security

Keeper Security Patches Password Protection Flaw

December 19th, 2017

Google Project Zero security researcher Tavis Ormandy sent a email to Keeper Security about a new vulnerability. Company replied to Ormandy and delivered a patch within 24 hours to the users. The security issue is identified as “privileged UI injection into pages”.

“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages,” Ormandy wrote in a bug report. “I checked and, they’re doing the same thing again with this version.”

The first time Ormandy informed Keeper Security of the privileged UI injection into pages” issue was in August 2016. At that time, Ormandy explained how the flaw could simply enable an attacker to steal passwords from Keeper users.

“This is a complete compromise of Keeper security, allowing any website to steal any password,” Ormandy wrote in his new advisory.

Keeper browser extension has this particular flaw.

“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a clickjacking and/or malicious code injection technique to execute privileged code within the browser extension,” Keeper wrote in its advisory.

Google Project Zero has a 90-day disclosure policy to publicly reveal the issue. But Keeper solved the issue in 24 hours.

Keeper browser extension has already been automatically updated.

“Assume that everything is hackable,” Jeff Bohren, Chief Software Engineer at Optimal IdM suggests.

Boren mentioned that users look for a password manager which is cloud based along with two-factor authentication.

“2FA does a good job of allowing only individual account owners access to their login credentials,” Bohren said. “If hackers do succeed in guessing a password, they must still breach additional authentication steps before they can reach important data.”

 ___________________________________________________________________________________

AlertSec ACCESS is a patent pending technology. It is designed to enforce that devices are encrypted before access to a network is granted. Encrypted devices secure your data in case a device is lost or stolen.

ICS Malware

December 16th, 2017

FireEye researchers mentioned that the company’s Mandiant subsidiary is attacked by new industrial control systems(ICS) malware. The hackers shut down plant operations by targeting emergency shutdown systems.

Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers were targeted specifically. The researchers are calling the malware Triton. The operations were shut down during reconnaissance performance by attackers.

“FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state,” the researchers wrote. “The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor.”

Russian, Iranian, North Korean, U.S. and Israeli state actors may be behind the attacks. “Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency,” the researchers mentioned.

Phil Neray, vice president of industrial cyber security at CyberX, mentioned that his company believes the targeted plant was in Saudi Arabia, which would likely mean that Iran was responsible for the attack.

“It’s widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs,”

Neray said. “This would definitely be an escalation of that threat because now we’re talking about critical infrastructure — but it’s also a logical next step for the adversary.”

Chris Morales, head of security analytics at Vectra, mentioned that an attack like this was all but inevitable. “The connectivity and integration of traditional information technology with operational technology — IT/OT convergence — is increasing exponentially,” he said.

“The IoT and IT/OT convergence is accelerated by the speed of business and the implementation of AI to drive decisions in ICS environments,” Morales added. “In addition, more ICS devices are running commercial operating systems, exposing ICS systems to a wider swath of known vulnerabilities.”

____________________________________________________________________________________________

AlertSec ACCESS is a patent pending technology designed to check that devices are encrypted before access to a network is granted.

Government of Canada Plans to Set CyberSecurity Policy

November 14th, 2017

The growing trend of attacks is worrying every corner of the world. Like other parts, Canadians are also at risk from cyber attack. The Government of Canada plans to fight this battle. They are implementing various measures to stop the attacks. At the SecTor conference here, Colleen Merchant, Director General for National Cyber Security at Public Safety Canada, explained the steps taken.

Merchant mentioned that government agencies will have different responsibilities for cyber security. The Royal Canadian Mounted Police (RCMP) is tasked to handle law enforcement and related investigations. Public Safety Canada handles the Canadian Cyber Incident Response Center (CCIRC).

“CCIRC also has a responsibility for coordinating the overall national response to significant cyber events affecting critical systems in Canada,” she said.

Public Safety Canada also provides helping hands to set policy for cyber security. Merchant mentioned that the role of policy is to help assess challenges and help to formulate overall approaches that work at a national level.

The Government of Canada has released its Cyber Security Strategy manifesto in 2010 which consists of  three core pillars including: securing government systems, partnering to secure vital system outside of the federal government, and helping Canadians to be more secure online.

“From 2010 and going up to 2020 we have committed $431.5 million for investment and improvement into cyber security,” Merchant said.

Government of Canada has taken views from various entities while drafting policy for cybersecurity. Merchant said that there was the need for more privacy, collaboration and skilled cyber security personnel.

“We are recognizing that cyber-security has become a source for economic prosperity,” Merchant said.

“The Government can’t solve all problems but we can find ways to force-multiply, by providing all partners with direction and to set out national-level objectives that we can all work toward,” she said.

____________________________________________________________________________________________

AlertSec ACCESS checks for full disk encryption on PCs running Windows 7, 8, and 10 Home, Pro and Enterprise as well as Mac OS El Capitan and Sierra. AlertSec ACCESS will also verify that all smartphones running iOS and Android are encrypted before access is granted.

Data Breach at Forever 21

November 12th, 2017

Retailer Forever 21 recently suffered data breach. Affected information includes credit and debit card information at some Forever 21 locations. Third party notified the company about the breach.

“We immediately began an investigation of our payment card systems and engaged a leading security and forensics firm to assist us,” the company mentioned.

Forever 21 has encryption and tokenization solutions. It mentioned that only some point of sale (PoS) devices where affected. The company do not  know the affected location.

Obsidian Security CTO Ben Johnson mentioned that the breach is a reminder that every retailer is a target. “Holiday shoppers should be diligent in monitoring their account activity, and should consider Apple Pay or cash if they are feeling less confident about the security of the retailers’ systems,” he said.

“Retailers should understand that any areas of weakness, such as those few systems without multi-factor authentication or encryption, will eventually find themselves victim of compromise,” Johnson added. “In some ways things are improving on the defensive side, but we cannot forget that the attackers often innovate faster.”

Recent survey by SiteLock shows that there is growing concern for online shopping. The findings are as below –

Twenty seven percent worry about the information being compromised

Sixty-five percent mentioned that they will not return to the website after it got hacked

Fifty two percent say a store  which provides a secure payment network makes them confident

Another survey conducted by Paysafe has below findings –

Fifty nine percent of U.S. consumers believe fraud is an inevitable part of shopping online

Fifty eight percent said that they are willing to accept any security measures needed to eradicate fraud

Thirty nine percent of US businesses believe their customers would prefer increased security

“For years, consumers have had to overcome the apprehension that businesses know too much about them — from shoe sizes to food preferences,” Paysafe CEO Todd Linden said in a statement. “But as the payment world evolves, it is this knowledge that will make individuals more secure.”

“The evolution of big data will make payments smarter and easier and help to redress the balance between security and convenience,” Linden added. “Big data will be the ultimate key to tightening up security at PoS, online and in brick and mortar environments.”

 ___________________________________________________________________________________

AlertSec ACCESS is a patent pending technology designed to check that devices are encrypted before access to a network is granted. Encrypted devices secure your data even if they are lost or stolen.

Managing Privileged Passwords

November 11th, 2017

Recent survey conducted by One Identity of 913 IT security pros shows that 86 percent of IT security professionals face challenges managing privileged passwords.

As per the One Identity website – “We believe that security is much more than the practice of denial and restriction. That’s why One Identity’s design and integration philosophy is that our solutions must add agility and efficiency to an organization – regardless of size or market – as well as secure its digital assets.”

Other findings of the survey include –

Eighteen percent use a paper logbook for privileged password management

Thirty six percent manage passwords in Excel or another spreadsheet

Twenty two percent are not able to monitor or record activity performed with admin credentials

Forty percent do not change the default admin password

“Over and over again, breaches from hacked privileged accounts have resulted in astronomical mitigation costs, as well as data theft and tarnished brands,” One Identity president and general manager John Milburn said in a statement. “These survey results indicate that there are an alarmingly high percentage of companies that don’t have proper procedures in place.”

LastPass research survey shows that the average security employee is managing 191 passwords.

Twenty six and half percent of businesses has multi-factor authentication to protect their password vaults.

“While we’re seeing that a significant portion of businesses are investing in multi-factor authentication, it is not yet adopted widely enough to compensate for the shortcomings of passwords,” the report states.

Duo Labs conducted survey of 443 individuals has below findings –

Twenty eight percent of respondents use two-factor authentication (2FA)

Fifty six percent of respondents had never heard of it

Forty-five percent of those who use 2FA said they do so on all services that offer it

“This survey underscores the reality that we as a security community still have a long way to go when it comes to educating the everyday person about proper security behaviors in general and 2FA in particular,” the researchers wrote.

____________________________________________________________________________________________

AlertSec ACCESS is a patent pending technology designed to check that devices are encrypted before access to a network is granted. Encrypted devices secure your data even if they are lost or stolen.

GDPR

November 8th, 2017

HyTrust conducted survey of 323 attendees at the VMworld 2017 conference in Las Vegas, Nevada. It found that only 21 percent are concerned about GDPR compliance regulations and plan to implement it. Twenty seven percent are concerned but have no plan to implement.

“If you think GDPR desn’t apply to your organization, think again,” HyTrust president and founder Eric Chiu mentioned in a statement.

“Most organizations today are very aware of their security risks, but are not as far along with technology and processes to meet the GDPR compliance requirements, despite a May 2018 deadline that has significant fines for failure to comply,” Chiu added.

Another survey conducted by Carbon Black survey of 120 business decision makers has below findings –

Eighty six percent of respondents mentioned that they are confident in their ability to comply with GDPR requirements

Fifty eight percent are not using effective risk management tools

Survey conducted by Computing Magazine stated that only ten percent have their toolsets for classifying critical data and prioritizing risk to data.

“In order to effectively identify and neutralize data breaches, it’s essential to know what constitutes normal network behaviors versus what is suspicious,” Carbon Black senior director for compliance and governance programs Chris Strand said in a statement.

“Failing to align the right data protection toolsets with people and processes, many organizations are at risk of non-compliance with the GDPR and, more importantly, putting their customers’ information in jeopardy,” Strand added.

Survey conducted by IAPP-EY survey of 548 privacy professionals worldwide shows that fully 95 percent ( 75 percent of whom are located outside the EU) say the GDPR applies to their organization.

“Even though the EU’s GDPR has yet to take effect, organizations the world over are spending money on hiring and promoting privacy staff, training employees on privacy, purchasing technology to help with GDPR compliance, and pushing privacy awareness into every corner of the firm,” the report states.

____________________________________________________________________________________________

AlertSec ACCESS checks for full disk encryption on PCs running Windows 7, 8, and 10 Home, Pro and Enterprise as well as Mac OS El Capitan and Sierra. AlertSec ACCESS will also verify that all smartphones running iOS and Android are encrypted before access is granted.

Deception Technology

October 31st, 2017

Symantec’s endpoint security product suite has latest update which uses deception technology to keep devices secured. Deception technology is first step towards this efforts in the industry.

It unveiled Endpoint Security for the Cloud Generation along with this new technology. It is used by the companies to trick hackers which makes them believe that they had gained access to the systems.

“Deception technology is a direct result of Symantec’s innovation strategy paired with more than 15 years of endpoint security expertise,” Sri Sundaralingam, head of product marketing for Enterprise Security Products at Symantec.

The technique makes hackers to waste their efforts, time and energy breaking into fake servers.

“With deception on the endpoint, customers can now utilize the threat intelligence and deception capabilities of the largest security company in the world to expose stealthy attack tactics, delay attackers, and determine attacker intent beyond what’s available through purely network-based deception technologies – all at a scale like no other in the market,” continued Sundaralingam.

SEP 14.1 also had a new add-on entity which is called Hardening. It isolates suspicious activity at applications.  It also provides behavioral analysis and machine learning to identify malware.

Symantec Advanced Threat Protection (ATP): Endpoint 3.0 employs SEP’s endpoint detection and response features combined with threat intelligence and machine learning to stop attacks.

Company also launched Skycure’s AI-enabled mobile threat defense software. Skycure was acquired by Symantec for an undisclosed amount.

“One of the most dangerous assumptions in today’s world is that iOS and other mobile devices that employees bring into the office are safe, but the apps and data on these devices are under increasing attack,” stated Symantec CEO Greg Clark at the time. “We believe that tomorrow’s workforce will be completely mobile and will demand a cyber defense solution that travels with them.”

____________________________________________________________________________________________

AlertSec ACCESS is a patent pending technology designed to check that devices are encrypted before access to a network is granted. Encrypted devices secure your data even if they are lost or stolen

Funding for Averon

October 25th, 2017

San Francisco-based company Averon recently secured $8.3 million in an Avalon Ventures-led Series A round of funding. The firm is a mobile authentication startup.

Direct Autonomous Authentication (DAA) mobile identity verification standard is the brainchild of Averon. It allows smartphone users seamlessly and securely interact with services and devices. The technology allows users to interact with devices like smart locks which involves no download of dedicated app.

“Averon leverages real-time mobile network signaling and the SIM/eSIM (eUICC) chips already found in the world’s seven billion smartphones, requiring no installation, no apps, and no user involvement whatsoever,” the company explained in an Oct. 24 media advisory. “Working seamlessly in the background, it is the easiest, fastest and most secure way to provide instant, frictionless authentication.”

Wendell Brown, Averion’s CEO mentioned that his company is the solution to large scale breaches in current time.

“As we see in the news every day, cybersecurity breaches continue to grow in size and frequency, and the world is in desperate need of the next generation of online identity authentication,” said Brown, in a statement. “Averon offers a uniquely superior solution that authenticates users while relying on zero personally identifiable data and requiring zero effort on the part of consumers – Averon is the new gold standard in cybersecurity, and we’re rapidly taking it to scale.”

Many cyber security startups are getting funded. The partial list can be mentioned as below who got funding in recent times –

KnowBe4 secured a $30 million Series B round of financing the company

Contrast Security mentioned that it had completed a Series C round worth $30 million

ShiftLeft’s secured $9.3 million

Attivo Networks secured  $21 million Series C round of funding

Duo Security raised $70 million

 ___________________________________________________________________________________

AlertSec ACCESS checks for full disk encryption on PCs running Windows 7, 8, and 10 Home, Pro and Enterprise as well as Mac OS El Capitan and Sierra. AlertSec ACCESS will also verify that all smartphones running iOS and Android are encrypted before access is granted.

Breaches in US Financial Service Organizations

October 23rd, 2017

As per the 2017 Thales Data Threat Report, forty two percent of U.S. financial services organizations got affected by data breach. Survey saw participation of 1,100 senior security executives worldwide. The findings are as below:

Twenty four percent of the organizations suffered data breach in last year alone

Nineteen percent suffered data breach in 2016

Eighty-six percent of participants believe they are vulnerable to data threats.

Ninety six percent will use sensitive data in an advanced technology environment

“Data breaches continue to hit the headlines and, as recently illustrated by the Equifax breach, the financial services industry is a prime target for hackers,” Thales e-Security vice president of strategy Peter Galvin said in a statement.

“As digitization continues to transform the industry’s online infrastructures it is critical organizations implement data security solutions that follow the data — wherever it is created, shared or stored,” Galvin added.

A recent survey conducted by ISMG survey of over 250 banking and security leaders found that 38 percent have confidence in threat detection deployed by companies.

“This survey certainly shows that while consumers may shoulder many direct costs and burdens associated with fraud, institutions are also suffering substantially,” NuData Security marketing director Lisa Baergen told eSecurity Planet by email.

“The global uptick in fraud, coupled with ever-increasing amounts of PII available on the black market, makes financial institutions more vulnerable and as a result, their security investments are growing yet their confidence in them isn’t,” Baergen added.

As per Symantec’s Q2 Mobile Threat Intelligence Report: Mobility and Finance found that twenty five percent of mobile devices used by employees at financial services organizations are at risk.

“Since user behavior is such a huge factor in mobile security, user education is one of the most important things an organization can do to… minimize the threat to their organizations through mobile devices,” the report suggests.

____________________________________________________________________________________________

AlertSec ACCESS is a patent pending technology. It is designed to enforce that devices are encrypted before access to a network is granted. Encrypted devices secure your data in case a device is lost or stolen. AlertSec ACCESS checks all computers and smartphones and detects all encryption types.

New Funding for Contrast Security

October 20th, 2017

Contrast Security raised $30 million in a Series C round of financing which was led by Battery Ventures along with venture capital (VC) firms Acero Capital and General Catalyst. The total money raised till date is $54 million.

Company deals in technology that enables enterprises to develop and deploy “self-protecting” software. Contrast Assess and Contrast Protect are two products which integrates security elements into software development process.

“Contrast doesn’t treat the symptoms like a scanner, sandbox, or firewall.  Instead, Contrast infuses both security testing and protection directly into the application, like an immune system for applications that inoculates against vulnerabilities and attacks,” explained Williams. “Simply add Contrast to your application environment, and it starts working immediately without any code or process changes, and without needing security experts.”

Contrast takes two approaches for security.

“Contrast Assess focuses on vulnerabilities, and instantly alerts development teams so they can fix code without disrupting software development. Contrast Protect identifies and blocks attacks, rendering them ineffective,” said Williams. “Together, Contrast Assess and Protect provide organizations with a comprehensive self-protecting software solution that works in data center, cloud, and container [environments], throughout an application’s development and deployment.”

The company’s approach combines DevOps and security without affecting performance, Williams added. In terms of threats and attacks, Contrast’s technology protects against the Open Web Application Security Project (OWASP) top 10 vulnerabilities and much more.

“Contrast invented a way to combine multiple different analysis techniques in a single component that measures vulnerabilities and attacks directly from the running application. This provides an almost unfair information advantage that allows Contrast to protect against a broader range of security problems than other tools and to do it more accurately,” Williams added.

Security risks blocked by company product includes Command Injection, Cross-Site Scripting (XSS), Hard-coded Password, Insecure Encryption Algorithms, Java Reflection Injection, NoSQL Injection, SQL Injection, Weak Random Number Generation among many more. “Contrast also includes a powerful rule language that allow definition of both positive (behavior pattern is required) and negative (behavior pattern is disallowed) security rules,” Williams concluded.

____________________________________________________________________________________________

AlertSec ACCESS is a patent pending technology designed to check that devices are encrypted before access to a network is granted. Encrypted devices secure your data even if they are lost or stolen.