now browsing by tag
13 March 2020 at 12:45 UTC
Updated: 13 March 2020 at 12:49 UTC
Don’t Panic: Potentially wormable flaw only present in latest systems
Microsoft released an out-of-band security update to patch a remote code execution (RCE) vulnerability impacting Server Message Block (SMB) on Thursday, just two days after its regular Patch Tuesday releases.
The software vendor was obliged to rush out a fix after security partner inadvertently disclosed details of the flaw, which is of a type previously exploited by high-profile threats such as the WannaCry worm.
If left unaddressed, the vulnerability (CVE-2020-0796) in Microsoft SMB 3.1.1 (SMBv3) could be exploited by a remote attacker to plant malicious code on vulnerable systems.
Exploitation would involve sending a specially crafted, compressed data packets to a targeted SMBv3 server.
The flaw stems from bugs in how “Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests”, an advisory from Microsoft explains.
New flaws on the Block
SMB is a networking protocol that’s used for sharing access to file and printers. The same protocol that was vulnerable to the EternalBlue (CVE-2017-0144) exploit harnessed by the infamous the WannaCry ransomware.
The vulnerability exists in a new feature that was added to Windows 10 version 1903, so older versions of Windows do not support SMBv3.1.1 compression are immune from the security flaw.
Both Windows 10 clients and Windows Server, version 1903 and later, need patching
Preliminary scans by security experts suggest only 4% of publicly accessible SMB endpoints are vulnerable.
Server-side workarounds have been released for organizations running affected software but unable to rapidly roll out patches. This includes disabling compression for SMBv3 as well as blocking TCP port 445 at the perimeter firewall.
Satnam Narang, principal security engineer at security tools vendor Tenable, commented: “The vulnerability was initially disclosed accidentally as part of the March Patch Tuesday release in another security vendor’s blog.
“Soon after the accidental disclosure, references to it were removed from the blog post.”
At the time of writing, no proof of concept exploit code for CVE-2020-0796 has been publicly released.
Narang added that how readily exploitable this vulnerability might prove to be currently remains unknown.
“This latest vulnerability evokes memories of EternalBlue, most notably CVE-2017-0144, a remote code execution vulnerability in SMBv1 that was used as part of the WannaCry ransomware attacks,” Narang explained.
“It’s certainly an apt comparison, so much so that researchers are referring to it as EternalDarkness. However, there is currently little information available about this new flaw and the time and effort needed to produce a workable exploit is unknown.”
RELATED Microsoft Exchange Server admins urged to treat crypto key flaw as ‘critical’
The post #hacking | Windows SMB: Accidental bug disclosure prompts emergency security patch appeared first on National Cyber Security.
View full post on National Cyber Security
With help from Eric Geller, Mary Lee, Martin Matishak and Alexandra S. Levine
Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at politicopro.com.
Story Continued Below
— Lawmakers and election equipment makers discussed researcher probes of the companies’ wares at a rare hearing on Thursday.
— A major software industry organization raised doubts about a proposed Commerce Department rule for information and communications technology supply chain security.
— The risk of possible Iranian cyberattacks has stayed on the agenda for DHS, researchers and others.
HAPPY FRIDAY and welcome to Morning Cybersecurity! Stay strong, Betelgeuse. We’re all on your side. Send your thoughts, feedback and especially tips to email@example.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
THE ROAD TO A CVD — Voting machine vendors keep inching toward a coordinated vulnerability disclosure program, Thursday’s House Administration Committee hearing revealed, but there are still some hitches emerging toward fuller collaboration with researchers. John Poulos, CEO of Dominion Voting Systems, testified that his company reached out to an organizer of DEFCON’s machine-hacking Voting Village because it was “interested in a more collaborative penetration testing with stakeholders,” and actually sent modern certified systems, but an internal conference dispute led to scuttling those plans.
The CEOs of Election Systems & Software (Tom Burt) and Hart InterCivic (Julie Mathis) both said their companies had submitted equipment to Idaho National Laboratory, which conducts vulnerability tests with DHS. Overall, Burt said he doesn’t want to hand-select red teams but is “interested in making sure we attract hackers who can make our systems better without requiring that the information that they discover be put into the public domain,” and would like to see the Election Assistance Commission manage the program and choose researchers.
At the same hearing, Chairwoman Zoe Lofgren expressed concern about the potential for internet connectivity on vote tabulators, and the vendors voiced support for federal rules creating reporting requirements for companies’ cybersecurity practices.
I DON’T EVEN KNOW WHERE TO START — The Commerce Department’s proposed regulation for information and communications technology supply chain security is unworkable because it gives the Commerce secretary “unbounded discretion to review commercial ICT transactions, applying highly subjective criteria in an ad hoc and opaque process that lacks meaningful safeguards for companies,” the software trade group BSA said in comments filed this morning as part of the proceeding. The proposed supply chain rule, released in November, would let the government block U.S. companies from buying equipment and services that jeopardize national security. But BSA said the rule needed a serious overhaul.
BSA policy director Christian Troncoso wrote that the rule needed better transparency mechanisms and “procedural safeguards,” more precise definitions of what types of transactions and entities are covered and better-defined criteria for blocking those transactions. BSA called for exempting companies from the rule if they meet certain supply chain security standards, ensuring that “an official with adequate levels of political accountability” supervises the process and formally involving the intelligence community in decisions.
The group also urged changes such as requiring annual reports to Congress, giving companies more time to respond to a proposed decision and letting an independent interagency group reverse any decision. Absent these changes, Troncoso said, the rule’s “broad scope” and “vaguely defined standards” will “put U.S. companies at a competitive disadvantage.”
UPDATING MY PROFILE — CISA Director Chris Krebs and agency leadership met with acting Homeland Security Secretary Chad Wolf this week to discuss efforts to shore up election security and stave off potential cyberattacks originating from Iran following the U.S.-led airstrike. CISA is urging organizations to “assess their cyber readiness and take steps to protect their networks and assets, including heightened awareness, increasing organizational vigilance, confirming reporting processes, and exercising incident response plans,” according to a note.
They also discussed the mounting threat of ransomware and CISA’s efforts to support governments and businesses, as well as efforts to protect the 2020 elections from foreign interference, such as providing cybersecurity services and developing and exercising incident response plans.
IRAN’S STILL A THING, PART TWO — That recent Saudi Arabian alert about Iranian cyberattacks involves its hackers placing data-wiping malware on Bahrain’s national oil company Bapco, ZDNet pieced together. The new wiper strain is dubbed Dustman, and seemingly didn’t have the impact the hackers were looking for. And it doesn’t appear directly linked to the recent U.S.-Iran tensions, the outlet reported.
A Dragos report out Thursday highlighted an Iranian hacking group’s password-spraying attacks on the North American energy sector. “MAGNALLIUM’s increased activity coincides with rising escalations between the U.S. and allies, and Iran in the Middle East,” the report states. “Dragos expects this activity to continue.”
And Check Point released numbers on Thursday about the volume of Iranian attacks in the week since the U.S. launched missiles that killed general Qassem Soleimani showing no particular major uptick in attacks. Turkey was the top target of Iranian hackers, at 19 percent, compared to 17 percent for the U.S.
KIDS’ PRIVACY BACK IN THE SPOTLIGHT — From our friends at Morning Tech: As we await comprehensive data privacy legislation from Congress, a bipartisan pair of House Energy and Commerce lawmakers are offering a separate privacy measure — one aimed at bringing COPPA, the 1998 federal children’s online privacy law, up to date.
Reps. Tim Walberg (R-Mich.) and Bobby Rush (D-Ill.) on Thursday introduced the PROTECT Kids Act (shorthand for Preventing Real Online Threats Endangering Children Today), which would make location data and biometric data categories protected under the law; ensure that rules safeguarding children online also apply to apps on mobile phones; give parents more control over children’s data and consent; and task the FTC with reviewing the decades-old COPPA law and making recommendations on it to Congress.
“In the past, predators and perpetrators sought to harm our children by lurking near schoolyards and playgrounds,” Rush said. “But now — due to incredible advancements in technology — they are able to stalk our children through their mobile devices and in video game lobbies.”
Meanwhile, in the Senate: Sens. Ed Markey (D-Mass.), author of the COPPA bill, and Josh Hawley (R-Mo.) last spring introduced a bipartisan COPPA 2.0 bill (S. 748) that would, similarly, expand existing federal privacy protections for children and compel the FTC to enforce them. The agency is also doing its own self-reflection on whether COPPA rules need to be changed or updated.
TWEET OF THE DAY — “Come and get us!”
RECENTLY ON PRO CYBERSECURITY — House and Senate Democrats urged the FCC to take on SIM swapping scams. … “Countries that award 5G contracts to Western-aligned companies over Huawei won’t be hobbling their transition to next-generation wireless networks, a senior State Department official said.” … Belgian security services advised the government to limit the use of “non-trusted suppliers.” … Companies are reacting to California’s landmark Privacy Act by interpreting the complex law as they see fit.
— Law firm Alston & Bird announced the election of 17 lawyers to its partnership, including Maki DePalo in the organization’s privacy and data security group.
— Intrusion Truth has returned with more information on Chinese tech companies recruiting hackers for the government. CyberScoop
— Las Vegas said it dodged a horrible cyberattack. ZDNet
— Herb Lin contemplated the intersection of cyber and psychological operations. Lawfare
— Malwarebytes said it found unremovable malware preinstalled on low-end smartphones sold to low-income Americans. ZDnet
— “Industry working groups tasked with implementing the Pentagon’s landmark cybersecurity certification program have selected the University of Virginia’s Ty Schieber as board chairman, to lead the process for selecting a board of directors for an accreditation body that is expected to be up and running later this month.” Inside Cybersecurity
— The PCI Security Standards Council and U.S. Chamber of Commerce blogged about Magecart.
— Rockwell Automation is buying Israeli cybersecurity company Avnet Data Security. Security Week
That’s all for today.
Stay in touch with the whole team: Mike Farrell (firstname.lastname@example.org, @mikebfarrell); Eric Geller (email@example.com, @ericgeller); Mary Lee (firstname.lastname@example.org, @maryjylee) Martin Matishak (email@example.com, @martinmatishak) and Tim Starks (firstname.lastname@example.org, @timstarks).
The post #nationalcybersecuritymonth | Hitches in a voting vendor vulnerability disclosure program appeared first on National Cyber Security.
View full post on National Cyber Security
The Homeland Security Department on Wednesday released a draft of a binding operational directive that would require every federal agency to create a vulnerability disclosure policy.
Under the measure, each civilian agency would need to create a formal process for security researchers to share vulnerabilities they uncover within the organization’s public-facing websites and other IT infrastructure. Agencies must also develop a system for reporting and closing the security gaps that are uncovered through the program.
Despite the growing popularity of public cyber initiatives like bug bounties, security researchers often find themselves in a legal gray area when reporting cyber weaknesses to the government. By creating vulnerability disclosure policies, agencies can set clear guardrails on legal hacking.
“A [vulnerability disclosure policy] allows people who have ‘seen something’ to ‘say something’ to those who can fix it,” Jeanette Manfra, assistant director for cybersecurity within the Cybersecurity and Infrastructure Security Agency, said in a blog post. “It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems.”
The BOD would bring the rest of the government up to speed with the Pentagon and the General Services Administration’s tech office, which have already established vulnerability disclosure programs. DHS is also in the process of finalizing its own policy.
CISA will accept public feedback on the proposed directive through Dec. 27.
Specifically, the measure would give agencies six months to create a web-based system for receiving “unsolicited” warnings about potential vulnerabilities. They must also develop and publish a vulnerability disclosure policy, outlining the systems and hacking methods that are authorized under the program and describing the process for submitting vulnerabilities.
The directive would require agencies to consistently add new systems to the program over time. Within two years, “all internet-accessible systems and services” must be in scope of the policy, according to the measure. Every system launched after the directive is issued must automatically be considered in scope.
Agencies would also need to set procedures for handling submissions and report both specific vulnerabilities and program metrics directly to CISA.
While the directive gives agencies some latitude in the metrics and policies around their own policies, the measure could ultimately lay the foundation for a standardized, government-wide vulnerability disclosure program, Manfra said.
“We think a single, universal vulnerability disclosure policy for the executive branch is a good goal … but we expect that goal to be an unrealistic starting place for most agencies,” she said. “The directive supports a phased approach to widening scope, allowing each enterprise–comprised of the humans and their organizational tools, norms, and culture–to level up incrementally.”
The post #hacking | CISA Wants a Vulnerability Disclosure Program At Every Agency appeared first on National Cyber Security.
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans In the past, outing nation-state cyber espionage groups caused a few to close up shop, but nowadays actors are more likely to switch to new infrastructure and continue operations. When cybersecurity services firm Mandiant released its APT 1 report in 2013, the Chinese group immediately shut […] View full post on AmIHackerProof.com
Singapore’s Government Technology Agency (GovTech) has launched a new vulnerability disclosure program on HackerOne so researchers can disclose vulnerabilities in government sites.
Started by Singapore’s GovTech, this program allows researchers to examine internet-accessible government sites and applications for vulnerabilities and disclose them to the agency.
“As part of the Government Technology Agency’s (“GovTech”) ongoing efforts to ensure the cyber-security of Government internet-accessible applications used by the citizens, business and public sector employees, GovTech has established this suspected vulnerability disclosure programme (“VDP”) to encourage the responsible reporting of suspected vulnerabilities or weaknesses in IT services, systems, resources and/or processes which may potentially affect Government internet-accessible applications. We look forward to working with the cyber-security research community and members of the public to keep our services safe for all users.”
Rresearchers who want to participate in the Singapore vulnerability disclosure program can target the following services for vulnerability research:
- Government internet-accessible applications for use by the public including Government internet-accessible applications, that are owned by any department or ministry of the Government, any Organ of State or any statutory board. Examples of such Government digital services are “gov.sg” and “ns.sg”, and examples of such mobile applications are “SingPass Mobile” and “SGSecure”.
- Government internet-accessible applications for use by Government employees only, that are provided by any department or ministry of the Government, any Organ of State, or any statutory board. Examples of such web-based and mobile applications are “pacgov.agd.gov.sg”, and “DWP Mobile”.
Unlike many popular bounty programs on HackerOne, researchers will not be rewarded with cash bounties for disclosing vulnerabilities. This decision may lead researchers to stay away from this program compared to using others that they can earn a living.
Singapore bug bounty challenge started over the weekend
Unlike the new vulnerability disclosure programs, HackerOne launched a bug bounty challenge for Singapore’s Ministry of Defense over the weekend that does offer cash rewards for discovered vulnerabilities.
This challenge started on July 28th 2019 and will go through October 21st, 2019.
“The three-week challenge will run from September 30, 2019 to October 21, 2019, and will bring together trusted hackers from around the world to test 11 government-owned targets, including websites and public digital systems belonging to MINDEF/Singapore Armed Forces (SAF) and other agencies in the defense sector. Hackers will search these systems for security weaknesses so they can be safely resolved and therefore, enhance the safety and security of these systems. This year’s bug bounty challenge also has an added focus on personal data protection.”
This challenge is only open to invited trusted researchers who will attempt to find bugs in eleven government-owned targets.
The post Singapore’s GovTech Launches Vulnerability Disclosure Program appeared first on National Cyber Security.
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans Dive Brief: The White House released the charter for the Vulnerabilities Equities Process (VEP), an interagency operation assessing whether the federal government should disclose cyber vulnerabilities it finds to vendors of a technology or whether it should “restrict” the finding in light of national security or law […] View full post on AmIHackerProof.com | Can You Be Hacked?