President Trump on Tuesday fired his top election security official Christopher Krebs (no relation). The dismissal came via Twitter two weeks to the day after Trump lost an election he baselessly claims was stolen by widespread voting fraud. Krebs, 43, is a former Microsoft executive appointed by Trump to head the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security. As part of that role, Krebs organized federal and state efforts to improve election security, and to dispel disinformation about the integrity of the voting process. Krebs' dismissal was hardly unexpected. Last week, in the face of repeated statements by Trump that the president was robbed of re-election by buggy voting machines and millions of fraudulently cast ballots, Krebs' agency rejected the claims as "unfounded," asserting that "the November 3rd election was the most secure in American history." In a statement on Nov. 12, CISA declared "there is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised." But in a tweet Tuesday evening, Trump called that assessment "highly inaccurate," alleging there were "massive improprieties and fraud — including dead people voting, Poll watchers not allowed into polling locations, ‘glitches' in the voting machines that changed votes from Trump to Biden, late voting, and many more." Twitter, as it has done with a remarkable number of the…

Source

Government officials and cybersecurity experts alike condemned President Trump’s firing of Christopher Krebs by tweet Tuesday, as the director of the Cybersecurity and Infrastructure Security Agency (CISA) became the latest victim of the president’s housecleaning efforts after his failed bid for a second term. Krebs was appointed by Trump in 2018 as the first director of the Department of Homeland Security’s (DHS’s) CISA. However, he challenged the president by trying to debunk false claims Trump has made suggesting that the 2020 presidential election was rigged against him, which observers said is the reason Krebs was sacked. In fact, the now former CISA chief, widely touted as non-partisan in how he approached his job, is widely credited with ensuring that the election was not tampered with by nation-state actors and remained secure for all voters, with the DHS last week calling it “the most secure in election history.” Krebs knew his days were numbered once election results were tallied in favor of president-elect Joe Biden. He said last week that he expected to be fired after he delivered a secure presidential election that didn’t go in Trump’s favor and then refused to support the president’s claims of election fraud. In an interview with CNN, ex-CIA director John Brennan, who served under President Barack Obama, said the firing of the “highly qualified and widely respected” Krebs was the result of a “vendetta” by a president who is “trying to steal the election back”…

Source

Industrial control system firms Real Time Automation and Paradox both warned of critical vulnerabilities Tuesday that open systems up to remote attack. The flaws are rated 9.8 out of 10 in severity under the industry-standard Common Vulnerability Scoring System (CVSS). The Real Time Automation bug was found by researchers at Claroty, which publicly disclosed it Tuesday. “A stack overflow vulnerability was discovered in RTA’s 499ES ENIP stack, all versions prior to 2.28, one of the most widely used OT protocols,” Claroty wrote. Third-party code in Real Time Automation’s (RTA’s) proprietary 499ES EtherNet/IP (ENIP) component can be triggered remotely to create conditions ripe for a denial-of-service attack. Claroty researchers said they had identified 11 devices from six different vendors that use RTA’s ENIP stack and are likely to be vulnerable; the firm did not name those vendors. The vulnerability, tracked as CVE-2020-25159, was reported to CISA last month by Sharon Brizinov of Claroty. RTA, which describes itself as providing industrial control systems for manufacturing and building automation, posted information regarding the vulnerability on Oct. 27. John Rinaldi, chief strategist, business development manager and CEO of RTA, said in October that, “Older code in the RTA device attempted to reduce RAM usage by limiting the size of a particular buffer used in an EtherNet/IP Forward Open request. By limiting the RAM, it made it possible for an…
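The RAM-for-safety trade-off Rinaldi describes is the classic shape of a stack-based overflow in a protocol parser: a length field arrives from the network, and the code copies that many bytes into a buffer sized for the common case. The C sketch below is an added illustration written for this digest, not RTA's 499ES code or Claroty's proof of concept. It models a Forward Open body as a one-byte connection path size in 16-bit words (the CIP encoding) followed by the path bytes, and sets a parser that trusts that length against a 32-byte stack buffer beside one that bounds the copy first. The request layout, the 32-byte buffer and the function names are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative model, not RTA's code. A Forward Open body is assumed to be:
 *   byte 0     : connection path size, in 16-bit words (so up to 510 bytes)
 *   bytes 1..n : the encoded connection path
 * PATH_BUF_BYTES is a hypothetical small buffer chosen to save RAM. */
#define PATH_BUF_BYTES 32

/* Vulnerable pattern: the length byte is trusted and the path is copied into a
 * fixed-size stack buffer. A path longer than 32 bytes overwrites the stack.
 * Only ever call this with a path that fits; it is here to show the bug. */
int parse_forward_open_vulnerable(const uint8_t *req, size_t req_len)
{
    uint8_t path[PATH_BUF_BYTES];
    if (req_len < 1)
        return -1;
    size_t path_len = (size_t)req[0] * 2;
    if (req_len < 1 + path_len)
        return -1;                       /* truncated request */
    memcpy(path, req + 1, path_len);     /* overflow when path_len > sizeof path */
    return (int)path_len;
}

/* Hardened form: the declared length is checked against the buffer before any
 * copy, so an oversized path is rejected instead of smashing the stack. */
int parse_forward_open_hardened(const uint8_t *req, size_t req_len)
{
    uint8_t path[PATH_BUF_BYTES];
    if (req_len < 1)
        return -1;
    size_t path_len = (size_t)req[0] * 2;
    if (path_len > sizeof path)
        return -2;                       /* path too long for this device */
    if (req_len < 1 + path_len)
        return -1;                       /* truncated request */
    memcpy(path, req + 1, path_len);
    return (int)path_len;
}

/* Build a constructed request with `words` path words, filled with `fill`.
 * Returns the request length, or 0 if it does not fit in `out`. */
size_t build_request(uint8_t *out, size_t out_cap, uint8_t words, uint8_t fill)
{
    size_t total = 1 + (size_t)words * 2;
    if (total > out_cap)
        return 0;
    out[0] = words;
    memset(out + 1, fill, total - 1);
    return total;
}

/* Build a request of `words` path words and run it through the hardened parser. */
int hardened_result_for(uint8_t words)
{
    uint8_t buf[1 + 255 * 2];
    size_t n = build_request(buf, sizeof buf, words, 0x41);
    return parse_forward_open_hardened(buf, n);
}

int main(void)
{
    /* 16 words = 32 bytes fits; 17 words = 34 bytes would overflow the vulnerable parser. */
    printf("16 words  -> %d\n", hardened_result_for(16));
    printf("17 words  -> %d\n", hardened_result_for(17));
    printf("255 words -> %d\n", hardened_result_for(255));
    return 0;
}
```

The point of the comparison is where the bound lives: the vulnerable version checks only that the request is long enough to hold what the length byte promises, never that the destination is, so shrinking the buffer to save RAM silently widened the attack surface. Rejecting before the copy is what turns a crash (or worse) into a dropped packet.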

Source

Even as state and local governments begin to relax COVID-19-related stay-at-home orders, many businesses have adapted to having more people work from home. This trend is likely to continue: among the top 20 percent of earners, the share who work from home is close to 70 percent, according to Brookings. The majority of these people have desk jobs and rely heavily on technology to complete their tasks. But as companies shift from pandemic-related policies to a new normal, there are some major security implications to consider. In the past (2017-2018), when only 4 percent of the population worked from home full-time, corporations were largely protected from outside cyber-threats by corporate firewalls, intrusion-detection systems and a myriad of other tools. Insider threats from employees and others given access to the network were more easily monitored because they were always connected in some capacity, so malicious activity could be detected more readily.

Accessing Company Assets from Home

Even while employees continue to work from home, they still require access to corporate assets to do their jobs well. Without access, some employees can’t perform their duties at all. Organizations must define long-term policies for how employees access company-owned assets, especially if they intend to allow employees to work from home indefinitely. Such policies should include restricting access by role, as well as other security measures like requiring employees to be…

Source

As pharmaceutical companies such as Pfizer race to develop a vaccine for COVID-19, mobile phishing gangs are switching up their tactics in hopes of getting their hands on critical research. Cybercriminals previously targeted pharmaceutical company employee credentials. However, new research shows that 77 percent of pharmaceutical mobile phishing attempts in the third quarter of 2020 sought to deliver malware to victims’ devices. This shift, which reflects a 106 percent increase in malware delivery via mobile phishing, shows cybercriminals turning to spyware, remote access functionality and more in order to reach “crown jewel” COVID-19 research data held by pharmaceutical companies. “On a global scale, there have been multiple reports of foreign adversaries targeting pharmaceutical industry executives with mobile spear phishing attacks,” Hank Schless, senior manager of security solutions at Lookout, wrote Tuesday in an analysis of the trend. “Both the National Cyber Security Centre in the U.K. and the Cybersecurity & Infrastructure Security Agency in the U.S. issued advisories to organizations involved in the COVID-19 response to shore up their security practices. State-sponsored campaigns prove that nation-state virtual espionage is not just an issue for government entities.” As the pandemic continues to rattle the world, pharmaceutical companies in particular are under scrutiny as the hunt continues for an effective vaccine. Pharmaceutical giant Pfizer recently…

Source

Over the past two weeks, global biotech firm Miltenyi has been battling a malware attack on its IT infrastructure, the company said in a recent disclosure to its customers. Miltenyi, which has been working on treatments for COVID-19, is still wrestling with phone and email communications in the wake of the attack, it said. “Rest assured, all necessary measures have now been taken to contain the issue and recover all affected systems,” the company statement said. “Based on our current knowledge, we have no indication that the malware has been inadvertently distributed to customers or partners.” It said that it was experiencing isolated cases where order processing was impaired by malware in parts of its global IT infrastructure. Though production is back online, some communications issues persist. “We are still having issues in some countries with our email and telephone systems,” an alert on the site said, along with a link to alternative phone numbers for customers to use to inquire about delays. Based in Germany, Miltenyi has 3,000 employees worldwide, across 73 countries. The firm is currently supplying SARS-CoV-2 antigens for researchers working on treatments for COVID-19. “SARS-CoV-2 antigens offer researchers the possibility to investigate virus-specific immune responses, including antigen-specific B cells and antibodies,” according to the company site. Miltenyi has not responded to Threatpost’s request for comment, and the nature of the malware is unknown….

Source

Zoom has once again upped its security controls to prevent “Zoom-bombing” and other cyberattacks on meetings. The news comes less than a week after Zoom settled with the Federal Trade Commission over false encryption claims. Two of the new features allow moderators to act as “club bouncers,” giving them the ability to remove and report disruptive meeting participants. The “Suspend Participant Activities” feature is enabled by default for all free and paid Zoom users; and, meeting participants can also report a disruptive user directly from the Zoom client by clicking the top-left “Security” badge. Separately, the videoconferencing giant also rolled out an internal tool that acts as a filter, preventing meeting disruptions (like Zoom-bombing) before they happen.

Removing Disruptive Participants

Under the Security icon, hosts and co-hosts now have the option to temporarily pause their meeting and remove a disruptive participant or Zoom-bomber, according to a Monday Zoom blog posting. “By clicking ‘Suspend Participant Activities,’ all video, audio, in-meeting chat, annotation, screen-sharing and recording during that time will stop, and Breakout Rooms will end,” the company explained. “The hosts or co-host will be asked if they would like to report a user from their meeting, share any details and optionally include a screenshot.” Once the reporter clicks “Submit,” the offending user will be removed from the meeting, and hosts can resume the meeting by individually re-enabling…

Source

A day after proof-of-concept (PoC) exploit code was published for a critical flaw in Cisco Security Manager, Cisco has hurried out a patch. Cisco Security Manager is an end-to-end security management application for enterprise administrators, which gives them the ability to enforce various security policies, troubleshoot security events and manage a wide range of devices. The application has a vulnerability that could allow remote, unauthenticated attackers to access sensitive data on affected systems. The flaw (CVE-2020-27130) has a CVSS score of 9.1 out of 10, making it critical. “An attacker could exploit this vulnerability by sending a crafted request to the affected device,” according to Cisco, in a Tuesday analysis. “A successful exploit could allow the attacker to download arbitrary files from the affected device.” According to Cisco, the flaw stems from improper validation of directory traversal character sequences within requests to an affected device. A path-traversal attack aims to access files and directories stored outside the web root folder. If an attacker manipulates variables that reference files (with “dot-dot-slash (../)” sequences), it is possible to read arbitrary files and directories on the file system, such as application source code, configuration files or critical system files. PoC exploits for the flaw – as well as 11 other issues in Cisco Security Manager – were published online Monday by security researcher Florian Hauser. Hauser…
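The dot-dot-slash class of bug Cisco describes is easiest to see in code, and the usual way it survives a "fix" is that the check runs on the wrong representation of the path. The C sketch below is an added example written for this digest, not Cisco Security Manager's code or Hauser's proof of concept. It models a web handler that maps a client-supplied path under a web root: first with the common mistake of searching the raw request for a literal "../" and percent-decoding afterwards, then with a lexical normalizer that decodes first, resolves "." and ".." segment by segment, and refuses any path that would climb above the root. The "/var/www" root, the 256-byte limit, MAX_SEGS and the function names are assumptions for the example; only "/" is treated as a separator, and a decoded NUL (%00) is rejected outright.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <ctype.h>

#define MAX_SEGS 64   /* hypothetical cap on path depth */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode `in` into `out`. Returns the decoded length, or -1 on a
 * malformed escape, an embedded NUL (%00) or output that does not fit. */
int url_decode(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == 0 || o + 1 >= cap) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Vulnerable pattern: a denylist check for "../" runs on the raw request and the
 * path is percent-decoded afterwards, so "%2e%2e/" passes the check and then
 * decodes to "../" in the final path. */
int build_path_vulnerable(const char *root, const char *req, char *out, size_t cap)
{
    char decoded[256];
    if (strstr(req, "../") != NULL) return -1;
    if (url_decode(req, decoded, sizeof decoded) < 0) return -1;
    if (snprintf(out, cap, "%s/%s", root, decoded) >= (int)cap) return -1;
    return 0;
}

/* Hardened form: decode first, then resolve the path lexically against a
 * virtual root. ".." pops a segment; popping past the root is rejected. */
int build_path_hardened(const char *root, const char *req, char *out, size_t cap)
{
    char decoded[256];
    const char *segs[MAX_SEGS];
    int depth = 0;
    if (url_decode(req, decoded, sizeof decoded) < 0) return -1;
    for (char *tok = strtok(decoded, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0) return -1;           /* would escape the web root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS) return -1;
        segs[depth++] = tok;
    }
    int n = snprintf(out, cap, "%s", root);
    if (n < 0 || (size_t)n >= cap) return -1;
    for (int i = 0; i < depth; i++) {
        int w = snprintf(out + n, cap - (size_t)n, "/%s", segs[i]);
        if (w < 0 || (size_t)(n + w) >= cap) return -1;
        n += w;
    }
    return 0;
}

/* Result helpers: 1 if the builder accepts `req` and produces exactly `want`,
 * or (for hardened_rejects) 1 if the hardened builder refuses `req`. */
int vulnerable_yields(const char *req, const char *want)
{
    char out[512];
    return build_path_vulnerable("/var/www", req, out, sizeof out) == 0 && strcmp(out, want) == 0;
}

int hardened_yields(const char *req, const char *want)
{
    char out[512];
    return build_path_hardened("/var/www", req, out, sizeof out) == 0 && strcmp(out, want) == 0;
}

int hardened_rejects(const char *req)
{
    char out[512];
    return build_path_hardened("/var/www", req, out, sizeof out) == -1;
}

int main(void)
{
    const char *probe = "%2e%2e/%2e%2e/etc/passwd";   /* constructed traversal probe */
    printf("vulnerable escapes root: %d\n", vulnerable_yields(probe, "/var/www/../../etc/passwd"));
    printf("hardened rejects probe:  %d\n", hardened_rejects(probe));
    return 0;
}
```

When testing a fix like Cisco's, send the traversal in every encoding the server will decode (raw, percent-encoded, double-encoded) and confirm the result is a rejection rather than a file; a check that only rejects the literal string is a denylist, and denylists on paths are what the encoded probe above is built to slip past.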

Source

An increasing number of websites are asking visitors to approve "notifications," a browser permission that lets the site periodically display messages on the user's mobile or desktop device. In many cases these notifications are benign, but several dodgy firms are paying site owners to install their notification scripts and then selling that communications pathway to scammers and online hucksters. When a website you visit asks permission to send notifications and you approve the request, the resulting messages pop up outside of the browser. For example, on Microsoft Windows systems they typically show up in the bottom right corner of the screen — just above the system clock. These so-called "push notifications" rely on an Internet standard designed to work similarly across different operating systems and web browsers. But many users may not fully grasp what they are consenting to when they approve notifications, or how to tell the difference between a notification sent by a website and one made to look like an alert from the operating system or another program that's already installed on the device. This is evident in the apparent scale of the infrastructure behind a relatively new company based in Montenegro called PushWelcome, which advertises the ability for site owners to monetize traffic from their visitors. The company's site currently is ranked by Alexa.com as among the top 2,000 sites in terms of Internet…

Source

Security researchers are blasting Apple for a feature in the latest Big Sur release of macOS that allows some Apple apps to bypass content filters and VPNs. They say it is a liability that threat actors could exploit to bypass firewalls, gain access to people’s systems and expose their sensitive data. A Big Sur beta user named Maxwell (@mxswd) was the first to point out the issue back in October on Twitter. Despite concerns and questions among security professionals, Apple released Big Sur to the public on Nov. 12. “Some Apple apps bypass some network extensions and VPN Apps,” he tweeted. “Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running.” His tweet triggered a rash of comments decrying the issue and accusing Apple, which has long touted its concern for user privacy and the overall security of its products over those of its rivals, of having a double standard when it comes to the company’s own privacy policies and those of its customers and partners.

Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running 😒 — Maxwell (@mxswd) October 19, 2020

Discomfort with Apple’s choice to bypass its NEFilterDataProvider was also echoed on the Apple Developer Forum.

50 Apple Apps Excluded?

“We found out that traffic from about 50 Apple processes is excluded from…

Source