
Tag: Access Control

VU#491375: Intel Active Management Technology (AMT) does not properly enforce access...

Technologies based on Intel Active Management Technology may be vulnerable to remote privilege escalation, which may allow a remote, unauthenticated attacker to execute arbitrary code on the system.

Open source JavaScript, Node.js devs get NPM Orgs for free

NPM Inc.'s NPM Orgs tool, which has been available as a paid service for JavaScript and Node.js development teams collaborating on private code, is now available for free use by teams working on open source code. The SaaS-based tool, which features capabilities like role-based access control, semantic versioning, and package discovery, now can be used on public code on the NPM registry, NPM Inc. said on Wednesday.

Developers can transition between solo projects, public group projects, and commercial projects, and users with private registries can use Orgs to combine code from public and private packages into a single project. "The only difference in functionality [between private and open source use] is that you can mark packages as private if you're a paid organization," NPM Inc. CEO Isaac Schlueter said.

For developers collaborating with a team of people on private packages, Orgs costs $7 per user.

Build your own sharing system, with help from Google engineers

Engineers at Google have unveiled Upspin, an experimental open source project for creating file-sharing infrastructure that works "securely, uniformly, and globally." It isn't yet competition for the likes of Box or Dropbox.

But in time, its creators hope it could serve as the underpinnings for just such an offering.

A place for everyone's stuff

From the outside, Upspin -- not an official Google offering, just one created by some of its employees -- looks like a shared file system with namespaces for each user.

But its real value, according to its creators, is "a set of interfaces, protocols, and components from which an information management system can be built, with properties such as security and access control suited to a modern, networked world."

Google Upspin Secure File-Sharing Released to Open Source

New file-sharing protocols and interfaces called Upspin have been released to open source.

Built by Google, Upspin returns access control and data security to the user.

Cisco Secure Access Control System XML External Entity Vulnerability

A vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an authenticated, remote attacker to have read access to part of the information stored in the affected system. The vulner...

Cisco Secure Access Control System Cross-Site Scripting Vulnerability

A vulnerability in Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to conduct a DOM-based cross-site scripting (XSS) attack against the user of the web interface of the affected system. The...

Cisco Secure Access Control System Information Disclosure Vulnerability

A vulnerability in the web interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to disclose sensitive information. The vulnerability is due to the inclusion of sensitive informa...

Cisco Secure Access Control System Open Redirect Vulnerability

A vulnerability in the web interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. The vulnerability is due to improper input vali...

Features of secure OS realization

There are generally accepted principles that developers of all secure operating systems strive to apply, but there can be completely different approaches to implementing these principles.

The problem with passwords: UK workers waste more than two days...

17% spend more than five minutes logging in to work apps each day
A quarter must log in to five different apps and systems
Nearly one in five write down passwords to remember them

Nottingham, UK, 25 January 2017 – Poor password practices leave some UK workers potentially wasting more than two days each year using multiple credentials to log in to essential systems, according to network security experts Hypersocket Software.

Research published in Hypersocket's whitepaper Work smarter, not harder: solving password problems with Single Sign-On shows that 60 per cent of workers spend up to five minutes logging in to work apps each day, while a frustrated 17 per cent tap their fingers for more than five minutes before they can get down to work. This means that UK office workers could be wasting between 7½ and 19 hours a year waiting for systems to get up and running – or between one and two and a half working days annually.

Multiple systems equals multiple logins

Just under two-thirds of respondents told Hypersocket they must log in to between two and five different apps and systems before they can get started for work, whilst just over a quarter (26 per cent) log in to more than five systems. The findings highlight that the majority of employees are juggling multiple logins and credentials, despite the fact that technology like Single Sign-On, which automatically populates users' passwords and logs them into their web apps with one click, is well established. In fact, only 9 per cent of those surveyed are able to use just one set of credentials across systems.

Password security risks

Multiple passwords not only open the door for hackers to enter the system; there are obvious knock-on implications for how strong and secure these passwords might be. With so many different systems to access, almost 40 per cent of employees admitted to using techniques to remember their passwords that pose a potential security risk to their business. Nearly one in five people (19 per cent) admitted to writing their passwords down to remember them. A further 21 per cent routinely use obvious, easy-to-guess passwords such as their children's or spouse's names. Just 6 per cent use a password manager to store and organise passwords and then access them using one master password.

Lee Painter, CEO of Hypersocket Software, comments: "Tough access control requirements mean that, understandably, most enterprise systems require a password to grant users access, and our findings highlight the password problem employees face in juggling multiple logins and the obvious knock-on effect on security and productivity." He adds: "But it's a problem with a straightforward solution. Implementing Single Sign-On technology can mean the difference between breach and security, inefficiency and productivity. For employees one-click sign in is the difference between inconvenience and accessibility, working harder or working smarter."

The pain of password resets

The research also shows there is more pain for those who forget their passwords. Over one third (36 per cent) of people have work applications they don't bother to use anymore because they have forgotten the password. And while 63 per cent of respondents use a password self-service system for password resets, a quarter (25 per cent) still have to contact an IT help desk to reset their passwords.

Concludes Lee: "Whatever the future with trends such as biometric passwords, it's probable that the traditional password will remain a key security layer for the foreseeable future and so continue to create pain points for employees. Poor password practices and weak management of identities will continue to make enterprises vulnerable and create a route for hackers and malicious insiders to breach systems."

For more insight into the challenges that arise for employees and enterprises from the use of multiple passwords and the benefits of Single Sign-On technology, download Hypersocket's whitepaper: Work smarter, not harder: solving password problems with Single Sign-On.

Ends

Notes to Editors

About Hypersocket Software

Hypersocket Software provides enterprise-level network security and access management software to help businesses of all sizes create more secure IT environments. Its flagship Hypersocket Prime solution is a free and easy-to-use network security platform that consists of Virtual Private Networking, Single Sign-On and Managed File Transfer products. Prime offers a complete package to enable businesses to manage access to applications, remotely access applications and transfer files in and out of company networks – all at zero cost. By using its expertise to create a free and easy-to-use solution that focuses on areas where security is paramount, Hypersocket Software gives businesses the tools they need to tackle the IT security challenges they face every day. Organisations including IBM, Cisco, HP, Xerox, Ericsson, Apple, Oracle, AT&T, Fujitsu and Hitachi already trust Hypersocket's security credentials and use its appliances and software components in their daily operations.

Research

Survey of 115 full-time employees undertaken in August 2015 on behalf of Hypersocket Software by Survey Monkey.

Press contacts

Stephanie Dobson, Lumiere PR Limited, Direct: +44 (0)7831 623 533, Stephanie@lumierepr.com
Majid Latif, Hypersocket Software, Majid@hypersocket.com

Hadoop, CouchDB Next Targets in Wave of Database Attacks

Insecure Hadoop and CouchDB installations are the latest targets of cybercriminals who are hijacking and deleting data. Last week, security researchers said 28,000 MongoDB and Elasticsearch installations were hacked in a new wave of attacks against unprotected open source data management platforms. On Friday, security researcher Victor Gevers, who has been monitoring both MongoDB and Hadoop database attacks, said so far 126 Hadoop and 452 CouchDB installations have been hacked. As with MongoDB and Elasticsearch, attackers are taking advantage of default installations of Hadoop and CouchDB where either no credentials or easy-to-guess credentials allow for simple attacks. "A core issue is similar to MongoDB, namely the default configuration can allow 'access without authentication.' This means an attacker with basic proficiency in (Hadoop Distributed File System) can start deleting files," wrote the Fidelis Threat Research Team, which is also tracking the database attacks. Interestingly, unlike MongoDB breaches where an attacker asked victims to pay a ransom to retrieve stolen data, with Hadoop, breached data is simply destroyed.

A note, in the form of a crude directory name, is left behind. With CouchDB, Gevers said, attacks are identical to those on MongoDB and Elasticsearch, where a ransom note is left behind demanding money for data retrieval.

As with MongoDB and Elasticsearch, data is most likely destroyed and those who pay the ransom do not get their data back. Mike Olson, chief strategy officer and co-founder of Cloudera, one of several firms that provide Apache Hadoop-based software, said the problem has nothing to do with the security of these platforms. "This is a problem that has to do with deployment and operations discipline." Olson said Hadoop has a bevy of security and data protection capabilities. "You can encrypt all the data that's on the platform, you can separate the key management from the system and you can take advantage of authentication, access control and user enroll-based rights to the data.

The systems that have been attacked have not taken advantage of these features,” he said. Cloudera customers are reminded of those safety and security provisions every step of the way during installation, according to Olson. Gevers said he began tracking attacks on Tuesday that first targeted Hadoop installations and then CouchDB installations.

The latest Shodan scan (conducted Friday afternoon) reveals 5,160 unprotected Hadoop installations and 4,530 open CouchDB installations. Gevers said it appears that most Hadoop attacks are being performed manually. However, with CouchDB, the attacks have become automated, just as they have with MongoDB and Elasticsearch. He said a hacker with the handle "Kraken0" has added CouchDB to a ransomware kit for sale on the Dark Web that specifically targets open databases such as MongoDB, Elasticsearch and now CouchDB. "We are going to see more instances of these types of attacks," Gevers told Threatpost. "Sadly, there are some people who want to see the world burn.

Destroying insecure databases is turning into a huge problem, primarily because it can be done so easily.”

Pwn2Own 2017 Expands Attack Surface Beyond the Web Browser

10th anniversary edition of Pwn2Own hacking contest offers over $1M in prize money to security researchers across a long list of targets including virtual machines, servers, enterprise applications and web browsers.

Over the last decade, the Zero Day Initiative's (ZDI) annual Pwn2Own competition has emerged as one of the premier events on the information security calendar, and the 2017 edition does not look to be any different. For the tenth anniversary of the Pwn2Own contest, ZDI, now owned and operated by Trend Micro, is going farther than ever before, with more targets and more prize money available for security researchers to claim by successfully executing zero-day exploits.

HPE sold its TippingPoint division, which includes ZDI, for $300 million to Trend Micro in 2016, and the Pwn2Own event that year was hosted as a joint effort between the two companies. By the end of the two-day event in 2016, $460,000 in prize money was awarded to researchers who demonstrated a total of 21 zero-day vulnerabilities.

The Pwn2Own 2017 event is co-located with the CanSecWest conference in Vancouver, Canada, set for March 15-17. The 2017 event is sponsored by Trend Micro and, unlike past Pwn2Own events, is not focused on web browsers.

Among the targets this year are virtual machines, including both VMware and Microsoft Hyper-V systems. Researchers will need to execute a hypervisor escape from the guest virtual machine to run arbitrary code on the underlying host operating system. ZDI will pay a $100,000 reward to the security researcher who is able to successfully execute a virtual machine escape.

"We're always considering new targets for each year," Brian Gorenc, senior manager of vulnerability research with Trend Micro, told eWEEK. Outside of the Pwn2Own event, ZDI is in the business of acquiring security vulnerabilities from researchers. Gorenc added that ZDI is actively acquiring virtual machine escapes through its program. "Hopefully Pwn2Own will raise awareness among researchers, so we see even more of these reports," Gorenc said.

While virtual machines are on the target list for Pwn2Own, Docker containers are not. Gorenc noted that containers weren't really a consideration for this year's contest.

Linux

Pwn2Own has targeted Apple's macOS and Microsoft Windows based technologies for the past decade, but in 2017 the open-source Linux operating system has finally made the target list. Pwn2Own researchers will specifically be able to target the Ubuntu 16.10 Linux operating system in a pair of separate challenges, one for privilege escalation, the other for server-side web host exploitation.

Researchers who target Linux will be awarded $15,000 if they can leverage a kernel vulnerability to escalate privileges. The same feat on Windows will earn a researcher $30,000, while a macOS escalation of privilege will be rewarded with $20,000. Ubuntu Linux systems can be secured with an additional layer of mandatory access control known as AppArmor that in some cases would limit the risk of a local user privilege escalation exploit. Gorenc noted that for the Pwn2Own contest, ZDI is not setting up any AppArmor profiles for this year's event.

On the server side, ZDI will award a successful exploit against the open-source Apache Web Server running on Ubuntu 16.10 Linux with a $200,000 prize.

Web Browsers

Once again web browsers are a key target at Pwn2Own, with successful exploitation of Microsoft's Edge browser or Google Chrome worth $80,000. A successful exploit of Apple's Safari will be rewarded with a $50,000 prize. After not being part of the 2016 event, Mozilla's Firefox web browser is back on the Pwn2Own target list for 2017. A successful exploit of Firefox will earn $30,000. "Mozilla improved their security enough for us to warrant their re-inclusion in the contest," Gorenc said.

Additionally, the 2017 Pwn2Own event will award researchers $50,000 for each successful exploit of Adobe Reader, Microsoft Office Word, Excel and PowerPoint. The total prize pool available for researchers is more than any other Pwn2Own event has ever offered. "Much of the final tally will depend on how many entries we have," Gorenc said. "We're definitely over $1 million, which is our largest Pwn2Own ever."

After 10 years of running Pwn2Own events, it's likely that the hacking challenge will continue for many more years to come. "While it would be great to live in a world with perfect security, we know this isn't really practical," Gorenc said. "A lot of great research has been through the contest and inspired by the contest – research which ended up improving security for everyone."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.