Submission + - Linux GRUB2 Bootloader Flaw Breaks Secure Boot On Most Computers and Servers (csoonline.com)

itwbennett writes: Patches were announced today for a vulnerability in the GRUB2 Linux bootloader that allows attackers to bypass boot process integrity verification. Because of how Secure Boot is implemented, the flaw can also be used to compromise the booting process of Windows and other systems. ‘The vulnerability found by Eclypsium is tracked as CVE-2020-10713 and is rated 8.2 (high) in the Common Vulnerability Scoring System (CVSS), but it's not the only one,’ writes Lucian Constantin for CSO. ‘After the company privately reported the vulnerability, a security audit of the GRUB2 code base was performed by security teams from Oracle, Red Hat, Canonical and VMware, resulting in dozens of other vulnerabilities and dangerous code operations being found and fixed. Some of them also have CVE identifiers — CVE-2020-14308, CVE-2020-14311, CVE-2020-14309 and CVE-2020-14310 — but others do not.’

Submission + - SPAM: RubyGems Typosquatting Attack Hits Ruby Developers with Trojanized Packages

itwbennett writes: Researchers at threat intelligence firm ReversingLabs have found a typosquatting attack on the RubyGem code repository. The malicious packages, which were uploaded in February, use names similar to legitimate packages and contain a 'script that, when executed on Windows computers, hijacked cryptocurrency transactions by replacing the recipient's wallet address with one controlled by the attacker,' reports Lucian Constantin for CSO. RubyGems does use an anti-typosquatting mechanism, 'but it appears that the attacker has found patterns that the algorithm misses,' Tomislav Pericin, co-founder and chief software architect at ReversingLabs, tells CSO. 'This is the third time we've detected this actor in the RubyGems repository.'

Submission + - Bug Bounty Platforms Buy Researcher Silence, Violate Labor Laws, Critics Say (csoonline.com)

itwbennett writes: HackerOne and Bugcrowd have evolved into marketplaces where security researcher silence is bought and sold, to the detriment of society, their critics say. CSO's JM Porup investigated bug bounty platforms and found that they have 'turned bug reporting and disclosure on its head, what multiple expert sources, including HackerOne's former chief policy officer, Katie Moussouris, call a 'perversion'.' With bounty payouts as the 'carrot,' CFAA threats are the stick:

Sign this NDA to report a security issue or we reserve the right to prosecute you under the Computer Fraud and Abuse Act (CFAA) and put you in jail for a decade or more. That's the message some organizations are sending with their private bug bounty programs.

Bug bounty platforms are exploiting hackers, @d0tslash says.

Most egregious to me is many of us are some form of on [the autism] spectrum and we will literally work ourselves to death hunting bugs ultimately for little return on immediate efforts.


Submission + - UK Supreme Court Rules Morrisons Not Liable for Data Breach Caused by Insider (csoonline.com)

itwbennett writes: In what is called in this article a 'great result' for employers, the UK Supreme Court has ruled that the Morrisons supermarket chain is not liable for a data breach caused by a malicious insider because '[the employee] was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question,' Lord Reed said in a live-stream video explaining the decision. 'The case, WM Morrisons Supermarket PLC v Various Claimants, was the first in the UK to test whether companies could be vicariously liable for cybersecurity incidents caused by the actions of employees and therefore need to pay compensation to victims, and could have had costly ramifications for both the retailer and companies across the UK,' Dan Swinhoe writes for CSOonline.

Submission + - Attack Campaign Hits Thousands of MS-SQL Servers for Two Years (csoonline.com)

itwbennett writes: An average of 2000 to 3000 publicly exposed Microsoft SQL servers a day are being infected with remote access Trojans and cryptominers as part of an attack campaign that has been traced back to 2018, reports Lucian Constantin in CSOonline. While the primary goal of the attack seems to be cryptocurrency mining, ‘what makes these database servers appealing for attackers apart from their valuable CPU power is the huge amount of data they hold,’ say researchers from Guardicore who investigated the attacks. The researchers also note that most machines (60%) stay infected only briefly, but ‘almost 20% of all breached servers remained infected for more than a week and even longer than two weeks,’ and 10% become reinfected. Infections from this campaign are thorough and have multiple components, and the attackers aggressively remove malware from competitors from targeted machines, says Constantin.

Submission + - Cybercriminal Group Mails Malicious USB Dongles to Targeted Companies (csoonline.com)

itwbennett writes: Security researchers from Trustwave SpiderLabs have disclosed the first known, in the wild use of the BadUSB exploit, in which a USB dongle is 'reprogrammed so that, when inserted in a computer, it reports that it's actually a keyboard and starts sending commands that could be used to deploy malware,' writes Lucian Constantin for CSOonline. According to the researchers, such a USB device was mailed to a US company in February, packaged with the promise of a $50 gift card good for use on 'any product from the list of items presented on an USB stick.'

Submission + - APIs a Target for Credential Stuffing Attacks (csoonline.com)

itwbennett writes: According to a new report from Akamai, nearly 20% of attempted credential stuffing attacks, a type of brute-force attack where criminals use lists of username and password combinations to gain access to accounts, are now done through APIs rather than user-facing login pages. And the number is higher in the financial services industry 'where the use of APIs is widespread and in part fueled by regulatory requirements,' and competition from fintech startups, writes Lucian Constantin for CSO. Credential stuffing has become more of an issue in recent years because of the billions of stolen credentials that have been dumped on the internet and 'API usage and widespread adoption have enabled criminals to automate their attacks,' Akamai said in its report, adding that several problems with API development, such as the lack of rate limiting for authentication attempts, make it easier for attackers to abuse them.

Submission + - Boeing Fails at Information Security Basics (csoonline.com)

itwbennett writes: Security researcher Chris Kubecka has identified (and reported to Boeing and the Department of Homeland Security back in August) a number of security vulnerabilities in Boeing’s networks, email system, and website. ‘[T]he company's failure to remedy the security failures she reported demonstrate either an unwillingness or inability to take responsibility for their information security,’ writes JM Porup for CSO online. The vulnerabilities include a publicly exposed test developer network, a lack of encryption on the boeing.com website, failure to use DMARC for email security, and, perhaps most notably, an email server infected with malware. For its part, Boeing says that the vulnerabilities Kubecka reported are ‘common IT vulnerabilities — the type of cyber-hygiene issues thousands of companies confront every day’ and that the company has ‘no indication of a compromise in any aviation system or product that Boeing produces.’ What Porup’s reporting and Kubecka’s research clearly show, however, is how poor information security practices can become aviation security risks.

Submission + - Cryptojacking Worm Infects Exposed Docker Deployments (csoonline.com)

itwbennett writes: Researchers from Palo Alto Networks have discovered a self-spreading, cryptojacking botnet that has infected over 2,000 Docker Engine deployments. “This is the first time we see a cryptojacking worm spread using containers in the Docker Engine (Community Edition),” the researchers said in a report released today. The new worm, dubbed Graboid, was distributed from Docker Hub, a public repository of Docker container images. Attackers uploaded images to Docker Hub with malicious scripts that, when executed, deployed the malware to other insecure servers. The researchers found several container images associated with the attack for different stages of the infection chain. They were removed after the Docker Hub maintainers were notified of the abuse.

Submission + - Critical Remote Code Execution Flaw Fixed in Popular Terminal App for macOS (csoonline.com)

itwbennett writes: iTerm2 users: It’s time to upgrade. A security audit sponsored by the Mozilla Open Source Support Program uncovered a critical remote code execution (RCE) vulnerability in the popular open-source terminal app for macOS. The flaw, which is now tracked as CVE-2019-9535, has existed in iTerm2 for the past seven years and is located in the tmux integration. The flaw was fixed in iTerm2 version 3.3.6, which was released today.

Submission + - Magecart Web Skimming Group Targets Public Hotspots and Mobile Users (csoonline.com)

itwbennett writes: Researchers from IBM have found what appear to be test scripts developed by one of the web skimming groups that operate under the Magecart umbrella to inject payment card stealing code into websites through commercial routers like those used in hotels and airports. 'Having access to a large number of captive users with very high turnover, like in the case of airports or hotels, is a lucrative concept for attackers looking to compromise payment data,' the X-Force team said in its report. The compromise of Wi-Fi routers allows attackers to steal data when users are initially prompted to register and pay for using the internet, but also later, by automatically injecting skimming scripts into all websites accessed by users through those devices, writes Lucian Constantin for CSO. 'Unlike Magecart attacks that are tailored for one website or brand, this is a catch-all type of compromise.'

Submission + - SPAM: 6 Questions Candidates Should Ask at Every Security Job Interview

itwbennett writes: Most of us are well used to potential employers asking us 'culture fit' questions — trying to figure out whether we'd play well on their team, if we're likely to be prima donnas or subvert authority. But thanks to the massive skills shortage, security professionals are in the enviable position of having their pick of potential employers. And this gives them license to ask the kinds of questions that, frankly, we all should have been asking all along. In this article on CSOonline, JM Porup highlights the questions would-be employees should be asking potential employers to find out if they'd be walking into a toxic security culture. Question number one: 'Tell me about a time when the CEO had security's back.' — you can expect stammering when the hiring manager tries to answer that one.

Submission + - Secrets of Latest Smominru Botnet Variant Revealed in New Attack (csoonline.com)

itwbennett writes: Researchers from security firm Guardicore recently gained access to one of the core command-and-control servers of cryptomining botnet Smominru. The latest variant of Smominru, documented by researchers from Carbon Black in August, uses several methods of propagation, including the EternalBlue exploit, which has been known and patched since 2017. The Smominru attacks, which infected around 90,000 machines from more than 4,900 networks worldwide at an infection rate of 4,700 machines per day, don’t target specific organizations or industries, but US victims included higher-education institutions, medical firms and even cybersecurity companies, according to Guardicore. Over half of the infected machines (55%) were running Windows Server 2008 and around a third were running Windows 7 (30%). ‘This is interesting because these versions of Windows are still supported by Microsoft and receive security updates,’ writes Lucian Constantin for CSOonline.

Submission + - Misconfigured WS-Discovery in Devices Enables Massive DDoS Amplification (csoonline.com)

itwbennett writes: In a report published today, Akamai researchers warn that attackers have already started abusing Web Services Dynamic Discovery (WS-Discovery or WSD), a UDP-based communications protocol used to automatically discover web-based services inside networks, as a DDoS amplification technique and are ramping up their attacks. (The researchers were able to achieve amplification rates of up to 15,300%.) WSD has been used by printers, cameras and other types of devices for over a decade, including by various Windows features starting with Windows Vista. Although most automated service discovery and configuration protocols, including UPnP (Universal Plug and Play), SSDP (Simple Service Discovery Protocol), Simple Network Management Protocol (SNMP) and WSD, were designed for use on local networks, many devices come with insecure implementations that expose these protocols to the internet, allowing attackers to abuse them in DDoS reflection and amplification attacks, writes Lucian Constantin for CSOonline.

Submission + - New Spectre-like CPU Vulnerability Bypasses Existing Defenses (csoonline.com)

itwbennett writes: Researchers from security firm Bitdefender discovered and reported a year ago a new CPU vulnerability that 'abuses a system instruction called SWAPGS and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre,' writes Lucian Constantin for CSO. There are three attack scenarios involving SWAPGS, the most serious of which 'can allow attackers to leak the contents of arbitrary kernel memory addresses. This is similar to the impact of the Spectre vulnerability.' Microsoft released mitigations for the vulnerability in July's Patch Tuesday, although details were withheld until August 6 when Bitdefender released its whitepaper and Microsoft published a security advisory.
