Bad Code Library Triggers Devil’s Ivy Vulnerability in Millions of IoT Devices.
The vulnerability, dubbed Devil’s Ivy, was identified by researchers at Senrio, who singled out high-end security cameras manufactured by Axis Communications.
Axis, like other vendors whose devices are affected, is a member of the ONVIF Forum, an unofficial international consortium of hardware vendors.
Researchers believe the flawed code in the software library behind the bug (gSOAP, a widely used SOAP/XML toolkit) originated with the ONVIF Forum, which maintains the software and networking protocols its members use.
The researchers say an adversary can send a specially crafted payload that lets a remote, unauthenticated user execute code on vulnerable devices.
“The attacker then sends the specially crafted payload that triggers the buffer stack overflow which leads to custom code execution,” said M. Carlton, VP of research with Senrio, in an interview with Threatpost.
“With some other security devices and other general applications of gSOAP it may not be as big of a problem,” Tanji said.
A scan of the internet using Shodan revealed 14,700 of Axis’s cameras vulnerable to Devil’s Ivy.
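The bug class the quotes above describe, as an added example that is not gSOAP’s code and not the Devil’s Ivy exploit: a hypothetical parser that reads a length word from the network and copies that many bytes into a fixed-size stack buffer. The message layout, the three sample messages and the function names are constructed for this illustration; the vulnerable form stops just short of the copy so that the program does not corrupt its own stack.

```c
/* Added example: hypothetical length-prefixed field parser (NOT gSOAP's code,
 * NOT the Devil's Ivy exploit). Message layout, constructed for this demo:
 * 4-byte little-endian length, then that many bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIELD_MAX 256

/* Constructed sample messages. */
static const uint8_t MSG_GOOD[]    = { 4, 0, 0, 0, 'A', 'B', 'C', 'D' };
static const uint8_t MSG_CRAFTED[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'B', 'C', 'D' }; /* -1 as int32 */
static const uint8_t MSG_TRUNC[]   = { 4, 0, 0, 0, 'A', 'B' };                       /* claims 4, has 2 */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable form. The length is kept in a signed int, as many older C parsers
 * do. 0xFFFFFFFF becomes -1, which is not "> FIELD_MAX", so the only bounds
 * check passes; the later cast to size_t turns it into an all-ones size and
 * memcpy would write far past `field` on the stack: the memory-corruption
 * primitive a remote-code-execution attack is built on. To keep this demo from
 * actually corrupting memory it only reports whether the copy WOULD happen. */
int vulnerable_would_copy(const uint8_t *msg, size_t msg_len)
{
    uint8_t field[FIELD_MAX];
    int32_t len;
    uint32_t raw;

    if (msg_len < 4)
        return 0;
    raw = rd32le(msg);
    memcpy(&len, &raw, sizeof len);   /* reinterpret as signed, as `int len = ...;` would */
    if (len > FIELD_MAX)              /* BUG: a negative len passes this test */
        return 0;
    (void)field;
    /* memcpy(field, msg + 4, (size_t)len);   <- (size_t)-1 bytes onto the stack */
    return 1;
}

/* Hardened form: unsigned length, bounded by BOTH the destination size and the
 * bytes actually present in the message. Returns the copied length, or -1. */
long hardened_copy(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t out_len)
{
    uint32_t len;

    if (msg_len < 4)
        return -1;
    len = rd32le(msg);
    if (len > out_len)        /* would overflow the destination */
        return -1;
    if (len > msg_len - 4)    /* message claims more bytes than it carries */
        return -1;
    memcpy(out, msg + 4, len);
    return (long)len;
}

/* Same fixed stack buffer as the vulnerable path, fed through the safe copy. */
long hardened_field_len(const uint8_t *msg, size_t msg_len)
{
    uint8_t field[FIELD_MAX];
    return hardened_copy(msg, msg_len, field, sizeof field);
}

int main(void)
{
    printf("crafted: vulnerable would copy=%d, hardened=%ld\n",
           vulnerable_would_copy(MSG_CRAFTED, sizeof MSG_CRAFTED),
           hardened_field_len(MSG_CRAFTED, sizeof MSG_CRAFTED));
    printf("good:    vulnerable would copy=%d, hardened=%ld\n",
           vulnerable_would_copy(MSG_GOOD, sizeof MSG_GOOD),
           hardened_field_len(MSG_GOOD, sizeof MSG_GOOD));
    return 0;
}
```

The crafted message is the whole attack surface: one length word that the signed comparison accepts. The hardened check is what a patch supplies; keeping the device off the public internet and behind a firewall, as Senrio recommends, only limits who can reach the parser and does not fix it, so both are needed.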
Senrio recommends patching, but also keeping security devices off the public internet and behind a firewall.
However, security experts have long warned the amount of insecure software tied to reused third-party libraries is staggering.
For the 18th year in a row, the VA could not avoid having cybersecurity designated a material weakness, but a recent inspector general’s report details how the department has made clear and significant progress on improving its security posture.
“VA has made progress developing policies and procedures but still faces challenges implementing components of its agencywide information security continuous monitoring and risk management program to meet” the requirements of the Federal Information Security Modernization Act (FISMA) of 2014, the report from the VA’s Office of Inspector General states.
The VA says it has made progress on all of the recommendations and is asking the IG’s office to close 18 of them, Federal News Radio reports.
Additionally, the VA has continued to put in place IT governance, risk, and compliance tools to improve processes for assessing, authorizing, and monitoring the security posture of VA systems.
The agency has also put in place an enhanced audit log collection and analysis tool, the report notes.
“VA also needs to continue to address deficiencies that exist within access and configuration management controls across all facilities.”
More Security Progress Is Needed at VA
Despite the progress, the report still found “continuing significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems.”
VA has not fully put in place security standards on all servers, databases, and network devices, resulting in weaknesses in access and configuration management controls, the report found.
VA Deputy Inspector General Linda Halliday told Federal News Radio that her office will continue to review the department’s progress in improving its cybersecurity.
“When the OIG receives evidence of appropriate corrective action, we will generally close that recommendation,” she said.
“As VA provides documentation to support the corrective actions taken on any recommendation, we will review it and make the determination on whether we can close that recommendation.
Further, we continue to assess VA’s progress in implementing corrective actions and their ability to sustain improvements impacting VA information security posture during our annual FISMA review in the following year.”
Here’s a quick guide to the deep web, the dark web, and what you’ll find when you get there.
What is the dark web?
There are basically three parts to the world wide web: surface web, deep web, and dark web.
The surface web is everything that’s publicly available and accessible through search or typing a URL into your browser.
The dark web, however, is a totally different beast—a tiny fraction of the web that is only accessible through specialized software such as the Tor browser.
Who uses the dark web?
The website was shut down in 2013 and its founder is serving a life sentence in prison.
The most famous tool to get on the dark web is the Tor browser.
These are websites that are exclusively available on the dark web and can’t be accessed through normal browsers.
Tor also lets you reach ordinary surface and deep websites, with the added benefit that it anonymizes your browser traffic: it encrypts the traffic in layers and relays it through several volunteer-run computers, called Tor nodes (relays), before sending it on to its destination. Note that Tor’s own encryption ends at the last relay (the exit node); the hop from there to a normal website is protected only if the site itself uses HTTPS.
These 10 US states have the highest rate of malware infections in the country.
Does where you live have anything to do with how likely you are to experience a malware attack?
A new look at more than 1.5 million malware infections in the US compares rates of infection for the first six months of 2017—and found significant differences across the 50 states.
Computer users in New Hampshire are most at risk, with a rate of malware infections 201% higher than the national average, according to the report, released by Enigma Software Group (ESG), which, it should be noted, makes anti-malware products.
Here are the 10 US states with the highest malware rates, with the percentage by which each exceeds the national average:
New Hampshire (201%)
Colorado (143%)
Virginia (80%)
New Jersey (64%)
Oregon (25%)
New York (24%)
Montana (24%)
Missouri (23%)
Arizona (18%)
Maine (17%)
The report looks at several forms of malware, including adware, rogue anti-spyware (fake security software), ransomware (which, although highly damaging, accounted for only 1% of malicious programs in 2016, according to a recent report) and nuisance-ware, which is less severe than other malware but can hurt workplace productivity by installing unwanted programs and slowing computers down.
Some general trends emerge from the report.
The good news?
Overall, malware infections have dropped every month since the beginning of the year, with infections in June 2017 31% lower than in January.
“Regardless of where you live, it’s always important to stay vigilant for infections all the time,” said ESG spokesperson Ryan Gerding in a press release.
But when Kilbride investigated the security behind those features, he found vulnerabilities that an attacker could exploit to bypass the hoverboard’s safety protections from afar, and take control of the device.
“I was surprised that the exploits were as accessible as they were.”
Easy Access
The Segway MiniPro app uses Bluetooth to connect to the vehicle itself.
While analyzing the communication between the app and the scooter, Kilbride noticed that the user PIN meant to protect the Bluetooth link from unauthorized access wasn’t being used for authentication at every level of the system, so some parts of the system would accept commands without it.
He also discovered that the hoverboard’s software update mechanism had no way to confirm that firmware updates sent to the device really came from Segway (often loosely called an “integrity check”; in practice this means a signature over the image that the device verifies with the vendor’s public key).
This meant that, in addition to sending the scooter commands, an attacker could trick the device into installing a malicious firmware update that overrides its fundamental programming.
In this way an attacker would be able to nullify built-in safety mechanisms that prevented the app from remote-controlling or shutting off the vehicle while someone was on it.
“The app allows you to do things like change LED colors, it allows you to remote-control the hoverboard and also apply firmware updates, which is the interesting part,” Kilbride says.
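The two flaws described above, as an added example that is neither Segway’s code nor Kilbride’s research code: a hypothetical command handler for a scooter-like device in which the PIN gate is applied to every privileged command (not only at pairing), the rider-on-board interlock is enforced by the device rather than trusted from the app, and a firmware image is validated (length, vendor signature, anti-rollback) before it is applied. The command set, image layout, demo PIN and the demo_verify stand-in for the real signature check are assumptions of this illustration.

```c
/* Added example, not Segway's code: hypothetical BLE command handler for a
 * scooter-like device. Shows (1) the pairing PIN gating EVERY privileged
 * command and a device-side rider interlock; (2) a firmware image accepted
 * only after length, vendor-signature and anti-rollback checks.
 * Names, layouts and the demo PIN are constructed for this illustration.
 * Image layout: "SCFW" | version u32 LE | payload_len u32 LE | payload | 64-byte sig */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PIN_LEN          6
#define MAX_PIN_FAILURES 5
#define SIG_LEN          64
#define FW_HDR_LEN       12

enum cmd    { CMD_GET_STATUS, CMD_SET_LED, CMD_REMOTE_DRIVE, CMD_FW_UPDATE };
enum result { R_OK, R_DENIED, R_LOCKED, R_UNSAFE, R_BAD_IMAGE, R_BAD_SIG, R_ROLLBACK };

struct session { int authenticated; unsigned pin_failures; };
struct device  { uint8_t pin[PIN_LEN]; uint32_t fw_version; int rider_on_board; };

/* Verifier interface: a real device checks an Ed25519/RSA signature over `data`
 * with a vendor public key that the update path itself cannot replace. */
typedef int (*fw_verify_fn)(const uint8_t *data, size_t len, const uint8_t *sig);

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constant-time compare: timing must not reveal how many PIN bytes matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

int session_authenticate(struct session *s, const struct device *d, const uint8_t *pin)
{
    if (s->pin_failures >= MAX_PIN_FAILURES) return R_LOCKED; /* no online brute force of a short PIN */
    if (!ct_equal(pin, d->pin, PIN_LEN)) { s->pin_failures++; s->authenticated = 0; return R_DENIED; }
    s->authenticated = 1;
    s->pin_failures = 0;
    return R_OK;
}

int fw_accept(struct device *d, const uint8_t *img, size_t img_len, fw_verify_fn verify)
{
    if (img_len < FW_HDR_LEN + SIG_LEN || memcmp(img, "SCFW", 4) != 0) return R_BAD_IMAGE;
    uint32_t version = rd32le(img + 4);
    uint32_t payload_len = rd32le(img + 8);
    if (payload_len != img_len - FW_HDR_LEN - SIG_LEN) return R_BAD_IMAGE;        /* declared == received */
    if (!verify(img, img_len - SIG_LEN, img + img_len - SIG_LEN)) return R_BAD_SIG; /* authenticity first */
    if (version < d->fw_version) return R_ROLLBACK; /* a genuinely signed old image must not reinstall known bugs */
    d->fw_version = version;                         /* stand-in for writing the payload to flash */
    return R_OK;
}

int handle_command(struct device *d, struct session *s, enum cmd c,
                   const uint8_t *arg, size_t arg_len, fw_verify_fn verify)
{
    if (c == CMD_GET_STATUS) return R_OK;   /* read-only, deliberately unauthenticated */
    if (!s->authenticated) return R_DENIED; /* re-checked on every other command, not once at pairing */
    switch (c) {
    case CMD_SET_LED:      return R_OK;
    case CMD_REMOTE_DRIVE: return d->rider_on_board ? R_UNSAFE : R_OK; /* interlock lives in the device */
    case CMD_FW_UPDATE:    return d->rider_on_board ? R_UNSAFE : fw_accept(d, arg, arg_len, verify);
    default:               return R_DENIED;
    }
}

/* Demo stand-in for the signature primitive: "valid" means the 64 trailing bytes
 * are all 0x42. It only lets the example run offline and provides no security. */
int demo_verify(const uint8_t *data, size_t len, const uint8_t *sig)
{
    (void)data; (void)len;
    for (size_t i = 0; i < SIG_LEN; i++) if (sig[i] != 0x42) return 0;
    return 1;
}

/* Build a constructed image into buf; returns its length (0 if buf is too small). */
size_t demo_build_image(uint8_t *buf, size_t cap, uint32_t version, int good_sig)
{
    static const uint8_t payload[] = "demo firmware payload";
    size_t n = FW_HDR_LEN + sizeof payload + SIG_LEN;
    if (cap < n) return 0;
    memcpy(buf, "SCFW", 4);
    wr32le(buf + 4, version);
    wr32le(buf + 8, (uint32_t)sizeof payload);
    memcpy(buf + FW_HDR_LEN, payload, sizeof payload);
    memset(buf + FW_HDR_LEN + sizeof payload, good_sig ? 0x42 : 0x00, SIG_LEN);
    return n;
}

/* A device provisioned with the constructed PIN "123456" at firmware version 5. */
struct device demo_device(void)
{
    struct device d = { { '1', '2', '3', '4', '5', '6' }, 5, 0 };
    return d;
}
```

demo_verify exists only so the example runs offline; on a real device that function verifies a signature with a vendor key baked into the device and not writable by the update path. Without that step the length and version checks are cosmetic, because an attacker can satisfy both in a forged image, which is exactly the situation the article describes.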
The GPS feature known as “Rider Nearby” acted as a sort of social platform for finding other MiniPro owners, but it’s easy to see how publicly available, persistent location tracking could be abused.
As part of addressing Kilbride’s findings Segway discontinued the feature.
Trump Hotels Hit With Data Breach.
The hits just keep on coming for our new president, who has only been on the job around six months, and the newest one focuses on his line of hotels.
Data exposed, according to reports, included credit card numbers with expiration dates, and standard identifiers like names, addresses and phone numbers.
Interestingly, the breach didn’t have much to do with Trump International Hotels itself; rather, it hit the Sabre Hospitality Solutions reservation system, which is used not only by Trump but by some 32,000 separate properties worldwide.
As for why Trump’s hotels have been attacked so frequently, several potential explanations have been brought forth.
That makes the potential payoff from seizing the data of these highly-visible entities better in the process.
While the exact motivation may be unclear, it is clear that Trump hotel visits have lately been a bit more dangerous than usual.
So for those planning a trip involving a stay at one of the President’s fine properties, be sure to take a few extra precautions.
Watch your credit card bills carefully, and pay with a credit card rather than a debit card where you can, since fraudulent debit charges come straight out of your balance; if you do use a debit card, consider reducing the amount of cash kept in the linked account.
Simple precautions go a long way toward helping here.
Ashley Madison Offers £8.5m To Data Breach Victims.
The fund will be available for anyone with a “valid claim” for being affected by the 2015 breach.
The parent company of adult dating site Ashley Madison has offered to pay an $11.2 million (£8.5m) settlement to users affected by the mass data breach which exposed 36 million accounts.
Many users have since sued the company for providing inadequate levels of data security and Ruby Life has been attempting to strike a deal with those involved.
On Friday it claimed that an agreement to settle multiple class action lawsuits had been reached and that the £8.5m fund would be available to those who “submit valid claims for alleged losses resulting from the data breach”.
In a statement, Ruby Life said: “While ruby denies any wrongdoing, the parties have agreed to the proposed settlement in order to avoid the uncertainty, expense, and inconvenience associated with continued litigation, and believe that the proposed settlement agreement is in the best interest of ruby and its customers.”
In December of last year Ruby was ordered to pay US regulators $1.6 million (£1.3m) for lacking basic security practices, and Ashley Madison’s founder and CEO Noel Biderman stepped down in the immediate wake of the cyber attack.
Users also reported receiving blackmail letters after the stolen data had been made public by the hackers, as scammers reacted quickly to the extremely high-profile news.
Ashley Madison is not the only dating website to have been targeted by hackers over the last couple of years.
For example, in 2016 BeautifulPeople.com suffered a data breach where the personal details of 1.1 million users were leaked online.
Iran state media accuses Saudis of planting false news story.
(CNN) A state-run Iranian news agency has accused Saudi hackers of planting a fabricated news story on its Twitter account, as a crisis in the Gulf centered around Qatar deepens.
The tweet, if it were true, would likely inflame tensions in the region between Qatar and a quartet of countries led by Saudi Arabia, which has frozen trade and diplomatic ties with Qatar, claiming it supports terror organizations.
Saudi Arabia has no diplomatic ties with Iran or Israel, and it sees Iran as a key rival.
In a statement issued Monday, Alalam said: “Alalam News Network categorically denies spurious and bogus stories which are published via its hacked Twitter account.” “Saudi news agencies and websites, though fully aware of the fact that Alalam’s Twitter account has been hacked, publish these false news stories immediately, designating their collusion with the hackers,” the statement said.
Alalam said in its statement that it had been under a series of cyber-attacks for days.
Last week, it published a story accusing Saudi hackers of breaking into its Twitter account.
The Twitter account is still under the control of hackers, the news agency has said.
But Qatar said that the Washington Post report proved its version of events, that its websites were hacked and that quotes were fabricated and published.
Newcastle City Council Data Breach Exposes Details Of Adopted Children.
ICO investigates after sensitive information was sent out in a spreadsheet.
Newcastle City Council is under investigation by the Information Commissioner’s Office (ICO) for a data breach that saw details about adopted children and their parents sent out in an email by mistake.
Names, addresses and birth dates of 2,743 adopted children, alongside details of parents, social workers and former adoptees, were included in a spreadsheet attached to an email about the city’s annual adoption summer party.
The council has said the mistake was caused by human error and that it has taken steps to mitigate the leak, contact all those involved, and to ensure it doesn’t happen again.
A helpline has been set up for those who think they may have been affected, and staff training has been part of the response.
“I am truly sorry for the distress caused to all those affected,” said Newcastle City Council’s director of people, Ewen Weir.
“The council takes data protection and confidentiality very seriously and has acted swiftly to understand what happened and who has been affected.
“The email and attachment were sent to 77 people.
This attachment contained personal details relating to 2,743 individuals, comprising current and former adoptees, parents and social workers who had been involved with these families.
The average cost of a data breach is $3.62 million globally, a 10% decline from $4 million in 2016, according to a study sponsored by IBM Security and conducted by Ponemon Institute.
This is the first time since the global study was created that there has been an overall decrease in the cost.
According to the study, these data breaches cost companies $141 per lost or stolen record on average.
However, many regions experienced an increased cost of a data breach – for example, the cost of a data breach in the United States was $7.35 million, a five percent increase compared to last year.
Organizations in the Middle East, Japan, South Africa, and India all experienced increased costs in 2017 compared to the four-year average costs.
Analyzing the 11 countries and two regions surveyed in the report, IBM Security identified a close correlation between the response to regulatory requirements in Europe and the overall cost of a data breach.
European countries saw% decrease in the total cost of a data breach over last year’s study.
Healthcare data breaches cost organizations $380 per record, more than 2.5 times the global average across industries at $141 per record.
The involvement of third parties in a data breach was the top factor driving the cost up, adding $17 per record.
Having an incident response team in place produced a $19 reduction in cost per lost or stolen record, followed by extensive use of encryption ($16 reduction per record) and employee training ($12.50 reduction per record).