Thursday, February 28, 2019
STAR Continuous Increasing Trust and Integrity Brochure
from Cloud Security Alliance Blog https://ift.tt/2H59JlI
Cloud Security Alliance Debuts the Knowledge Center, a Comprehensive E-Learning Platform
Offers individuals, enterprises high-quality flexible training to complement and enhance knowledge, schedules and budgets
SAN FRANCISCO – March 4, 2019 – RSA CONFERENCE 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the launch of the CSA Knowledge Center. Built by CSA on its own research, the Knowledge Center is the only centralized place to take its vendor-neutral, research-backed courses, such as the Certificate of Cloud Security Knowledge (CCSK), CCSK Plus, Cloud Governance and Compliance (CGC) and Software Defined Perimeter (SDP) (coming soon), while giving both individuals and enterprises the flexibility to build their skills within tight budgets, all through a simplified learning platform.
The Knowledge Center is ideal for individuals wanting a flexible learning environment in order to gain added credibility and knowledge of cloud security but who lack sufficient resources to do so either due to time or budget constraints. Organizations, meanwhile, face a different set of challenges with dispersed teams, priorities, and responsibilities. They want to take proactive measures to ensure that their teams are fully equipped and confident to safely and securely navigate any moves to a cloud platform or new technology. For them, CSA e-learning extends the training budget while certifying their employees in an industry-backed, cloud security course.
“As new technologies emerge that have an impact and place in the cloud computing environment, the skills and knowledge necessary to keep organizations secure grow. It’s not surprising then that individuals need more than a one-time certificate. However, in-person and virtual-led trainings can be difficult to attend due to time out of the office and inconvenient locations,” said CSA CEO Jim Reavis. “We see the CSA Knowledge Center as filling a need within the industry and becoming the go-to platform when it comes to delving deeper into cloud computing concepts and the role new technologies play.”
Among its benefits to enterprises and individuals, alike, are:
- Stretched training budgets. Since the e-learning platform is less expensive, it stretches the training budgets of individuals and organizations farther.
- Flexibility. The platform gives individuals the ability to work around scheduled events, projects, and deadlines and go through content at their own pace.
- Credibility. The research that goes into the course is vendor-neutral and created by CSA’s network of professionals and subject-matter experts. The course material is straight from the source, and verified by CSA.
- Usability. An online, mobile, sleek platform makes taking the course a cleaner more pleasant experience.
Learn more about the Knowledge Center.
About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
Contact
Kari Walker for the CSA
ZAG Communications
703.928.9996
[email protected]
from Cloud Security Alliance Blog https://ift.tt/2H4tQka
Cloud Security Alliance Launches STAR Continuous, a Compliance Assessment Program for Cloud Service Providers
Chance to align security validation capabilities with cloud security compliance gives enterprises a competitive edge
SAN FRANCISCO – March 4, 2019 – RSA CONFERENCE 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced STAR Continuous Self Assessment, the first release of an evolving continuous-compliance assessment program for cloud services that gives cloud service providers (CSPs) the opportunity to align their security validation capabilities with cloud security compliance and certification on an ongoing basis.
CSA STAR Continuous is an integral part of the CSA STAR program, the industry’s leading cloud governance and compliance program that enables organizations to increase their levels of assurance and transparency for security and privacy. STAR consists of three levels of assurance (Self-Assessment, Third-Party Certification and Continuous Auditing), based upon the CSA Cloud Controls Matrix (CCM), the Consensus Assessments Initiative Questionnaire (CAIQ), and the CSA Code of Conduct for GDPR Compliance. Future releases will be Level 2 Extended Certification with Continuous Self-Assessment and Level 3 Continuous Certification.
“In attempting to reduce the complexity and costs of traditional IT, more organizations are evaluating cloud options first before making any new IT investments. However, many CIOs remain apprehensive about transferring services into the cloud—cyber security, ownership of data, and privacy are key concerns. Simultaneously, security controls, compliance, and the call for increased transparency are rapidly becoming baseline expectations of users – especially enterprise customers. STAR Continuous, which offers increased reliability of results, transparency and ease of use of the CSP’s assurance reports will give enterprises a competitive advantage in today’s environment,” said Daniele Catteddu, CTO, Cloud Security Alliance.
Among its benefits, STAR Continuous gives CSPs the opportunity to:
- update a STAR Self-Assessment on a monthly basis (STAR Continuous Self-Assessment);
- support a third-party based certification (e.g. STAR Certification) with additional and updated information on the CSP's security posture (STAR Certification/Attestation + STAR Continuous Self-Assessment); and
- establish a process to continuously audit a CSP's security program or ISMS, offering proof of an ISMS that goes beyond the basic compliance certification model and of a process that continually monitors critical aspects of the system (STAR Continuous Auditing).
In addition, it can help cloud service providers:
- provide top management with greater visibility so they can evaluate the effectiveness of their management system in real time against internal expectations, regulatory requirements and cloud security industry standards;
- implement an audit that is designed to reflect how their organization’s objectives are aimed at optimizing the cloud services;
- demonstrate progress and performance levels that go beyond the traditional “point in time” scenario; and
- provide their customers with a greater understanding of the level of controls that are in place, along with their effectiveness.
CSA is committed to helping customers have a deeper understanding of their security postures and to that end developed the CSA STAR Program in 2011. Since that time, the organization has continued to invest heavily in its success. Among the milestones:
- CSA STAR Attestation, which combines the CSA’s best practices with SOC 2 attestation reporting developed by the American Institute of CPAs (AICPA).
- Governments and enterprises around the world referenced CSA STAR in 2014 as a requirement for their RFPs.
- CSA, in conjunction with Chinese certification body CEPREI, developed a version of CSA STAR for the Chinese market based on the CSA CCM and Chinese national standard GB/T 22080.
- Enhancements to the CSA STAR web page to provide site visitors with an improved user experience.
- Hiring of John DiMaria, formerly of the British Standards Institution (BSI). DiMaria was a key innovator and co-author of the CSA STAR Certification for cloud providers, in addition to designing and developing the CSA STAR webinars. Prior to joining CSA, DiMaria was an active volunteer where he was co-chair of the Open Certification Framework (OCF) and Cloud Trust Protocol (CTP) Working Groups.
To learn more or get started, download STAR Continuous Technical Guidance.
from Cloud Security Alliance Blog https://ift.tt/2TmblhC
Cloud Security Alliance Debuts Internet of Things (IoT) Controls Framework and Accompanying Guide
Framework introduces base-level security controls required to mitigate numerous risks associated with IoT systems
SAN FRANCISCO – March 4, 2019 – RSA CONFERENCE 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the release of the CSA IoT Controls Framework, its first such framework for IoT, which introduces the base-level security controls required to mitigate many of the risks associated with an IoT system operating in a range of threat environments. Created by the CSA IoT Working Group, the new Framework together with its companion piece, the Guide to the CSA Internet of Things (IoT) Controls Framework, provides organizations with the context in which to evaluate and implement an enterprise IoT system that incorporates multiple types of connected devices, cloud services, and networking technologies.
With the implementation of increasingly complex IoT systems—defined by the European Union Agency for Network and Information Security as “cyber-physical ecosystem[s] of interconnected sensors and actuators, which enables intelligent decision making”—organizations need clear guidance to identify appropriate security controls and allocate them to specific components within their system. These components include but are not limited to simple sensors, simple actuators, edge devices, fog computing, mobile device/application, on-premise intermediary device, cloud gateway, and cloud app/service.
“This has been quite an intense and involved effort and we are excited to offer the IoT Controls Framework as a resource for designers and developers, who are tasked with creating secure IoT systems and other evaluators of IoT systems. Designers and developers can use this tool to continually evaluate the security of their implementation as they progress through the development life cycle. The tool offers a holistic evaluation of an IoT system to ensure it meets industry-specified best practices,” said Brian Russell, chair of the CSA Internet of Things Working Group.
Using the Framework, users assign a system classification based on the value of the data being stored and processed and the potential impact of various types of physical security threats. Regardless of the classification assigned, the Framework has utility across numerous IoT domains, from systems processing only “low-value” data with limited impact potential to highly sensitive systems that support critical services.
The CSA IoT Working Group develops frameworks, processes and best-known methods for securing these connected systems. Further, it addresses topics including data privacy, fog computing, smart cities and more. Individuals interested in becoming involved in future IoT research and initiatives are invited to visit the Internet of Things Working Group join page.
Both the Framework and Companion Guide are free, downloadable resources. Visit the CSA in Booth 1535 Moscone South to learn more.
from Cloud Security Alliance Blog https://ift.tt/2Tq73pi
Happy Birthday, Threat Response: Only a year old but boy have you seen some things!
Cisco Threat Response: For security analysts, by one of their own
The work of a security analyst is arduous and time consuming but rewarding too. I know, I spent a good part of my career sitting in a seat, investigating and responding to threats in a Security Operations Center (SOC). I spent way too many hours and weekends moving from console to console piecing together information from disparate systems to investigate a single threat. The various SOCs I was part of were made up of millions of dollars in the latest, best-of-breed technologies alongside open source components and scripts that were supposed to work together but too often didn’t.
That’s why I’ve been focused on designing and building systems to make the lives of the security analyst easier and their work more effective. It’s rewarding to see the products we’ve built have a positive impact on an analyst’s ability to do their job effectively. A year ago, we introduced a new application for security analysts to make security investigations fast and easy. It pulls content for detection and response from across the security stack: from the cloud, network, and endpoint together in a central location. We call it Cisco Threat Response.
Rapid Adoption
Since we released the first version of Threat Response a year ago, it has been used in more than 3,600 SOCs, and has even added value in organizations without full blown SOCs. The feedback has been incredible and has given us so much confidence in Cisco Threat Response, we’re giving it away at no cost to existing customers. It’s included with the license for any Cisco Security product that integrates with it. As good as our Cisco Security products perform on their own, we know that they are even more effective when they’re used together. It’s all about making your SOC operations run faster: from detection, through investigation, to remediation. How? It’s all API-driven.
API-Driven
Cisco Security products have used APIs for years. The difference now is that Cisco Threat Response pulls them together so you don’t have to. With long lists of observables to investigate, Threat Response gets you immediate answers by calling both threat intelligence and our security portfolio APIs — confirming threats and showing you exactly where you’re affected — delivering a clear view of what’s happening.
Customers are excited to learn they can also utilize these APIs to integrate Threat Response directly into their existing Security Incident and Event Management systems (SIEMs) and Security Orchestration, Automation, and Response tools (SOARs). Customers even report they see Threat Response reducing the burden on their SIEMs.
And our customers seem to love this approach. One customer wrote to us “I like quickly being able to see infections on my network and this presents them in a really nice fashion…” Another said, “You cannot hit a target you cannot see. Threat Response simplifies security analysis”
Security integrations that simplify SOC operations
Picture a typical investigation that happens many times a day in SOCs around the world: a potential Emotet malware outbreak. Maybe you’ve investigated it yourself. Emotet, a well-known banking trojan that attackers love, keeps coming back in fresh, new forms. The Indicators of Compromise associated with it include a very, very long list of known file hashes, distribution domains, and command-and-control IP addresses. Investigating these observables one at a time to see if you’re affected can take hours.
Cisco Threat Response calls threat intelligence APIs to gather all the dispositions for each one at once. Then it calls the Cisco Security products’ APIs and learns what each one knows about every observable. Cisco AMP for Endpoints knows what systems have the malicious file hashes. Cisco Umbrella knows which devices called out to malicious domains. Integrating your Email Security Appliance (ESA) lets you know who received that attachment or phishing URL, and so forth, until it gathers everything necessary to show you exactly what is happening in your environment.
More than a Pretty Face
Threat Response reflects years of back-end integration work by engineering. It begins and ends with a highly integrated architecture of world-class threat intelligence coupled with the integration of advanced security technologies covering the attack surface across the cloud, network and endpoint. This is critical for effective, consistent detection and response across the critical points of your architecture.
Borrowing from the earlier example, an unknown file in an Emotet variant gets analyzed by our Threat Grid Malware Analysis engine and finds malicious behavior. Our architecture allows Threat Grid to share this intelligence across the entire portfolio so this file is blocked at the endpoint, in email, on the network for every customer around the world in a matter of minutes. And Threat Response shows you exactly every place where you were targeted by that file and confirms where it was blocked or detected.
Getting the Full Picture – the Relations Graph
That clear view we provide is perhaps the most compelling technology in Cisco Threat Response. By visually depicting the relationships among the observables and dispositions, the affected systems in your environment (called Targets and shown in purple), and the other systems that are related to the outbreak, you’ll know immediately whether you’re affected and how. Skip the hours and hours of investigation time.
Plus, you can take action directly from the Relations Graph. It provides actions (called Pivot Menus) from which you can continue the investigation in the other products’ consoles (taking you there seamlessly) or call their APIs directly to take action. Those Targets shown in purple? Maybe you want to quarantine those hosts through AMP for Endpoints, which you can do with a single click. Those malicious C2 domains? Maybe you want to tell Umbrella to block, at the DNS layer, everything on your network from connecting to them, which you can with another click.
Sources of Detection
Threat Response is driven by the individual Cisco Security products and threat intelligence sources that feed into it. Cisco Talos research and Threat Grid for threat intelligence, Threat Grid for static and dynamic file analysis, AMP for Endpoints for dynamic and retrospective endpoint detection and response, Email Security (the number one vector of attack), Umbrella for internet domain intelligence and blocking, and Next Generation Firewall for network detection and blocking. Threat Response brings these products together to bring you context about the events seen in your environment allowing you to further enrich this context with your own intelligence sources.
Operationalizing Threat Intelligence
One of the most popular features is the browser plug-in we’ve developed that takes unstructured data from any webpage or application, finds the observables or indicators of compromise and automatically renders a verdict on each observable (clean, malicious, unknown) based on our threat intelligence. Like that Talos blog example we used earlier: one click pulls all the observables mentioned on that page without the need to manually cut and paste each one (and there are 634 observables mentioned – I had them counted!). Moreover, you can access the Threat Response pivot menu, including domain blocking, without ever leaving the page.
The best part about Threat Response is the rate of innovation within the application. The endgame is better cybersecurity through better SOC operations: faster detections, simpler investigations, and immediate responses. We love what we have released to date and are even more excited about our roadmap. Our engineering teams are delivering new enhancements, including new features and product integrations, every two weeks. There’s much more to say about Threat Response than I can detail in a blog. I encourage you to experience it for yourself. The work of the SOC teams is too important to be tedious, and increasing their efficiency will have better security outcomes for everyone. The best way to take it for a test drive is to get a free trial of one of the products that integrate with it today:
AMP for Endpoints, Umbrella, Threat Grid, Email Security.
Learn more about Cisco Threat Response, check it out at cisco.com/go/threatresponse
from Cisco Blog » Security https://ift.tt/2TpJcWM
USN-3900-1: GD vulnerabilities
libgd2 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary
Several security issues were fixed in GD.
Software Description
- libgd2 - GD Graphics Library
Details
It was discovered that GD incorrectly handled memory when processing certain images. A remote attacker could use this issue with a specially crafted image file to cause GD to crash, resulting in a denial of service, or possibly execute arbitrary code.
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 18.10
  - libgd-tools - 2.2.5-4ubuntu1.1
  - libgd3 - 2.2.5-4ubuntu1.1
- Ubuntu 18.04 LTS
  - libgd-tools - 2.2.5-4ubuntu0.3
  - libgd3 - 2.2.5-4ubuntu0.3
- Ubuntu 16.04 LTS
  - libgd-tools - 2.1.1-4ubuntu0.16.04.11
  - libgd3 - 2.1.1-4ubuntu0.16.04.11
- Ubuntu 14.04 LTS
  - libgd-tools - 2.1.0-3ubuntu0.11
  - libgd3 - 2.1.0-3ubuntu0.11
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
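One way to verify that a fleet actually meets the fixed versions above, as an added example that is not part of the Ubuntu notice: the script re-implements the Debian package version ordering (epoch, upstream, revision, with `~` sorting before everything) so it runs without `dpkg`, and checks a constructed sample of `dpkg-query` output against the USN-3900-1 table.

```python
"""Check installed libgd packages against the fixed versions in USN-3900-1.

Added example, not part of the Ubuntu notice. The version comparison follows
the Debian policy ordering rules; the dpkg-query sample below is constructed.
"""
import re

# Fixed versions exactly as listed in USN-3900-1, keyed by Ubuntu release.
FIXED_VERSIONS = {
    "18.10": "2.2.5-4ubuntu1.1",
    "18.04": "2.2.5-4ubuntu0.3",
    "16.04": "2.1.1-4ubuntu0.16.04.11",
    "14.04": "2.1.0-3ubuntu0.11",
}
AFFECTED_PACKAGES = ("libgd3", "libgd-tools")


def _order(c: str) -> int:
    """Debian ordering of one non-digit character: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision string by alternating non-digit and digit runs."""
    while a or b:
        # Non-digit run: character by character using the Debian ordering.
        ma = re.match(r"[^0-9]*", a).group()
        mb = re.match(r"[^0-9]*", b).group()
        a, b = a[len(ma):], b[len(mb):]
        for i in range(max(len(ma), len(mb))):
            ca = ma[i] if i < len(ma) else ""
            cb = mb[i] if i < len(mb) else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        # Digit run: compared numerically, so leading zeros do not matter.
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"   # missing revision counts as 0
    return int(epoch), upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1, ordering v1 against v2 as dpkg --compare-versions does."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    result = _compare_fragment(u1, u2)
    return result if result else _compare_fragment(r1, r2)


def parse_dpkg_output(text: str) -> dict:
    """Parse lines in the shape produced by: dpkg-query -W -f '${Package} ${Version}\\n'."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def check_usn_3900_1(release: str, installed: dict) -> dict:
    """Map each installed affected package to True (at or above the fix) or False."""
    fixed = FIXED_VERSIONS[release]
    return {pkg: compare_versions(installed[pkg], fixed) >= 0
            for pkg in AFFECTED_PACKAGES if pkg in installed}


# Constructed sample: an 18.04 host where libgd3 is patched but libgd-tools lags behind.
SAMPLE_DPKG_OUTPUT = """\
libgd3 2.2.5-4ubuntu0.3
libgd-tools 2.2.5-4ubuntu0.2
libpng16-16 1.6.34-1ubuntu0.18.04.2
"""

if __name__ == "__main__":
    status = check_usn_3900_1("18.04", parse_dpkg_output(SAMPLE_DPKG_OUTPUT))
    for pkg, ok in status.items():
        print(f"{pkg}: {'fixed' if ok else 'VULNERABLE, update required'}")
```

On a real host, feed the output of `dpkg-query -W -f '${Package} ${Version}\n' libgd3 libgd-tools` and the release from `/etc/os-release` into `check_usn_3900_1` instead of the constructed sample.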
from Ubuntu Security Notices https://ift.tt/2Th8nLr
IBM Security Bulletin: IBM Cloud Private is affected by an issue with runc used by Docker
IBM Cloud Private is affected by an issue with runc used by Docker. The vulnerability allows a malicious container to overwrite the host runc binary and thus gain root-level code execution on the host
CVE(s): CVE-2019-5736
Affected product(s) and affected version(s):
IBM Cloud Private 3.1.x
IBM Cloud Private 2.1.x
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10871642
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/156819
The post IBM Security Bulletin: IBM Cloud Private is affected by an issue with runc used by Docker appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2IIsQ7P
IBM Security Bulletin: Kernel Buffer Overflow in IBM Security Trusteer Rapport for MacOS (CVE-2018-1985)
IBM Security Trusteer Rapport for MacOS is bundled with a driver which has a buffer overflow vulnerability. The affected driver was removed from the package.
CVE(s): CVE-2018-1985
Affected product(s) and affected version(s):
IBM Security Rapport for MacOS with version below 3.6.1908.26.
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10869212
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/154207
The post IBM Security Bulletin: Kernel Buffer Overflow in IBM Security Trusteer Rapport for MacOS (CVE-2018-1985) appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2TlNqPm
Anticipating the Unknowns: 2019 Cisco CISO Benchmark Study
Today, we released our CISO Benchmark Study, an annual global survey of information security leaders working at organizations of all sizes and in all industries all over the world. With over 3200 respondents across 18 countries, the study offers a solid view of what’s on the minds and to-do lists of those on the front lines of Infosec worldwide.
This year’s study focused on getting “ready for the unknowns” that exist outside and inside all organizations. Our lines of inquiry explored how respondents set themselves up for success, how they approach vendor/solution selection and alert management, and how they manage breach readiness and response. The findings shed light on actions that are delivering results when it comes to strengthening organizational cyber health, allowing CISOs and other security leaders to learn from their peers.
The Good News
A very interesting and positive finding revealed the benefits of collaboration between the networking and security teams. There was a strong correlation between those who were extremely collaborative and the total cost of their most impactful breach, which was below $100,000―the lowest category of a breach cost. This could suggest an easy way for companies to reap real benefits―by creating culture and processes where teams are aligned on the same outcomes to reduce the silos between these groups.
We also saw notable confidence in cloud-delivered security and in securing the cloud. Ninety-three percent of CISOs reported that migrating to the cloud increased efficiency and effectiveness for their teams.
The survey showed the use of risk assessments and risk metrics that span across the business, in part due to cyber insurance, playing a more important role in technology selection and helping CISOs focus on their operational practices. Forty percent of respondents are using cyber insurance, at least in part, to set their budgets.
Measuring outcomes against investments is the best data-driven approach to budgeting. Controlling security spending based on previous years’ budgets or on a percentage of revenue were both popular choices, but neither necessarily correlates with better security.
Opportunities for Improvement
Employees/users continue to be one of the greatest protection challenges for CISOs. Sadly, only 51 percent of survey respondents feel they are doing an excellent job of managing employee security. Risky user behavior (e.g. clicking on malicious links in email or websites) remains high and is one of the top CISO concerns. Having an organizational process that starts with security awareness training on day one is essential and should be part of any organization’s culture.
There are proven processes that organizations can employ to reduce their exposure and the extent of breaches. Have a plan, test the plan and prepare with drills. Each party – Security, IT, Incident Response, Legal, PR, and Management – should know what role they play and practice it. No plan or drill is perfect, but during a real, dynamic situation, practice allows you to adjust in a predictable way that doesn’t surprise the team and ensures the incident has minimal impact. Bad things will happen; how you respond is the difference between a non-event and a headline.
And, it’s no surprise that alert management continues to pose challenges. That’s often because organizations are using multiple disparate security products that don’t share alert data or help prioritize alerts via limited dashboards. This is an area where AI and automation could greatly help. Although vendor consolidation is occurring slowly, there is still a long way to go. Reducing the number of security vendors also helps teams focus on more important work like remediation.
The study offers insights on several other key issues: technology infrastructure refresh, architectural approach and more. We invite you to download the report to read the full details.
It’s compelling for me as a CISO to see these findings. In my own role, I experience the benefits of collaboration and of setting metrics and target outcomes to help plan, budget and better manage risk for our company.
By integrating security and trust across the network, cloud, internet, email and endpoints, Cisco is proud to provide a cohesive set of solutions to comprehensively help security professionals detect and protect their entire enterprise. We’ll keep exploring the latest trends and developments that are challenging security professionals, so we can continue improving our solutions to address tomorrow’s security needs.
For more information, and to access our entire Cybersecurity Report Series of research-based, data-driven reports, visit https://www.cisco.com/go/securityreports.
from Cisco Blog » Security https://ift.tt/2VsEtBi
Hackers' Favorite CoinHive Cryptocurrency Mining Service Shutting Down
Coinhive, a notorious in-browser cryptocurrency mining service popular among cybercriminals, has announced that it will discontinue its services on March 8, 2019.
Regular readers of The Hacker News already know how Coinhive's service helped cyber criminals earn hundreds of thousands of dollars by using the computers of millions of people visiting hacked websites.
For a brief recap: In recent years, cybercriminals leveraged every possible web vulnerability [in Drupal, WordPress, and others] to hack thousands of websites and wireless routers, and then modified them to secretly inject Coinhive's JavaScript-based Monero (XMR) cryptocurrency mining script into web pages to financially benefit themselves.
Millions of online users who visited those hacked websites immediately had their computers' processing power hijacked, also known as cryptojacking, to mine cryptocurrency without their knowledge, potentially generating profits for cybercriminals in the background.
Now, while explaining the reason for the shutdown in a note published on its website yesterday, the Coinhive team said mining Monero via internet browsers is no longer "economically viable."
"The drop in hash rate (over 50%) after the last Monero hard fork hit us hard. So did the 'crash' of the cryptocurrency market with the value of XMR depreciating over 85% within a year," the service said.
"This and the announced hard fork and algorithm update of the Monero network on March 9 has lead us to the conclusion that we need to discontinue Coinhive."
Users with a Coinhive account whose balance is above the minimum payout threshold can withdraw funds from their accounts before April 30, 2019.
Though Coinhive was launched as a legitimate service that let website administrators generate revenue from their sites as an alternative to advertising, its extensive abuse by cybercriminals forced tech companies and security tools to label it as "malware" or a "malicious tool."
To prevent cryptojacking by browser extensions that mine digital currencies without users' knowledge, last year Google banned all cryptocurrency-mining extensions from its Chrome Web Store. A few months after that, Apple also banned all cryptocurrency-mining apps from its official App Store.
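For a site owner, the practical question raised by the article is whether one of their pages has been modified to load a miner. The following is an added example, not code from The Hacker News or from Coinhive: it scans a page's HTML for a script loaded from a miner's domain or an inline call to the miner's constructor. The sample pages are constructed, and the domain list is an assumption that a real deployment would replace with a maintained blocklist.

```python
"""Static scan of a page for an injected in-browser miner (Coinhive-style)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators. "coinhive.com" and the CoinHive.Anonymous / CoinHive.User
# constructors are the miner's own published names; "authedmine.com" was its
# opt-in variant. Treat this list as an assumption for the example and feed a
# maintained blocklist in production.
MINER_SCRIPT_DOMAINS = {"coinhive.com", "authedmine.com"}
MINER_API_PATTERNS = [
    ("CoinHive.Anonymous", re.compile(r"new\s+CoinHive\.Anonymous\s*\(")),
    ("CoinHive.User", re.compile(r"new\s+CoinHive\.User\s*\(")),
]


def _matches_domain(host, blocklist):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in blocklist)


class MinerScanner(HTMLParser):
    """Collects (kind, detail) findings for external and inline miner scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._in_script = True
        self._inline = []
        src = dict(attrs).get("src") or ""
        # urlparse handles absolute and scheme-relative ("//host/...") URLs;
        # a same-origin relative path has no hostname and is skipped here.
        host = urlparse(src).hostname
        if host and _matches_domain(host, MINER_SCRIPT_DOMAINS):
            self.findings.append(("script-src", host))

    def handle_data(self, data):
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag.lower() != "script":
            return
        body = "".join(self._inline)
        for name, pattern in MINER_API_PATTERNS:
            if pattern.search(body):
                self.findings.append(("inline-api", name))
        self._in_script = False
        self._inline = []


def scan_html(html):
    """Return a list of (kind, detail) findings; an empty list means nothing matched."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a page with an injected miner next to legitimate scripts.
INJECTED_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.start();
</script>
</head><body><p>Welcome</p></body></html>"""

CLEAN_PAGE = """<html><head><script src="https://cdn.example.com/app.js"></script>
</head><body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for label, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(label, scan_html(page))
```

Running this over a crawl of your own pages (or over a stored copy and a freshly fetched copy, to catch post-deployment tampering) gives a cheap integrity check; obfuscated loaders will evade a string match, so treat a hit as a certain finding and a miss as no information.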
from The Hacker News https://ift.tt/2T6le3P
Wednesday, February 27, 2019
Cisco Releases Security Updates
Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco Advisories and apply the necessary updates:
- Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability cisco-sa-20190227-rmi-cmd-ex
- Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools Update Service Command Injection Vulnerability cisco-sa-20190227-wmda-cmdinj
This product is provided subject to this Notification and this Privacy & Use policy.
from US-CERT National Cyber Alert System https://ift.tt/2II91gN
National Consumer Protection Week
National Consumer Protection Week (NCPW) is March 3–9. This annual event encourages individuals and businesses to learn about their consumer rights and how to keep themselves secure. The Federal Trade Commission (FTC) and its NCPW partners provide free resources to protect consumers from fraud, scams, and identity theft.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages consumers to review FTC’s NCPW resource page, participate in the NCPW Twitter chats and Facebook Live event, and review the following CISA tips:
- Protecting Your Privacy
- Avoiding Social Engineering and Phishing Attacks
- Preventing and Responding to Identity Theft
from US-CERT National Cyber Alert System https://ift.tt/2EAY7Fo
USN-3898-2: NSS vulnerability
nss vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary
NSS could be made to crash if it received specially crafted network traffic.
Software Description
- nss - Network Security Service library
Details
USN-3898-1 fixed a vulnerability in NSS. This update provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Hanno Böck and Damian Poddebniak discovered that NSS incorrectly handled certain CMS functions. A remote attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service.
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 12.04 ESM
- libnss3 - 2:3.28.4-0ubuntu0.12.04.3
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart any applications that use NSS, such as Evolution, to make all the necessary changes.
from Ubuntu Security Notices https://ift.tt/2TnIOIo
USN-3899-1: OpenSSL vulnerability
openssl, openssl1.0 vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary
OpenSSL could be made to expose sensitive information over the network.
Software Description
- openssl1.0 - Secure Socket Layer (SSL) cryptographic library and tools
- openssl - Secure Socket Layer (SSL) cryptographic library and tools
Details
Juraj Somorovsky, Robert Merget, and Nimrod Aviram discovered that certain applications incorrectly used OpenSSL and could be exposed to a padding oracle attack. A remote attacker could possibly use this issue to decrypt data.
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 18.10
- libssl1.0.0 - 1.0.2n-1ubuntu6.2
- Ubuntu 18.04 LTS
- libssl1.0.0 - 1.0.2n-1ubuntu5.3
- Ubuntu 16.04 LTS
- libssl1.0.0 - 1.0.2g-1ubuntu4.15
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make all the necessary changes.
from Ubuntu Security Notices https://ift.tt/2SraTKw
USN-3898-1: NSS vulnerability
nss vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary
NSS could be made to crash if it received specially crafted network traffic.
Software Description
- nss - Network Security Service library
Details
Hanno Böck and Damian Poddebniak discovered that NSS incorrectly handled certain CMS functions. A remote attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service.
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 18.10
- libnss3 - 2:3.36.1-1ubuntu1.2
- Ubuntu 18.04 LTS
- libnss3 - 2:3.35-2ubuntu2.2
- Ubuntu 16.04 LTS
- libnss3 - 2:3.28.4-0ubuntu0.16.04.5
- Ubuntu 14.04 LTS
- libnss3 - 2:3.28.4-0ubuntu0.14.04.5
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart any applications that use NSS, such as Evolution, to make all the necessary changes.
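Confirming that a host actually meets the fixed versions listed in USN-3898-1 and USN-3899-1 means comparing Debian version strings correctly: epochs such as `2:` and revisions such as `-0ubuntu0.16.04.5` do not sort lexicographically. This added example, which is not part of the Ubuntu notices, implements the `dpkg --compare-versions` ordering in Python and checks a host's installed versions against the fixed versions quoted in the two notices; the installed versions used in the check are constructed.

```python
"""Check installed package versions against the fixed versions listed in a USN."""
import re

# Fixed versions from USN-3898-1 (libnss3) and USN-3899-1 (libssl1.0.0), as
# printed in the notices above.
FIXED_VERSIONS = {
    "18.10": {"libnss3": "2:3.36.1-1ubuntu1.2", "libssl1.0.0": "1.0.2n-1ubuntu6.2"},
    "18.04": {"libnss3": "2:3.35-2ubuntu2.2", "libssl1.0.0": "1.0.2n-1ubuntu5.3"},
    "16.04": {"libnss3": "2:3.28.4-0ubuntu0.16.04.5", "libssl1.0.0": "1.0.2g-1ubuntu4.15"},
    "14.04": {"libnss3": "2:3.28.4-0ubuntu0.14.04.5"},
}


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts (dpkg rules)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(ch):
    """dpkg character ordering: '~' < end-of-string < letters < other symbols."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _order(a[i] if i < len(a) else "")
        ob = _order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare one upstream or revision string, alternating text runs and number runs."""
    while a or b:
        ta, tb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _cmp_nondigit(ta, tb)
        if r:
            return r
        a, b = a[len(ta):], b[len(tb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def check_host(release, installed):
    """Map each package named in the notice to True if the installed version is at or above the fix."""
    fixed = FIXED_VERSIONS[release]
    return {pkg: compare_versions(installed[pkg], fixed[pkg]) >= 0
            for pkg in installed if pkg in fixed}


if __name__ == "__main__":
    # Constructed installed versions for an 18.04 host that has NSS outstanding.
    print(check_host("18.04", {"libnss3": "2:3.35-2ubuntu2.1", "libssl1.0.0": "1.0.2n-1ubuntu5.3"}))
```

On a real host the installed strings come from `dpkg-query -W -f='${Version}' libnss3` (and likewise for `libssl1.0.0`), and the release from `VERSION_ID` in `/etc/os-release`; the NSS notice also means a passing version check is not enough on its own, since applications that loaded the old library must be restarted.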
from Ubuntu Security Notices https://ift.tt/2XqrWjo
The Zero Trust Games are here!
Every year at RSA Conference, a pitched battle ensues for the heart and soul of the security practitioner. Or at least for the mind: there’s the word cloud of topics that show up most often in the CFP submissions, but there are more slogans, phrases and concepts that meet in the expo hall to fight for supremacy. Remember when we all argued about what “cloud” meant? That term seems to have settled down over time, and “risk” is still eluding firm definition, along with “machine learning” and “artificial intelligence,” but the newest kid on the block will probably be the one with the biggest variety of gladiators in the ring: “zero trust.”
Even though it’s still being debated and explained, it’s not a new concept. The Jericho Forum called it “de-perimeterization” at the turn of the century, although I suspect the term didn’t catch on more broadly because it’s difficult to pronounce after a couple of pints of beer. John Kindervag solved that problem by coining the term “zero trust,” which even I can say at two o’clock in the morning. Google dubbed their implementation BeyondCorp, Intel called theirs Beyond the Edge, and now that we have Zero Trust eXtended (ZTX) from Forrester and CARTA from Gartner, it’s a wonder that anyone can find common ground.
Even the word “trust” can be slippery. In this context it can mean granting access without verifying (which you should never do), or it can mean granting access to something because you verified it. Either way, we can all agree on the concept that you shouldn’t trust something just because it’s on the inside of your network. That’s how attackers manage lateral movement, and how insiders of all sorts get free rein. The model of untrusted outside versus trusted inside doesn’t work well any more.
How do you verify something? How often do you check those factors, and for how long do you allow the access before you reset that trust and verify again? Most importantly, how do you keep verifying without annoying your users? These are the important questions that you should be asking if you’re interested in learning about zero trust (or, as we prefer to call it at Cisco, Trusted Access).
Whether you’re pursuing this model for your workforce, or your workloads, or both, consider where you might place today’s perimeters. If you think about a perimeter as being anyplace where you make an access control decision, it could be at more than one layer in the stack. Some decisions still belong at the network layer; others might rest with the application or even the identity. Be ready to explore the possibilities.
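To make the questions in the last two paragraphs concrete (what is verified, how long a verification stays good, and where the decision is made), here is an added example that is not Cisco’s or Duo’s code: an access decision written so that network location is recorded for audit but never consulted, with a per-resource limit on how old a strong verification may be and a device-posture requirement that cannot be satisfied by re-authenticating. The resource names, time limits and posture checks are assumptions chosen for illustration.

```python
"""Access decision that does not treat network location as a trust signal."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # ask the user to re-verify instead of failing outright
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    user: str
    mfa_verified_at: Optional[float]   # epoch seconds of the last strong verification, if any
    device_managed: bool
    device_patched: bool
    network: str                       # "office", "vpn" or "internet"; recorded for audit only


@dataclass(frozen=True)
class Policy:
    max_trust_age: int            # seconds a verification stays valid for this resource
    require_managed_device: bool


# Constructed per-resource policies; the numbers are illustrative, not a recommendation.
POLICIES = {
    "wiki":    Policy(max_trust_age=8 * 3600, require_managed_device=False),
    "payroll": Policy(max_trust_age=15 * 60,  require_managed_device=True),
}


def decide(resource, ctx, now):
    """Evaluate one access request. ctx.network is deliberately never read here."""
    policy = POLICIES[resource]
    if policy.require_managed_device and not (ctx.device_managed and ctx.device_patched):
        return Decision.DENY        # a posture failure is not fixed by authenticating again
    if ctx.mfa_verified_at is None or now - ctx.mfa_verified_at > policy.max_trust_age:
        return Decision.STEP_UP     # trust has expired for this resource: verify, then retry
    return Decision.ALLOW


def location_is_irrelevant(resource, ctx, now):
    """Self-check for the policy: the outcome must be identical from every network."""
    outcomes = {decide(resource, replace(ctx, network=n), now)
                for n in ("office", "vpn", "internet")}
    return len(outcomes) == 1


if __name__ == "__main__":
    now = 1_000_000.0
    on_office_lan_unmanaged = Context("bob", now - 60, False, False, "office")
    print(decide("payroll", on_office_lan_unmanaged, now))   # DENY despite being "inside"
    print(decide("wiki", on_office_lan_unmanaged, now))      # ALLOW: wiki policy is looser
```

The point of the split between STEP_UP and DENY is the user-annoyance question above: a stale verification is answered with a re-prompt scoped to the sensitive resource, while looser resources keep the longer window, so users are challenged where it matters rather than everywhere.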
I’ll be presenting on this topic at our Cisco Customer Summit during RSA, and you’ll see many other discussions of zero trust throughout the conference. Paul Simmonds, one of the original Jericho Forum members and CEO of the Global Identity Foundation, will talk about “The Fallacy of the Zero-Trust Network.” Stop by our Duo booth (#1835, south expo) to see demos of how you can start your journey to zero trust with multi-factor authentication. Many members of the Duo & Cisco Security teams will be speaking in the Cisco booth (#6045, north expo) too, with such thrilling titles as “Zero Trust – A Transformational Approach” and “Zero Trust and the Flaming Sword of Justice.” No matter what you want to call it, we’ll pay tribute to it at RSA Conference, and we look forward to seeing you there.
Check out our event site to stay up-to-date on all of the Cisco happenings at RSAC 2019. We hope to connect with you soon!
from Cisco Blog » Security https://ift.tt/2H2LULk
Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability
Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
Cisco fixed this vulnerability in the following releases:
- RV110W Wireless-N VPN Firewall: 1.2.2.1
- RV130W Wireless-N Multifunction VPN Router: 1.0.3.45
- RV215W Wireless-N VPN Router: 1.3.1.1
Customers can download the software from the Software Center on Cisco.com by clicking Browse All and doing the following:
RV110W and RV215W
- Choose Routers > Small Business Routers > Small Business RV Series Routers > RV110W Wireless-N VPN Firewall or RV215W Wireless-N VPN Router > Wireless Router Firmware.
- Access releases by using the left pane of the RV110W Wireless-N VPN Firewall or RV215W Wireless-N VPN Router page.
RV130W
- Choose Routers > Small Business Routers > Small Business RV Series Routers > RV130W Wireless-N Multifunction VPN Router > Small Business Router Firmware.
- Access releases by using the left pane of the RV130W Wireless-N Multifunction VPN Router page.
from Cisco Security Advisory https://ift.tt/2XmB7BD
Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools Update Service Command Injection Vulnerability
Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
Cisco Webex Meetings Desktop App (Cisco Webex Meetings Suite WBS33)
This vulnerability is fixed in Cisco Webex Meetings Desktop App Releases 33.6.6 and 33.9.1.
Administrators can update the Cisco Webex Meetings Desktop App for their user base by following the instructions available in the document IT Administrator Guide for Mass Deployment of the Cisco Webex Meetings Desktop App.
Users can update the Cisco Webex Meetings Desktop App by launching the Cisco Webex Meetings application and clicking the gear icon in the top right of the application window and then choosing the Check for Updates entry from the drop-down list. This is also documented in the article Update the Cisco Webex Meetings Desktop App.
Cisco Webex Productivity Tools (Cisco Webex Meetings Suite WBS32)
This vulnerability is fixed in Cisco Webex Productivity Tools Release 33.0.7.
Cisco Webex Productivity Tools is an optional companion application that allows users to quickly schedule and join meetings from their desktop without the need to access the Meetings website. The application should not be confused with the Cisco Webex Meetings Client, which is the main client application that provides the core functionality to host or attend a Webex meeting.
Administrators can update the Cisco Webex Productivity Tools for their user base by following the instructions available in the document IT Administrator Guide for Mass Deployment of the Cisco Webex Meetings Desktop App.
Users can update the Cisco Webex Productivity Tools by launching the Cisco Webex Meetings application and clicking Settings in the top right of the application window and then choosing Check for Updates from the drop-down list. This is documented in more detail in the article Check for Cisco Webex Productivity Tools Updates for Windows.
from Cisco Security Advisory https://ift.tt/2XssPIv
Cisco Security at Work: Threatwall at Mobile World Congress 2019
If you attended a Cisco Live or an RSA conference in the past couple of years you may have come across a display entitled “Cisco Security at Work”. This display, often referred to as the Threatwall, is a live display of threats on the wireless network at the conferences where it is deployed. Currently we have the Threatwall deployed at Mobile World Congress (MWC) 2019.
As open networks that event attendees can join, conference wireless networks are always interesting and over the last few years we have observed varying threats and trends in networks and so far, MWC has proven to be no exception.
First, a brief description of the Threatwall. We feed it a ten-gigabit SPAN from the edge of the wireless network, which is sent through a Firepower appliance and a Stealthwatch Flow Sensor. These drive the four screens, on which we display two visuals each from version 2.3 of the Firepower Management Console (FMC) and version 7.0 of the Stealthwatch Management Console (SMC). In the deployment at MWC this week we are even using a beta version of the Stealthwatch 7.1 Flow Sensor, which generates enhanced telemetry to better power Encrypted Traffic Analytics.
Here are some stats about the network after the first day of the conference as seen in both the FMC and the SMC dashboards:
- Over 58,000 hosts have joined the network, communicating 1.1T of internal (east-west traffic) and 46.8T of traffic exchanged between the conference network and the outside world
- Of the 46.8T of traffic, approximately 29.7T of it was encrypted
- The more than 58,000 hosts are of varying device types, with those running Mac OSX/iOS being the most prevalent.
The growth in encrypted traffic is interesting and continues a trend we’ve been seeing over the past several years. Digging deeper, we can see that HTTPS is by far the most prevalent application on the network. The chart below, Traffic by Application, is also potentially misleading, as some of the listed applications (e.g. Facebook) are in fact communicating over HTTPS.
Digging deeper in Stealthwatch, we can see that there is approximately an 85:15 ratio of HTTPS to HTTP traffic on the show floor today. This ratio is consistent with what we have seen on other conference networks, and the percentage of HTTPS is slowly increasing at every event.
As a network that attracts many different people and devices, the MWC network, like any conference network, also attracts its fair share of threats and other oddities. The first observation of note is the number of hosts identified by Stealthwatch as scanning the network interior (23). Seven hosts on the inside network successfully connected to an SMB share on the internet, and to 89 DNS servers that are not the ones provided by the wireless network’s DHCP server.
Using DNS services other than those issued by the corporate network is a common technique in malicious software, and flipping over to the FMC we can see a number of hosts that appear to be infected with various forms of malware, specifically trojans reaching outbound.
We can also see that the trend of using a point of presence on a victim device to perform cryptomining is still quite prevalent. The first time we saw this trend in the Threatwall was at Cisco Live Barcelona 2018 and it continued throughout 2018 and now into 2019.
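The three observations above (hosts scanning the network interior, SMB connections to the internet, and resolvers other than the DHCP-issued ones) are simple to express over flow records, and the same rules work on any exported flow telemetry. This is an added example, not Stealthwatch logic or Cisco code; the flow tuples, the 10.0.0.0/8 internal range, the issued resolvers and the scan threshold are all constructed.

```python
"""Flag rogue DNS use, external SMB and internal scanning in flow records."""
import ipaddress
from collections import defaultdict

# Constructed environment: the conference network and the resolvers its DHCP
# server hands out. Replace with the real address plan when deploying.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ISSUED_DNS = {"10.0.0.53", "10.0.1.53"}
SCAN_THRESHOLD = 10   # distinct internal destinations before a source is called a scanner

# Constructed flow records: (src, dst, proto, dst_port). Not captured data.
FLOWS = [
    ("10.20.4.17", "10.0.0.53", "udp", 53),          # normal: issued resolver
    ("10.20.4.17", "93.184.216.34", "tcp", 443),
    ("10.20.9.8",  "8.8.8.8", "udp", 53),            # resolver not issued by DHCP
    ("10.20.9.8",  "203.0.113.7", "tcp", 445),       # SMB to the internet
    ("10.20.9.8",  "203.0.113.7", "tcp", 443),
] + [("10.20.5.1", f"10.20.6.{i}", "tcp", 22) for i in range(1, 13)]   # 12 hosts probed


def _is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def analyse(flows, issued_dns=ISSUED_DNS, scan_threshold=SCAN_THRESHOLD):
    """Return three findings tables keyed by source address:
    rogue_dns     -> set of non-issued resolvers the source queried
    external_smb  -> set of internet hosts the source reached on TCP/445
    scanners      -> number of distinct internal destinations (>= threshold)
    """
    rogue_dns = defaultdict(set)
    external_smb = defaultdict(set)
    internal_targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if dport == 53 and dst not in issued_dns:
            rogue_dns[src].add(dst)
        if proto == "tcp" and dport == 445 and not _is_internal(dst):
            external_smb[src].add(dst)
        if _is_internal(src) and _is_internal(dst):
            internal_targets[src].add(dst)
    scanners = {src: len(t) for src, t in internal_targets.items() if len(t) >= scan_threshold}
    return {"rogue_dns": dict(rogue_dns), "external_smb": dict(external_smb), "scanners": scanners}


if __name__ == "__main__":
    for kind, table in analyse(FLOWS).items():
        print(kind, table)
```

The scan rule counts distinct destinations per source without a time window, which is fine for a day's worth of conference flows but should be bucketed by interval on a long-lived network so that a busy legitimate host does not accumulate over weeks into a false positive.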
Now let’s take a look at Cognitive Intelligence and what threats it has detected using its multi-layer machine learning engine, inclusive of encrypted traffic analytics. We can see that there were several threats detected and identified in encrypted traffic, a number of these being ad injectors and information stealers. By clicking on one high severity threat we can see that it is indeed a cryptominer, identified using encrypted traffic analytics.
Finally, if we look at the details of the highest severity host detected by Cognitive Intelligence, we can see that this host has a variety of bad or unwanted behaviour, inclusive of the use of TOR, cryptomining and what looks like malware activity. Read this blog for more on how Stealthwatch analytics can detect cryptomining in encrypted traffic.
Conference networks consist of a varying collection of mobile devices coming together from all over the world and every time we deploy the Threatwall, we see interesting things and capture general trends in terms of what types of devices, traffic patterns, and threats are emerging. If you are at MWC in Barcelona this week I would encourage you to come by the Cisco booth and take a look at what we are seeing on the conference network in real time.
And if you miss Cisco Security at Work at MWC this week, the Threatwall will be deployed again next week at the RSA Conference in San Francisco. Hope to see you there!
from Cisco Blog » Security https://ift.tt/2Ebl7JG
IBM Security Bulletin: Vulnerability in the Linux kernel affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-5391)
A vulnerability in the Linux Kernel affects IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud and IBM FlashSystem V9000 and 9100 family products.
CVE(s): CVE-2018-5391
Affected product(s) and affected version(s):
IBM SAN Volume Controller
IBM Storwize V7000
IBM Storwize V5000
IBM Storwize V3700
IBM Storwize V3500
IBM FlashSystem V9000
IBM FlashSystem 9100 Family
IBM Spectrum Virtualize Software
IBM Spectrum Virtualize for Public Cloud
All products are affected when running supported version 7.5.
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10872368
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148388
The post IBM Security Bulletin: Vulnerability in the Linux kernel affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-5391) appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2Nvs4JW
IBM Security Bulletin: Multiple Samba vulnerabilities affect IBM Spectrum Protect Plus (CVE-2018-1139, CVE-2018-1140, CVE-2018-10858, CVE-2018-10918, CVE-2018-10919)
There are multiple security vulnerabilities in Samba that affect IBM Spectrum Protect Plus. These vulnerabilities may result in potential information disclosure, denial of service, or execution of arbitrary code on the system.
CVE(s): CVE-2018-1139, CVE-2018-1140, CVE-2018-10858, CVE-2018-10918, CVE-2018-10919
Affected product(s) and affected version(s):
IBM Spectrum Protect Plus versions 10.1.0 through 10.1.2.
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10796402
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148707
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148706
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148710
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148709
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148708
The post IBM Security Bulletin: Multiple Samba vulnerabilities affect IBM Spectrum Protect Plus (CVE-2018-1139, CVE-2018-1140, CVE-2018-10858, CVE-2018-10918, CVE-2018-10919) appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2NtUxQg
Learn Ethical Hacking with 180 Hours of Training — 2019 Course Bundle
The world of cybersecurity is fast-paced and ever-changing.
New attacks are unleashed every day, and companies around the world lose millions of dollars as a result.
The only thing standing in the way of cybercrime is a small army of ethical hackers. These cybersecurity experts are employed to find weaknesses before they can be exploited. It’s a lucrative career, and anyone can find work after the right training.
The 2019 Ethical Hacker Master Class Bundle offers the perfect education for aspiring professionals, with 10 courses and over 180 hours of video tutorials. Right now, you can get lifetime access to this huge learning library for just $39 — that’s over $4,800 off the face value.
According to the Bureau of Labor Statistics, demand for cyber security experts will expand rapidly over the next three or four years. If you want to build a career in the industry, now is the time to take action.
The 2019 Ethical Hacker bundle helps you master all the fundamentals of cybersecurity and prepare for important exams.
You learn through concise video lessons, and each course provides plenty of hands-on experience.
Along the way, you learn how to set up your secure workflow and perform penetration tests on multiple platforms. The training also looks at intrusion detection, policy creation, social engineering, DDoS attacks, and much more. You even pick up some useful Python programming skills along the way.
Just as importantly, this bundle helps you stand out in the jobs market. The training includes full prep for three CompTIA exams: A+, Security+ and Network+. These certificates are essential for anyone who wants to work in cybersecurity and are highly valued in other technical roles.
There is no time limit on any of the courses, and you can stream the tutorials on both mobile and desktop devices.
The training is worth $4,883 in total, but you can get lifetime access now for only $39.
from The Hacker News https://ift.tt/2TkqkbV
Severe Flaws in SHAREit Android App Let Hackers Steal Your Files
Security researchers have discovered two high-severity vulnerabilities in the SHAREit Android app that could allow attackers to bypass the device authentication mechanism and steal files containing sensitive data from a victim's device.
With over 1.5 billion users worldwide, SHAREit is a popular file sharing application for Android, iOS, Windows and Mac that has been designed to help people share video, music, files, and apps across various devices.
With more than 500 million users, the SHAREit Android app was found vulnerable to an authentication bypass flaw in its file transfer service and an arbitrary file download vulnerability, according to a blog post RedForce researchers shared with The Hacker News.
The vulnerabilities were initially discovered over a year back in December 2017 and fixed in March 2018, but the researchers decided not to disclose their details until Monday "given the impact of the vulnerability, its big attack surface and ease of exploitation."
"We wanted to give as many people as we can the time to update and patch their devices before disclosing such critical vulnerability," said Abdulrahman Nour, a security engineer at RedForce.
How Does SHAREit Transfer Files?
The SHAREit server hosts multiple services on different ports of a device, but the researchers analyzed two of them in particular: the Command Channel (running on port 55283) and the Download Channel (running on port 2999).
Command Channel is a regular TCP channel where app exchanges messages with other SHAREit instances running on other devices using raw socket connections, including device identification, handling file transmission requests, and checking connection health.
Download Channel is the SHAREit application's own HTTP server implementation which is mainly used by other clients to download shared files.
According to the researchers, when you use the SHAREit Android app to send a file to the other device, a regular file transfer session starts with a regular device identification, then the 'sender' sends a control message to the 'receiver,' indicating that you have a file to share.
Once the 'receiver' verifies that the file is not duplicate, it goes to Download Channel and fetches the sent file using information from the previous control message.
Hackers Can Access Your Files Using SHAREit Flaws
However, researchers discovered that when a user with no valid session tries to fetch a non-existing page, instead of a regular 404 page, the SHAREit app responds with a 200 status code empty page and adds the user into recognized devices, eventually authenticating an unauthorized user.
According to the researchers, a fully functional proof-of-concept exploit for this SHAREit flaw would be as simple as curl http://shareit_sender_ip:2999/DontExist, making it the weirdest and simplest authentication bypass ever.
Researchers also found that when a download request is initiated, SHAREit client sends a GET request to the sender's HTTP server, which looks like the following URL:
http://shareit_sender_ip:2999/download?metadatatype=photo&metadataid=1337&filetype=thumbnail&msgid=c60088c13d6
Since the SHAREit app fails to validate the 'msgid' parameter—a unique identifier generated for each request when the sender initiates a download—this enables a malicious client with a valid session to download any resource by directly referencing its identifier.
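To show what the two flaws look like in server logic and how each is closed, here is an added example that is not RedForce's or SHAREit's code: a small model of the download channel with the behaviour described above, beside a hardened version that answers unknown paths with a plain 404 and no side effects, admits a device only through the command-channel handshake, and serves a download only when the msgid was issued to that client for that resource. The class names, the file table and the request strings are constructed; only the path, port and parameter names come from the article.

```python
"""Model of the download-channel logic: unauthenticated unknown paths and an unvalidated msgid."""
from urllib.parse import urlsplit, parse_qs


class VulnerableChannel:
    """Mirrors the behaviour described in the article: an unknown path gets a 200 and the
    caller becomes a recognized device; a download only checks that a session exists."""

    def __init__(self, files):
        self.files = files            # resource id (metadataid) -> content
        self.recognized = set()

    def handle(self, client, url):
        parts = urlsplit(url)
        if parts.path == "/download":
            if client not in self.recognized:
                return 401, b""
            rid = parse_qs(parts.query).get("metadataid", [""])[0]
            # Flaw 2: msgid is never checked, so any known resource id is served.
            return (200, self.files[rid]) if rid in self.files else (404, b"")
        # Flaw 1: every other path answers 200 and promotes the caller to a recognized device.
        self.recognized.add(client)
        return 200, b""


class HardenedChannel:
    """Same interface. A device is recognized only via the control-channel handshake,
    unknown paths are a 404 with no side effects, and a download must match a msgid
    that this server issued to this client for this resource."""

    def __init__(self, files):
        self.files = files
        self.recognized = set()
        self.issued = {}              # (client, msgid) -> resource id offered to that client

    def accept_device(self, client):
        """Called by the Command Channel after device identification; the only way in."""
        self.recognized.add(client)

    def offer(self, client, msgid, rid):
        """Record that this client was offered exactly this resource under this msgid."""
        self.issued[(client, msgid)] = rid

    def handle(self, client, url):
        parts = urlsplit(url)
        if parts.path != "/download":
            return 404, b""                       # no state change for unknown paths
        if client not in self.recognized:
            return 401, b""
        q = parse_qs(parts.query)
        rid = q.get("metadataid", [""])[0]
        msgid = q.get("msgid", [""])[0]
        if self.issued.get((client, msgid)) != rid:
            return 403, b""                       # msgid missing, foreign, or for another resource
        return 200, self.files[rid]


# Constructed file table standing in for the sender's shared resources.
FILES = {"1337": b"constructed-thumbnail", "4242": b"constructed-database"}

if __name__ == "__main__":
    v, h = VulnerableChannel(FILES), HardenedChannel(FILES)
    print("vulnerable /DontExist ->", v.handle("peer", "/DontExist")[0], "recognized:", "peer" in v.recognized)
    print("hardened   /DontExist ->", h.handle("peer", "/DontExist")[0], "recognized:", "peer" in h.recognized)
```

The second check is the one that matters for the arbitrary-download flaw: tying the msgid to both the client and the resource turns it from a free-form parameter into a capability the server minted, so a valid session for one file does not become read access to every file with a guessable identifier.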
The flaws could be exploited by an attacker on a shared WiFi network, and unfortunately vulnerable SHAREit versions create an easily distinguished open Wi-Fi hotspot which one can use not only to intercept traffic (since it uses HTTP) between the two devices, but also to exploit the discovered vulnerabilities and have unrestricted access to vulnerable device storage.
Since exploitation simply involves sending a curl command referencing the path of the target file, one should know the exact location of the file one would like to retrieve.
To overcome this, researchers started looking for files with known paths that are already publicly available, including SHAREit History and SHAREit MediaStore Database, which may contain interesting information.
"There are other files that contain juicy information such as user's Facebook token, Amazon Web Service user's key, auto-fill data and cookies of websites visited using SHAREit webview and even the plaintext of user's original hotspot (the application stores it to reset the hotspot settings to original values) and much more," researchers said.
Using their proof-of-concept exploit, dubbed DUMPit!, the researchers managed to download nearly 3000 unique files totalling around 2 GB in less than 8 minutes of file transfer session.
The team contacted the SHAREit Team multiple times over multiple platforms in early January 2018 but got no response until early February when the researchers warned the company to release the vulnerability details to the public after 30 days.
The SHAREit team silently patched the vulnerabilities in March 2018, without providing researchers with exact patched versions of the Android app, vulnerability CVE IDs or any comments for the public disclosure.
"Communication with SHAREit team was not a good experience at all; Not only they took too long to respond to our messages, they also were not cooperative in any means, and we did not feel that our work or efforts were appreciated at all," researchers said.
After giving users enough time to update their SHAREit app, the researchers have now released technical details of the vulnerabilities, along with the PoC exploit, DUMBit!, which can be downloaded from the GitHub website.
The vulnerabilities affect the SHAREit for Android application up to and including version 4.0.38. If you haven't yet, you should update your SHAREit app from the Google Play Store as soon as possible.
from The Hacker News https://ift.tt/2VhIKau
New Flaws Re-Enable DMA Attacks On Wide Range of Modern Computers
Security researchers have discovered a new class of security vulnerabilities that impact all major operating systems, including Microsoft Windows, Apple macOS, Linux, and FreeBSD, allowing attackers to bypass protection mechanisms introduced to defend against DMA attacks.
Known for years, Direct Memory Access (DMA)-based attacks let an attacker compromise a targeted computer in a matter of seconds by plugging a malicious hot-plug device—such as an external network card, mouse, keyboard, printer, storage device, or graphics card—into a Thunderbolt 3 port or the latest USB-C port.
The DMA-based attacks are possible because the Thunderbolt port allows connected peripherals to bypass operating system security policies and directly read/write system memory that contains sensitive information, including your passwords, banking logins, private files, and browser activity.
That means simply plugging in an infected device, created using tools like Interception, can manipulate the contents of memory and execute arbitrary code with much higher privileges than regular universal serial bus peripherals, allowing attackers to bypass the lock screen or control PCs remotely.
To block DMA-based attacks, most operating systems and devices rely on the Input/Output Memory Management Unit (IOMMU) to control which peripheral devices (usually legitimate ones) can access memory, and which regions of memory they can access.
ThunderClap Flaws Bypass IOMMU to Re-Enable DMA Attacks
Now, a team of cybersecurity researchers from the University of Cambridge, Rice University, and SRI International has unveiled a set of new vulnerabilities in various major operating systems that could allow attackers to bypass IOMMU protection.
By mimicking the functionality of a legitimate peripheral device, an attacker can trick targeted operating systems into granting it access to sensitive regions of memory.
In a paper published earlier this week, the researchers detailed all of the new vulnerabilities, which they discovered using a hardware/software stack called Thunderclap that they built and have also released as open source.
"Our work leverages vulnerabilities in operating system IOMMU usage to compromise a target system via DMA, even in the presence of an IOMMU that is enabled and configured to defend against DMA attacks," the researchers said.
Besides this, the researchers also stressed that, since the IOMMU does not come enabled by default on most operating systems and since modern devices ship with USB-C, the attack surface for DMA attacks, which was earlier limited primarily to Apple devices with Thunderbolt 3 ports, has significantly increased.
"The rise of hardware interconnects like Thunderbolt 3 over USB-C that combine power input, video output, and peripheral device DMA over the same port greatly increases the real-world applicability of Thunderclap vulnerabilities."
"In particular, all Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch MacBook. Many laptops, and some desktops, designed to run Windows or Linux produced since 2016 are also affected - check whether your laptop supports Thunderbolt."
How to Protect Against Thunderclap Vulnerabilities
The researchers have reported their findings to all major hardware and operating system vendors, and most of them have already shipped substantial mitigations to address the Thunderclap vulnerabilities.
"In macOS 10.12.4 and later, Apple addressed the specific network card vulnerability we used to achieve a root shell," researchers said. "Recently, Intel has contributed patches to version 5.0 of the Linux kernel."
"The FreeBSD Project indicated that malicious peripheral devices are not currently within their threat model for security response."
Though not all software patches can entirely block DMA attacks, users are still advised to install available security updates to reduce the attack surface. According to the researchers, the best way to fully protect yourself is to disable the Thunderbolt ports on your machine, if applicable.
Additionally, the researchers also developed proof-of-concept attack hardware that can exploit the ThunderClap vulnerabilities on targeted systems, but they chose not to release it publicly at this time.
from The Hacker News https://ift.tt/2H5Ao23
Tuesday, February 26, 2019
OpenSSL Releases Security Update
OpenSSL version 1.0.2r has been released to address a vulnerability for users of versions 1.0.2–1.0.2q. An attacker could exploit this vulnerability to obtain sensitive information.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the OpenSSL Security Advisory and apply the necessary update.
from US-CERT National Cyber Alert System https://ift.tt/2SttOUM
Benefits, Risks And Recommendations For Information Security - ENISA
The key conclusion of this paper is that the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective. This paper allows an informed assessment of the security risks and benefits of using cloud computing - providing security guidance for potential and existing users of cloud computing.
Release Date: 11/01/2009
from Cloud Security Alliance Blog https://ift.tt/2Vgewoq
Future Proofing the Connected World - Korean Translation
from Cloud Security Alliance Blog https://ift.tt/2NsgyiD
Cloud Penetration Testing Guidance
from Cloud Security Alliance Blog https://ift.tt/2VoCkqi
USN-3897-1: Thunderbird vulnerabilities
thunderbird vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary
Several security issues were fixed in Thunderbird.
Software Description
- thunderbird - Mozilla Open Source mail and newsgroup client
Details
A use-after-free was discovered in libical. If a user were tricked in to opening a specially crafted ICS calendar file, an attacker could potentially exploit this to cause a denial of service. (CVE-2016-5824)
Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service, or execute arbitrary code. (CVE-2018-18356, CVE-2018-18500, CVE-2019-5785)
Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, gain additional privileges by escaping the sandbox, or execute arbitrary code. (CVE-2018-18501, CVE-2018-18505)
An issue was discovered with S/MIME signature verification in some circumstances. An attacker could potentially exploit this by spoofing signatures for arbitrary content. (CVE-2018-18509)
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 18.10
  - thunderbird - 1:60.5.1+build2-0ubuntu0.18.10.1
- Ubuntu 18.04 LTS
  - thunderbird - 1:60.5.1+build2-0ubuntu0.18.04.1
- Ubuntu 16.04 LTS
  - thunderbird - 1:60.5.1+build2-0ubuntu0.16.04.1
- Ubuntu 14.04 LTS
  - thunderbird - 1:60.5.1+build2-0ubuntu0.14.04.1
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart Thunderbird to make all the necessary changes.
References
- CVE-2016-5824
- CVE-2018-18356
- CVE-2018-18500
- CVE-2018-18501
- CVE-2018-18505
- CVE-2018-18509
- CVE-2019-5785
from Ubuntu Security Notices https://ift.tt/2EcHCOG
USN-3896-1: Firefox vulnerabilities
firefox vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary
Firefox could be made to crash or run programs as your login if it opened a malicious website.
Software Description
- firefox - Mozilla Open Source web browser
Details
Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, bypass same origin protections, or execute arbitrary code.
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 18.10
  - firefox - 65.0.1+build2-0ubuntu0.18.10.1
- Ubuntu 18.04 LTS
  - firefox - 65.0.1+build2-0ubuntu0.18.04.1
- Ubuntu 16.04 LTS
  - firefox - 65.0.1+build2-0ubuntu0.16.04.1
- Ubuntu 14.04 LTS
  - firefox - 65.0.1+build2-0ubuntu0.14.04.1
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart Firefox to make all the necessary changes.
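An added example (not Ubuntu's code) for checking whether an installed package already meets the fixed versions listed in USN-3897-1 and USN-3896-1 above; it ports dpkg's version ordering so that the leading `1:` epoch on the thunderbird versions is honoured rather than compared as text.

```python
# Added example: decide whether an installed thunderbird or firefox package already
# carries the fix from USN-3897-1 / USN-3896-1, using a port of dpkg's version ordering.
import re
from itertools import zip_longest

# Fixed versions exactly as listed in the two notices (same pattern for every release).
FIXED = {(pkg, rel): f"{ver}-0ubuntu0.{rel}.1"
         for rel in ("18.10", "18.04", "16.04", "14.04")
         for pkg, ver in (("thunderbird", "1:60.5.1+build2"), ("firefox", "65.0.1+build2"))}

def _order(c):
    # dpkg character ranking: '~' < end-of-string/digit < letters < other symbols
    if c == "" or c.isdigit():
        return 0
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_part(a, b):
    # Port of dpkg's verrevcmp(): compare alternating non-digit and numeric runs.
    runs = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (sa, na), (sb, nb) in zip_longest(runs(a), runs(b), fillvalue=("", "")):
        for x, y in zip_longest(sa, sb, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 the way `dpkg --compare-versions` orders v1 against v2."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    for c in (e1 - e2, _cmp_part(u1, u2), _cmp_part(r1, r2)):
        if c:
            return 1 if c > 0 else -1
    return 0

def is_patched(package, release, installed):
    """True when the installed version is at or above the notice's fixed version."""
    return compare_versions(installed, FIXED[(package, release)]) >= 0
```

Feed it the version shown by `dpkg -l thunderbird` or `dpkg -l firefox` on the host; a version string without the epoch is correctly reported as unpatched.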
References
from Ubuntu Security Notices https://ift.tt/2H32vig