All posts by mitch tanenbaum

Well THAT Didn’t Take Long

Last week Microsoft announced Microsoft Azure Sentinel, a cloud-based Security Information and Event Management (SIEM) system, and a threat hunting and analysis service called Microsoft Threat Experts.

As Ray and I discussed on a recent video, available on YouTube, the best outcome of that announcement would be for Google and Amazon to make similar announcements.

Well guess what?

One of those two made an announcement this week at RSA.

Google’s Chronicle Backstory is a direct competitor to Azure Sentinel.  Chronicle is Google’s security arm.

Chronicle says that they have tested Backstory on organizations of up to 500,000 users, for a year. THAT is big data.

Based on work that Google’s Threat Analysis Group used internally, this system is designed to allow a company to store petabytes of data in the Google cloud, analyze it and detect threat patterns.

The tools leverage Google’s VirusTotal, which analyzes millions of malware samples, probably every day, and include a dashboard called Nirvana.

Google says that you can upload your data – DNS traffic, NetFlow data from your firewalls, endpoint logs, proxy data, etc. – and it will be indexed and analyzed. Google SAYS that your data will remain private, but Google doesn’t have a great track record in that department. Of course, this is a different Alphabet company, Chronicle, and it will not be ad supported.

One thing that Google did at launch that Microsoft has not done, except vaguely, is announce what they call an Index Partner program – companies that have agreed to integrate with Backstory. They are demonstrating Carbon Black (an endpoint security product) and its integration with Backstory. They will be demoing Backstory at booth 2251 at RSA this week.

CAVEAT: Both of these technologies are young; neither has announced pricing.

Still this is nothing short of wonderful for the user community.

Maybe Amazon will be next.  Surely, even with Mr. Bezos’ current personal distractions, he didn’t miss this one-two punch.

Stay tuned – closely tuned.  This is good for you and me.

Source: Medium


Adobe Releases Emergency Patch For ColdFusion

Adobe seems to have trouble catching a break sometimes.

Today they released an emergency patch for a vulnerability in the ColdFusion application that Adobe bought in 2005.

The bug allows an attacker to bypass the file upload restrictions, upload a malicious executable and then get the target system to execute it, giving the attacker total control over the compromised system.
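The class of bug described above is a server-side upload check that can be talked around. As an added illustration, not Adobe’s code and not the actual ColdFusion fix, here is how a defender wants an upload handler to decide: on the file’s bytes rather than on the client-supplied name or MIME type, with a server-chosen filename, and with a storage directory the web server never executes from. `ALLOWED_TYPES`, `UPLOAD_ROOT`, `validate_upload` and `storage_path` are names made up for this example.

```python
"""Server-side upload validation that does not trust the client.

Constructed example. The client controls the file name and the declared
MIME type, so neither can be the basis of the decision. Decide on the
bytes, store under a server-chosen name, and keep uploads out of any
directory the web server will execute scripts from.
"""
import os
import secrets

# Allowlist: permitted extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}

# Hypothetical storage root, deliberately outside the served document root.
UPLOAD_ROOT = "/var/app-data/uploads"


def validate_upload(client_filename: str, content: bytes):
    """Return (True, server_filename) or (False, reason).

    The client filename is only consulted for the *claimed* extension; the
    decision is made on the bytes and the client name never reaches disk.
    """
    if not content:
        return False, "empty upload"
    # Path separators or NUL bytes in a filename signal traversal attempts.
    if any(c in client_filename for c in ("/", "\\", "\x00")):
        return False, "illegal characters in filename"
    # Only the final extension counts: a server-side script extension fails
    # the allowlist, and an image extension on non-image bytes fails below.
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension not allowed: {ext or '(none)'}"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not match declared type {ext}"
    # Server-chosen name: no attacker-controlled characters reach the disk.
    server_name = f"{secrets.token_hex(16)}.{ext}"
    return True, server_name


def storage_path(server_name: str) -> str:
    """Full path the file would be written to, outside the web root."""
    return os.path.join(UPLOAD_ROOT, server_name)


if __name__ == "__main__":
    # Constructed inputs: a real PNG header, and a script with an image name.
    print(validate_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_upload("page.cfm", b"<cfoutput>hi</cfoutput>"))
    print(validate_upload("page.png", b"<cfoutput>hi</cfoutput>"))
```

The magic-byte check is a first filter, not a parser; a production handler would also decode the image or PDF with a real library and re-encode it, so that anything that is not a well-formed file of the claimed type is dropped.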

All ColdFusion versions for all platforms are affected.

While Adobe quickly released a patch, as we saw with the Equifax breach, releasing a patch is slightly different from getting users to install it.

Many times users do not even know what base platform an application uses – the so-called bill of materials.

Sometimes systems were developed years ago.  The people who developed them are long gone and the people left don’t know much about them.

The end result, like at Equifax, doesn’t always turn out well.

Whether your systems and applications were internally developed, purchased from a third party or open source, if they are based on ColdFusion they are vulnerable.

If history is any indicator, there will be vulnerable systems out there for years.

If you have ColdFusion in your environment, now would be a good time to install the patch.

Information for this post came from Bleeping Computer.


Security News Bites for the Week Ending March 1, 2019

We Don’t Need Back Doors in Crypto – We Have Enough Bugs Already!

Researchers have found three new bugs in the protocol design (as opposed to the implementation) of both 4G and 5G cellular networks. Attacks exploiting the design flaws can be carried out by anyone with a little knowledge of cellular paging protocols.

The hardware to carry out the attack can be purchased for less than $200, and all four major carriers are vulnerable since these are protocol design problems and not implementation bugs.

The good news is that since these are protocol design flaws, the networks of all of our adversaries (and our friends) are also vulnerable, which probably makes the spy-guys happy too.

There is no fix approved or planned for the security holes.  Source: Techcrunch.

Google Slipped a Microphone into your Nest Security System – Forgot to Tell Buyers.

When Google announced that the Nest security system would now support “Hey Google” with no hardware upgrade, a few geniuses figured out that there must have always been a microphone in the Nest that Google just accidentally forgot to tell people about.

Google is trying to spin down the tornado, saying that yes, they just forgot to tell people that there is a microphone in there, but not to worry because it isn’t enabled by default. They put it in there to detect breaking glass and for other features, they say.

Alarm systems often have microphones, usually to detect glass breaking, but the control panel, where Google put it, might not be close enough to all of the windows in the house to detect that.  Some alarms support two way voice communications to the alarm monitoring center, but if a system has that, it is not a secret, but rather a feature, loudly announced.  More likely, Google kept it a secret so that competitors wouldn’t figure out their future plans.  Source: The Intercept.


Hacking Tools Going Mainstream

Cellebrite, the Israeli company that makes tools for law enforcement (and, I think, for anyone else whose check clears) to hack iPhones and Android phones, has grown a conscience.

Used Cellebrite devices are showing up on eBay for as little as $100 – and, of course, with the ex-owners’ data still intact.

Cellebrite is “warning” their customers not to do that but rather to return their devices to them for destruction. If you think they are really concerned about your security, then that makes sense. On the other hand, if you believe that they would rather sell you a new one for $6,000 than have you buy one on eBay for $100 …..

In any case, they are available and many of them still have the captured data on them.  Source: Forbes.


TSA’s Pipeline Security Team Has Five People

2.7 million miles of pipeline and five employees.

Roughly half a million miles of pipe per person.

And none of them have cyber expertise.

Since 2010 the number of people assigned to pipeline security has ranged from a low of 1 to a high of 14. Not very comforting.

And they don’t plan to add any cyber expertise anytime soon; instead they are relying on begging other parts of Homeland Security for help.

Given that TSA hasn’t figured this out in almost 19 years, some folks in Congress want to move the responsibility elsewhere.

In the meantime, let’s hope that the terrorists do not understand how bad things are. Source: FCW.


What is Going to Happen in Europe Regarding Privacy?

Well, we certainly DO live in interesting times.

The UK is supposed to leave the EU at the end of March, but no one knows if they will, if there will be a deal, if they will delay Brexit, if they will have another vote.

The European Data Protection Supervisor says do not expect anything with regard to UK “adequacy” (meaning that you can freely move data between the EU and the UK) for at least a couple of years.  For folks with large operations in the UK, that could be a problem.

The Supervisor also said that it is unlikely that GDPR will be revisited for another 7-10 years; then, considering the adoption process, do not assume any changes to GDPR for around 20 years. For those hoping for relief, do not count on it.

He also told the European Parliament that Privacy Shield, the Frankenstein agreement concocted by the US and EU after the EU courts struck down Safe Harbor, is “an instrument of the past”.  He said that Privacy Shield is an interim instrument.  He said that when you look at the full scope of GDPR, Privacy Shield doesn’t make any sense.

Regarding the ePrivacy legislation that is in the works, he is hoping to get some consensus this summer, but whether that means there will be a vote-ready version is another story. Once approved, that will be another set of rules for companies to adopt.

When it comes to data retention, he wasn’t happy about Italy’s law which allows people to keep data for 6 years.  Of course, in the US, there is no limit on retention.  He did, however, like the German approach, which allows retention for weeks, not years.

Suffice it to say, there is a huge gap between European desires (and their laws) and current American practices and that will likely continue to play out in the courts.  Stay tuned.  Source: IAPP (membership may be required to view).


This is Why I am So Adamant About the Importance of Patching

Just ONE day after the announcement of the NINETEEN YEAR OLD bug in the very popular WinRAR utility, Check Point Software found examples of it being exploited in the wild. Given that the vast majority of the 500 million copies will likely NEVER be patched and the fact that the bug allows the hacker to take full control of the system, this is a bit problematic. The good news is that it is possible that certain parts of the attack will be blocked (today, in this version) if the user is not a local admin.

In a somewhat entertaining turn of events, the WinRAR folks can’t find the source code necessary to fix the nineteen year old bug, so they opted to just remove the affected feature completely. Likely the loss of this feature will not be noticed by most users.

And this situation is not unusual.

Also this week, the developers at Drupal patched a critical flaw that would allow hackers to take over your web site.  It is more likely that this bug will be patched than the WinRAR bug, but I am sure that there are many web sites that will never be patched.

Drupal is open source and WinRAR is closed source, pointing out that all software is buggy and open source software is not statistically any less buggy than closed source software.

So what should you be doing?

If you do not already have a complete inventory of all software installed on all user devices and all servers, that is the place to start.  This inventory needs to be updated frequently.

Once you have this inventory, you need to come up with a plan to monitor all of these applications for available patches and known bugs, so that you can patch those bugs quickly once patches are available, and so that you can place the findings in your cyber risk register if either there is no patch or you are making a decision not to install the patches now (or possibly ever).
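Here is a small, constructed example of what the inventory-driven process above looks like in code; it is not from the article or from any vendor’s tool. An inventory that also records embedded components (the bill of materials problem from the ColdFusion post above) is matched against a list of advisories, and each affected asset gets one of two actions: patch when a fix exists, or register when there is none and the finding belongs in the cyber risk register. The product names, version numbers and the `Asset`, `Advisory`, `parse_version` and `triage` names are all invented for the example.

```python
"""Inventory-driven patch triage (constructed example, not any vendor's tool).

Input: a software inventory (which host runs which product and version,
including components embedded inside purchased or in-house applications)
and a list of advisories (product, version below which it is affected, and
the fixed version, or None when the vendor has not shipped a fix).
Output: for every affected asset, 'patch' when a fix exists or 'register'
when the finding belongs in the cyber risk register instead.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    via: str = ""  # parent application that embeds this component, if any


@dataclass(frozen=True)
class Advisory:
    product: str
    affected_below: str      # every version strictly below this is affected
    fixed_in: Optional[str]  # None: no vendor fix available yet


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.61' -> (5, 61); '8.6.10' -> (8, 6, 10). Compares numerically,
    so 8.6.9 < 8.6.10, which a plain string comparison would get wrong."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def triage(inventory: List[Asset],
           advisories: List[Advisory]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {host: [(component, action, detail), ...]} for affected assets only."""
    by_product: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_product.setdefault(adv.product.lower(), []).append(adv)

    findings: Dict[str, List[Tuple[str, str, str]]] = {}
    for asset in inventory:
        for adv in by_product.get(asset.product.lower(), []):
            if parse_version(asset.version) >= parse_version(adv.affected_below):
                continue  # at or beyond the affected range: nothing to do
            if adv.fixed_in is None:
                action, detail = "register", "no vendor fix; track in the cyber risk register"
            else:
                action, detail = "patch", f"upgrade to {adv.fixed_in}"
            component = f"{asset.product} {asset.version}"
            if asset.via:
                component += f" (embedded in {asset.via})"  # the bill-of-materials case
            findings.setdefault(asset.host, []).append((component, action, detail))
    return findings


# Constructed sample data: invented product names and version numbers.
SAMPLE_INVENTORY = [
    Asset("ws-01", "archiver-tool", "5.61"),
    Asset("ws-02", "archiver-tool", "5.70"),
    Asset("web-01", "cms-core", "8.6.9"),
    Asset("web-02", "app-framework", "2016.0.3", via="PurchasedPortal"),
]
SAMPLE_ADVISORIES = [
    Advisory("archiver-tool", affected_below="5.70", fixed_in="5.70"),
    Advisory("cms-core", affected_below="8.6.10", fixed_in="8.6.10"),
    Advisory("app-framework", affected_below="2018.0.0", fixed_in=None),
]

if __name__ == "__main__":
    for host, items in sorted(triage(SAMPLE_INVENTORY, SAMPLE_ADVISORIES).items()):
        for component, action, detail in items:
            print(f"{host}: {component}: {action.upper()} - {detail}")
```

The `via` field is what makes the bill-of-materials problem visible: the purchased portal on `web-02` never shows up in a naive “what did we install” list, but the framework it embeds does, and it is the framework the advisory is about.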


As a side note, if you choose not to follow my advice and later have a breach attributed to a missing patch (think of the Equifax breach as an example of the problem missing patches cause), make sure your lawyers are all paid up because you will be sued.

Source: The Hacker News.


LinkedIn Messaging Used to Target Businesses

Many employees are at least curious about their next job.  That is the basis for this attack.

The attacker sends LinkedIn direct messages from a legitimate LinkedIn account.

If that doesn’t appeal to the target, the attacker sends emails to the target’s business email address suggesting a job offer.

The links in the email point to a web page that looks like the home page of a legitimate recruiter’s web site.

That web page will automatically download an infected Microsoft Office document.  The Office document has malicious macros in it and it will try to get the target to enable macros.

Assuming the target enables the macros, the attacker downloads the last stage of the attack, a piece of backdoor software called More_eggs, which allows the attacker to control the infected computer. Forever!

Once they have control of the machine they can download whatever other payloads they want to in order to further the attack – or attack other systems.
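Since the whole chain above hinges on a macro-bearing Office document reaching the user, a mail gateway or download proxy can flag such documents by their contents rather than their extension. The following is an added example, not code from the article or from any security vendor: modern Office files are ZIP packages, VBA code lives in a part named `vbaProject.bin`, and the package’s `[Content_Types].xml` declares a macro-enabled main part, so a renamed file is still recognizable. Legacy binary `.doc`/`.xls` files (OLE2 compound documents) need a different parser and are therefore flagged for deeper inspection rather than cleared. `classify_office_file` and `build_sample` are names invented here, and the sample packages are constructed in memory.

```python
"""Classify an Office document by its contents, not its extension.

Constructed example for mail-gateway or download triage. OOXML files
(.docx/.docm/.xlsx/.xlsm/...) are ZIP packages; the VBA project is stored
as a part named vbaProject.bin and [Content_Types].xml declares a
macroEnabled main part. Legacy OLE2 files can also carry macros but need
a separate parser, so they are reported as 'legacy-binary', never 'no-macro'.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header
ZIP_MAGIC = b"PK\x03\x04"


def classify_office_file(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-binary' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"  # macros possible; needs an OLE2 parser
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"  # a ZIP, but not an OOXML package
            # The VBA project part is the definitive sign of macro code.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # Also honour the declared content type, in case the part is
            # stored under an unexpected name.
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroenabled" in ctypes.lower():
                return "macro"
            return "no-macro"
    except zipfile.BadZipFile:
        return "not-office"


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped package for the demonstration."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml" if macro
        else "application/vnd.openxmlformats-officedocument."
             "wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Constructed placeholder bytes, not a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-not-a-real-project")
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_office_file(build_sample(True)))    # macro
    print(classify_office_file(build_sample(False)))   # no-macro
    print(classify_office_file(OLE2_MAGIC + b"\x00" * 8))  # legacy-binary
```

In a gateway this classification would feed a policy such as quarantining `macro` results from external senders and routing `legacy-binary` ones to a sandbox; the point of deciding on bytes is that a `.docm` renamed to `.doc` is handled the same way as an honest one.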

While this attack has a lot of vectors to get the victim to download the infected Word document, it ultimately boils down to convincing the user to enable macros.

If the user won’t click on the enable macro button, the entire scheme fails.

Through simulated phishing attacks and other training, we have tried valiantly to stop users from clicking on prompts like the one that says enabling macros is dangerous; only do it if you trust the sender. And people click on them anyway.

Judging by articles I found, this attack has been working since at least 2017.  Apparently well enough for attackers to continue using it.

Users are almost always the weakest link in the security chain.  This attack is no different.

Source: Bleeping Computer.

