LAS VEGAS – Insider threats are an ongoing top danger for companies — but when it comes to mitigation efforts, incident-response teams face an array of challenges. Discussions with various incident-response teams revealed that between 25 and 30 percent of data breaches involved an external actor working with an internal person in an organization, according to Paul Shomo, senior security architect with OpenText. “We used to focus on external threat actors, but now, when compromising the network, many have someone on the inside, whether it’s because they bribed them or blackmailed them,” Shomo said, speaking at ENFUSE 2019 on Tuesday in Las Vegas. Insider threats continue to be a security thorn in companies’ sides: Just last week, the Department of Justice (DoJ) charged two former Twitter employees for allegedly accessing thousands of accounts on behalf of Saudi Arabia; also last week, Trend Micro said that a rogue employee sold the data of 68,000 customers to a malicious third party, who then used that data to target customers with scam calls. Mitigation Challenges Brian Coleman, director of forensic analysis and investigations at pharmaceutical giant Pfizer, said at ENFUSE that he faces the insider threat challenge daily when managing Pfizer’s almost 250,000 endpoints to monitor suspicious network activity and root out any potential insider threats. There are various methods of detection when it comes to insider threats, he said – including monitoring the log data of…

Source

Microsoft today released updates to plug security holes in its software, including patches to fix at least 74 weaknesses in various flavors of Windows and programs that run on top of it. The November updates include patches for a zero-day flaw in Internet Explorer that is currently being exploited in the wild, as well as a sneaky bug in certain versions of Office for Mac that bypasses security protections and was detailed publicly prior to today's patches. More than a dozen of the flaws tackled in this month's release are rated "critical," meaning they involve weaknesses that could be exploited to install malware without any action on the part of the user, except for perhaps browsing to a hacked or malicious Web site or opening a booby-trapped file attachment. Perhaps the most concerning of those critical holes is a zero-day flaw in Internet ~~Exploder~~ Explorer (CVE-2019-1429) that has already seen active exploitation. Today's updates also address two other critical vulnerabilities in the same Windows component that handles various scripting languages. Microsoft also fixed a flaw in Microsoft Office for Mac (CVE-2019-1457) that could allow attackers to bypass security protections in some versions of the program that could let malicious macros through. Macros are bits of computer code that can be embedded into Office files, and malicious macros are frequently used by malware purveyors to compromise Windows systems. Usually, this takes the form of a prompt urging the user…

Source

A critical bug in a Microsoft scripting engine, under active attack, has been patched as part of Microsoft’s Patch Tuesday security roundup. The vulnerability exists in Internet Explorer and allows an attacker to execute rogue code if a victim is coaxed into visiting a malicious web page, or if they are tricked into opening a specially crafted Office document. “An attacker who successfully exploits the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker…could take control of an affected system,” Microsoft wrote in its advisory. Under an Office document attack scenario, Microsoft said an adversary might embed an ActiveX control marked “safe for initialization” in an Office document. If initialized, the malicious document could then be directed to a rogue website, booby-trapped with specially crafted content that could exploit the vulnerability. The bug (CVE-2019-1429), first identified by Google Project Zero, is believed to be actively exploited in the wild, according to the computing giant. November Patch Tuesday Tackles Additional Critical and Important Bugs In total, Microsoft issued 75 CVEs – 11 critical and 64 important. The 10 additional critical bugs include CVE-2019-1457, an Excel security feature bypass which was publicly disclosed at the end of October and exploited as a zero-day. “[This] is a security feature bypass in Microsoft Office for Mac due to improper enforcement…

Source

More often than not, when the internet of things (IoT) is brought up these days, it conjures images of Alexa, Siri and Cortana – personal assistants that can help users turn on a smart light bulb, flick on the oven and get you the day’s news, all in one fell swoop. However, IoT has evolved far beyond consumer-fronted devices in 2019. Increasingly, manufacturers are deploying IoT technology to better facilitate automation and help increase productivity. Car manufacturers, railways and even companies in the food and beverage space are using families of networked sensors, actuators and other devices to collect production data and feed it to the cloud to gather further insight into their system’s efficiency. For factories, Industrial IoT (IIoT) is becoming more and more embedded in ecosystems, thanks to advances in automation, big data analytics and a decrease in the cost of hardware. According to a recent market study by IoT Analytics, global spending on IIoT platforms for the manufacturing industry is predicted to grow from $1.67 billion in 2018 to $12.44 billion in 2024, with 43 percent of businesses using the technology for general process-optimization, and 41 percent for visualization. Companies like Emerson, which specializes in automation solutions, have already helped companies deploy IIoT solutions to boost their efficiency. In one scenario, it recently set up an IIoT edge computing gateway at a manufacturer. The gateway uses sensor data to judge how fast shock…

Source

A critical security bug in the Intel Converged Security and Manageability Engine (CSME) could allow escalation of privilege, denial of service or information disclosure. The details are included in a bug advisory that in total covers 77 vulnerabilities, 67 of which were found by internal Intel staff. The silicon giant has rolled out firmware updates and software patches to address these, which range in severity from the one critical flaw to a low-severity local privilege-escalation issue. The affected products are: Intel CSME, Intel Server Platform Services (SPS), Intel Trusted Execution Engine (TXE), Intel Active Management Technology (AMT), Intel Platform Trust Technology (PTT) and Intel Dynamic Application Loader (DAL). The critical flaw is a heap overflow bug with a score of 9.6 out of 10 on the CVSS v.3 severity scale (CVE-2019-0169). It exists in the subsystem in the Intel CSME, which is a standalone chip on Intel CPUs that is used for remote management. The vulnerability could allow an unauthenticated user to enable escalation of privileges, information disclosure or denial of service via adjacent access. “Adjacent access” means that an attack must be launched from the same shared physical network or local IP subnet, or from within the same secure VPN or administrative network zone. As for the other bugs, there’s also a cross-site scripting (XSS) flaw rated as important (CVE-2019-11132). It exists in the subsystem of the Intel AMT and could allow a privileged…

Source

The popular e-commerce platform Magento is urging web administrators to install its latest security update in order to defend against malicious attacks in the wild that could exploit a critical remote code-execution vulnerability. While the company didn’t specify what kinds of potential attacks websites should be concerned about (Threatpost reached out for comment on this), Magento is a common target for the Magecart association of threat groups, which compromise websites built on unpatched e-commerce platforms in order to inject card-skimming scripts on checkout pages. The scripts steal unsuspecting customers’ payment card details and other information entered into the fields on the page. The vulnerability (CVE-2019-8144), which carries a severity ranking of 10 out of 10 on the CVSS v.3 scale, could enable an unauthenticated user to insert a malicious payload into a merchant’s site through Page Builder template methods, and execute it. Page Builder allows websites to design content updates, preview them live and schedule them to be published. The bug specifically exists in the preview function. The flaw affects Magento 2.3, and was patched in Magento Commerce 2.3.3 and with the security-only patch 2.3.2-p2, released in October. The company warned that patching will have the side effect of “blocking administrators from viewing previews for products, blocks and dynamic blocks”; but, it said it will re-enable the preview functionality as soon as possible. “We…

Source

Adobe Systems is warning Illustrator 2019 users that two critical memory-corruption vulnerabilities could allow an attacker to remotely connect to a Windows machine, execute code and gain control of the targeted system. The creative-suite behemoth also warned Tuesday, as part of its regular monthly patch advisories, that the Windows and macOS versions of its Adobe Media Encoder also have a critical vulnerability tied to an out-of-bounds write flaw. Adobe said none of the critical bugs, nor an additional eight vulnerabilities rated important and identified Tuesday, have been exploited in the wild. Adobe Illustrator 2019 Three security updates available for Adobe Illustrator 2019 affect Windows versions 23.1 and earlier. The most serious of the bugs (CVE-2019-8247, CVE-2019-8248) are both remote code execution flaws. Adobe did not go into technical detail on either bug. Mitigation includes updating to the latest version (24.0) of the software, according to the bulletin. Like both critical bugs, the additional important Illustrator vulnerability (CVE-2019-7962) is also found in the Windows 23.1 and earlier versions of the software. Kushal Arvind Shah of Fortinet’s FortiGuard Labs is credited with finding both critical bugs. Adobe Media Encoder The free application Adobe Media Encoder, used with Adobe Premiere Pro and Adobe After Effects to transcode video suitable for the web, also received a critical fix (CVE-2019-8246). Affected was the 13.1 version of the software…

Source

Microsoft is extending a California law aimed at protecting users’ privacy to all of its users in the United States, an unexpected move supporting tougher requirements to disclose exactly how the company uses the consumer data it collects. The California Consumer Privacy Act, known as CCPA, is scheduled to go into effect on Jan. 1. It demands more transparency from companies about how user data is being used and disseminated and requires them to give consumers a way to opt out of these actions. In a blog post about the move, Julie Brill, Microsoft’s chief privacy officer, praised the law and the “robust control” it gives people over their data. “We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents,” she wrote in the blog post. “Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual.” Though the specifics of CCPA and how companies must comply are still being ironed out, Brill said Microsoft will stay up to date on these policies and ensure it is compliant with them regarding all of its users when the law goes into effect. “Microsoft will continue to monitor those changes, and make the adjustments needed to provide effective transparency and control under CCPA to all people in the U.S.,” she wrote. The company also will work with its enterprise customers to help them comply with CCPA and…

Source

The last 30 days have seen a renewed increase in distributed denial-of-service (DDoS) activity, according to researchers, who said that they have observed a number of criminal campaigns mounting TCP reflection DDoS attacks against corporations. Researchers at Radware said that the list of victims includes a number of large companies, including Amazon, IBM subsidiary SoftLayer, Eurobet Italia SRL, Korea Telecom, HZ Hosting and SK Broadband. The first major event in October took the Eurobet network down. Eurobet, an online sports gambling website, suffered a campaign that persisted for days and impacted several other betting networks, according to Radware. Then, later in October, amid a flurry of DDoS attacks targeting companies in nearly every vertical around the world, the firm identified another large-scale multi-vector campaign targeting the financial and telecommunication industry in Italy, South Korea and Turkey. “This attack was noticed by the security community due to the reflective nature of one of the attack vectors,” the researchers noted. “In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of [the infrastructure of Turkish provider] Garanti Bilisim Teknolojisi ve Ticaret TR.A.S. were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.” The activity is a continuation of an uptick in attackers leveraging TCP reflection attacks that began in 2018, according to the firm. These tend…

Source

Much has been made of the fallout that companies face after a data breach. But for public companies, shaken investor confidence adds a whole new dimension to recovery concerns. A recent study from Comparitech shows that share prices for large breached companies will hit a low point approximately 14 market days after an incident becomes public. Share prices fall 7.27 percent on average to reach that low, and they underperform the NASDAQ by -4.18 percent. Further, the firm found that finance and payment companies saw the largest drop in share price performance following a breach, while healthcare companies were least affected. And unsurprisingly, breaches that exposed credit-card and Social Security numbers saw larger drops in share price on average than companies that leaked less-sensitive data. The study analyzed stock performance for 28 very large companies listed on the New York Stock Exchange that have 33 well-known data breaches between them: Apple, Adobe, Anthem, Capital One, Community Health Systems, Dun & Bradstreet, Facebook, First American Financial, eBay, Equifax, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LinkedIn, Marriott International, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone and Yahoo. All of them resulted in at least 1 million records leaked, and some (Capital One, Equifax, Target, Yahoo) are among the largest breaches in American history. In analyzing their closing share prices…

Source