latest

now browsing by tag

 
 

#bumble | #tinder | #pof Is maskfishing the latest dating trend we don’t need? | romancescams | #scams

Blue-stalling: When two people are dating and acting like a couple, but one person in the partnership states they’re unready for any sort of label or commitment (despite acting in […] View full post on National Cyber Security

#hacking | Bug Bounty Radar // The latest bug bounty programs for February 2020

Source: National Cyber Security – Produced By Gregory Evans

New web targets for the discerning hacker

Global awareness of hackers continued to ramp up throughout the month of February, with the launch of new and improved bug bounty programs and the realization that some heroes wear… black hoodies.

That was the feeling, at least, in the French city of Lille, which hosted a two-day live hacking event as part of the 2020 Forum International de la Cybersécurité, an annual security conference and trade show.

The event saw 100 hackers finding bugs in the systems of The Red Cross, Oui SNCF, secure messaging provider Olvid, and Cybermalveillance.gouv.fr, a cybersecurity division of the French government.

“Bug bounties are not only for Uber or Deezer, it’s for any organization inspired by cybersecurity and willing to address the bugs in its systems,” Rodolphe Harand, manager of YesWeHack, the bug bounty platform that hosted the live hacking competition, told The Daily Swig.

Not long after the event, French cyber awareness site Cybermalveillance.gouv.fr announced that it was going public with its bug bounty program, one that it had been running privately on the YesWeHack platform since December 2019.

Bounties awarded for high risk and critical flaws are also set to double under the program’s public scope, The Daily Swig reported this month, alongside an interview with the Belgium-based platform intigriti, which has its sights set on global expansion.

If you’re interested in bug bounty market news, February was full of statistics related to payouts and hacker insights, as Facebook highlighted the $2 million it paid out to security researchers through its bug bounty program in 2019.

Dropbox also patted itself on the back, having doled out $1 million in cash to security researchers since its vulnerability rewards program began in 2014.

In related news, HackerOne published its 2020 Hacker Report, which found that although bug bounty payouts across the platform continue to rise, nearly two-thirds of security researchers (63%) have withheld the disclosure of security vulnerabilities on at least one occasion.

The reasons behind this were multifaceted, but the factors that stood out were fear of reprimand, lack of a clear reporting channel, and organizations being unresponsive to previous bug reports.

“I think we really need to disambiguate what people mean by the term ‘bug bounty’,” Casey Ellis, founder of Bugcrowd, told The Daily Swig in a recent chat about the uptake of IoT bug bounty programs.

“They are usually thinking about a public bug bounty, which definitely is the last line of defense.”

Read the full interview with Bugcrowd founder Casey Ellis.

The latest bug bounty programs for February 2020

February saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Celo

Program provider: HackerOne

Program type: Private bug bounty

Max reward: $15,000

Outline: Celo, an open banking platform, puts forward a private bug bounty program, with four of its domains in scope.

Notes: Quick responses to bug submissions and rewards based on the Common Vulnerability Scoring Standard are among Celo’s promises.

Visit the Celo bug bounty page at HackerOne for more info

Evernote

Program provider: HackerOne

Program type: Private bug bounty

Max reward: Undisclosed

Outline: The task management app has launched a private bug bounty program with few details aside from an expanded list of vulnerabilities it considers out of scope.

Notes: Evernote pitches itself as uber responsive, with plans to triage bugs within 10 business days of a successful report submission.

Visit the Evernote bug bounty page at HackerOne for more info

Google API Security Rewards Program

Program provider: HackerOne

Program type: Public bug bounty

Minimum reward: $50

Outline: Google has added another bug bounty program to its repertoire. Security researchers can now report vulnerabilities found in third-party applications accessing OAuth Restricted Scope.

Notes: “Developers of OAuth apps using restricted scopes, with more than 50,000 users, are automatically enrolled into the program after they have passed the security assessment requirement,” outlines the program. Theft of insecure private data through unauthorized access reaps a $1,000 reward. Vulnerabilities must be reported to the relevant app developer first.

Visit the Google API Security Rewards Program at Hackerone for more info

Kindred Group

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,500

Outline: Online gambling operator Kindred Group has entered the bug bounty scene with HackerOne, putting its two platforms, which host brands like Unibet, bingo.com, iGame, and MariaCasino, in scope.

Notes: Remote code execution, SQL injection, and other critical bugs pay $2,500. Less severe vulnerabilities, such as Flash-based reflective XSS or captcha bypass, generate a $150 reward.

Visit the Kindred Group bug bounty page at HackerOne for full program details

Microsoft Azure – enhanced

Program provider: Independent

Program type: Public bug bounty

Max reward: $40,000

Outline: Microsoft’s established Azure Bounty Program has expanded its scope to include Azure Sphere to run alongside the general release of the IoT security platform.

Notes: “The goal of the Microsoft Bug Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers,” Microsoft says. Many low-severity issues are out of scope.

Visit the latest Microsoft blog post for full program details

Microsoft Xbox

Program provider: Independent

Program type: Public bug bounty

Max reward: $20,000

Outline: Awards range from $500 to $20,000 for vulnerabilities found in the Xbox Live network and services, although Redmond says higher payouts are possible.

Notes: In-scope vulnerabilities include all the regular suspects with full PoC exploit: cross-site scripting, cross-site request forgery, insecure direct object references, insecure deserialization, code injection flaws, server-side code execution, significant security misconfiguration (when not caused by user), and exploits in third-party components.

Visit the Xbox bug bounty page for full program details

Monolith

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $10,000

Outline: Ethereum-based banking alternative Monolith has linked with HackerOne to let hackers find bugs in its smart contract wallet and the internet-facing Monolith platform.

Notes: “The most important class of bugs we’re looking for are ones that would cause our users to lose their funds or have them rendered frozen and unusable within their Smart Contract Wallet,” Monolith says.

Visit the Monolith bug bounty page at HackerOne for full program details

TokenCoreX

Program provider: Independent

Program type: Public bug bounty

Max reward: $10,000

Outline: Developers at imToken, a popular cryptocurrency wallet, have launched a new bug bounty program covering the TokenCoreX library that underpins the application.

Notes: The program is a partnership with blockchain security specialists SlowMist, and covers defects in the implementation of the core encryption algorithm, along with vulnerabilities in chain-related logic code or the wallet application layer. Rewards are paid in Tether cryptocurrency, with critical vulnerabilities amounting to issues that result in an attacker stealing crypto-assets.

Visit the latest imToken blog post for more info

Visma

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,500

Outline: Business software provider Visma wants security researchers to break their domains, with payouts ranging from $100 for low impact bugs to $2,500 for those defined as critical.

Notes: Critical exploits include RCE and SQL injection. Low-rated vulnerabilities such as open redirect or application level denial-of-service also warrant payouts. “Any reports outside these categories will be triaged on a case by case basis by Security Analysts from Visma,” the company adds.

Visit the Visma bug bounty page at HackerOne for more info

Other bug bounty and VDP news

  • Katie Moussouris, quite possible the Queen of the bug bounty, spoke on the Threatpost podcast about the challenges in implementing successful programs
  • The Hacker News ran an interview with the Open Bug Bounty project, a non-profit that’s demonstrated significant growth over the past year.
  • Bug hunter Alex Chapman published a blog post on his transition from pen tester to full-time bounty hunter.
  • Hyatt expanded its public bug bounty program on its one-year anniversary last month with HackerOne, widening its scope with  higher bounties.
  • Marriott is running a vulnerability disclosure program (unpaid) with HackerOne, as are mobile banking providers bunq, Canadian banking provider Koho, photo video editing app PicsArt, and Belgium-based REM-B Hydraulics.
  • Bugcrowd also saw the SoundCloud bug bounty program increase its rewards last month, now offering a maximum $4,500 for high priority bugs.

To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line. Read more bug bounty news from The Daily Swig.

RELATED Bug Bounty Radar // January 2020

Source link

The post #hacking | Bug Bounty Radar // The latest bug bounty programs for February 2020 appeared first on National Cyber Security.

View full post on National Cyber Security

Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks

Source: National Cyber Security – Produced By Gregory Evans

chrome browser software update

Google yesterday released a new critical software update for its Chrome web browser for desktops that will be rolled out to Windows, Mac, and Linux users over the next few days.

The latest Chrome 80.0.3987.122 includes security fixes for three new vulnerabilities, all of which have been marked ‘HIGH’ in severity, including one that (CVE-2020-6418) has been reportedly exploited in the wild.

The brief description of the Chrome bugs, which impose a significant risk to your systems if left unpatched, are as follows:

  • Integer overflow in ICU — Reported by André Bargull on 2020-01-22
  • Out of bounds memory access in streams (CVE-2020-6407) — Reported by Sergei Glazunov of Google Project Zero on 2020-01-27
  • Type confusion in V8 (CVE-2020-6418) — Reported by Clement Lecigne of Google’s Threat Analysis Group on 2020-02-18

The Integer Overflow vulnerability was disclosed by André Bargull privately to Google last month, earning him $5,000 in rewards, while the other two vulnerabilities — CVE-2020-6407 and CVE-2020-6418 — were identified by experts from the Google security team.

Google has said CVE-2020-6418, which stems from a type confusion error in its V8 JavaScript rendering engine, is being actively exploited, although technical information about the vulnerability is restricted at this time.

The search giant has not disclosed further details of the vulnerabilities so that it gives affected users enough time to install the Chrome update and prevent hackers from exploiting them.

A successful exploitation of the integer overflow or out-of-bounds write flaws could allow a remote attacker to compromise a vulnerable system by tricking the user into visiting a specially crafted web page that takes advantage of the exploit to execute arbitrary code on the target system.

It’s recommended that Windows, Linux, and macOS users download and install the latest version of Chrome by heading to Help > “About Chrome” from the settings menu.

The Original Source Of This Story: Source link

The post Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks appeared first on National Cyber Security.

View full post on National Cyber Security

#comptia | #ransomware | Check Point report highlights latest cyber-threats worldwide

Source: National Cyber Security – Produced By Gregory Evans

Check Point Research has published its 2020 Cyber Security Report.

The report highlights the main tactics cyber-criminals are using to attack organisations worldwide across all industries and gives cybersecurity professionals and C-Level executives the information they need to protect their organisations from today’s fifth-generation cyber-attacks and threats.

The 2020 Security Report reveals the key attack vectors and techniques observed by Check Point researchers during the past year.

Highlights include:

Cryptominers still dominate malware landscape – Even though cryptomining declined during 2019, linked to cryptocurrencies’ fall in value and the closure of the Coinhive operation in March, 38% of companies globally were impacted by crypto-miners in 2019, up from 37% in 2018.

This is because the use of cryptominers remains a low-risk, high-reward activity for criminals

Botnet armies surge in size – 28% of organisations globally were hit by botnet activity, an increase of over 50% compared with 2018.

Emotet was the most common bot malware used, primarily because of its versatility in enabling malware and spam distribution services.

Other botnet actions such as sextortion email activity and DDoS attacks also rose sharply in 2019.  

Targeted ransomware hits hard – While the number of impacted organisations is relatively low, the severity of the attack is much higher – as seen in 2019’s damaging attacks against US city administrations.

Criminals are choosing their ransomware targets carefully, with the aim of extorting the maximum revenue possible.

Mobile attacks decline – 27% of organisations worldwide were impacted by cyber-attacks that involved mobile devices in 2019, down from 33% in 2018.

While the mobile threat landscape is maturing, organisations are also increasingly aware of the threat, and are deploying more protection on mobiles.

The year Magecart attacks became an epidemic – These attacks which inject malicious code into e-commerce websites to steal customers’ payment data hit hundreds of sites in 2019, from hotel chains to from commerce giants to SMBs, across all platforms.

Rise in cloud attacks – Currently more than 90% of enterprises use cloud services and yet 67% of security teams complain about the lack of visibility into their cloud infrastructure, security, and compliance.

The magnitude of cloud attacks and breaches has continued to grow in 2019.

Misconfiguration of cloud resources is still the number one cause for cloud attacks, but now we also witness an increasing number of attacks aimed directly at cloud service providers. 

“2019 presented a complex threat landscape where nation states, cybercrime organisations and private contractors accelerated the cyber arms race, elevating each other’s capabilities at an alarming pace, and this will continue into 2020,” says Check Point Software Technologies major intelligence officer Lotem Finkelsteen.

“Even if an organisation is equipped with the most comprehensive, state-of-the-art security products, the risk of being breached cannot be completely eliminated. Beyond detection and remediation, organisations need to adopt a proactive plan to stay ahead of cybercriminals and prevent attacks.

“Detecting and automatically blocking the attack at an early stage can prevent damage. Check Point’s 2020 Security Report shares what organisations need to look out for, and how they can win the war against cyber-attacks through key best practices.”

Check Point’s 2020 Security Report is based on data from Check Point’s ThreatCloud intelligence, the largest collaborative network for fighting cybercrime which delivers threat data and attack trends from a global network of threat sensors; from Check Point’s research investigations over the last 12 months; and on a brand new survey of IT professionals and C-level executives that assesses their preparedness for today’s threats.

The report examines the latest emerging threats against various industry sectors, and gives a comprehensive overview of the trends observed in the malware landscape, in emerging data breach vectors, and in nation-state cyber-attacks.

It also includes analysis from Check Point’s thought leaders, to help organisations understand and prepare themselves for today’s and tomorrow’s complex threat landscape.

Source link

The post #comptia | #ransomware | Check Point report highlights latest cyber-threats worldwide appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | #hackerspace | NSA: Microsoft Releases Patch to Fix Latest Windows 10 Vulnerability

Source: National Cyber Security – Produced By Gregory Evans

NSA discloses a Windows security flaw that leaves more than 900 million devices vulnerable to spoofed digital certificates

The National Security Agency (NSA) isn’t exactly known for wanting to share information about vulnerabilities they discover. In fact, they kept the Microsoft bug known as Eternal Blue a secret for at least five years to exploit it as part of their digital espionage. (At least, you know, until it was eventually discovered and released by hackers).

But maybe they’ve had a change of heart. (If you truly
believe that, I have a bridge to sell you.)

The NSA, in an uncharacteristic show of transparency, recently announced a major public key infrastructure (PKI) security issue that exists in Microsoft Windows operating systems that’s left more than 900 million PCs and servers worldwide vulnerable to spoofing cyberattacks. This vulnerability is one of many vulnerabilities Microsoft released as part of their January 2020 security updates. Maybe they didn’t want a repeat of the last incident. Whatever the reason, we’re just glad they decided to disclose the potential exploit.

This risk of this vulnerability boils down to a weakness in
the application programming interface of Microsoft’s widely used operating
systems. But what exactly is this Windows 10 vulnerability? How does it affect
your organization? And what can you do to fix it?

Let’s hash it out.

What’s the Situation with This Windows 10 Vulnerability?

Windows 10 has been having a rough go of things these past several months in terms of vulnerabilities. In the latest Window 10 vulnerability news, the NSA discovered a vulnerability (CVE-2020-0601) that affects the cryptographic functionality of Microsoft Windows 32- and 64-bit Windows 10 operating systems and specific versions of Windows Server. Basically, the vulnerability exists within the Windows 10 cryptographic application programming interface — what’s also known as CryptoAPI (or what you may know as the good ol’ Crypt32.dll module) — and affects how it validates elliptic curve cryptography (ECC) certificates.

What it does, in a nutshell, is allow users to create websites and software that masquerade as the “real deals” through the use of spoofed digital certificates. A great example of how it works was created by a security researcher, Saleem Rashid, who tweeted images of NSA.com and Github.com getting “Rickrolled.” Essentially, what he did was cause both the Edge and Chrome browsers to spoof the HTTPS verified websites.

Although humorous, Rashid’s simulated attacks are a great
demonstration of how serious the security flaw is. By spoofing a digital
certificate to exploit the security flaw in CryptoAPI, it means that anyone can
pretend to be anyone — even official authorities.

CryptoAPI is a critical component of Microsoft Windows operating systems. It’s what allows developers to secure their software applications through cryptographic solutions. It’s also what validates the legitimacy of software and secure website connections through the use of X.509 digital certificates (SSL/TLS certificates, code signing certificates, email signing certificates, etc.). So, basically, the vulnerability’s a bug in the OS’s appliance for determining whether software applications and emails are secure, and whether secure website connections are legitimate.

So, what the vulnerability does is allow actors to bypass
the trust store by using malicious software that are signed by forged/spoofed ECC
certificates (doing so makes them look like they’re signed by a trusted
organization). This means that users would unknowingly download malicious or
compromised software because the digital signature would appear to be from a
legitimate source.

This vulnerability can cause other issues as well, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA):

This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.”

Does This Mean ECC Is Not Secure?

No. This flaw in no way, shape, or form affects the
integrity of ECC certificates. It does, however, cast a negative light on
Windows’ cryptographic application programming interface by shining a spotlight
on the shortcomings of its validation process.

Let me reiterate: This is a flaw concerning Windows
CryptoAPI and does not affect the integrity of the ECC certificates themselves.

If you’re one of the few using ECC certificates (you know, since RSA is still
the more commonly used than ECC), this doesn’t impact the security of your certificates.

The patch from Microsoft addresses the vulnerability to
ensure that Windows CryptoAPI fully validates ECC certificates.

What This Windows 10 Vulnerability Means for Your Organization

Basically, this cryptographic validation security flaw
impacts both the SSL/TLS communication stream encryption and Windows
Authenticode file validation. Malicious actors who decide to exploit the CryptoAPI
vulnerability could use it to:

  • defeat trusted network connections to carry out man-in-the-middle (MitM) attacks and compromise confidential information;
  • deliver malicious executable code;
  • prevent browsers that rely on CryptoAPI from validating malicious certificates that are crafted to appear from an unauthorized hostname; and
  • appear as legitimate and trusted entities (through spoofing) to get users to engage with and download malicious content via email and phishing websites.

The NSA press release states:

NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”

Steps to Take to Mitigate This Bug

Wondering what you should do to mitigate the threat on your
network and devices? The NSA has a few recommendations:

Get to Patchin’ ASAP

The NSA recommends installing a newly-released patch from Microsoft for Windows 10 operating systems and Windows Server (versions 2016 and 2019) as soon as possible on all endpoints and systems. Like, right now. Get to it! As a best practice, you also can turn on automatic updates to ensure that you don’t miss key updates in the future.

According to Microsoft’s Security Update Guide:

After the applicable Windows update is applied, the system will generate Event ID 1 in the Event Viewer after each reboot under Windows Logs/Application when an attempt to exploit a known vulnerability ([CVE-2020-0601] cert validation) is detected.”

Here at The SSL Store, we’ve already rolled out the patch to ensure that all of our servers and endpoint devices are protected. (Thanks, Ross!) Rolling out these kinds of updates is something you don’t want to wait around to do because it leaves your operating systems — and everything else as a result — vulnerable to spoofing and phishing attacks using spoofed digital certificates.

Prioritize Your Patching Initiatives

But what if you’re a major enterprise that can’t just get it
done with a snap of the fingers? (Yeah, we know how you big businesses
sometimes like to do things.) In that case, they recommend prioritizing
patching your most critical endpoints and those that are most exposed to the
internet. Basically,
patch your
mission-critical systems and infrastructure, internet-facing systems, and
networked servers first.

Implement Network Prevention and Detection Measures

For those of you who route your traffic through proxy
devices, we have some good news. While your endpoints are getting patched, your
proxy devices can help you detect and isolate vulnerable endpoints. That’s
because you can use TLS inspection proxies to validate SSL/TLS certificates
from third parties and determine whether to trust or reject them.

You also can review logs and packet analysis to extract
additional data for analysis and check for malicious or suspicious properties.

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/nsa-microsoft-releases-patch-to-fix-latest-windows-10-vulnerability/

Source link

The post #cybersecurity | #hackerspace |<p> NSA: Microsoft Releases Patch to Fix Latest Windows 10 Vulnerability <p> appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | #hackerspace | Privileged Access Abuse at the Heart of Latest Malicious Insider Incidents

Source: National Cyber Security – Produced By Gregory Evans While many companies spend a lot of energy protecting their business from external threats, security events initiated by insiders can be just as costly. Malicious insiders not only have intimate knowledge of corporate systems and infrastructure, but they also have something far more powerful: legitimate privileged […] View full post on AmIHackerProof.com

#deepweb | Stellar Indian American Engineers Among the Latest Group of IEEE Fellows | Global Indian

Source: National Cyber Security – Produced By Gregory Evans The Institute of Electrical and Electronics Engineers recently announced its 2020 IEEE Fellows, with numerous Indian American and South Asian-origin engineers making the cut. IEEE Fellowships are conferred by the IEEE Board of Directors upon a person with an outstanding record of accomplishments. The total number […] View full post on AmIHackerProof.com

#school | #ransomware | Latest Louisiana news, sports, business and entertainment at 1:20 a.m. CST

Source: National Cyber Security – Produced By Gregory Evans

METAIRIE, La. (AP) — Authorities in Louisiana say a woman has been arrested for pretending to be an attorney and stealing $2 million from a client with special needs. Kristina Galjour was arrested Thursday and charged with bank fraud, computer fraud, theft valued over $25,000, exploitation of the infirm and illegally practicing law without a license. The 57-year-old victim has a developmental disability and inherited a trust fund after his parents died. Jefferson Parish Sheriff’s Capt. Jason Rivarde says Galijour coerced the man into thinking she was an attorney and over a three-year period she emptied his $2 million trust fund. The investigation is ongoing. It’s unclear whether Galijour has an attorney.

Source link

The post #school | #ransomware | Latest Louisiana news, sports, business and entertainment at 1:20 a.m. CST appeared first on National Cyber Security.

View full post on National Cyber Security

#deepweb | Here’s how you can enable native WhatsApp dark mode on latest stable build with root

Source: National Cyber Security – Produced By Gregory Evans Bringing a consistent form of dark mode is not an easy task, as the existing implementations are very much fragmented. Even the apps from Google don’t have a standard way to toggle the color scheme – some rely on underlying system settings while others sport a […] View full post on AmIHackerProof.com