Monthly Archives: October 2017

Popular ‘Circle with Disney’ Parental Control System Riddled With 23 Vulnerabilities

The makers of the popular parental control system called Circle with Disney patched 23 vulnerabilities over the weekend. The bugs ran the gamut from memory corruption and denial of service to SSL validation vulnerabilities, and they affect all devices managed on a network.

Circle with Disney is a $90 device made in partnership by Disney Interactive and Circle Media, introduced last year. It pairs wirelessly to a home Wi-Fi network and allows parents to manage devices on the network such as tablets, TVs or laptops. The affected model is Circle with Disney 2.0.1. Users are urged to patch devices, however Circle said patches were pushed out to connected devices over this past weekend.

Users use iOS or Android apps to manage networked devices. However, it isn’t clear whether the iOS and Android devices running the apps are also vulnerable to attack.

“Through these exploitable vulnerabilities, a malicious attacker could gain various levels of access and privilege,” wrote Cisco Talos researchers who worked with Circle Media to mitigate against the near two-dozen vulnerabilities.

Of those flaws, one vulnerability (CVE-2017-12087) received a CVSS score of 10, the highest you can get. That was for a Tinysvcmdns Multi-label DNS Heap Overflow Vulnerability, according to Cisco Talos.

“An exploitable heap overflow vulnerability exists in the tinysvcmdns library version 2016-07-18. A specially crafted packet can make the library overwrite an arbitrary amount of data on the heap with attacker controlled values. An attacker needs to send a DNS packet to trigger this vulnerability,” researchers wrote.

Another bug, a command injection vulnerability (CVE-2017-2917), has a CVSS rating of 9.9. “An exploitable vulnerability exists in the notifications functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request to trigger this vulnerability,” according to a Cisco Talos researcher.

One particularly menacing vulnerability (CVE-2017-12085), in the Circle Media with Disney software, could allow hackers to effectively use the Circle cloud infrastructure to attack other customer devices.

In total, 17 of the 23 CVSS scores were 9.0 or higher. Successful attacks could have given adversaries the “ability to alter network traffic, execute arbitrary remote code, inject commands, install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device,” wrote Cisco Talos researchers.

“If an attacker were to gain access, a family’s online activity could be monitored and controlled from a malicious outside source, potentially putting the family’s personal information at risk,” wrote researchers.

Cisco Talos disclosed the vulnerabilities to Circle Media over several months this summer. The coordinated public disclosure was Oct. 31. Many Cisco researchers are credited with finding the bugs, including Marcin Noga, Cory Duplantis, Yves Younan, Claudio Bozzato, Lilith Wyatt, Aleksandar Nikolic and Richard Johnson.

from Threatpost – English – Global – thr… http://bit.ly/2gYs9Ko
via IFTTT

North Korea Faces Accusations of Hacking Warship Builder Daewoo

North Korea suspected by South Korea of stealing warship blueprints from Daewoo Shipbuilding & Marine Engineering.

South Korea’s Ministry of Defense alleges a recent security breach of Daewoo Shipbuilding & Marine Engineering’s database was committed by North Korea, according to a Reuters report.

The defense ministry believes copies of Daewoo’s warship blueprints were taken in the breach, which occurred in April, states the Reuters report.

South Korea’s investigators claim the hacking techniques used on Daewoo were similar to ones North Korea is believed to have used in other attacks, a South Korean opposition lawmaker told Reuters.

North Korean hackers allegedly stole a cache of South Korea’s classified military documents, including operational plans from the US-Korean War, the report states.

Read more about the Daewoo breach here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

from Dark Reading – All Stories http://ubm.io/2z2psMB
via IFTTT

Office 365 Missed 34,000 Phishing Emails Last Month

Nearly 10% of emails delivered to Office 365 inboxes were spam, phishing messages, and known or zero-day malware.

Microsoft Office 365 missed 9.3% of emails containing spam, phishing, and malware from the beginning of September through early October, report Cyren researchers, who analyzed 10.7 million messages.

The threat intelligence firm gauges clients’ email security with its Email Security Gap Analysis tool. Inbound emails are processed by its email security system, and all messages that go on to users’ inboxes are BCC’d to Cyren’s system for automated analysis.

“It’s a standard engagement we have with clients,” says Pete Starr, Cyren’s director of field engineering. “But occasionally we get some interesting nuggets of information.” Researchers were curious about how Office 365 was performing, which led to evaluating its security.

During the month of September, Cyren analyzed 10.7 million emails forwarded by Office 365 to user mailboxes for companies tested during that time frame. Of the messages evaluated, 9.75 million (90.7%) were found to be clean. This included 4.6 million newsletter emails, which made up nearly half of legitimate email traffic.

Nearly one million (9.3% of) messages were spam or malicious emails missed by Office 365, says Cyren, noting that the standard Office365 email service has Exchange Online Protection (EOP) to protect against malware and spam. The “false negatives” should not have made it to inboxes.

Researchers found 957,039 emails, or 8.93% of all email traffic, turned out to be spam. Usually, these messages are filtered out through content scanning or pattern detection applied to elements of the email message or its distribution pattern.

Spam aside, 34,077 emails delivered to Office 365 users were phishing messages. Of these, 18,052 were financial phishing emails requesting banking details or account access, 5,424 were password phishing emails, and 10,601 were general phishing emails.

“The biggest shock was just how much was coming through,” says Starr. “Yes, the majority of it is spam, but quite a lot is something you don’t want.”

He refers to the malware attachments found on 3,900 emails delivered to users. While a tiny percentage (0.04%) of all emails delivered, this category is also the most dangerous. Of those malware emails, 1,438 carried zero-day attachments with no previously known malware signatures. However, malware attached to 2,462 emails was known and should have been detected.

“What really surprised me was the two-and-a-half thousand samples of known malware,” Starr says. “Stuff caught by basic, signature-based detection. You expect that kind of stuff to be filtered out.”

Is the customer at fault, or is Microsoft? Starr puts some blame on both parties. “Your average Office 365 customer is less well-configured; they perhaps don’t have the best policies on average,” he explains.

However, he continues, Microsoft’s solution is particularly reliant on reputation-based filtering, meaning the extent of their knowledge is only as good as their database. Today, with the rise of distributed attacks involving malware, phishing, spam, and botnets, many machines involved are fresh IPs. There’s a good chance they won’t exist inside an IP reputation database, he says.

“Being able to track new IPs is very, very difficult,” says Starr. “You find out about them when it’s too late.”

For businesses hoping to improve their email security, he advises being more sensible about whitelists, noting that many organizations are too broad when adding domain names to their whitelists and letting potentially harmful messages in.

Another mistake is not appreciating how much valid email exists in other languages, like Chinese or Russian. “People either completely block, or completely allow them,” he adds, suggesting users take full advantage of email features to set more specific filters.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

from Dark Reading – All Stories http://ubm.io/2zWgAr8
via IFTTT

Apple Patches KRACK Vulnerability in iOS 11.1

Apple has patched iOS, macOS and other products to protect against the KRACK vulnerability recently disclosed in the WPA2 Wi-Fi security protocol.

KRACK, short for key re-installation attack, allows an attacker within range of a victim’s Wi-Fi network to read encrypted traffic with varying degrees of difficulty.

Many vendors had patched KRACK in their respective products prior to the Oct. 16 public disclosure. Researcher Mathy Vanhoef of Belgium found the flaw, privately disclosed it to numerous organizations starting in July, and helped coordinate disclosure.

Apple was among the holdouts to repair its offerings until today; the update is part of iOS 11.1 and includes patches for 13 bugs in WebKit, and other fixes in the kernel, iMessages, and elsewhere. Apple also patched KRACK in macOS High Sierra, Sierra and El Capitan, all of which were updated today, as well as in tvOS and watchOS.

Given that KRACK is a protocol-level bug, it had many experts on edge in its early days. Since then, some of the anxiety has eased given the varying difficulty of exploitation and the conditions that must be in place for an attack to be successful.

Since KRACK cannot be exploited remotely and an attacker must be in range of the Wi-Fi network, this somewhat blunts the severity of the issue. Also, VPNs and TLS connections add layers of encryption to communication from home and business networks to the internet. Enterprises are likely most in the line of fire when it comes to the KRACK bug.

“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations,” Vanhoef wrote in an advisory published Oct. 16. “Therefore, any correct implementation of WPA2 is likely affected.”

More details are available in a research paper called “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2,” scheduled to be formally presented tomorrow at the Computer and Communications Security (CCS) conference and at Black Hat Europe.

The vulnerability surfaces in the four-way handshake carried out when clients join WPA2-protected networks. A pre-shared network password is exchanged during this handshake, authenticating the client and access point. It’s also where a fresh encryption key is negotiated that will be used to secure subsequent traffic.

It is at this step where the key reinstallation attack takes place; an attacker on the network is able to intercede and replay cryptographic handshake messages, bypassing the requirement that a key (and the nonce derived from it) be used only once. The weakness occurs when messages during the handshake are lost or dropped—a fairly common occurrence—and the access point retransmits the third part of the handshake. Each time the client reinstalls the key in response, it resets its packet counter and so re-uses a nonce, theoretically multiple times.

An attacker sniffing the traffic could replay it offline and piece together enough information to steal secrets.

“By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged,” Vanhoef said. “The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.”
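To make the mechanism above concrete, here is an added toy model (constructed for this page, not code from Threatpost or from Vanhoef’s paper) of a WPA2 client handling message 3 of the four-way handshake. The vulnerable client reinstalls the already-installed key when message 3 is retransmitted and resets its packet number, so the same nonce is used twice; the patched client installs a given key only once. The key, frames and hash-based keystream are constructed stand-ins, and `reused_nonces` is the kind of check a defender could run over captured packet numbers.

```python
import hashlib


class Supplicant:
    """Minimal WPA2 client model; only the key-installation logic matters here."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None          # pairwise transient key installed from message 3
        self.packet_number = 0   # per-key transmit counter that forms the CCMP nonce

    def on_message3(self, ptk: bytes) -> None:
        # Patched client: a key that is already installed is never reinstalled,
        # so a retransmitted message 3 cannot reset the counter.
        if self.patched and self.ptk == ptk:
            return
        self.ptk = ptk
        self.packet_number = 0   # key installation (re)starts the nonce counter

    def send(self, plaintext: bytes):
        """Encrypt one frame; returns (packet_number, ciphertext)."""
        pn = self.packet_number
        self.packet_number += 1
        # Toy stand-in for the AES-CTR keystream, derived from key and nonce.
        # Same key + same packet number gives the same keystream, which is
        # exactly what nonce reuse hands to an eavesdropper.
        keystream = hashlib.sha256(self.ptk + pn.to_bytes(6, "big")).digest()
        return pn, bytes(a ^ b for a, b in zip(plaintext, keystream))


def run_session(patched: bool):
    """Handshake, send a frame, receive a retransmitted message 3, send again."""
    client = Supplicant(patched)
    ptk = b"constructed-sample-ptk-0123456789"   # constructed value, not a real key
    client.on_message3(ptk)                      # first (legitimate) message 3
    frames = [client.send(b"first frame")]
    client.on_message3(ptk)                      # message 3 arrives again
    frames.append(client.send(b"second frame"))
    return frames


def reused_nonces(frames) -> set:
    """Defender check: packet numbers that appear more than once under one key."""
    seen, dup = set(), set()
    for pn, _ in frames:
        (dup if pn in seen else seen).add(pn)
    return dup


if __name__ == "__main__":
    print("vulnerable client reused nonces:", reused_nonces(run_session(patched=False)))
    print("patched client reused nonces:   ", reused_nonces(run_session(patched=True)))
```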

from Threatpost – English – Global – thr… http://bit.ly/2hsRAAG
via IFTTT

Who Says Brilliant Security Engineers Can’t Be Amazing People Managers?

Don’t let midcareer stagnation be an exit ramp from the cybersecurity industry. Use it as an opportunity to explore and to deepen your enthusiasm.

Many of us, for most of our lives, have heard about the necessity of “climbing the ladder of success.” When you reach a certain age, the expectation is that you naturally will have progressed into middle or upper management. In the security industry, I’ve seen quite a few incredibly talented and passionate individuals burn out or leave their jobs due to the lack of a clear, authentic path for career progression. Even for those of us who have remained, there can be a lingering sense of confusion or a lack of motivation if we are uncertain about the road ahead as we achieve a certain level of seniority.

This is a fairly new industry, which means there are fewer identifiable “next steps” as far as careers go. Many of us seem to fly by the seat of our pants and take whatever position that sounds appealing rather than be directed by specific goals. And when that no longer works, some feel it necessary to get out of the industry entirely.

Another complication is that the sorts of job transitions into management that might be sensible in other industries are less applicable in tech and information security. The skills needed to configure a corporate network or code a complex widget are significantly different from getting a group of unpredictable hominoids to do your bidding. As a result, it becomes perfectly acceptable (and often more efficient) to hire people into management positions who are less technically savvy but better at motivating a group of technical subject-matter experts.

That’s not to say that brilliant engineers can’t be amazing people-managers. These skill sets can and often do overlap. Plus, there are ways to improve your management skills, if this is something you want to pursue. On the other hand, if you find you’ve achieved your “highest level of incompetence” in management, it does not have to be a career-limiting maneuver if you decide to go back to a technical trajectory.

Considering the Options
There is usually a short list of things people are after when they think about “climbing the corporate ladder”: money, intellectual enrichment, and respect. While joining the C-suite is certainly one way to achieve that, it’s not the only way. Here are a few suggestions to help you find a career path in line with your abilities and interests:

Focus on technology. Many higher-level positions revolve around technology management rather than people. Think of these as architect-type positions where you plan or design research and development projects rather than direct the people implementing them. These are often higher-paying positions, if more money is your objective.

If this is too far removed from the nitty-gritty, consider two alternative directions. The first is to explore laterally: are there projects or subjects you’d be interested in investigating? Sometimes a departmental “exchange program” can be an interesting change of pace. The second is to specialize: Can you get a much more in-depth knowledge of your area of interest? Specialist roles may also allow you to command a higher salary. While this choice carries some risk — all areas of specialization eventually will go extinct — if you’re willing to move laterally, it need not be a dead end.

Find inspiration. Sponsorship and mentorship are great ways to get ahead once you’ve decided on a pathway, as is having a peer who is on a similar career expansion journey. Having someone who can amplify your voice as well as your insight can make your own trek seem less overwhelming. And don’t be deterred by the people who express concern about their ability to attract mentors and sponsors when they don’t get the reflected glory of having a protégé climbing the ranks. It’s certainly possible to find people who are intrinsically motivated to offer assistance. But performing well at a high-profile project can also offer extrinsic motivation.

Inspire others. It’s also very possible to act as a leader without having official management responsibilities. “Thought leadership” can raise the profile of individuals and their organizations by giving others the benefit of expert experience. Team leaders can raise the skill level of a single mentee, a group, or a whole organization. And, as with mentorship and sponsorship, this type of leadership can provide both extrinsic and intrinsic motivation.

With an ever-growing skills gap, we can scarcely afford to lose any talent, much less people with significant experience. Don’t let career stagnation be an exit ramp. Use it as an opportunity to explore and to deepen your enthusiasm.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically.

from Dark Reading – All Stories http://ubm.io/2xGdxSY
via IFTTT

Trump Administration to Craft New Cybersecurity Plan

Strategy will mirror President Trump’s cybersecurity Executive Order.

White House Homeland Security Adviser Tom Bossert said today that the Trump administration will establish a new cybersecurity strategy that draws from the president’s Executive Order signed in May.

“As soon as we’re prepared to put forward a strategy that will be beneficial to the government and the nation, we’ll do so,” Bossert said, according to a DefenseOne report.

Bossert said the strategy will encompass the themes of the EO, including strengthening security in federal agency networks and critical infrastructure, and the adoption of security best practices.

The EO specifically called for the adoption of the National Institute of Standards and Technology’s cybersecurity risk framework of best security practices.

Read about Bossert’s comments here.

from Dark Reading – All Stories http://ubm.io/2A4kj6z
via IFTTT