about 500 million guests.

Starwood Hotels and Resorts Worldwide was acquired by Marriott International for $13 billion in 2016. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

The incident is believed to be one of the largest data breaches in history, behind the Yahoo breach disclosed in 2016, in which nearly 3 billion user accounts were compromised.

The unauthorized access dates back to 2014, when an "unauthorized party" got into Starwood's guest reservation database and, according to Marriott, copied and encrypted the information (encrypting staged data before moving it out of a network is a common way to get past content-inspecting exfiltration controls).

Marriott discovered the breach on September 8 this year after it received an alert from an internal security tool "regarding an attempt to access the Starwood guest reservation database in the United States."

On November 19, the investigation into the incident revealed that there was unauthorized access to the database, containing "guest information relating to reservations at Starwood properties on or before September 10, 2018."

The stolen hotel database contains sensitive personal information of nearly 327 million guests, including their names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, arrival and departure information, reservation date, and communication preferences.

What's worrisome? For some users, stolen data also includes payment card numbers and payment card expiration dates.

But, according to Marriott, "the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)." Decrypting them requires two components (the ciphertext and the key material), and "at this point, Marriott has not been able to rule out the possibility that both were taken." If the key was reachable from the same compromised systems as the data, the encryption adds nothing.

"The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property," the company said in a statement.

Marriott confirmed that its investigation into the incident only identified unauthorized access to the separate Starwood network and not the Marriott network. It has also begun informing potentially impacted customers of the security incident.

The hotel company has begun notifying regulatory authorities and also informed law enforcement of the incident and continues to support their investigation.

Since the breach falls under the European Union's General Data Protection Regulation (GDPR), Marriott could face a maximum fine of €20 million (about £17 million) or 4 percent of its annual global turnover, whichever is higher, if it is found to have broken the rules.



from The Hacker News https://ift.tt/2AD0F2H

IBM Security Bulletin: Potential Privilege escalation vulnerability in WebSphere Application Server (CVE-2018-1840)

Nov 30, 2018 8:01 am EST

Categorized: Medium Severity


There is a potential privilege elevation vulnerability in WebSphere Application Server after migration from WebSphere Application Server Version 8, when a security domain is configured to use a federated repository other than the global federated repository.

CVE(s): CVE-2018-1840

Affected product(s) and affected version(s):

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10735767
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/150813



from IBM Product Security Incident Response Team https://ift.tt/2rfLDvG

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring

Nov 30, 2018 8:01 am EST

Categorized: High Severity


There are several vulnerabilities in IBM® SDK Java™ Technology Edition, which is shipped as part of multiple IBM Tivoli Monitoring (ITM) components.

CVE(s): CVE-2018-1517, CVE-2018-1656, CVE-2018-2964, CVE-2018-2973, CVE-2018-2952, CVE-2018-2940, CVE-2018-12539

Affected product(s) and affected version(s):

The following components of IBM Tivoli Monitoring (ITM) are affected by this bulletin:

-Java (CANDLEHOME) ITM 6.2.3 Fix Pack 1 (JRE 1.6) through 6.3.0 Fix Pack 7 (JRE 7) (CVE-2018-1656 and CVE-2018-12539 only)
-Java (Tivoli Enterprise Portal client browser or webstart) ITM 6.2.3 Fix Pack 1 through 6.3.0 Fix Pack 7 (all CVEs listed)

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10738853
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141681
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144882
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/146827
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/146835
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/146815
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/146803
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148389



from IBM Product Security Incident Response Team https://ift.tt/2BGP0l5

This is how Docker containers can be exploited to mine for cryptocurrency

Marriott announces data breach affecting 500 million hotel guests

Now Russian hackers are using Brexit as part of their cyber attacks

Samba Trojan becomes the bread and butter of fresh attack campaign

Using the cloud to turn governance into a business advantage

Tech support scammers are using this new trick to bypass security software

Floyd Mayweather, DJ Khaled settle SEC charges over illegal endorsement of cryptocurrency ICOs

Thursday, November 29, 2018

USN-3833-1: Linux kernel (AWS) vulnerabilities

30 November 2018

linux-aws vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems

Details

Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955)

Philipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within an unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-4.15.0-1029-aws - 4.15.0-1029.30
linux-image-aws - 4.15.0.1029.29

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References



from Ubuntu Security Notices https://ift.tt/2AFc4iq

USN-3832-1: Linux kernel (AWS) vulnerabilities

linux-aws vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems

Details

Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972)

Jann Horn discovered that the mremap() system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service (system crash), expose sensitive information, or possibly execute arbitrary code. (CVE-2018-18281)

It was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445)

Daniel Dadap discovered that the module loading implementation in the Linux kernel did not properly enforce signed module loading when booted with UEFI Secure Boot in some situations. A local privileged attacker could use this to execute untrusted code in the kernel. (CVE-2018-18653)

Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955)

Philipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within an unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
linux-image-4.18.0-1006-aws - 4.18.0-1006.7
linux-image-aws - 4.18.0.1006.6

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References



from Ubuntu Security Notices https://ift.tt/2TSE3El

Labor will not back full encryption Bill as it offers interim deal again

Encryption debate reminiscent of climate change arguments: Senetas

GCHQ details how law enforcement could be silently injected into communications

Protecting Against Identity Theft

Original release date: November 29, 2018

As the holidays draw near, many consumers turn to the internet to shop for goods and services. Although online shopping offers convenience and saves time, shoppers should be cautious online and protect their personal information against identity theft. Identity thieves steal personal information, such as credit card numbers, and run up bills in the victim's name.

CISA encourages consumers to review the following tips to help reduce the risk of falling prey to identity theft:

If you believe you are a victim of identity theft, visit the FTC’s identity theft website to file a report and create a personal recovery plan.






from US-CERT National Cyber Alert System https://ift.tt/2RoFcBE

US Senate computers will use disk encryption


The US Senate will enable disk encryption on all Senate computers as a basic security measure that will make it harder for spies or criminals to extract sensitive data from stolen Senate staff PCs or hard drives.

The decision was taken last month by the Senate Committee on Rules and Administration, which instructed the Senate Sergeant at Arms (SAA) to begin the data encryption process.

"I applaud these efforts as this new common-sense cybersecurity policy will better protect sensitive Senate data from those who might wish to compromise it," said Oregon Democrat Senator Ron Wyden, the one who initially pushed the Committee to implement this measure over the summer.

"This new policy will make it much harder for any would-be spy or criminal who steals a Senate computer to access Senate data," Sen. Wyden added. "This is particularly important for laptops, which are more vulnerable to foreign government surveillance when Senate staff take them home or on work-related travel."

Details about the exact timeline or progress of the disk encryption rollout have not been made available, but Senators and their staff should hope it does not go as badly as the adoption of multi-factor authentication: a government report published in September revealed that only 11 percent of the Department of State's devices used multi-factor authentication.

It is also no surprise that Sen. Wyden was behind the push to have the Senate deploy disk encryption. Previously, the same Senator had also asked the government to stop using Adobe Flash on its computers and sites, urged the DOD to move all of its sites to HTTPS by the end of the year, asked the White House Cybersecurity Coordinator to deploy a solution that blocks ads on US government networks and computers to ward off malvertising, and has pressed the DHS to deploy an emerging technology called Encrypted Server Name Indication (ESNI).

He also called out the FBI director's 'ill-informed' views on encryption backdoors, pushed Verizon, Sprint, AT&T, and T-Mobile to stop sharing real-time cell phone location data with third-party companies, revealed that US border officials haven't properly verified visitor passports for more than a decade, and asked the FCC to find out whether police stingrays disrupt 911 calls.




from Latest Topic for ZDNet in... https://ift.tt/2DPxxbP

Palo Alto Networks to launch next-gen firewall for 5G networks

After Microsoft complaints, Indian police arrest tech support scammers at 26 call centers

Sky Brasil exposes data of 32 million subscribers

USN-3795-3: libssh regression

libssh regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

USN-3795-1 and USN-3795-2 introduced a regression in libssh.

Software Description

  • libssh - A tiny C SSH library

Details

USN-3795-1 and USN-3795-2 fixed a vulnerability in libssh. The upstream fix introduced a regression. This update fixes the problem.

Original advisory details:

Peter Winter-Smith discovered that libssh incorrectly handled authentication when being used as a server. A remote attacker could use this issue to bypass authentication without any credentials.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
libssh-4 - 0.8.1-1ubuntu0.3
Ubuntu 18.04 LTS
libssh-4 - 0.8.0~20170825.94fa1e38-1ubuntu0.2
Ubuntu 16.04 LTS
libssh-4 - 0.6.3-4.3ubuntu0.2
Ubuntu 14.04 LTS
libssh-4 - 0.6.1-0ubuntu3.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References



from Ubuntu Security Notices https://ift.tt/2FXftPQ

Hackers can exploit this bug in surveillance cameras to tamper with footage

AriseBank CEO faces 120 years behind bars over alleged cryptocurrency scam

USN-3831-1: Ghostscript vulnerabilities

ghostscript vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Ghostscript.

Software Description

  • ghostscript - PostScript and PDF interpreter

Details

It was discovered that Ghostscript contained multiple security issues. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use these issues to access arbitrary files, execute arbitrary code, or cause a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
ghostscript - 9.26~dfsg+0-0ubuntu0.18.10.1
libgs9 - 9.26~dfsg+0-0ubuntu0.18.10.1
Ubuntu 18.04 LTS
ghostscript - 9.26~dfsg+0-0ubuntu0.18.04.1
libgs9 - 9.26~dfsg+0-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
ghostscript - 9.26~dfsg+0-0ubuntu0.16.04.1
libgs9 - 9.26~dfsg+0-0ubuntu0.16.04.1
Ubuntu 14.04 LTS
ghostscript - 9.26~dfsg+0-0ubuntu0.14.04.1
libgs9 - 9.26~dfsg+0-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

References



from Ubuntu Security Notices https://ift.tt/2Q2l4sJ

IBM Security Bulletin: IBM StoredIQ Privilege Insufficient Authorization

Nov 29, 2018 8:01 am EST

Categorized: Medium Severity


IBM StoredIQ has addressed a vulnerability in which authorization of user roles was not properly implemented.

CVE(s): CVE-2018-1928

Affected product(s) and affected version(s):

Affected Product: IBM StoredIQ
Affected Versions: 7.6.0.0 – 7.6.0.17

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10741611
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/153119



from IBM Product Security Incident Response Team https://ift.tt/2zzJMWZ

IBM Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow leading to privilege escalation (CVE-2018-1897).

Nov 29, 2018 8:01 am EST

Categorized: High Severity


Db2 is vulnerable to a buffer overflow leading to privilege escalation.

CVE(s): CVE-2018-1897

Affected product(s) and affected version(s):

All fix pack levels of IBM Db2 V9.7, V10.1, V10.5, and V11.1 editions on all platforms are affected.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10737295
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/152462



from IBM Product Security Incident Response Team https://ift.tt/2zvsOci

IBM Security Bulletin: IBM StoredIQ is affected by a cross-site request forgery

IBM StoredIQ is affected by a cross-site request forgery.

CVE(s): CVE-2018-1927

Affected product(s) and affected version(s):

Affected Product: IBM StoredIQ
Affected Versions: 7.6.0.0 – 7.6.0.17

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10741605
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/153118




from IBM Product Security Incident Response Team https://ift.tt/2zxyG4S

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 7 used by Financial Transaction Manager for Corporate Payment Services. Financial Transaction Manager for Corporate Payment Services (FTM CPS) has addressed the applicable CVEs.

CVE(s): CVE-2017-3732, CVE-2017-3736, CVE-2018-1656, CVE-2018-12539

Affected product(s) and affected version(s):

FTM CPS: 2.1.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10731339
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/121313
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134397
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144882
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148389




from IBM Product Security Incident Response Team https://ift.tt/2zqFCkf

KingMiner malware hijacks the full power of Windows Server CPUs

GCHQ: We don't tell tech companies about every software flaw

Wednesday, November 28, 2018

Dell Resets All Customers' Passwords After Potential Security Breach


Multinational computer technology company Dell disclosed Wednesday that its online electronics marketplace experienced a "cybersecurity incident" earlier this month when an unknown group of hackers infiltrated its internal network.

On November 9, Dell detected and disrupted unauthorized activity on its network attempting to steal customer information, including their names, email addresses and hashed passwords.

According to the company, the initial investigation found no conclusive evidence that the hackers succeeded in extracting any information, but as a precaution Dell has reset the passwords of all accounts on the Dell.com website, whether or not their data was stolen.

Dell did not share how the hackers infiltrated its network in the first place or how many user accounts were affected, but the company did confirm that payment information and Social Security numbers were not targeted.

"Credit card and other sensitive customer information were not targeted. The incident did not impact any Dell products or services," Dell says.

You are affected if you have ever created an account on the Dell website to purchase any of their products or to access the online support.

"Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation. Dell also retained a digital forensics firm to conduct an independent investigation and has engaged law enforcement," the company said.

We will update this story as more information becomes available.



from The Hacker News https://ift.tt/2P8vPo2

Autonomous cyber defences are the future: Richard Stiennon

Huawei 'looking into' New Zealand 5G ban to find way forward

Cisco Releases Security Update

Dunkin' Donuts accounts may have been hacked in credential stuffing attack

Dell announces security breach

Hackers are opening SMB ports on routers so they can infect PCs with NSA malware

SamSam ransomware created by Iranian hackers, says US DoJ

The destructive ransomware demanded $6m in ransoms and caused $30m in damages during a series of high-profile outbreaks in 2018.

from Latest Topic for ZDNet in... https://ift.tt/2PXHOdc

USN-3829-1: Git vulnerabilities

git vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Git.

Software Description

  • git - fast, scalable, distributed revision control system

Details

It was discovered that Git incorrectly handled layers of tree objects. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15298)

It was discovered that Git incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-19486)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
git - 1:2.19.1-1ubuntu1.1
Ubuntu 18.04 LTS
git - 1:2.17.1-1ubuntu0.4
Ubuntu 16.04 LTS
git - 1:2.7.4-0ubuntu1.6
Ubuntu 14.04 LTS
git - 1:1.9.1-1ubuntu0.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References



from Ubuntu Security Notices https://ift.tt/2FLIZrp

U.S Charges Two Iranian Hackers for SamSam Ransomware Attacks

The Department of Justice announced Wednesday charges against two Iranian nationals for their involvement in creating and deploying the notorious SamSam ransomware. The alleged hackers, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah, 27, have been charged on several counts of computer hacking and fraud charges, the indictment unsealed today at New Jersey court revealed. The duo used


from The Hacker News https://ift.tt/2r9weNa

How secure is serverless computing?

Building security into a serverless environment

from Latest Topic for ZDNet in... https://ift.tt/2AyYnS3

New industrial espionage campaign leverages AutoCAD-based malware

Researchers warn about industrial espionage group targeting companies in the energy sector with AutoCAD-based malware.

from Latest Topic for ZDNet in... https://ift.tt/2P7q5uK

Where AWS falls short, and how it's fixing the problem

New research from ThousandEyes shows AWS is significantly less stable than Google Cloud or Microsoft Azure in Asia, but the new AWS Global Accelerator addresses the issue -- for a price. [Cloud TV]

from Latest Topic for ZDNet in... https://ift.tt/2Sd1qqm

AMP for Endpoints Updates: Fall 2018

Our engineering and research team work 24/7 to ensure business continuity for our customers. Here are the most recent new features and capabilities released for the AMP for Endpoints Console.

from Cisco Blog » Security https://ift.tt/2P8HDX5

Cisco Prime License Manager SQL Injection Vulnerability

A vulnerability in the web framework code of Cisco Prime License Manager (PLM) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries.

The vulnerability is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application. A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181128-plm-sql-inject
Security Impact Rating: Critical
CVE: CVE-2018-15441
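The root cause the advisory names, user-supplied input spliced into SQL text, is easy to see side by side with its fix. The Python below is an added example and is not Cisco's code; nothing in it is specific to Prime License Manager. It runs a query built by string formatting beside the parameterised version against an in-memory SQLite table constructed for the example (the table name, its columns and the crafted POST value are all assumptions), and shows that the same payload changes the structure of the first query and is just a string in the second.

```python
import sqlite3

# Constructed sample rows standing in for an application table; the real
# PLM schema is not on the page and is not assumed here.
SAMPLE_LICENSES = [
    (1, "CUCM-ENH-10", "active"),
    (2, "CUCM-BAS-10", "active"),
    (3, "UNITY-VM-5", "expired"),
]


def make_db():
    """In-memory SQLite stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licenses (id INTEGER PRIMARY KEY, name TEXT, state TEXT)")
    conn.executemany("INSERT INTO licenses VALUES (?, ?, ?)", SAMPLE_LICENSES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The POST parameter is spliced into the SQL text, so a quote character in
    it ends the literal and whatever follows is parsed as SQL."""
    query = "SELECT id, name, state FROM licenses WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Parameterised form: the value travels separately from the SQL text and
    is never parsed as SQL, whatever characters it contains."""
    query = "SELECT id, name, state FROM licenses WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo():
    """Run both lookups with a crafted value (constructed for this example) and
    return how many rows each one leaks."""
    conn = make_db()
    payload = "' OR '1'='1"  # becomes ... WHERE name = '' OR '1'='1' when spliced in
    return len(lookup_vulnerable(conn, payload)), len(lookup_safe(conn, payload))
```

`demo()` returns `(3, 0)`: the formatted query matches every row because the tautology became part of the WHERE clause, while the parameterised query looks for a license literally named `' OR '1'='1` and finds none. The advisory's second outcome, shell access as the `postgres` user, depends on what the application's database role is allowed to do inside PostgreSQL; parameterising every query is the fix for the injection, and giving that role only the privileges the application needs is the fix for the blast radius.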

from Cisco Security Advisory https://ift.tt/2QndWX1

ElasticSearch server exposed the personal data of over 57 million US citizens

Leaky database taken offline, but only after exposing user details for nearly two weeks.

from Latest Topic for ZDNet in... https://ift.tt/2r84vwi

Phishing warning: If you work in this one industry you're more likely to be a target

Cyber crooks looking to steal secrets are focusing their attacks on one sector.

from Latest Topic for ZDNet in... https://ift.tt/2E2E7Nc

Singapore State Courts' digital files accessed illegally due to system loophole

A loophole in its criminal case filing system resulted in 223 State Courts electronic documents being accessed without authorisation, enabling accused persons to view court documents in other case files.

from Latest Topic for ZDNet in... https://ift.tt/2P7Nuw3

CSA Research Complete Artifact Bundle

This is a Cloud Security Alliance Bundle containing 185 Artifacts.

from Cloud Security Alliance Blog https://ift.tt/2DPbGBl

IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2018-12539)

There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 8 used by IBM Elastic Storage Server. This issue was disclosed as part of the IBM Java SDK updates in July 2018.

CVE(s): CVE-2018-12539

Affected product(s) and affected version(s):

The Elastic Storage Server 5.3 thru 5.3.1.1
The Elastic Storage Server 5.0.0 thru 5.2.3
The Elastic Storage Server 4.5.0 thru 4.6.0
The Elastic Storage Server 4.0.0 thru 4.0.6

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10740169
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148389




from IBM Product Security Incident Response Team https://ift.tt/2QnLh43

IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM SONAS (CVE-2016-0705)

There is a vulnerability in IBM® Runtime Environment Java™ Technology Edition, that is used by IBM SONAS. IBM SONAS has addressed the applicable CVEs.

CVE(s): CVE-2016-0705

Affected product(s) and affected version(s):

IBM SONAS
The product is affected when running code releases 1.5.0.0 to 1.5.2.9

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10734253
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/111140




from IBM Product Security Incident Response Team https://ift.tt/2Qk4VOD

IBM Security Bulletin: The Elastic Storage Server is affected by a vulnerability in IBM Spectrum Scale (CVE-2018-1783)

The Elastic Storage Server is affected by a vulnerability in IBM Spectrum Scale which could allow an unprivileged, authenticated user with access to a GPFS node to forcefully terminate GPFS and deny access to data available through GPFS (CVE-2018-1783).

CVE(s): CVE-2018-1783

Affected product(s) and affected version(s):

The Elastic Storage Server 5.3 thru 5.3.1.1
The Elastic Storage Server 5.0.0 thru 5.2.3
The Elastic Storage Server 4.5.0 thru 4.6.0
The Elastic Storage Server 4.0.0 thru 4.0.6

The Elastic Storage Server 3.5.0 thru 3.5.6
The Elastic Storage Server 3.0.0 thru 3.0.5
The Elastic Storage Server 2.5.0 thru 2.5.5

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10740139
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148806

The post IBM Security Bulletin: The Elastic Storage Server is affected by a vulnerability in IBM Spectrum Scale (CVE-2018-1783) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2QmzR0B

IBM Security Bulletin: The Elastic Storage Server is affected by a vulnerability in IBM Spectrum Scale (CVE-2018-1782)

The Elastic Storage Server is affected by a vulnerability in IBM Spectrum Scale which could allow a local, unprivileged user to cause a kernel panic on a node running GPFS by accessing a file that is stored on a GPFS file system with mmap, or by executing a crafted file stored on a GPFS file system (CVE-2018-1782).

CVE(s): CVE-2018-1782

Affected product(s) and affected version(s):

The Elastic Storage Server 5.3.1 thru 5.3.1.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10740171
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148805

The post IBM Security Bulletin: The Elastic Storage Server is affected by a vulnerability in IBM Spectrum Scale (CVE-2018-1782) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2QqDCC9

IBM Security Bulletin: Cross-site scripting vulnerability affects multiple IBM Rational products based on IBM Jazz technology

A cross-site scripting vulnerability affects components used by, and may therefore affect, the following products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM) and Rational Software Architect Design Manager (RSA DM).

CVE(s): CVE-2018-1762

Affected product(s) and affected version(s):

Rational Collaborative Lifecycle Management 5.0 – 6.0.6

Rational Quality Manager 5.0 – 5.0.2
Rational Quality Manager 6.0 – 6.0.6

Rational Team Concert 5.0 – 5.0.2
Rational Team Concert 6.0 – 6.0.6

Rational DOORS Next Generation 5.0 – 5.0.2
Rational DOORS Next Generation 6.0 – 6.0.6

Rational Engineering Lifecycle Manager 5.0 – 5.0.2
Rational Engineering Lifecycle Manager 6.0 – 6.0.6

Rational Rhapsody Design Manager 5.0 – 5.0.2
Rational Rhapsody Design Manager 6.0 – 6.0.6

Rational Software Architect Design Manager 5.0 – 5.0.2
Rational Software Architect Design Manager 6.0 – 6.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10742281
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148616

The post IBM Security Bulletin: Cross-site scripting vulnerability affects multiple IBM Rational products based on IBM Jazz technology appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2QrF7ju

IBM Security Bulletin: IBM® Db2® LUW on AIX and Linux Affected by a Vulnerability in IBM® Spectrum Scale (CVE-2018-1723)

Db2 LUW is affected by a vulnerability in IBM® Spectrum Scale Version 4.1.x and 4.2.x that is used by the DB2® pureScale™ Feature on AIX and Linux. IBM Spectrum Scale was previously known as General Parallel File System (GPFS).

CVE(s): CVE-2018-1723

Affected product(s) and affected version(s):

All fix pack levels of IBM DB2 V10.5 and V11.1.1 editions running on AIX and Linux are affected, and only for those customers who have DB2® pureScale™ Feature installed.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10734067
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/147373

The post IBM Security Bulletin: IBM® Db2® LUW on AIX and Linux Affected by a Vulnerability in IBM® Spectrum Scale (CVE-2018-1723) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2BDApqE

IBM Security Bulletin: This Power System firmware update is being released to address DHCP issue number CVE-2018-5732

POWER9/POWER8: In response to a recently reported DHCP client security vulnerability, a new Power System firmware update is being released to address Common Vulnerabilities and Exposures issue number CVE-2018-5732.

CVE(s): CVE-2018-5732

Affected product(s) and affected version(s):

Firmware release FW910 is affected.

Firmware releases FW810, FW820, FW830, FW840, FW860 are affected.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10716563
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/139613

The post IBM Security Bulletin: This Power System firmware update is being released to address DHCP issue number CVE-2018-5732 appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2KDnpEf

Atrium Health data breach exposed 2.65 million patient records

The security incident also exposed an estimated 700,000 Social Security numbers.

from Latest Topic for ZDNet in... https://ift.tt/2rcghFX

Second time lucky: Cisco pushes fix for failed Webex vulnerability patch

New attack techniques have rendered the original patch useless.

from Latest Topic for ZDNet in... https://ift.tt/2AqY3VA

IBM QRadar Advisor with Watson boosted with MITRE framework

The machine learning system is being given a crash course in cybercriminal techniques.

from Latest Topic for ZDNet in... https://ift.tt/2TS1Mo3

USN-3830-1: OpenJDK regression

openjdk-8, openjdk-lts regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

USN-3804-1 introduced a regression in OpenJDK.

Software Description

  • openjdk-lts - Open Source Java implementation
  • openjdk-8 - Open Source Java implementation

Details

USN-3804-1 fixed vulnerabilities in OpenJDK. Unfortunately, that update introduced a regression when validating JAR files that prevented Java applications from finding classes in some situations. This update fixes the problem.

We apologize for the inconvenience.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
openjdk-11-jdk - 10.0.2+13-1ubuntu0.18.04.4
openjdk-11-jre - 10.0.2+13-1ubuntu0.18.04.4
openjdk-11-jre-headless - 10.0.2+13-1ubuntu0.18.04.4
Ubuntu 16.04 LTS
openjdk-8-jdk - 8u191-b12-0ubuntu0.16.04.1
openjdk-8-jre - 8u191-b12-0ubuntu0.16.04.1
openjdk-8-jre-headless - 8u191-b12-0ubuntu0.16.04.1
openjdk-8-jre-jamvm - 8u191-b12-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes.

References



from Ubuntu Security Notices https://ift.tt/2KCU2ly

Pegasus gov't spyware used to target colleague of slain drug cartel journalist

Just days after the death of a reporter investigating drug cartels, the spyware appeared on the radar.

from Latest Topic for ZDNet in... https://ift.tt/2P6tpGv

FBI Shuts Down Multimillion Dollar – 3ve – Ad Fraud Operation

Google, the FBI, ad-fraud fighting company WhiteOps and a collection of cyber security companies worked together to shut down one of the largest and most sophisticated digital ad-fraud schemes that infected over 1.7 million computers to generate fake clicks used to defraud online advertisers for years and made tens of millions of dollars in revenue. Dubbed 3ve (pronounced "Eve"), the online


from The Hacker News https://ift.tt/2TOYNN8

TA18-331A: 3ve – Major Online Ad Fraud Operation

Original release date: November 27, 2018

Systems Affected

Microsoft Windows

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Description

Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses. 

Boaxxe/Miuref Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Impact

For the indicators of compromise (IOCs) below, keep in mind that any one indicator on its own may not necessarily mean that a machine is infected. Some IOCs may be present for legitimate applications and network traffic as well, but are included here for completeness.

Boaxxe/Miuref Malware

Boaxxe malware leaves several executables on the infected machine. They may be found in one or more of the following locations:

  • %UserProfile%\AppData\Local\VirtualStore\lsass.aaa
  • %UserProfile%\AppData\Local\Temp\<RANDOM>.exe
  • %UserProfile%\AppData\Local\<Random eight-character folder name>\<original file name>.exe

The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the executables created above.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Above path to executable>\

Kovter Malware

Kovter malware is found mostly in the registry, but the following files may be found on the infected machine:

  • %UserProfile%\AppData\Local\Temp\<RANDOM>.exe or .bat
  • %UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<RANDOM>\<RANDOM FILENAME>.exe
  • %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.lnk
  • %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.bat

Kovter is known to hide in the registry under:

  • HKCU\SOFTWARE\<RANDOM>\<RANDOM>

The customized CEF browser is dropped to:

  • %UserProfile%\AppData\Local\<RANDOM>

The keys will look like random values and contain scripts. In some values, a User-Agent string can be clearly identified. An additional key containing a link to a batch script on the hard drive may be placed within registry key:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

There are several patterns in the network requests that are made by Kovter malware when visiting the counterfeit websites. The following are regex rules for these URL patterns:

  • /?ptrackp=\d{5,8}
  • /feedrs\d/click?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*&spoof_domain=[\w\.\d-_]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
  • /feedrs\d/vast_track?a=impression&feed_id=\d{5}&sub_id=\d{1,5}&sub2_id=\d{1,5}&cid=[a-f\d-]
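The following is an added example and not part of the TA18-331A alert or of any tool it names: it applies the three Kovter URL regexes above and the Boaxxe/Miuref drop locations listed under Impact to constructed sample data (a proxy log in a made-up "timestamp client method url" format and a made-up set of HKCU Run values). Two adjustments are assumed so the alert's regexes compile under Python's re module: the `?` that begins the query string in the two /feedrs patterns is escaped, because an unescaped `?` makes the preceding character optional instead of matching a literal question mark, and in `[\w\.\d-_]` the hyphen is moved to the end of the character class, since Python rejects `\d-_` as a bad range. Neither change alters what the patterns are intended to match.

```python
"""Matches the Boaxxe/Miuref file-location indicators and the Kovter URL
regexes from TA18-331A against constructed sample data (a proxy log and a set
of HKCU Run values). Added example; all sample values are constructed."""
import re
from typing import Dict, List, Set, Tuple

# --- Network indicators: the three Kovter URL regexes quoted in the alert.
# Two adjustments make them valid for Python's re module without changing
# what they are meant to match:
#  * the '?' that begins the query string in the two /feedrs patterns is
#    escaped (unescaped, a regex engine reads it as "previous char optional");
#  * in [\w\.\d-_] the hyphen is moved to the end of the class, since Python
#    rejects "\d-_" as a bad character range.
KOVTER_URL_PATTERNS = {
    "ptrackp": re.compile(r"/?ptrackp=\d{5,8}"),
    "feedrs_click": re.compile(
        r"/feedrs\d/click\?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*"
        r"&spoof_domain=[\w.\d_-]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    ),
    "feedrs_vast_track": re.compile(
        r"/feedrs\d/vast_track\?a=impression&feed_id=\d{5}&sub_id=\d{1,5}"
        r"&sub2_id=\d{1,5}&cid=[a-f\d-]"
    ),
}

# --- Host indicators: the Boaxxe/Miuref drop locations quoted in the alert,
# as case-insensitive regexes over a Windows path. _END stops a match at the
# end of the path token so trailing command-line arguments are tolerated.
_END = r'(?=["\s]|$)'
BOAXXE_PATH_PATTERNS = {
    "virtualstore_lsass": re.compile(
        r"\\AppData\\Local\\VirtualStore\\lsass\.aaa" + _END, re.I),
    "temp_exe": re.compile(
        r"\\AppData\\Local\\Temp\\[^\\\s]+\.exe" + _END, re.I),
    "random8_dir_exe": re.compile(
        r"\\AppData\\Local\\[A-Za-z0-9]{8}\\[^\\\s]+\.exe" + _END, re.I),
}

# Constructed proxy log: "<timestamp> <client_ip> <method> <url>" per line.
SAMPLE_PROXY_LOG = """\
2018-11-27T10:01:02Z 10.0.0.5 GET http://example.invalid/?ptrackp=123456
2018-11-27T10:01:03Z 10.0.0.5 GET http://example.invalid/feedrs2/click?feed_id=123&sub_id=45&cid=0a1b2c3d-ef&spoof_domain=news.example&land_ip=203.0.113.7
2018-11-27T10:01:04Z 10.0.0.9 GET http://example.invalid/static/app.js
2018-11-27T10:01:05Z 10.0.0.5 GET http://example.invalid/feedrs3/vast_track?a=impression&feed_id=12345&sub_id=6&sub2_id=7&cid=abc
"""

# Constructed HKCU\...\Run values (value name -> command line).
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "lsass": r"C:\Users\alice\AppData\Local\VirtualStore\lsass.aaa",
    "upd": r"C:\Users\alice\AppData\Local\Temp\x7q2.exe",
    "svc": r"C:\Users\alice\AppData\Local\kq3m8zpa\notepad.exe",
}


def match_url(url: str) -> List[str]:
    """Names of the Kovter URL patterns found anywhere in url."""
    return [name for name, pat in KOVTER_URL_PATTERNS.items() if pat.search(url)]


def match_run_value(command: str) -> List[str]:
    """Names of the Boaxxe path patterns found in a Run value's command line."""
    return [name for name, pat in BOAXXE_PATH_PATTERNS.items() if pat.search(command)]


def scan_proxy_log(log_text: str) -> List[Tuple[str, str, str]]:
    """(client_ip, pattern_name, url) for every matching request in the log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than crash
        client, url = fields[1], fields[3]
        for name in match_url(url):
            hits.append((client, name, url))
    return hits


def suspicious_clients(log_text: str, min_distinct: int = 2) -> Dict[str, Set[str]]:
    """Clients that hit at least min_distinct different URL patterns.

    The alert notes that a single indicator may also come from legitimate
    traffic, so one pattern hit alone does not flag a host here."""
    seen: Dict[str, Set[str]] = {}
    for client, name, _ in scan_proxy_log(log_text):
        seen.setdefault(client, set()).add(name)
    return {c: names for c, names in seen.items() if len(names) >= min_distinct}


def scan_run_values(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Run values whose command line points at a Boaxxe drop location."""
    flagged = {}
    for name, command in values.items():
        hits = match_run_value(command)
        if hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_PROXY_LOG).items():
        print(f"{client}: matched {sorted(names)}")
    for value, hits in scan_run_values(SAMPLE_RUN_VALUES).items():
        print(f"Run\\{value}: {hits}")
```

On the constructed data, 10.0.0.5 matches all three URL patterns and is reported, 10.0.0.9 matches none, and of the Run values only the three that sit in the alert's drop locations are flagged (the legitimate-looking OneDrive entry under a nine-character folder is not). The `min_distinct` threshold is the code's reflection of the alert's own caveat that any single indicator may also occur in legitimate traffic; tune it to the environment rather than treating one hit as an infection.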

The following is a YARA rule for detecting Kovter:

rule KovterUnpacked {
  meta:
    desc = "Encoded strings in unpacked Kovter samples."
  strings:
    $ = "7562@3B45E129B93"
    $ = "@ouhKndCny"
    $ = "@ouh@mmEdctffdsr"
    $ = "@ouhSGQ"
  condition:
    all of them
}

Solution

If you believe you may be a victim of 3ve and its associated malware or hijacked IPs, and have information that may be useful to investigators, submit your complaint to www.ic3.gov and use the hashtag 3ve (#3ve) in the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:

  • Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
  • Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
  • Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
  • Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
  • Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.

References

Revision History

  • November 27, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.




from US-CERT National Cyber Alert System https://ift.tt/2BBGIel

Tuesday, November 27, 2018

FBI dismantles gigantic ad fraud scheme operating across over one million IPs

DOJ also charged eight suspects. Three suspects have already been arrested.

from Latest Topic for ZDNet in... https://ift.tt/2BAXNVG

New Zealand bans Spark from using Huawei for 5G

The New Zealand GCSB said the use of Huawei equipment in Spark's 5G network would 'raise significant national security risks'.

from Latest Topic for ZDNet in... https://ift.tt/2RowKTj

Employees tell Google not to be complicit in Chinese oppression and human rights abuse

300 Google employees have signed an open letter calling on the company to abandon its Chinese search engine.

from Latest Topic for ZDNet in... https://ift.tt/2r8gyK8

Microsoft warns about two apps that installed root certificates then leaked the private keys

It's a Superfish and eDellRoot déjà vu!

from Latest Topic for ZDNet in... https://ift.tt/2SeSKQo

3ve – Fraudulent Online Advertising

Original release date: November 27, 2018

The Department of Homeland Security and the Federal Bureau of Investigation have released a joint Technical Alert (TA) on a major online ad fraud operation—referred to by the U.S. Government as "3ve."

NCCIC encourages users and administrators to review Alert TA18-331A: 3ve – Major Online Ad Fraud Operation for more information.






from US-CERT National Cyber Alert System https://ift.tt/2r9cpG4

Seven GDPR complaints filed against Google over user location tracking

GDPR complaints have been filed today against Google in the Netherlands, Poland, the Czech Republic, Greece, Norway, Slovenia, and Sweden.

from Latest Topic for ZDNet in... https://ift.tt/2KBThcw

USN-3827-2: Samba vulnerabilities

samba vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 ESM

Summary

Several security issues were fixed in Samba.

Software Description

  • samba - SMB/CIFS file, print, and login server for Unix

Details

USN-3827-1 fixed a vulnerability in samba. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Florian Stuelpner discovered that Samba incorrectly handled CNAME records. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service. (CVE-2018-14629)

Alex MacCuish discovered that Samba incorrectly handled memory when configured to accept smart-card authentication. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. (CVE-2018-16841)

Garming Sam discovered that Samba incorrectly handled memory when processing LDAP searches. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. (CVE-2018-16851)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM
samba - 2:3.6.25-0ubuntu0.12.04.16

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References



from Ubuntu Security Notices https://ift.tt/2FHclax

USN-3816-3: systemd regression

27 November 2018

systemd regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

USN-3816-1 caused a regression in systemd-tmpfiles.

Software Description

  • systemd - system and service manager

Details

USN-3816-1 fixed vulnerabilities in systemd. The fix for CVE-2018-6954 caused a regression in systemd-tmpfiles when running Ubuntu inside a container on some older kernels. This issue only affected Ubuntu 16.04 LTS. In order to continue to support this configuration, the fixes for CVE-2018-6954 have been reverted.

We apologize for the inconvenience.

Original advisory details:

Jann Horn discovered that unit_deserialize incorrectly handled status messages above a certain length. A local attacker could potentially exploit this via NotifyAccess to inject arbitrary state across re-execution and obtain root privileges. (CVE-2018-15686)

Jann Horn discovered a race condition in chown_one(). A local attacker could potentially exploit this by setting arbitrary permissions on certain files to obtain root privileges. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-15687)

It was discovered that systemd-tmpfiles mishandled symlinks in non-terminal path components. A local attacker could potentially exploit this by gaining ownership of certain files to obtain root privileges. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-6954)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
systemd - 229-4ubuntu21.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References



from Ubuntu Security Notices https://ift.tt/2BCqQIN

CSA Finances for Chapters



from Cloud Security Alliance Blog https://ift.tt/2DYPd5N

Sample Chapter Event Announcement



from Cloud Security Alliance Blog https://ift.tt/2FJXhc2

CSA Standard Services to Chapters



from Cloud Security Alliance Blog https://ift.tt/2raeXni

CSA Chapter Quick Start Guide



from Cloud Security Alliance Blog https://ift.tt/2FHKpmX

USN-3828-1: WebKitGTK+ vulnerabilities

27 November 2018

webkit2gtk vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS

Summary

Several security issues were fixed in WebKitGTK+.

Software Description

  • webkit2gtk - Web content engine library for GTK+

Details

A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
libjavascriptcoregtk-4.0-18 - 2.22.4-0ubuntu0.18.10.1
libwebkit2gtk-4.0-37 - 2.22.4-0ubuntu0.18.10.1
Ubuntu 18.04 LTS
libjavascriptcoregtk-4.0-18 - 2.22.4-0ubuntu0.18.04.1
libwebkit2gtk-4.0-37 - 2.22.4-0ubuntu0.18.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any applications that use WebKitGTK+, such as Epiphany, to make all the necessary changes.

References



from Ubuntu Security Notices https://ift.tt/2r9HE3q

Android adware has plagued the Google Play Store in the past two months

Samba Releases Security Updates

Original release date: November 27, 2018

The Samba Team has released security updates to address several vulnerabilities in Samba. An attacker could exploit one of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review the Samba Security Announcements for CVE-2018-14629, CVE-2018-16841, CVE-2018-16851, CVE-2018-16852, CVE-2018-16853, and CVE-2018-16857 and apply the necessary updates.






from US-CERT National Cyber Alert System https://ift.tt/2SlYUOT

Securing Access to Our Nation’s Critical Infrastructure


It’s Critical Infrastructure Security and Resilience Month, but I think we can all agree that the topic at hand is, uh, more of a long-term necessity. About 85 percent of the nation’s critical infrastructures are privately owned and operated, as cited in NIST’s SP 800-82 Guide to Industrial Control Systems (ICS) Security.

That means much of what our country runs on is heavily interconnected and interdependent, while its security may vary greatly from one industry or private organization to another. Not all of the threats to energy and utilities firms are particularly unique, but they could have, needless to say, quite serious consequences.

As a recent Vectra report stated, the threats to energy and utilities firms typically target their enterprise IT networks, rather than the actual industrial control systems (ICS). And while NIST dictates that the ICS network should be logically separated from the corporate network with minimal access points between them, there is always some potential risk to be weighed.

How Do Attacks Against Energy & Utility Firms Work?

These attacks can take many months and involve a number of different stages, as Vectra outlined in their report on the hidden threat of cyberattacks in the energy and utilities industry, and as I’ve summarized/editorialized a bit below:

Point of Entry

The first step is to gain a foothold into energy and utility networks by stealing a user’s credentials through means of phishing and malware, then maintaining external remote access with tools like virtual private networks (VPNs), Remote Desktop Protocol (RDP) and Outlook Web Access (OWA).

With common remote access tools like VPNs, attackers’ activity often blends in with normal administrative access and actions, making it more difficult for organizations to detect malicious behavior.

Reconnaissance

With external remote access, attackers then identify file servers within the network and collect information about hosts, users, operator behaviors and other additional data.

During the recon stage, attackers will also conduct scans via RDP to find both accounts and RDP servers that will accept logins via those accounts. This allows attackers to find accounts to access while evading detection, rather than conducting a port sweep or scan that may call more attention to their malicious intentions.

Lateral Movement & Exfiltration

Armed with privileged administrator credentials, attackers move to access domain controllers via RDP, as well as workstations and servers containing data from industrial control systems and supervisory control and data acquisition (SCADA) files.

Other ICS Attack Scenarios

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides a few resources on recommended best practices for security, including an overview of the different types of attackers that commonly target energy and critical infrastructure organizations. Those range from national governments to industrial spies, organized crime groups, hacktivists and more.

ICS-CERT also provides some detailed overviews of common network architecture configurations of production and control systems. One of those diagrams depicts a vendor support agreement with control systems that allows for remote access, typically through a VPN to enable vendors to assist during upgrades or system malfunction. Attackers may gain access via VPNs to connect to the control system’s network, or to vendor resources.

The ICS-CERT site also provides many other potential attack scenarios, from database links to poorly configured firewalls and more. One easy way to establish a connection and issue commands is to connect directly with data acquisition servers that often “lack even basic authentication.”

Mitigating Against Energy & Utility Security Risks

The common attack themes seen here are centered around gaining access to enterprise networks by means of weak or unsecured remote access points. Protect against these risks by verifying the trust of the user and their device:

  • Verify the identity of all users with Duo Security’s strong two-factor authentication, before granting users access to corporate applications and resources.
  • Get visibility into every device used to access corporate applications – including both corporate-managed and personally-owned devices.
  • Ensure the trustworthiness of user devices by checking that they meet your security standards – not jailbroken, running the latest operating systems and browsers, passcode-protected, etc.
  • Protect access to your applications by enforcing policies that limit access to only trusted users and devices that meet your risk tolerance levels – block those outside of your designated geolocation, or prompt users to update before granting them access.
  • Streamline the user login experience with single sign-on (SSO) and let users log in once to securely access all of their different cloud and on-premises apps.

Learn more about securing access to enterprise IT applications, including how to protect access to remote access tools like VPNs, OWA, RDP and more with Duo Security.




from Cisco Blog » Security https://ift.tt/2r6Kbvz

Microsoft's multi-factor authentication service goes down for second week in a row

DNSpionage Campaign Targets Middle East

DNSpionage Campaign Targets Middle East This blog post was authored by Warren Mercer and Paul Rascagneres. Executive Summary Cisco Talos recently discovered a new campaign targeting Lebanon and the United...

from Cisco Blog » Security https://ift.tt/2ArKp4t

Everyone will use encryption, Australia should get over it: UN Special Rapporteur

USN-3827-1: Samba vulnerabilities

samba vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Samba.

Software Description

  • samba - SMB/CIFS file, print, and login server for Unix

Details

Florian Stuelpner discovered that Samba incorrectly handled CNAME records. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service. (CVE-2018-14629)

Alex MacCuish discovered that Samba incorrectly handled memory when configured to accept smart-card authentication. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. (CVE-2018-16841)

Garming Sam discovered that Samba incorrectly handled memory when processing LDAP searches. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. (CVE-2018-16851)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
samba - 2:4.8.4+dfsg-2ubuntu2.1
Ubuntu 18.04 LTS
samba - 2:4.7.6+dfsg~ubuntu-0ubuntu2.5
Ubuntu 16.04 LTS
samba - 2:4.3.11+dfsg-0ubuntu0.16.04.18
Ubuntu 14.04 LTS
samba - 2:4.3.11+dfsg-0ubuntu0.14.04.19

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References



from Ubuntu Security Notices https://ift.tt/2DWwPu4

This worm spreads a fileless version of the Trojan Bladabindi

Uber fined $1.1 million by UK and Dutch regulators over 2016 data breach


British and Dutch data protection regulators Tuesday hit the ride-sharing company Uber with a total fine of $1,170,892 (~ 1.1 million) for failing to protect its customers’ personal information during a 2016 cyber attack involving millions of users.

Late last year, Uber revealed that the company had suffered a massive data breach in October 2016, exposing names, email addresses and phone numbers of 57 million Uber riders and drivers along with driving license numbers of around 600,000 drivers.

Besides this, it was also reported that instead of disclosing the breach at the time, the company paid $100,000 in ransom to the two hackers with access to the stolen data in exchange for keeping the incident secret and deleting the information.

Today Britain’s Information Commissioner’s Office (ICO) fined Uber 385,000 pounds ($491,102), while the Dutch Data Protection Authority (Dutch DPA) levied a 600,000 euro ($679,790) penalty on Uber for failing to protect the personal information of its 3 million British and 174,000 Dutch citizens, respectively.

"In 2016 a data breach occurred at the Uber concern in the form of unauthorized access to personal data of customers and drivers. The Uber concern is fined because it did not report the data breach to the Dutch DPA and the data subjects within 72 hours after the discovery of the breach," the Dutch DPA says.

The ICO also confirmed that the attackers were able to compromise Uber’s cloud-based storage system using a credential stuffing attack—"a process by which compromised username and password pairs are injected into websites until they are matched to an existing account"—a loophole that could have been "avoided."

"Uber US did not follow the normal operation of its bug bounty programme. In this incident Uber US paid outside attackers who were fundamentally different from legitimate bug bounty recipients: instead of merely identifying a vulnerability and disclosing it responsibly, they maliciously exploited the vulnerability and intentionally acquired personal information relating to Uber users," the ICO states.

The UK watchdog also said that none of the customers affected by the incident were notified of the breach. Instead, Uber started monitoring affected riders’ and drivers’ accounts for fraud 12 months after the cyber attack, when the incident was made public last year.

At the time, Uber notified regulatory authorities and offered affected drivers free credit monitoring and identity theft protection.

The company assured its users that other personal details, such as trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth, were not accessed in the attack.



from The Hacker News https://ift.tt/2SewAgW

IBM Security Bulletin: Vulnerabilities identified in IBM® Java SDK affect WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio (CVE-2018-3139 and CVE-2018-3180)

Nov 27, 2018 8:02 am EST

Categorized: Medium Severity


There are vulnerabilities in IBM® SDK Java™ Technology Edition, Version 6, which is used by WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio. These issues were disclosed as part of the IBM Java SDK updates in October 2018. They are also addressed by WebSphere Application Server Network Deployment shipped with WebSphere Service Registry and Repository.

CVE(s): CVE-2018-3139, CVE-2018-3180

Affected product(s) and affected version(s):

WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio V8.0 and V8.5 are affected.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10738633
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/151455
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/151497



from IBM Product Security Incident Response Team https://ift.tt/2FJh2kf