Monthly Archives: September 2018

Week in review: First-ever UEFI rootkit, Apple DEP vulnerability, new tactics subvert traditional security measures

Here’s an overview of some of last week’s most interesting news and articles:

What do you mean by storage encryption?
Depending on the threat context and how you define “storage encryption,” it can be a highly effective control or a complete waste of resources.

Phorpiex bots target remote access servers to deliver ransomware
Threat actors are brute-forcing their way into enterprise endpoints running server-side remote access applications and attempting to spread the GandCrab ransomware onto other enterprise computers.

LoJax: First-ever UEFI rootkit detected in a cyberattack
ESET researchers have discovered a cyberattack that used a UEFI rootkit to establish a presence on the victims’ computers. Dubbed LoJax, this rootkit was part of a campaign run by the infamous Sednit group against several high-profile targets in Central and Eastern Europe and is the first-ever publicly known attack of this kind.

Vulnerabilities and architectural considerations in industrial control systems
The reason SCADA security is so controversial stems primarily from the intense consequences that come from a compromise in this area. In this podcast, Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions, and Edward Amoroso, CEO of TAG Cyber, talk about SCADA vulnerabilities in ICS architectures.

Apple DEP vulnerability lets attackers access orgs’ resources, info
An authentication weakness in Apple’s Device Enrollment Program (DEP) may allow attackers to enroll any device into an organization’s Mobile Device Management server and, consequently, to obtain privileged access to the private resources of an organization or even full VPN access to internal systems.

Downloads of known vulnerable open source components increase 120%
Sonatype today released its fourth annual State of the Software Supply Chain Report, which reveals the widespread use of vulnerable software components by businesses around the world.

Firefox Monitor tells you whether your email was compromised in a data breach
After a few months of user testing, Mozilla has launched Firefox Monitor, a free online service that allows users to check whether their email address was involved in a publicly known data breach and to sign up to get notified if the account appears in new data breaches.

French cybersecurity agency open sources security hardened CLIP OS
After developing it internally for over 10 years, the National Cybersecurity Agency of France (ANSSI) has decided to open source CLIP OS, a Linux-based operating system developed “to meet the specific needs of the [French] administration,” and is asking outside coders to contribute to its development.

You should prepare for the next mega data breach
In the wake of widespread data breaches, many organizations have quickly increased their cybersecurity spend and embraced new identity protection protocols to protect their customers’ information. The challenge with this approach is that while technology has historically moved and evolved rapidly to support changes in business and consumer demands, the security protocols surrounding it have had difficulty keeping pace.

Researchers develop invisibly thin spray-on antennas
The promise of wearables, functional fabrics, the Internet of Things, and their “next-generation” technological cohort seems tantalizingly within reach. But researchers in the field will tell you a prime reason for their delayed “arrival” is the problem of seamlessly integrating connection technology – namely, antennas – with shape-shifting and flexible “things.” But a breakthrough by researchers in Drexel’s College of Engineering could now make installing an antenna as easy as applying some bug spray.

A law enforcement view of emerging cybercrime threats
Cybercriminals are adopting creative new techniques to target their victims at an unprecedented pace and are constantly seeking methods to avoid law enforcement detection. To stay ahead of them, law enforcement should target cybercriminals offering “off-the-shelf” cyber-attack services or products to make it more difficult for low-level cybercriminals to carry out high-level attacks.

Security and privacy improvements in macOS Mojave
Apple has released macOS Mojave, which comes with a new Dark Mode, a redesigned Mac App Store, and many new and modified features. It also sports changes aimed at enhancing users’ privacy and security.

How organizations overcome cybersecurity hiring challenges
A strong security-focused culture and adherence to best practices helps companies attract and retain cybersecurity talent.

Cybersecurity has a diversity problem: Here’s why
Greater diversity in cybersecurity is critical to catering to a more diverse consumer base, which, in turn, increases the bottom line.

Hackers are finding creative ways to target connected medical devices
Hackers are leveraging error messages from connected medical devices — including radiology, X-ray and other imaging systems — to gain valuable insights.

Are you ready? A good incident response plan can protect your organization
Organizations must have conversations that lead to the generation of a custom-fit IR plan. This not only includes what to do in the event of an incident, but also how to address incidents before they occur.

Smart homes, dumb devices: Making the IoT safe
The reality is that the home networks of average, uninformed users are rarely well protected.

The state of network security in organizations with 1000+ employees
Security team size at the largest organizations does not scale with the number of overall employees, but they are more likely to include staff with specialized roles.

New tactics subvert traditional security measures and strike organizations of all sizes
Alert Logic released its latest cybersecurity analysis, “Critical Watch Report: The State of Threat Detection 2018,” which shows attackers are gaining vastly greater scale through new techniques such as killchain compression and attack automation, expanding the range of organizations under constant attack regardless of industry or size.

New infosec products of the week: September 28, 2018
A rundown of infosec products released last week.

from Help Net Security – News

Facebook Security Bug Affects 90M Users

Facebook said today some 90 million of its users may get forcibly logged out of their accounts after the company fixed a rather glaring security vulnerability in its Web site that may have let attackers hijack user profiles.

In a short blog post published this afternoon, Facebook said hackers have been exploiting a vulnerability in Facebook’s site code that impacted a feature called “View As,” which lets users see how their profile appears to other people.

“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Facebook wrote. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Facebook said it was removing the insecure View As feature, and resetting the access tokens of 50 million accounts that the company said it knows were affected, as well as the tokens for another 40 million users that may have been impacted over the past year.

The company said it was just beginning its investigation, and that it doesn’t yet know some basic facts about the incident, such as whether these accounts were misused, if any private information was accessed, or who might be responsible for these attacks.

Although Facebook didn’t mention this in their post, one other major unanswered question about this incident is whether the access tokens could have let attackers interactively log in to third-party sites as the user. Tens of thousands of Web sites let users log in using nothing more than their Facebook profile credentials.

I have asked for clarification from Facebook on this point and will update this post when and if I receive a response. I would have expected Facebook to mention this as a mitigating factor if authorized logins at third-party sites were not impacted.

Facebook says there is no need for users to reset their passwords as a result of this breach, although that is certainly an option.

More importantly, it’s a good idea for all Facebook users to review their login activity. This page should let you view which devices are logged in to your account and approximately where in the world those devices are at the moment. That page also has an option to force a simultaneous logout of all devices connected to your account.

Check back for updates as more information becomes available.

from Krebs on Security

Big Facebook breach: 50 million accounts affected

Facebook has suffered a data breach affecting almost 50 million accounts. Another 40 million have been reset as a “precautionary step”.

What’s happened?

In a post on the site earlier today, Facebook’s VP of Product Management, Guy Rosen, said that the breach was discovered on Tuesday 25 September.

Attackers exploited a vulnerability in Facebook’s “View As” feature to steal access tokens, which are the “digital keys” that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app.

Rosen says the vulnerability is now fixed.

We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.

Those affected will now have to log back into Facebook, and any apps that use Facebook Login.

Facebook has also turned off the “View As” feature while it investigates. This function allows you to see what a particular friend, or people you aren’t friends with, can see on your profile, such as old profile photos or posts you might not have restricted access to.

It’s still early days but Facebook says it looks like the hole was opened when developers made a change to the video uploading feature way back in July 2017. The attackers then stole an access token for one account, and then used that account to pivot to others and steal more tokens.

Facebook says it doesn’t yet know if any accounts were misused or information was accessed.

What to do

If you’ve been logged out by Facebook then your account is one of those affected. Rosen says there’s no need for anyone to change their passwords, but out of an abundance of caution (and especially if you’ve got a weak or reused password) now is as good a time as any to change it. Pick a strong and unique one!

You can also choose to log out of all your Facebook sessions by going to Settings > Security and Login. On this page you can see a list of all the places you’re logged in. Scroll down the page until you see Log out of all sessions and click it.

from Naked Security – Sophos