
Tag: Tripwire

iPhone, Mac owners: How to stymie hackers extorting Apple, threatening to...

Hackers claiming to have hundreds of millions of iCloud credentials have threatened to wipe data from iPhones, iPads and Macs if Apple does not fork over $150,000 within two weeks. "This group is known for getting accounts and credentials, they have ...

Survey Finds Many Enterprises Lack Tools, Skills to Protect Networks

By Don Reisinger | Posted 2016-12-12

Hackers are having a field day in the enterprise. By attacking poorly secured networks, unsuspecting employees and unpatched servers, hackers are finding multiple points of entry into corporate networks and running amok. But a new study from security firm Tripwire, conducted by Dimensional Research, suggests the problem isn't going to get better anytime soon. According to the report, only a quarter of companies have the ability to detect and effectively respond to data breaches. Furthermore, in a large number of cases, they don't have the technology that would allow their network components to send out alerts about suspicious behavior that might signal a possible data breach. Perhaps worst of all, many companies report that a skills gap limits their ability to adequately protect their networks. This slide show delves deeper into the Tripwire study, which includes responses from 500 IT professionals, to shed light on just how worrisome corporate network security has become.

Tripwire Survey Finds IT Pros Lack Tools, Skills to Defend Networks
A Tripwire survey finds that just 25 percent of IT professionals believe their organizations have the security technology and skills to detect network breaches.

A Minority of Companies Have Means to Detect, Respond to Breaches
Just 25 percent of IT professionals say they have the ability to detect and respond to threats. Another 5 percent of respondents said they couldn't answer the question because "technology is changing so quickly."

Many Companies Have Only Some Technology
A larger number of companies, 32 percent, say they have the required technology to detect breaches but don't have the means to properly respond to alerts about suspicious behavior on their networks. Surprisingly, 9 percent of companies say they have no technology that would allow them to detect a possible data breach on their networks.

Most Respondents Aren't Prepared to Respond to a Breach
Detecting a data breach is only one side of the equation; being able to respond is the other. On that front, just 25 percent of companies say they can respond to a data breach. All the others, 75 percent, say they cannot respond to a serious data breach in any way.

Most Companies Don't Have Integrated Security Tools
Enterprise security tools need to be integrated so they can exchange data during a breach. However, just 3 percent of companies say all their security tools are integrated and can exchange information. Another 20 percent of respondents say more than half of their tools have that capability.

Some Companies Can't Exchange Data
A sobering fact from the Tripwire survey: 10 percent of companies say they have no ability whatsoever to integrate security tools and exchange data between those tools to respond to data breaches. Another 19 percent of companies say less than 10 percent of their tools have that capability.

Many Companies Can't Properly Interpret Alert Data
Security teams need to be able to correlate data and security alerts from security tools to respond to possible threats. However, only 60 percent of companies do so, with 40 percent having limited to no ability to correlate data and security alerts.

Real-Time Responses Are Essential
Responding in real time can mean the difference between shutting down a data breach when it happens and allowing hackers to run amok on a network. However, just 21 percent of companies say they can correlate data and security alerts in real time to respond to threats.

It Takes Too Long to Get Security Alert Details
Other companies aren't as lucky and don't get actionable information in real time, according to Tripwire. Instead, the security firm says that 39 percent of companies are able to get the correlated data and security alerts, but it can take them days or weeks, long after the hackers are gone.

A Small Number Outsource Security Breach Response
According to Tripwire, 3 percent of IT professionals say they outsource their security response efforts to experts whenever they experience a breach. Apparently they believe they don't have the requisite knowledge internally to address possible breaches.

More than Half Say They Face a Skill Shortage
In a statement, Tripwire said that 65 percent of IT professionals believe there's a skills shortage that prevents them from delivering an appropriate incident response. If they had the right people with the right skills, companies say, they might be able to respond more effectively to threats.

Don Reisinger is a freelance technology columnist. He started writing about technology for Ziff-Davis' Gearlog.com. Since then, he has written extremely popular columns for CNET.com, Computerworld, InformationWeek, and others. He has appeared numerous times on national television to share his expertise with viewers. You can follow him at http://twitter.com/donreisinger.

The new Mirai malware strain has gone beyond Deutsche Telekom

The latest strain of Mirai, the malware that’s been infecting internet routers from Germany’s Deutsche Telekom, has spread to devices in at least 10 other countries, according to security firm Flashpoint. The company has detected the new Mirai strain infecting internet routers and modems across the globe, including in the United Kingdom, Brazil, Iran, and Thailand. It’s still unclear how many devices have been infected, but Flashpoint estimates that as many as five million devices are vulnerable. “If even a fraction of these vulnerable devices were compromised, they would add considerable power to an existing botnet,” Flashpoint said in a Tuesday blog post. The malware grabbed headlines on Monday when Deutsche Telekom reported that close to a million customers experienced internet connection problems from the new Mirai strain infecting their routers.

Although Deutsche Telekom has offered a software update to stop the malware, security experts worry that the hackers will continue to upgrade Mirai’s source code to infect additional devices. The original version of Mirai became notorious for quickly enslaving poorly secured IoT devices, such as DVRs and surveillance cameras.

This new strain infects routers from a company called Zyxel, using a known flaw in the routers' SOAP (Simple Object Access Protocol) remote management interface to take them over. The goal of Mirai is to form a botnet, an army of enslaved devices that can be used to launch massive distributed denial-of-service attacks that can shut down websites. In October, Mirai botnets were blamed for doing just that in a disruption that slowed internet access across the United States.

Flashpoint said it has already found this new strain of Mirai creating a botnet to launch "small-scale" DDoS attacks on an IP address in Africa and a cloud hosting provider. The attacks, which lasted between a few minutes and more than an hour, occurred on Monday and Tuesday. Hackers have been exploiting the Mirai malware ever since its source code was released on a forum in late September.

The developers of this new strain probably wanted to make their Mirai botnet bigger, Flashpoint said. However, the spread of the new Mirai strain appears to be slowing down, according to Craig Young, a security researcher at Tripwire. On Monday, he estimated the malware was attempting to infect devices at a rate of one every 90 seconds.

But as of Tuesday morning, that rate had slowed to about one every six minutes, he said. Young said the Deutsche Telekom attack was in one sense a failure.

The hackers probably never intended to disrupt Deutsche Telekom customers' Internet connections, but simply to secretly infect their routers to grow the botnet, he said. The way the Mirai strain took over the routers drew too much attention, provoking the German carrier to quickly issue a security patch. “The malware may have been too demanding on the routers, and overloaded them, so they wouldn’t be able to operate,” Young said. He expects the hackers to keep upgrading Mirai. “Someone will fix the bugs in the code,” he said. “People will also incorporate more exploits related to routers.”

Hackers Make New Claim In San Francisco Transit Ransomware Attack

The San Francisco Municipal Transportation Agency said by Sunday it had contained a ransomware attack that occurred Friday and impacted its internal computer and payment systems. The public transit system is facing new, unsubstantiated claims on Monday, however, that the group responsible for the attack is holding hostage 30GB of the agency's data.

"On Nov. 25, the SFMTA was a victim of a ransomware attack," a statement issued Sunday by the San Francisco Municipal Transportation Agency (SFMTA) reads. "The situation is now contained, and we have prioritized restoring our systems to be fully operational."

Hackers managed to disable its payment system as part of the attack, according to the SFMTA. A report filed Sunday with the San Francisco Examiner said that attackers were demanding 100 bitcoins, roughly $73,000, to restore the computer system. Over the weekend a message – "You Hacked, ALL Data Encrypted. Contact For Key(cryptom27[@]yandex.com)ID:681 ,Enter" – was displayed on the screens of some SFMTA systems.

In an email exchange on Monday, attackers claiming responsibility for the SFMTA hack told Threatpost that if the transit system doesn't contact them, they will release 30GB of sensitive data, including databases and employee information. The attacker wrote: "We Don't live in USA but I hope Company Try to Fix it Correctly and We Can Advise Them But if they Don't , We Will Publish 30G Databases and Documents include contracts , employees data , LLD Plans , customers and … to Have More Impact to Company To Force Them to do Right Job!" The attackers said they would only release the SFMTA data if the agency didn't contact them or neglected to fix "the vulnerability."

Paul Rose, an SFMTA spokesperson, told Threatpost in a statement that the attackers' allegations are false and that no customer privacy or transaction information was compromised. "We have never considered paying ransom and don't intend to. The attack did not penetrate our firewalls and we are able to restore systems through the work of internal staff," Rose said. He added that transit service, such as bus, streetcar and cable car service, was never impacted and rider safety was never at risk. The SFMTA made the decision to open the fare gates for customers as a "precaution to minimize any possible impacts to customers making transactions," Rose said. He declined to comment further, citing an ongoing investigation.

Security experts are skeptical that the attackers are in possession of any exfiltrated SFMTA data and suggest the claim is simply a ploy to keep the heat on the SFMTA to pay something. "It's all about the money. If the transit system has its system back online, then the attackers are going to try to get money out of them another way, such as threatening to release data," said Matthew Gardiner, cybersecurity strategist at Mimecast. "I haven't seen any indication that they have taken data," said Javvad Malik, security advocate at AlienVault. "In the absence of being able to provide any data samples we are forced to take the attackers' word. And given the ethics of the people we are talking about I'm highly skeptical."

The attackers purportedly used the ransomware HDDCryptor, also known as Mamba, to carry out the attack. The ransomware is unusual in that it encrypts a target's entire disk rather than individual files. A researcher at Morphus Labs told Threatpost in September that once Mamba infects a machine, it overwrites the existing Master Boot Record with a custom MBR, and from there encrypts the hard drive. Because the whole volume is encrypted below the filesystem, recovery without the key depends on offline backups and reimaging rather than on restoring individual files. The attack against the SFMTA infected 2,112 of 8,565 computers owned by the SFMTA, according to the San Francisco Examiner, which reported that the attack impacted not only the payment system but also the scheduling and email systems.

"It's always concerning when a cyberattack has operational impact on the physical world. That's something that is happening more in recent years and something we need to be paying more attention to," said Tim Erlin, senior director of IT risk and security strategy at Tripwire. Erlin said large municipal transit systems are used to dealing with outages from a wide variety of circumstances. "They are often not malicious computer attacks. In this case the SFMTA had systems in place that allow them to quickly return to normal under a variety of different circumstances including this type of significant interruption to its computer systems," he said.

While the risk to passenger safety was never an issue in this attack, Erlin said he expects an increase in the number of cyberattacks that impact the physical world. "We are inching closer to cyberattacks actually jeopardizing human safety," he said Monday. Over the past year there have been several warnings of cyberattacks impacting physical safety. St. Jude Medical is facing fresh allegations that its heart implant devices are vulnerable to cyberattacks. In July, Cyber Risk Management published a report which warned that hospitals are prime targets for hackers who see internet-connected healthcare equipment as low-hanging fruit, whether it's making a quick buck by stealing medical records or carrying out a ransomware attack on life-saving healthcare equipment.
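The Mamba behaviour described above, a replaced Master Boot Record, is exactly what a boot-sector integrity check catches. The following is an added example, not code from Threatpost, Morphus Labs or any Tripwire product: it decodes sector 0 (boot code, the four partition entries and the 0x55AA signature), fingerprints the boot-code region with FNV-1a, and compares a freshly read sector against a baseline recorded when the host was known good. The sample sectors are constructed inside the code (NOP-filled boot code carrying a marker string and a single Linux partition), not real disk images, and the function names and layout constants are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE         512
#define MBR_BOOTCODE_LEN 446   /* bytes 0..445: boot loader code */
#define MBR_PTABLE_OFF   446   /* 4 x 16-byte partition entries */
#define MBR_PTABLE_LEN   64
#define MBR_SIG_OFF      510   /* 0x55 0xAA boot signature */

/* Result bits returned by mbr_check(); 0 means sector 0 matches the baseline. */
enum { MBR_OK = 0, MBR_BAD_SIG = 1, MBR_BOOTCODE_CHANGED = 2, MBR_PTABLE_CHANGED = 4 };

typedef struct {
    uint8_t  active;      /* 0x80 = bootable */
    uint8_t  type;        /* 0x07 NTFS/exFAT, 0x83 Linux, 0xEE protective GPT, ... */
    uint32_t lba_start;
    uint32_t sectors;
} mbr_part_t;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Decode the four partition entries; returns MBR_BAD_SIG if the boot signature is missing. */
static int mbr_parse(const uint8_t *sec, mbr_part_t parts[4])
{
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + MBR_PTABLE_OFF + 16 * i;
        parts[i].active    = e[0];
        parts[i].type      = e[4];
        parts[i].lba_start = rd_le32(e + 8);
        parts[i].sectors   = rd_le32(e + 12);
    }
    return (sec[MBR_SIG_OFF] == 0x55 && sec[MBR_SIG_OFF + 1] == 0xAA) ? MBR_OK : MBR_BAD_SIG;
}

/* FNV-1a 64-bit: a cheap, deterministic fingerprint of the boot-code bytes for the baseline record. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Compare a freshly read sector 0 against the baseline captured when the host was known good. */
static int mbr_check(const uint8_t *baseline, const uint8_t *current)
{
    int flags = MBR_OK;
    mbr_part_t parts[4];
    if (mbr_parse(current, parts) != MBR_OK)
        flags |= MBR_BAD_SIG;
    if (fnv1a64(baseline, MBR_BOOTCODE_LEN) != fnv1a64(current, MBR_BOOTCODE_LEN))
        flags |= MBR_BOOTCODE_CHANGED;   /* replaced boot loader: the Mamba behaviour described above */
    if (memcmp(baseline + MBR_PTABLE_OFF, current + MBR_PTABLE_OFF, MBR_PTABLE_LEN) != 0)
        flags |= MBR_PTABLE_CHANGED;
    return flags;
}

/* Constructed sample sector (not a real disk image): NOP-filled boot code carrying a marker
 * string, one active Linux partition, and a valid signature. */
static void build_mbr(uint8_t out[MBR_SIZE], const char *marker, uint32_t lba, uint32_t sectors)
{
    memset(out, 0x90, MBR_BOOTCODE_LEN);
    memset(out + MBR_BOOTCODE_LEN, 0, MBR_SIZE - MBR_BOOTCODE_LEN);
    memcpy(out, marker, strlen(marker));
    uint8_t *e = out + MBR_PTABLE_OFF;
    e[0] = 0x80; e[4] = 0x83;
    wr_le32(e + 8, lba); wr_le32(e + 12, sectors);
    out[MBR_SIG_OFF] = 0x55; out[MBR_SIG_OFF + 1] = 0xAA;
}

int main(void)
{
    uint8_t baseline[MBR_SIZE], current[MBR_SIZE];
    mbr_part_t parts[4];
    build_mbr(baseline, "stock boot loader", 2048, 41940992);
    build_mbr(current,  "stock boot loader", 2048, 41940992);
    printf("unchanged sector:   flags=%d\n", mbr_check(baseline, current));
    build_mbr(current,  "custom boot loader", 2048, 41940992);
    printf("replaced boot code: flags=%d\n", mbr_check(baseline, current));
    mbr_parse(current, parts);
    printf("partition 0: type=0x%02x lba=%u sectors=%u\n",
           parts[0].type, parts[0].lba_start, parts[0].sectors);
    return 0;
}
```

On a live Linux host the `current` buffer would come from the first 512 bytes of the disk (for example `dd if=/dev/sda bs=512 count=1`, which needs root), and the baseline fingerprint should be kept off-host so that malware with raw disk access cannot rewrite the reference as well. The case to alert on is a signature that is still 0x55AA with changed boot code: a full-disk encryptor needs the machine to keep booting into its own loader, so it preserves the signature.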

Microsoft Patches Zero Day Disclosed by Google

Microsoft followed through and today patched a zero-day vulnerability being exploited in public attacks that was disclosed by Google researchers nine days ago. The victims have yet to be identified, but Microsoft did attribute the attacks to the Sofacy APT group. Sofacy is generally thought to have ties to Russian military intelligence, and its targets are strategic: government and diplomatic agencies, military and defense contractors, and public policy think-tanks.

Google's disclosure on Oct. 31 came 10 days after it privately reported the vulnerability to Microsoft, along with a Flash zero day, also used in these attacks, to Adobe. Adobe patched the Flash vulnerability with an emergency update released on Oct. 26, but Microsoft did not publicly acknowledge the bug until after Google disclosed it.

Google's internal policy gives vendors seven days to patch or publicly report vulnerabilities that are being actively exploited. Google said the vulnerability is a local privilege escalation in the Windows kernel that leads to a sandbox escape. "It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD," Google's Neel Mehta and Billy Leonard said in their disclosure. The attackers chained this bug with the Flash zero day to get on targeted computers: the Flash bug provided initial code execution inside the browser's sandboxed process, and the kernel bug broke out of it.

The sandbox escape allows the attacker to run code in kernel mode. "Microsoft implemented new exploit mitigations in the Windows 10 Anniversary Update version of the win32k kernel component," Microsoft said in its bulletin, MS16-135. "These Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit."

MS16-135 also patched two other elevation of privilege vulnerabilities in the Windows kernel (CVE-2016-7215 and CVE-2016-7246), as well as an information disclosure bug in the kernel that opens the door to a kernel ASLR bypass (CVE-2016-7214), and a separate information disclosure bug in the Windows browser.sys kernel-mode driver (CVE-2016-7218).

Six of the 14 bulletins put out by Microsoft today are rated critical. One, MS16-132, included another vulnerability under attack, in the Windows Graphics Component. Microsoft said a remote code execution OpenType font vulnerability was patched in the Windows font library. That bulletin patched three other flaws, including an information disclosure flaw in OpenType font handling, specifically in the ATMFD component, which leaks enough information to carry out a further compromise.

Also addressed were remote code execution memory corruption vulnerabilities in Windows Animation Manager and Windows Media Foundation. Microsoft also provided cumulative updates for its browsers, Edge and Internet Explorer.

The Edge update, MS16-129, patched 17 vulnerabilities, most of which lead to remote code execution.

Two of the flaws, CVE-2016-7209 and CVE-2016-7199, were publicly disclosed, Microsoft said, but not used in in-the-wild attacks.

The second disclosed bug was also patched in the Internet Explorer update, MS16-142, which patched seven CVEs. MS16-130 patched three critical Windows bugs, a remote code execution flaw in the way Windows’ image file loading handles malformed image files, along with two elevation of privilege flaws in Windows IME and Windows Task Scheduler. Another remote code execution vulnerability was addressed in MS16-131 in the Microsoft Video Control component.

The remaining critical bulletin is the Adobe Flash Player update for IE and Edge; Adobe released an update today for Flash Player patching nine remote code execution flaws in the software. Though rated important by Microsoft, an Office bulletin, MS16-133, also merits attention because it patches a dozen vulnerabilities, including 10 that lead to remote code execution. None of the Office bugs are being publicly attacked, Microsoft said.

Microsoft also patched SQL Server, addressing a half-dozen elevation of privilege and information disclosure vulnerabilities in MS16-136. Three of the EoP bugs are in the SQL Server RDBMS engine, along with a cross-site scripting flaw in SQL Server MDS, an information disclosure issue in SQL Analysis Services, and another EoP issue in the SQL Server Engine Server Agent.

"The top priority for most administrators will be to quickly deploy fixes for browsers, graphics components, and Office. All of these components are affected by one or more code execution vulnerabilities Microsoft has classified as highly exploitable," said Craig Young, security researcher at Tripwire. "These are of the highest priority due to the fact that the vulnerabilities can potentially be triggered through normal web browsing activities giving an external attacker a way into networks."

The remaining bulletins are also rated important:

MS16-134 patches 10 elevation of privilege flaws in the Windows Common Log File System (CLFS).
MS16-137 patches three vulnerabilities in Windows NTLM, Virtual Secure Mode and the Local Security Authority Subsystem Service.
MS16-138 patches four elevation of privilege vulnerabilities in the Windows Virtual Hard Disk Driver.
MS16-139 patches a local Windows kernel elevation of privilege flaw in how the Windows Kernel API enforces permissions.
MS16-140 patches a security feature bypass in the Windows Secure Boot component; an attacker could disable code integrity checks and allow test-signed executables and drivers to be loaded.

DMCA Exemptions Lift Hacking Restrictions

White hat hackers can breathe a little easier for the next two years because of a temporary removal of restrictions imposed on hacking of everything from cars and medical devices to smart home appliances. Last week the U.S. Copyright Office temporarily removed certain restrictions imposed by the Digital Millennium Copyright Act (DMCA) that had long prevented researchers from circumventing protections, such as encryption, that restrict access to copyright-protected material.

The move was met with applause by the research community, which has long argued that more cooperation is needed between device manufacturers and researchers. "Obviously, adversaries don't abide by regulations, so their ability to reverse engineer and figure out how to get into a device and find ways to exfiltrate data has been successful," said Anthony James, CMO with research firm TrapX. "In terms of opening up new opportunities for researchers, this is only good for the industry," James said. "As an industry we wait for an attacker to exploit a vulnerability that they have the time, resources and energy to discover. This allows researchers to be more proactive when it comes to building defenses."

The exemption lifts the longstanding "prohibition against circumvention of technological measures that effectively control access to copyrighted works," according to the U.S. Copyright Office and Library of Congress exemption to DMCA Section 1201 issued on Oct. 28. The exemption applies to a wide range of research, including automobiles, medical devices and consumer IoT devices, and also allows the sharing of research data without fear of being sued.

That said, there are still restrictions on how far the research can go. For example, researchers can reverse engineer medical devices, but are restricted from accessing the Internet services used by those devices. Researchers can also tinker with a variety of IoT devices, but are restricted from accessing a computer they don't own. The exemption allows car hacking, but excludes breaking protections related to vehicle telematics and entertainment systems. In addition, researchers also face "good-faith" restrictions; if deemed in violation of them, researchers could still face prosecution under the Computer Fraud and Abuse Act, said Craig Young, researcher at Tripwire.

"There are still some restrictions that give me pause," Young said. "However, from the perspective of a researcher, it's a good step forward. But whether it's gone far enough is the question." He said even with these exemptions, researchers walk a fine legal line. "There are still some legal gray areas that exist. Maybe it's a tool for breaking the encryption on a firmware installation in a car or medical device or a tool for analyzing the traffic that goes through the CAN bus of a car."

The exemption to DMCA's Section 1201, despite its flaws, said the Electronic Frontier Foundation, "will promote security, innovation, and competition – and also help the next generation of engineers continue to learn by taking their devices apart to see how they work."

"Reverse engineering and modifying software for security research purposes is something that's going to happen, DMCA exemption or not," said Corey Thuen, senior security consultant with IOActive. "With an exemption we now have the good guys doing it too, which is important for advancing cybersecurity as a whole." Thuen said the exemptions would help projects such as the Open Garages vehicle research labs thrive. "Supporting the end-users' ability to modify and alter their car is an interesting development in the ongoing conflict of 'owning' software vs 'licensing' software," he said.

The rule change met resistance from several companies and industry trade associations, including the Auto Alliance, Global Automakers, GM, John Deere, The Software Alliance, the Intellectual Property Owners Association, and the National Association of Manufacturers. The exemptions are set to expire after two years, after which there will be a comment period for stakeholders to argue for an extension of the exemption to DMCA's Section 1201.

Democralypse Now? US election first battle in new age of cyberwarfare

CIA said to blame Russia for voter database hacks

Hacking attempts against more than 10 US state election databases have increased fears about Russian efforts to disrupt or influence the 2016 presidential election. Cyberattacks against voting databases in Arizona, Illinois and at least eight other states have only heightened concerns in the wake of the hack and subsequent leak of emails from the Democratic National Committee. The US government has not shied from pointing the finger of blame firmly towards Moscow, as previously reported.

The Russian government "directed the recent compromises of emails from US persons and institutions," the Department of Homeland Security and the Office of the Director of National Intelligence alleged earlier this month. US security agencies are publicly accusing Russia of trying to interfere with the election process after allegedly escalating from cyber-espionage to cyber-sabotage. Federal officials suspect Russian hackers tried to breach a contractor for Florida's election system, exposing voters' personal information in the process, CNN reports. Amid these heightened tensions, the CIA is reportedly preparing for cyberwar against Russia, or at least looking into scenarios for a conflict largely fought in the arena of public opinion, where leaks of sensitive information on rival political elites are the weapons of choice.

Spin cycle

Accusations are flying left, right, and centre as experts urge calm assessment and caution. Tod Beardsley, senior research manager at Rapid7, likened attempts to hack the election system to the routine scanning and probing of corporate networks. "There is wide speculation around the current 'probing' activity directed at online voter registration sites," he said. "In isolation, this might seem alarming. However, all online systems are 'probed' all the time. Automated and routine vulnerability scans of internet assets are a normal part of online weather, are sourced from all over the world, and are well understood by experienced IT security practitioners."

Even if voter record databases were corrupted, the effect would be disruptive rather than disastrous, according to Beardsley. "If online voter registration records are vandalised on election day in order to deregister otherwise legitimate voters, polling places can and will fall back to the paper-based provisional balloting system guaranteed by the Help America Vote Act of 2002 (HAVA). So, while an outage of voter registration records would certainly be inconvenient, it would not prevent the election from taking place. It just wouldn't be worthwhile in terms of effort, cost, and risk to attack elections this way, given the ease of local recovery through provisional balloting."

Vote early, vote often

The presidential election is now only two weeks away and this has served to heighten speculation – present during every recent election cycle – over the possibility of someone "hacking the election". Hackers have been threatening to steal voting results data as well as voters' personal information. The MIT Technology Review concludes that "voter registration information" is more at risk than your ballot.

Tim Erlin, senior director of product management at Tripwire, said the 2016 US presidential election is the "first major election where foreign cyberattacks have been discussed as a material threat", something he expects to become the norm. "There's no more business as usual when it comes to cybersecurity and US elections," Erlin said. "The United States is going to have to come to grips with a future where electronic interference in elections by foreign powers is standard operating procedure." Even apparently minor problems in election systems need to be scrutinised closely. "The information security community has learned over and over that the first discovery of a breach never uncovers the full scope," Erlin warned. "We should apply that lesson to any election related compromises as well. There's likely more to uncover here as well."

Robert McFarlane, head of labs at Head London, commented: "The levels of hysteria and hyperbole have been the highest of any US election in living memory, but it's certainly not inconceivable that we could see some high-stakes hacking. However, I'd suggest the underlying reasons behind this would be geopolitical: these elections have made the US look weak on the global stage and Putin desperately needs to deflect from the Syrian campaign. As such, a Russian-sponsored hack would serve to humiliate and destabilise an already shaky America.

"Of course, it also doesn't help that Trump's babbling rhetoric actively appears to invite outside interference to help secure his victory – or at the very least call a defeat into question. There are, clearly, a great many ways a hack could backfire on Trump, as well as the sponsor – whether that's external or domestic. In fact, being able to point the finger of blame at the Russian Federation (or any state they don't like) would be a convenient win for the Yanks by further isolating the perpetrator as an aggressive opponent of democracy."

Democralypse Now?

Rapid7's Beardsley has published a detailed blog on the hacking threats facing the US election system. The US election system is "massively complex" and "appears to embody the absolute worst practices when it comes to information security", he writes. There are cleartext, internet-based entry points to the voting system. There is an ageing installed base of voting machines running proprietary, closed-source code, produced by many vendors. And there is a bizarrely distributed model of authority over the election, where no one actually has the power to enforce a common set of security standards.

Despite this assessment, Beardsley is inclined to downplay the widely discussed hacking threat against voting machines. "It is possible that foreign hackers could infiltrate voting machine software, and therefore cause votes cast for one candidate to be counted for another," Beardsley said. "However, such an attack is literally incredible. Voting machines in the US are never [as far as we are aware] directly connected to the internet on Election Day, which means the attacker would need to get at the machines well before November 8, while the software is being written or loaded on to the machines. While this sort of infiltration is possible, such a campaign would require formidable espionage assets, have a high risk of being detected before the election, and the effects would be noticeable in bizarrely inaccurate exit polling during and after the election."

VU#396440: MatrixSSL contains multiple vulnerabilities

MatrixSSL contains multiple vulnerabilities

Original Release date: 11 Oct 2016 | Last revised: 12 Oct 2016

Overview

MatrixSSL, version 3.8.5 and earlier, contains heap overflow, out-of-bounds read, and unallocated memory free operation vulnerabilities.

Description

CWE-122: Heap-based Buffer Overflow - CVE-2016-6890
The Subject Alt Name field of X.509 certificates is not properly parsed. A specially crafted certificate may result in a heap-based buffer overflow and arbitrary code execution.

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2016-6891
The ASN.1 Bit Field is not properly parsed. A specially crafted certificate may lead to a denial of service condition due to an out-of-bounds read in memory.

CWE-590: Free of Memory not on the Heap - CVE-2016-6892
The x509FreeExtensions() function does not properly parse X.509 certificates. A specially crafted certificate may cause a free operation on unallocated memory, resulting in a denial of service condition.

The CVSS score below describes CVE-2016-6890. For more information about these vulnerabilities, contact the vendor at support@matrixssl.com or refer to the vendor release notes and the researcher's blog.

Impact

By causing a server to parse a specially crafted X.509 certificate, a remote, unauthenticated attacker may be able to create a denial of service condition or execute arbitrary code in the context of the SSL stack. The vulnerable code is reached whenever a peer-supplied certificate is parsed, so a server that requests client certificates is exposed to an unauthenticated client, and a client is exposed to the certificate presented by the server it connects to.

Solution

Apply an update. The vendor has released version 3.8.6 to address these issues. Developers of embedded devices using MatrixSSL should provide firmware updates implementing the fix. Users in general should update to the latest release.

Vendor Information

Vendor                          Status    Date Notified  Date Updated
MatrixSSL                       Affected  26 Aug 2016    11 Oct 2016
ACCESS                          Unknown   11 Oct 2016    11 Oct 2016
Alcatel-Lucent                  Unknown   11 Oct 2016    11 Oct 2016
Apple                           Unknown   11 Oct 2016    11 Oct 2016
Arch Linux                      Unknown   11 Oct 2016    11 Oct 2016
Arista Networks, Inc.           Unknown   11 Oct 2016    11 Oct 2016
Aruba Networks                  Unknown   11 Oct 2016    11 Oct 2016
AT&T                            Unknown   11 Oct 2016    11 Oct 2016
Avaya, Inc.                     Unknown   11 Oct 2016    11 Oct 2016
Barracuda Networks              Unknown   11 Oct 2016    11 Oct 2016
Belkin, Inc.                    Unknown   11 Oct 2016    11 Oct 2016
Blue Coat Systems               Unknown   11 Oct 2016    11 Oct 2016
Brocade Communication Systems   Unknown   11 Oct 2016    11 Oct 2016
CA Technologies                 Unknown   11 Oct 2016    11 Oct 2016
CentOS                          Unknown   11 Oct 2016    11 Oct 2016
(additional vendors not shown)

CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.8    E:POC/RL:OF/RC:C
Environmental  5.9    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Craig Young of Tripwire for reporting these vulnerabilities. This document was written by Joel Land.
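The three CVEs above are certificate-parsing bugs of one family: a length or count taken from attacker-controlled ASN.1 and used without checking it against the bytes actually received. The following is an added example, not MatrixSSL code and not a description of the exact MatrixSSL defects: a bounded DER reader that guarantees a value fits inside the buffer before anyone touches it, a SubjectAltName walker that copies dNSName entries into fixed slots only after checking their length (the bug class behind CVE-2016-6890), and a BIT STRING validator that rejects an impossible unused-bits count (the bug class behind CVE-2016-6891). The extension bytes, the slot limits and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes; every failure path rejects the certificate instead of trusting a length. */
enum { DER_OK = 0, DER_TRUNCATED = -1, DER_BAD_LENGTH = -2, DER_BAD_TAG = -3,
       DER_TOO_MANY = -4, DER_TOO_LONG = -5 };

/* Read one tag-length header at buf[*off]. On success *off points at the value and
 * *off + *vlen <= len is guaranteed, so callers may read the value without re-checking. */
static int der_read_tlv(const uint8_t *buf, size_t len, size_t *off, uint8_t *tag, size_t *vlen)
{
    size_t i = *off, l = 0;
    if (i + 2 > len) return DER_TRUNCATED;               /* need at least tag + 1 length byte */
    *tag = buf[i++];
    uint8_t first = buf[i++];
    if (first < 0x80) {
        l = first;                                       /* short form */
    } else {
        size_t n = first & 0x7f;                         /* long form: n length octets follow */
        if (n == 0 || n > 4) return DER_BAD_LENGTH;      /* indefinite length or absurd size */
        if (i + n > len) return DER_TRUNCATED;
        for (size_t k = 0; k < n; k++) l = (l << 8) | buf[i++];
        if (l < 0x80) return DER_BAD_LENGTH;             /* DER demands the shortest encoding */
    }
    if (l > len - i) return DER_TRUNCATED;               /* declared length exceeds what we hold */
    *off = i;
    *vlen = l;
    return DER_OK;
}

#define SAN_MAX_NAMES    8
#define SAN_MAX_NAME_LEN 64

typedef struct {
    size_t count;
    char   dns[SAN_MAX_NAMES][SAN_MAX_NAME_LEN];
} san_names_t;

/* Parse a SubjectAltName extension value (SEQUENCE OF GeneralName), collecting dNSName
 * entries (context tag [2], encoded 0x82). Other GeneralName choices are skipped by length. */
static int parse_san_dns(const uint8_t *ext, size_t ext_len, san_names_t *out)
{
    size_t off = 0, seq_len, vlen;
    uint8_t tag;
    int rc;
    memset(out, 0, sizeof *out);
    if ((rc = der_read_tlv(ext, ext_len, &off, &tag, &seq_len)) != DER_OK) return rc;
    if (tag != 0x30) return DER_BAD_TAG;
    size_t end = off + seq_len;                          /* inner items may not run past the SEQUENCE */
    while (off < end) {
        if ((rc = der_read_tlv(ext, end, &off, &tag, &vlen)) != DER_OK) return rc;
        if (tag == 0x82) {
            if (out->count >= SAN_MAX_NAMES) return DER_TOO_MANY;
            if (vlen >= SAN_MAX_NAME_LEN) return DER_TOO_LONG;   /* would overrun the fixed slot */
            memcpy(out->dns[out->count], ext + off, vlen);
            out->dns[out->count][vlen] = '\0';
            out->count++;
        }
        off += vlen;
    }
    return DER_OK;
}

/* Validate the contents of a BIT STRING (bytes after the 0x03 tag and length): the first
 * octet counts unused bits in the last octet and must be 0..7 (and 0 if no data follows). */
static int der_check_bit_string(const uint8_t *val, size_t vlen, size_t *nbits)
{
    if (vlen == 0) return DER_TRUNCATED;
    if (val[0] > 7 || (vlen == 1 && val[0] != 0)) return DER_BAD_LENGTH;
    *nbits = (vlen - 1) * 8 - val[0];
    return DER_OK;
}

/* Constructed samples (not taken from any real certificate). */
static const uint8_t GOOD_SAN[] = {
    0x30, 0x1e,
    0x82, 0x0b, 'e','x','a','m','p','l','e','.','c','o','m',
    0x82, 0x0f, 'w','w','w','.','e','x','a','m','p','l','e','.','c','o','m'
};
/* A dNSName claiming 127 bytes inside a 5-byte SEQUENCE: an unchecked parser would read past the end. */
static const uint8_t BAD_SAN[]   = { 0x30, 0x05, 0x82, 0x7f, 'a', 'b', 'c' };
static const uint8_t GOOD_BITS[] = { 0x06, 0x6e, 0x5d, 0xc0 };   /* 18 bits, 6 unused */
static const uint8_t BAD_BITS[]  = { 0x08, 0x00 };               /* 8 unused bits is invalid */

int main(void)
{
    san_names_t names;
    size_t nbits = 0;
    int rc = parse_san_dns(GOOD_SAN, sizeof GOOD_SAN, &names);
    printf("good SAN: rc=%d count=%zu first=%s\n", rc, names.count, names.dns[0]);
    printf("bad SAN:  rc=%d\n", parse_san_dns(BAD_SAN, sizeof BAD_SAN, &names));
    rc = der_check_bit_string(GOOD_BITS, sizeof GOOD_BITS, &nbits);
    printf("good bits: rc=%d nbits=%zu\n", rc, nbits);
    printf("bad bits:  rc=%d\n", der_check_bit_string(BAD_BITS, sizeof BAD_BITS, &nbits));
    return 0;
}
```

The property that matters is the one der_read_tlv enforces on every call: the caller never sees a value whose declared length runs past the buffer, and the SAN walker passes the SEQUENCE end, not the whole buffer, as the limit for inner elements, so a length that is valid for the outer buffer but escapes its enclosing SEQUENCE is also rejected.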

Raucous Ruckus router ruckus roundly rumbles: Infosec bod says Wi-Fi kit...

Web UI bugs found, patches due to arrive

Enterprise wireless hotspots from Ruckus can be trivially crashed and their login systems bypassed, Tripwire researchers warn. Ruckus confirmed there are flaws in its access points while playing down the seriousness of the bugs. Tripwire followed up a 2014 study into the insecurity of Ruckus routers with a new investigation into the vendor's enterprise-focused wireless routers.

Three blunders involving an authentication bypass, a denial-of-service weakness and an information disclosure flaw were discovered during an audit of the widely used Ruckus H500 access point:

Authentication bypass: All requests to the router's web-based user interface containing a particular string received "200 OK" responses. By creatively adding this string to other requests, it was possible to get back web pages from the user interface intended only for authenticated users.

Denial of service: There is a particular page accessible over HTTP without authentication that, when requested over SSL, causes the management interface to become unavailable. This is a serious issue, since the product relies on HTTP when used as a hotspot, Tripwire warns.

Information disclosure: The device's serial number is exposed by the HTTP server.

Organizations using Ruckus devices may be at risk of compromise, particularly when the access points are used to provide their customers with Wi-Fi access, according to Tripwire bod Craig Young. Ruckus disputes these findings.

The California-based vendor admits that the bugs in the web interface are real but says they are not usually accessible to the public, including hackers.

The internal web server is typically tucked away out of reach, we're told:

"Multiple vulnerabilities were found in the WebGUI interface of Ruckus APs. These vulnerabilities were first reported by Tripwire and Ruckus acknowledges them. The vulnerabilities can be broadly classified into two categories: 1) CSRF exposure, 2) unauthenticated command injection and information retrieval, sometimes causing a denial-of-service attack on the AP. However, Ruckus would like to state that these vulnerabilities are only exploitable when the AP IP and web interface are accessible from external hosts. Most Ruckus APs are deployed in a managed environment where there is a WLAN controller that is managing the APs. In this mode of operation the web interface is not enabled, and in most cases even the IP address of the AP is not reachable from external sources. This prevents these vulnerabilities from getting exploited."

Tripwire contends that intruders to a Ruckus system could run man-in-the-middle attacks against users on the wireless network, opening the door to a wide spectrum of potential attacks. Ruckus contends that the possible harm is limited to crashing systems with externally facing interfaces. "We do acknowledge that in deployments where AP IP and Web interface are accessible from external sources, these vulnerabilities can be exploited causing disruption of service," Ruckus explained. The biz said it was "actively working to close these vulnerabilities with high priority" through patches and updates, offering various workarounds in the meantime. More details on Tripwire's research can be found in a Tripwire blog post. ®

BlackBerry snips Alcatel label off a midrange biz ‘Droid, sells it...

While baking in extra security

BlackBerry today took the wraps off its first phone of the year, the cryptically named DTEK50.

As rumoured, BlackBerry has based its second Android phone on a reference design from TCL, which owns Alcatel, and "security hardened" it with BlackBerry's Android. BlackBerry also confirmed that a monoblock QWERTY Android was on the roadmap. The DTEK50 is basically Alcatel Idol 4, a well-specced phone from Shenzhen-based manufacturing giant TCL, which snapped up the Alcatel brand a decade ago (Alcatel also owns the Palm brand). "It's priced to be a broadly adopted product," said BlackBerry's senior VP of global device sales, Alex Thurber.

BlackBerry has treated the back, so it's not strictly identical. BlackBerry is hoping to bypass consumer apathy by selling through enterprise and security value-added resellers.

Thurber was channel sales guy for security and wireless at Cisco, and had stints at security companies Tripwire and CloudWatch. After years of releasing devices that only used its home-grown system software, BlackBerry launched its first Android device, the "Priv by BlackBerry", last November.

The price of this eye-catching QWERTY slider was too high, at US$699 (£579), company executives later admitted.
In the second quarter of this year, BlackBerry sold fewer phones than it did in the same period last year – before it had an Android in its portfolio.
So value is something the DTEK50 attempts to fix. The lightweight 135g DTEK50 is priced at US$299 (£275) with a $60 battery pack thrown in.
It packs a midrange Snapdragon 617, 3GB of RAM, 16GB of storage and a 5.2-inch HD display.

The 2610 mAh non-removable battery supports rapid charging.

There's a convenience key that can be programmed to an app, such as the camera, or an action.

[Image: Spot the difference: BlackBerry DTEK50 (left) and Alcatel Idol 4 (right)]

BlackBerry's value add comes in two parts: security and productivity features.

The former includes using a security-hardened Linux kernel with "improved random number" generation (which we hope BB hasn't screwed up) and certificate pinning, plus proprietary hardware that creates a "root of trust." This presumably means baked-in crypto keys that are used to provide a secure boot sequence, which cryptographically checks that all the system components are legitimate and untampered. All data is stored encrypted, and the device has yet to be rooted.

BlackBerry also offers "rapid" security patches to close up bugs. "There's a misconception that iOS is better at security. Three times more vulnerabilities have been posted to the National Vulnerability Database for iOS than for Android," said David Kleidermacher, BlackBerry chief security officer, adding in breaches of iMessage and iCloud for good measure. "And it took three months for the vulnerability to be corrected."

On top of that, BlackBerry packs its Hub email client-cum-notifications aggregator, a unified device search, its distinctive soft keyboard, and a few user-level apps: its own Calendar, Contacts, Tasks, and Notes, along with a Password store and BlackBerry's DTEK security manager, which was repurposed for the phone name.

DTEK is supposed to alert you when an app unexpectedly starts taking photos or videos, switches on the microphone, sends text messages, accesses your contacts and files, or requests your physical location. At launch, the Priv ran hot, and couldn't take advantage of Marshmallow's security features, but it is steadily improving. You can get an idea from these screengrabs of the default Priv. So. Why the cryptic name? "It's a reflection of our commitment to securing the BlackBerry experience," according to the company's head of design, Scott Wenger. Shipments begin on August 9, and we should have a real hands-on in the next day or two. ®

Hackers steal millions from ATMs using ‘just their smartphones’

Cyber-robbers flee Taiwan with swag swiped from 'malware-infected machines'

Authorities in Taiwan are trying to work out how hackers managed to trick a network of bank ATMs into spitting out millions. Police suspect that two Russian nationals wearing masks cashed out dozens of ATMs operated by Taiwan's First Bank on Sunday and left the country the following day.

The crooks stole an estimated T$70m ($2.2m) hours after a typhoon battered the region around Taipei, the Taiwanese capital. The two (or perhaps at least three) crooks behind the theft didn't use bank cards, judging from security camera footage.
Instead, the cybercriminals appeared to gain control of the machines with a "connected device," possibly a smartphone, according to police. Targeted ATMs were made by German manufacturer Wincor Nixdorf, which admits some of its machines in Taiwan were hacked as part of a "premeditated attack." Three different (unspecified) strains of malware were found on the compromised machines. First Bank and other Taiwanese banks suspended withdrawals from their ATMs as a precaution following the attack, pending inspections to determine whether any cyber-tampering took place.

Security experts have already come up with some theories to explain how the systematic hack might have been pulled off. Craig Young, a security researcher in the Vulnerability and Exposures Research Team at security tools firm Tripwire, said: "It may be that attackers have found another ATM jackpotting technique like the ones demonstrated by Barnaby Jack at Black Hat USA 2010. These attacks used malware to reprogram the machine so that a button sequence would dispense cash. Some ATMs have network management systems with well-known default passwords, and in many cases thieves access USB ports to load malware from a flash drive. From the description, it sounds like these thieves likely had installed malware ahead of time, enabling a wireless connection to 'jackpot' the ATMs. It is also possible that a vulnerable wireless service could allow unauthorized access from hackers." ®

Unpatched Software and the Rising Cost of Breaches: Security Reports

Reports released this week found that outdated versions of Flash and Java are common, mobile apps are still insecure and data breaches hurt consumer confidence.

This past week was another busy week for security research and statistical reports covering a diverse array of topics including phone fraud, patching levels, mobile apps and distributed denial-of-service (DDoS) costs. Duo Security in a May 10 report found that 25 percent of all Windows devices are running outdated and unsupported versions of Internet Explorer.

Examining the update status for the major browsers, Duo Security found that Google's Chrome browser is the best, with 82 percent of users up-to-date.
In contrast, only 66 percent of Firefox browser users are running the latest version, which is still better than Microsoft's Edge and Internet Explorer 11 users at a 58 percent update rate. Beyond just the browser, plug-ins are also out-of-date on the majority of systems.

Duo Security reported that 72 percent of the systems it surveyed were running an outdated version of Java, while 60 percent were running an out-of-date version of Flash.

IT Confidence

Tripwire in a May 11 study examined IT professionals' confidence in their data breach detection skills.

The report reveals contradictory results about how IT professionals view their security response readiness for a potential incident. Somewhat aligned with Duo Security's findings, Tripwire's research showed that not all organizations are patching all systems quickly.
In fact, 40 percent of organizations polled admitted to applying less than 80 percent of patches successfully. Tripwire found that 92 percent of respondents indicated that their organization's vulnerability scanning systems would generate an alert within minutes or hours if an unauthorized device was discovered on the network.
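Two of the Tripwire findings in this section, alerting when an unauthorized device appears on the network and detecting file access attempts made without the appropriate privileges, are easier to reason about with concrete records. The Python below is an added example and not code from Tripwire or from the survey: the DHCP lease export and the auditd lines are constructed, the asset inventory is keyed by MAC address by assumption (a real one would also carry switch port, certificate or agent identity), and one key=value tokeniser serves both checks. It reports unknown devices together with the share of observed devices the inventory already knew about, which is the visibility figure the survey asks respondents about, and it correlates auditd SYSCALL and PATH records to list opens that failed with EACCES.

```python
"""Two checks behind the Tripwire findings: unknown devices versus an asset inventory
(and the resulting visibility ratio), and file-access attempts denied for lack of
privilege, taken from auditd SYSCALL/PATH records. All input below is constructed."""
import shlex
from collections import defaultdict

EACCES = -13  # errno reported in auditd's exit= field for "permission denied" on Linux


def kv(line):
    """Tokenise a key=value record; quoted values (exe="/usr/bin/cat") keep their spaces."""
    fields = {}
    for token in shlex.split(line):
        name, sep, value = token.partition("=")
        if sep:
            fields[name] = value
    return fields


# Constructed DHCP lease export, one lease per line (not any vendor's real format).
LEASES = """\
ip=10.0.1.10 mac=00:11:22:33:44:01 host=ws-finance-01
ip=10.0.1.11 mac=00:11:22:33:44:02 host=ws-finance-02
ip=10.0.1.12 mac=00:11:22:33:44:03 host=printer-3f
ip=10.0.1.40 mac=dc:a6:32:00:9b:7e host=raspberrypi
ip=10.0.1.41 mac=00:11:22:33:44:05 host=ws-hr-01
"""

# Constructed asset inventory; MAC address is assumed to be the identity of record.
INVENTORY = {
    "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03",
    "00:11:22:33:44:05", "00:11:22:33:44:09",  # last one is registered but offline
}


def find_unknown_devices(lease_text, inventory):
    """Return (unknown_leases, visibility) where visibility is the share of devices seen
    on the wire that the inventory already knew about."""
    seen = [kv(line) for line in lease_text.splitlines() if line.strip()]
    unknown = [lease for lease in seen if lease["mac"].lower() not in inventory]
    visibility = (len(seen) - len(unknown)) / len(seen) if seen else 1.0
    return unknown, visibility


# Constructed auditd records for two openat() calls under a watch rule keyed "etc_files":
# the first is denied with EACCES, the second succeeds.
AUDIT = """\
type=SYSCALL msg=audit(1463000000.101:4567): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1c2e3a40 a2=0 a3=0 items=1 ppid=2201 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="etc_files"
type=PATH msg=audit(1463000000.101:4567): item=0 name="/etc/shadow" inode=1311 dev=fd:00 mode=0100000 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1463000000.250:4568): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2e3a40 a2=0 a3=0 items=1 ppid=2201 pid=2346 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="etc_files"
type=PATH msg=audit(1463000000.250:4568): item=0 name="/etc/passwd" inode=1310 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""


def find_denied_access(audit_text):
    """Correlate SYSCALL and PATH records by audit event id and return the attempts that
    failed with EACCES as (uid, exe, path) tuples."""
    events = defaultdict(dict)
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        rec = kv(line)
        event_id = rec["msg"]  # "audit(timestamp:serial):" is shared by all records of one event
        if rec["type"] == "SYSCALL":
            events[event_id]["syscall"] = rec
        elif rec["type"] == "PATH":
            # First PATH item only; open() of an existing file produces exactly one.
            events[event_id].setdefault("path", rec["name"])
    denied = []
    for event in events.values():
        sc = event.get("syscall")
        if sc and sc.get("success") == "no" and int(sc.get("exit", "0")) == EACCES:
            denied.append((int(sc["uid"]), sc["exe"], event.get("path", "?")))
    return denied


if __name__ == "__main__":
    unknown, visibility = find_unknown_devices(LEASES, INVENTORY)
    for lease in unknown:
        print(f"ALERT unknown device {lease['mac']} ({lease['host']}) at {lease['ip']}")
    print(f"inventory visibility: {visibility:.0%}")
    for uid, exe, path in find_denied_access(AUDIT):
        print(f"ALERT uid={uid} {exe} denied access to {path}")
```

On the constructed input the Raspberry Pi is the one lease the inventory cannot account for, so visibility is 80 percent, exactly the threshold the survey uses; the audit correlation flags only the failed open of /etc/shadow and ignores the successful read of /etc/passwd.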

That said, 77 percent admitted that they can only automatically discover 80 percent or less of the devices on their networks, which means there is a visibility gap. Additionally, 29 percent of organizations are unable to detect all file access attempts that are made without the appropriate privileges, according to Tripwire.

Security Costs

A number of studies looked at security-related costs due to vulnerabilities and breaches.

FireEye released its data breach cost report on May 10, revealing that 76 percent of respondents would likely take their business away from a vendor that had demonstrated negligent data handling practices. The study also found that more than half (52 percent) of consumers would consider paying a premium for a product or service in order to get better data security.

The same percentage of consumers also noted that security is an important buying consideration for products and services. Emerson Network Power in a May 12 report provided insight into DoS-related costs.

The report found that from 2010 to 2015, DoS attack frequency increased by 59 percent.

For 2015, Emerson Network Power reported that a total outage DoS attack had an average cost of $610,300 while attacks that did not result in a total outage had an average cost of $36,800. Pindrop in a May 10 report examined the state of phone fraud and its related costs.

Among the top findings of the report is that in 2015 an average of $0.65 was lost to fraud per call.

As such, Pindrop estimates that a call center that receives 40 million calls per year could lose as much as $27 million a year to phone fraud.

Mobile App Security

Mobile security vendor Wandera published a report this past week on the security of 10 top enterprise apps. Shockingly, Wandera found that all 10 apps analyzed were vulnerable to at least three of the OWASP (Open Web Application Security Project) top 10 mobile risks.

In summary, out-of-date versions of Flash and Java are still common, phone fraud is a costly problem, mobile apps are still insecure and data breaches impact the confidence of consumers. Most of the results weren't surprising, given the trends that have been common in the past few years, but once again, seeing data provides a degree of validation that the trends are real.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.