Posts

5 tips for better cloud security

This blog post is a summary of this weeks Information Security News put together by our Security Incident Response Team (SIRT). Read more

BF-SIRT Newsletter 2018-02

Microsoft released patches for Meltdown and Spectre, but it’s important to update ones antivirus before applying the patches.

Latest WebLogic exploit caused an increase in compromised hosts being used for mining Cryptocurrencies.

F-Secure finds a new Intel AMT Security Issue which gives hackers with physical access full control of laptops in 30 seconds.

Top 5 Security Links
Police give out infected USBs as prizes in cybersecurity quiz
Wi-Fi Alliance launches WPA3 protocol with new security features
Mining or Nothing!
Anti-Virus updates required ahead of Microsoft’s Meltdown, Spectre patches
New Intel AMT Security Issue Lets Hackers Gain Full Control of Laptops in 30 Seconds

Blocking cyber attacks; Why you should understand adversary playbooks

This blog post is a summary of this weeks Information Security News put together by our Security Incident Response Team (SIRT).

It’s time to get off the treadmill: Why you should understand adversary playbooks

“Flipping the equation on known adversaries by developing and deploying controls at locations on the intrusion kill chain designed specifically for these known playbooks will increase a company’s ability to block an attack. The cybersecurity industry must collaborate to identify all know adversary playbooks and share this knowledge with each other and the public.”

Read more..

 

Top 5 Security links

Security is Not a One-Person Job

Security is not a one-person job. It can’t be accomplished with one person, it can’t be accomplished with one company.

“Security is not a one-person job. It can’t be accomplished with one person, it can’t be accomplished with one company,” says Walls. “So we need partners, and we need friends in the industry to work together.” No statement could better summarize what building a culture of security looks like. Learn more about how Walls and Prime Therapeutics implemented DLP to protect highly sensitive data for millions of people.

Read more..

 

Top 5 Security links

 

BF-SIRT Newsletter 2018-32

A new method has been found to make cracking WPA/WPA2 easier

The makers of Hashcat found a simpler way to gather the Pairwise Master Key Identifier (PMKID) from WPA/WPA2-secured wifi network. Before this method was discovered an attacker would have to wait for a user to authenticate, and then steal the 4-way handshake of the user. This new method is a “client-less attack”, meaning it can gather all the information needed without anyone using the network. This can significantly speed up the process of obtaining the PMKID.

The good news is that the passwords still needs to be cracked by brute force or dictionary attack, so if you are using a secure password this is still a non-trivial process. It also only works on Pre-Shared Key (PSK), meaning using other authentication methods should be safe.

Top 5 Security links

 

BF-SIRT Newsletter 2018-31

Huge Cryptomining Attack on ISP-Grade Routers Spreads Globally

Carrier-grade MikroTik routers are delivering potentially millions of daily cryptomining pages to the attacker.

A massive hacking campaign has been uncovered, compromising tens of thousands of MikroTik routers to embed Coinhive scripts in websites using a known vulnerability.

So far, Censys.io has reported more than 170,000 active MikroTik devices infected with the CoinHive site-key used in this campaign (the site-key is the same across infections, indicating a single entity behind the attacks). The campaign is mainly targeting Brazil – but infections are growing internationally, according to Trustwave’s Secure Web Gateway (SWG) team, indicating much larger ambitions.

“This is a warning call and reminder to everyone who has a MikroTik device to patch as soon as possible,” Trustwave researcher Simon Kenin wrote a posting today. “This attack may currently be prevalent in Brazil, but during the final stages of writing this blog, I also noticed other geo-locations being affected as well, so I believe this attack is intended to be on a global scale.”

 

Top 5 Security Links

How to defend yourself against SamSam ransomware

Backdoors keep appearing in Cisco’s routers

Reddit breach highlights limits of sms-based authentication

Attacks on industrial enterprises using RMS and Teamviewer

Amnesty International targeted by Nation-state spyware

San Francisco Airport (SFO) at night

BF-SIRT Newsletter 2018-16

State-Sponsored Cyber Actors do State-Sponsored Cyber Actor stuff

US-CERT published a joint Technical Alert (TA) resulting from efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC) providing information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. And they provide some nice concrete information that can be reacted to. The fact that this happens is not new, and there is no reason to think Russia is the only ones who does this, they are not doing anything spectacular or fancy either. Check for the indicators provided, keep calm and carry on.

 

In a separate note, Oracle announces 250 security fixes in quarterly patch update, Cisco published important and critical security advisories for Firepower, ASA and WebEx.

 

Top 5 Security links
RSA 2018 Keynote – The Five Most Dangerous New Attack Techniques
PCI Council Releases Guidelines for Cloud Compliance
Hacking charge for URL-manipulation in Canada
Drupalgeddon 2 Vulnerability Used to Infect Servers With Backdoors & Coinminers
Tech Firms Sign ‘Digital Geneva Accord’ Not to Aid Governments in Cyberwar

 

(Blogpost image by Andrew Choy from Santa Clara, California, “San Francisco International Airport at night“, Creative Commons Attribution-Share Alike)

BF-SIRT Newsletter 2018-15

Facebook

On Tuesday and Wednesday this week, Mark Zuckerberg took part of congressional hearings regarding Cambridge Analytica and privacy concerns regarding Facebook. There are multiple news outlets covering the story, and KrebsonSecurity also wrote an article about how one should not trust these type of quizzes and such may receive data about you and your friends when you do them (which is how Cambridge Analytica got a hold of information about more than 50 million users when they approved access to the app “This is your digital life”).

Facebook has since added a website that allows you to check if your information was leaked or not, and they have also added additional privacy information on what type of data you have uploaded to Facebook with regards to Contacts, Call and Text history if you allowed Messenger or Facebook on your mobile to do so.

Facebook has also updated their bug bounty program and now offers a $40,000 bounty if you find evidence of Data Leaks.a

 

Top 5 Security links
Finland hit by a data breach affecting over 130,000 users
Drupal CVE-2018-7600 PoC is Public
Outlook bug allowed hackers to use .rtf files to steal windows passwords
Your Windows PC can get hacked by simply visiting a website if you don’t update
PowerHammer lets hackers steal data from air-gapped computers through power lines

 

BF-SIRT Newsletter 2018-14

Intel tells remote keyboard users to delete app after critical bug found.

On Tuesday, Intel warned of a critical escalation of privilege vulnerability (CVE-2018-3641) in all versions of the Intel Remote Keyboard that allows a network attacker to inject keystrokes as if they were a local user.

The vulnerability received a Common Vulnerabilities and Exposure (CVE) score of 9.0 out of 10.

As part of the same advisory, Intel shared two additional Remote Keyboard vulnerabilities, both rated high. The bugs (CVE-2018-3645 and CVE-2018-3638) allow an “authorized local attacker to execute arbitrary code as a privileged user” and had CVE scores of 8.8 and 7.2, according to Intel.

An Intel spokesperson told Threatpost the product had already been scheduled for discontinuation, and the discontinuation is not related to the security advisory. Despite being discontinued, Intel still maintains a Remote Keyboard product page for the app and it is still available for download via Apple’s App Store and Google Play. According to Google Play, the app has been installed over 500,000 times.

 

Top 5 Security links
https://blog.cloudflare.com/announcing-1111/
https://www.elastic.co/blog/gdpr-personal-data-pseudonymization-part-1
https://krebsonsecurity.com/2018/04/secret-service-warns-of-chip-card-scheme/
https://blog.infostruction.com/2018/04/02/feodo-banking-trojan-dropper-analysis/
https://www.commondreams.org/news/2018/04/05/not-50-million-not-87-million-facebook-admits-data-most-its-2-billion-users

 

BF-SIRT Newsletter 2018-12

Bitcoins blockchain poisoned

Researchers from the RWTH Aachen University and Goethe University, Germany, have uncovered images and links to child pornography in cryptocurrency Bitcoin’s blockchain. The analysis found that certain content, such as illegal pornography, would render the mere possession of a blockchain illegal, with data distributed to all Bitcoin participants.

Version 7 of CIS Controls released

“CIS Controls Version 7” was released Monday by the Center for Internet Security, including steps for mapping the well-known “high-priority short list” of defensive actions to the National Institute of Standards and Technology’s framework of cybersecurity standards.

 

Top 5 Security links
Pirate Websites Expose Users to More Malware, Study Finds
AMD Will Release the Patches for the Recently Discovered Flaws Very Soon
Dragonfly Compromises Core Router to Attack Critical Infrastructure
Firefox Master Password System Has Been Poorly Secured for the Past 9 Years
EXCLUSIVE: ‘Lone DNC Hacker’ Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer

 

 

(Blogpost image by Stefan Krause, “Glühlampe explodiert“, Free Art License)