One in every 172 active RSA certificates is vulnerable to attack

A vulnerability has been discovered in RSA certificates that could compromise one in every 172 certificates currently in active use.
On Saturday, at the First IEEE Conference on Trust, Privacy, and Security in Intelligent Systems and Applications in Los Angeles, California, a team of researchers from Keyfactor presented their findings on the security posture of digital certificates, ZDNet reported.

In response, Michael Barragry, operations lead and security consultant at edgescan, stated:
As is generally the case with cryptographic flaws, this issue is due to a fault in the implementation rather than any weakness with the underlying mathematics. Public key certificates are one of the key pieces of infrastructure that enable various devices and servers to securely identify and trust each other. If a malicious actor can successfully spoof a certificate for a particular device, they can essentially masquerade as that device. Depending on the trust chain that it lies within, multiple further attacks may be possible.
Vendors need to be conscious of the potential upstream impact of all design decisions, as in this case it seems like an innocuous shortcut around random number generation has given rise to a much more serious flaw.

End-users should ensure that all devices in their infrastructure are kept patched and updated with the latest firmware. Devices of higher criticality should use multi-factor authentication for an additional layer of security.


Honda exposes 26,000 customer records

Automotive company Honda has exposed approximately 26,000 vehicle owner records belonging to North American customers, due to an ElasticSearch cluster misconfigured on October 21, 2019. The publicly accessible server, discovered by a Security Discovery researcher on December 11, was secured within hours by Honda’s security team in Japan. The server is said to have housed information such as customer names, email addresses, phone numbers, mailing addresses, and car service information. The company has said that no financial information was exposed.

You can read more here: https://www.bleepingcomputer.com/news/security/honda-exposes-26-000-records-of-north-american-customers/

Peter Draper, technical director EMEA at Gurucul comments:

“The plethora of databases (especially MongoDB and Elastic) that have been made publicly available with no security is staggering. You would expect that every company using the technologies constantly reported on for breaches would actively seek out and secure their own services. But no, it’s still happening.

Misconfiguration is one of the main reasons resources get compromised. Let’s hope that during the period mentioned the information was not accessed by nefarious individuals other than the security researchers.

Enterprises must be more focused on protecting users’ data and have the right tools, personnel and processes to do so robustly.”


Cross-Site Scripting (XSS) Makes Nearly 40% of All Cyber Attacks in 2019

Cyber-attacks have targeted nearly 75 percent of large companies across Europe and North America over the last twelve months. According to PreciseSecurity.com research, almost 40 percent of all cyber-attacks in 2019 were performed using cross-site scripting, which is hackers’ favorite attack vector globally.

Challenge and Opportunity to Learn are Main Reasons for Hacking Companies

Cross-site scripting or XSS is a type of injection attack, in which malicious scripts are injected into trusted websites. Most of the XSS attacks are performed by using a web application to send malicious code, mostly in the form of a browser side script, to a different end-user. The statistics show SQL injection is the second most used attack vector globally, followed by fuzzing.
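The injection the paragraph describes, as an added example that is not from the article or from PreciseSecurity.com: a page that reflects a search query into its HTML, shown in its vulnerable form beside the hardened form that escapes the query first, plus a check a test suite could run over the rendered output. Function names (escapeHtml, renderSearchPage*, containsUnexpectedTags) and the sample query are this example's own.

```javascript
// Added example (not from the article): reflected XSS and its fix.
// The page echoes a user-supplied query into HTML. The vulnerable version
// concatenates the raw string; the hardened version escapes it for an HTML
// text context first, so injected markup is shown as text, not executed.

// Escape the characters that are significant in HTML text and attribute contexts.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: untrusted query text is inserted into the markup unchanged, so
// any tags it carries become part of the page served to another end-user.
function renderSearchPageVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: same template, but the query is escaped before insertion.
function renderSearchPageSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Defensive check for tests: does the rendered HTML contain any tag name
// that the template itself does not use?
function containsUnexpectedTags(html, templateTags) {
  const found = (html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || []).map((t) =>
    t.replace(/[<\/]/g, "").toLowerCase()
  );
  return found.some((tag) => !templateTags.includes(tag));
}

// Constructed sample: a query carrying a script tag, as a crafted link to a
// trusted site would deliver it to a victim's browser.
const SAMPLE_QUERY = 'shoes<script>alert(1)</script>';

console.log(renderSearchPageVulnerable(SAMPLE_QUERY)); // script tag survives
console.log(renderSearchPageSafe(SAMPLE_QUERY));       // rendered as harmless text
```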

However, the 2019 surveys revealed some interesting facts about hackers’ reasons for choosing which company to hack. Nearly 60 percent of them named the challenge and the opportunity to learn as the primary reason for carrying out cyber-attacks. Forty percent of hackers perform the attacks because they simply like the company, while 36 percent of them want to test the security team’s responsiveness.

More than 72 Percent of Hackers Attack Websites

With 72.3 percent of all cyber-attacks targeting websites, the 2019 data indicates this is the hackers’ favorite platform for attacks globally. Because of its massive user base, WordPress is one of the prime targets of hackers, and 98 percent of WP platform vulnerabilities are related to plugins.

An application programming interface (API) is the second most targeted platform, with a 6.8 percent share of global hacking incidents. The statistics show that around 7 percent of hackers choose Android mobile devices and operating systems for performing attacks. Attacks aimed at downloadable software and the Internet make up only 3.9 percent of all hacking incidents globally.

The full story can be read here: https://www.precisesecurity.com/articles/cross-site-scripting-xss-makes-nearly-40-of-all-cyber-attacks-in-2019/


267 million Facebook users’ IDs and phone numbers exposed online - Comment

A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication. In total 267,140,436 records were exposed. Each contained:
  • A unique Facebook ID
  • A phone number
  • A full name
  • A timestamp
The server included a landing page with a login dashboard and welcome note. Facebook IDs are unique, public numbers associated with specific accounts, which can be used to discern an account’s username and other profile info. The full report can be found here: https://www.comparitech.com/blog/information-security/267-million-phone-numbers-exposed-online/

Commenting on this, Tim Mackey, Principal Security Strategist at the Synopsys CyRC (Cybersecurity Research Centre), said: “Another day, another unsecured database found on the internet. With this database containing Facebook-related data, it’s obvious to ask what role Facebook might have played in this activity. In this case, we can look to two specific areas: the Facebook API and the public settings of Facebook accounts. In both cases, the scope of data available to third parties has varied over time. This varied access model illustrates a key lesson for anyone implementing an API: build a threat model which includes malicious use of the data available from the API. In effect, if there is interesting data to be had via an API, then anyone interested in that data will eventually discover the API and either use or misuse it. In other words, given access to any data, people will find a way to use, and potentially misuse, it.

This same paradigm applies to public settings like those used within Facebook, but with a twist. Where an API is targeted at developers who have security training, properly securing public settings historically has expected the end user to set them properly. In other words, companies have expected lay users to understand the privacy implications of whatever settings they provided. This is an unrealistic expectation given that the lay user has no mechanism or experience to vet the security practices of any business. They place their trust in that business to “do the right thing” with their data. Which means that any threat model around access to user data needs to incorporate what the potential reputational damage to the business might be if the default access controls are set incorrectly.”

Irfahn Khimji, country manager for Canada at Tripwire Inc, added: “It is important for anyone using the internet to remember that anything posted online, once posted, can potentially be seen by anyone. As we have seen in recent data breaches, everything from phone numbers to health records has been made public. Practice due care and ensure that only information one is comfortable with being made public is freely posted on social media sites.”

Jonathan Devaux, head of enterprise data protection at comforte AG, concluded: “It seems FB is in the news every month with a cybersecurity issue. The term ‘too big to fail’ may not apply to Facebook, but they do seem to be failing at data security, left and right. Even though the California Consumer Privacy Act (CCPA) is not finalized, when it does become enforceable in early 2020, it is possible that Facebook users (and ex-users) will exercise their rights under CCPA, which could force FB to take a more serious approach to improving their security posture.”

Don’t lose sight of visual privacy when protecting data

By Peter Barker, 3M

Information security management should include all ways in which data is shared or viewable, and that includes visual privacy. With so much focus on cyber-threats, visual privacy has perhaps not been given the attention it needs, but that is changing fast, with organisations of all kinds incorporating this form of physical information security into their overall security strategies.

This has partly been driven by the fact that visual privacy is implicit within the General Data Protection Regulation (GDPR), which, as a principle-based regulation, puts the onus on organisations to think about GDPR requirements rather than regulators giving them a list of specific actions to follow. So, it does not matter whether an unauthorised data disclosure results from a hacker launching a sophisticated cyber-attack or from a stranger taking a picture of potentially highly sensitive data displayed on an employee’s laptop screen. As well as the GDPR, ensuring visual privacy is implicit or explicit in a variety of industry-specific guidelines or standards, including financial services, legal, healthcare, education and the public sector.

Compliance is not, however, the only reason that organisations are taking visual privacy more seriously. There is a growing realisation of just how easy ‘visual hacking’ or ‘shoulder-surfing’ is to achieve. The most robust security software in the world is immediately undermined should someone view or even photograph confidential information on a document or screen. Company information can be sold, identities stolen and user credentials used to hack into a corporate network.

In the Global Visual Hacking Experiment conducted in 2016 by global security specialist The Ponemon Institute and sponsored by 3M, the science-based technology company, a white hat hacker posed as a temporary office worker in offices in eight countries (with the participating organisations’ permission). The hacks were successful in more than 90 per cent of attempts, with 49 per cent taking 15 minutes or less. The hacker was only challenged in approximately a third of attempts. This shows just how easy visual hacks are to achieve: no specialist skills are required. Alarmingly, anyone can be a visual hacker.

That study was conducted inside open plan offices, but the potential risk landscape expands as people increasingly work in public spaces. According to a 2019 Quocirca survey of more than 1,500 organisations, 66 per cent believe their workforces will be mobile by 2025. In the Open Spaces survey conducted by the Ponemon Institute, nine out of ten people questioned had caught someone looking at data on their laptops in public.

Stop visual hacks in their tracks

Fortunately, improving visual privacy is achievable through a number of methods. Here are some of the steps that banks, fintech vendors and other firms involved in the financial sector are already implementing.

1. Awareness and management support – ensure that employees are not only aware of the visual hacking risk, but also their own responsibility to keep information secure from prying eyes. Plus, as is often the case in so many initiatives, visual privacy measures are more likely to be followed if they are backed at executive level.

2. Clear it away – paper can be a visual security risk too, so make sure that confidential papers are not left where they can be observed or photographed. Likewise, make sure that mailroom, copier, printer trays and fax machines do not contain documents yet to be collected. ‘Pull printing’ is a technique built into some modern machines that ensures documents can only be collected by an authorised person. Shredding and reduction of paper usage should be routine by now.

3. Speak up – employees should feel empowered to politely confront or report anyone they do not recognise, who is not displaying clear ID, or who is in an unauthorised location.

4. Make it hard – angle screens away from easy viewing. In public, sit with backs to a wall. Screensavers and automatic log-outs are nothing new, but are highly effective at reducing the amount of time displays can be seen.

5. Use privacy filters – the latest generation of these are designed to be easily flipped up or down, depending on when someone wants to share their screen. When down, on-screen data is only visible straight on and at close range, so someone taking a sideways glance or from a seat in the row behind will see just a blank image. Filters can be applied to monitors, laptops, tablets and even smartphones.

Security management is a multi-faceted challenge, but reducing the risk of visual hacking is one measure that is relatively simple, fast and cost-effective. For any organisation, whether in the financial sector or not, building better visual privacy into security policies is a smart decision.


LifeLabs reveals data breach, pays ransom to secure personal info of 15M people

The personal information of 15 million Canadians may have been exposed after a company that performs diagnostic, naturopathic, and genetic tests had its computer systems hacked.

LifeLabs announced the breach on its website, saying it discovered the hack through proactive surveillance.

The company says it paid a ransom in order to secure the data, including test results from 85,000 Ontarians. It says that the majority of affected customers are from B.C. and Ontario, and the breach was discovered at the end of October.

The compromised test results were from 2016 and earlier and LifeLabs says there is no evidence that results were accessed in other provinces aside from Ontario, it was reported.

In response, Javvad Malik, security awareness advocate at KnowBe4 comments:

“There are few details available at the moment, so it’s difficult to say how the breach occurred. All that we know at the moment is that an unauthorised third party managed to gain access to a large dataset of customer information.

It looks like the criminals were successfully able to extort money from LifeLabs, but paying criminals is no guarantee they won’t re-sell the data, or use it to compromise users further. So customers should be wary of any emails they receive, particularly ones which may claim to be from LifeLabs.

Additionally, customers should take advantage of any identity theft protection that is offered and keep an eye on their credit records.”


Ring and Nest security cameras targeted by hacking groups - Comment

It has been reported that Ring and Nest security cameras are being targeted by hacking groups who harass homeowners and broadcast the abuse on a podcast, including a chilling ‘I’m Santa Claus’ threat to an eight-year-old girl. The string of hacks is being linked back to a podcast that broadcasts the intrusions for laughs. According to a report from Motherboard, a podcast dubbed NulledCast has been involved in a number of hacks on the Amazon-owned Ring security cameras in which hackers commandeer the device’s microphone to harass victims on the other side.

Commenting on this, Gavin Millard, VP of intelligence at Tenable, said “This week, we’ve seen a number of stories of Ring cameras being compromised. These intrusions aren’t due to vulnerabilities in the firmware but how the devices have been set up. According to a blog post from Ring, attackers are using stolen credentials from previous, unrelated breaches against Ring accounts to see if the ‘keys’ work, often referred to as credential stuffing.

“I personally use Ring for my own home, and one of the reasons I chose their ecosystem was its support of two factor authentication, although this isn’t enabled by default. This means users must select this option for themselves when installing the devices.

“At the moment, many IoT device manufacturers consider usability versus security for an end-user’s ‘out of the box’ experience. I’d advocate this must be reversed so we see security policies, such as two factor authentication, enabled by default. Until then, do yourself a favour and take the time to set it up – it’s a simple process that takes 30 seconds and the additional peace of mind is worth it.”
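The credential stuffing Millard describes leaves a distinctive trace in authentication logs: one source replaying leaked username/password pairs against many different accounts in a short burst, most of them failing. As an added example that is not from the article or from Ring, the detector below runs that check over a constructed log; the log format, the thresholds and the function names (parseLine, detectCredentialStuffing) are this example's own assumptions.

```javascript
// Added example (not from the article or from Ring): flag the credential-stuffing
// pattern in login logs. Stuffing replays leaked username/password pairs, so the
// tell is one source IP trying MANY DIFFERENT accounts within a short window,
// unlike a brute-force attempt that hammers a single account. Log format,
// thresholds and sample data are constructed for this demo.

// Constructed auth log: 203.0.113.7 cycles through six accounts in about 20 s
// (one succeeds); 198.51.100.4 is one user mistyping a password, then logging in.
const SAMPLE_LOG = [
  "2019-12-12T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL",
  "2019-12-12T10:00:03Z ip=203.0.113.7 user=bob@example.com result=FAIL",
  "2019-12-12T10:00:05Z ip=198.51.100.4 user=carol@example.com result=FAIL",
  "2019-12-12T10:00:06Z ip=203.0.113.7 user=dave@example.com result=FAIL",
  "2019-12-12T10:00:09Z ip=203.0.113.7 user=erin@example.com result=FAIL",
  "2019-12-12T10:00:12Z ip=198.51.100.4 user=carol@example.com result=FAIL",
  "2019-12-12T10:00:14Z ip=203.0.113.7 user=frank@example.com result=OK",
  "2019-12-12T10:00:20Z ip=198.51.100.4 user=carol@example.com result=OK",
  "2019-12-12T10:00:22Z ip=203.0.113.7 user=grace@example.com result=FAIL",
];

// Parse one "ts ip=... user=... result=..." line; returns null for anything else.
function parseLine(line) {
  const m = line.match(/^(\S+) ip=(\S+) user=(\S+) result=(\S+)$/);
  if (!m) return null;
  return { ts: Date.parse(m[1]), ip: m[2], user: m[3], ok: m[4] === "OK" };
}

// Flag any source IP that touches >= minDistinctUsers distinct accounts within
// windowMs. The alert lists the accounts that accepted a login during the burst:
// those credentials were valid elsewhere too and need a reset plus 2FA.
function detectCredentialStuffing(lines, { minDistinctUsers = 5, windowMs = 5 * 60 * 1000 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const alerts = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.ts - b.ts);
    let best = null;
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      // Slide the window start forward until it lies within windowMs of events[end].
      while (events[end].ts - events[start].ts > windowMs) start++;
      const slice = events.slice(start, end + 1);
      const users = new Set(slice.map((x) => x.user));
      if (!best || users.size > best.distinctUsers) {
        best = {
          ip,
          distinctUsers: users.size,
          failures: slice.filter((x) => !x.ok).length,
          successfulLogins: [...new Set(slice.filter((x) => x.ok).map((x) => x.user))],
        };
      }
    }
    if (best && best.distinctUsers >= minDistinctUsers) alerts.push(best);
  }
  return alerts;
}

console.log(JSON.stringify(detectCredentialStuffing(SAMPLE_LOG), null, 2));
```

A real deployment would key on more than the source IP (stuffing tools rotate through proxies), but the distinct-accounts-per-source ratio is the signal that separates this pattern from ordinary failed logins.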

 


VISA Warns of Ongoing Cyber Attacks on Gas Pump PoS Systems

It has been reported that the point-of-sale (POS) systems of North American fuel dispenser merchants are under an increased and ongoing threat of being targeted in attacks coordinated by cybercrime groups, according to a security alert published by VISA.

Three attacks of this type, with the end goal of scraping payment card data, were observed during the summer of 2019, according to the Visa Payment Fraud Disruption (PFD) team.

In response, Nigel Stanley, CTO at TUV Rheinland, commented:

“It’s simple – hackers follow the money and go where their return-on-hacking-investment works out best. POS and similar systems have always been an attractive target, as cybersecurity has historically been an afterthought for many POS system vendors. No doubt the pumps themselves are being eyed up by threat actors intent on getting some free fuel!”


Cybereason Joined by Former Members of GCHQ, Foreign Office and Metro Police to Protect the UK General Election from Hackers

Cybereason’s Operation Blackout London Tabletop Simulation explored how territorial police services recognise and handle attempts to disrupt the election in a fictional UK city

Cybereason, creators of the leading Cyber Defense Platform, and former members of the British Government and the Metropolitan Police, came together on Wednesday December 11 at Operation Blackout in London. The inaugural London event was a simulation of a hack in a fictitious UK city, Adversaria.

During the Operation Blackout simulation, Red and Blue teams faced off in a strategic duel. The Red team, led by Yossi Rachman, Cybereason’s head of security research, and other hackers, was determined to disrupt voting on election day in the made-up British city. The Blue team, tasked with defending the city, led by Alessandro Telami, a senior director at Cybereason, also included former members of GCHQ, the Foreign Office and the Metropolitan Police.

The goal of the tabletop exercise was to examine and advance the organisational responsiveness of government entities to an anarchic group’s attempts to undermine institutions and systems of governance. To date, most other election hacking discussions and exercises have focused on the mechanics and minutiae of hacking election equipment or contaminating and violating the integrity of voter rolls.

“Both teams performed well, and they deployed a number of tactics and techniques throughout Operation Blackout London. However, in the end, the Red Team wasn’t able to achieve its goals, and the Blue Team scored a clear victory because they were able to maintain their goals of limiting disruptions and maintaining normalcy and open and free elections. Overall, Blue communicated very effectively with public officials and publicly trusted channels to stop misinformation campaigns and greatly minimise disruptions,” said Israel Barak, Cybereason’s Chief Information Security Officer and Operation Blackout London White Team Leader.

“We understood from the start what the aim was from the Red Team trying to disrupt the natural flow of the elections and used all available means to carry this out. However, with many excellent former government and law enforcement experts on my team, we were able to counter Red’s moves and maintain public trust,” said Alessandro Telami, senior director at Cybereason and Operation Blackout London Blue Team Leader.

Almost a Half Million Payment Cards Up for Sale on The Dark Web - Comment

More than 460,000 credit cards and accompanying information have been discovered for sale on the Dark Web by security researchers at Group-IB. The cards for sale included the expiration date, CVV code (card verification value), card number, and the name of the person on the card.

The full story can be found here: https://www.bleepingcomputer.com/news/security/batch-of-460-000-payment-cards-sold-on-black-market-forum/

Robert Capps, VP of Market Innovation for NuData Security, a Mastercard company comments:

“Many websites are suffering from Magecart-like attacks as hackers deploy malware within the merchant checkout process, in an effort to steal credit card information as it’s entered by the consumer. Once stolen, this card data, including card number, expiration date, CVV and consumer information are sold on the dark web to hackers who are amassing this stolen information for card-not-present fraud. Unfortunately, these types of attacks are not going away. Consumers should check their credit card statements frequently, and contact their bank regarding any suspicious transactions they might see. Companies need to do more to verify the legitimacy of their buyers, by also identifying consumers by their online behaviour, instead of just relying on credentials or consumer information like credit card numbers. This method allows companies to more easily identify potentially fraudulent transactions that use credit cards that have been stolen, before the transaction is completed.”
