MIS 5214 - Section 001 - David Lanter
March 15, 2017 by David Lanter 34 Comments
Mustafa Aydin says
March 16, 2017 at 5:39 pm
Legacy systems play major role in U.S. government breaches
– Research by Min-Seok Pang, Temple University, MIS
New research is turning on its head the idea that legacy systems — such as Cobol and Fortran — are more secure because hackers are unfamiliar with the technology. New research found that these outdated systems, which may not be encrypted or even documented, were more susceptible to threats.
By analyzing publicly available federal spending and security breach data, the researchers found that a 1% increase in the share of new IT development spending is associated with a 5% decrease in security breaches.
“In other words, federal agencies that spend more in maintenance of legacy systems experience more frequent security incidents, a result that contradicts a widespread notion that legacy systems are more secure,” the paper found. The research paper was written by Min-Seok Pang, an assistant professor of Management Information Systems at Temple University, and Huseyin Tanriverdi, an associate professor in the Information, Risk and Operations Department at the University of Texas at Austin.
Federal agencies have seen a rapid increase in security incidents, the paper points out, citing federal data assembled by the Government Accountability Office. From 2006 through 2014, the number of reported security incidents increased by more than 1,100 percent, or from 5,503 to 67,168. An incident can cover a range of activities, such as a denial of service, successfully executed malicious code, and breaches that give intruders access.
One of the largest federal system breaches occurred in 2015, when hackers gained access to some 18 million records at the Office of Personnel Management.
If the federal government doesn’t modernize its systems, Pang said it may see more large breaches similar to the OPM hack. In the absence of modernization, Pang said that effective IT governance “mitigates security risks of the legacy systems.” It also recommended moving systems to the cloud. Pang said the government needs to pass the Modernizing Government Technology Act. That legislation, which was approved by the House last year, would have boosted IT spending by about $9 billion from 2017 to 2021 had it reached the president’s desk.
Yang Li Kang says
March 20, 2017 at 9:47 am
Great find! It is no surprise that legacy systems cost organizations a lot of money to maintain but the lack of security must really put a nail in the coffin for organization to modernize their systems.
Zhengshu Wu says
April 9, 2017 at 4:27 pm
One plausible solution is to use a separate monitor connected to a separate desktop computer connected to its own internal isolated network; one for Internet access and one for internal network access, for example.
Mansi Paun says
March 16, 2017 at 10:12 pm
HSBC Users Targeted With Spam email containing Fake Security Software
Symantec researchers warn of a recent spam campaign that’s impersonating UK-based banking giant HSBC. The spam campaign is attempting to distribute malware masquerading as legitimate security software.
The spam emails, designed to look as though they had been sent by HSBC, and even displaying an “@hsbc.com” email address, claim to be distributing the malware detection software Rapport from Trusteer, which is a legitimate security program designed to protect online bank accounts from fraud; instead, users are connected to a malicious information-stealing application. The malware uses Windows GodMode to keep itself hidden on the compromised machines.
To appear more convincing, the spam messages feature security advisory information and eco-friendly messaging and warn recipients against opening attachments from unknown or non-trustworthy sources. However, it also includes a series of elements that clearly suggest it isn’t as legitimate as it pretends to be. For instance, the email subject line mentions the phrase “Payment Advice” followed by a large gap and then 10 random characters; the language and sentence structure in the email are suspicious, with some not making sense at all; and the email has “virus detection software” as an attachment, and not “payment advice,” as claimed. Moreover, the email features a .7z attachment, which legitimate emails wouldn’t
The .7z file includes the fake Rapport executable and an Instruction.jar file. When executed, the malware creates a folder for itself, and then hides it by leveraging the Windows GodMode (also known as Windows Master Control Panel shortcut, it offers access to various control settings in some Windows variants, and various malware families have been abusing it for persistency).
Upon successful infection, the malware modifies registry entries (to disable notifications) and a series of system tools, in an attempt to shield itself. Next, the Trojan starts the communication with the command and control (C&C) server, allowing the remote attacker to steal information from the compromised machine.
This spam run was active for 24 hours from February 10 through February 11, but Symantec suggests that it could be part of a larger campaign.
Source: http://www.securityweek.com/hsbc-users-targeted-fake-security-software
Vaibhav Shukla says
March 18, 2017 at 1:04 am
Crafty Phishing Technique Can Trick Even Tech-Savvy Gmail Users
Gmail users in recent months have been targeted by a sophisticated series of phishing attacks that use emails from a known contact whose account has been compromised. The emails contain an image of an attachment that appears to be legitimate,
The sophisticated attack displays “accounts.gmail.com” in the browser’s location bar and leads users to what appears to be a legitimate Google sign-in page where they are prompted to supply their credentials, which then become compromised.
The technique works so well that many experienced technical users have fallen prey to the scam. It was observed that Google Chrome released 56.0.2924, which changes the behavior of the browser’s location bar. The change results in the display of “Not Secure” messages when users see a data URL.
Google last month announced additional steps to protect G Suite customers against phishing, using Security Key enforcement. The technique helps administrators protect their employees using only security keys as the second factor. Bluetooth low energy Security Key support, which works on Android and iOS mobile devices, is another user option.
Abhay V Kshirsagar says
March 18, 2017 at 5:29 pm
Good bots, Bad bots
Bots are attracted towards websites due to the unique content or product, pricing information, sign-up pages, login, account pages, web forms like forums and reviews. According to Distil’s Bad Bot Report, 96% of websites with login pages were hit by bot activity, 97% of websites with proprietary content or pricing elements were hit by unwanted scraping. Websites containing forms were hit 30% of times by spam bots. 40% of internet traffic that was recorded in 2016 came from bots.
These bad bots are used by rival companies that are looking for a competitive advantage, which can be through pricing information or inventory level information, data theft, accounting hijacking, etc. These are characterized as bad bots.
On the other hand, good bots are crawlers. For example, Bingbot and Googlebot that companies like Microsoft and Google use for indexing web pages for their search engine. In 2016, Google bots accounted for almost 19% of web traffic, down 30% from 2015.
Bad bots disguise themselves as good bots and claim to be one of the four browsers (Chrome, Firefox, IE/Edge, Safari). The recent credential dumps like Ashley Madison and LinkedIn show the sophistication of bad bots, who are now running rampant on websites.
Noah J Berson says
March 18, 2017 at 6:07 pm
“WikiLeaks Publishes Vault 7, Collection of Alleged CIA Hacking Tools”
In a large document dump, WikiLeaks published documentation of alleged CIA hacking tools. The files are distributed by torrent, a peer sharing protocol, in a 930 MB collection of files. Some of the tools range from confidential to top secret, as well as classified as borrowed from other intelligence agencies around the world. WikiLeaks claims that this is just the first dump of many in their “year0” collection of stolen intelligence documents. Some documents describe working tools while others are programs the CIA was looking into developing.
A lot of the tools have interesting names to go with their powerful nature as hacking tools. Sparrowhawk is a key-logger that works on Unix platforms. Weeping Angel is an exploit of Samsung TVs through a USB device to compromise the microphones. The documents also describe a collection of exploits for multiple OSes that the CIA has been holding onto and not informing manufacturers of. These exploits, even if kept secret, do not have to be exclusive to the CIA, as cyber criminals may have also discovered them. There are also reports that the CIA was looking into hacking cars remotely, which has been theorized as an assassination technique.
The veracity of the leaks is unknown but a lot does seem plausible given the state of technology today. Trump did say “By the way, with the CIA, I just want people to know, the CIA was hacked,” in an interview which may confirm the documents as legitimate CIA files.
Binu Anna Eapen says
March 18, 2017 at 6:25 pm
New Ransomware named Kirk emerges:
A Star Trek themed ransomware named Kirk, written in Python and targeting 625 different file types, has emerged, and the attackers are demanding ransom to be paid in the virtual currency Monero. The threat is paired with a decryptor called Spock, in reference to the Star Trek characters Kirk and Spock. Monero is an open-source cryptocurrency launched on April 18, 2014 with a focus on privacy. Kirk has been recognized as the first ransomware of its kind to demand Monero instead of bitcoins.
The ransomware generates an AES key which is used to encrypt the victim’s files and encrypts the key using an embedded RSA-4096 public encryption key. It saves it in a file called pwd in the same directory as the executable. The attackers alone can decrypt the file and advise the victims not to delete it so that the decryptor can be provided.
Kirk ransomware displays a message box showing the same slogan as the LOIC network stress tool: “Low Orbital Ion Cannon | When harpoons, air strikes and nukes fail | v126.96.36.199.”, and meanwhile searches the hard drive for files to encrypt. It targets a total of 625 file types, encrypts them and appends the .kirk extension to the encrypted file’s name, leaving a ransom note in the same folder as the executable and displaying it in a window on the desktop. Users are then instructed to purchase around $1,100 worth of Monero and send it to a specific address. After making the payment, the victim should send the pwd file and the payment transaction ID to the email@example.com or firstname.lastname@example.org email addresses. The Spock decryptor is supposedly sent to the victim after the payment is made.
Also right now there are no known victims and the file is not yet decryptable.
April 9, 2017 at 4:16 pm
There is a solution to remove the ransomware:
Priya Prasad Pataskar says
March 18, 2017 at 10:37 pm
A cyber attack revealed last Monday showed that a travel trade company called Abta was a recent hacking target. This attack reports loss of PII for over 43,000 customers. On Feb 27th, 2017, 1,000 files from this company were infected. No financial data was stolen, but PII like names, addresses and phone numbers, which can be further used by criminals, was leaked. The passwords stolen were encrypted, hence the risk is low.
Abta has informed their customers and is also actively monitoring for any further threats. Abta members and customers are being given information on how stolen data can be misused and how they should take care. Social engineering attacks would be the main concern here.
Andrew Avanessian, VP of Avecto security, said that this was a preventable threat on the server. It takes only one compromised server to infect the entire network.
April 9, 2017 at 4:29 pm
The ABTA breach brings to light the dangers of trusting critical data to a third-party web hosting provider. With the AWS outage happening only a few weeks ago, it is clear that there is substantial risk in trusting third party providers with such sensitive data. With advances in private cloud technology, organisations can bring data back under the control of corporate IT to mitigate these risks.
Seunghyun (Daniel) Min says
March 19, 2017 at 12:36 am
Yahoo! Hack! How It Took Just One-Click to Execute Biggest Data Breach in History
In the digital world, it just takes one click to get the keys to the kingdom. Do you know spear-phishing was the only secret weapon behind the biggest data breach in history? It’s true, as one of the Yahoo employees fell victim to a simple phishing attack and clicked one wrong link that let the hackers gain a foothold in the company’s internal networks. You may be familiar with phishing attacks — an attempt to steal user credentials or financial data — while spear-phishing is a targeted form of phishing in which attackers trick employees or vendors into providing remote-access credentials or opening a malicious attachment containing an exploit or payload.
Here’s how Yahoo’s massive data breach was traced back to human error and who the alleged masterminds behind this hack were.
On Wednesday, the US government charged two Russian spies (Dmitry Dokuchaev and Igor Sushchin) and two criminal hackers (Alexsey Belan and Karim Baratov) in connection with the 2014 Yahoo hack that compromised about 500 million Yahoo user accounts.
March 20, 2017 at 9:51 am
Employees are the organizations’ biggest vulnerability and as we can see here, an employee slip-up can cause the company a huge loss. Employee awareness and cybersecurity training is critical to reduce the risk of cyber threats such as spear-phishing.
Neil Y. Rushi says
March 19, 2017 at 11:27 am
Competition held to hack multiple OS and browsers along with other things
Pwn2Own is an event where firms compete for money to try and hack Windows, Mac and Linux operating systems and browsers, along with plug-ins. This allows firms to expose vulnerabilities in systems and what methods were used to break into the systems. The event is a great way to learn how hackers can gain access to a network by various means, such as buffer weaknesses found in the kernel, bugs, etc. I think just attending one of these events would be nice, to witness what methods these firms are using to hack into operating systems and browsers.
Jianhui Chen says
March 19, 2017 at 3:47 pm
2.2 Million Email Addresses Exposed in Wishbone Data Breach
A popular social media app known as Wishbone has suffered a data breach that exposed 2.2 million email addresses along with 287,000 cell numbers.
In the middle of March 2017, security researcher Troy Hunt received a MongoDB database that belongs to Wishbone. The app, first founded in 2015, allows users to vote on two-choice polls. Over the past two years, it’s grown into one of the top 10 social networking apps for iPhone. Today, the app has as many as five million unique downloads from predominantly teenage users.
It’s therefore serious business that the database received by Hunt contained 2,326,452 full names, 2,247,314 unique email addresses, 287,502 cellphone numbers, and other personal information.
Wen Ting Lu says
March 20, 2017 at 7:44 pm
It’s a serious problem that over two million people’s information has been breached. As the article mentioned, the social media app says the data breach didn’t compromise any passwords but that users should consider changing their combinations as a precaution. It’s very important that users are creating strong passwords for their accounts. The reason for that is people tend to use the same passwords for different accounts because it’s easy to remember; however, once one account is hacked then it is very likely that all other accounts will be breached. Craig Young, security researcher for Tripwire, explains that “passwords are often the weakest link in an otherwise secure system. The reuse of passwords across multiple systems and the use of simple passwords commonly found in password cracking dictionaries account for a large number of account hijackings.” Some tips on how password hygiene can protect your accounts include:
- Change your passwords on a regular basis.
- Stop using passwords and start using passphrases.
- Be liberal with character substitutions.
- Use a different password for each website or service.
Yulun Song says
March 19, 2017 at 4:09 pm
The article that I read for this week is called “63% of Orgs Use Cloud, IoT Without Proper Security.” This article talked about how a full 63% of enterprises are using cloud, big data, internet of things (IoT) and container environments without securing sensitive data. Based on the 2017 Thales Data Threat Report, 93% of respondents will use sensitive data in an advanced technology (defined as cloud, software as a service or SaaS, big data, IoT and container) environments this year, and a majority of those respondents (63%) believe their organizations are deploying these technologies ahead of having appropriate data security solutions in place. Interestingly though, while concerns about data security in cloud environments remain high, they’ve dropped off since last year. In 2016, 70% of respondents voiced worries about security breaches from attacks targeting cloud service providers (CSPs); in 2017, 59% expressed fears about this. That makes it still the No. 1 concern, but by a far smaller margin than just a year ago.
March 20, 2017 at 9:58 am
Cloud technology is still relatively new and the security aspect of it is still in the gray area. Organizations may jump into and utilize the cloud too early without properly assessing the risk of moving into the cloud.
Fangzhou Hou says
March 19, 2017 at 5:20 pm
“Amnesty Warns of Phishing Attacks on Qatar Activists”
Human rights watchdog Amnesty International has uncovered a sophisticated phishing campaign targeting journalists, activists and other entities in Nepal and Qatar interested in migrants’ rights.
The campaign, dubbed Operation Kingphish, involves an online persona named “Safeena Malik” – Malik can mean “king” in Arabic. Amnesty International learned that Safeena Malik had contacted several individuals via email and social media over the course of 2016. Safeena Malik, who claimed to be an activist interested in human rights, had accounts on several social media websites, including Twitter, Facebook and LinkedIn. “She” reached out to dozens of people, many involved in the issue of migrants’ rights in Qatar. Qatar has attracted the attention of several human and labor rights organizations for its exploitation of migrant workers, many of whom are from Nepal. Some of the documented cases are related to the construction of stadiums and infrastructure for the FIFA World Cup competition that will be hosted by Qatar in 2022.
According to Amnesty, many of the attacks launched using the fake Safeena Malik profiles attempted to lure targeted individuals to realistic Google phishing pages. In order to avoid raising suspicion, the phishing pages displayed the email address and profile picture of the targeted user, and a legitimate document was displayed once the password had been handed over to the attacker. Documents on human trafficking and ISIS funding, and fake Google Hangouts invitations were used to lure targeted users to the phishing pages. Safeena Malik also sent out private messages on Facebook to obtain the Gmail addresses of the targets. The persona had hundreds of connections on social media and often joined groups focusing on migrant workers and forced labor in an effort to identify potential targets and make it appear as if “she” was part of the community.
Amnesty identified 30 different targets by analyzing the profile pictures hosted on the server used by the attacker to deliver the phishing pages, although the organization believes the actual number is much higher.
“Most identified targets were activists, journalists, and labour union members. While some of the targets had published critical opinions about Qatar’s international affairs, the majority of identified targets were affiliated with organisations supporting migrant workers in Qatar,” said activist and security researcher Claudio Guarnieri. “Interestingly, a significant number of them are from Nepal, which is one of the largest nationalities amongst migrant workers in Qatar, and a country that has featured prominently in the migrant worker narrative on Qatar.” While experts could not find much evidence, they believe the attacks were likely carried out by a state-sponsored actor. One of the IP addresses used to access some of the compromised email accounts had been associated with an ISP headquartered in Doha, Qatar.
However, when contacted by Amnesty, the government of Qatar denied any involvement and expressed interest in stopping the attacks. Experts pointed out that the operation could be the work of an actor that seeks to damage Qatar’s reputation. This is not the only social engineering campaign targeting human and labor rights organizations focusing on the situation in Qatar. In December, Amnesty International published a report detailing a fake human rights organization named Voiceless Victims. It is unclear if the two campaigns are directly connected.
March 19, 2017 at 5:31 pm
Hyperconnectivity and IoT Set to Radically Disrupt Cyber by 2019
“…By 2019, organizations will be faced with a hyper-connected world where the pace and scale of change—particularly in terms of technology—will have accelerated substantially. ISF said that we’ll see premeditated internet outages bringing trade to its knees; ransomware hijacking the IoT; privileged insiders coerced into giving up the crown jewels; automated misinformation and falsified information that compromises performance; subverted blockchains that shatter trust; surveillance laws exposing corporate secrets; privacy regulations impeding the monitoring of insider threats; and a headlong rush to deploy artificial intelligence that will lead to unexpected outcomes.
In all, the document highlights nine major threats, broken down into three challenging themes that organizations can expect to face over the next two years as a result of increasing developments in technology:
1. Disruption: From an over-reliance on fragile connectivity, requiring a seismic shift in the way business continuity is planned, practiced and implemented.
2. Distortion: As trust in the integrity of information is lost, the monitoring of access and changes to sensitive information will become critical as will the development of complex incident management procedures.
3. Deterioration: When controls are eroded by regulations and technology bringing a heightened focus on risk assessment and management in the light of regulatory changes and the increased prevalence of artificial intelligence in everyday technology.
Some of the recommendations include changing up existing business continuity plans to engage with internal and external stakeholders to agree alternative methods of communication (e.g. telex, satellite, microwave); and lobbying for minimum security standards for IoT devices via regulation. Having a clear sense of who has access to which critical assets and how to manage that will be crucial; as will monitoring access and changes made to sensitive information, using tools such as Federated Identity and Access Management (FIAM) systems and Content Management Systems (CMS).
The ISF also recommends building collaboration across the organization, and conducting a risk assessment to understand the impact of metadata being lost by a communications provider. Businesses should also hire AI specialists now.”
Wenlin Zhou says
March 19, 2017 at 8:30 pm
63% of Orgs Use Cloud, IoT Without Proper Security
A full 63% of enterprises are using cloud, big data, internet of things (IoT) and container environments without securing sensitive data.
According to the 2017 Thales Data Threat Report, 93% of respondents will use sensitive data in an advanced technology (defined as cloud, software as a service or SaaS, big data, IoT and container) environments this year—and a majority of those respondents (63%) believe their organizations are deploying these technologies ahead of having appropriate data security solutions in place.
Interestingly though, while concerns about data security in cloud environments remain high, they’ve dropped off since last year. In 2016, 70% of respondents voiced worries about security breaches from attacks targeting cloud service providers (CSPs); in 2017, 59% expressed fears about this. That makes it still the No. 1 concern, but by a far smaller margin than just a year ago.
The second biggest concern, cited by 57% of respondents, is “shared infrastructure vulnerabilities”, followed by “lack of control over the location of data” (55%). On the SaaS side, 57% of respondents report they are leveraging sensitive data in SaaS environments – up from 53% in 2016. When it comes to SaaS insecurities, respondents are most fearful about online storage (60%), online backup (56%), and online accounting (54%).
“Most major cloud providers have larger staffs of highly trained security professionals than any enterprise, and their scalability and redundancy can provide protection from the kinds of DDoS attacks that can plague on-premises workloads,” said Garrett Bekker, principal analyst for information security at 451 Research. “Perhaps as a result of the recognition of these public cloud security realities, security concerns overall for public cloud are waning.”
Big data is a big topic of conversation—so it might be unsurprising to learn 47% of respondents are using sensitive data in big data environments. When it comes to security here, respondents cite their top fear as “sensitive data everywhere” (46%), followed by “security of reports” (44%) and “privileged user access” (36%).
IoT adoption is even higher, with 85% of respondents taking advantage of IoT technology and 31% using sensitive data within IoT environments. Despite IoT’s popularity, and despite the personal or critical nature of many IoT tools (medical and fitness devices; video cameras and security systems; power meters), only 32% of respondents report being ‘very concerned’ about their data. When pressed about their top fears, 36% of respondents cited “protecting the sensitive data IoT generates”, followed by “identifying sensitive data” (30%) and “privacy concerns” (25%).
Meanwhile, although less than five years old, container environments have proven exceptionally popular. Eighty-seven percent of respondents have plans to use containers this year, with 40% already in production deployment. But similar to the emerging IoT environment (and owing to their relative immaturity), there remains a lack of enterprise-grade security controls in most container environments. Security is cited as the number one barrier to container adoption by 47%, followed by ‘unauthorized container access’ (43%), “malware spread between containers” (39%), and “privacy violations resulting from shared resources” (36%).
The report also found that while advanced technologies show great promise and business benefits, they are relatively young and in some cases, untested. Understanding this risk, respondents are gravitating towards a proven security control—encryption. According to the report, 60% of respondents would increase their cloud deployments if CSPs offered data encryption in the cloud with enterprise key control. Data encryption (56%) and digital birth certificates with encryption technology (55%) are also listed as the two most popular security options for IoT deployments. Rounding out the list is containers, with 54% of respondents citing encryption as the number one security control necessary for increasing container adoption.
Organizations interested in both taking advantage of advanced technologies and keeping data secure should strongly consider: Deploying security tool sets that offer services-based deployments, platforms and automation; discovering and classifying the location of sensitive data within cloud, SaaS, big data, IoT and container environments; leveraging encryption and bring your own key (BYOK) technologies for all advanced technologies, the report recommended.
“The digital world we live in, which encompasses everything from cloud to big data and the IoT, demands an evolution of IT security measures,” said Peter Galvin, VP of strategy, Thales e-Security. “The traditional methods aren’t robust enough to combat today’s complicated threat landscape. Fortunately, adopters of advanced technologies are getting the message—as evidenced by the number of respondents expressing an interest in or embracing encryption. Putting an ‘encrypt everything’ strategy into practice will go a very long way towards protecting these powerful, yet vulnerable, environments.”
Khawlah Abdulaziz Alswailem says
March 19, 2017 at 10:05 pm
Credit-card breach hits another restaurant chain
In the latest example, several high-end eateries run by Select Restaurants in Cleveland were the victims of fraudulent cards used by customers at its restaurants, according to a report posted Thursday on KrebsOnSecurity, a reliable site written by reporter Brian Krebs. Krebs said he learned about the case from anti-fraud teams at multiple financial institutions investigating “a great deal of fraud on cards used at a handful of high-end restaurants around the country.”
A month ago, hundreds of Arby’s restaurants were affected by a breach in their payment systems. In January, Popeyes restaurants acknowledged it was also hit last summer, in a similar breach.
Fraud from stolen credit and debit cards seems to be happening regularly at U.S. restaurants where older magnetic stripe cards are still sometimes in use instead of more secure chip cards. But even PIN and chip cards can’t be defended against the kind of internal POS breaches that occurred at Select Restaurants, said Gartner analyst Avivah Litan.
Victims apparently had primarily used magnetic stripe credit and debit cards at payment terminals at the affected restaurants. Mag-stripe cards rely on an older and less secure payment technology than do the newer chip cards. U.S. banks and card networks like Visa, MasterCard and other card companies have been giving customers new cards embedded with smart chips in recent years, although the U.S. is one of the last countries to convert to chip card technology.
March 20, 2017 at 7:25 pm
Thanks for sharing the article. I do believe that it is more secure with chips added to the credit cards; however, with that magnetic strip still in place on cards with chips, the ATM could even be a potential danger. It is very important that we are aware that at any given point in time there could be a skimming device on the ATM. We must make sure to cover up the keypad with our hand as we’re punching in the PIN number, because there could be a camera anywhere recording the PIN number we entered. In addition, in order to secure our personal information we must make sure to have a VPN, a virtual private network, that encrypts and locks down our information on free public WiFi.
March 20, 2017 at 9:29 am
Critical Flaw Exposes Many Ubiquiti Devices to Attacks
Dozens of products from Ubiquiti Networks are affected by a critical flaw that can be exploited to hijack devices. The security hole was reported to the vendor in November, but patches have yet to be released for most of the impacted versions. The vulnerability, discovered by researchers at SEC Consult, has been described as a command injection in the administration interface of Ubiquiti devices. The flaw can be exploited by authenticated attackers from a low privileged read-only account, or remotely by unauthenticated hackers if they can trick a user into clicking on a specially crafted link. The remote attack works due to the lack of cross-site request forgery (CSRF) protection. An attacker can exploit the vulnerability to open a reverse root shell and take over the device. Depending on what the device is used for, it may also be possible for an attacker to hijack other machines on the network.
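As an added illustration of the two weaknesses this comment describes, a shell-style command injection in an admin page and a missing CSRF check that lets a crafted link drive it, here is a toy admin "ping" handler in Python with the weak pattern beside its hardened form. This is example code, not code from Ubiquiti or SEC Consult; the Request class, the session cookie name, the secret and the device origin are constructed assumptions.

```python
import hashlib
import hmac
import re
import subprocess
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an admin-UI HTTP request (constructed for this example)."""
    method: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


# --- Command injection: the weak pattern and its fix -----------------------

def build_ping_command_unsafe(host: str) -> str:
    """Weak: the user-supplied value is spliced into a shell command line, so a
    value such as "8.8.8.8; id" smuggles in a second command. Only the string
    is built here; nothing is executed."""
    return "ping -c 1 " + host


# Hostnames/IPs only: letters, digits, dots, hyphens. A leading '-' is refused
# so the value can never be parsed as a ping option.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")


def build_ping_command_safe(host: str) -> list:
    """Hardened: allow-list the value and return an argv list. With an argv
    list and shell=False, ';', '|' and '`' are ordinary characters, and the
    allow-list rejects them anyway."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host parameter")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Execute the hardened form without a shell; returns ping's exit status."""
    return subprocess.run(build_ping_command_safe(host),
                          shell=False, check=False).returncode


# --- CSRF: bind every state-changing request to the caller's session --------

def csrf_token(session_id: str, secret: bytes) -> str:
    """Token = HMAC(secret, session id). A page on another origin can read
    neither the session cookie nor the server secret, so it cannot forge it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_ok(req: Request, secret: bytes, expected_origin: str) -> bool:
    session_id = req.cookies.get("session")
    token = req.form.get("csrf_token")
    if not session_id or not token:
        return False
    if not hmac.compare_digest(token, csrf_token(session_id, secret)):
        return False
    # Defence in depth: if the browser sent an Origin header, it must match.
    origin = req.headers.get("Origin")
    return origin is None or origin == expected_origin


ROLES_ALLOWED_TO_RUN_TOOLS = {"admin"}


def handle_ping(req: Request, secret: bytes, role: str,
                expected_origin: str = "https://device.example") -> tuple:
    """Admin-UI handler. Returns (http_status, body): an error message or the
    argv list that would be executed. A read-only account is refused, and a
    cross-site form post fails the CSRF check before any input is parsed."""
    if req.method != "POST":
        return 405, "state-changing actions must use POST"
    if not csrf_ok(req, secret, expected_origin):
        return 403, "missing or invalid CSRF token"
    if role not in ROLES_ALLOWED_TO_RUN_TOOLS:
        return 403, "read-only accounts may not run diagnostic tools"
    try:
        argv = build_ping_command_safe(req.form.get("host", ""))
    except ValueError as exc:
        return 400, str(exc)
    return 200, argv
```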
March 20, 2017 at 7:04 pm
Intel Launches $30K Bug Bounty
The article I read is about Intel Corp announcing the launch of its first bug bounty program at CanSecWest with HackerOne. For software, rewards can range up to $7,500; for firmware, up to $10,000; and for hardware, up to $30,000. The program enlists white hats all over the globe to hunt for bugs in its software, firmware and hardware. The company believes that it will be better able to protect its customers by partnering constructively with the security research community. “We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability,” the company said.
Unsurprisingly, the harder a vulnerability is to mitigate, the more the chipmaker will pay. Intel said that it considers several factors when determining the severity of a vulnerability. The first step is to use the CVSS 3.0 calculator to compute a base score. The base score is then adjusted up or down based on the security objectives and threat model for the given product. Items that are not in the program scope include Intel Security (McAfee) products; third-party products and open source; and Intel’s web infrastructure. Recent acquisitions also are not in-scope for the bug bounty program for a minimum period of six months after the acquisition is complete.
April 9, 2017 at 4:12 pm
Interesting news. This is a good way to identify vulnerabilities and also encourage white-hat students like us to learn and explore through incentives.
Mengting Li says
March 21, 2017 at 1:38 pm
New Financial Regulation Forces Cyber Security into the Board Room
Consider the advice of the professional pentester. A recent survey found that only 10% of the class “completely repaired all identified vulnerabilities”. Almost one-third of the bosses think they are only working for regulatory purposes. This is a danger to all regulations, especially those that attempt to “do not dictate”: the greater the room for supervised entities, the more likely they are to become a consistent box check rather than a security implementation.
The author of the new regulation is not aware of the problem and seeks to restrict the regulation to require the regulated entity to submit an annual Certificate of Conformity to the Financial Services Authority. This includes “within the scope of the area, system or process within which the covered entity determines that significant improvements, updates or redesigns are required, the covered entity shall record identification and planned and ongoing remedial measures to address these areas, systems or processes.”
The certificate requires the board or senior management to “examine, if necessary,” documents, reports, certificates and opinions of such officers, employees, representatives, external suppliers and other individuals or entities. In addition, the declaration must be “signed by the chairman or senior officer of the board”.
Yu Ming Keung says
March 22, 2017 at 3:33 pm
Poor Passwords, Cloud and Network Complexity Plague Orgs
Many organisations are still vulnerable to brute force attackers because attackers most likely target default or easily-guessed usernames and passwords to breach enterprise defences. The increasing complexity and attack surface expansion is being compounded by cloud and internet of things (IoT) growth, and network segmentation is also a problem.
While increases in malware are clearly a major threat to both enterprises and service providers, network complexity is creating its own vulnerability, the report found. The average enterprise is using six different cloud services, and network segmentation is increasing, yet 54% of enterprises are monitoring less than half of those network segments, and less than 19% of companies believe that their IT teams are adequately trained on the wide array of network appliances they are managing.
Overall, organizations need to constantly monitor, test and shift security tactics to keep ahead of attackers in the fast-paced threat landscape we all deal with today. This is especially important as new cloud services and increased IoT devices are routinely being introduced.
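The post's first point, password guessing against default or easily-guessed accounts, is something the monitoring it calls for can actually catch. The detector below is an added example, not code from the report the post summarises; the sshd-style log lines, the default-account list and the threshold are constructed assumptions.

```python
"""Added example (not from the report the post summarises): flag password-guessing
bursts and default-account probing in constructed sshd-style auth-log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_ACCOUNTS = {"admin", "root", "guest", "test", "user"}  # assumed list of shipped names
LINE_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

# Constructed sample: one source hammers default accounts, another is a user's two typos.
SAMPLE_LOG = """\
2017-03-22T10:00:01 gw sshd[811]: Failed password for admin from 203.0.113.5 port 5011 ssh2
2017-03-22T10:00:04 gw sshd[811]: Failed password for root from 203.0.113.5 port 5012 ssh2
2017-03-22T10:00:09 gw sshd[811]: Failed password for invalid user guest from 203.0.113.5 port 5013 ssh2
2017-03-22T10:00:15 gw sshd[811]: Failed password for admin from 203.0.113.5 port 5014 ssh2
2017-03-22T10:00:21 gw sshd[811]: Failed password for admin from 203.0.113.5 port 5015 ssh2
2017-03-22T10:00:27 gw sshd[811]: Failed password for invalid user test from 203.0.113.5 port 5016 ssh2
2017-03-22T10:03:40 gw sshd[812]: Failed password for alice from 198.51.100.9 port 6020 ssh2
2017-03-22T10:14:02 gw sshd[813]: Failed password for alice from 198.51.100.9 port 6021 ssh2
"""


def parse_failures(text):
    """Yield (timestamp, username, source_ip) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def detect(text, threshold=5, window=timedelta(seconds=60)):
    """Return (burst_sources, default_probes): sources with >= threshold failures
    inside any `window`, and the default account names each source tried."""
    stamps = defaultdict(list)
    probes = defaultdict(set)
    for ts, user, ip in parse_failures(text):
        stamps[ip].append(ts)
        if user in DEFAULT_ACCOUNTS:
            probes[ip].add(user)
    bursts = []
    for ip, times in stamps.items():
        times.sort()
        # sliding window: does the threshold-th failure after index i land within `window`?
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            bursts.append(ip)
    return bursts, {ip: sorted(users) for ip, users in probes.items()}
```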
Deepali Kochhar says
March 22, 2017 at 10:54 pm
Brain-Inspired System Aims to Improve Threat Detection
A new “brain-inspired” computer system promises improved detection of cyber threats by looking for specific patterns that can more efficiently reveal indicators of compromise in a network.
Dubbed the Neuromorphic Cyber Microscope, the system aims to address the limitation current systems have when it comes to the detection of more complex indicators of compromise.
The designers of the system explain that many modern cybersecurity systems might be looking for general indicators of compromise or only for specific patterns, and often require interaction from security analysts to correctly sort the real dangers from false alarms.
By using its brain-inspired design, the new system promises not only to address this limitation by looking for complex patterns that indicate specific “bad apples,” but also to offer energy consumption savings, as it requires “less electricity than a standard 60-watt light bulb.”
While conventional detection systems compare the received data against a library of malicious patterns, the Neuromorphic Cyber Microscope was designed to compare streaming data to suspicious patterns in a time-dependent manner, which should improve its detection efficiency.
Brou Marie Joelle Alexandra Adje says
March 23, 2017 at 7:56 am
Proposed bill would legally allow cyber-crime victims to hack back
The article I read is about a proposed bill which would legally allow victims of ongoing cyber-attacks to fight back against hackers by granting victims more powers to engage in active defense measures to identify the hacker and disrupt the attack. Now the question is “Is it wrong to hack back in order to counter a hacking attack when you have become a victim?” What do you think?
I personally think that it is a very bad idea because it will make things worse and hackers will eventually come up with more tricks and attack more people. Hacking back is not a way to solve data breach issues at all. In fact, accessing a system that does not belong to you or distributing code designed to enable unauthorized access to anyone’s system is an illegal practice. Above all, people need to remember that the virtual world is different from the physical world in which we live. Even if this bill is passed in the US, it doesn’t mean that it applies in other countries. What if the hacker is in another country?
Paul Linkchorst says
March 24, 2017 at 8:55 am
According to the article found on Tripwire.com, a new form of ransomware labeled Cerber has been spreading. The Cerber ransomware uses what is known as a “blank slate” attack campaign. These kinds of attacks use blank emails where the text of the email is blank and the subject line contains a random series of numbers and words. However, attached to these emails is a zip file that contains a Word document with malicious macros included and a .js file with malicious scripts. This malicious code will lock the end user’s computer and hold it until a ransom of 1 bitcoin (~$1,000) is paid. While my research has not identified any victims of the attack, it is important for security professionals to be aware of these new types of campaigns. If a firewall or content-filtering service on the email is not functioning, then these types of emails might be able to reach the end user and therefore might be able to lock a computer for ransom.
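The "blank slate" shape described here (empty body, number-heavy subject, zip attachment holding a Word document and a .js file) is exactly what a content filter at the mail gateway can key on. The triage below is an added example and not code from the Tripwire article; the sample message is constructed with placeholder archive members, and the extension list and verdict rules are assumptions.

```python
"""Added example (not from the Tripwire article): gateway-style triage of the
'blank slate' pattern. The sample message and its archive members are constructed."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed list: script types and macro-capable Office formats worth a closer look.
RISKY_EXT = (".js", ".jse", ".vbs", ".wsf", ".doc", ".docm", ".xls", ".xlsm")


def build_sample() -> bytes:
    """Constructed message mimicking the campaign's shape; payloads are placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "83104 invoice 6627"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg.set_content("")  # blank body, as in the campaign
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("8873.doc", b"placeholder, not a real document")
        z.writestr("1092.js", b"// placeholder, not a real script")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="order_20931.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Score one message; 'quarantine' when a blank body carries risky archive members."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    blank = not (body.get_content().strip() if body else "")
    noisy_subject = bool(re.search(r"\b\d{4,}\b", msg["Subject"] or ""))
    risky = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as z:
                risky += [n for n in z.namelist() if n.lower().endswith(RISKY_EXT)]
        except zipfile.BadZipFile:
            risky.append(name + " (unreadable archive)")  # treat corrupt archives as suspect
    verdict = ("quarantine" if blank and risky
               else "review" if risky or (blank and noisy_subject) else "deliver")
    return {"blank_body": blank, "noisy_subject": noisy_subject,
            "risky_files": risky, "verdict": verdict}
```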
Adam M Joskowicz says
March 25, 2017 at 11:03 am
World’s first ‘lip password’ utilizes a user’s lip motions to create password
Scientists have invented a new technology entitled “lip motion password” which utilizes a person’s lip motions to create a password. Professor Cheung Tiu-ming from the Department of Computer Science, Hong Kong Baptist University and his team are behind the new technology. This system verifies a person’s identity by simultaneously matching the password content with the underlying behavioral characteristics of lip movement. Nobody can mimic a user’s lip movement when uttering the password, which can be changed at any time. This novel technology, the first in the world, was granted a US patent in 2015 and is expected to be used in financial transaction authentication. This system has a higher security benefit than using a fingerprint, because once the fingerprint system is stolen or hacked, the user must find a new method of security (you cannot change a fingerprint). Professor Cheung said, “the same password spoken by two persons is different and a learning system can distinguish them.” The study adopted a computational learning model which extracts the visual features of lip shape, texture and movement to characterize the lip sequence. Samples of lip sequences are collected and analyzed to train the models and determine the threshold for accepting and rejecting a spoken password.
March 27, 2017 at 3:46 pm
This is very interesting! I am so excited to test it out when it becomes available. I did some more research on this topic, and I believe this is a better system than voice activation, which can be inhibited by background noise. Further, people with hearing or speech impairments can use it, and this method is not susceptible to language barriers. In addition, the researchers mentioned that in the future, the lip password could be integrated with facial recognition authentication systems for even more robust security and verification.
Younes Khantouri says
April 21, 2017 at 2:14 am
Protecting the enterprise with cyber secure IT architecture
Demand for an IT architecture that helps companies manage their data and makes communication with clients easier has caused many issues in protecting these companies’ IT systems. Digitization of data always gives hackers a chance to find a way of accessing company information.
Creating interfaces to help clients and third parties access certain data in the company can cause a leakage, because as the organization grows more people get involved, and that will make the same data circulate between people from different organizations.
Digitization doesn’t only introduce more openings for hackers; it increases the organization’s data assets. In other words, within the banking sector, large data sets can help these banks analyse customer information to learn about their transactions, names, even demographics.
It’s the IT organization’s job to help take advantage of new technologies as well as secure customer information. To stay ahead of attackers, these IT organizations have to design platforms and infrastructures with a very secure architecture.