Security daily (18-06-2020)

Enabling secure remote work by embracing Zero Trust

Steve Faehl is Microsoft’s U.S. security chief technology officer, responsible for helping organizations develop strategies to reduce risk by improving their cyber defenses. One of the greatest challenges we often hear from public and private sector CIOs, when it comes to achieving a Zero Trust IT operating environment, is the question of how to tackle such a massive undertaking — and where and how to begin. If there was one lesson we learned at Microsoft as we sought to establish Zero Trust security principles internally — and we learned many lessons — it was the importance of starting with a fundamental premise: To build out assurances in places where we traditionally relied on implicit trust. That premise began at Microsoft with one of Bill Gates’ famous internal strategy memos on “trustworthy computing.” While the term Zero Trust hadn’t yet been coined, the concept and principles are essentially the same. They […] The post Enabling secure remote work by embracing Zero Trust appeared first on CyberScoop. (CyberScoop)

Michigan man accused in 2014 hack of medical center, sale of data on 65,000 people

Federal agents have arrested a 29-year-old Michigan man for allegedly hacking into a medical center in 2014, stealing data on more than 65,000 people and then selling it on the dark web, the Department of Justice announced Thursday. A 43-count indictment charges Justin Sean Johnson with wire fraud, aggravated identity theft and conspiracy for the hack of a database at University of Pittsburgh Medical Center (UPMC), Pennsylvania’s largest health care system. Johnson’s sale of medical center employees’ Social Security numbers and addresses led other alleged criminals to claim hundreds of thousands of dollars in fake IRS tax refunds, prosecutors said. “The health care sector has become an attractive target of cyber criminals looking to update personal information for use in fraud,” Timothy Burke, special agent in charge for the U.S. Secret Service in Pittsburgh, said in a statement. The indictment also alleges that from 2014 to 2017 Johnson sold other personally identifiable […] (CyberScoop)

Facebook sues to curb data scraping, fake Instagram likes from outside developers

Facebook is accusing a developer of collecting username and password credentials from thousands of accounts, and it is separately alleging that a European service distributed fake likes and comments throughout Instagram. In an announcement Thursday, the social media company said it is taking legal action against software developer Mohammad Zaghar and his company, Massroot8, for allegedly operating a service that compelled Facebook users to provide their personal information. Zaghar’s company would ask users for their username and password, then scrape the site for data about their friends, using a bot to sneak past Facebook’s security controls and collect vast amounts of data quickly, according to the suit. The company also said it has sued MGP25 Cyberint Services for selling automation software that produces fabricated likes and comments on Instagram. The Spanish firm made money by mimicking the Instagram app while using code that connected outsiders to actual Instagram accounts, Facebook said. Neither defendant could […] (CyberScoop)

How hackers used malicious Chrome extensions in a mass spying campaign

A sweeping set of surveillance campaigns has hit Google Chrome users, leading to nearly 33 million downloads of malicious software in the last three months, researchers at California-based Awake Security said Thursday. The researchers believe the unidentified hackers used Chrome extensions and other malicious tools — along with domains issued by a single registrar — to spy on computer users in sectors such as oil and gas, finance and health care. The hackers “were very effective in reaching a large number of industries and subverting controls that were in place,” said Gary Golomb, Awake Security’s cofounder and chief scientist. U.S. government contractors were among those targeted, Golomb said. He declined to identify the victims. The discovery exposes another gap in web browser security despite pledges from Google and other vendors to proactively block malicious code from appearing in their official download stores. After being tipped off by Golomb’s team, Google removed […] (CyberScoop)

The NSA is piloting a secure DNS service for the defense industrial base

In an effort to better protect the U.S. defense industrial base from malware-based threats, the National Security Agency has launched a pilot program on securing Domain Name System use for U.S. defense contractors. The NSA’s cybersecurity directorate has been working on the pilot, called secure DNS, for six weeks, the directorate’s chief, Anne Neuberger, said during a virtual event Thursday. “Our analysis highlighted that using secure DNS would reduce the ability for 92% of malware attacks … from a command and control perspective, deploying malware on a given network,” Neuberger said. The NSA is collaborating with the Defense Digital Service on the pilot, Defense Digital Service Director Brett Goldstein told CyberScoop. DNS is the protocol that translates the familiar domain names in URLs into the IP addresses used to reach specific websites. Attackers have long exploited DNS to deliver malware to targets or run credential-stealing campaigns, according to security researchers and the Department […] (CyberScoop)

Bolton book could cause 'irreparable damage' to US signals intelligence, NSA director says

John Bolton’s tell-all on his time serving as President Donald Trump’s national security adviser could reveal classified information and damage U.S. signals intelligence collection if published, the National Security Agency’s director, Gen. Paul Nakasone, said Wednesday. “At the request of the National Security Council legal adviser I have reviewed a limited portion of [Bolton]’s draft manuscript, and have identified classified information in that portion of the manuscript,” Nakasone said in a signed affidavit. “Compromise of this information could result in the permanent loss of a valuable SIGINT [signals intelligence] source and cause irreparable damage to the U.S. SIGINT system.” Nakasone’s assessment of Bolton’s book was filed Wednesday in U.S. District Court in Washington alongside an emergency Department of Justice filing seeking to block the release of Bolton’s book. The Trump administration sued Bolton on Tuesday in an attempt to delay the memoir’s publication, alleging that his book contained classified information and […] (CyberScoop)

Federal agencies recommend blocking Hong Kong-US undersea cable over national security concerns

The Departments of Defense, Justice, and Homeland Security urged U.S. regulators to block an application for an undersea cable connection between Hong Kong and the U.S. over concerns that it could expose sensitive communications to the Chinese government. The federal agencies, known as Team Telecom or the Telecom Committee, on Wednesday recommended the Federal Communications Commission deny the Pacific Light Cable Network (PLCN) undersea cable connection between the U.S. and Hong Kong amid concerns surrounding the Chinese government-linked ownership of the PLCN. A significant investor in the PLCN, Pacific Light Data Co. Ltd., is a subsidiary of the fourth largest telecommunications services provider in China, Dr. Peng Telecom & Media Group Co. Ltd., according to the Justice Department. U.S. intelligence officials have maintained that Chinese intelligence laws can make it compulsory for companies in China to comply with Beijing’s intelligence requests. “The Committee’s recommendation was based on … Dr. Peng Group’s relationship with [People’s Republic of China] […] (CyberScoop)

Copied master key forces South African bank to replace 12 million cards

Fraudsters stole more than $3.2 million from the banking division of South Africa’s post office, after – in a catastrophic breach of security – employees printed out the bank’s master key. Read more in my article on the Tripwire State of Security blog. (Graham Cluley)

Smashing Security podcast #183: MAMILs, gameshows, and a surprise from eBay

A TV gameshow with cash prizes if you’re obeying Coronavirus lockdown rules, ex-eBay staff charged in a crazy cyberstalking case, and when the wrong cyclist was accused by the internet bearing pitchforks. All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis. (Graham Cluley)

Bundlore adware brings a new nest of risks to Mac users

A new SophosLabs report digs into the latest browser-hijacking "bundleware" targeting Mac users. (Naked Security)

Microsoft promises to fix Windows 10 printer problem

Windows 10 updates released as part of last week’s Patch Tuesday appear to be making life hard for some printer users. (Naked Security)

Crypto founder admits $25 million ICO backed by celebrities was a scam

Endorsed by boxer Floyd Mayweather and DJ Khaled, the Centra Tech ICO debacle has led to the guilty plea of co-founder Robert Farkas. (Naked Security)

Adobe drops slew of critical patches

Adobe released another set of patches for its products on Tuesday, a week after dropping its first set of fixes for the month. (Naked Security)

How to Use Postenum to Gather Vital Data During Post-Exploitation

Post-exploitation is often not quite as exciting as popping the initial shell, but it's a crucial phase for gathering data and further privilege escalation. Once a target is compromised, there's a lot of information to find and sift through. Luckily, there are tools available that can make the process easy. One such tool is Postenum.

To show everything Postenum has to offer for post-exploitation, we're using Kali Linux as our local machine. As for the target, if you want to follow along and try the tool out as a white hat or penetration tester, Metasploitable 2 is a good intentionally... more (Null Byte « WonderHowTo)

Facebook Removes Trump Ad Over Nazi Hate Symbol

(News ≈ Packet Storm)

Facebook Sues Developer Over Alleged Data Scraping Abuse

(News ≈ Packet Storm)

Hackers Evade Detection By Forcing CAPTCHAs On Targets

(News ≈ Packet Storm)

Unpatched Vulnerability Identified In 79 Netgear Router Models

(News ≈ Packet Storm)

Massive Spying On Users Of Google's Chrome Shows New Security Weakness

(News ≈ Packet Storm)

Zoom Will Extend Optional End-To-End Encryption To Free Users

(News ≈ Packet Storm)

AcidBox Malware Uncovered Using Repurposed VirtualBox Exploit

(News ≈ Packet Storm)

InvisiMole Hackers Target High-Profile Military and Diplomatic Entities

Cybersecurity researchers today uncovered the modus operandi of an elusive threat group that hacks into the high-profile military and diplomatic entities in Eastern Europe for espionage.

The findings are part of a collaborative analysis by cybersecurity firm ESET and the impacted firms, resulting in an extensive look into InvisiMole's operations and the group's tactics, tools, and procedures. (The Hacker News)

Google Yanks 106 ‘Malicious’ Chrome Extensions

Trojan Chrome browser extensions spied on users and maintained a foothold on the networks of financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals and government organizations. (Threatpost)

Facebook’s FTC-Mandated Privacy Committee Now in Effect

Facebook will report its privacy practices to the committee, the FTC, and a third-party assessor. (Threatpost)

IcedID Banker is Back, Adding Steganography, COVID-19 Theme

The malware has boosted its anti-detection capabilities in a new email campaign. (Threatpost)

Cisco Webex, Router Bugs Allow Code Execution

High-severity flaws plague Cisco's Webex collaboration platform, as well as its RV routers for small businesses. (Threatpost)

BofA Phish Gets Around DMARC, Other Email Protections

The June campaign was targeted and aimed at stealing online banking credentials. (Threatpost)

Five Password Tips for Securing the New WFH Normal

Darren James, product specialist with Specops Software, warned that password resets, for example, are a particularly vexing issue for sysadmins, as they can often lock out end users from their accounts. (Threatpost)

Phishing Campaign Targeting Office 365, Exploits Brand Names

Attackers use trusted entities to trick victims into giving up their corporate log-in details as well as to bypass security protections. (Threatpost)


/security-daily/ 19-06-2020 23:44:23