Malware Devil

Tuesday, November 24, 2020

XKCD ‘Unread’

via the comic delivery system monikered Randall Munroe resident at XKCD!


The post XKCD ‘Unread’ appeared first on Security Boulevard.


The post XKCD ‘Unread’ appeared first on Malware Devil.



https://malwaredevil.com/2020/11/24/xkcd-unread/?utm_source=rss&utm_medium=rss&utm_campaign=xkcd-unread

Gift card hack exposed – you pay, they play

These crooks hacked into a network hoping to get everyone in the company to buy them gift cards.

The post Gift card hack exposed – you pay, they play appeared first on Malware Devil.



https://malwaredevil.com/2020/11/24/gift-card-hack-exposed-you-pay-they-play/?utm_source=rss&utm_medium=rss&utm_campaign=gift-card-hack-exposed-you-pay-they-play

Monday, November 23, 2020

Security Researchers Sound Alarm on Smart Doorbells

A new analysis of 11 relatively inexpensive video doorbells uncovered high-risk vulnerabilities in all of them.

Consumers looking to purchase video doorbells this holiday season would do well to stick with reputable and trusted brands.

A recent review of nearly a dozen inexpensive video doorbells sold via online markets such as Amazon and eBay uncovered multiple security vulnerabilities in each device. The most serious was that some of the devices sent Wi-Fi names, passwords, location information, photos, video, email, and other data back to the manufacturer for no obvious reason.

Security consultancy the NCC Group, in collaboration with UK consumer organization Which?, selected 11 video doorbells available on popular online markets in the UK. Some looked very similar to each other but were from different manufacturers. Other devices looked like copycats of Amazon Ring. All of the products had prices that were substantially lower than the average retail price for well-known brands, such as Ring and Google’s Nest Hello smart doorbell.

Though most of the tested models were from little-known brands, some of them had high user ratings and one of the products was even endorsed with Amazon’s Choice logo, meaning the retailer had recommended the product.

The NCC Group and Which? study uncovered security issues related to the hardware, associated applications, and servers that streamed and transferred data from the doorbells.

For example, two video doorbells from Victure and Ctroncs had a security flaw in them that could allow an attacker to steal the network password and use it to hack into the doorbell and the router as well as other devices connected to the network.

Another smart doorbell from Victure, which Amazon had labeled as a top seller and had a score of 4.3 out of 5 stars from over 1,000 users, was found to be sending a lot of sensitive data, including the Wi-Fi network name and password, in unencrypted fashion to servers in China.

One device being sold on Amazon and eBay, which had no discernible brand associated with it, had a vulnerable WPA-2 protocol implementation that would allow an attacker to gain access to a video doorbell owner’s entire home network. A Qihoo 360 smart video door, on Amazon, was easy to hack with just a standard SIM-card ejector, and another had a flaw that allowed attackers to knock the device offline by setting the device back to a “pairing” stage.

Phoning Home

“Given their availability across various online marketplaces, but very little information about the devices and their security, we felt it would be interesting to test them from a secure design and implementation perspective,” says Matt Lewis, research director at NCC Group.

“The most surprising finding was seeing some of the doorbells sending home Wi-Fi passwords over the Internet and unencrypted to remote servers,” he says. “It’s not really clear what the purpose of such a feature would be for, and it certainly exposes a person’s entire home network to potential attackers and criminals.”

Lewis says nearly all of the doorbells were observed sending at least some data back to remote servers located outside the UK and Europe, but it wasn’t always sensitive data.

According to the NCC Group, all 11 devices that were tested had one or more high-risk security vulnerabilities, and a “large number” had weak, easy-to-guess default passwords. The vendor described two of the products as being critically vulnerable and nine others as having “high impact” security issues.

“The main takeaway for consumers is to really do their homework before purchasing devices like these and, where possible, stick with popular and known brands,” Lewis says. While lesser-known brands can be much cheaper, they usually have missing or inadequate security design and features, he says.

The new report highlights what numerous researchers have described as the growing threat to Internet security from insecure Internet of Things (IoT) devices. They have noted how a large percentage of smart devices — doorbells, connected thermostats, TVs, routers, printers, etc. — being installed in homes around the world are very weakly protected against snooping, data theft, sabotage, and other attacks.

The Mirai distributed denial-of-service (DDoS) attacks of 2016 were the first to demonstrate how attackers could abuse insecure IoT devices to cause widespread havoc. Since then, there have been numerous other incidents where attackers have hijacked large numbers of IoT devices and assembled botnets for launching DDoS attacks and for distributing ransomware and other malware.

Concerns over IoT vulnerabilities have prompted some legislative action. One example is California’s Internet of Things Security Law, which went into effect January 2020. The law requires manufacturers of connected devices to implement reasonable measures to protect any information that the devices might collect, contain, or transmit.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


The post Security Researchers Sound Alarm on Smart Doorbells appeared first on Malware Devil.



https://malwaredevil.com/2020/11/23/security-researchers-sound-alarm-on-smart-doorbells/?utm_source=rss&utm_medium=rss&utm_campaign=security-researchers-sound-alarm-on-smart-doorbells

As ‘Anywhere Work’ Evolves, Security Will Be Key Challenge

Companies should plan their future workforce model now, so they have time to implement the necessary tools, including cybersecurity and seamless remote access, a Forrester report says.

Following the pandemic, at least 70% of companies will permit a significant portion of their employees to work from home at least two days a week — requiring a revamped cybersecurity model, according to a new report by Forrester Research.

About 60% of organizations will move to a hybrid work environment, Forrester says. The analyst firm calls this “anywhere work” because it combines a significant amount of remote and office work. A small portion of businesses, about 10%, will focus on transitioning to a fully virtual work environment, while 30% will mainly head back to the office.

The mix of arrangements will require companies to focus their cybersecurity efforts on zero-trust frameworks, multifactor authentication, and endpoint monitoring, says JP Gownder, vice president and principal analyst at Forrester’s Future of Work practice.

“There are technology solutions out there that make it possible,” he says. “From a cybersecurity perspective, if you are willing to upgrade to modern tools, if you adopt as much endpoint security as possible to manage devices and data, and if you are building a viable cloud infrastructure with modern design principles, you have a baseline for decent security.”

The report underscores that one of the lasting legacies of the coronavirus pandemic will be its demonstration that companies can support a massive remote workforce when necessary. While analysts see most workers going back to the office much of the time following the pandemic, their ability to work anywhere gives companies the option to have a significant remote workforce.

While that could translate into companies having double the number of remote workers compared with before the pandemic, the end result will be they can decide on the best workforce structure for their business. Eventually, less than 12% of workers will work from home full time, Forrester states in its “Use The Lessons Of 2020 To Create Your Anywhere-Work Strategy” report.

Companies, however, have to prepare for a mix of different work arrangements, and part of that preparation will be offering the technology necessary to do their jobs in a secure way.

“[That means] everything from the endpoint that you use, [to] a good management system for the devices, to understanding the different access points and peripherals used by workers, and connected devices. Down the line there may be more focus on things like camera security,” Gownder says. “Many of the things that we have already been doing in larger companies needs to be beefed up.”

Companies need to plan for the workforce structure they intend to pursue following the pandemic, Forrester stated. The necessity of remote work has shown many companies that modes of work they did not believe possible are actually sustainable.

Yet decision makers are not the only ones wary of long-term remote work. While 70% of employees believe they have kept up their productivity while working remotely, 44% are eager to return to the office, according to Forrester.

The best way to focus on the future of working anywhere is to focus on people, the firm says. Security is a major part of that. In addition to hardware, remote access services, and collaboration tools, security is a foundational part of the technology needed to make remote employees productive, the report states.

Companies that focus on ways to make workers productive as well as secure are much more likely to have a customer-focused culture, Forrester says.

“[C]ompanies won’t need a centralized office to amass resources for employees if they invest in technology that makes it as easy to access those resources remotely as in the office,” the report states. “[T]his includes respecting the devices and connection options that workers already own or can conveniently access.”

The remote or hybrid model will not work for every company. Some businesses have argued that face-to-face collaboration is too valuable as a creative force, while other companies are limited by security needs, allowing workers to only access critical data from within company walls. For that reason, about 30% of companies plan to go back to mostly office-bound work following the pandemic, Gownder says.

“If you are dealing with data that can only be accessed on site, then that will be a problem for any company with critical functions working from their home,” he says.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …


The post As ‘Anywhere Work’ Evolves, Security Will Be Key Challenge appeared first on Malware Devil.



https://malwaredevil.com/2020/11/23/as-anywhere-work-evolves-security-will-be-key-challenge/?utm_source=rss&utm_medium=rss&utm_campaign=as-anywhere-work-evolves-security-will-be-key-challenge

Ransomware Grows Easier to Spread, Harder to Block

Researchers illustrate the evolution toward more complete and effective ransomware attacks designed to cripple target organizations.

Ransomware, already a major enterprise threat, is growing more problematic as operators brainstorm new ways to make their attacks easier to launch and more devastating for victims.

Mitchell Clarke and Tom Hall, both principal incident response consultants for Mandiant, have spent the past year analyzing the evolution in ransomware activity and watching as attackers grew smarter, intrusions took longer, and ransom demands spiked into the millions. New tactics demand businesses’ attention; as a result, executives have begun to grow concerned.

“We’re seeing more and more organizations at the board level, where CEOs and COOs are really asking questions of ransomware,” says Hall. “I don’t think the industry is catching up to it as widespread as it needs to be.”

Attackers used to “just throw ransomware here and there — maybe you get lucky and get a few systems,” Clarke adds. WannaCry and NotPetya, both destructive attacks, signified what was to come. Over time, more attackers realized they could generate more profit if they took down a whole organization as opposed to a handful of systems at once.

For the financially motivated ransomware operators, this was motivation to change their game.

“We’re seeing a movement from very traditional widespread attacks, where they’re hitting multiple organizations with pretty unsophisticated exploit kits, to following a full attack life cycle,” Hall explains. That life cycle runs from gaining an initial foothold in the environment, through escalating privileges and dropping tools and backdoors, to finally executing the ransomware.

Advanced ransomware attackers have begun to exploit VPNs and remote desktop applications to gain entry, Clarke notes, adding that the REvil operators are especially good at this. Instead of creating a phishing campaign, intruders can scan the Web for vulnerable VPNs and use those to gain entry. They can later return and leverage that compromise for ransomware deployment.

“I think we’re seeing them look at all the options they have, see phishing as high effort, high cost, and see mass exploitation as low effort, high payoff,” he adds. In 2019 and 2020, many security researchers explored vulnerabilities in edge devices, Clarke continues. Their efforts led to the discovery of high-impact bugs that could enable access for unauthenticated attackers.

Rather than deploying ransomware wherever they could, today’s attackers have grown more intentional. While there is less financial gain as they go through the compromise phase, they know working on a single target for a longer period of time will eventually lead to a big payout.

“I think they realized that if they invest time in the breach, move laterally, gain access to the whole organization, all of a sudden you can put yourself in that business-continuity-threatening position where if your victim doesn’t pay you, they’re gone — they can’t operate,” Clarke says.

Ransomware-as-a-Service: A “Business” Targeting Businesses

The researchers have noticed growth in ransomware-as-a-service, which essentially automates the boring, repetitive attacks involved with ransomware campaigns. Attackers and victims used to negotiate ransom over email; now, targets are sent to a platform where they can see ransom demands and payment information or talk with the criminals to negotiate the return of files.

“I think the trend is more the professionalization — that transition from ad hoc crime to full-on startup-esque, business growth. … It’s not a nice way to talk about a criminal enterprise, but that’s how we’re feeling,” Clarke says. The end goal for attackers is to more effectively and efficiently grow their pool of victims — and their financial gain.

Just as attackers have realized the payoff of bringing down an entire organization, they have also recognized the time and resources needed to do it. They have access to plenty of businesses, he continues, but not enough operators to get through the backlog. To that end, they’ve begun to focus more on hiring affiliates and partners and growing their operations.

While the researchers haven’t noticed any patterns in terms of industry targeting, they have seen attackers focus on a particular company size. Ransom demands tend to fall between $2 million and $5 million, Hall says, and victims will need to support that kind of payment.

“For anyone, if you want to get paid, there’s no point in demanding something an organization is never going to be able to reach,” he adds.

While today’s cybercriminals are adapting some of the same tactics as advanced persistent threat groups, defenders’ best tactics remain the same. Both researchers advise the same network hygiene and security posture that businesses should use to defend against traditional ransomware attacks: multifactor authentication on external services such as email and VPN, and making sure you’re not running unsupported operating systems. These are all things that are basic for organizations to do, says Hall, but are often neglected or deprioritized without the proper security budget.

“This isn’t just an IT and security problem,” he notes. “It’s a cultural and business problem.”

Clarke and Hall will present their full findings in an upcoming Black Hat Europe briefing: “It’s not FINished: The Evolving Maturity in Ransomware Operations,” on Wednesday, Dec. 9.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …


The post Ransomware Grows Easier to Spread, Harder to Block appeared first on Malware Devil.



https://malwaredevil.com/2020/11/23/ransomware-grows-easier-to-spread-harder-to-block/?utm_source=rss&utm_medium=rss&utm_campaign=ransomware-grows-easier-to-spread-harder-to-block

Cybersecurity & Integrated Risk Management – Top 10 for Trend 2021 – M. James Gomez – BSW #197

Key Points:
• Being Strategic is vital and relevant to a successful Cybersecurity Program
• Understanding Organization Status of controls in real-time is a competitive advantage
• Cybersecurity tools are tactical – Risk Management is strategic
• Connecting Cybersecurity to Risk Management ensures business goals and objectives are maximized to achieve corporate success
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Show Notes: https://securityweekly.com/bsw197

The post Cybersecurity & Integrated Risk Management – Top 10 for Trend 2021 – M. James Gomez – BSW #197 appeared first on Malware Devil.



https://malwaredevil.com/2020/11/23/cybersecurity-integrated-risk-management-top-10-for-trend-2021-m-james-gomez-bsw-197/?utm_source=rss&utm_medium=rss&utm_campaign=cybersecurity-integrated-risk-management-top-10-for-trend-2021-m-james-gomez-bsw-197

Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending

VMware explained it has no patch for a critical escalation-of-privileges bug that impacts both Windows and Linux operating systems and its Workspace One.

The post Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending appeared first on Malware Devil.



https://malwaredevil.com/2020/11/23/critical-vmware-zero-day-bug-allows-command-injection-patch-pending/?utm_source=rss&utm_medium=rss&utm_campaign=critical-vmware-zero-day-bug-allows-command-injection-patch-pending

Evidence-Based Trust Gets Black Hat Europe Spotlight

An FPGA-based system could change the balance of power between hardware attackers and defenders within IT security.

Faith may be a marvelous foundation for many things, but it’s a terrible basis for cybersecurity. Andrew “Bunnie” Huang, founder of Bunnie Studios, says that evidence, not faith, should be the foundation on which security is built. “What we’re not looking to rely upon is faith-based trust, as in … I believe that this vendor has a great brand and therefore I will take their word at face value,” he says.

The problem with a move to evidence-based security is that it’s so difficult to rigorously inspect what is going on inside any given chip or system. And without such an inspection, a customer has to trust not just a vendor but the vendor’s entire supply chain. “I want to be able to confirm that there are no extra parts in a motherboard,” Huang says as he begins to describe a system he calls Precursor, which would allow people to compare what the motherboard looks like versus a published reference of that same motherboard.

Huang says that it’s important to understand the problem that Precursor is designed to solve. First, the system is designed to give insight into system hardware, not software. It does that with its own hardware based on a field-programmable gate array (FPGA) that will be programmed with the model of what the reviewed system is supposed to be. That model includes details down to the transistor and logic gate level on the tested system.

Attackers, especially sophisticated nation-state operators, may be able to build in or take advantage of backdoors that leave no trace, Huang says, but Precursor forces the software needed to take advantage of a vulnerability to be much more complex. Instead of adding circuitry that might take advantage of a single counter, Huang says, a successful attacker might have to use techniques that took every counter into account in the hope that one would “sneak through” the inspection process. That makes the hardware required much larger physically and much more complex.

Huang isn’t under the illusion that this will be a complete solution to the problem of hardware-based attacks, but it does restore some balance to the battle, he says. “The problem is that in hardware, we didn’t even have the cat and mouse game. In hardware, you’ve got something and you either believed it was what you got or you didn’t,” he explains. Now, the hardware attackers will have to work around the knowledge that their exploits can be discovered and exposed.

The FPGA-based system also will have the ability to push hardware patches to vulnerable hardware, Huang says. That can significantly reduce the cost of remediating vulnerabilities in hardware because entire systems might not have to be replaced in order to close the vulnerabilities.

Huang will discuss Precursor and its genesis in the concept of evidence-based trust in the keynote address for Black Hat Europe 2020. The address is scheduled for 9 a.m. to 10 a.m. GMT on Thursday, Dec. 10.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …


The post Evidence-Based Trust Gets Black Hat Europe Spotlight appeared first on Malware Devil.



https://malwaredevil.com/2020/11/23/evidence-based-trust-gets-black-hat-europe-spotlight/?utm_source=rss&utm_medium=rss&utm_campaign=evidence-based-trust-gets-black-hat-europe-spotlight

GoDaddy Employees Tricked into Compromising Cryptocurrency Sites

‘Vishing’ attack on GoDaddy employees gave fraudsters access to cryptocurrency service domains NiceHash, Liquid.

The post GoDaddy Employees Tricked into Compromising Cryptocurrency Sites appeared first on Malware Devil.



https://malwaredevil.com/2020/11/23/godaddy-employees-tricked-into-compromising-cryptocurrency-sites/?utm_source=rss&utm_medium=rss&utm_campaign=godaddy-employees-tricked-into-compromising-cryptocurrency-sites

Manchester United Suffers Cyberattack

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database
CVE-2018-20803
PUBLISHED: 2020-11-23

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10; v3.4…

CVE-2019-14586
PUBLISHED: 2020-11-23

Use after free vulnerability in EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via adjacent access.

CVE-2019-14587
PUBLISHED: 2020-11-23

Logic issue EDK II may allow an unauthenticated user to potentially enable denial of service via adjacent access.

CVE-2020-0569
PUBLISHED: 2020-11-23

Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.

CVE-2020-12351
PUBLISHED: 2020-11-23

Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

The post Manchester United Suffers Cyberattack appeared first on Malware Devil.



https://malwaredevil.com/2020/11/23/manchester-united-suffers-cyberattack/?utm_source=rss&utm_medium=rss&utm_campaign=manchester-united-suffers-cyberattack

TA416 APT Rebounds With New PlugX Malware Variant

The TA416 APT has returned in spear phishing attacks against a range of victims – from the Vatican to diplomats in Africa – with a new Golang version of its PlugX malware loader.

The post TA416 APT Rebounds With New PlugX Malware Variant appeared first on Malware Devil.



https://malwaredevil.com/2020/11/23/ta416-apt-rebounds-with-new-plugx-malware-variant/?utm_source=rss&utm_medium=rss&utm_campaign=ta416-apt-rebounds-with-new-plugx-malware-variant

Drupal Flaws, DevSecOps Implementation, & Cloud Native Security White Paper – ASW #131

In the Application Security News, a manifesto highlights principles and values for threat modeling, the CNCF releases a Cloud Native Security Whitepaper, Microsoft put security in the CPU with Pluton, mass scanning for secrets, ancient flaws resurface in Drupal, and steps for implementing source composition analysis!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://wiki.securityweekly.com/asw131

The post Drupal Flaws, DevSecOps Implementation, & Cloud Native Security White Paper – ASW #131 appeared first on Malware Devil.



https://malwaredevil.com/2020/11/23/drupal-flaws-devsecops-implementation-cloud-native-security-white-paper-asw-131/?utm_source=rss&utm_medium=rss&utm_campaign=drupal-flaws-devsecops-implementation-cloud-native-security-white-paper-asw-131

Threat Modeling Deep Dive – ASW #131

We threat model every day without realizing it. And, of course, we often threat model with systems and products within our organizations. So how formal does our approach need to be? How do we best guide the “what could go wrong” discussion with DevOps teams? And what’s a sign that we’re generating useful threat models?
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://wiki.securityweekly.com/asw131

The post Threat Modeling Deep Dive – ASW #131 appeared first on Malware Devil.



https://malwaredevil.com/2020/11/23/threat-modeling-deep-dive-asw-131/?utm_source=rss&utm_medium=rss&utm_campaign=threat-modeling-deep-dive-asw-131

Chinese APT Group Returns to Target Catholic Church & Diplomatic Groups

The post Chinese APT Group Returns to Target Catholic Church & Diplomatic Groups appeared first on Malware Devil.



https://malwaredevil.com/2020/11/23/chinese-apt-group-returns-to-target-catholic-church-diplomatic-groups/?utm_source=rss&utm_medium=rss&utm_campaign=chinese-apt-group-returns-to-target-catholic-church-diplomatic-groups

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...