Monthly Archives: July 2018

HP Launches Printer Bug Bounty Program


Bugcrowd will manage new vulnerability disclosure award program for HP enterprise printers.

HP will pay up to $10,000 per vulnerability found in its enterprise printers under a new bug bounty program.

Bugcrowd is heading up HP’s new private bug bounty program, with award amounts based on the severity of the flaws. A recent report from Bugcrowd shows an increase of 21% in vulnerabilities discovered in printers.

Printers often get overlooked as potential attack vectors. But with rising threats targeting other Internet of Things (IoT) devices and printers getting outfitted with more advanced functions, they’re becoming a more attractive weak link.

“Like the PC, printers have become incredibly powerful devices, increasing in storage and processing power. However, we haven’t reached awareness to secure print devices, and all the good security practices that are employed to protect PCs and other important nodes in the network are not being deployed with consistency to printers,” says Shivaun Albright, chief technologist for printing security at HP. “HP’s goal is to continually improve and help our customers manage their devices.”  

HP previously had worked directly with researchers who discovered flaws in its printers. “We’ve always actively encouraged researchers to report vulnerabilities,” Albright says.

Its new printer bug bounty program calls for researchers to root out firmware flaws, such as cross-site request forgery (CSRF), remote code execution (RCE), and cross-site scripting (XSS). “Bugcrowd and HP have worked with one researcher to physically send [to them] an enterprise grade A3 printer to fully assess all components from the outside in,” Albright says.

The program initially is for HP LaserJet Enterprise printers and HP PageWide Enterprise printers and MFPs (A3 and A4 formats).

While IoT devices have received a lot of attention security-wise of late, printers have not. “There’s a big focus on connected devices like Web cameras or smart TVs, which are highly relatable to everyone, but not printers necessarily,” Albright says. “That said, printers may be the most common IoT device an individual uses.”  

The Mirai botnet attack in 2016 was a big wake-up call: “[It] took down the Internet in a major way. The botnet used hacked IoT devices, like webcams and DVRs, but printers were also a part of that mix,” she says.

Printers often get lost in the shuffle when it comes to enterprise security. “There is currently a gap in discussions between decision-makers and those implementing the technology,” Albright notes. “We’re also seeing mismanagement in the deployment of printers leaving critical ports and settings open. This makes it easy for attackers to remotely access the device.”

HP recommends that printer customers work closely with their channel partners to use managed print services programs, and that remote workers avoid printing via unsecure Wi-Fi networks, for example.


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …


from Dark Reading – All Stories https://ubm.io/2AsuQNr
via IFTTT

DHS Establishes Center For Defense of Critical Infrastructure


Center foundational to new government-led ‘collective defense’ strategy for sharing and responding to cyberthreats, DHS secretary says.

The US Department of Homeland Security has established a new National Risk Management Center to facilitate cross-sector information sharing and collaborative responses to cyber threats against critical infrastructure.

At a cybersecurity summit in New York City on Tuesday, DHS Secretary Kirstjen Nielsen described the center as the foundation of a new collective defense strategy led by the US government to respond more forcefully to threats against US interests in cyberspace. The center will bring together security experts from government — including those from intelligence and law enforcement agencies — and security experts from the private sector.

“We are facing an urgent, evolving crisis in cyberspace,” Nielsen said in a keynote address to cybersecurity leaders from government, the private sector, and academia at the DHS-led summit. “Our adversaries’ capabilities are outpacing our stove-piped defenses,” to the point where virtual threats now pose an even bigger threat to national security than physical threats, she said.

Nielsen, a senior Trump Administration official, used the event to warn foreign adversaries against continuing hostile activities against US interests noting that the country is fully prepared to take a range of deterrent actions to stop them. She pointedly called out Russia’s cyberattacks on the US energy grid and its “brazen campaign” to interfere in the 2016 Presidential election as examples of hostile state-sponsored activity against the US.

“Our intelligence community had it right. It was the Russians,” Nielsen said, referring to Russia’s role in the US elections. “We know that. They know that. It was directed from the highest levels.” Such attacks will not be tolerated going forward, she said.

The goal in establishing the new risk management center is to provide a focal point for information sharing between government and private industry as well as between organizations across different industry sectors.

Operators of critical infrastructure, most of whom are in the private sector, often hold much of the threat information that must be pieced together for a more complete understanding of cyber threats. But because that data is siloed, government and the private sector have had a hard time putting cyber threats into proper context and understanding their full implications and effects, Nielsen said.

“The private sector can help us contextualize threats,” she noted. “We will look to their expertise to help us understand how the pieces work together,” in order to develop actionable responses to those threats.

Unlike previous attempts at fostering closer collaboration between government and the private sector, the new National Risk Management Center’s mission is not just about enabling better information sharing. The center will also facilitate 90-day sprints, when organizations from different critical sectors will conduct joint tabletop exercises and other threat operations to identify common vulnerabilities.

Sprints for Security

The center will assemble a national risk registry that will identify and prioritize the most critical threats across industry so they can be remediated quickly. The first of the 90-day sprints will involve organizations from the energy, financial services, and communications sectors. Representatives attending the summit from these industries expressed support for the DHS plan.

“This was an obvious thing to do for a decade but it didn’t happen,” said John Donovan, CEO of AT&T Communications. Organizations that are in a defensive posture in cyberspace cannot rely on attacks and threats playing out exactly the way they might have prepared for them, he said.

In the future, “resilience is going to be a function of our ability to understand and share experiences,” across sectors, he said. Each organization in critical infrastructure sectors has a piece of what it takes to solve a larger threat puzzle and true threat mitigation can happen only through collective information-sharing.

Tom Fanning, CEO of gas and electric utility Southern Company, said that previous tabletop exercises have shown big vulnerabilities exist at the points of intersection with other sectors. A collective approach to cybersecurity of the sort being enabled by the new risk center is vital because of the interdependencies between organizations in different sectors, he said.

“When we do our biggest tabletop exercises, one of the things we learn very quickly is that as resilient as we think we may be, we can always be better,” he said.

A collective effort is also critical because attackers often are looking for the weakest link that provides a way to the strongest, said Ajay Banga, CEO of MasterCard. When an organization gets attacked, it does not always happen because the entity belongs to a specific industry, but because of the access they might provide to other organizations that are of interest to an attacker, Banga said.

But for truly collective defense to happen, government will need to change regulations to the point where organizations feel comfortable to say something if they see something without fear of legal repercussions, he said.



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


from Dark Reading – All Stories https://ubm.io/2O0wkQS
via IFTTT

Hundreds of Registry Keys Exposed to Microsoft COM Hijacking


Experts believe there could be thousands more in the wild.

Microsoft Component Object Model (COM) hijacking is an old type of cyberattack getting a new spin as attackers find stealthy ways to maintain persistence and evade detection.

Microsoft COM is a system integrated into Windows that lets software components interact through the operating system. COM registrations live in the Windows registry, and some of those keys reference “phantom” COM objects: entries whose server files no longer exist on disk, typically left behind by old applications or obsolete programs.

Even after the files are gone, the registry keys continue to refer to them. If an attacker hijacks the phantom COM object ID of a trusted application and points it at a malicious file instead, that file gets loaded and executed by the OS. Because the COM object ID (CLSID) is registered as a legitimate object, the malicious file appears legitimate and bypasses security tools.

Security tools often miss COM hijacking because hundreds of CLSIDs are available and are all connected to common Windows processes, such as explorer.exe, chrome.exe, svchost, and iexplore. New ones appear each day, making it tough for systems to keep up.

COM hijacking is now gaining popularity as attackers seek new ways to maintain persistence without autorun entries, which are easy to map, explains Cyberbit research director Meir Brown, in a new report on the attack vector. Researchers found hundreds of registry keys are vulnerable to COM hijacking, far more than was first believed.

“We knew COM hijacking was used for persistence and have seen some of this used for injection, but didn’t know the scale of this phenomenon – how many entries there are in the registry which are vulnerable to COM hijacking,” Brown explains. The tactic is commonly referred to as a persistence mechanism, but it’s also one of the most effective ways to achieve stealth.

Hunting Registry Keys Online

Researchers ran a proof-of-concept experiment in which they put themselves in the attackers’ shoes and sought out Phantom COM objects to take over. They mapped registry keys that failed to find and load a file, and tried to use those keys to load a fake dynamic link library (DLL).

The trial was a “troubling” success, says Brown, as researchers were able to load and run their DLL within the context of valid applications. The Windows machine loaded all of their objects without any side effects.

As they hunted for keys online, researchers found multiple samples using these keys in the wild. Hundreds of keys are vulnerable to COM hijacking and Phantom COM objects loading, they concluded. The process is easy for attackers to implement and doesn’t require them to leverage code injection, a technique more frequently picked up by detection platforms.

COM hijacking is considered dangerous because it runs with legitimate user privileges, doesn’t require a reboot, and doesn’t reveal suspicious activity to the target, Brown says. It’s gaining popularity; organizations should be aware of it and monitor the registry.
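Monitoring the registry for this is something a defender can script. The PowerShell below is an added example written for this article and is not Cyberbit’s tooling or part of the report: it walks the CLSID hives and reports every InprocServer32, LocalServer32 or InprocHandler32 registration whose server file is missing on disk, which is exactly the “phantom” object the researchers hunted. The function names (Get-PhantomComObject and the helpers) are this example’s own. It also goes one step beyond the article: because HKCU\Software\Classes is consulted before HKLM for the current user, a per-user server registration for a CLSID that also exists machine-wide is a second pattern worth surfacing, so Get-UserOverriddenClsid lists those too.

```powershell
# Added example (not from the Cyberbit report): list COM server registrations whose
# file no longer exists ("phantom" objects) and CLSIDs that a per-user hive overrides.
# Run from an elevated PowerShell for a full view of HKLM. The output is a triage list
# to baseline and diff over time, not a verdict: Windows ships with stale CLSIDs of its own.

function Get-ComServerPath {
    # Turn a raw InprocServer32/LocalServer32 default value into a file path:
    # expand %VARS%, strip surrounding quotes and drop trailing command-line arguments.
    param([string]$RawValue)
    if ([string]::IsNullOrWhiteSpace($RawValue)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($RawValue.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
    }
    # Unquoted value: cut after the first module name, e.g. "C:\x\a.exe /automation"
    $m = [regex]::Match($expanded, '^(.*?\.(dll|exe|ocx|ax|cpl))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $expanded
}

function Test-ComServerExists {
    # Rooted paths are checked directly; bare file names are resolved the way
    # LoadLibrary would (System32, SysWOW64, %SystemRoot%, then PATH).
    param([string]$Path)
    if ([IO.Path]::IsPathRooted($Path)) {
        return (Test-Path -LiteralPath $Path -PathType Leaf)
    }
    $dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot) +
            ($env:Path -split ';' | Where-Object { $_ })
    foreach ($d in $dirs) {
        if (Test-Path -LiteralPath (Join-Path $d $Path) -PathType Leaf) { return $true }
    }
    return $false
}

function Get-PhantomComObject {
    # Walk the CLSID hives and emit every server registration whose file is missing.
    param(
        [string[]]$Roots = @('HKLM:\SOFTWARE\Classes\CLSID',
                             'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
                             'HKCU:\SOFTWARE\Classes\CLSID')
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            foreach ($sub in 'InprocServer32', 'LocalServer32', 'InprocHandler32') {
                $serverKey = "$($clsidKey.PSPath)\$sub"
                if (-not (Test-Path -LiteralPath $serverKey)) { continue }
                $raw  = (Get-ItemProperty -LiteralPath $serverKey -ErrorAction SilentlyContinue).'(default)'
                $path = Get-ComServerPath $raw
                if (-not $path) { continue }   # empty default value: nothing is loaded
                if (-not (Test-ComServerExists $path)) {
                    [pscustomobject]@{ Hive = $root; CLSID = $clsidKey.PSChildName; Server = $sub; Path = $path }
                }
            }
        }
    }
}

function Get-UserOverriddenClsid {
    # A per-user InprocServer32 for a CLSID that is also registered machine-wide
    # shadows the HKLM entry for this user; legitimate software rarely needs that.
    $userRoot = 'HKCU:\SOFTWARE\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return }
    foreach ($key in Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue) {
        $id            = $key.PSChildName
        $userServer    = "$($key.PSPath)\InprocServer32"
        $machineServer = "HKLM:\SOFTWARE\Classes\CLSID\$id\InprocServer32"
        if ((Test-Path -LiteralPath $userServer) -and (Test-Path -LiteralPath $machineServer)) {
            [pscustomobject]@{
                CLSID       = $id
                UserPath    = Get-ComServerPath (Get-ItemProperty -LiteralPath $userServer).'(default)'
                MachinePath = Get-ComServerPath (Get-ItemProperty -LiteralPath $machineServer).'(default)'
            }
        }
    }
}

Get-PhantomComObject    | Sort-Object Hive, CLSID | Format-Table -AutoSize
Get-UserOverriddenClsid | Format-Table -AutoSize
```

Export the first run to CSV as a baseline and compare later runs against it; a CLSID that newly resolves to a file, or whose path changes to a user-writable directory, is the change worth investigating, since the hundreds of pre-existing phantom entries the report counts are mostly harmless leftovers until something fills them in.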

Researchers believe the scope of this issue goes far beyond the hundreds of potential vulnerabilities they found and could potentially reach into the thousands. Further, while COM hijacking is used in the wild, it remains less common than registry run key and injection tactics.



Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …


from Dark Reading – All Stories https://ubm.io/2OtOTh8
via IFTTT

Unified Security Data: A Simple Idea to Combat Persistent, Complex Cyberattacks


Do you know what happens to your data when it’s not in use? If the answer is no, you need to fix that.

When cyberattacks take place in enterprises, the resulting data lives in various silos: security information and event management (SIEM) systems, emails, ticketing systems, intel feeds, security devices, and more. Data flows in and out of these systems, and security teams react to the data as best they can in order to address threats as they arise. But what happens to the data once it’s not in use? Where does this data live long term, and how can it be applied to future threats? Unifying data across an entire security architecture provides the intelligence and context necessary to activate data on demand and use it to identify and resolve persistent threats.

For example, a phishing email is the most common and pervasive attack vector, and it leaves a trail of data throughout the security architecture. The 2017 Verizon Data Breach Report found that 90% of data breaches are the result of phishing or social engineering. A 2015 Intel report reveals that 97% of people around the world are unable to identify a sophisticated phishing email, while Symantec reports that an astounding one in 131 emails contains malware.

A typical phishing email is detected by an email security gateway and/or reported directly to the security team by a recipient. The data the gateway identifies is reported to and searchable in the SIEM, but it lacks much of the critical information contained in the email itself. The raw email provides critical contextual information and lives in a system outside of those processing security alerts, so it cannot be searched from the SIEM. This makes the data very difficult to correlate and creates a process that relies on point-in-time analysis, requiring advance knowledge of what data to look for before it can be found. The analyst is left piecing together an incident without any way of knowing what he or she might be missing.

Figure 1. The typical analyst workflow for a phishing investigation (Source: Uplevel Security)

After a security analyst is done cobbling together the attack elements, the following questions remain:

  • Has there been related, unusual traffic?
  • Was the company compromised?
  • Did the attacker send other phishing emails in the past?
  • Is the attack an evolution of a previous attack?

Unifying security data helps answer all of these questions within a specific environment. To achieve unification, a dynamic data hub should be established that captures all data that flows throughout an architecture. Once a hub is established, information such as historical data not only has a place to reside but can also be activated as new data is ingested. Security teams then have the ability to identify the secondary characteristics that distinguish the malicious instance versus the false positive. For example, similar emails from the same sender were both flagged as malicious based on the existing alerting rules, but only one was actually malicious.

Figure 2. A unified security architecture would capture all historical data, adding more context to an alerting rule (Source: Uplevel Security)

Alerting rules are refined based upon the new indicators, making the resulting future alerts more useful. This reduces the amount of investigation needed, surfaces details that might otherwise go undetected and allows security teams to focus on what matters — effectively and efficiently resolving the threat.

Despite the significant benefits of unifying data, many organizations struggle with achieving it in practice or think they have achieved it using standard technologies. Some rely too heavily on SIEMs and, in turn, adjust data ingestion and analysis based on a SIEM’s capabilities. This results in reliance on static rules, vendor-specific correlation, and the elimination of data streams due to cost. Others try to piece together SIEMs, point solutions, and response platforms, but instead of creating a unified data architecture, this usually results in the scenario outlined above in which data related to the same threat ends up dispersed throughout multiple systems and must be manually pieced together.

If questions are continuously left unanswered at the end of a mitigation process, then it’s time to take a serious look at how security data is being captured and applied to safeguard enterprises.



Liz Maida is instrumental in building and leading the company and its technology, which is founded on core elements of her graduate school research examining the application of graph theory to network interconnection. She was formerly a senior director at Akamai Technologies, …


from Dark Reading – All Stories https://ubm.io/2OAZEhY
via IFTTT

Yale Discloses Data Breach


The university discloses that someone stole personal information a long time ago.

Yale University has just disclosed that it suffered a data breach including names, Social Security numbers, dates of birth, and, in some cases, email addresses and physical addresses of certain individuals. And that is nearly as specific as the disclosure from the university gets.

According to Yale, sometime between April 2008 and January 2009 someone gained access to a database and exfiltrated information. The database was purged of personally identifiable information in 2011, but it wasn’t until June 2018 that the university discovered a breach had taken place.

The university says that, due to the time that has passed, there is no way of knowing who the attacker was. The school has, it says, notified all affected individuals and offered credit monitoring to U.S. residents on the list.

Read more here: http://bit.ly/2v3ENvs



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.


from Dark Reading – All Stories https://ubm.io/2v4J0ix
via IFTTT

10 More Women in Security You May Not Know But Should


The second installment in a series highlighting women who are driving change in cybersecurity but may not be on your radar – yet.


Kelly Jackson Higgins contributed to this article.

The gender disparity plaguing cybersecurity – and the tech industry as a whole – isn’t new, but it is particularly discouraging when the few women in the space aren’t recognized for their work.

Women make up 11% of cybersecurity professionals around the world, researchers report, and even fewer hold leadership positions. Change in the industry has been slow-going, and it doesn’t help that most male security pros believe women have the same opportunities for career advancement as they do. About half of women feel the same way, data indicates.

However, women can take steps to raise their visibility in the security industry – a sector in which most women are underpaid compared with their male colleagues and are more likely to face discrimination in the workplace. Raising awareness of the problem, embracing their roles as security experts, and serving as mentors to younger women are among the best practices.

The industry can also do more to support them. Plenty of women in the industry are making moves and changing cybersecurity for the better. Earlier this summer, for example, former Twistlock strategy officer and Forrester vice president Chenxi Wang debuted the first female-led cybersecurity venture capital firm, Rain Capital, a product of her security expertise and interest in investing in early-stage startups.

Wang isn’t the only woman who is driving change in cybersecurity. In an effort to acknowledge the work women are doing to shape the industry, Dark Reading is publishing a series of articles about women who are making key contributions but aren’t quite as well-known (yet), and who we think will make a difference in the future.

The first installment was published earlier this year, putting the spotlight on 10 women across all sectors of security. In this second installment, 10 more women were chosen based on research and recommendations from industry peers, experts, and colleagues. (Their profiles are in no particular order.) 

We are always looking to learn about women in cybersecurity whose work is poised to make a difference. If you know someone who belongs on this list, please send their names and any information about them and their work to [email protected].

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …


from Dark Reading – All Stories https://ubm.io/2NY1TL2
via IFTTT

Mimecast Snaps Up Solebit for $88 Million


Purchase of threat detection firm closely follows company’s acquisition of security training platform Ataata.

Email and data security firm Mimecast has agreed to buy threat detection company Solebit for approximately $88 million in cash, the two announced today.

Solebit, headquartered in San Francisco, was founded in 2014 by a team of cybersecurity experts who graduated from elite technology units in the Israel Defense Forces. Its focus is on helping users detect advanced threats without signatures or sandboxes, instead recognizing malicious code embedded within active content and data files.

Mimecast already uses Solebit threat detection in its Targeted Threat Protection products. It appears this is the latest in a series of acquisitions intended to protect clients against phishing: According to research from Mimecast and Vanson Bourne, more than 80% of businesses have seen the number of targeted and untargeted phishing attempts stay the same or increase over the past year. Mimecast also recently bought security awareness and training platform Ataata.

Read more details here.





from Dark Reading – All Stories https://ubm.io/2OyddPh
via IFTTT