
Top Cyber Attacks of 2020

With so much of the world transitioning to working, shopping, studying, and streaming online during the coronavirus pandemic, cybercriminals now have access to a larger base of potential victims than ever before.

“Zoombomb” became the new photobomb—hackers would gain access to a private meeting or online class hosted on Zoom and shout profanities and racial slurs or flash pornographic images. Nation-state hacker groups mounted attacks against organizations involved in the coronavirus pandemic response, including the World Health Organization and Centers for Disease Control and Prevention, some in an attempt to politicize the pandemic.

Even garden-variety cyber attacks like email phishing, social engineering, and refund theft took on a darker flavor in response to the widespread economic precarity brought on by the pandemic.

“Hackers were mostly trying to take advantage of people’s fear by offering medical equipment like thermometers and masks for cheap, low-rate loan offers and fake government emails,” said Mark Adams, a cybersecurity analyst and subject matter expert for Springboard’s new Cyber Security Career Track. “You know, the kinds of emails that say you owe X amount in back taxes and you will be arrested if you do not respond to this email today!”

Here’s a closer look at some of the biggest cyberattacks of 2020.

Attack 1: Fraudulent unemployment claims rise in response to the pandemic

Unemployment claims soared to a record high of nearly 23 million claims filed in May, shortly after most U.S. states instituted lockdowns to prevent the spread of the coronavirus. Two months later, the FBI reported a spike in fraudulent unemployment claims from hackers who had stolen taxpayers’ personally identifiable information and filed for unemployment insurance while impersonating the victim.

“Tax scams tend to rise during tax season or during times of crisis, and scam artists are using the pandemic to try stealing money and information from honest taxpayers,” IRS Commissioner Chuck Rettig said in a statement.

Criminals steal this information in different ways, such as purchasing stolen personal data on the dark web, sending email phishing scams, cold-calling the victims in an impersonation scam by pretending to be an IRS agent or bank representative, or accessing the data from a previous data breach or computer intrusion.

Each year, the IRS publishes a list called the Dirty Dozen, enumerating tax- and non-tax-related scams taxpayers should watch out for. In January, a U.S. resident was jailed for using information leaked through a data breach at a payroll company to file a fraudulent tax return worth $12 million.

For national security reasons, government agencies tend to be less forthcoming about data breaches than private companies, said Adams.

“If people think your agency is vulnerable then more people will try [to hack you],” said Adams. “It only takes one massive event to make it look like you don’t have your act together.”

Attack 2: T-Mobile breach exposes sensitive customer data—twice

In December, T-Mobile revealed that it had been hacked once again, the fourth incident in three years.

Companies that are repeat offenders for weak cybersecurity infrastructure often make a conscious choice to forgo extra protections because it’s more cost-effective to pay the fines levied by the Federal Trade Commission in the event of a breach, according to Adams. It’s unclear if T-Mobile is one of them.

“Some companies, including banks, do a cost/benefit analysis,” he said. “In some cases, it’s cheaper to take the hit. Slap us on the wrist so we can move on.”

The first T-Mobile attack of 2020 was confirmed in March 2020, when a cybercriminal gained access to employee email accounts and stole data on T-Mobile employees and some of its customers. For some users, “social security numbers, financial account information and government identification numbers” were stolen, while others simply had their account information seized.

The second attack was limited to what the FCC regards as “customer proprietary network information,” such as phone numbers, the number of lines associated with the account, and information about calls placed. T-Mobile was careful to mention that the breach affected just 0.2% of its 100 million-strong customer base, which still equates to about 200,000 people. Stealing customer metadata (information about a customer’s transaction history that doesn’t personally identify them) does not enable a hacker to steal your identity or seize money from your bank account, but they can use this information in conjunction with another scheme.

For example, they can launch coordinated phishing attacks and phone scams. Social engineering refers to the practice of using verbal manipulation to coerce a victim into divulging their personal information. These methods become more convincing when a hacker has detailed information on you, such as your transaction history, making them seem like a legitimate call center representative.

Attack 3: Hackers try to meddle with the coronavirus pandemic response

In April, hackers targeted top officials who were working on the global response to the pandemic. While the World Health Organization itself wasn’t hacked, employee passwords were leaked through other websites. Many of the attacks were phishing emails to lure WHO staff into clicking on a malicious link in an email that would download malware onto their device.

Users of internet forum 4chan, which is now a breeding ground for alt-right groups, circulated over 2,000 passwords they claimed were linked to WHO email accounts, according to Bloomberg. Details spread to Twitter and other social media sites, where far-right political groups claimed the WHO had been attacked in a bid to undermine the perceived veracity of public health guidelines.

“There is definitely a political aspect to many [cyberattacks] and they will sometimes do it to gain a political advantage or send a message to an adversary,” said Adams. “Or maybe it’s just to put that adversary on the defensive to see how they behave.”

In another example of hackers seizing upon the pandemic zeitgeist, some sent phishing emails impersonating the WHO and urging the general public to donate to a fictitious coronavirus response fund, not the real COVID-19 Solidarity Response Fund.

Attack 4: The FireEye attack that exposed a major breach of the U.S. government

When California-based cybersecurity company FireEye discovered that over 300 of its proprietary cybersecurity products had been stolen, it uncovered a massive breach that had gone undetected for an estimated nine months.

That breach extended to over 250 federal agencies run by the U.S. government, including the U.S. Treasury Department, Energy Department, and even parts of the Pentagon.

But the breach didn’t start with FireEye. The attack began when an IT management software company called SolarWinds was hacked, causing some of its most high-profile customers to be breached, including Fortune 500 corporations like Microsoft, Intel, Deloitte, and Cisco. This domino effect is known as a “supply chain” attack, where the infiltration of one company’s cybersecurity defenses renders all of its customers vulnerable to attack.

Hackers also monitored the internal emails of the U.S. Treasury and Commerce departments, according to Reuters, which broke the news of the cyberattack in mid-December. Government officials and cybersecurity experts say that Russia’s Foreign Intelligence Service, known as SVR, is behind the attacks. Investigators are still piecing together the details of the breach to surmise the hackers’ intentions.

Software companies are prime targets for cyberattacks for two reasons. First, they’re under immense pressure to release new iterations and updates ahead of their competitors, which can mean cutting corners on cybersecurity protections.

“This is something that has plagued the software industry in general for the last twenty to thirty years,” said Adams. “If there are delays in getting that next product or update out it just doesn’t look good because that’s revenue sitting on the table.”

Secondly, attacking a software company enables hackers to breach more victims than if they targeted a single company or government entity. When a software company is hacked, and the breach goes undetected, hackers need only infect a new software update or patch to breach the company’s customers. When the company unwittingly ships the infected software, all of its customers who download it inadvertently install the hacker’s malware onto their systems.

With Springboard’s comprehensive Cyber Security Career Track, you’ll work 1:1 with an industry-mentor to learn key aspects of information technology, security software, security auditing, and finding and fixing malicious code. Learning units include subject-expert approved resources, application-based mini-projects, hands-on labs, and career-search related coursework. Learn more about Springboard’s Cyber Security Career Track here.

New Docker Container Escape Bug Affects Microsoft Azure Functions

Cybersecurity researcher Paul Litvak today disclosed an unpatched vulnerability in Microsoft Azure Functions that could be used by an attacker to escalate privileges and escape the Docker container used for hosting them.

The findings come as part of Intezer Lab‘s investigations into the Azure compute infrastructure.

Following disclosure to Microsoft, the Windows maker is said to have “determined that the vulnerability has no security impact on Function users, since the host itself is still protected by another defense boundary against the elevated position we reached in the container host.”

Azure Functions, analogous to Amazon AWS Lambda, is a serverless solution that allows users to run event-triggered code without having to provision or manage infrastructure explicitly while simultaneously making it possible to scale and allocate compute and resources based on demand.

By incorporating Docker into the mix, it makes it possible for developers to easily deploy and run Azure Functions either in the cloud or on-premises.

Since the trigger code is an event (e.g., an HTTP request) that is configured to call an Azure Function, the researchers first created an HTTP trigger to gain a foothold over the Function container, using it to find sockets belonging to processes with “root” privileges.

From there, one such privileged process associated with a “Mesh” binary was identified to contain a flaw that could be exploited to grant the “app” user that runs the above Function root permissions.

While the Mesh binary in itself had little to no documentation to explain its purpose, Intezer researchers found references to it in a public Docker image, which they used to reverse engineer and achieve privilege escalation.

In the final step, the extended privileges assigned to the container (using the “--privileged” flag) were abused to escape the Docker container and run an arbitrary command on the host.

Intezer has also released a proof-of-concept (PoC) exploit code on GitHub to probe the Docker host environment.

“Instances like this underscore that vulnerabilities are sometimes out of the cloud user’s control,” Intezer Labs researchers said. “Attackers can find a way inside through vulnerable third-party software.

“It’s critical that you have protection measures in place to detect and terminate when the attacker executes unauthorized code in your production environment. This Zero Trust mentality is even echoed by Microsoft.”

Warning Issued Over Hackable ADT’s LifeShield Home Security Cameras

Newly discovered security vulnerabilities in ADT’s Blue (formerly LifeShield) home security cameras could have been exploited to hijack both audio and video streams.

The vulnerabilities (tracked as CVE-2020-8101) were identified in the video doorbell camera by Bitdefender researchers in February 2020 before they were eventually addressed on August 17, 2020.

LifeShield was acquired by Florida-based ADT Inc. in 2019, with LifeShield’s DIY home security solutions rebranded as Blue as of January 2020. The company’s products had a 33.6% market share in the U.S. last year.

The security issues in the doorbell camera allow an attacker to

  • Obtain the administrator password of the camera by simply knowing its MAC address, which is used to identify a device uniquely
  • Inject commands locally to gain root access, and
  • Access audio and video feeds using an unprotected RTSP (Real-Time Streaming Protocol) server

The doorbell is designed to periodically send heartbeat messages to “cms.lifeshield.com,” containing information such as the MAC address, SSID, local IP address, and the wireless signal strength. The server, in return, responds with an authentication message that can be trivially bypassed by crafting a fake request by using the device’s MAC address.

“The server seems to ignore the token and checks only the MAC address when sending a response,” the researchers noted, adding “the password for the administrator can be obtained by decoding the base64 authorization header received in this request.”

Armed with this admin access to the camera’s web interface, the attacker can leverage an HTTP interface that’s vulnerable to command injection and obtain root access.

Lastly, the researchers also found that an unsecured RTSP server sans any credentials could be exploited to access the video stream at “rtsp://10.0.0.108:554/img/media.sav” using any media player such as VLC.

While patches have been applied to the production servers and all the 1,500 affected devices, with no easy way to confirm if the camera users installed the firmware updates, Bitdefender chose to delay public disclosure by more than five months.

“Customers have security choices when it comes to securing their smart homes or small businesses,” the researchers said.

“Carefully researching IoT vendors for security update policies to their products, changing default passwords, separating IoTs into different subnetworks, and even regularly checking for firmware updates are only a handful of practical and hands-on security tips that anyone can adhere to.”

New Attack Could Let Remote Hackers Target Devices On Internal Networks

A newly devised variant of the NAT Slipstreaming attack can be leveraged to compromise and expose any device in an internal network, according to the latest research.

Detailed by enterprise IoT security firm Armis, the new attack (CVE-2020-16043 and CVE-2021-23961) builds on the previously disclosed technique to bypass routers and firewalls and reach any unmanaged device within the internal network from the Internet.

First disclosed by security researcher Samy Kamkar in late October 2020, the JavaScript-based attack relied on luring a user into visiting a malicious website to circumvent browser-based port restrictions and allow the attacker to remotely access TCP/UDP services on the victim’s device, even those that were protected by a firewall or NAT.

Although partial mitigations were released on November 11 to thwart the attack in Chrome 87, Firefox 84, and Safari by preventing connections on port 5060 or 5061, Armis researchers Ben Seri and Gregory Vishnipolsky revealed that “NAT Slipstreaming 2.0” puts “embedded, unmanaged, devices at greater risk, by allowing attackers to expose devices located on internal networks, directly to the Internet.”

Vulnerable devices that could be potentially exposed as a consequence of this attack include office printers, industrial controllers, IP cameras, and other unauthenticated interfaces that could be exploited once the NAT/firewall is tricked into opening network traffic to the victim device.

“Using the new variant of the NAT Slipstreaming attack to access these types of interfaces from the Internet, can result in attacks that range from a nuisance to a sophisticated ransomware threat,” the researchers said.

Google, Apple, Mozilla, and Microsoft have all released patches to Chrome (v87.0.4280.141), Safari (v14.0.3), Firefox (v85.0), and Edge (v87.0.664.75) browsers to address the new attack.

Using H.323 Packets to facilitate NAT Slipstreaming

Put simply, NAT Slipstreaming allows a bad actor to bypass NAT/firewall and remotely access any TCP/UDP service bound to a victim machine as a result of the target visiting a malware-infected website specially crafted for this purpose.

Particularly, the malicious JavaScript code running on the victim’s browser extracts the internal IP address and takes advantage of TCP/IP packet segmentation to create large TCP/UDP beacons and subsequently smuggle a Session Initiation Protocol (SIP) packet containing the internal IP address inside an outbound HTTP POST request via TCP port 5060.

“This is achieved by carefully setting the [Maximum Segment Size] value of an attacker controlled TCP connection from the victim browser to an attacker’s server, so that a TCP segment in the ‘middle’ of the HTTP request will be entirely controlled by the attacker,” the researchers explained.

As a consequence, this causes the NAT application-level gateway (ALG) to open arbitrary ports for inbound connections to the client’s device via the internal IP address.

NAT Slipstreaming 2.0 is similar to the aforementioned attack in that it uses the same approach but relies on H.323 VoIP protocol instead of SIP to send multiple fetch requests to the attacker’s server on H.323 port (1720), thereby allowing the attacker to iterate through a range of IP addresses and ports, and opening each one of them to the Internet.

“A long lasting solution, unfortunately, would require some [overhaul] of the Internet infrastructure we’re accustomed to,” the researchers concluded.

“It is important to understand that security was not the principal agenda for the creation of NATs, rather it was mainly a by-product of the potential exhaustion of IPv4 addresses. Legacy requirements such as ALGs are still a dominant theme in the design of NATs today, and are the primary reason bypassing attacks are found again and again.”

Beware — A New Wormable Android Malware Spreading Through WhatsApp

A newly discovered Android malware has been found to propagate itself through WhatsApp messages to other contacts in order to expand what appears to be an adware campaign.

“This malware spreads via victim’s WhatsApp by automatically replying to any received WhatsApp message notification with a link to [a] malicious Huawei Mobile app,” ESET researcher Lukas Stefanko said.

The link to the fake Huawei Mobile app, upon clicking, redirects users to a lookalike Google Play Store website.

Once installed, the wormable app prompts victims to grant it notification access, which is then abused to carry out the wormable attack.

Specifically, it leverages WhatsApp’s quick reply feature — which is used to respond to incoming messages directly from the notifications — to send out a reply to a received message automatically.

Besides requesting permissions to read notifications, the app also requests intrusive access to run in the background as well as to draw over other apps, meaning the app can overlay any other application running on the device with its own window that can be used to steal credentials and additional sensitive information.

The functionality, according to Stefanko, is to trick users into falling for an adware or subscription scam.

Furthermore, in its current version, the malware code is capable of sending automatic replies only to WhatsApp contacts — a feature that could be potentially extended in a future update to other messaging apps that support Android’s quick reply functionality.

While the message is sent only once per hour to the same contact, the contents of the message and the link to the app are fetched from a remote server, raising the possibility that the malware could be used to distribute other malicious websites and apps.

“I don’t remember reading and analyzing any Android malware having such functionality to spread itself via whatsapp messages,” Stefanko told The Hacker News.

Stefanko said the exact mechanism behind how it finds its way to the initial set of directly infected victims is not clear; however, it’s to be noted the wormable malware can potentially expand from a few devices to many others incredibly quickly.

“I would say it could be via SMS, mail, social media, channels/chat groups etc,” Stefanko said.

If anything, the development once again underscores the need to stick to trusted sources to download third-party apps, verify if an app is indeed built by a genuine developer, and carefully scrutinize app permissions before installation.

But the fact the campaign cleverly banks on the trust associated with WhatsApp contacts implies even these countermeasures may not be enough.

Using the Manager Attribute in Active Directory (AD) for Password Resets

Creating workflows around verifying password resets can be challenging for organizations, especially since many have shifted work due to the COVID-19 global pandemic.

With the numbers of cyberattacks against businesses exploding and compromised credentials often being the culprit, companies have to bolster security around resetting passwords on user accounts.

How can organizations bolster the security of password resets for remote workers? One security workflow might involve having manager approval before IT helpdesk technicians can change a remote worker’s password. In this way, the user’s manager is involved in the process.

Additionally, some organizations might opt to allow managers themselves the ability to change end-user passwords. How can this be configured in Active Directory? Also, is there a more seamless solution for requiring manager approval for password resets?

Why password reset security is critical

This past year has undoubtedly created many challenges for IT helpdesk staff, including supporting a workforce made up mainly of remote workers. One of the difficulties associated with remote employees is the security challenge surrounding password resets.

Cybercriminals are increasingly using identity attacks to compromise environments, since these often provide the “path of least resistance” into an environment. If valid credentials are compromised, they are often the easiest means to attack and compromise business-critical data and systems.

With employees working remotely, IT helpdesk technicians supporting account unlock and password changes no longer have a face-to-face interaction with employees working “inside” the on-premises environment.

Organizations may be large enough that IT technicians do not personally know each employee who may be working remotely. This introduces the possibility of an attacker impersonating a legitimate employee and social engineering helpdesk staff into resetting a legitimate account’s password.

Additionally, a compromised end-user client device can lead to illegitimate password resets of end-user accounts.

Recognizing new identity threats facing organizations today, IT admins may want to get managerial approval for employee account password resets. This task may even be delegated to managers of end-users working in their departments. How can password resets by department managers quickly be configured using built-in features in Active Directory?

Delegating password reset permissions in Active Directory

Microsoft Active Directory contains a feature that allows delegating permissions to certain users or groups to carry out very granular tasks. These tasks include password resets. To configure delegation of password reset permissions, you can follow the process below.

Beginning to configure the Delegate Control options in Active Directory

Choosing Delegate Control launches the Delegation of Control Wizard, which first lets you choose the user or group you want to assign permissions to. Here you click Add… to add a user or group. We have already added the group shown below – DLGRP_PasswordReset, a domain local group created in Active Directory. As a best practice, it is always better to use groups for managing permissions delegation: it allows quickly and easily adding or removing specific users without having to go through the permissions delegation wizard each time.

Choose the users and groups who will assume the permissions

On the Tasks to Delegate screen, under Delegate the following common tasks, choose Reset user passwords and force password change at the next logon option. Click Next.

Choosing the Reset user passwords and force password change at next logon option

Finish out the delegation of control wizard.

Complete the Delegation of Control Wizard

Assigning managers to reset passwords

Using the process shown above, administrators can add managers to the group delegated the reset passwords permission. It allows pointing to a specific user or group for delegating permissions to reset passwords.

As mentioned, it is always best practice when creating a permissions delegation in Active Directory to assign this to a group, even if you are delegating permissions to one user. Doing it this way makes the lifecycle management of the permissions delegation much more manageable.

However, the Active Directory group resource is fairly static in this context. Outside of Microsoft Exchange Server and dynamic distribution groups, Active Directory does not have a native way built-in to create dynamic security groups that are populated based on Active Directory attributes.

Is there a way to have dynamic security groups in Active Directory by using a scripted approach? Yes, there is. Using PowerShell with the Get-ADUser cmdlet and a few other Active Directory-related PowerShell cmdlets, you can effectively query Active Directory for users with specific characteristics and then add or remove those users from specific groups.

You can create custom PowerShell scripts to accomplish this. However, a couple of resources can quickly get you up to speed with a customized PowerShell script for adding and removing users from security groups based on user location, attributes, and other features.

Let’s think about a use case related to managerial approval for password resets. Suppose you wanted to grant managers the permissions to reset passwords. In that case, you could do some PowerShell scripting in conjunction with the delegation wizard and have an automated process to add and remove managers from Active Directory into a group configured for password resets.

Notice the following PowerShell resources for this:

Below is an example based on the Windows OSHub code of how you could use PowerShell and search for “Manager” in the title attribute.

CODE

You could schedule the above PowerShell script to run at scheduled intervals with a scheduled task to add or remove users from the group delegated password reset permissions dynamically.
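As an added example (not the Windows OSHub script the article refers to, and not Specops code), the following PowerShell keeps the DLGRP_PasswordReset group from the delegation step in sync with enabled users whose Title attribute contains “Manager”. It assumes the RSAT ActiveDirectory module; the title pattern is an assumption to adjust to your own naming convention.

```powershell
# Added example; assumes the ActiveDirectory RSAT module and the DLGRP_PasswordReset
# group from the article. The '*Manager*' title pattern is an assumption.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupName    = 'DLGRP_PasswordReset',
    [string]$TitlePattern = '*Manager*'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Desired members: enabled users whose Title matches the pattern. Disabled
# accounts drop out automatically, so a departed manager loses the delegated
# reset right on the next run instead of keeping it indefinitely.
$desired = @(Get-ADUser -Filter "Title -like '$TitlePattern' -and Enabled -eq 'True'" |
             Select-Object -ExpandProperty SamAccountName)

# Current direct user members of the group (nested groups are left untouched).
$current = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty SamAccountName)

$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired })

# ShouldProcess makes -WhatIf / -Confirm work for the whole script, so a
# scheduled run can be rehearsed before it touches a privileged group.
if ($toAdd.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($GroupName, "Add members: $($toAdd -join ', ')")) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}

if ($toRemove.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($GroupName, "Remove members: $($toRemove -join ', ')")) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
}

# Summary object, useful when the script runs from a scheduled task with logging.
[pscustomobject]@{
    Group   = $GroupName
    Desired = $desired.Count
    Added   = $toAdd
    Removed = $toRemove
}
```

Run it with -WhatIf first to see which accounts would gain or lose the delegated reset right before scheduling it.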

Specops uReset – A better approach to password reset manager approvals

Specops Software provides a much better automated approach to enable manager approval for password resets. Specops uReset is a fully-featured self-service password reset (SSPR) solution that allows end-users to reset their passwords securely.

Also, with Specops uReset, you can add the ability for Manager Identification. When a user authenticates with Manager Identification, the authentication request is sent to their manager as a text message or email. The user’s manager must then confirm the user’s identity to approve the password reset request.

It dramatically enhances the security of password reset functionality since two people are involved. It also helps to provide a change control workflow for password reset requests and an audit trail.

There are two requirements needed by Specops to use the manager approval:

  • Each user account must have a manager assigned to them in Active Directory.
  • Each manager account must have an email address/mobile phone number associated with their account in Active Directory, to be able to receive authentication requests from users.

To assign a manager using PowerShell to all the Active Directory group members, you can use the following PowerShell code.

Get-ADUser -Filter "department -eq 'Accounting'" | Set-ADUser -Manager jdoe
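To check the two requirements above before enabling Manager Identification, the following added PowerShell (not Specops or Microsoft code) reports users with no manager attribute, managers with neither mail nor mobile populated, and managers whose accounts are disabled. It assumes the ActiveDirectory module; the OU distinguished name is a placeholder.

```powershell
# Added example, not Specops or Microsoft code. Assumes the ActiveDirectory module;
# the search base below is a placeholder to replace with your own OU.
Import-Module ActiveDirectory -ErrorAction Stop

$SearchBase = 'OU=Staff,DC=example,DC=com'   # placeholder

# The manager attribute holds the manager's distinguishedName, so it is fetched
# together with the contact attributes the approval notifications rely on.
$users = @(Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase `
                      -Properties Manager, mail, mobile)

# Requirement 1: every user needs a manager assigned.
$withoutManager = @($users | Where-Object { -not $_.Manager })

# Requirement 2: every manager needs an email address or mobile number.
# Each manager DN is resolved once, even when many users report to them.
# A disabled manager is flagged too, since that account cannot approve anything.
$managerDNs = $users.Manager | Where-Object { $_ } | Sort-Object -Unique
$unreachable = @()
$disabledManagers = @()
foreach ($dn in $managerDNs) {
    $mgr = Get-ADUser -Identity $dn -Properties mail, mobile
    if (-not $mgr.mail -and -not $mgr.mobile) { $unreachable += $mgr }
    if (-not $mgr.Enabled) { $disabledManagers += $mgr }
}

[pscustomobject]@{
    UsersChecked           = $users.Count
    UsersWithoutManager    = $withoutManager.SamAccountName
    ManagersWithoutContact = $unreachable.SamAccountName
    DisabledManagers       = $disabledManagers.SamAccountName
}
```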

In the Specops uReset administration Identity Services configuration, you can configure Manager Identification. You can select between email and text notifications.

Configuring Manager Identification in Specops uReset

Wrapping Up

Securing password resets is a critical area of security organizations need to address for securing remote end-user accounts. While you can use a scripted PowerShell approach to create dynamic Active Directory security groups, it can be problematic to maintain and doesn’t scale very well.

Specops uReset provides an easy way to implement self-service password resets (SSPR) with additional security checks such as manager approval. Using Specops uReset, businesses can easily require managers to approve password reset requests for end-users.

Learn more about Specops uReset self-service password resets with manager approval features.

2021 Top Action Items on Zero Trust

We’re now in a reality that has bad actors coming in through code updates and then moving laterally. Zero Trust began as hype (as all technology does) and evolved to the plateau of productivity in Q4 (also cited in the report), with 20% at least at first-step adoption. 2021 is the year that Zero Trust is simply a must for corporate enterprise.

Realize The Promise Of Zero Trust Network Access Through Zero Trust Network Architecture

“The promise is application level access so you don’t need to provide VPN access into your network which says, “This is your permission,” and hope they don’t move laterally. It is truly containment within an application. That means we can eliminate those things that introduce greater risk. We have vendors who connect to technology. And that’s hard to do securely without zero trust technology.”

Per the CSHub 2020 Q4 Cyber Security Spend & Trends Report, 75% of cyber security executives are operating with a VPN as their front door. Supply chain partners and/or third-party vendors connect through that front door. Once through the front door, lateral movement is a cinch.

Zero Trust Must Not Be A Hurdle For Enablement

“You need a good user experience. So zero trust is actually quite a complex problem once you start digging into that fine granularity and how you actually react to it. There are additional layers and levels you need to get into. And some of it ends up being back in the customer’s journey. You need to ensure that the user can do what the user needs to do.” 

If all they see is hurdles, the business is going to get angry. Before step one, do due diligence. Know how connections of users to their resources occur. Know who needs what. Get your personas straight and get sign-off on that perceived reality from the business leaders in the organization.

Zero Trust Must Not Be A Hurdle For Technology Interoperability 

“To implement it holistically within your environment, you actually might break things such as legacy applications that don’t support these new concepts and principles. You might break business processes that are not necessarily expecting to have these new additional checks and controls prompts throughout the lifecycle of a connection.”

Although most CISOs are extremely familiar with the current tech stack, Zero Trust ‘treats’ technology differently. Know what will happen, and fix the points of confluence before they break.

Step One of Zero Trust For The Enterprise

“Part of it is dependent upon funding of course. There are things we’d like to do and other things that may not be possible. Some of the things that we know we’re going to pursue are around adaptive authentication. We’re in a more remote work environment. It is imperative to write policies that make it not cumbersome for your users but allow for an appropriate scaling up of the level of authentication based upon behavioral type of analysis, geolocation, etc. We do have some licensing for zero trust application layer access, so we’re going to be dipping our first toe in the water in that technology. We bought a small quantity of licenses just to go through some use cases and justify that with the business.”

Take the Zero Trust step that can be taken with the current budget. Ensure that authentication scales up with risk while staying easy to use.
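The adaptive authentication described above (scaling the required level of authentication up with behavioral and geolocation signals, while leaving low-risk logins frictionless) can be expressed as a small policy engine. The following is an added example, not code from the article or from any vendor it mentions; the signal names, weights, thresholds and the sample user profile are constructed assumptions for illustration.

```python
"""Risk-based step-up authentication policy (added example; all weights,
thresholds, signal names and sample data are assumptions, not from the article)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Risk contributed by each signal (assumed values).
WEIGHTS = {
    "unknown_device": 40,      # device never seen for this user
    "unusual_country": 35,     # country outside the user's usual set
    "unusual_hour": 15,        # login outside the user's usual working hours
    "impossible_travel": 50,   # country changed too quickly since last login
}

# Score thresholds that select the authentication level (assumed values).
LEVELS = [
    (0, "password"),                 # low risk: keep the experience frictionless
    (30, "password+otp"),            # medium risk: step up to a second factor
    (70, "password+security_key"),   # high risk: require a phishing-resistant factor
]
DENY_AT = 120                        # above this, refuse and alert instead of prompting
IMPOSSIBLE_TRAVEL_WINDOW = 3600      # seconds; two countries within an hour is suspicious


@dataclass
class UserProfile:
    user: str
    known_devices: List[str]
    usual_countries: List[str]
    usual_hours_utc: range
    last_country: str
    last_login_epoch: float


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    epoch: float
    hour_utc: int


def assess_risk(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Sum the weights of every signal that fires and return the reasons for audit logs."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        score += WEIGHTS["unusual_country"]
        reasons.append("unusual_country")
    if attempt.hour_utc not in profile.usual_hours_utc:
        score += WEIGHTS["unusual_hour"]
        reasons.append("unusual_hour")
    if (attempt.country != profile.last_country
            and attempt.epoch - profile.last_login_epoch < IMPOSSIBLE_TRAVEL_WINDOW):
        score += WEIGHTS["impossible_travel"]
        reasons.append("impossible_travel")
    return score, reasons


def required_auth(score: int) -> str:
    """Map a risk score to the strongest level whose threshold it reaches."""
    if score >= DENY_AT:
        return "deny"
    level = LEVELS[0][1]
    for threshold, name in LEVELS:
        if score >= threshold:
            level = name
    return level


def decide(profile: UserProfile, attempt: LoginAttempt) -> Dict[str, object]:
    """Policy decision the login flow would enforce; reasons feed the SOC's audit trail."""
    score, reasons = assess_risk(profile, attempt)
    return {"user": attempt.user, "score": score, "reasons": reasons,
            "auth": required_auth(score)}


# Constructed sample profile: Alice normally logs in from one laptop in DE, 07:00-19:59 UTC.
ALICE = UserProfile("alice", ["laptop-1"], ["DE"], range(7, 20), "DE", 1_700_000_000.0)


def demo() -> List[str]:
    """Run four constructed attempts of increasing risk and return the required auth levels."""
    attempts = [
        LoginAttempt("alice", "laptop-1", "DE", 1_700_003_600.0, 9),   # routine login
        LoginAttempt("alice", "phone-9", "DE", 1_700_003_600.0, 9),    # new device only
        LoginAttempt("alice", "phone-9", "US", 1_700_259_200.0, 12),   # new device, new country, days later
        LoginAttempt("alice", "phone-9", "US", 1_700_000_600.0, 3),    # everything at once, 10 min after DE login
    ]
    return [str(decide(ALICE, a)["auth"]) for a in attempts]


if __name__ == "__main__":
    for a, level in zip(range(1, 5), demo()):
        print(f"attempt {a}: {level}")
```

Keeping the weights and thresholds in data rather than code lets the policy be tuned with the business (the sign-off the article asks for) without redeploying the login flow, and the returned reasons give the SOC something to investigate when a step-up or denial is triggered.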

Next Step For Zero Trust For The Enterprise

“If you get Zero Trust matured, it’s going to help you in so many other ways. It’ll eliminate some of your current threats and mitigate others. If access to data is privileged and based on identity, lateral movement becomes much more difficult.”

The next step is closing the doors that are open. And opening only the doors that need opening by the people that need to be opening them. This establishes a perimeter of one, confining lateral movement.

Maturing Zero Trust For The Enterprise

“There are different levels of maturity within Zero Trust and Zero Trust solutions. We all should be assuming that a bad actor is already inside your organization. We all should be understanding that we are operating in an untrusted ecosystem, both inside and outside. So the best solution from a Zero Trust perspective has to be detecting all anomalies, all signals that are coming from the devices, the assets, the applications, and the users. The chosen solution has to understand the status of the network and gain a very dynamic threat assessment prior to granting access to the data or to the infrastructure.”

The task is not an easy one. Find an overtly dynamic yet light-weight solution which enables business while providing heightened security with current system interoperability within a realistic budget.

One last action point: join us at our Secure Access Summit or Secure Access Summit APAC!


Apple Warns of 3 iOS Zero-Day Security Vulnerabilities Exploited in the Wild

Apple on Tuesday released updates for iOS, iPadOS, and tvOS with fixes for three security vulnerabilities that it says may have been actively exploited in the wild.

Reported by an anonymous researcher, the three zero-day flaws — CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871 — could have allowed an attacker to elevate privileges and achieve remote code execution.

The iPhone maker did not disclose how widespread the attack was or reveal the identities of the attackers actively exploiting them.

While the privilege escalation bug in the kernel (CVE-2021-1782) was noted as a race condition that could cause a malicious application to elevate its privileges, the other two shortcomings — dubbed a “logic issue” — were discovered in the WebKit browser engine (CVE-2021-1870 and CVE-2021-1871), permitting an attacker to achieve arbitrary code execution inside Safari.

Apple said the race condition and the WebKit flaws were addressed with improved locking and restrictions, respectively.

While exact details of the exploit leveraging the flaws are unlikely to be made public until the patches have been widely applied, it wouldn’t be a surprise if they were chained together to carry out watering hole attacks against potential targets.

Such an attack would involve delivering the malicious code simply by visiting a compromised website that then takes advantage of the aforementioned vulnerabilities to escalate its privileges and run arbitrary commands to take control of the device.

The updates are now available for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation), as well as Apple TV 4K and Apple TV HD.

News of the latest zero-days comes after the company resolved three actively exploited vulnerabilities in November 2020 and a separate zero-day bug in iOS 13.5.1 that was disclosed as used in a cyberespionage campaign targeting Al Jazeera journalists last year.


TikTok Bug Could Have Exposed Users’ Profile Data and Phone Numbers

Cybersecurity researchers on Tuesday disclosed a now-patched security flaw in TikTok that could have potentially enabled an attacker to build a database of the app’s users and their associated phone numbers for future malicious activity.

Although this flaw only impacts those users who have linked a phone number with their account or logged in with a phone number, a successful exploitation of the vulnerability could have resulted in data leakage and privacy violation, Check Point Research said in an analysis shared with The Hacker News.

TikTok has deployed a fix to address the shortcoming following responsible disclosure from Check Point researchers.

The newly discovered bug resides in TikTok’s “Find friends” feature that allows users to sync their contacts with the service to identify potential people to follow.

The contacts are uploaded to TikTok via an HTTP request in the form of a list that consists of hashed contact names and the corresponding phone numbers.

The app, in the next step, sends out a second HTTP request that retrieves the TikTok profiles connected to the phone numbers sent in the previous request. This response includes profile names, phone numbers, photos, and other profile related information.

While the upload and sync contact requests are limited to 500 contacts per day, per user, and per device, Check Point researchers found a way to get around the limitation by getting hold of the device identifier, the session cookies set by the server, and a unique token called “X-Tt-Token” that’s set when logging into the account with SMS, and then simulating the whole process from an emulator running Android 6.0.1.

It’s worth noting that in order to request data from the TikTok application server, the HTTP requests must include X-Gorgon and X-Khronos headers for server verification, which ensures that the messages are not tampered with.

But by modifying the HTTP requests — the number of contacts the attacker wants to sync — and re-signing them with an updated message signature, the flaw made it possible to automate the procedure of uploading and syncing contacts on a large scale and create a database of linked accounts and their connected phone numbers.
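The defensive lesson of the paragraphs above is that a request signature proves the message was not tampered with in transit, but it says nothing about how many contacts an authenticated client may sync, and a quota keyed on a client-supplied device identifier can be reset simply by presenting a different identifier. The example below is added here and is not TikTok’s code or Check Point’s; the header names (X-Timestamp, X-Signature, X-Session-Token), the shared signing key, the session table and the contact payloads are constructed assumptions that stand in for the timestamp-plus-signature pattern the article describes. It goes slightly beyond the article by showing the same endpoint with the quota keyed on the device identifier and on the server-side account, so the difference can be observed.

```python
"""Contact-sync endpoint with HMAC request signing and a daily contact quota
(added example; header names, key, session table and payloads are assumptions)."""
import hashlib
import hmac
import json
from collections import defaultdict
from typing import Dict, Tuple

SIGNING_KEY = b"constructed-demo-key"   # assumption: secret shared by app and server
DAILY_CONTACT_QUOTA = 500               # the per-day limit the article reports
MAX_SKEW_SECONDS = 300                  # reject stale or replayed timestamps


def sign(body: bytes, timestamp: int) -> str:
    """HMAC-SHA256 over timestamp and body: the integrity check a signature header carries."""
    return hmac.new(SIGNING_KEY, str(timestamp).encode() + b"." + body,
                    hashlib.sha256).hexdigest()


def verify(body: bytes, headers: Dict[str, str], now: int) -> bool:
    """Integrity and freshness only; a valid signature does not limit volume."""
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(body, ts), headers.get("X-Signature", ""))


class ContactSyncService:
    """Minimal server. `quota_key` is "device" (client-supplied id, weak) or
    "account" (server-side session identity, the hardened form)."""

    def __init__(self, quota_key: str):
        self.quota_key = quota_key
        self.used = defaultdict(int)              # (key, day) -> contacts synced today
        self.sessions = {"tok-alice": "alice"}    # constructed session-token table

    def sync(self, headers: Dict[str, str], body: bytes, now: int) -> Dict[str, object]:
        if not verify(body, headers, now):
            return {"status": 401, "error": "bad signature"}
        account = self.sessions.get(headers.get("X-Session-Token", ""))
        if account is None:
            return {"status": 401, "error": "no session"}
        payload = json.loads(body)
        contacts = payload["contacts"]
        day = now // 86400
        # Weak: the quota key comes from the request body, so the client chooses it.
        # Hardened: the key is the account the server itself resolved from the session.
        key = (payload["device_id"], day) if self.quota_key == "device" else (account, day)
        if self.used[key] + len(contacts) > DAILY_CONTACT_QUOTA:   # count contacts, not requests
            return {"status": 429, "error": "daily contact quota exceeded"}
        self.used[key] += len(contacts)
        # A real service would now look up profiles for the hashed names and numbers.
        return {"status": 200, "synced": len(contacts)}


def make_request(session_token: str, device_id: str, n_contacts: int, now: int) -> Tuple[Dict[str, str], bytes]:
    """Build a correctly signed sync request with constructed hashed contacts."""
    contacts = [{"name_hash": hashlib.sha256(f"contact{i}".encode()).hexdigest(),
                 "phone": f"+1555000{i:04d}"} for i in range(n_contacts)]
    body = json.dumps({"device_id": device_id, "contacts": contacts}).encode()
    headers = {"X-Timestamp": str(now), "X-Signature": sign(body, now),
               "X-Session-Token": session_token}
    return headers, body


def two_devices(quota_key: str) -> Tuple[int, int]:
    """Same account syncs 400 contacts twice, switching device id in between."""
    svc, now = ContactSyncService(quota_key), 1_700_000_000
    h, b = make_request("tok-alice", "dev-A", 400, now)
    first = int(svc.sync(h, b, now)["status"])
    h, b = make_request("tok-alice", "dev-B", 400, now)
    second = int(svc.sync(h, b, now)["status"])
    return first, second


def tampered_status() -> int:
    """Signing a 10-contact request and then inflating it must fail verification."""
    svc, now = ContactSyncService("account"), 1_700_000_000
    h, _ = make_request("tok-alice", "dev-A", 10, now)
    _, bigger = make_request("tok-alice", "dev-A", 400, now)
    return int(svc.sync(h, bigger, now)["status"])


if __name__ == "__main__":
    print("device-keyed quota :", two_devices("device"))    # both accepted
    print("account-keyed quota:", two_devices("account"))   # second refused
    print("tampered body      :", tampered_status())        # rejected
```

The signature check and the quota are deliberately separate concerns: the first stops an intermediary from altering a request, the second bounds what a fully legitimate, correctly signed client can do. Keying the quota on the identity the server derives from the session, and counting contacts rather than requests, is what closes the gap the article describes; monitoring for many accounts hitting the quota from one network is the detection side of the same control.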

This is far from the first time the popular video-sharing app has been found to contain security weaknesses.

In January 2020, Check Point researchers discovered multiple vulnerabilities within the TikTok app that could have been exploited to get hold of user accounts and manipulate their content, including deleting videos, uploading unauthorized videos, making private “hidden” videos public, and revealing personal information saved on the account.

Then in April, security researchers Talal Haj Bakry and Tommy Mysk exposed flaws in TikTok that made it possible for attackers to display forged videos, including those from verified accounts, by redirecting the app to a fake server hosting a collection of fake videos.

Eventually, TikTok launched a bug bounty partnership with HackerOne last October to help users or security professionals flag technical concerns with the platform. Critical vulnerabilities (CVSS score 9 – 10) are eligible for payouts between $6,900 and $14,800, according to the program.

“Our primary motivation, this time around, was to explore the privacy of TikTok,” said Oded Vanunu, head of products vulnerabilities research at Check Point. “We were curious if the TikTok platform could be used to gain private user data. It turns out that the answer was yes, as we were able to bypass multiple protection mechanisms of TikTok that lead to privacy violation.”

“An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions.”
