On January 14th Microsoft released an important update:
SANS reported that “Today’s Microsoft Update corrects a severe flaw that may allow malware to bypass many endpoint protections. Install the update today. The error is deep in cryptographic and certificate functions in crypt32.dll and CryptoAPI. The concern is that it will allow attackers to mimic legitimate Microsoft applications, send infected (but apparently valid) software updates and possibly circumvent encrypted sessions on the system. We’ve scheduled a global webcast on Wednesday at noon EST to explain the problem and the risks you averted by installing the patches immediately.”
https://sans.org/cryptoapi-nb
This article is about how to prepare effective security reports that explain the security profile of an organization to board members more clearly. The article claims that the focus of the report should be risk-based and financially expressed to draw the attention of the board. In a word, a language that the board and the business can understand should be used when preparing security reports. To do so, cyber risk quantification is a good method. For instance, the likely reduction of risk following the implementation of a particular control may be presented so that the board can recommend the best cost-benefit option. Also, dashboards and key risk indicators on security projects help the board to be part of strategic decision-making for cybersecurity and allow CISOs to win their support.
Article: https://www.infosecurity-magazine.com/opinions/build-risk-report-board-love/
The article talks about patch vulnerability management. Although a patch vulnerability management control is in place in an organization, or it uses the Common Vulnerability Scoring System (CVSS), the open industry standard for assessing the severity of computer system security vulnerabilities, there are still risks that a hacker can gain unauthorized access to systems. Here are the reasons:
– Organizations might not have good control over the human factor, security control configuration policies, password credential strength, and privileged access management.
– Attackers use social engineering techniques such as targeted phishing. After that, hackers can learn more about the organization’s network and systems.
– Attackers use Group Policy Object (GPO) hijacking schemes, man-in-the-middle (MitM) techniques to sniff out credentials, or conduct DHCP spoofing attacks, password cracking, endpoint exploitation, and post-exploitation.
The suggestion for this issue is to apply automated penetration testing in order to continuously monitor 24/7.
Source: https://www.infosecurity-magazine.com/opinions/patch-perfect-vulnerable/
U.S. Government Confirms Critical Browser Zero-Day Security Warning For Windows Users
There are alternative browsers like Chrome, Opera or Firefox to avoid this zero-day vulnerability, which has no patch yet.
To exploit this zero-day vulnerability, a threat actor could use a maliciously crafted website that uses JScript as the scripting engine, which would kick off an exploit if the visitor was using the Internet Explorer browser to view it.
Microsoft said that a remote code execution (RCE) vulnerability had been found in the scripting engine of the Internet Explorer (IE) web browser. It’s a critical vulnerability, assigned CVE-2020-0674, that impacts IE across all versions of Windows and can corrupt memory so that an attacker can execute arbitrary code. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” Microsoft warned, “if the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.” That is about as dangerous as it gets, as the attacker could create new accounts, install malware, view and alter data, and so on.
Source: https://www.forbes.com/sites/daveywinder/2020/01/18/us-government-confirms-critical-zero-day-security-warning-for-windows-users/
Title: “Apple reveals worldwide national security requests for customer data”
After Apple published its biannual transparency report, Corinne Reichert, the publisher of the article, noted the significant increases in certain requests from foreign government agencies. Corinne also made sure to summarize how many national security requests are made under the Foreign Intelligence Surveillance Act, mentioning the number of users affected and to what degree. Among the more interesting statistics she includes is that foreign governments made requests for 31,778 devices and the customer information associated with those devices, including purchases.
Source: https://www.cnet.com/news/apple-reveals-worldwide-national-security-requests-for-customer-data/
The article “Google pledges a speedy Stagefright security fix for Nexus devices” is about how Google deals, in a timely manner, with vulnerabilities that have not been compromised. Google provided Android partners with a patch for the Stagefright vulnerability to prevent users from being unknowingly monitored by third parties. The bug hasn’t affected Android users yet, but after Google finds out and updates the patch, Google will focus more on securing Nexus devices.
Link: https://www.itworld.com/article/2954357/google-pledges-a-speedy-stagefright-security-fix-for-nexus-devices.html
https://www.insurancebusinessmag.com/us/risk-management/news/the-importance-of-penetration-testing-versus-cyber-risks-195378.aspx
The growing awareness of cyber-security is only increasing, and it’s very efficient when a company is able to perform a penetration test to inform itself of how strong its information systems are.
The FBI has issued a warning to its private industry partners about a possible foreign hacking group compromising the networks of two US municipalities.
The group was able to gain access to the networks via unpatched Microsoft SharePoint servers – Microsoft had begun to issue these specific patches in March 2019. While the hackers didn’t get very far before their activity was detected, the group was still able to steal one municipality’s Active Directory database.
https://www.scmagazine.com/home/security-news/apts-cyberespionage/report-fbi-issues-alert-after-two-municipalities-hacked-via-sharepoint/
The UK government is facing urgent questions after it was revealed that betting companies were given access to a Department for Education (DfE) database containing personal information on 28 million children.
“This is not just a security breach, but a breach of trust, where there is an expectation of fair, lawful and transparent uses of the data by everyone who has access to it — which in this case has not happened,” argued KnowBe4 security awareness advocate, Javvad Malik.
It’s a pretty big issue as it covers a huge amount of data.
https://www.infosecurity-magazine.com/news/uk-gov-database-leak/
Citrix is experiencing a vulnerability in their VPN service. This is affecting customers with a specific VPN service and affects over 26,000 servers. Citrix is releasing patches, but it may take some time for all servers to update and fix the vulnerability. Many government agencies were affected by the vulnerability as well. This is an example of why a patch management program is necessary within your security plan. It allows your organization to stay patched and as secure as possible when a vulnerability like this is found.
https://arstechnica.com/information-technology/2020/01/as-attacks-begin-citrix-ships-patch-for-vpn-vulnerability/
The attached article outlines the removal and seizure of the domain “weleakinfo.com”. This site served as a central location where anyone could register for an account and buy names, emails, usernames, and passwords of over 12 billion people worldwide. The removal and seizure of the domain was completed not only by the FBI but also in conjunction with Dutch, UK, and German authorities. I find this article very pertinent to show what US and global powers are doing to fight against hackers and the criminal organizations they work for and form.
https://threatpost.com/feds-cut-off-access-billions-breached-records/152001/
The below article is research conducted by Princeton University, which exposes 5 major US wireless carriers (AT&T, T-Mobile, Verizon, Tracfone, and US Mobile) to a SIM-swapping vulnerability. The article also illustrates the practical scenario that was carried out by researchers to expose this vulnerability.
https://cyware.com/news/new-research-reveals-that-major-us-wireless-carriers-are-vulnerable-to-sim-swapping-attacks-4353b5be
Analysis of industrial control systems (ICS) shows that many products contain features that were not designed with security in mind, allowing malicious hackers to abuse them and potentially wreak havoc.
In all, PAS has identified more than 380,000 known vulnerabilities on the 10,000 industry endpoints analyzed, most of which affect software produced by Microsoft.
https://www.securityweek.com/hackers-can-cause-damage-industrial-systems-abusing-design-weaknesses