Monthly Archives: May 2018

Signal Patches Code Injection Bug that Enabled Remote Code Execution

Signal patched a code injection vulnerability that by some means of exploitation enabled attackers to achieve remote code execution.

The security team for the encrypted communications app, a program which has been available for both Android and iOS since November 2015, published a fix for the bug just hours after first being contacted by a group of security researchers.

Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo, with assistance from Javier Lorenzo Carlos Smaldone, accidentally discovered the vulnerability on 10 May. They were passing XSS payloads back and forth when one of the payloads triggered in Signal’s desktop version. Further investigation confirmed that the weakness worked on different platforms, including Linux, Windows and macOS.

Iván Ariel Barrera Oro shared additional details about the vulnerability in a blog post:

We tried different kinds of HTML elements: img, form, script, object, frame, frameset, iframe, sound, video (these last two were funny). They all worked, except that CSP blocked the execution of scripts, which halted in some way this attack. Inside iframes, everything was possible, even loading code from an SMB share! This enables an attacker to execute remote code without caring about CSP. Juliano worked on this with Alfredo, along with trying to get a manageable segmentation fault.

[image: the researchers’ tweet]

Shortly after publishing the above Twitter notification on 11 May, the security researchers reached out to Signal. The encrypted messaging app’s security folks confirmed they were working on a patch two hours later. It took just another hour more for Signal’s security team to release a patch.

Iván Ariel Barrera Oro was surprised at how quickly Signal released the fix, especially given its size. He therefore decided to have a look at the patch file’s history. It’s then that he discovered that the messaging app had previously created the fix but had removed it on 10 April to fix a linking issue.

The security researcher admitted he still has his doubts about the patch file:

I’m still not convinced about that regex and I’m afraid someone might exploit it, especially those resourceful three-letter agencies….

Signal users should consider updating their software as soon as possible.
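As an added illustration, not code from Signal or the researchers, the block below shows the two defensive points behind this report: why a policy that only restricts script-src does not stop iframe, object, image or media loads (the CSP3 fallback chain), and how escaping untrusted message text before it is rendered makes those payload classes inert. The policy strings and the element-to-directive list are constructed from the article’s description and are not Signal’s actual policy.

```javascript
// Added example, not Signal's or the researchers' code. Two things the report
// above hinges on: (1) a CSP that restricts only script-src leaves img, media,
// object, frame and form loads governed by other directives, which fall back to
// default-src or to nothing at all; (2) escaping untrusted text before it is
// rendered as markup makes every one of those payload classes inert.
// The policy strings below are constructed for comparison, not Signal's real CSP.

// CSP3 fallback chain: frame-src -> child-src -> default-src; most fetch
// directives -> default-src; form-action has no fallback (unrestricted if absent).
const FALLBACK = {
  'script-src': ['default-src'],
  'img-src': ['default-src'],
  'media-src': ['default-src'],
  'object-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
  'form-action': [],
};

// HTML elements the researchers listed, mapped to the directive that governs them.
const ELEMENT_DIRECTIVE = {
  script: 'script-src',
  img: 'img-src',
  video: 'media-src',
  audio: 'media-src',
  object: 'object-src',
  iframe: 'frame-src',
  frame: 'frame-src',
  form: 'form-action',
};

// Parse "dir src src; dir src" into { dir: [src, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// The source list that actually governs a directive, after fallback; null if none.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  for (const fallback of FALLBACK[directive] || []) {
    if (policy[fallback]) return policy[fallback];
  }
  return null;
}

// True when the governing list permits loads from somewhere other than 'self'
// (any host or scheme source; keywords such as 'none' or 'unsafe-inline' are not hosts).
function allowsExternal(sources) {
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  return sources.some((s) => s !== "'self'" && !s.startsWith("'"));
}

// Report which listed elements could still load external content under a policy,
// as { element: governingDirective }. An empty object means every class is closed.
function auditCsp(header) {
  const policy = parseCsp(header);
  const open = {};
  for (const [element, directive] of Object.entries(ELEMENT_DIRECTIVE)) {
    if (allowsExternal(effectiveSources(policy, directive))) open[element] = directive;
  }
  return open;
}

// Escape the characters that let text be interpreted as markup. Equivalent to
// assigning textContent instead of innerHTML; no regex over tag names is needed.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed policies for comparison.
const SCRIPT_ONLY_CSP = "script-src 'self'";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self'; object-src 'none'; frame-src 'none'; form-action 'self'";

console.log('script-only policy leaves open:', auditCsp(SCRIPT_ONLY_CSP));
console.log('hardened policy leaves open:', auditCsp(HARDENED_CSP));
console.log(escapeHtml('<iframe src="https://example.test/"></iframe>'));
```

Note that even `default-src 'self'` alone leaves form-action unrestricted, because that directive has no fallback; it must be set explicitly.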

via:  tripwire

Chili’s Restaurants Suffered Payment Card Data Security Incident

Some Chili’s restaurant locations suffered a data security incident that might have compromised customers’ payment card details.

Brinker International, a Dallas-based multinational hospitality industry company which operates 1,600 Chili’s restaurants, said it learned of the incident on 11 May. It provided additional details about the event in a press release:

…We believe that malware was used to gather payment card information including credit or debit card numbers as well as cardholder names from our payment-related systems for in-restaurant purchases at certain Chili’s restaurants. Currently, we believe the data incident was limited to between March – April 2018….

The parent company further explained that Chili’s does not store customers’ Social Security Numbers, dates of birth or other pieces of sensitive information.

To address the incident, Brinker revealed it’s currently working with third-party forensic experts. It articulated its hopes that their analysis will reveal how the instance of unauthorized access on Chili’s payment systems occurred as well as how many Chili’s locations and customers the incident affected. Additionally, the company pledged to cooperate with law enforcement, which it notified of the incident.

In the meantime, the hospitality organization made public that it’s working to set up identity theft and credit monitoring services for affected Chili’s customers. It also said that it will post any new information of which it learns to its incident disclosure notice.

Customers who used their payment cards at a Chili’s restaurant between March and April 2018 should consider monitoring their bank and credit card statements closely. If they detect any suspicious transactions, they should notify their financial institution and/or card issuer as soon as possible along with local police and the FTC. They might also consider placing a security freeze or fraud alert on their credit reports.

News of this incident places Chili’s on a growing list of restaurants that have suffered data security incidents affecting customers’ payment cards. Those victims include Applebee’s, Shoney’s and Arby’s.

To help protect themselves against similar security events, organizations should consider how they can strengthen the security of their point-of-sale (POS) systems.

via:  tripwire

US cell carriers are selling access to your real-time phone location data

The company embroiled in a privacy row has “direct connections” to all major US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint — and Canadian cell networks, too.

Four of the largest cell giants in the US are selling your real-time location data to a company that you’ve probably never heard about before.

In case you missed it, a senator last week sent a letter demanding the Federal Communications Commission (FCC) investigate why Securus, a prison technology company, can track any phone “within seconds” by using data obtained from the country’s largest cell giants, including AT&T, Verizon, T-Mobile, and Sprint, through an intermediary, LocationSmart.

The story blew up because a former police sheriff snooped on phone location data without a warrant, according to The New York Times. The sheriff has pleaded not guilty to charges of unlawful surveillance.

Yet little is known about how LocationSmart obtained the real-time location data on millions of Americans, how the required consent from cell phone owners was obtained, and who else has access to the data.

Kevin Bankston, director of New America’s Open Technology Institute, explained in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn’t restrict disclosure to other companies, who then may disclose that same data to the government.

He called that loophole “one of the biggest gaps in US privacy law.”

“The issue doesn’t appear to have been directly litigated before, but because of the way that the law only restricts disclosures by these types of companies to government, my fear is that they would argue that they can do a pass-through arrangement like this,” he said.

LocationSmart, a California-based technology company, is one of a handful of so-called data aggregators. It claimed to have “direct connections” to cell carrier networks to obtain real-time cell phone location data from nearby cell towers. It’s less accurate than using GPS, but cell tower data won’t drain a phone battery and doesn’t require a user to install an app. Verizon, one of many cell carriers that sells access to its vast amounts of customer location data, counts LocationSmart as a close partner.

The company boasts coverage of 95 percent of the country, thanks to its access to all the major US carriers, including US Cellular, Virgin, Boost, and MetroPCS, as well as Canadian carriers, like Bell, Rogers, and Telus.

“We utilize the same technology used to enable emergency assistance and this includes cell tower and cell sector location, assisted GPS and cell tower trilateration,” said a case study on the company’s website.

“With these location sources, we are able to locate virtually any US based mobile devices,” the company claimed.

A person’s precise location can be returned in as little as 15 seconds, according to another case study, and data is usually not cached for longer than two minutes.

Other companies then buy access to LocationSmart’s data — or the data is obtained by a customer of LocationSmart, like 3Cinteractive, which is said to have supplied location data to Securus.

But LocationSmart hasn’t said how it ensures its corporate customers protect the location data to prevent abuse and misuse. A spokesperson for LocationSmart did not return an email with several questions sent prior to publication.

Companies buy into LocationSmart’s location data for many reasons. Sometimes it’s to help locate a nearby store, or to send a marketing text message when a person visits a rival store. Location data can even be used by companies to track deliveries or shipments, or by banks to fight fraud, such as if a person is making card transactions miles apart within just a few minutes of each other.

In any case, the company requires explicit consent from the user before their location data can be used, by sending a one-time text message or allowing a user to hit a button in an app.

LocationSmart also said it allows some customers to obtain “implied” consent, used on a case-by-case basis, when “the nature of the service implies that location will be used.” The company said one example could be when a stranded motorist calls roadside assistance, and the event implies the person is “calling to be found.”

The company even has its own “try-before-you-buy” page that lets you test the accuracy of its data. With a colleague’s consent, we tracked his phone to within a city block of his actual location.

(Screenshot: ZDNet)

The data aggregator said it has access to carrier network location data “because privacy is built into its cloud-based platform.”

While that may be true, the requirement to obtain a person’s consent collapses if a search warrant for that data is issued. That’s exactly how companies like Securus can reveal location data without asking a person’s permission.

According to a Nebraska state government document, an application “can also be configured — with carrier approval and appropriate warrant documentation — to retrieve location data without the user opting-in.” Securus was able to return real-time location data on users without their consent because the system required a valid order be submitted first.

However, as The New York Times reported, Securus never verified orders before spitting back results.

We reached out to the four major US carriers prior to publication. We asked how each carrier obtains consent from customers to sell their data and what safeguards they put in place to prevent abuse.

Sprint spokesperson Lisa Belot said the company shares personally identifiable location data “only with customer consent or in response to a lawful request such as a validated court order from law enforcement.”

The company’s privacy policy, which governs customer consent, said third-parties may collect customers’ personal data, “including location information.”

Sprint said the company’s relationship with Securus “does not include data sharing,” and is limited “to supporting efforts to curb unlawful use of contraband cell phones in correctional facilities.”

When asked the same questions, Verizon spokesperson Rich Young provided a boilerplate response regarding Securus and would not comment further.

“We’re still trying to verify their activities, but if this company is, in fact, doing this with our customers’ data, we will take steps to stop it,” he said.

AT&T spokesperson Jim Greer said in a statement: “We have a best practices approach to handling our customers’ data. We are aware of the letter and will provide a response.” Our questions were also not answered.

A spokesperson for T-Mobile did not respond by our deadline.

“It’s important for us to close off that potential loophole and that can easily be done with one line of legislative language,” said Bankston, “which would also have the benefit of making every other company careful about always getting consent before disclosing your data to anyone.”

Ron Wyden, a Democratic senator from Oregon, called on each carrier to stop sharing data with third parties. Wyden argued the sharing “skirts wireless carriers’ legal obligation to be the sole conduit by which the government may conduct surveillance of Americans’ phone records.”

In a blog post, Electronic Frontier Foundation (EFF) said law enforcement may be violating the law by not seeking data directly from the phone carriers. “Law enforcement shouldn’t have unfettered access to this data, whether they get it from Securus or directly from the phone companies,” said the EFF.

Wyden has also called on the FCC to investigate the carriers for allegedly not obtaining user consent.

The FCC has not said yet if it will investigate.

via:  zdnet

NATO Exercise Tests Skills of National Cyber Defenders

More than 1,000 experts from nearly 30 countries have tested their ability to protect IT systems and critical infrastructure networks at NATO’s Locked Shields 2018 live-fire cyber defense exercise.

A total of 22 Blue Teams took part in the exercise, including representatives of NATO, the European Union, the United States, the United Kingdom, Estonia, Finland, Sweden, Latvia, France, the Czech Republic, and South Korea.

Locked Shields, organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) since 2010, took place on April 23-26 in Tallinn, Estonia, and it was won by a 30-member team representing NATO. Teams from France and the Czech Republic finished in second and third place, respectively.

The exercise tested not only the technical abilities of national cyber defense teams when faced with a severe attack, but also their decision-making skills, including cooperation with other teams.

The drill was based on a scenario involving a fictional country named Berylia, which got hit by a number of hostile events and coordinated cyberattacks targeting a civilian Internet services provider and a military airbase. The attacks disrupted the power grid, drones, 4G public safety networks, and other critical infrastructure.

Locked Shields involved 4,000 virtualized systems and over 2,500 attacks. Participants were tasked with maintaining complex IT systems while completing a wide range of tasks, including reporting incidents, making strategic decisions, and conducting forensic investigations.

“The exercise serves as a valuable platform for senior decision-makers to practice the coordination required to address complex cyber incidents, both internally and internationally. In the strategic game of Locked Shields Blue Teams had to determine at what level the information should be shared, who has the authority to make a decision and give guidelines, what are the potential legal implications,” said Cdr. Michael Widmann, chief of the NATO CCDCOE Strategy Branch.

“Overall the exercise was a success. Teams coordinated in a complex and dynamic environment and addressed key issues necessary to endure intense cyber attack,” Widmann added.

via:  securityweek

All About Peerlyst, a Thriving Online Platform for Cybersecurity Professionals

Great article from Kim Crawley about a platform I like a lot.

———–

I am very proud both to contribute to Tripwire’s The State of Security and to be a regular Peerlyst poster. Peerlyst is a very important online platform for cybersecurity professionals.

It’s my pleasure to speak with Limor Elbaz, Peerlyst’s CEO and founder. She shared with me some excellent insight about what inspired her to start Peerlyst and what makes the platform stand out from the crowd.

Kim Crawley: What inspired you to establish Peerlyst?

Limor Elbaz: My entire career was in security, from the Israeli army through starting Sansa Security, which delivered a crypto engine that is now embedded on every iPhone and Samsung phone, through starting the virus lab at Finjan and creating new products in alliances with companies like McAfee and Trend Micro. In my last gig, I was VP of corp dev at Imperva/Incapsula.

In all these roles, I’ve watched the challenge of security professionals learning, sharing knowledge, consulting with peers and the inherent conflict between security professionals and vendors. Security products are vital for the work of protecting an organization, yet most of the threat education comes from companies making those products or companies paid by them. I wanted to create a place where security professionals (and later, more IT people) will be able to share knowledge, educate and get educated, do a better job, and of course advance their career.

Along the way, we learnt that we can help vendors too by giving them a focused stage for education while keeping the quality high and not harming the users’ experience. We’re also learning that we can help recruiters fill security jobs without spending hours on interviewing irrelevant candidates.

KC: What’s the story of Peerlyst?

LE: We started by building a comprehensive algorithm to detect product names and the security taxonomy (security tags). We launched a prototype at the end of 2014 at Black Hat in Vegas, making a call to users to come and discuss products by writing reviews. Very quickly, dozens of users asked us to blog on Peerlyst’s behalf, and we realized that security professionals want to talk not only about products but also about many security topics.

The format became less rigid, and users started to create blogs and discussions, resources and even tools. In March 2016, we launched a comprehensive new site, using a new stack (Meteor.JS, MongoDB, React.JS). Users now have rich profiles, reputation building, the ability to follow anything (companies, products, people, tags), and sophisticated feeds of content.

Peerlyst now hosts an enormous amount of how-to’s that were co-created by the community, training, panels, meetups around the world and a comprehensive security calendar, all maintained by the community. A typical user would follow topics of interest, people, companies and products, and they would get a very personalized feed of content generated by the community as well as several external news items. Users get invited to posts related to their expertise and interests as well as to relevant jobs.

This makes more than half a million security professionals come to Peerlyst regularly, with a high engagement rate, long sessions and a healthy dynamic of crowdsourcing content. Users on Peerlyst are now creating thousands of security wikis. They even created ebooks that are a collaborative effort of up to a dozen users each, and they are being offered on Peerlyst, as well as Amazon (The Beginner’s Guide to Information Security, Essentials of Cybersecurity, Essentials of Enterprise Network Security, The complete WarBerryPi and more).

Next, we created Secure Drop, which is a system based on Freedom of the Press where users on Peerlyst can drop information completely anonymously, and we’re one of the first organizations to expose the 200 million breached Equifax records. This initiative evolved into nosecrets.peerlyst.com, where all this breach data is hosted in one database and users can look for records containing their data, and act on it.

KC: How does Peerlyst benefit the cybersecurity community?

LE: We’re addressing a few problems that block security professionals from doing their job and advancing their career:

  1. Inefficient knowledge flow. Vendors and analysts are good at creating educational content because they have research teams, yet not every organization can afford a subscription with an analyst firm.
  2. Formal security education and certifications are quite expensive. Peerlyst offers free peer-based training, as well as an extensive mentoring program.
  3. Security people don’t get to talk to their peers often enough. Physical events, like conferences and round tables, are not enough.

Peerlyst eliminates the barriers of information flow, enabling anyone to learn and advance their career, by accessing thousands of crowd-sourced resources, connecting with the top experts without barriers and discovering the latest trends without checking dozens of resources. Peerlyst also gives everyone an opportunity to demonstrate their own expertise in their own way and at their own pace, thus advancing everyone’s reputation and career.

KC: What types of posts are really well received?

LE: The best posts on Peerlyst are resources, which are posts that teach a skill or guide others. For example, how to perform a security task, how to acquire a specific cybersecurity role, or how to get a certification or skill. Peerlyst often creates a placeholder post, and the community builds it out. Check out this for example, a resource that was used over 50,000 times: How To Build And Run A SOC for Incident Response – A Collection Of Resources.

KC: How can companies benefit from partnering with Peerlyst?

LE: We partner with several types of companies:

  1. We syndicate content to external magazines that give our authors the credit and link.
  2. We partner with excellent writers to create awesome content for the community.
  3. Vendors can partner with Peerlyst by becoming members of our vendor community. A vendor membership sponsors the site but also allows the vendor to create a listing for the product and promote content to users in a way that is based on actual interests. (Vendors cannot buy impressions on Peerlyst. Content is distributed based on interest only to make sure that the user experience is intact.)

We welcome more ideas, wishes and feedback. Peerlyst was truly made by the community in most aspects. We are only the facilitators.

via:  tripwire

Verizon stealthily launched a startup offering $40-per-month unlimited data, messaging and minutes

Earlier this year, Verizon quietly launched a new startup called Visible, offering unlimited data, minutes, and messaging services for the low, low price of $40.

To subscribe for the service, users simply download the Visible app (currently available only on iOS) and register. Right now, subscriptions are invitation only and would-be subscribers have to get an invitation from someone who’s already a current Visible member.

Once registration is complete, Visible will send a sim card the next day, and, once installed, a user can access Verizon’s 4G LTE network to stream videos, send texts, and make calls as much as their heart desires.

Visible says there’s no throttling at the end of the month and subscribers can pay using internet-based payment services like PayPal and Venmo (which is owned by PayPal).

The service is only available on unlocked devices — and right now, pretty much only to iPhone users.

“This is something that’s been the seed of an idea for a year or so,” says Minjae Ormes, head of marketing at Visible. “There’s a core group of people from the strategy side. There’s a core group of five or ten people who came up with the idea.”

The company wouldn’t say how much Verizon gave to the business to get it off the ground, but the leadership team is comprised mostly of former Verizon employees, like Miguel Quiroga, the company’s chief executive.

“The way I would think about it... we are a phone service in the platform that enables everything that you do. The way we launched and the app messaging piece of it. You do everything else on your phone and a lot of time if you ask people your phone is your life,” said Ormes. The thinking was, “let’s give you a phone that you can activate right from your phone and get ready to go and see how it resonates.”

It’s an interesting move from our corporate overlord (Verizon owns Oath, which owns TechCrunch), which is already the top dog in wireless services, with some 150 million subscribers compared with AT&T’s 141.6 million and a soon-to-be-combined Sprint and T-Mobile subscriber base of 126.2 million.

For Verizon, the new company is likely about holding off attrition. The company shed 24,000 postpaid phone connections in the last quarter, according to The Wall Street Journal, which put some pressure on its customer base (but not really all that much).

Mobile telecommunications remain at the core of Verizon’s business plans for the future, even as other carriers like AT&T look to dive deeper into content (while Go90 has been a flop, Verizon hasn’t given up on content plans entirely). The acquisition of Oath added about $1.2 billion in brand revenue (?) to Verizon for the last quarter, but it’s not anywhere near the kind of media juggernaut that AT&T would get through the TimeWarner acquisition.

Verizon seems to be looking to its other mobile services, through connected devices, industrial equipment, autonomous vehicles, and the development of its 5G network for future growth.

Every wireless carrier is pushing hard to develop 5G technologies, which should see nationwide rollout by the end of this year. Verizon recently completed its 11 city trial-run and is banking on expansion of the network’s capabilities to drive new services.

As the Motley Fool noted, all of this comes as Verizon adds new networking capabilities for industrial and commercial applications through its Verizon Connect division, formed in part from the $2.4 billion acquisition of Fleetmatics, which Verizon bought in 2016 along with Telogis, Sensity Systems, and LQD Wifi to beef up its mobile device connectivity services.

Meanwhile, upstart entrants to challenge big wireless carriers are coming from all quarters. In 2015, Google launched its own wireless service, Project Fi, to compete with traditional carriers, and Business Insider just covered another would-be wireless warrior, Wing.

Founded by the team that created the media site Elite Daily, Wing uses Sprint cell-phone towers to deliver its service.

David Arabov and co-founder Jonathan Francis didn’t take long after taking a $26 million payout for their previous business before getting right back into the startup fray. Unlike Visible, Wing isn’t a one-size-fits-all plan and it’s a much more traditional MVNO. The company has a range of plans starting at $17 for a flip-phone and increasing to an unlimited plan at $27 per month, according to the company’s website.

As carriers continue to face complaints over service fees, locked in contracts, and terrible options, new options are bound to emerge. In this instance, it looks like Verizon is trying to make itself into one of those carriers.

via:  techcrunch

$23 kids’ book selection, in its first physical Prime book service

Along with the higher price that Amazon is introducing to Prime this month, the company is also bringing another first to its membership service: physical books. The company now has a new product called Prime Book Box, a subscription service for children’s hardback books, selected by Amazon editors, sold as part of its Prime tier. You can register now for an invite for when it starts to ship later this year, starting in the U.S.

Pricing is $22.99 per box, which Amazon says works out to 35 percent below the cumulative list price for the books, and you can subscribe for books to come in one-, two- or three-month intervals. Books are divided up by age groups of baby-two years, three-five years, six-eight years and nine-12 years, with sample titles including If Animals Kissed Good Night, A Sick Day for Amos McGee, The Willoughbys, and Arlo Finch in the Valley of Fire.

All books are hardcover, and you can opt either for four board books for kids aged two and younger, or two picture books or novels for older children.

“These books include classics that have stood the test of time as well as hidden gems that our Editors couldn’t put down—stories that your reader can enjoy again and again. We will also use your recent purchase history to avoid including a book you have already purchased on Amazon.com,” Amazon notes in its FAQ about the service.

Prime already has a reading service called Prime Reading, but it is focused around Kindle e-books, along with selected digital magazines and travel guides.

The idea of bringing out a physical book service specifically for children is notable. Parents are more likely to buy (and get gifted) physical picture books and young adult novels rather than e-books as presents, and so kids often build up libraries of these. It also could be a helpful fillip to those of us out there who are trying to figure out engaging ways of reducing screen time for offspring.

“We want to help Prime members discover great children’s books that will inspire a love of reading,” a spokesperson told TechCrunch.

It’s also a clever way of introducing younger people to using Amazon, and also for Amazon to start developing reading profiles for others in your household besides you the Amazon account holder.

This is not an insignificant data play in that regard: today, Amazon can only make approximations about which books and products are for whom in a household, and even then can only vaguely guess as to who else lives at your address and orders using your account. This is a way for the company to start building more specific profiles, and doubtless the company already has extensive algorithms to suggest what other kinds of products a reader of, say, Madeleine L’Engle, might also like to be recommended.

For now, though, the more immediate impression I have here also is that Amazon is not quite giving up on physical books just yet.

Some details that you might not see on the landing page but are notable for how this will work: customers will be able to review each box before it ships and tailor it by swapping books from a curated list, which is one way of avoiding duplicates of books you might already have.

Although books are a very common gift for children, currently you won’t be able to gift Prime Book Box subscriptions, “but we’re always innovating on behalf of customers,” the spokesperson said, so this could be something the company plans to explore down the line.

via:  techcrunch

Danish Capital Area Bikes System Goes Down due to Hacking Attack

The computer system for the Danish capital area city bikes program went offline as a result of a malicious hacking attack.

On 5 May, the administrators of Bycyklen posted a statement informing the public of a hack that occurred sometime over the previous evening:

Everything was erased and our entire system went down as a result of the malicious action. Since the hacking, we have been working hard to solve the problem, but unfortunately, it’s not something we can fix with a snap of the fingers.

According to the program’s “How to” page, Bycyklen enables residents living in Copenhagen, Frederiksberg and surrounding areas to create an account online or on the Android tablet of one of the program’s 1,860 bikes. They can then authenticate themselves at a station with their username and PIN to rent a bike for an hourly fee. Once they’ve finished using the bike, members of the public must return it to an approved Bycyklen station.

Bycyklen issued two updates regarding the hacking attack on its Facebook page the following day. The first revealed that officials needed to go to the docking stations, manually update each affected bike and then charge them up before members could ride them again. The second urged users to report bikes not located in a docking station in exchange for one hour of free riding time.

After having the weekend to investigate the incident, Bycyklen confirmed in an update posted to its website that the hacking attack had not affected users’ data. Administrators of the program clarified this point by explaining that Bycyklen doesn’t store payment information and records only users’ email addresses, phone numbers and PIN codes, the last protected using “salted password hashing,” a password-storage technique which helps keep credentials secure even if the database is stolen.

Even so, Bycyklen is urging all users to update their PINs as soon as possible just to be safe.

All bikes operating under Bycyklen were back up and running on 9 May, according to a third announcement made on Facebook.

via:  tripwire

VERT Threat Alert: May 2018 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s May 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-777 on Wednesday, May 9th.

In-The-Wild & Disclosed CVEs

CVE-2018-8120

This privilege escalation vulnerability affecting Win32k could allow an attacker to execute code in kernel mode. According to Microsoft, the newest OS releases aren’t affected, but this is being actively exploited on Windows 7, Windows Server 2008 and Windows Server 2008 R2.

Microsoft has rated this as a 4 on the Exploitability Index (Not Affected) for the latest software release, and as a 0 (Exploitation Detected) for older software releases.

CVE-2018-8174

A memory corruption vulnerability in the VBScript engine could allow attackers to execute code in the context of the logged-in user. It can be triggered through Internet Explorer or through a Microsoft Office document that embeds the IE rendering engine, and Microsoft has reported active exploitation.

Microsoft has rated this as a 0 on the Exploitability Index (Exploitation Detected).

CVE-2018-8170

A privilege escalation vulnerability affecting Windows 10 versions 1703 and 1709 as well as Windows Server, version 1709 has been publicly disclosed. A malicious application could take advantage of a flaw in the way the Windows kernel image handles objects in memory in order to execute code with higher privileges.

Microsoft has rated this as a 1 on the Exploitability Index (Exploitation More Likely).

CVE-2018-8141

According to Microsoft, this vulnerability only impacts Windows 10 Version 1709 and Windows Server version 1709. It could lead to information disclosure. While this vulnerability alone will not allow for system compromise, it could provide useful information that would further enable compromise.

Microsoft has rated this as a 4 on the Exploitability Index (Not Affected) for the latest software release, and as a 2 (Exploitation Less Likely) for older software releases.
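The two-column Exploitability Index above is easy to misread: a “4 (Not Affected)” for the latest release says nothing about a fleet still running Windows 7 or Server 2008 R2. The following added example (not VERT’s or Microsoft’s code) maps the four CVEs called out in this alert onto a constructed host inventory and ranks hosts by the worst rating that actually applies to them. It assumes that the “latest software release” column in May 2018 meant the 1803 releases, that the affected-product sets are as described in the alert, and that CVE-2018-8174 applies to every product in the inventory since the alert lists no products for it; where the alert quotes a single rating it is used for both columns.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Microsoft Exploitability Index values (Security Update Guide semantics).
EXPLOITABILITY = {
    0: "Exploitation Detected",
    1: "Exploitation More Likely",
    2: "Exploitation Less Likely",
    3: "Exploitation Unlikely",
    4: "Not Affected",
}

# Assumption: in May 2018 the "latest software release" column meant the
# 1803 releases; every other product falls under "older software releases".
LATEST_RELEASES = frozenset({"Windows 10 1803", "Windows Server 1803"})


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    affected: FrozenSet[str]      # product names as used in the inventory below
    rating_latest: int            # Exploitability Index, latest software release
    rating_older: int             # Exploitability Index, older software releases
    publicly_disclosed: bool = False

    def rating_for(self, product: str) -> int:
        """Pick the index column that applies to a given product."""
        return self.rating_latest if product in LATEST_RELEASES else self.rating_older


ALL_PRODUCTS = frozenset({
    "Windows 7", "Windows Server 2008", "Windows Server 2008 R2",
    "Windows 10 1703", "Windows 10 1709", "Windows 10 1803",
    "Windows Server 1709", "Windows Server 1803",
})

# Constructed sample built from the four CVEs in this alert, with the ratings it quotes.
MAY_2018 = [
    Advisory("CVE-2018-8120", "Win32k elevation of privilege",
             frozenset({"Windows 7", "Windows Server 2008", "Windows Server 2008 R2"}),
             rating_latest=4, rating_older=0),
    Advisory("CVE-2018-8174", "VBScript engine remote code execution",
             ALL_PRODUCTS,  # assumed: the alert lists no affected products for this CVE
             rating_latest=0, rating_older=0),
    Advisory("CVE-2018-8170", "Windows kernel image elevation of privilege",
             frozenset({"Windows 10 1703", "Windows 10 1709", "Windows Server 1709"}),
             rating_latest=1, rating_older=1, publicly_disclosed=True),
    Advisory("CVE-2018-8141", "Windows kernel information disclosure",
             frozenset({"Windows 10 1709", "Windows Server 1709"}),
             rating_latest=4, rating_older=2),
]

# Constructed inventory: hostname -> product (hostnames are hypothetical).
FLEET = {
    "dc01": "Windows Server 2008 R2",
    "ws-legal-07": "Windows 7",
    "ws-eng-22": "Windows 10 1709",
    "ws-eng-31": "Windows 10 1803",
}


def exposure(product: str, advisories: List[Advisory]) -> List[Tuple[str, int]]:
    """CVEs that apply to a product, most urgent first (lower index number is worse)."""
    hits = [(a.cve, a.rating_for(product)) for a in advisories if product in a.affected]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def patch_order(fleet: Dict[str, str],
                advisories: List[Advisory]) -> List[Tuple[str, str, int, int]]:
    """Rank hosts as (host, worst_cve, worst_rating, applicable_cve_count).

    Worst rating first, then the host with more applicable CVEs; hosts with
    nothing applicable are omitted."""
    rows = []
    for host, product in fleet.items():
        hits = exposure(product, advisories)
        if hits:
            cve, rating = hits[0]
            rows.append((host, cve, rating, len(hits)))
    return sorted(rows, key=lambda r: (r[2], -r[3], r[0]))


def describe(rating: int) -> str:
    return f"{rating} ({EXPLOITABILITY[rating]})"


if __name__ == "__main__":
    for host, cve, rating, count in patch_order(FLEET, MAY_2018):
        print(f"{host:12} {cve}  {describe(rating)}  ({count} applicable)")
```

Run against the sample, every host lands at rating 0 because CVE-2018-8174 reaches all of them; the Windows 7 and Server 2008 R2 hosts additionally pick up the in-the-wild Win32k bug that the “4” in the latest-release column would otherwise hide.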

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.

[Image: per-tag CVE breakdown table, not reproduced here]

Other Information

In addition to the Microsoft vulnerabilities included in the May Security Guidance, a security advisory was also made available.

MAY 2018 ADOBE FLASH SECURITY UPDATE [ADV180007]

Microsoft released updates for Adobe Flash. These correspond with Adobe Update APSB18-16. This includes a fix for CVE-2018-4944.

via: tripwire

FBI Has Received Over Four Million Internet Crime Complaints Since 2000

The FBI has received a total of more than four million Internet crime complaints from users since the year 2000.

According to its Internet Crime Complaint Center (IC3) 2017 Internet Crime Report, the Bureau received its four millionth Internet crime complaint on 12 October 2017. Users submitted tens of thousands of additional reports in the first five months of 2018. As of 7 May 2018, this activity increased the total number of complaints collected by the IC3 since its founding in 2000 to 4,063,933 at an average of 284,000 per year or more than 800 per day.

2017 surpassed those averages. Over the course of the year, the FBI received 301,580 complaints. Reported losses stemming from those filings exceeded $1.4 billion.

[Image: 2017 Internet Crime Report, page 17]

Breaking down those figures, some crime types were more costly than others. Business email compromise (BEC) scams led the pack at $676,151,185, more than the next six crime types combined: confidence fraud/romance ($211,382,989), non-payment/non-delivery ($141,110,441), investment ($96,844,144), personal data breach ($77,134,865), identity theft ($66,815,298) and corporate data breach ($60,942,306).

Those crime types also varied in the number of victims they claimed. Non-payment/non-delivery, where goods are shipped but never paid for or payment is received but goods or services are never delivered, ranked on top at 84,079 victims. It was followed by personal data breach at 30,904 and phishing (including vishing, smishing and pharming) at 25,344.

The FBI received 90 percent more filings of tech support fraud in 2017 than it did the previous year. Over the same period, it received 1,783 complaints of ransomware, which was down from 2,673 in 2016.

The Bureau re-articulated its stance in the report that organizations should never fulfill ransomware attackers’ demands:

The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. Paying a ransom emboldens the adversary to target other organizations for profit, and provides for a lucrative environment for other criminals to become involved.

Given that perspective, users and organizations alike should instead take steps to prevent a ransomware infection as well as to detect BEC scams and other threats.

 

via:  tripwire