

#cybersecurity | #hackerspace | Flood of New Advisories Expose Massive Gaps in Firmware Security

Source: National Cyber Security – Produced By Gregory Evans


Last week Intel and Cisco published security advisories revealing dozens of vulnerabilities in firmware and hardware that affect laptops, servers and routers. Intel alone disclosed 77 new vulnerabilities across a broad spectrum of components, including Intel CPUs, BMC, CSME, TXT, SGX, AMT, TPM and more. Two were rated critical and 34 high severity, and some would allow an unauthenticated attacker to escalate privileges, disclose information or cause a denial of service. Two stand out: a timing leak in Intel's firmware-based TPM (fTPM) and in an STMicroelectronics TPM chip that lets an attacker recover 256-bit private keys used for elliptic-curve digital signatures, and an updated ZombieLoad disclosure from Graz University of Technology and KU Leuven that affects more recent processors, including Intel's Cascade Lake line.

Eclypsium also released an update to our research on widespread vulnerabilities in Windows drivers, which now covers more than 40 drivers from at least 20 vendors and adds a new disclosure about a PMX driver rated high severity. Cisco added to the week's tally with multiple vulnerabilities in the firmware of its small business routers.

As a result, the number of firmware vulnerabilities reported to the National Vulnerability Database in 2019 is up more than 30% from last year and six times what it was three years ago. For IT teams tasked with protecting infrastructure from attack, the challenge of keeping up with firmware updates has grown significantly, and the severity of the issues shows how large the gaps in firmware security are.

Don't expect the growth in firmware vulnerabilities to slow. At the root of the problem is the growing number and complexity of the components in laptops, servers and network devices. Dozens of components in a typical laptop now have their own firmware, often with millions of lines of code, and all of it is susceptible to bugs and design flaws that affect security. Because hardware design cycles are long, firmware updates are increasingly used to fix hardware problems, but that in turn introduces new attack vectors: our research showed that the tool Intel released to detect and mitigate a recent AMT vulnerability itself shipped with a vulnerable driver. Adding to the complexity, many of these components and their software come through deep third-party supply chains; Cisco's advisory, for example, referenced multiple third-party software components with firmware vulnerabilities.

Enterprise IT teams cannot afford to take these risks lightly. The FBI has warned that high-impact ransomware attacks threaten US businesses and organizations, and its recommended defenses include patching operating systems, software and firmware. Unfortunately, many IT organizations have little visibility into which of their devices are susceptible to known vulnerabilities such as those that emerged this week. Worse, an attacker who implants code in UEFI/BIOS or component firmware gains persistence that survives a complete re-imaging or even a disk replacement, as the MITRE ATT&CK framework spells out.

This surge of public disclosures is a reminder that firmware is part of the attack surface every organization has to manage, on premises and in the cloud, to ensure that the hardware and firmware its critical services rely on are secure. History shows that publicly disclosed issues are only a fraction of the real attack surface and often act as a catalyst: attackers not only weaponize the published vulnerabilities but use them as a starting point to find further defects. Managing this risk takes visibility into your attack surface to identify your exposure, an understanding of whether the defects can be leveraged against you in spite of your existing controls, and the ability to verify when vulnerabilities have been addressed and the risk reduced to an acceptable level.
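The visibility problem the post describes, as an added example that is not from Eclypsium or the original article: a small Python check that maps an inventory of firmware versions onto an advisory's per-branch fixed versions and reports two lists, hosts that are exposed and hosts that cannot be assessed because the component is missing from the inventory or runs a branch the advisory does not list. The advisory identifiers, component names and version numbers are placeholders, and the inventory format is an assumption rather than the output of any real scanner.

```python
"""Added example (not from the Eclypsium post): match a device inventory
against the fixed-version lines of an advisory and report which hosts are
still exposed and, just as important, which ones cannot be assessed.

All data here is constructed for illustration: the advisory IDs,
component names and version numbers are placeholders, not values taken
from any real Intel or Cisco advisory."""
import re
from collections import defaultdict
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """'12.0.45.1452' -> (12, 0, 45, 1452); only numeric fields are compared."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_lt(installed: str, fixed: str) -> bool:
    """True when installed is older than fixed. Shorter tuples are zero-padded,
    so '1.9' < '1.14' and '12.0.45' is not older than '12.0.45.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


@dataclass(frozen=True)
class Fix:
    advisory: str   # hypothetical advisory identifier
    component: str  # component name as the inventory tool reports it
    branch: str     # firmware line this fix line applies to, e.g. "12.0"
    fixed_in: str   # first version on that branch containing the fix


def assess_exposure(inventory: list, advisories: list) -> dict:
    """Return {'exposed': {host: [advisory...]}, 'unknown': {host: [advisory...]}}.

    A host is 'unknown' for an advisory when it does not report the component
    at all, or runs a branch the advisory has no fix line for. Counting those
    as safe is exactly the visibility gap the post describes."""
    lines_for = defaultdict(list)
    for fix in advisories:
        lines_for[(fix.advisory, fix.component)].append(fix)

    exposed, unknown = defaultdict(set), defaultdict(set)
    for host in inventory:
        for (advisory, component), lines in lines_for.items():
            installed = host["firmware"].get(component)
            if installed is None:
                unknown[host["name"]].add(advisory)
                continue
            iv = parse_version(installed)
            matches = [f for f in lines
                       if iv[:len(parse_version(f.branch))] == parse_version(f.branch)]
            if not matches:
                unknown[host["name"]].add(advisory)
                continue
            # Prefer the most specific branch if an advisory lists nested ones.
            best = max(matches, key=lambda f: len(parse_version(f.branch)))
            if version_lt(installed, best.fixed_in):
                exposed[host["name"]].add(advisory)
    return {"exposed": {h: sorted(v) for h, v in exposed.items()},
            "unknown": {h: sorted(v) for h, v in unknown.items()}}


# Constructed advisory: one CSME bug fixed on two branches, one BIOS bug.
ADVISORIES = [
    Fix("ADV-EXAMPLE-001", "CSME", "11.8", "11.8.70"),
    Fix("ADV-EXAMPLE-001", "CSME", "12.0", "12.0.45"),
    Fix("ADV-EXAMPLE-002", "BIOS", "1", "1.14"),
]

# Constructed inventory, in the shape a firmware scanner might report.
INVENTORY = [
    {"name": "lt-001", "firmware": {"CSME": "12.0.35", "BIOS": "1.14"}},
    {"name": "lt-002", "firmware": {"CSME": "12.0.45", "BIOS": "1.12"}},
    {"name": "srv-001", "firmware": {"BIOS": "1.9"}},                     # no CSME reading
    {"name": "lt-003", "firmware": {"CSME": "13.0.10", "BIOS": "1.14"}},  # branch not covered

]

if __name__ == "__main__":
    report = assess_exposure(INVENTORY, ADVISORIES)
    for kind in ("exposed", "unknown"):
        for host, advs in report[kind].items():
            print(f"{kind:8} {host:8} {', '.join(advs)}")
```

Two points carry over into a real deployment: version strings have to be compared field by field rather than as text (as strings, 1.9 sorts after 1.14), and "unknown" must stay a separate bucket, because a host that reports no CSME version at all is exactly the kind that never gets patched.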


The post #cybersecurity | #hackerspace | Flood of New Advisories Expose Massive Gaps in Firmware Security appeared first on National Cyber Security.


#cybersecurity | #hackerspace | 5G & IoT: Real-World Rollouts Launch New Opportunities and Security Threats


This e-book examines what service providers need to know as commercial rollouts of 5G technology begin in 2020.

The post 5G & IoT: Real-World Rollouts Launch New Opportunities and Security Threats appeared first on Radware Blog.

The post 5G & IoT: Real-World Rollouts Launch New Opportunities and Security Threats appeared first on Security Boulevard.




#cybersecurity | #hackerspace | 2020 election cybersecurity strategies | Cyber Work Podcast


Bob Stevens, VP of Americas at Lookout, and Cyber Work podcast host Chris Sienko discuss election cybersecurity strategies, tips and ramifications for 2020.

– View the transcript, additional episodes and promotional offers: https://www.infosecinstitute.com/podcast

– Join us in the fight against cybercrime: https://www.infosecinstitute.com

About the Cyber Work Podcast

Knowledge is your best defense against cybercrime. Each week on Cyber Work, host Chris Sienko sits down with a new industry thought leader to discuss the latest cybersecurity trends — and how those trends are affecting the work of infosec professionals. Together we’ll empower everyone with the knowledge to stay one step ahead of the bad guys.




#cybersecurity | #hackerspace | 4 Steps to Managing EdTech Security Risks

EdTech security risks create ransomware, account takeover and data security risks for school districts

New EdTech supports innovation in teaching and enriches learning. However, that same technology can leave you vulnerable to cyberattacks. It poses risks to student privacy and safety, and increases the risks you […]

#cybersecurity | #hackerspace | Zeus Virus AKA Zbot – Malware of the Month, November 2019


When you're named after the ancient Greek king of the gods, you have a reputation to live up to, and our malware of the month, the Zeus Virus, commonly known as Zbot, Zeus Trojan or simply Zeus, doesn't fall short. Over the past few months we've profiled some truly destructive malware such as Kovter, Emotet and TrickBot. Zeus takes the cake by combining the crafty attributes of all of them: stealth, evasion of detection and the ability to keep evolving.

What is the Zeus Virus, or Zbot?

Zeus is a Trojan malware package that specifically targets Microsoft Windows. Trojans mislead users about their true intent, much like the namesake horse. Zeus made a king's entrance in 2007, attacking both major corporations and US government institutions in one swoop.

Since then it has become one of the most damaging botnets in the world, which is how the Zbot moniker became popular. Among its notable attacks was a $70 million heist from hacked bank accounts that prompted an FBI investigation. Even more worrying, hundreds of malware variants have been built on its code. Even though security experts breathed a sigh of relief when its creator purportedly "retired", the Zeus malware family lives on.

How does Zeus work?

Zeus' main vectors are spam e-mail, social engineering and drive-by downloads, in which a compromised or malicious web page pushes the installer to the visitor's browser without any prompt.

Once on the victim's machine, Zeus creates a hidden backdoor. Backdoor malware is especially dangerous because it gives the attacker full control over the machine and, consequently, an entry point into the company's network. Zeus then steals the victim's data, including personal details, application logins and banking information, or, in its Zbot role, enrolls the infected machine into a botnet, a network of compromised machines under the attacker's command and control. From there an attack can spread across the organization's entire network.

Tips to protect your organization from Zeus Malware

  • Strengthen authentication: most malware intrusions start with compromised or weak credentials. Two-factor or multi-factor authentication (MFA) is an effective gatekeeper against the reuse of stolen passwords, so make sure all your applications, including third-party ones, support and enforce it. Bear in mind that a banking Trojan running on the victim's own machine can still relay a live session or a one-time code the user types in, so MFA raises the bar rather than closing the door.
  • Create anti-phishing policies: Office 365 includes built-in features that protect your users from phishing. Use the threat management tools in Office 365 to set up anti-phishing policies, including custom policies for specific users, groups or domains.
  • Cybersecurity training: phishing and social engineering are Zeus' key vectors, as with most malware, so regular organization-wide security training is an essential prevention practice. Teach colleagues the basics of good security hygiene: check the sender's actual address rather than the display name, do not open attachments or click links from unknown sources, and report e-mails with suspicious content to support.
  • The usual protectors: check that your anti-virus is updating automatically and that you have robust firewalls and network monitoring in place.
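The sender, attachment and link checks in the training tip above, as an added example that is not part of the Spanning post: a Python triage function that parses a raw message with the standard library and returns what it finds, run here over two constructed messages, a lure and a benign one. The trusted-domain list, the addresses and the documentation-range IP are all invented; the function illustrates the checks and is not a substitute for a mail gateway.

```python
"""Added example, not code from the Spanning post: a triage pass over a raw
e-mail that surfaces the lure traits the training tip tells users to check
(who really sent it, where links really go, what is attached) alongside the
gateway's SPF/DKIM/DMARC verdict. The two messages at the bottom are
constructed; every address, domain and IP in them is invented."""
import email
import os
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".hta", ".lnk"}
AUTH_FAILURES = {"fail", "softfail", "permerror", "temperror"}
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _lookalike(sender_domain: str, trusted: set) -> str:
    """Trusted domain the sender imitates: shares its leading label (4+ chars)
    but is neither that domain nor a subdomain of it."""
    for t in trusted:
        label = t.split(".")[0]
        if (len(label) >= 4 and label in sender_domain
                and sender_domain != t and not sender_domain.endswith("." + t)):
            return t
    return ""

def triage_message(raw: bytes, trusted: set) -> list:
    """Return (code, detail) findings; an empty list means nothing looked off."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(sender)
    imitated = _lookalike(sender_domain, trusted)
    if imitated:
        findings.append(("lookalike-sender", f"{sender_domain} imitates {imitated}"))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_to}"))
    # Verdicts stamped by the receiving gateway (RFC 8601 Authentication-Results).
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) in AUTH_FAILURES:
            findings.append(("auth-fail", f"{mech}={m.group(1)}"))
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            findings.append(("executable-attachment", name))
        if part.get_content_type() == "text/html":
            # Link text that names one host while the href points somewhere else.
            for href, text in ANCHOR_RE.findall(part.get_content()):
                target = (urlparse(href).hostname or "").lower()
                for shown in DOMAIN_RE.findall(re.sub(r"<[^>]+>", "", text).lower()):
                    if target != shown and not target.endswith("." + shown):
                        findings.append(("link-mismatch", f"text says {shown}, href goes to {target}"))
    return findings

TRUSTED = {"examplebank.com", "corp.example"}  # constructed list of domains users expect mail from

# Constructed lure: lookalike sender, foreign Reply-To, failed SPF/DMARC,
# a link whose text and destination disagree, and a double-extension executable.
LURE = b"""From: "Example Bank Security" <alerts@examplebank-secure.com>
Reply-To: recover@mail-relay.invalid
To: user@corp.example
Subject: Urgent: verify your account
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=examplebank-secure.com; dkim=none; dmarc=fail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://198.51.100.7/login">https://www.examplebank.com/login</a> now.</p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign message for comparison.
CLEAN = b"""From: "Alice Example" <alice@corp.example>
To: user@corp.example
Subject: lunch
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""
```

The gateway-side verdicts (SPF, DKIM, DMARC) are read from the Authentication-Results header rather than recomputed, so the function is only as trustworthy as that header's origin; a real deployment checks that the authserv-id is its own gateway and strips any such header that arrives from outside.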

Malware attacks are on the rise. Make sure your business, colleagues and customers are not held to ransom by backing up your data securely. Spanning Backup provides SaaS backup and recovery for Office 365, G Suite and Salesforce. With Spanning's accurate, real-time backup you can drastically limit the damage of a malware attack and ensure business continuity by recovering lost or corrupted data with a few clicks.





#cybersecurity | #hackerspace | How to Ensure Factory Reset Protection Using Scalefusion

Factory Reset Protection using Scalefusion

Factory reset is the most commonly used feature to delete the device data. Factory reset also clears the device of any existing applications and settings. A factory reset literally resets the device to the settings available on the device at the […]

#cybersecurity | #hackerspace | Google Slurps 150 Hospitals’ Patient Data With No Consent


The mysterious Project Nightingale has been revealed as a secret Google operation to store and manipulate the healthcare data of millions of patients. Nobody consented—nobody was asked.

Google claims it’s all legal. Perhaps it is, but is it ethical? And is it a good look to be found out?

It’s no wonder people don’t trust Google any longer. In today’s SB Blogwatch, we feel sick.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: diabetuhs.

Florence Looks Cross

What’s the craic? Rob Copeland reports—“‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans”:

 Google is engaged with one of the U.S.’s largest health-care systems on a project to collect and crunch the detailed personal-health information of millions of people across 21 states. [It] appears to be the biggest effort yet by a Silicon Valley giant to gain a toehold in the health-care industry through the handling of patients’ medical data.

Google began Project Nightingale in secret last year. … Neither patients nor doctors have been notified. … Privacy experts said it appeared to be permissible under federal law [HIPAA].

The data involved in the initiative … amounts to a complete health history, including patient names and dates of birth. [But] staffers across … Google’s parent have access to the patient information.

Google, like many of its Silicon Valley peers, has at times drawn criticism for not doing enough to protect user privacy. … Google co-founder Larry Page, in a 2014 interview, suggested that patients worried about the privacy of their medical records were too cautious.

Yikes, is that true? Natasha Singer, Daisuke Wakabayashi, Reed Abelson, and Aaron Krolik second-source the claims—“Google to Store and Analyze Millions of Health Records”:

 The partnership between Google and the medical system, Ascension, could have huge reach. Ascension operates 150 hospitals. … It is legal [but] many patients may not trust Google, which has paid multiple fines for violating privacy laws, with their personal medical details.

Google’s handling of health care data is a touchy subject. … Dozens of Google employees may have access to patient data like name, birth date, race, illnesses and treatments, according to … internal documents obtained by [us].

At least a few Ascension employees in the project have raised concerns that Google employees downloaded patient data, according to the internal documents. They have also raised concerns about whether all of the Google software involved in processing Ascension patient data complies with … HIPAA.

Busted! Google’s Tariq Shaukat quickly rushes out a PR blurb about, “Our partnership with Ascension”:

 Today, we’re proud to announce more details on our partnership with Ascension. … There’s been a good deal of speculation … so we want to make sure everyone has the facts.

Our work with Ascension is … a business arrangement to help a provider with the latest technology, similar to the work we do with dozens of other healthcare providers. … All of Google’s work with Ascension adheres to industry-wide regulations.

This is standard practice. … It’s understandable that people want to ask questions.

Standard business arrangement? Nothing to see here? Bogdan Petrovan concludes, “Google rushes to explain what it’s doing with all that medical data”:

 Yesterday, a bombshell report … revealed details about a partnership between Google and Ascension. … For privacy advocates, this revelation is understandably worrying.

Shaukat confirmed Google’s work with Ascension, but said there’s nothing unusual or shady about it. … Google said it merely provides Ascension with some services.

There is … little reason to doubt its claims. … That said, the fact that Google rushed out a blog post to “proudly announce” Project Nightingale speaks volumes.

Google is becoming synonymous with a disregard for privacy, perhaps not entirely unfairly. … The average consumer won’t care, and cannot be expected to know, that Google Cloud is HIPAA compliant or that hospitals have been routinely sharing data … for decades.

Fighting this perception of untrustworthiness is a huge challenge for Google, and it’s only going to get harder.

You can say that again. rnturn doesn’t buy Google’s claims of legality:

 It’s a massive violation of the protections set up under HIPAA. Or, at least, the vast majority of Americans have been led to believe it’s a violation of the law.

Most people think that HIPAA covers any and all disclosures but … employers, insurance companies, and others … aren’t covered by that aspect of the law. This is rarely, if ever, mentioned.

But Farzad Mostashari—@Farzad_MD—worries about culture (and not the sort in a petri dish):

 The perception of Google culture is that no-one curbs the curiosity of engineers. … They have to convince people that they actually have controls in place to ensure that the data is only being used for the purposes of the agreement.

The perception [is] Google’s culture makes it more likely (than at a claims clearinghouse) for an individual engineer to play around with data, not [realizing] they are breaking the terms of [an] agreement.

However, oakmad hopes privacy fears won’t trump actual healing:

 My start up is in the healthcare space. … There’s definitely a group here who think that [patients] just need to accept that their data is going be fed into models … as it will help outcomes and costs, etc.

Having seen some of the results that AI is catching out in the field I’m tending towards universal good over personal privacy – though I may regret that.

So merely a PR flub? Yasmeen Shorish—@yasmeen_azadi—says no:

 We’re out here chasing after ethics education in data science while AI applications are being deployed in secret and potentially problematic ways. The lack of disclosure to patients and doctors is completely inexcusable.

Another example of something legal, but not very ethical.

And QuietLagoon asks the obvious question:

 If the data are so useful to those who steal it from patients and beneficial to those patients, then why perform the collection surreptitiously and without the permission of … the patients?

Meanwhile, ufgrat wonders if—on paper—Google did get permission:

 If patients are being tricked into signing away their rights, the lawsuits could be… spectacular.

And Finally:

So you’ve got diabetes; but how to pronounce it?


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: U. Texas at Austin




#cybersecurity | #hackerspace | Fortress Information Security Strives to Help Protect Critical Infrastructure


The agencies and businesses that make up the backbone of our critical infrastructure have a larger bullseye on their backs than an average company. When it comes to the electric utility providers that manage the power grid, the exposure to risk is exacerbated by the fact that much of the equipment, software, and services come from a limited set of vendors. Fortress Information Security just launched the Asset to Vendor (A2V) Network to mitigate these risks and improve the security posture of the power grid.

The Federal Energy Regulatory Commission (FERC) recognizes the unique threats posed to the power grid and understands that it’s crucial to address these challenges and protect the critical infrastructure. FERC has issued requirements for standardized risk assessments and mandated that electric utility providers prioritize supply chain vendors based on their relative risk. The problem is that many of the 3,000 or so electric providers are small, regional companies that don’t have the budget or resources to do this effectively on their own.

The A2V Network was launched as a joint venture between Fortress and AEP (American Electric Power) to address this challenge and help all electric utility companies collaborate to comply with the FERC regulations and improve protection of the critical infrastructure more efficiently and effectively. Organizations that join the A2V Network will be able to purchase completed vendor assessments for significantly less than it would cost them to conduct a redundant assessment of their own, and participating companies can also contribute completed assessments to build out the A2V Network library.

Reluctance to Share

I had an opportunity to chat with Alex Santos, CEO of Fortress, about the A2V Network and the challenges it addresses. He compared the supply chain to the streets in a community: each person is responsible for their own home and property, but everyone shares the roads and pays taxes to share the burden of maintaining them. Likewise, each company is responsible for itself, but they all share risk exposure from the supply chain, so it makes sense to collaborate and share the burden of mitigating that risk and securing the critical infrastructure.

I asked Santos for his thoughts on why businesses in general, not just electric power providers, seem so reluctant to engage in this sort of sharing and collaborative effort. The two main issues, according to Santos, are that some information is very proprietary and some information is not very good. Companies want to maintain the privacy of intellectual property and sensitive information; in some cases there is a competitive advantage at stake and sharing it is simply bad for business. In other instances, organizations are reluctant to share because what they receive in return is not useful. If the information is not properly vetted and curated to ensure it is correct and relevant, it creates more problems than it solves.

Santos explained that the A2V Network strives to address both of those challenges. The A2V Network takes information about supply chain risk assessments and provides a platform to easily share it while anonymizing it and protecting the privacy of proprietary data. Part of what the A2V Network also does is to validate the information and make it actionable.

Gaining Momentum

Santos was especially grateful for having AEP as a partner for the launch of the A2V Network. He noted that even though there are 3,000 electric utility providers, only about 150 of those are large enough to be regulated by the North American Electric Reliability Corporation (NERC)—and that the top 15 largest deliver power for 75% of consumers. That leaves nearly 2,900 companies that must comply with the FERC regulation but lack the resources to do it effectively on their own.

He said that having AEP on board is huge because any new movement or initiative requires a first big company to get the ball rolling. AEP showed leadership in taking that initiative and having a company with the size and prestige of AEP involved creates a snowball effect that will entice other electric utility providers to jump on board.

The more companies get involved, the more momentum the A2V Network will have and the greater value it will provide to every participating organization. That, in turn, will attract more companies. It becomes a self-feeding cycle of momentum that will ultimately lead to a more secure critical infrastructure.




#cybersecurity | #hackerspace | RADIUS Server in Azure – Security Boulevard


Azure® is Microsoft's cloud platform, offering compute, storage and other infrastructure services, and it underpins Microsoft SaaS offerings such as Office 365™. Azure introduced its own identity management solution, Azure Active Directory® (AD), but this is not a way of bringing the on-prem directory service, Active Directory, to the cloud. Though Azure does not offer its own RADIUS server, RADIUS-as-a-Service solutions make it simple to level up the security of WiFi and VPN networks.

What Does Azure AD Do?

Azure AD incorporates a user management function (like authentication and authorization) for Azure services (like compute, storage, and applications). Azure AD provisions, deprovisions, and modifies user access to Azure-related services such as Windows® servers and Office 365.

It also does web application single sign-on, enabling SSO for Office 365, Salesforce®, Dropbox, and other select applications to be accessed with a singular identity.

What Azure AD doesn't offer is an integrated, hosted and managed RADIUS service, which makes it hard to control access to VPNs and on-prem WiFi and forces IT admins to use other mechanisms to manage user access. Often this means setting up their own RADIUS servers (e.g. FreeRADIUS or Windows NPS) to keep their networks secure.

Azure AD RADIUS Authentication Services

Because Azure AD has no native RADIUS server functionality, IT admins need other methods for securing their on-prem wireless networks.

For instance, admins can host a RADIUS server in Azure, either through an NPS extension or through FreeRADIUS, but this process is time consuming, requiring extensive self-implementation and potentially forcing IT admins to stray away from cloud-based services and applications that shift the heavy lifting of the infrastructure to a third party. Beyond that, admins still have to integrate the RADIUS infrastructure back into whatever core directory service they are using. 

Time Consuming

Azure AD does let IT admins add Azure MFA to RADIUS authentication through the NPS extension for Azure MFA, which runs on an on-prem Windows NPS server, or they can stand up their own FreeRADIUS authentication source and link it back to AD.

However, Microsoft’s solution is limited in that it only supports RADIUS authentication (Read more…)
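The exchange the article keeps referring to, as an added example that is not from the Security Boulevard post or from FreeRADIUS or NPS: a Python model of an RFC 2865 Access-Request and its signed reply, with both the NAS and server sides written out, plus the offline secret-guessing attack that makes the choice of shared secret a security decision. It assumes PAP (a cleartext password hidden with the RFC 2865 MD5 scheme); WiFi deployments normally carry an EAP method such as PEAP or EAP-TLS inside RADIUS instead, but the Response Authenticator and the role of the shared secret are identical. Usernames, passwords, secrets and the NAS name are constructed.

```python
"""Added example, not code from the Security Boulevard post or any RADIUS product:
the RFC 2865 Access-Request / Access-Accept exchange between a NAS and a RADIUS
server, with User-Password hiding and the Response Authenticator done by hand.
Names, passwords and secrets below are constructed; nothing touches a network."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret || previous block),
    the first block keyed by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    # Type (1) | Length (1, counts itself and Type) | Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i + 2 <= len(data):
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)  # Code | ID | Length | Authenticator(16) | Attributes
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret): binds reply to request and secret."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()

def nas_access_request(username: bytes, password: bytes, secret: bytes, ident: int = 7):
    """NAS side: fresh random Request Authenticator, password hidden under the secret."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IDENTIFIER, b"wifi-controller-1")]  # constructed NAS name
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(pkt: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: unhide and check the password (PAP: server sees cleartext), sign the reply."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(a.get(USER_NAME))  # `users` stands in for the directory
    ok = expected is not None and hmac.compare_digest(expected, password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply = [(REPLY_MESSAGE, b"welcome" if ok else b"denied")]
    auth = response_authenticator(code, ident, request_auth, reply, secret)
    return build_packet(code, ident, auth, reply)

def nas_verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> int:
    """NAS side: a reply whose authenticator does not verify is dropped, never trusted."""
    code, ident, auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Response Authenticator mismatch")
    return code

def recover_secret(request: bytes, reply: bytes, candidates) -> bytes:
    """Offline attack on one captured pair: the guess that reproduces the authenticator is the secret."""
    _, _, request_auth, _ = parse_packet(request)
    code, ident, auth, attrs = parse_packet(reply)
    for guess in candidates:
        if response_authenticator(code, ident, request_auth, attrs, guess) == auth:
            return guess
    return b""
```

Three things follow for a RADIUS server wherever it is hosted, Azure included: generate a long random secret per NAS client rather than reusing a vendor default, keep the UDP traffic off networks an attacker can sniff (or wrap it in RadSec or IPsec), and prefer EAP-TLS or PEAP over PAP for WiFi so that no user password is ever hidden under a mere MD5 keystream. `recover_secret` is the concrete reason: once the secret is guessed, `reveal_password` exposes every PAP password sent under it.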




#cybersecurity | #hackerspace | Security @ Serverless Speed – A Protego Use Case

Companies choose to transition to serverless computing for various reasons, mainly faster time-to-market and reduced infrastructure costs. However, the root cause of their serverless security needs differs based on a myriad of factors. In this use case we will highlight a team struggling with traditional […]