Vulnerability Archives - IT Security Guru
https://www.itsecurityguru.org/tag/vulnerability/
The Site for our Community

Fancy Bear Hackers rush to Exploit Flash bug
https://www.itsecurityguru.org/2017/10/20/fancy-bear-hackers-rush-exploit-flash-bug/
Fri, 20 Oct 2017 10:04:46 +0000
Russian hacking group Fancy Bear is rushing to exploit the recently disclosed Adobe Flash bug before patches are widely applied.
ORIGINAL SOURCE: IBTimes

Flaw in Virgin Media Super Hub leaves it open to attack
https://www.itsecurityguru.org/2017/06/12/flaw-virgin-media-super-hub-leaves-open-attack/
Mon, 12 Jun 2017 09:26:49 +0000
Researchers from Context Information Security have discovered a flaw in Virgin Media wireless home routers, allowing them to gain unauthorised administrative-level access to the devices. After reverse engineering software from the Super Hub 2 and Super Hub 2AC, manufactured by Netgear, Context’s Jan Mitchell and Andy Monaghan discovered vulnerabilities in a feature allowing users to create backups of their custom configurations – such as port forwarding and dynamic DNS settings – which could be restored at a later date.
While configuration backups were encrypted, the researchers found that the private encryption key was the same across all hubs in the UK. This meant that an attacker with access to the administrative interface of a user’s hub could download a configuration file, add additional instructions to enable remote access and restore the file to the hub. Once this process was completed, the attacker could access the device remotely and monitor all internet traffic to and from devices connected to that home network such as PCs, phones and tablets.
Andy Monaghan, a principal security researcher at Context said, “The Super Hub represents the default home router offering from one of the UK’s largest ISPs and is therefore present in millions of UK households, making it a prime target for attackers. While ISP-provided routers like this are generally subject to more security testing than a typical off-the-shelf home router, our research shows that a determined attacker can find flaws such as this using inexpensive equipment.”
Upon discovering the flaw, following several weeks of research, Context immediately notified Virgin Media. After working with Context and Netgear to verify and fix the vulnerability, Virgin Media rolled out a patch at the end of last month (May 2017).
“ISPs will always be at the mercy of their hardware suppliers to some extent,” said Jan Mitchell, a senior researcher at Context. “Recent press coverage of attacks such as the Mirai worm highlights the importance to vendors of carrying out independent security testing of their products to reduce the likelihood of exploitation in production devices. Thankfully, Virgin Media was quick to respond to Context’s findings and start the remediation process.”
A detailed description of the vulnerability has been published today at: https://www.contextis.com/resources/blog/hacking-virgin-media-super-hub/

In-app security will play a key role in thwarting Cloak & Dagger vulnerability, says Promon
https://www.itsecurityguru.org/2017/05/30/app-security-will-play-key-role-thwarting-cloak-dagger-vulnerability-says-promon/
Tue, 30 May 2017 09:40:10 +0000
The recent discovery of the Cloak & Dagger attack vector, which can steal personal information by mimicking the activities of apps, is indicative of the new level of sophistication that Android-targeted malware has reached. To increase the chances of defeating attacks of this nature, in-app security needs to move to the top of the agenda for any app-focused business. This is according to app security specialist Promon.
According to researchers at the Georgia Institute of Technology, Cloak & Dagger works by using Android’s design and screen behaviours against users, hiding activities such as keystroke recording, stealthy phishing and the enabling of app permissions behind seemingly innocuous screens. To combat such a dangerous strain of malware that can be so hard to detect, Promon believes that apps have a greater need than ever to be proactively protected, both during runtime and when they are idle.
Tom Lysemose Hansen, founder and CTO at Promon, said: “Cloak & Dagger is a particularly nasty example of Android malware, given its level of sophistication in being able to effectively steal information in a way that can be very difficult for users to notice. Due to its nature, it’s also likely to inspire copycat versions, so it certainly shouldn’t be treated as an isolated case.
“While it is possible to disable the exploit by turning off the ‘draw on top’ permission in a device’s settings, the stealthy nature of Cloak & Dagger makes fast, definitive action on the part of users unlikely. Instead, app developers need to think about what they themselves can do to guard against such a threat.”
Hansen believes that runtime application self-protection (RASP) software can be particularly useful in fighting malware of this nature.
He added: “RASP software is advantageous because it proactively detects and eliminates threats while an app is running. Malware such as Cloak & Dagger works by monitoring someone’s activity while they are using an app, so it is crucial that app protection is able to thwart attacks at this point.”
With the General Data Protection Regulation (GDPR) now less than a year away from implementation, Hansen also thinks that Cloak & Dagger should shine a spotlight on the urgent need for businesses to secure their mobile apps before GDPR comes into force.
He concluded: “Mobile threats are only going to increase in sophistication. At the same time, the stipulations of GDPR mean the financial penalties for experiencing a data breach will be particularly severe. The time to act is now, while the malware threat level is high, and there is still some time left to prepare for GDPR’s arrival.”

Apple Patches Tens of Vulnerabilities in iOS, OS X
https://www.itsecurityguru.org/2016/07/19/apple-patches-tens-of-vulnerabilities-in-ios-os-x/
Tue, 19 Jul 2016 15:23:39 +0000
OS X El Capitan 10.11.6 fixes a total of 60 security bugs affecting components such as audio, CFNetwork, CoreGraphics, FaceTime, graphics drivers, ImageIO, the kernel, the login window, OpenSSL, QuickTime, sandbox profiles, and the libxml2 and libxslt libraries.
The CFNetwork vulnerability, tracked as CVE-2016-4645, was reported to Apple by Abhinav Bansal of Zscaler. The security firm published a blog post on Monday to describe the flaw that allows unprivileged applications to access cookies stored in the Safari browser.
“This access could result in a malicious application lifting all the persistent cookies for a given user and accessing sites posing as that user,” Zscaler said. “In the case of email, it could result in a malicious application getting access to all your email. Worse, it could gain access to a site that stores more personal and confidential information about you.”
 
Original Source: Security Week

US gov vulnerability disclosure requires oversight, says new report
https://www.itsecurityguru.org/2016/06/21/us-gov-vulnerability-disclosure-requires-oversight-says-new-report/
Tue, 21 Jun 2016 09:57:42 +0000
The US government should overhaul its policies on vulnerability disclosure, according to a new report. Authored by Ari Schwartz and Rob Knake, the paper seeks to cut a middle ground between those who say that the government has the right to collect and exploit vulnerabilities and those, like Bruce Schneier, who say it does not.
It takes specific aim at the US government’s disclosure mechanism.
 
Original Source: SC Magazine

CVE-2016-4171 – Another Flash Zero-Day exploited in targeted attacks
https://www.itsecurityguru.org/2016/06/15/cve-2016-4171-another-flash-zero-day-exploited-in-targeted-attacks/
Wed, 15 Jun 2016 09:44:35 +0000
Once again Adobe Flash Player is the target of hackers in the wild. Adobe has released security updates for several of its products, announcing that the fix for a critical Flash Player zero-day vulnerability (CVE-2016-4171) exploited in targeted attacks will only be issued later this week.
A security fix for the vulnerability is expected to become available starting from June 16.
The security vulnerability was reported by Anton Ivanov from Kaspersky, who explained that the flaw could be exploited by hackers to gain complete control of vulnerable systems.
The Flash Player flaw CVE-2016-4171 affects versions 21.0.0.242 and earlier for Windows, Mac, Linux and Chrome OS.
 
Original Source: Security Affairs

WordPress plugin with 10,000+ installations being exploited in the wild
https://www.itsecurityguru.org/2016/06/03/wordpress-plugin-with-10000-installations-being-exploited-in-the-wild/
Fri, 03 Jun 2016 12:24:25 +0000
A growing number of WordPress websites have been infected by attackers exploiting a vulnerability that remains unpatched in a widely used plugin called WP Mobile Detector, security researchers warned.
The attacks have been under way since last Friday and are mainly being used to install porn-related spamming scripts, according to a blog post published Thursday. The underlying vulnerability in WP Mobile Detector came to light on Tuesday in this post. The plugin has since been removed from the official WordPress plugin directory. As of Wednesday, the plugin reportedly had more than 10,000 active installations, and it appears many remained active at the time this post was being prepared.
 
Original Source: Arstechnica

Five most common myths about Web security
https://www.itsecurityguru.org/2016/05/24/five-most-common-myths-about-web-security/
Tue, 24 May 2016 11:02:58 +0000
Chasing trendy APTs, we tend to forget the common-sense approach and holistic risk assessment.

Almost 3 terabytes of data stolen in the Panama Gate scandal will shortly become searchable online. Mossack Fonseca, the breached legal firm behind one of the largest data leaks in history, had numerous high-risk vulnerabilities in its front-end web applications, including its Client Information Portal. In practice, few hacking groups would spend money on expensive zero-days and complicated APTs when the information can be easily stolen via insecure web applications. Moreover, even if your corporate website doesn’t contain a single byte of sensitive data, it’s still a perfect foothold for getting into your corporate network.
Today many people, including cybersecurity professionals, underestimate the importance of web application security, focusing instead on APT detection, enterprise immune systems and other activities that apply when it’s already “too late” to prevent the breach. A common-sense approach suggests that before installing expensive anti-burglar equipment and an alarm in a house, the owner should first close the doors and windows and probably build a fence around it; otherwise they are throwing money down the drain. Let’s have a look at the five most common myths about web application security that exist today, leading to sensational data breaches, huge financial losses and CISO dismissals:
Protection of corporate crown jewels is more important than web apps
No, you cannot secure one part of your network and ignore another. Information security must be comprehensive and holistic: you must analyze all threats, vulnerabilities and thus attack vectors in their entirety. Today, no cybercriminals will try to steal your crown jewels directly, wherever they are [securely] stored.
Breaking in via your web applications, paired with spear phishing, will probably be one of the cheapest, most reliable and quietest ways to get into your corporate network and bypass your defense-in-depth. When you perform a risk assessment, think like a professional cybercriminal: keep the costs and time spent [on the attack] as low as possible. When you are mapping attack vectors and vulnerabilities, the more external people that can join your brainstorming session, including law enforcement agencies and victims of data breaches from your industry, the better.
My web applications are secure – I am PCI compliant
No, even if you have successfully passed your last PCI DSS compliance audit, it can never replace a holistic risk assessment and a common-sense approach to security. Even though PCI DSS 3.2 now requires multi-factor authentication to access the Cardholder Data Environment (CDE), that does not mean that only the web applications within the CDE scope need to be properly protected. A vulnerable subdomain, spear phishing and a $10,000 exploit pack can lead to the compromise of your technical team’s machines, opening any doors inside your company network, including the CDE scope (if the victim’s machine is backdoored, even 2FA can be easily intercepted and compromised).
Automated vulnerability scanning is sufficient
No, unlike SSL testing for example, fully automated vulnerability scanning is not enough for modern web applications. Recent research from NCC group compared various vulnerability scanners, and even the best of them had about 50 percent false positives. Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory confirmed that neither humans nor Artificial Intelligence has proven successful at maintaining cybersecurity on their own, and proposed a combination of human and machine to achieve the highest results. This is why the leading cybersecurity companies that used to rely on automation now partner with companies that develop hybrid vulnerability detection technologies. Yes, you should automate as much as you can, but you cannot automate everything.
Penetration testing is the ultimate way to test web security
No, because penetration testing is not scalable and cannot be used in a 24/7 continuous mode. Even if you can afford monthly penetration testing, nobody can guarantee that within the 30-day period no zero-days will go public, or your web developers will not make a dangerous error in the code.
Penetration testing can perfectly complement your continuous monitoring, but it can never replace it. This is why MIT folks say that the future belongs to hybrid systems that combine 24/7 continuous monitoring leveraging machine-learning, but supervised and managed by humans.
WAF can reliably protect web infrastructure
No, although it is a must-have technology for preventing simple and automated attacks, a WAF cannot prevent exploitation of all vulnerabilities. Application logic, access control, chained vulnerabilities, authentication and data encryption issues are not vulnerabilities your WAF can reliably detect and prevent.
High-Tech Bridge performed detailed research on ModSecurity WAF to demonstrate that some complicated flaws, such as Improper Access Control and CSRF, can be patched via WAF; however, it takes so much time and manual effort that it doesn’t make sense to use a WAF for this purpose. Otherwise, in the epoch of agile and JIT software development, you always have to choose: either your WAF will block some legitimate customers and you will lose money, or it will overlook some attacks, allowing hackers to get in. And yes, currently fashionable RASP solutions have similar and even worse problems than WAFs.
Yan Borboën, partner at PwC Switzerland, MSc, CISA, CRISC, comments: “Cyber defense is not only a technological problem which needs to be solved by CISO. All companies’ stakeholders (Board of Directors, C-Levels) must be involved in the cyber defense in order to obtain the right mix between technologies, processes, and people measures. Moreover, in our PwC’s Global Economic Crime survey 2016, we noted that 63% of respondents do not have a fully operational incident response plan, even though we all know that in today’s business landscape, information security incidents are a question of “when”, not “if”. This would be also a myth that I would recommend companies to tackle. Incidents will happen at your company, so be prepared.”
The five myths above are busted with a common-sense approach and pragmatic technical analysis. Remember them when building your corporate cybersecurity strategy and you will avoid numerous pitfalls and problems later.
You can find out more about High-Tech Bridge’s findings on this topic here

Uh-oh! Critical vulnerability in Symantec’s core scan engine – industry reaction
https://www.itsecurityguru.org/2016/05/18/uh-oh-critical-vulnerability-in-symantecs-core-scan-engine-industry-reaction/
Wed, 18 May 2016 11:45:57 +0000
Symantec’s core scan engine has a critical vulnerability which lets attackers remotely execute code on a victim’s machine just by sending them an email or a link. The victim doesn’t even need to open it. It just has to be scanned by the AV program. The scan engine uses a filter driver to intercept I/O operations at the kernel level. In its advisory, Symantec acknowledged the existence of the flaw. It said it had been notified of a critical issue in the AVE scan engine when parsing incoming malformed portable-executable (PE) header files.
“Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site. No user interaction is required to trigger the parsing of the malformed file,” the advisory read.
The Guru asked several security experts what they thought of this vulnerability.
Adam Vincent, CEO, ThreatConnect Inc:
“I don’t think anyone in the cybersecurity industry believes there is such a thing as a 100% hardened system, no matter how big your organisation or how talented. So, finding a vulnerability shouldn’t be news. In this case unfortunately, this is the Godzilla of vulnerabilities – making all the others seem small and insignificant.
Symantec moved quickly when this was discovered. We applaud their speed of communication and response. Instead of picking apart one particular vulnerability, we should understand the risk that comes from a vulnerability of this magnitude and admitting there are gaps in our security which allow vulnerabilities – whether Godzilla-sized or seemingly innocuous – to be exploited. The speed at which technology is evolving and the complexity of how to respond creates holes that allow attackers to get a foothold into your business.
We work with organisations of all sizes across different verticals, and we see the top performers addressing the same issue – the fragmentation of their security. They look not to just patch the latest vulnerability, but rather find ways to connect individuals across their organisation – from their GRC team and their IR team, to their supply chain partners and peers in their industry – to benefit from one another’s knowledge. Then, they use the intelligence derived from that collaboration to take it a step further through integration of their many tools. And, all of that leads to rapid detection and response which addresses the next vulnerability or threat found in a systematic, process-driven manner.
Gartner is predicting that by 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches. We should all be asking ourselves if we are making those investments now to close the gaps in our security and get ahead of the threats we face.”
Fraser Kyne, regional SE director at Bromium:
“The fact that AV isn’t enough to protect from modern threats has been accepted in the industry for a long time – even by the AV vendors themselves. However, the realisation that security software itself can actually introduce new vulnerabilities will be a shock to many. There is a simple rule: more code equals more vulnerabilities. When you install software, you add to the attack surface of the machine. AV is no exception. Add to this that malware detection rates are terrible, and that detection in concept is largely useless for polymorphic, targeted, 0-day malware, and it starts to question the use of AV at all. We have to reduce the attack surface of our systems and effectively isolate dangerous activity away from our important business processes. The concept that we have a trusted system that is also being used to browse the Internet and open emails forces us to take this seriously – or face the consequences. Common wisdom is to apply a layered approach of defence-in-depth. But if you do this without layers of separation/isolation and rely on detection at each layer, then you’re kidding yourself and wasting your money. Tools like microvirtualization must be considered in order to fill the gaps.”
Aftab Afzal, SVP & GM EMEA at NSFOCUS IB:
“This is a very unfortunate incident for Symantec, however no security solution is infallible, so that’s why defence in depth with multilayered controls is always the recommended approach. Attack vectors continue to evolve, and this is clearly not the first time we have seen antivirus being reverse engineered. The endpoint is last in the line, therefore putting in place cloud, perimeter or sandbox environments will limit the impact. Using the latest vulnerability & threat intelligence, whilst working with a diverse range of vendors, can reduce the risk. Smart vendor selection will meet most all budgets.”
Federico de la Mora, VP EMEA at Lastline:
“Antivirus tools offer limited benefits, if any. The email service supplier or a signature-based email gateway are likely to stop almost all the known viruses or Malware before it reaches the email client. However, signature based AV is likely to miss most zero-days and targeted attacks hiding within email attachments and URL links. Ironically, web browsers are another door for Malware to enter the organisation. However, modern browsers are very capable at blocking Web sites based on a black list for instance to warn users when accessing Web sites used for phishing attacks. Based on my conversations with some customers, there is some frustration within the end user community about the limitations of signature based solutions and the need for automated detection and protection against zero-day and targeted attacks.”

Nuix: Cybersecurity Industry “Fighting the Wrong Battle for 20 Years”
https://www.itsecurityguru.org/2016/04/13/nuix-cybersecurity-industry-fighting-wrong-battle-20-years/
Wed, 13 Apr 2016 11:19:13 +0000
Chris Pogue of Nuix has penned a whitepaper that argues that the security industry has been “fighting the wrong battle” using the wrong tools for 20 years. He cites the human vulnerability as the factor behind this assertion.
“In the more than 2,500 data breaches I have investigated, I can count exactly zero that were caused by non-human-initiated system failure—like it or not, people are the problem,” said Pogue, Nuix’s Senior Vice President, Cyber Threat Analysis.
The white paper examines five cognitive biases—“bugs in our brain software”—that cause people to make poor decisions. It examines how other industries have learned to deal with these biases by concentrating on changing human behavior, and applies these lessons to the fight against cybercrime.
The abstract for the whitepaper reads: “Over the past 20 years, organizations have expended billions of dollars’ worth of time, energy, and intellectual property pursuing the elusive “next big thing” in cybersecurity. At countless security conferences around the world, vendors have touted their technological achievements and proposed their solutions to scores of hopeful attendees. Despite the collaborative efforts of the entire cyber-industrial machine, very little progress has been made. In fact, by all accounts, the threat landscape has actually gotten worse.”
Effectively, it argues that humans are the root cause of all the flaws and attacks that have led to data being compromised, services being brought down and people in general being duped by cyber criminals. Is this why we’re still seeing huge breaches take place on a regular basis? Read the full whitepaper and decide for yourself.
