Monthly Archives: January 2016

Accounts protected by two-factor authentication may face a greater risk of being hijacked by a newly updated Android malware, IT News reported Tuesday (Jan. 12).

The capabilities of the malware, which was originally discovered by Symantec back in 2014 and is called Android.Bankosy, were updated to steal the time-sensitive codes that are typically sent out as an added security measure when attempting to log into mobile applications with two-factor authentication. In most cases, the one-time passcodes are sent via SMS or delivered through an automated phone call.

While many online banking applications have moved to using the call-based passcodes, since SMS messages can be captured by some malware, Android.Bankosy now has the ability to forward the calls directly to hackers.

“Once the malware is installed on the victim’s device, it opens a back door, collects a list of system-specific information and sends it to the command and control (C&C) server to register the device and then get a unique identifier for the infected device,” Dinesh Venkatesan of Symantec explained in a blog post. “If the registration is successful, it uses the received unique identifier to further communicate with the C&C server and receive commands.”

“Once the unconditional call forwarding is set on the victim’s device, the attacker — who has already stolen the victim’s credentials (the first factor in two-factor authentication and authorization) — can then initiate a transaction,” Venkatesan continued.

The malware also has the ability to disable and enable the silent mode on a mobile device, as well as lock a device so that the victim is unaware when an incoming call takes place.

Symantec recommends users adhere to best practices, like keeping software up to date and refraining from downloading apps from unfamiliar websites, in order to help mitigate the threat of malware on their mobile devices.

Via: pymnts

Great information from Nick Santora.

——

I spent quite a while on the road while working at NERC for about seven years. I believe at one point I had over 130+ nights stayed during a single year. One of the many roles I had while at NERC was as a compliance program auditor for NERC CIP audits and compliance investigations. I picked up some common mistakes I have seen from entities across the entire country and would like to share them with you.

1) BE POLITE AND PATIENT

When an auditor asks for information, they are usually just trying to get an understanding of your environment. This isn’t a court hearing. The audit team is just trying to gain an understanding of the entire picture because they don’t know your environment as well as you do.

They may also not be familiar with certain acronyms, diagrams and other procedures at your organization. Take your time and explain them, since they will help tell your story of compliance.

2) NOT REWARDING YOUR STAFF

Let’s face it – no matter how prepared you are for an audit, it’s still a very intense process. Your staff is stressed out, and have been looking to find evidence in every nook and cranny of the past several years. Give them a break, reward them with a day off if possible or something fun to do as a thank you for all of the hard work they put in.

3) LISTEN TO CIP AUDITORS ADVICE

I have worked with the CIP audit and compliance teams in every region across North America. Your auditors, in fact, have a lot of experience. They have seen more implementations, configurations, environments and procedures than you could ever imagine.

Listen to them if they talk about best practices or advise on some thoughts for additional approaches towards demonstrating compliance. Sometimes it can really help open your eyes to a different point of view.

4) ARGUING OVER EVERY WORD IN THE STANDARD

During CIP Version 3 audits, I have seen words like significant, annual and other non-defined terms used in every possible way you could imagine. Of course, some of that has been cleaned up for CIP V5, but you get the point. If you do have an undefined term, ensure you define it somewhere in your internal documents to show the audit team what you mean.

5) ARGUING DURING THE EXIT PRESENTATION

Act professional – there is a big difference between arguing and disagreeing. Whether you disagree with a finding or not, the time and place is not during the exit presentation. Many times I would see entities yell at the auditors during the exit presentation, and say they’re wrong.

6) SCRAMBLING FOR DOCUMENTATION

A perfect example here was during training and awareness records. The CIP training standards dictate that authorized staff with unescorted physical or electronic access to BES Cyber Assets, otherwise known as BCAs, must go through a NERC CIP compliance training program.

Any of your staff, contractors, vendors, and even cleaning crew might fall into scope of this requirement. Make sure you have records of all of this going back during the audit scope, so you are not scrambling during the audit.

7) KNOW YOU’RE GOING TO BE AUDITED

You will be audited. I cannot believe how many times I would walk into an entity and find out they had never performed a mock audit with their staff. They didn’t know the types of questions they would be asked, the evidence to produce, or the responses they should prepare for.

8) SHOW YOUR WORK

A lot of times I would see an entity provide evidence of results. Sometimes you will hear auditors ask to see how you got to your results. A great example here is a Cyber Vulnerability Assessment or CVA.

One time, I remember hearing an entity perform their CVA, and get a pile of results/action items to fix. They then showed a piece of paper that said “Results” and had a completed check mark. When the auditors asked how they completed some of these tasks, or if they could see the steps they went through to get this result, the entity had no answers. They couldn’t even confirm that all of the CVA findings were fixed because they didn’t have documentation for themselves.

9) SPEAKING THROUGH LAWYERS

While having lawyers is very important for any dispute, settlement, or compliance program process, they aren’t always the best to be the front line on answering questions. For example, you don’t want your corporate attorney to answer technical questions on how your ESP are designed and configured.

10) REDACTING DOCUMENTATION AND EVIDENCE

The goal of the auditor is to help your entity demonstrate compliance to the NERC CIP standards, not to find areas of non-compliance.

I have been on audits where the entity would not even allow the auditors to view evidence by themselves – it had to be on an entity-owned machine with limited access and documents that were mostly blacked out information. All this did was extend the audit another week, and created a starting point for more questions.

Please help the auditors by making evidence accessible and useful.

Via: tripwire

Failure to update to the latest version of Internet Explorer by 12 January 2016 could put users at risk, Microsoft warns.

Microsoft has warned that failure to upgrade to its new Edge browser or Internet Explorer version 11 by 12 January 2016 will expose users to various risks.

The software company announced that it will stop technical support for all older browsers on that date, which includes security updates.

There will also be no more non-security updates, free or paid assisted support options or technical content updates.

Only Internet Explorer 11 will continue to receive security updates, compatibility fixes and technical support on Windows 7, Windows 8.1 and Windows 10.

“Without critical browser security updates, your PC may become vulnerable to harmful viruses, spyware and other malicious software which can steal or damage your business data and information,” warned Microsoft.

Users who fail to upgrade could also face a lack of independent software vendor (ISV) assistance because many no longer support older versions of Internet Explorer.

Microsoft notes that Office 365 takes advantage of modern web standards and runs best with the latest browser.

Failure to upgrade could also put users at risk of compliance failure. Businesses that are governed by regulatory obligations are advised to conduct due diligence to assess whether they are still able to satisfy compliance requirements using unsupported software.

Users of Windows 10 will automatically be using Microsoft Edge, which is Microsoft’s new browser. Microsoft Edge can launch Internet Explorer 11 for sites that need better backward compatibility. For this reason, Microsoft will continue to support IE 11 on Windows 10.

Microsoft advised large organisations with more than 500 employees to contact company representatives to access the available technical resources, tools and guidance on managing Internet Explorer or to consult online guides.

Small to medium-sized enterprises (SMEs) with fewer than 500 employees can get the latest version easily by using Automatic Updates.

“Those with dependencies on existing web applications can locate a Microsoft Certified Partner to understand the best options to meet their business needs,” said Microsoft.

Microsoft expects most home users to have Automatic Updates turned on, and to have already upgraded to Internet Explorer 11.

Home users who have not turned on Automatic Updates yet are advised to do so by clicking the Check for Updates button on the Windows Update portion of the control panel.

According to Microsoft, Internet Explorer 11 will be supported for the life of Windows 7, Windows 8.1 and Windows 10. The support lifecycle dates for all operating systems can be found in Microsoft’s Support Lifecycle Database.

Via: computerweekly

Some consolidation in the world of gaming and specifically e-sports. Activision Blizzard
confirmed that it has acquired Major League Gaming, a specialist in live gaming events as it vies to become the “ESPN of e-sports.”

The news follows reports over the weekend that Activision would be buying MLG for $46 million and shuttering the business. In the event, Activision is only partly confirming these details. Perhaps most importantly for the gaming world, it’s issued a clear statement that it plans to keep the entire business going, specifically the MLG.tv, MLG Pro Circuit and GameBattles platforms. “All of MLG’s e-sports businesses will continue to operate,” a spokesperson says.

No word from Activision Blizzard on price — although eSports Observer published an excerpt from the term sheet detailing the numbers.

Activision will also continue to organize MLG’s physical, live events with partners and the spokesperson confirmed that MLG’s entire staff is coming over as part of the deal. We have reached out to Activision to ask and will update as we learn more.

If the price is accurate, this is not a great outcome for MLG. The startup, based out of New York and co-founded by Sundance DiGiovanni and Michael Sepso, had raised at least $69 million in venture funding from backers that included Oak Investment Partners and Treehouse Capital.

Sepso was a shareholder too, although he left MLG for Activision and is now SVP of the company’s media networks e-sports division (one likely bridge that helped broker the deal), while DiGiovanni had been running MLG as the CEO (and is now apparently stepping down).

“Sundance and I founded MLG to highlight the incredible talent of competitive gamers all over the world,” Sepso said in a statement. “Activision Blizzard’s esports leadership, incredible intellectual property and long history in competitive gaming create a perfect home for MLG’s capabilities. The acquisition of MLG’s business is an important step towards Activision Blizzard Media Networks’ broader mission to bring esports into the mainstream by creating and broadcasting premium esports content, organizing global league play and expanding distribution with key gaming partners.”

MLG, founded 12 years ago, was an early mover in e-sports. By way of MLG Pro Circuit, it claimed to have the longest-running e-sports league in North America, and it said that GameBattles is the largest online gaming tournament system across consoles, PC and mobile platforms. Here’s a crowd packing in to watch a session of Starcraft 2 back in 2012:

But as more publishers have built their own e-sports businesses (not just Activision, but others such as EA), this has put more pressure on MLG as a standalone business. Ars Technica reported that MLG had taken out a $6 million loan to run the business.

Activision Blizzard, meanwhile, is hoping to tap deeper into the growing professional gaming business, which it says currently has 100 million unique viewers globally and is projected to go up to 300 million by 2017. The idea is that the extra assets will give it a further leg up to develop its own e-sports games as well as those of other publishers to compete against the likes of EA, Valve and so on. It positions itself much like another popular broadcast network:

“Our acquisition of Major League Gaming’s business furthers our plans to create the ESPN of e-sports,” Bobby Kotick, CEO of Activision Blizzard, said in a statement. “MLG’s ability to create premium content and its proven broadcast technology platform –- including its live streaming capabilities -– strengthens our strategic position in competitive gaming. MLG has an incredibly strong and seasoned team and a thriving community. Together, we will create new ways to celebrate players and their unique skills, dedication and commitment to gaming. We are excited to add Sundance and the entire MLG esports team to our competitive gaming initiatives.”

Via: techcrunch

Summary

By creating a failure condition in the 2.4 GHz radio frequency band, the Comcast XFINITY Home Security System fails open, with the base station failing to recognize or alert on a communications failure with the component sensors. In addition, sensors take an inordinate amount of time to re-establish communications with the base station, even if their “closed” state is switched to “open” during the failure event.

Product Description

The Comcast XFINITY Home Security system is a remote-enabled home security system, consisting of a battery-powered base station and one or more battery-powered sensors, all using the open standard ZigBee wireless communication protocol.

Credit

This issue was discovered by Phil Bosco of Rapid7, Inc.

Exploitation

By causing a failure condition in the 2.4 GHz radio frequency band, the security system does not fail closed with an assumption that an attack is underway. Instead, the system fails open, and the security system continues to report that “All sensors are in-tact and all doors are closed. No motion is detected.”

There does not appear to be a limit to the duration of the failure in order to trigger a warning or other alert. In addition, the sensors take a significant amount of time to re-establish communication with the hub when the radio failure subsides.

To demonstrate the issue, the researcher placed a paired window/door sensor in tin foil shielding while the system is in an ARMED state. While armed, the researcher removed the magnet from the sensor, simulating a radio jamming attack and opening the monitored door or window.

Once the magnet is removed from the sensor, the sensor was unwrapped and placed within a few inches from the base station hub that controls the alarm system. The system continued to report that it is in ARMED state. The amount of time it takes for the sensor to re-establish communications with the base station and correctly report is in an open state can range from several minutes to up to three hours.

There are any number of techniques that could be used to cause interference or deauthentication of the underlying ZigBee-based communications protocol, such as commodity radio jamming equipment and software-based deauthentication attacks on the ZigBee protocol itself.

Mitigations

There are no practical mitigations to this issue. A software/firmware update appears to be required in order for the base station to determine how much and how long a radio failure condition should be tolerated and how quickly sensors can re-establish communications with the base station.

Disclosure Timeline

This vulnerability advisory was prepared in accordance with Rapid7’s disclosure policy.

• Mon, Sep 28, 2015: Issue discovered by Phil Bosco of Rapid7
  
• Wed, Sep 30, 2015: Internal review by Rapid7
  
• Mon, Nov 02, 2015: Attempted to contact the vendor
  
• Tue, Nov 23, 2015: Details disclosed to CERT, VU#418072 assigned
  
• Tue, Jan 05, 2016: Public disclosure
  

Via: rapid7

Amazon this week took its enterprise-aimed email and calendaring service called WorkMailout of preview mode. The product, which first debuted a year ago, is based on Amazon Web Services and is meant to sub in for legacy solutions, like Microsoft Exchange.

However, instead of competing with client software like Microsoft Outlook, WorkMail integrates with it, as it does with Apple Mail and other email clients that use the Microsoft Exchange ActiveSync protocol including iPhone, iPad, Kindle Fire, Fire Phone, Android, Windows Phone and BlackBerry 10.

There’s also a web application for WorkMail available, the company says.

The product fits alongside other solutions designed for the corporate crowd, like WorkDocs (previously Zocalo), an enterprise storage and sharing service; and Amazon WorkSpaces, a managed desktop computing service that lets IT provision cloud-based desktops for end users. And like the others, WorkMail is about leveraging the power of Amazon Web Services to more directly serve the needs of a business’s end users, rather than being just a back-end solution.

WorkMail offers enterprise IT an email product that includes security features like encryption, messaging scanning for spam and viruses, and regional data control – meaning customers choose where mailboxes are stored. That’s something that may appeal to European customers in the post-Snowden era.

Amazon also lists a host of other features that rolled out during its preview period, including integration with KMS (AWS Key Management Service); compliance with ISO 27001, ISO 27017, and ISO 27018 certifications; resource creation (e.g. booking meeting rooms and equipment); a migration tool to move from Exchange to WorkMail; and more.

The company additionally touts an easier setup process as the product becomes generally available. In conjunction with Simple AD, setup is generally 10 minutes, says Amazon. And it works on clients that run on OS X, including Apple Mail and Outlook.

However, there are a number of features that Amazon is still working on, like support for a single Global Address Book, the ability to access free/busy information across both environments, and an email journaling feature.

With the public release, Amazon WorkMail continues to be priced competitively at $4 per user per month, which includes 50 GB of mailbox storage. Customers can also pay $2 more per user to tack on Amazon WorkDocs as well, which offers 200 GB of cloud storage per user.

WorkMail is generally available in three AWS regions: U.S. East (Northern Virginia), U.S. West (Oregon), and Europe (Ireland).

Via: techcrunch

Credit and finance management platform Credit Karma, known best as the startup that offers free, no-strings-attached credit scores, has made its first acquisition. The company has acquired the makers of the mobile application Snowball, with plans to leverage the team’s expertise in mobile notifications. Terms of the deal were not disclosed, and the Snowball app will be pulled from the Google Play app store in the near future.

Snowball was founded by Anish Acharya and Jeson Patel, who had sold their first company, a mobile social games publisher SocialDeck, to Google in 2010. They began work on Snowball back in spring 2014. The idea with the original version of Snowball was to offer a way to connect the different mobile messaging apps on users’ Android devices – that is, something of a universal inbox for all your incoming chats.

That app grew to 250,000 downloads, but didn’t really take off the way they hoped. This summer, the team pivoted to building a “priority inbox” for all of Android’s notifications.

Though Snowball’s next version never topped half a million installs, the process of building the app itself was something of a technical feat, as the team figured out how to take over the entire pull-down notifications interface on Android, as well as the full notification swipe itself.

It’s this kind of expertise that Credit Karma is now interested in bringing onto its team as it rolls out further enhancements to its own set of mobile applications in the near future, explains Credit Karma CTO Ryan Graciano.

“We’re seeing a huge movement of consumers toward mobile, particularly in younger demographics. Android is a key platform for us,” says Graciano. “And these guys have really amazing experience on Android, in particular.”

Many of Credit Karma’s over 45 million total users access the service on mobile devices today. But those who do tend to be in the lower to middle credit bands – a demographic group that tends to skew more toward Android, which is why it makes sense for Credit Karma to invest in building out its Android team.

Graciano says that what Credit Karma found particularly interesting about Snowball was how they converted mobile notifications into something actionable – which ties into Credit Karma’s larger plans for mobile.

“We have tens of thousands of data points on a particular customer at any time, so there’s this constant inflow of things we could be telling you,” notes Graciano. “But sorting through all that…is a very tricky thing to do – especially in a way where you’re not overwhelming the user with spurious notifications.”

Five members of Snowball’s team of six will join Credit Karma, including CEO Anish Acharya, who will become Credit Karma’s Senior Director of Product Management.

Acharaya declined to say why Snowball decided to exit, but it’s likely that the product was still not growing at the pace they desired, and that could have impacted the startup’s plans to raise more capital. Snowball had previously raised a $2.3 million seed round from Felicis Ventures, Golden Venture Partners, Google Ventures, Metamorphic Ventures, and Wesley Chan.

Credit Karma, meanwhile, raised $175 million this summer at a $3.5 billion valuation.

“For the Snowball team, it was all about the people and mission. We had a great existing relationship with ex-Googler and Credit Karma CPO Nikhyl Singhal, and as we got to know Ryan and the rest of the leadership team, we were blown away by their caliber, culture and the commitment to the mission,” says Acharya about Snowball’s acquisition.

“As we learned more about the company’s focus on improving people’s financial health at scale, it became apparent this opportunity was a unique combination of meaningful mission, significant scale and a mobile-first product focus. It is the most interesting problem, with the most interesting people, for us to solve next,” he adds.

The acquisition, which is described as an “acqui-hire,” will not involve Credit Karma utilizing any of Snowball’s IP. Instead, the Snowball app will be removed from the Google Play store, but maintained for three months. Afterward, the app will be shut down and all data will be deleted.

Via: techcrunch

Fancy earning $100,000? Of course, you do.

Well, now there’s an opportunity to earn a huge reward if you can demonstrate how Adobe Flash can be exploited.

Sounds good right? Well, here’s the bad news for the rest of us: it’s not Adobe offering the money in the form of a bug bounty.

Less than a month ago, Adobe proudly announced a series of security enhancements it had made to bolster the defences of Flash, following a year’s worth of collaboration with security researchers at Microsoft and Google’s Project Zero team:

One example of a larger scale collaboration is our heap isolation work. This project initially started with a Project Zero code contribution to help isolate vectors. Based on the results of that release and discussions with the Microsoft research team, Adobe then expanded that code to cover ByteArrays. In last week’s release, Adobe deployed a rewrite of our memory manager to create the foundation for widespread heap isolation which we will build on, going forward. This change will limit the ability for attackers to effectively leverage use-after-free vulnerabilities for exploitation.

Considering how many computers continue to run Flash Player, and the regularity with which criminals attempt to exploit vulnerabilities in its code, Adobe’s announcement sounded like positive news.

But there are, inevitably, people keen to bypass the heap isolation defence now built into the latest versions of Adobe Flash.

And thus it was perhaps not surprising to see controversial vulnerability broker Zerodium make an announcement offering a significant financial reward via its Twitter account:

There’s a big problem with all of this, of course. And that’s that unless you have piles of cash in the bank, Zerodium hsa no intention of sharing details of any exploit (and how to protect against it) with you. In fact, there’s every likelihood that Zerodium will not be sharing it with Adobe either.

And if Adobe don’t get told about the vulnerabilities in Flash, they’re not going to get patched.

Instead, Zerodium believes that it will be able to make a healthy profit selling details of the $100,000 vulnerabilities to whoever is prepared to stump up a considerable amount of cash. Likely buyers include intelligence agencies who might use the code to spy upon foreign governments, military contractors and overseas companies.

And it’s obviously not in the interest of such purchasers to make details of any zero-day flaw public, as it would warn their intended targets of the potential threat.

We all know that Adobe Flash has been plagued with security problems over the years. Whatever advances Adobe makes, Flash will continue to be probed and dissected by those keen to find vulnerabilities and ways of exploiting them.

The sad news is that Adobe may not be told about flaws which are found – which can only be bad news for the rest of us, left without protection.

Via: tripwire

The company said it was recently notified by the FBI that the email accounts of 320,000 of its customers nationwide may have been compromised by thieves.

Time Warner Cable is advising 320,000 of its customers to change their email account passwords because hackers may have gained access to them.

The cable television giant said it was recently notified by the FBI that “some of our customers’ email addresses, including account passwords, may have been compromised.”

“Our understanding is that the compromise had nothing to do with TWC’s systems or processes,” the company said in an email to potentially affected customers this week. “TWC has found no evidence of a breach in its systems that operate and secure email accounts for our customers.”

Nathalie Burgos, a spokeswoman for the company, said only customers with Roadrunner email addresses are potentially impacted. Roadrunner email addresses include the letters “rr” in the domain name.

Burgos said the company has not determined how its customers’ email addresses and passwords may have been obtained. However, they possibly could have been stolen through malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored Time Warner Cable customer information, including email addresses, she said.

Phishing attacks occur when people are sent emails that direct them to a website that asks them to “update” personal information, such as email passwords and credit card accounts. The sites, which resemble those of legitimate companies but are not, may also download malware that can collect personal information from a person’s computer.

Customers throughout Time Warner’s nationwide service territory who potentially had their email accounts compromised were notified this week and advised to change their passwords by going to http://twc.com/emailpassword and following the instructions.

Burgos said criminals can use stolen passwords to access private information, potentially including financial data, from people’s emails.

Customers with questions may call the company at 1-844-899-8913. Time Warner Cable Business Class customers may call 1-866-892-4249.

Via: syracuse

Communication hubs will provide free public Wi-Fi, voice and video calls, device charging and tablets for internet browsing, access to city services, maps and directions.

New York City has begun rolling out a communications network that will replace more than 7,500 public phones across the city’s five boroughs with new structures called Links.

The LinkNYC project is a partnership between the City of New York and CityBridge, a NYC-based consortium that includesIntersection, Qualcomm and CIVIQ Smartscapes.

Each Link will provide superfast, free public Wi-Fi, voice and video calls, emergency 911 calls, device charging and an Android tablet for internet browsing, access to city services, maps and directions.

Although the project is expected to cost $200m, the services will be free of charge because they will be funded through digital advertising displayed on video screens on each unit, which is expected to generate more than $500m in revenue.

LinkNYC is described as “the biggest, fastest public Wi-Fi project involving hundreds of miles of brand-new, purpose-built fibre-optic cable to provide unprecedented Wi-Fi access at gigabit-speed to more than eight million people”.

Although installation of the Links has begun, LinkNYC says only 510 will be up and running in the project’s beta phase.

Starting in Manhattan, LinkNYC wil have to install 10 Links a day across two sections of Manhattan, the South Bronx, Jamaica Queens, Staten Island and Flatbush Avenue in Brooklyn to reach the target for the beta phase by July 2016.

The beta phase is aimed at giving New Yorkers an opportunity to try out the Links’ features and provide feedback to help improve the user experience.

More apps and services will be rolled out over the next few months and over the next decade, according to LinkNYC.

When the project is complete, LinkNYC plans to have Links within 150 feet of each other, even though each will have a signal radius of up to 400 feet and will be able to handle up to 500 users simultaneously, reports Gizmodo.

Like any Wi-Fi network, LinkNYC will remember devices, enabling users to have instant Wi-Fi access whenever they are in the city, even after an extended absence, the report said.

LinkNYC does not mention anything on its website about security, but according to US reports, the network offers encryption and CityBridge says the privacy policy forbids sharing users’ personal data with any third party.

Security experts say all Wi-Fi connections should use strong encryption, such as the WPA2 encryption standard.

Without strong encryption, there is a threat that if an attacker gains access to a wireless network, they can cause a lot of damage, such as intercepting usernames/passwords, taking control of computers on the network, changing browsing to websites that deliver malware or capture credentials, or using the network to perform various anonymous or illegal activities.

Via: computerweekly