Monthly Archives: November 2017

AVGater abuses antivirus software for local system takeover

A new proof-of-concept exploit, called AVGater, has found a way to abuse antivirus quarantines to attack systems and gain full control.

Security researchers described a proof-of-concept exploit that affects multiple antivirus products and can lead to a full system takeover.

Florian Bogner, a security researcher based in Vienna, disclosed the issue and named it AVGater, because, as Bogner wrote in his blog post, “every new vulnerability needs its own name and logo.”

Bogner said AVGater works by “manipulating the restore process from the virus quarantine.”

“By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated, so that previously quarantined files can be written to arbitrary file system locations,” Bogner wrote in his blog post. “By restoring the previously quarantined file, the SYSTEM permissions of the AV Windows user mode service are misused, and the malicious library is placed in a folder where the currently signed in user is unable to write to under normal conditions.”

According to Bogner, he disclosed the AVGater vulnerability to Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point and Ikarus Security Software, and all of those vendors have released patches for affected products.

Bogner did not specifically mention Symantec or McAfee in his post, and neither company responded to questions at the time of this article.

Bogner suggested that keeping software up-to-date is a good way to mitigate the risk of AVGater, but also noted there are limitations to the exploit.

“As AVGater can only be exploited if the user is allowed to restore previously quarantined files, I recommend everyone within a corporate environment to block normal users from restoring identified threats,” Bogner wrote. “This is wise in any way.”

Satya Gupta, founder and CTO at Virsec Systems, an application threat software company based in San Jose, Calif., said AVGater is yet another way an attacker could manipulate “legitimate processes to launch malicious code or scripts.”

“It’s also another nail in the coffin for conventional signature-based antivirus solutions. We’ve known for a while that fileless and memory-based exploits fly under the radar of most AV systems, but now hackers can use AV tools to essentially disable themselves,” Gupta told SearchSecurity. “Hackers are relentless and will inevitably find clever ways to bypass perimeter security. The battle has to move to protecting the integrity of applications for process and memory exploits.”

 

 

via:  techtarget

How a Medical Device Vulnerability Can Compromise Privacy

Medical device cybersecurity scrutiny usually focuses on potential patient safety issues. But vulnerabilities identified in a cardiac pacemaker programming device illustrate the risks also posed to patient data privacy, says Billy Rios, a researcher who discovered the problem.

Vulnerabilities identified by Rios and his colleague, Jonathan Butts, last year while examining Boston Scientific cardiac pacemaker programming devices – the Zoom Latitude Programmer/Recorder/Monitor Model 3120 – resulted in the Department of Homeland Security recently issuing a security alert.

In its alert, DHS’s Industrial Control Systems Cyber Emergency Response Team describes how physicians use the portable cardiac rhythm management systems – or programmer – for implanted pacemakers and defibrillators. The vulnerabilities spotlighted in the alert involve the Boston Scientific device using “a hard-coded cryptographic key to encrypt protected health information prior to having data transferred to removable media.” Use of such a key significantly increases the possibility that encrypted data may be recovered. The alert also notes that the “device does not encrypt PHI at rest.”

Although that Boston Scientific cardiac programming device is not network accessible and the identified vulnerabilities are not remotely exploitable, the problems found by Rios and Butts could enable a potential attacker with physical access to the device to obtain patient data, the alert says.

More to Come?

The specific Boston Scientific PRM model that is the subject of the ICS-CERT alert is among a variety of vendors’ programming devices that Rios and Butts purchased from online auction sites for their security research, Rios explains in an interview with Information Security Media Group.

“The [vulnerable] PHI [cryptographic] key that we saw on the [Boston Scientific] programmer, that’s just the first of others to come,” Rios warns, adding that various vulnerabilities the researchers found on other vendors’ programming devices could also potentially result in additional government alerts.

“For some of the [resold] programmers, we actually found real patient data on them. So, when you look at the ICS-CERT advisory for the Boston Scientific programmer, you see that we basically have the key to decrypt the different pieces of data on [that] programmer.”

Breach Risk

The researchers’ finding of actual patients’ PHI – including names and Social Security numbers – on some of the examined resold devices suggests that there are not only weaknesses in the products’ design and features, but also point to sloppy practices by some healthcare entities that neglect to erase patient data before getting rid of the products, Rios says.

“That means anyone could have literally purchased these [used] devices and gotten this patient data off of these devices,” he says.

“So if you’re a hospital or a health delivery organization … when you go to the end of your device life cycle, when you turn the device in or dispose of it, you need to be sure your hospital’s or patients’ data is not on those devices,” he says. “If those devices end up on an auction website … or given to someone who’s not supposed to have it, and your hospital’s data is on there, that can put you at a lot of risk.”

Boston Scientific Responds

In a statement provided to ISMG, Boston Scientific says the company “rigorously” evaluates the security of its rhythm management devices through a comprehensive security risk assessment process, aligned with the Food and Drug Administration’s guidance.

“The ICS-CERT advisory highlights the importance of physical security in mitigating the risk of unauthorized users accessing patient data stored on a medical device – much like a laptop left in an open space is at risk of a security breach,” Boston Scientific says.

“The findings of the advisory do not impact patient safety, and in order to reduce risk of exploitation of protected health information, programmers and any related data storage drives should be physically secured and patient data should be removed from the device before it is retired.”

In the interview (see audio player below photo), Rios also discusses:

  • Medical device cybersecurity problems that result in patient safety versus data security risks;
  • Whether the issues the two researchers identified are common to other types of medical devices;
  • The prospect of additional security or safety alerts from government agencies resulting from the research.

Rios is the founder of information security research firm WhiteScope, based in Half Moon Bay, Calif. His previous roles included director of vulnerability research and threat intelligence for Qualys, global managing director of professional services for Cylance, and “security ninja” for Google. He’s also served as an officer in the U.S. Marines and worked as an information assurance analyst for the U.S. Defense Information Systems Agency.

 

via:  inforisktoday

Google can read your corporate data. Are you OK with that?

Some cloud providers reserve the right to scan your data for various violations, but few enterprises know if they or their employees have agreed to such terms of service.

On Halloween, Google told its Google G Suite users that “this morning, we made a code push that incorrectly flagged a small percentage of Google Docs as abusive, which caused those documents to be automatically blocked. A fix is in place and all users should have full access to their docs.”

That misfire reminded everyone that cloud providers have access to all your data. Many people worried that Google was scanning users’ documents in real time to determine if they’re being mean or somehow bad. You actually agree to such oversight in Google G Suite’s terms of service.

Those terms include include personal conduct stipulations and copyright protection, as well as adhering to “program policies.” Who knows what made the program that checks for abuse and other violations of the G Suite terms of service to go awry. But something did.

And it’s not just Google that has such terms. Chances are you or your employees have signed similar terms in the many agreements that people accept without reading.

The big concern from enterprises this week was not being locked out of Google Docs for a time but the fact that Google was scanning documents and other files. Even though this is spelled out in the terms of service, it’s uncomfortably Big Brother-ish, and raises anew questions about how confidential and secure corporate information really is in the cloud. 

So, do SaaS, IaaS, and PaaS providers make it their business to go through your data? If you read their privacy policies (as I have), the good news is that most don’t seem to. But have you actually read through them to know who, like Google, does have the right to scan and act on your data? Most enterprises do a good legal review for enterprise-level agreements, but much of the use of cloud services is by individuals or departments who don’t get such IT or legal review.

Enterprises need to be proactive about reading the terms of service for cloud services used in their company, including those set up directly by individuals and departments. It’s still your data, after all, and you should know how it is being used and could be used.

Typically, these terms are not negotiable, so you have to be prepared to block cloud providers whose terms are unacceptable and provide users an alternative. But cloud providers might be willing to rewrite portions of their terms of service over privacy concerns if you enterprise is large enough—so ask!

Perhaps the scariest part of this is that you typically have no way of auditing the public cloud to determine if they are checking out your data or not, whether or not their terms of service give them that right. At the end of the day, this comes down to trust. But you should at least be aware of what your providers can do, so you can decide whom to trust.

 

via:  infoworld

Good News/Bad News for Security Protection

Was the Equifax breach finally the wake-up call that organizations needed?

Varonis conducted a survey of IT decision makers in the U.S. and Europe, wondering if large breaches like Equifax are redefining security postures. What they found is a disconnect between security expectations and security reality.

Nearly nine in 10 respondents said they are confident about their cybersecurity posture and are in a position to protect their organization from an impending threat, and another 85 percent said they have changed or plan to change their security policies and procedures in the wake of widespread cyberattacks, which is good, because nearly half believe that their company will experience a major security incident within the next year.

However, you have to wonder if they are truly that confident or if they are exaggerating their security posture and their internal security skills. The report also said this:

Attackers that successfully get onto a network can move laterally if access to information is available. Yet surprisingly only 66 percent of U.S. organizations and 51 percent of EU organizations fully restrict access to sensitive information on a “need-to-know” basis. . . . As shown with the DNC and Equifax breaches, attackers can get onto a network and spend weeks or even months stealing sensitive information before anyone knows they’ve been compromised. Despite these dangers, 8 out of 10 respondents in the EU and the U.S. are confident or very confident that hackers are not currently on their network.

Unfortunately, we don’t know what they base that confidence on, and that could spell disaster if it is falsely placed.

Michael Patterson, CEO of Plixer, told me in an email comment that he sees the results of this survey as good news/bad news:

The good news from this is that these executives are asking their security teams questions relating to preparedness. The bad news from this is IT teams are often fearful to expose weakness. Unless there is a culture of openness and a willingness to invest more time, people, and money, nobody really wants to respond with anything other than “we are prepared.” IT teams are fearful that exposing vulnerabilities will reflect poorly on them. There must be a shift of attitude from the boardroom all the way to the security operations teams acknowledging that prevention is impossible.

To be truly prepared, Patterson added, organizations need to have a well-defined incident response process and access to forensic data from network traffic analytics so that when an incident does occur, organizations are able to quickly understand all of the logistics of the breach and return the company to normal functions as soon as possible.

So to answer my opening question, was the Equifax breach the wake-up called needed? I think the answer is mixed. Yes, security decision makers are forced to look more closely at their security posture, but I think there is still a long way to go to really understand how to best protect the network and data.

 

via:  itbusinessedge

U.S. will only approve AT&T-Time Warner deal if CNN is sold

The U.S. Department of Justice may block Time Warner’s sale to AT&T if it doesn’t sell CNN first, according to a report from the Financial Times. The $85.4 billion deal was proposed last year, just weeks before the U.S. presidential election.

After Donald Trump was elected, some wondered if his disdain for the cable news channel would somehow thwart the deal. The FT is now reporting that this may actually happen.

image

 

The FT report says that AT&T is opposed to selling CNN and plans to fight this in court.

The New York Times is now reporting that if AT&T doesn’t sell Turner Broadcasting, the group that owns CNN, it could be asked to sell DirecTV instead. AT&T purchased DirecTV in 2015.

AT&T CFO John Stephens acknowledged at a conference on Wednesday that the timing of the deal is “now uncertain.” It was originally expected to close by the end of the year.

In a press release following the conference, AT&T said its “discussions with the U.S. Department of Justice regarding the company’s acquisition of Time Warner are continuing. Stephens said he couldn’t comment on those discussions but that there is now uncertainty as to when the deal will close.”

 

image

 

It’s typical for large deals to undergo antitrust review to avoid unfair competition or monopolies. It’s not typical for the president to weigh in on a deal due to a personal grudge against a company.

Shortly before the election, Trump promised to block the deal if he were elected to office. At one point, he said the acquisition could “destroy democracy.” He later said “I haven’t seen any of the facts.”

In a recent post on TechCrunch, Senator Al Franken argued that that the sale of Time Warner to CNN is a “raw deal” that would be bad for consumers.

If CNN does not end up selling to AT&T, a long-time rumor is that it could sell to CBS. Earlier this year, CBS CEO Les Moonves said that he believes CNN could “enhance” CBS,  “but I don’t think that’s on the table right now.”

 

via:  techcrunch

LinkedIn and Microsoft team up for a resume building assistant in Word

LinkedIn, the social network for professionals that was acquired by Microsoft for $26.2 billion, is today rolling out the latest product in its deepening relationship with its owner. The two are unveiling Resume Assistant, a resume builder in Microsoft Word that will be powered by data from LinkedIn — letting you import information about yourself and the companies that you have worked for into your Word document, tapping into some algorithms and artificial intelligence to help suggest wording and other items to help fill out your experience.

The feature will start to go live Thursday, first to Office 365 subscribers on PC (part of the Office Insiders program) and then more widely to other Word users in future months.

The move follows several other products that have come out over the last couple of months that have seen the two companies finally working more closely together.

They have included LinkedIn integrations into Outlook to enhance contact info in your email inbox, which was the first step in a bigger strategy announced in September of this year to integrate more LinkedIn data into Office 365 products.

There are a number of areas where we have not seen collaboration, but that could be ripe areas for it — for example Cortana integration into LinkedIn’s new “smart replies” feature that suggests replies and wording to people sending messages to each other; or Skype integration into the same messaging service to allow for voice and video calling.

What’s interesting with this latest development is that it taps into pre-existing strategies for both Microsoft and LinkedIn.

On the side of Microsoft, the company has been offering templates to Word users for years already, giving them prompts to help them create prettier and more useful documents in a program that — let’s be honest — has over the ages become weighted down with so many features, that no number of Clippy iterations or help windows will help you out quickly.

This will be one of the first instances of Microsoft not only giving you help with the format of a document, but with the content that goes into it, and a resume is a pretty important and often foxing document at that.

On the part of LinkedIn, it has a long history of working on ways to essentially mimic or even replace the function of a resume for its members.

This has included trying to forge closer ties with universities and other places of learning to help users tie in these very earliest stages of their career development, and a way to allow people to apply for jobs using their LinkedIn profiles as resume proxies for people to share their resumes with each other when applying for jobs.

Although Microsoft and LinkedIn are not talking about this explicitly as an exercise in artificial intelligence, there will be some assistant-like features incorporated into Resume Assistant. They will include suggestions for how to word items in your resume.

For example, once you begin to enter information, the assistant will suggest “insights from millions of member profiles so you can see diverse examples of how professionals in that role describe their work,” notes Kylan Nieh, a product manager at LinkedIn who worked on the integration. The same will apply for what kinds of skills you can describe yourself as having: you’ll get suggestions for these based on skills “other successful professionals in your desired role and industry have, so you can add them if applicable.”

The other area where the Resume Assistant will be proactive is in, well, giving you an idea of where to target your resume in the first place. The feature reverse-engineers to read what you have in your profile to suggest job listings to you that are relevant. “Along with job openings, you’ll see details of what the job requires, helping you to tailor your resume to a specific role,” Nieh notes.

You will also be able to turn on Open Candidates, the feature that lets you signal to recruiters only that you’re open to getting approached for a job, signaling another way that the two companies are coming closer together.

imageimage

 

via:   techcrunch

Another misconfigured Amazon S3 server leaks data of 50,000 Australian employees

Another misconfigured Amazon server has resulted in the exposure of personal data – this time on 50,000 Australian employees that were left unsecure by a third-party contractor.

This is country’s second largest data breach since the information of 550,000 blood donors was leaked last year.

Records including full names, passwords, salaries, IDs, phone numbers, and some credit card data were left exposed with 25,000 of the records coming from AMP Ltd, 17,000 records belonging to Cimic Group Ltd. subsidiary UGL Ltd, 4,770 from Australian government departments, and 1,500 from Rabobank, according to iTnews.

None of the organizations impacted named the third party responsible. A Polish researcher by the moniker “Wojciech” spotted the exposed server by conducting a search for Amazon S3 buckets set to open, with “dev”, “stage”, or “prod” in the domain name, and containing specific file types like xls, zip, pdf, doc and csv.

The database backups were made in March 2016 and Wojciech told the publication most of the credit card numbers had been cancelled and that many of the records were available in duplicate. Even though the payment information may be useless, researchers warn the stolen information could still be used in conjunction with other information for social engineering attacks and to break into other sites if credentials are shared between platforms.

“In the hands of fraudsters and criminal organizations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world,” Lisa Baergen, director at NuData Security told SC Media. “Using these real identities, and sometimes fake identities with valid credentials, they’ll take over accounts, apply for loans and much more. Every hack has a snowball effect that far outlasts the initial breach.”

Baergen added that any personal information can be valuable to fraudsters and that everything that can be used to compile an identity will be used. To protect themselves, users should enable two factor authentication whenever possible.

 

via:  scmagazine

Facebook will teach the unemployed digital/social media skills in 30 cities

Whether it’s to “bring the world closer together” or improve its public image, Facebook today announced Community Boost. Facebook tells me it’s investing tens of millions of dollars into the program that will travel to 30 cities around the U.S. in 2018. It will teach digital job skills to the unemployed, internet literacy to those just getting online, startup methodology to entrepreneurs and customer growth to small business owners.

Unsurprisingly, though, all these skills revolve around Facebook, which Facebook clearly thinks is the key to a better life. Stops on the tour include Houston, St. Louis, Albuquerque, Des Moines and Greenville, South Carolina — which are conspicuously all red states that voted for Trump in the 2016 election. Perhaps Facebook hopes to reduce unemployment that led to the dissatisfaction with current political systems which landed us Trump.

Facebook cites research by Morning Consult indicating “62% percent of US small businesses using Facebook said having digital or social media skills is an important factor in their hiring decisions — even more important than where a candidate went to school.” Houston Mayor Sylvester Turner says that “We’re happy to welcome Facebook to Houston to boost our residents’ digital skills and make sure our vibrant community of entrepreneurs and small businesses gets more out of the internet.”

The program might be perceived as less self-serving if Facebook had concentrated on teaching skills beyond it site, like how to make a good-looking resume or handle job interviews. So while the intention behind Facebook Community Boost might be honest, it’s tough to interpret it as altruistic while Facebook is amidst congressional hearings into election interference on its platform and is toying with the entire journalism industry as it sucks out ad dollars and jobs.

Here’s a look at Facebook’s plans for the program, with the parts where people learn to better use Facebook bolded.

  • If you’re looking for a job, we’ll provide training to help you improve your digital and social media skills. According to the research, 62% percent of US small businesses using Facebook said having digital or social media skills is an important factor in their hiring decisions — even more important than where a candidate went to school.

  • If you’re an entrepreneur, we’ll have training programs on how to use technology to turn an idea into a business or show you ways to create a free online presence using Facebook.

  • If you’re a business owner we’re going to offer ways your business can expand its digital footprint and find new customers around the corner and around the globe.

  • If you’re getting online for the first time or you want to support your community, we’ll provide training on digital literacy and online safety. And we’ll also help community members use technology to bring people together, with features like Events and Groups.

All that said, it’s hard to imagine any of the other tech giants like Google, Apple or Amazon pouring resources into something so directly tied to improving people’s socioeconomic mobility. Similar to Mark Zuckerberg’s 2017 challenge to meet people from every U.S. state that finished today in Missouri, you can either see it as just publicity, or as Facebook legitimately wanting to get out and hear from its constituency. Users can request Community Boost come to their city by filling out this form.

“One of the things I’m most proud of is that 70 million small businesses use Facebook to connect with customers,” writes Zuckerberg about today’s announcement. “That’s 70 million people who now have access to the same tools the big guys have. Now we need to make it easier for people to start and build new businesses or find jobs and opportunities, and in the process strengthen their communities.”

Facebook tells me it’s invested more than $1 billion into supporting small businesses since 2011 through programs like Boost Your Business classes, which teaches social media management, and the Blueprint online learning hub that 1 million businesses have looked to for social marketing skills. Facebook also is building a digital marketing curriculum to train 3,000 Michiganders in the next two years.

[Update: Facebook contacted me after I published this story to emphasize that “Facebook Community Boost will provide more than just training on Facebook.” One way it plans to do that is through partnerships with tech training schools for adults and coding bootcamps like Grand Circus in Michigan. These could help people go beyond basic social media skills and get actual computer science education.]

It will take a lot more to convince people Facebook is a benevolent force in the world. Even though its heart is often in the right place, Facebook has demonstrated an inability to predict the misuse and negative secondary impacts of its platform or do enough preemptively to prevent these problems. But if it wants to mend the rift in U.S. society, getting more people employed is a good start.

 

via:  techcrunch

Logitech Will Be Intentionally Bricking All Harmony Link Units on March 16th, 2018

Logitech will be deliberately bricking every unit of the Harmony Link, a universal hub which allows users to control their home theater systems and a variety of other devices from their smartphones, on March 16th, 2018. According to Bleeping Computer, on that date Logitech will issue a firmware update that permanently disables the devices. As Popular Science additionally noted, the Harmony Link relies upon a cloud-based service to function that will be taken offline, ensuring that users will be locked out no matter what.

Rory Dooley, head of Logitech Harmony, told Gizmodo in a statement that the decision to turn off the devices “does not impact Logitech’s commitment to Logitech Harmony customers,” adding that those within a one-year warranty period could exchange their devices for free for an upgraded Harmony Hub. Other owners can get a “one-time discount offer” (35 percent, per Bleeping Computer) on the $100 replacement.

Dooley told Gizmodo they had discontinued support for the devices because of the expiration of a security license, and that the product only had a “small user base.”

“The technology certificate (for Harmony Link) is an encryption certification that expires in the spring of 2018, which may open the product up to potential security vulnerabilities,” Dooley added. “We’ve refocused development resources on newer technologies, and therefore, we are not updating the Harmony Link certificate.”

While Dooley said the product was last sold by Logitech in 2015, Bleeping Computer reported the company “held fire sales for Harmony Link devices in the past months, offering the universal hubs at lowered prices and with a warranty of only three months.” It also noted that users on Logitech’s forums claimed the terms “class action lawsuit” were being censored.

Discontinuing support for an aging product is pretty par for the course and more or less inevitable, given it’s impossible to expect companies to commit resources to maintaining old technology forever. Deliberately bricking those products while encouraging them to migrate to a newer model is, on the other hand, a considerably rarer thing to do—though consumers should be wary that with the rise of networked home electronics, companies can choose to turn off their tech at the flick of a button.

As Ars Technica noted, Harmony Link owners on web forums don’t seem to have noticed any significant problems with their devices and likely expected to continue using them until they stopped functioning. Them’s the breaks, apparently.

 

 

via: BleepingComputer , gizmodo

Four years later, Yahoo still doesn’t know how 3 billion accounts were hacked

In a security hearing that called both Equifax and Yahoo’s past and present executives to Washington, D.C., we’re learning a bit more about what Yahoo didn’t know about the biggest hack in history.

When pressed about how Yahoo failed to recognize that 3 billion accounts — and not 500 million as first reported — were compromised in what was later revealed to be a state-sponsored attack by Russia, former Yahoo CEO Marissa Mayer admitted that the specifics of the attack still remain unknown.

“To this day we have not been able to identify the intrusion that led to this theft,” Mayer told the Senate Commerce Committee. “We don’t exactly understand how the act was perpetrated. That certainly led to some of the areas where we had gaps of information.”

Notably, while Mayer is no longer with the company, Verizon Chief Privacy Officer Karen Zacharia, also present on the panel, did not chime in to disagree with that assessment.

Yahoo did not notice that it had been compromised in 2013 and 2014 until third-party evidence of the hack was presented to the company by law enforcement in 2016. Yahoo then began working with the Department of Justice and the FBI, and the agencies concluded that in 2014 the company was a victim of a massive Russian state-sponsored attack for which it was in no way prepared.

“Yahoo worked closely with law enforcement, including the Federal Bureau of Investigation, who were ultimately able to identify and expose the hackers responsible for the attacks,” Mayer said in her testimony. “We now know that Russian intelligence officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on Yahoo’s systems.”

According to Zacharia, Verizon obtained new details on the hack after it acquired Yahoo in June of 2017. The new parent company acted within a week to disclose the vastly widened scope of the attack, which tripled to 3 billion affected users.

“We obtained new information from a third party and reviewed it with the assistance of the same outside forensic experts that Yahoo had used previously,” Zacharia explained in her opening remarks. “Based on that review, we concluded that all accounts — and not just a subset — were impacted by the 2013 security incident.”

 

via:  techcrunch