Monthly Archives: February 2017

Multiple Groups Cooperated in Shamoon Attacks: Symantec

The recent attacks involving the notorious disk-wiping malware Shamoon, aka Disttrack, may have been carried out by multiple groups working together under the command of a single entity, Symantec said on Monday.

A total of three Shamoon 2 attack waves were observed recently, including two in November 2016 and one on January 23. The attacks, believed by many to be the work of Iran, targeted organizations in the Persian Gulf, particularly Saudi Arabia.

Experts have identified connections between apparently different threat groups and the Shamoon attacks. First, Symantec reported that an actor tracked by the company as Greenbug may have helped obtain credentials used in the Shamoon operation.

Later, Palo Alto Networks published a report on Magic Hound, a campaign targeted at energy, government and technology sector organizations that are located or have an interest in Saudi Arabia. The operation involved domains and a RAT linked by IBM to Shamoon attacks.

Researchers also found connections between the Magic Hound attacks and two other Iran-linked advanced persistent threat (APT) actors: Charming Kitten (Newscaster) and Rocket Kitten. Symantec tracks the group behind Magic Hound as Timberworm, and SecureWorks has named it COBALT GYPSY.

Symantec said Timberworm apparently facilitated the January 2017 Shamoon attacks. The group, similar to Greenbug, gained access to the targeted organizations’ systems weeks or months before Shamoon was deployed in order to conduct reconnaissance, harvest credentials and establish persistent remote access.

Timberworm used spear-phishing emails and weaponized documents to gain a foothold in each organization’s network. The attacker then leveraged custom malware, hacking tools and legitimate sysadmin applications to achieve its goals. The use of legitimate tools can help avoid detection and makes attribution more difficult.

Both Greenbug and Timberworm penetrated the systems of many organizations – not only in Saudi Arabia – but the Shamoon worm was only deployed against specific targets.

“Timberworm appears to be a much larger operation, infiltrating a much broader range of organizations beyond those affected by the recent Shamoon attacks. Similarly, Greenbug targeted a range of organizations in the Middle East beyond those affected by Shamoon, including companies in the aviation, energy, government, investment, and education sectors,” said Symantec researchers.

“While both groups leveraged two distinct toolsets, their targets, tactics, and procedures align very well and in close proximity to the coordinated wiping events,” they added.

The evidence suggests that the groups worked together and their activities may have been orchestrated by a single entity, experts said.

 

via:  securityweek

Google Discloses Unpatched Flaw in Edge, Internet Explorer

Google Project Zero has disclosed a potentially serious vulnerability in Microsoft’s Edge and Internet Explorer web browsers before the tech giant could release patches.

The details of the flaw and proof-of-concept (PoC) code were made public last week by Google Project Zero researcher Ivan Fratric after Microsoft failed to meet the 90-day disclosure deadline.

The security hole, tracked as CVE-2017-0037, has been described as a high severity type confusion. The vulnerability can be exploited to cause the web browsers to crash, but arbitrary code execution could also be possible.

This is the second unpatched vulnerability in a Microsoft product disclosed by Google Project Zero this month. Earlier, Mateusz Jurczyk released the details of a medium severity information disclosure flaw tracked as CVE-2017-0038.

In addition, there is an unpatched denial-of-service (DoS) flaw in Windows caused by how SMB traffic is handled.

Microsoft only released patches for Adobe Flash Player this month after postponing its February 2017 updates to March 14 due to an unspecified “last minute issue.” It’s possible that the three vulnerabilities affecting Windows and the browsers were supposed to be fixed by the delayed security updates.

Microsoft claimed last month that the security mechanisms in Windows 10 can block the exploitation of zero-day vulnerabilities even before patches are made available. As an example the company provided two flaws exploited in sophisticated attacks against organizations in South Korea and the United States before fixes could be released.

 

via:  securityweek

Google Achieves First-Ever Successful SHA-1 Collision Attack

sha1-hash-collision-attack

SHA-1, Secure Hash Algorithm 1, a very popular cryptographic hashing function designed in 1995 by the NSA, is officially dead after a team of researchers from Google and the CWI Institute in Amsterdam announced today submitted the first ever successful SHA-1 collision attack.

SHA-1 was designed in 1995 by the National Security Agency (NSA) as a part of the Digital Signature Algorithm. Like other hashes, SHA-1 also converts any input message to a long string of numbers and letters that serve as a cryptographic fingerprint for that particular message.

Collision attacks appear when the same hash value (fingerprint) is produced for two different messages, which then can be exploited to forge digital signatures, allowing attackers to break communications encoded with SHA-1.
The explanation is technologically tricky, but you can think of it as attackers who surgically alters their fingerprints in order to match yours, and then uses that to unlock your smartphone.

The researchers have been warning about the lack of security of SHA1 from over a decade ago, but the hash function remains widely used.

In October 2015, a team of researchers headed by Marc Stevens from the Centrum Wiskunde & Informatica (CWI) in the Netherlands had published a paper that outlined a practical approach to creating a SHA-1 collision attack –Freestart Collision.


At that time the experts estimated that the cost of an SHA-1 collision attack would cost between $75,000 and $120,000 using computing power from Amazon’s EC2 cloud over a period of a few months.

The Collision Attack ‘SHAttered’ the Internet

sha1-hash-collision-attack

The Google approached the same group of researchers, worked with them and today published new research detailing a successful SHA1 collision attack, which they dubbed SHAttered and costs just $110,000 to carry out on Amazon’s cloud computing platform.
As proof of concept, the new research presents two PDF files [PDF1, PDF2] that have the same SHA1 hash, but display totally different content.

According to researchers, the SHAttered attack is 100,000 faster than the brute force attack.

“This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations,” the researcher explains.

“While those numbers seem very large, the SHA-1 shattered attack is still more than 100,000 times faster than a brute force attack which remains impractical.”

90-days for Services to Migrate to Safer Cryptographic Hashes

Despite declared insecure by researchers over a decade ago and Microsoft in November 2013, announcing it would not accept SHA1 certificates after 2016, SHA1 has widely been used over the Internet.

So, it’s high time to migrate to safer cryptographic hashes such as SHA-256 and SHA-3.
Google is planning to release the proof-of-concept (PoC) code in 90 days, which the company used for the collision attack, meaning anyone can create a pair of PDFs that hash to the same SHA-1 sum given two distinct images with some pre-conditions.

Therefore, an unknown number of widely used services that still rely on the insecure SHA1 algorithm have three months to replace it with the more secure one.

Meanwhile, Google and researchers have released a free detection tool that detects if files are part of a collision attack. You can find both the tool and much more information about the first collision attack at shattered.io.

 

via:  thehackernews

Best Password Managers 2017

With a password manager, you won’t need to remember unique, long, complex passwords for every online account. The software will remember it for you, strengthening your password security and minimizing your risk the next time there’s a massive data breach. You need to remember only a single “master” password to the password manager itself.

Based on our extensive testing of seven services, focusing on ease of use, platform support, security and overall performance, the best overall password manager is LastPass, which offers an ideal combination of ease of use, convenience and security.

LastPass Password Manager

$12/year LastPass

Dashlane was a close runner-up, thanks to its nifty ability to reset all your passwords at once.

Dashlane Password Manager

$40/year Dashlane

We also liked True Key’s forward-looking biometric authentication, Keeper’s simplicity and Sticky Password’s user-friendliness, although each lacked features we consider essential.

Two other password managers are best suited for niche segments: 1Password for Mac users, and KeePass for tech-savvy users of Linux and other open-source software.

What to Look For

All seven password managers we’ve reviewed secure your data, both on your machine and in the cloud, with the toughest form of encryption in wide usage today. All have software for Windows, Mac OS X, Android and iOS. All have free options, though only KeePass is entirely free. All can be installed on an unlimited number of devices for a single (usually paid) account, and most can store an unlimited number of passwords.

All of the password managers we reviewed can also generate new, strong passwords for you (though not always on the mobile version), and some will alert you to the latest data breaches. Most offer a two-factor authentication option for master passwords. Many offer to save your personal details, credit-card numbers and other frequently used information so that they can quickly fill out online forms for you. Finally, none can recover your master password for you if you forget it, although some let you reset that password to something else.

Cloud vs. Local Management

1Password and KeePass primarily store the user’s “vault” of passwords and other sensitive information locally, i.e. on one of the user’s own devices. There’s a security advantage to that, as none of the data has to ever reach the internet, but it can be a hassle to synchronize the vault with other devices.

Far more convenient are cloud-based password managers, which include LastPass, Dashlane, Keeper and True Key. These services keep encrypted copies of your vault on their own servers and make sure all your devices are always synced.

The risk, although it’s small, is that one of the services could be compromised and your passwords released out into the wild. (The seventh password manager, Sticky Password, can work as either a device-based or cloud-based manager, and there’s a somewhat pricey cloud-based subscription option available for 1Password.)

How We Tested

We installed and used all seven password managers on a Windows 8 laptop, an iPad Mini and a Samsung Galaxy S6 Android smartphone. Additional testing was done on an iPhone 6s Plus, a OnePlus One Android smartphone and a Windows 10 laptop.

We took into consideration each service’s ease of use, variety and usefulness of features, and its security practices, especially concerning two-factor authentication. Design was noted, but did not factor into our rankings, and price was considered only when two or more premium password managers were otherwise roughly equal.

LastPass

EDITOR’S CHOICE

 

LASTPASS

Editor’s Choice

9/10

SUPERIOR

REVIEW

$12/YEAR LastPass

LastPass is our Editor’s Choice among password managers because of its ease of use, support for all major platforms, feature-rich free version, variety of configurations and very affordable ($12 per year) premium subscription. As of late 2016, the free version syncs across an unlimited number of devices. You don’t even need to install an application on your computer to use LastPass; instead, the software can live entirely in browser extensions and in a full-featured web interface.

Dashlane

 

DASHLANE

8/10

TOTALLY WORTH IT

REVIEW

$40/YEAR Dashlane

Dashlane has a truly killer feature: It can reset all your passwords at once, saving you time and worry in the event of a major data breach. It’s also well-designed, easy to use and possibly the best at filling out your personal information in online forms. Dashlane’s only drawbacks are its relatively high premium price ($40 per year) and its read-only web interface, which prevents you from making any changes to your vault while away from your primary computer.

True Key

 

TRUE KEY

8/10

TOTALLY WORTH IT

REVIEW

$20/YEAR True Key

Intel’s True Key ($20 per year for a premium subscription) is the password manager of the future. It offers six different factors of authentication, including fingerprint and facial recognition, and just added Microsoft Edge support. It’s pretty cool to log in by looking into your laptop or smartphone’s camera and shaking your head. The impressive selection of authentication factors also makes it possible to easily reset the True Key master password if you lose it. We just wish True Key filled in personal information and let users securely share passwords.

Keeper

 

KEEPER

7/10

VERY GOOD

REVIEW

$30/YEAR Keeper

Keeper ($30 per year for premium service) is fast, full-featured, has a robust web interface and can store files and documents of any kind. But it doesn’t let you create a PIN to quickly access the mobile app. If your phone doesn’t have a fingerprint reader, you’ll have to enter the full master password every time.

Sticky Password

 

STICKY PASSWORD

7/10

VERY GOOD

REVIEW

$30/YEAR Sticky Password

Sticky Password looks out-of-date with its full-color interface and amateurish-looking website. But it’s a full-featured password manager that gives you the option of syncing locally or in the cloud, manages desktop logins as well as online passwords, and even offers a lifetime premium subscription option for $150. (Otherwise, that’s $30 per year.) Sticky Password recently added true two-factor authentication, but its web interface is pretty bare-bones.

KeePass

 

KEEPASS

7/10

VERY GOOD

REVIEW

FREE KeePass

KeePass is the oldest password manager here, one of the most powerful, and definitely the hardest to use. It’s a long-running free and open-source project with several spinoffs, dozens of ports to other platforms (KeePass originated on Windows) and nearly endless customization options — you can even carry the software and its vault around on a USB thumb drive. The downside is that you have to do everything yourself, from syncing your devices to just learning how to use the software at all. If you’re a tech-savvy person, KeePass may be for you, but it’s certainly not for everyone.

1Password

 

IPASSWORD

6/10

WORTH CONSIDERING

REVIEW

FREE/MOBILE iTunes

1Password started on Mac and added Windows and Android versions only in 2014. Its Windows version lags behind the Mac one, and while the iOS app is full-featured, the Android one is almost useless. 1Password’s pricing structure is complicated, and certain configurations require you to sync your own data, but if you have a family of Mac users, its subscription plan ($5 per month, or $48 per year) lets up to five users share one cloud-synced account with individual logins and premium software on all devices. 1Password also has great form-filling abilities, though it lacks true two-factor authentication.

 

via:  tomsguide

Hacker Shows How Easy It Is To Hack People While Walking Around in Public

evil-twin-wifi-hacking

Wi-Fi enabled devices — widely known as the Internet of Things (IoT) — are populating offices and homes in greater and greater numbers.

From smartphones to connected printers and even coffee makers, most of these IoT devices have good intentions and can connect to your company’s network without a problem.

However, as the Internet of Things (IoT) devices are growing at a great pace, they continue to widen the attack surface at the same time, giving attackers a large number of entry points to affect you some or the other way.

The attackers can use your smart devices to gain backdoor entry to your network, giving them the capability to steal sensitive data, such as your personal information, along with a multitude of other malicious acts.

An interesting attack scenario has recently been demonstrated by one of the renowned hackers, Jayson Street, who said all it is needed is to walk around with the right device to get into someone’s device.

Before we jump into the technical details of the attack, let’s watch out a video showing that how easy it is to hack smartphones and laptops in a crowded place by setting up an EvilAP (malicious access point).

 

 

Here’s How the Attack Works:

 

Street used a simple penetration testing device and an internet connection to pwn people around him.

Technically, Street hacking device automatically set up an ‘Evil Twin Attack,’ in which an attacker fools wireless users into connecting their smartphones and laptops to an evil (malicious) hotspot by posing as a legitimate WiFi provider.

 

Once connected, all of the victim’s information flows directly into the attacker’s device, allowing cybercriminals to secretly eavesdrop on the network traffic and steal passwords, financial and other sensitive data and even redirect you to malware and phishing sites.

How to Prevent Evil Twin WiFi Attacks

Pwnie Express released its yearly industry report: Internet of Evil Things, providing insight on products that the IT professionals should be wary of.

Using the report and additional information from security researchers at Pwnie, we have listed five quick steps you can implement in order to prevent yourself or your workplace from being compromised.

1. Turn your WiFi Off: Turn off Wi-Fi devices when you are not using them, especially on the weekends — it saves energy and minimizes your exposure to hackers.

2. Use it or Lose it: Once the product is in your office, turn off the functions you aren’t using. Enabled functionality usually comes with increased security risks.
Also, make sure you review the products before you bring them into the workplace. If it is already there, do not be shy about calling customer service and walking through the steps required to shut down any unused functions.

3. Change Your Passwords: It is important never to use the default credentials. Set up strong, secure passwords to secure your devices.

4. Research Your Purchase: Before you even buy a product, always research what you’re buying and make sure you know how to update any software associated with that device.
Look for devices, systems, and services that make it easy to upgrade the device and inform the end user when updates are available.

5. Trust and Verify Every Device: Be aware of any device from brands known to have more security issues than others. The personalization of corporate hardware, including mobile hotspot vendors, is one of the top threats to network security.

 

via:  thehackernews

User education is first line of defense against ransomware

Ransomware has yet again reared its ugly head and despite various security websites issuing warning notices, people are still falling foul of it. 

Ransomware is, in essence, a method of extorting money from an unsuspecting individual or organization, most frequently by denying them access to their files through encryption of their data or hard drive.

One ransomware attack vector is via phishing or spam emails as the unsuspecting individual may inadvertently open an attachment or follow what they perceive to be a bona fide web link.  The act of clicking on the suspicious attachment or web link results in the initiating of a malware download, which then encrypts the user’s files or hard drive. Once completed, this then requires the user to pay.

Payment is often demanded in Bitcoin to unlock an organization’s files or hard drive. It has been widely reported by victims that despite paying this “ransom”, they have still been unable to access the encrypted files or hard drive. So it is clear that prevention is better than cure when dealing with ransomware.

Depending on the type and version of ransomware that has been installed, there is a possibility that the user’s files or hard drive have not actually been encrypted, but a small piece of software has been installed that gives the impression that encryption has taken place.

This relies heavily on the emotional response of the victim and the fear that they could be compromised; such a fear is enough to prompt a response and, potentially, payment.

It is impossible to tell from the ‘splash screen’ that appears whether or not it is a genuine ransomware payload and only an attempt to use or recover the user’s files will clarify this.

Numerous strategies

There are numerous strategies for safeguarding against ransomware. The first, and by far the most effective, is user awareness and education, because ransomware does not install itself. For the malware to be downloaded successfully, it needs some form of user interaction, whether via phishing emails or by fraudulent websites that serve up ‘drive-by’ malware.

Ensure that all your staff, including management, recognize phishing and spam and so do not open suspicious emails or follow links to other websites unless they can be sure they are bona fide links. All users should also be cautious or even suspicious of attachments, pictures or graphics received unexpectedly from known persons, because the sender’s email account may have been compromised.

If in doubt, do not open any email without first confirming its origin by contacting the sender. It is also recommended to switch off any email preview window within a mail program because this may trigger the ransomware download.

Also, spear phishing might be used for a targeted ransomware attack on a specific user. This might make the malicious email hard to spot.

Scan all attachments

Secondly, ensure that any antivirus email program or software is up to date and scheduled to scan all email traffic to identify spam emails or emails that may contain known threats. This software should also be configured to scan all attachments or pictures embedded within emails or instant messaging attachments.

Thirdly, all hardware and software should be correctly patched and updated to the latest version to ensure that all known weaknesses or vulnerabilities have been addressed by the relevant supplier.

Finally, a good back-up regime is essential in this ever-changing virtual and internet-based environment. Remember, it is not sufficient just to make backups because they need to be tested to ensure they actually work.

In the event of your system being infected with ransomware, don’t give up hope or pay any ransom. There are various products available that can help to recover your files.

It is imperative that organizations take the threat of ransomware seriously. Once infected, the inability to access files or systems may affect other services offered by the organization. An organization’s ability to recover quickly from any ransomware infection will be greatly enhanced by having effective business continuity mechanisms available and free from infection.

 

via:  computerweekly

This Ransomware Malware Could Poison Your Water Supply If Not Paid

Ransomware has been around for a few years, but in last two years, it has become an albatross around everyone’s neck, targeting businesses, hospitals, financial institutions and personal computers worldwide and extorting millions of dollars.


Ransomware is a type of malware that infects computers and encrypts their content with strong encryption algorithms, and then demands a ransom to decrypt that data.

 
It turned out to be a noxious game of Hackers to get paid effortlessly.

Initially, ransomware used to target regular internet users, but in past few months, we have already seen the threat targeting enterprises, educational facilities, and hospitals, hotels, and other businesses.


And now, the threat has gone Worse!

This PoC Ransomware Could Poison Water Supply!

scada malware

Researchers at the Georgia Institute of Technology (GIT) have demonstrated the capability of ransomware to take down the critical infrastructure our cities need to operate, causing havoc among people.

 
GIT researchers created a proof-of-concept ransomware that, in a simulated environment, was able to gain control of a water treatment plant and threaten to shut off the entire water supply or poison the city’s water by increasing the amount of chlorine in it.

 
Dubbed LogicLocker, the ransomware, presented at the 2017 RSA Conference in San Francisco, allowed researchers to alter Programmable Logic Controllers (PLCs) — the tiny computers that control critical Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) infrastructure, like power plants or water treatment facilities.

 
This, in turn, gave them the ability to shut valves, control the amount of chlorine in the water, and display false readouts.


Sounds scary, Right?

 
Fortunately, this has not happened yet, but researchers say this is only a matter of time.

 

The simulated attack by researchers was created to highlight how attackers could disrupt vital services which cater to our critical needs, like water management utilities, energy providers, escalator controllers, HVAC (heating, ventilation and air conditioning) systems, and other mechanical systems.

Over 1500 PLC Systems Open To Ransomware Attack

LogicLocker targets three types of PLCs that are exposed online and infects them to reprogram the tiny computer with a new password, locking the legitimate owners out and demanding ransom while holding the utility hostage.

 
If the owners pay, they get their control over the PLC back. But if not, the hackers could malfunction water plant, or worse, dump life-threatening amounts of chlorine in water supplies that could potentially poison entire cities.

 
GIT researchers searched the internet for the two models of PLCs that they targeted during their experiment and found more than 1,500 PLCs that were exposed online.

“There are common misconceptions about what is connected to the internet,” says researcher David Formby. “Operators may believe their systems are air-gapped and that there’s no way to access the controllers, but these systems are often connected in some way.”

Targeting industrial control and SCADA systems is not new, cybercriminals and nation-state actors are doing this for years, with programs like Stuxnet, Flame, and Duqu, but ransomware will soon add a financial element to these type of cyber attacks.

 
Therefore, it is inevitable that money-motivated criminals will soon target critical infrastructure directly. Additionally, the nation-state actors could also hide their intentions under ransomware operators.

 
So, it is high time for industrial control systems and SCADA operators to start adopting standard security practices like changing the PLCs default passwords, limiting their connections by placing them behind a firewall, scanning their networks for potential threats, and install intrusion monitoring systems.

 

via:  thehackernews

New MacOS Malware linked to Russian Hackers Can Steal Passwords & iPhone Backups

Security researchers have discovered a new Mac malware allegedly developed by APT28 Russian cyber espionage group who is believed to be responsible for 2016 presidential election hacking scandal.

 
A new variant of the X-Agent spyware is now targeting Apple macOS system that has previously been used in cyber attacks against Windows, iOS, Android, and Linux devices.
The malware is designed to steal web browser passwords, take screenshots of the display, detect system configurations, execute files and exfiltrate iPhone backups stored on the computer.

The X-Agent malware is tied to Russian hacking group known as APT28 — also known as Fancy Bear, Sofacy, Sednit, and Pawn Storm — that has been operating since at least 2007 and is allegedly linked to the Russian government.

“Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation,” Bitdefender reported in a blog post published.

“For once, there is the presence of similar modules, such as FileSystem, KeyLogger, and RemoteShell, as well as a similar network module called HttpChanel.”

Like variants for other platforms, the Mac version of X-Agent spyware is also act as a backdoor with advanced cyber-espionage capabilities that can be customized depending on the objectives of an attack.

Moreover, X-Agent is being planted by exploiting a vulnerability in the MacKeeper software installed on the targeted computers and known malware dropper Komplex — a first-stage trojan that APT28 uses to infect machines.


Abovementioned evidence indicates that the newly discovered Mac version of X-Agent is also created by the same
Russian hacking group.

Once successfully installed, the backdoor checks for the presence of a debugger and if it finds one, it terminates itself to prevent execution. But if not, the backdoor waits for an Internet connection to communicate with the command-and-control servers.

“After the communication has been established, the payload starts the modules. Our preliminary analysis shows most of the C&C URLs impersonate Apple domains,” Bitdefender researchers said.

“Once connected to the C&C, the payload sends a HelloMessage, then spawns two communication threads running in infinite loops. The former uses POST requests to send information to the C&C, while the latter monitors GET requests for commands.”

The Research is still ongoing and Bitdefender security researchers right now only have the Mac malware sample and not a full picture of how an attack works.

 
APT28 is one of the two Russian-linked cyber-espionage groups that have been accused of hacking into the U.S. Democratic National Committee’s email server last year and interfering with the 2016 presidential election.


You can read BitDefender’s previous analysis on the APT28 hacking group here [
PDF].

 

via:  thehackernews

Hackers Can Intercept Data From Popular iOS Apps

Dozens of popular iOS applications are affected by vulnerabilities that allow man-in-the-middle (MitM) attackers to silently intercept data from connections that should be protected by TLS, a study has found.

The developers of verify.ly, a service designed for finding security issues in iOS apps, analyzed applications in the Apple App Store and identified hundreds that are likely vulnerable to data interception. Experts have tested each of them on an iPhone running iOS 10 and confirmed that 76 had been vulnerable.

According to Will Strafach, iOS security expert and developer of verify.ly, the affected applications have been downloaded more than 18 million times. The vulnerability is considered high risk in the case of 19 of the 76 applications, as they expose financial or medical service credentials or session authentication tokens.

The medium risk category includes 24 iOS apps, which also expose login credentials and session authentication tokens. The names of the high and medium risk apps have not been disclosed in order to give vendors time to patch the flaws.

Researchers identified 33 low risk applications, which allow attackers to intercept only partially sensitive information, including analytics data, email addresses, and login credentials that would only be entered on a trusted network. The list includes banking, VPN, entertainment, news, stock trading, chat, and Snapchat-related apps.

“This sort of [MitM] attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range,” Strafach explained. “Such an attack can be conducted using either custom hardware, or a slighly modified mobile phone, depending on the required range and capabilities. The best similar and well-understood form of attack to this would be the ability to read data from credit cards at a close range.”

Applications are vulnerable to these types of attacks due to the way their developers implement network-related code, which means only the developers can properly address the issue. However, end-users can protect themselves against potential attacks by utilizing the affected applications only over a cellular data connection, which is much more difficult to intercept compared to Wi-Fi.

An automated analysis of Android apps conducted back in 2014 by CERT/CC showed that thousands of applications were vulnerable to MitM attacks, and many of them are still vulnerable today.

 

via:  securityweek

Too many high-risk vulnerabilities leave CISOs scrabbling to patch

Too many critical flaws are given high priority, leading to a patch overload that CISOs cannot keep up with, according to F-Secure.

IT security company F-Secure has warned that there is too much hype surrounding zero-day vulnerabilities.

In its State of Cyber Security 2017 report, the anti-virus security company noted: “The website, CVEDetails.com, shows an average vulnerability score of 6.8 across all known vulnerabilities and on all known platforms.”

Of the more than 80,000 known vulnerabilities in the CVE database, 12,000 (around 15%) of them are classified as high-severity, said F-Secure.

F-Secure said high-severity vulnerabilities are generally considered the top priority. “They get handled in well-run organizations. High-severity vulnerabilities get a lot of visibility and, because of this, they’re patched on the spot.

“Your CISO is probably more worried about phishing and upstream attacks than internal network misconfigurations and unpatched internal systems. As an IT admin, taking care of infrastructure is your biggest concern.”

As such, applying every patch to every piece of software on every system on the corporate network, as the patch is released, is just not feasible. F-secure said admins rely on periodic patch cycles to fix low severity vulnerabilities, if they patch at all.

“Taking time out of their day to understand the implications of every newfound vulnerability out there is too much ask for most IT admins,” the report noted.

“In many cases, they simply don’t bother,” it said, adding that the challenge for CISOs is prioritizing what to patch first.

The company said most users are ill-prepared for a world where information on the internet is never forgotten.

The report stated: “People say they understand the internet, and maybe in a technical sense they do. But most users are in the dark when it comes to grasping the significance of technologies that log and track everything.

“Very few people fully comprehend the fact that their data isn’t going to disappear, so defenders need to protect it. That protection cannot depend completely on the idea that security plans – no matter how good they are – are foolproof.”

 

via:  computerweekly