Tripwire on flaws found in 7-Zip archiver

Researchers have found serious flaws in 7-Zip, an open source compression tool that is embedded in many products, including antivirus software and security appliances. 7-Zip is known for its high compression ratio and its ability to handle a large number of archive formats. The vulnerabilities stem from a lack of proper validation of input data.

Craig Young, Cybersecurity Researcher for Tripwire says, “It is important for users to exercise caution when extracting files from untrusted sources using 7-zip. Earlier this year I did my own research on 7-zip and found that the wide range of supported file formats creates a very large attack surface. With less than an hour of fuzzing the 7z extractor late last year, I also found several exploitable memory corruption bugs. The best advice for anyone downloading content and extracting it with 7z is to perform file extractions within an immutable virtual machine.”



Researchers release data set on nearly 70,000 users of dating site without even checking with the website owners

A group of researchers has released a data set on nearly 70,000 users of the online dating site OkCupid. The information was collected by Danish researchers who never contacted OkCupid, or its users, about using it.

Commenting on this, Rob Sobers, director at Varonis, said: “We have to live under the assumption that, if we make data public, it can and will be scraped and collected and archived permanently. The profile data is public, so technically this is not a hack or a breach. Anyone could easily get their hands on any individual user profile that is in the dump. However, what the researchers did was compile it all into one big structured data set, which makes it easy for both good guys and bad guys to analyse.

They should have stripped the usernames from the data dump to anonymise it. It was poor judgment not to do that. They claimed they left the usernames in the dump so that they could back-fill the dataset with more information in the future. But they could have used an anonymous unique ID and kept the mapping of anonymous IDs to usernames private and it would solve that problem.

It’s helpful to create data dumps for studies. OkCupid does this themselves. They often release really interesting findings about their users based on aggregate data. But today we have to be more security and privacy conscious—publishing data dumps with PII and sensitive information without adequate de-identification isn’t a good thing.

I don’t think the researchers here were after bragging rights, it seems like they were just naïve vis-à-vis the privacy implications of compiling OkCupid’s data into an easy-to-exploit format without any prior notice to OkCupid or the people involved.”
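The approach Sobers describes, replacing usernames with opaque IDs and keeping the username-to-ID mapping private so the study can still be back-filled later, as an added Python example (not the researchers' or OkCupid's code; the profile dump, field names and function names are constructed for illustration):

```python
"""Pseudonymising a scraped profile dump before release (constructed example)."""
import csv
import io
import secrets

# Constructed sample dump: the columns imitate a public profile export.
SAMPLE_DUMP = """username,age,gender,answer_q1
alice_ok,29,F,yes
bob_ok,34,M,no
alice_ok,29,F,maybe
"""


def parse_dump(text):
    """Read a CSV dump into a list of dicts, one per row."""
    return list(csv.DictReader(io.StringIO(text)))


def pseudonymise(rows, mapping=None, id_field="subject_id"):
    """Return (public_rows, mapping).

    The mapping (username -> opaque ID) is the private artefact: it is
    created if absent and reused otherwise, so the same user always gets
    the same ID and a later batch can be joined without republishing names.
    """
    mapping = dict(mapping or {})
    public_rows = []
    for row in rows:
        username = row["username"]
        if username not in mapping:
            # 64 random bits from the OS CSPRNG: unguessable and unrelated to the name.
            mapping[username] = secrets.token_hex(8)
        public = {k: v for k, v in row.items() if k != "username"}
        public[id_field] = mapping[username]
        public_rows.append(public)
    return public_rows, mapping


def backfill(public_rows, mapping, new_rows, id_field="subject_id"):
    """Attach a later batch (still keyed by username) using the private mapping.

    Returned users keep their earlier IDs; new users get fresh ones.
    """
    extra, mapping = pseudonymise(new_rows, mapping, id_field)
    return public_rows + extra, mapping


def release_is_clean(public_rows, mapping):
    """Pre-release check: no username from the private mapping appears in any field."""
    names = set(mapping)
    return all(value not in names for row in public_rows for value in row.values())


if __name__ == "__main__":
    released, private_map = pseudonymise(parse_dump(SAMPLE_DUMP))
    print("release clean:", release_is_clean(released, private_map))
    for row in released:
        print(row)
```

The public rows are what would be published; the mapping stays with the researchers and is the only way to re-link a subject to a username.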



SWIFT hit by another sophisticated malware attack

News broke last week that Swift, the global financial messaging network that banks use to move billions of dollars every day, had warned of a malware attack on a commercial bank. The attack, which is the second of its kind, was similar to the one that led to February’s $81 million cyberheist at the Bangladesh central bank.

Commenting on this, Simon Crosby, CTO and co-founder at Bromium, told @DFMag:

“This is yet another case of user error it seems. The challenge of course, is that users will always make mistakes, and that detection based defences are easy to bypass. But these challenges can be addressed with a new approach to endpoint security – isolation – that effectively renders all attacks harmless and automatically remediates them, using CPU based controls. Bromium has over 50 customers in the financial sector that use this approach to ensure that their endpoints are not compromised and their users can safely click on anything”.



Another month, yet another healthcare breach

Earlier this month it was reported that an employee at UnityPoint Health-Allen Hospital had been accessing files without authorisation over the course of about seven years, taking in names, health insurance information and, in some cases, Social Security numbers.

Commenting on this breach, David Gibson, VP of strategy and market development at Varonis, told @DFMag:

“Almost every organisation is vulnerable to insider threats – disgruntled employees, rogue administrators, employees who get phished or have their credentials stolen. Employees have access to a lot of sensitive data – usually far more than they need – and most organisations don’t track how they’re using it. Or abusing it.

Look at what’s happening with ransomware – one employee gets infected and then hundreds or thousands of files across network shares get encrypted – including files the employee should never have had access to in the first place.

A poll by Varonis reveals that more than a third of healthcare IT workers’ organisations have been infected with ransomware – the easiest insider threat to spot (the only one that promptly announces its presence). Ransomware and unfortunate incidents like the one at UnityPoint should inspire many organisations to reduce broad, unnecessary access and start monitoring and analysing what employees are doing to spot insider threats.”



FTC To Study Security Update Practices in Mobile Industry

In response to the FTC’s recent announcement of its intent to study security update practices within the mobile industry, Cesare Garlati, Chief Security Strategist of the prpl Foundation, former Vice President of mobile security at Trend Micro, and current co-chair of the Cloud Security Alliance Mobile Working Group, expressed to @DFMag a degree of frustration with the scope of the project.

According to Garlati, “Mobile is now just a small fraction of the devices that surround us. In the years that have passed since the FTC began publicly discussing this issue in 2013, the threat landscape has changed so much as to be almost unrecognizable. This effort is a good first step, but it needs to have a much wider scope in order to be effective—every connected device could pose a threat, and the hyper-focus on mobile security updates simply isn’t enough.

Every connected device needs a clear path for receiving these critical security updates. What good is it if your phone is up-to-date if your home access gateway has been exploited? What about all other consumer IoT devices? IoT is still very much in its infancy – with people eager to get their hands on the latest and greatest connected devices and manufacturers rushing to get them to market, and security is often an afterthought.”



Congress blocks lawmakers from accessing Appspot and Yahoo mail

Thomson Reuters has recently reported that the U.S. House of Representatives is tightening security by blocking lawmakers from accessing any software applications hosted on a Google cloud service, along with Yahoo Mail. The move comes after an increase in phishing attacks aimed at delivering ransomware.

Commenting on this news, Rich Barger, Chief Intelligence Officer at ThreatConnect Inc., shared this with @DFMag:

“This is likely happening because lawmakers and their staff are introducing risks (such as ransomware) from their personal Google and Yahoo accounts into U.S. House of Representatives infrastructure. It is important to consider how adversaries are keen on targeting the vulnerable user versus the vulnerable asset, and how our nomadic usage of personal email services can unknowingly introduce risks into our employer’s enterprise.

An alternate theory is the U.S. House of Representatives is acting on credible reporting from the FBI. One could also consider that risks of ransomware could be an effective and timely “cover story” where the underlying issue is that the personal email accounts of legislators and their staff are also being exploited by nation state actors. We have seen Google’s “” abused by nation state actors and leveraged as a medium for custom malware command and control (C2) for some time now”.



PhishMe Announces Simulator Small Business Edition and Releases Newly Improved CBT Training Modules

PhishMe Inc., a provider of human phishing defense solutions, today confirmed the release of Simulator™ Small Business Edition (SBE), a scaled version of its flagship Simulator solution. Built specifically for smaller organizations, Simulator SBE conditions employee security behavior to identify and deflect phishing attacks through proven, immersive education processes. PhishMe also confirmed new updates to its CBFree Modules, PhishMe’s free premium Computer Based Training (CBT) courses designed to deliver compliant, best-in-class security awareness education.

Simulator SBE accurately mimics real-life spear phishing scenarios and provides instant learning opportunities for recipients who fall for the exercises. It includes an expanded number of pre-built templates that emulate the latest tactics and techniques used by attackers. These templates are updated continuously based on threat intelligence feeds that PhishMe subscribes to, feedback from its customer base, and information collated by its internal research team.

“Phishing attacks are a problem for organizations of all sizes,” explains Jim Hansen, Chief Operating Officer of PhishMe. “In fact, 38% of spear phishing attacks target companies with under 250 employees because, rightly or wrongly, attackers often assume smaller organizations lack the advanced technology of large enterprises. The human element behind attacks is the reason the technology approach to security is failing. The attacker, a human, is constantly inventing new ways to penetrate your existing security stack. To launch an effective defense, you have to fight fire with fire. Or in this case, human with human, and engage your entire employee base in the war against phishing attacks.”

Simulator SBE is a quickly deployed, easy-to-manage SaaS application that delivers key features such as real-life phishing experiences, immediate education exercises to help change behavior, and reporting that identifies key areas of risk. The conditioning content in Simulator SBE is designed to be fun and engaging, ensuring strong adoption rates among end users as well as retention of security information.

The PhishMe SBE reporting dashboard provides company performance metrics as well as details about each employee’s review and response. These reports can be used to emphasize the ROI from user security behavior management training, tracking the effectiveness of the training over time, and identifying susceptible employees.

The newly updated CBFree Modules are designed to help global organizations satisfy auditing and compliance requirements regardless of whether the organization is a PhishMe customer or not. CBFree Modules feature highlights include:

SCORM and 508 compliance
New audio capabilities with closed captioning
Streamlined content for fast learning
Slide interactions throughout the modules
Improved learning activities with feedback slides for knowledge retention

Finally, PhishMe customers will enjoy full access to the new PhishMe Community online portal, where users can interact with peers and PhishMe experts in an open forum to discuss products and support, access PhishMe’s exhaustive knowledge base and exchange ideas.

Jim concludes, “Effectively changing user behavior is not accomplished with lengthy, time-consuming training modules, and our content is designed with this in mind. We make our experiential content fun and interactive; addressing the immediate issues with the phishing email they reacted to while still underscoring the seriousness of the issue. The conditioning experience focuses on providing approximately 90 seconds of targeted messaging that matches the context of each scenario. This conditioning helps employees act as human sensors to greatly reduce the organization’s attack surface.”



MWR’s HackFu Announces Remote Recruits Drive

MWR InfoSecurity has today confirmed that it has designed this year’s HackFu to allow an additional 100 players – from all walks of life – to participate. These remote delegates can take part virtually from anywhere in the world, providing additional support to the 100 delegates on the ground and helping teams crack puzzles and solve clues to complete the quest.

Having previously incarcerated participants in a decommissioned prison, and converted a gothic mansion in Gloucestershire into a Wild West town, this year HackFu will be hosted at a fictional, hapless cyber academy – The Cyber Corps!

Martyn Ruks, Technical Director at MWR expands, “HackFu is more than just a series of hacking challenges – it’s an immersive experience and attendees don’t just take part but become the characters in the story. While the main emphasis is learning the vital skills needed to deflect the blended cyber-attacks that organisations face daily, we also want it to be an enjoyable experience. This year we’re hoping to have a bit of fun with our theme and to use it to illustrate different teaching and training styles. There will also be a few twists and turns along the way and the scenario will help us with our storytelling, but we’ll be keeping those secret until the event itself.”

To ensure HackFu delivers on the event’s key objectives, participation at the event itself has to be restricted to 100 people. However, MWR is keen to expand beyond the physical limitations of the site, hence the recruitment of remote players. As at the physical event, challengers will need to compete in a series of online games and puzzles to help the teams accomplish their mission. To secure a spot on one of the remote teams, all people need to do is apply; applicants are accepted on a first come, first served basis.

Martyn confirms, “The challenge to win physical places at HackFu closed this week and we’ve had an overwhelming response, with applicants twice that of last year. Having the ability to offer an additional 100 places, by introducing the new remote participation component, will mean we can include players from around the world and from all walks of life – students, those in parallel industries and generally anyone wanting to break into the industry. Those competing remotely will be organised into teams and given access to some puzzles and challenges to solve remotely. These will range from non-technical through to those with heavy technical aspects so a range of skills and capabilities will be tested and a wide range of participants can take part. Both physical and virtual players will need to collaborate and work together as a team to be successful.”

Anyone wishing to apply for a place in the remote participation component of HackFu, or to find out more information should visit:



Nuix eDiscovery product gets significant upgrade

Nuix, the company recently involved in the Panama Papers investigation with Süddeutsche Zeitung and the ICIJ, announced a significant upgrade to Nuix 7.

The vendor offered @DFMag readers the following information regarding the enhancements to the product:

Global technology company Nuix today released version 7 of its patented processing engine, which extends the company’s big data capabilities to petabyte scale by giving customers the option of using Elasticsearch as the back-end database for Nuix case files. In parallel, Nuix will continue to update and support its existing architecture—which scales from the portability of a laptop to an enterprise data center—to maintain the performance and reliability customers expect.

“The biggest data challenge every organization faces, now and into the future, is how to find, analyze, and correlate critical facts from ever increasing volumes of complex data while retaining the accuracy and forensic precision they’re used to,” said Eddie Sheehy, CEO of Nuix. “With Nuix 7, we are investing in the future of our customers and our technology. We’ve built an architecture that will address their needs today, tomorrow, and in years to come.”

With Nuix 7, customers can:

Hyper-scale their processing and search capacity—scaling within a single large server or across multiple high- or low-powered machines by combining the patented Nuix Engine with Elasticsearch as a database platform.
Understand hidden relationships—using the redesigned Nuix Context interface that leverages the OrientDB graph database to connect items more efficiently.
Get ready for real time—adding the advanced capabilities of Elasticsearch positions Nuix to make the transition to real-time search and analysis in future products.
Dig deeper with greater forensic precision—going deeper into file system and forensic artifacts to assist with investigations, cybersecurity incident response, and eDiscovery.
Apply enhanced image analysis—combining facial recognition with skin-tone analysis to quickly filter down to relevant images for investigation.
Address more enterprise data—extending the power of Nuix to data in EMC Documentum document management systems and other enterprise sources.

Combining Nuix 7 with Elasticsearch allows customers to take full advantage of the database platform’s renowned scalability, durability, and real-time searching and analysis. Customers can run tens or hundreds of Nuix workers—scaling vertically within a single server or horizontally across multiple machines—and seamlessly consolidate all that information into a single Elasticsearch index. This greatly improves the performance of processing, searching, and exporting. It also makes it possible to search and correlate information across archives of historical Nuix cases and other information and intelligence sources.

“Even petabyte-scale data sets are no longer a challenge with Nuix and Elasticsearch working together,” said Sheehy. “Our customers can confidently plan to handle much larger data sets and more advanced searching capabilities, with Nuix reliably at the center of those plans.”

Nuix has redesigned the Context investigative interface with input from specialists in digital forensics and user experience. The Context interface uses the OrientDB graph database to make connections between people, objects, locations, and events.

“Customers can use timeline analysis, context bubbles, and automatic linking to slice and dice evidence,” said Sheehy. “This makes it much easier for investigators to tell stories from large data sets and quickly understand the facts of the case, as the ongoing Panama Papers investigation has demonstrated in dramatic fashion.”



Hacker skills in demand by British Businesses

Cybersecurity service provider SecureData has today released research that reveals 34% of businesses would look to the black hat community to compensate for a lack of in-house skills.

Almost half (43%) of those surveyed at SecureData’s annual customer event in London also reported that an industry skills shortage is affecting their ability to adopt data-driven security, which 97% now believe is a prerequisite for any modern cybersecurity strategy.

The survey also revealed that while 80% of organisations are responding to incidents in-house, only 8% feel they are equipped to produce contextual threat intelligence – a core component of a data-driven cybersecurity strategy. To tackle this issue, two-thirds (61%) of businesses believe outsourced skills will be needed.

SecureData CEO Etienne Greeff believes it’s little wonder businesses are considering ex-hackers for in-house security roles: “The IT security skills shortage isn’t a new debate, but it has now reached a point where it’s critical for businesses to think like the bad guys to stay one step ahead”.

Away from the security skills saga, other prominent factors preventing organisations from adopting a data-driven approach include lack of time and resource (67%) and lack of C-level buy-in (25%); tellingly, not one respondent claimed they had no need for data-driven security.

“Firms are moving from reactive, device-led protection strategies, to proactive detection and response, empowered by intelligence-led visibility and control,” adds Greeff. “But a mass of information isn’t intelligence; this raw data must be transformed by people with an offensive mindset and combined with processes and technologies to yield intelligence that’s both useful and useable”.

However, only 14% of respondents are already implementing data-driven strategies in their organisations. Despite almost all firms (92%) planning to adopt data-driven security, a third (33%) reported that implementation is still up to a year away, while even more (36%) said five years was a realistic timescale.

Greeff concludes: “In a world where every business is a digital business and no industry is safe from cyber attacks, it’s unsurprising that everyone is chasing the huge benefits of smarter security. From faster attack detection and response, to a better understanding of threats, or the ability to focus resources on the risks that matter, data-driven security is our best hope for solving today’s cybersecurity deadlock, which is something that can only be achieved by security personnel in tune with the black hat way of thinking”.

The survey was conducted at SecureData’s annual customer event, Security Focuses, in London in November 2015, with 288 responses gathered from senior IT security decision-makers both at the event and in post-event online surveys.