Wednesday, June 24, 2015

Dear Adobe Flash, why won't you DIE, DIE, DIE?

Earlier this month, security outfit FireEye's 'FireEye as a Service' researchers out in Singapore discovered and reported on a phishing campaign that was found to be exploiting a zero-day vulnerability in Adobe Flash Player (CVE-2015-3113). That campaign has been well and truly active for a while now, with attacking emails including links to compromised sites serving up benign content if you are lucky and a malicious version of the Adobe Flash Player complete with the exploit code if you are not. I'm with Brian Krebs who, just the other week, wrote about how he has "spent the better part of the last month running a little experiment to see how much I would miss Adobe's buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much." C'mon folks, be honest now, do you really need Flash, do you really use it and would you really miss it? Let's all do the decent thing and shoot this sick beyond belief monstrosity in the head...

In other news, Dell brings Greek malware into view

A couple of decades ago, in another life, I wrote a little script which would capture keystrokes and then store that data within the 'white space' of an image file. It was pretty crude, but it was also twenty years ago and to be honest nobody was really looking for stuff which was effectively hidden in plain sight that way. That way being the use of something called steganography, from the Greek steganos which means covered and graphie which means writing; so literally covered writing. I used it to good effect during my period as an explorer of networks belonging to other people, most notably when sysadmins would stay at my apartment and login to their networks in order to do a bit of housekeeping and, unknown to them at the time, give me root. Things have moved on a lot since then, and steganography has become a much more complex tool being deployed by cybercriminals.

Thursday, June 18, 2015

Samsung keyboard vulnerability exposes triple whammy mobile flaw

Researchers at NowSecure have uncovered a vulnerability in the stock keyboard that is pre-installed on 600 million Samsung mobile devices, including the new Galaxy S6, that can apparently enable a remote arbitrary code execution attack. According to the researcher Ryan Welton, the SwiftKey IME keyboard update mechanism can be manipulated by a remote attacker capable of controlling user network traffic, and can then execute code as a privileged system user on the target phone. As far as we can tell, the threat itself only actually applies to users of Samsung mobile devices which run a stock keyboard version of the SwiftKey keyboard, rather than the app which is available for download from the Apple or Google Play stores (this appears to be confirmed by the developers). Which begs the question, if the standalone download is secure what went wrong with the Samsung IME keyboard development process?

Why I'm NOT changing my LastPass master password

The news that LastPass network security has been compromised is, of course, a serious issue. That the company being breached was one that provides a password-management service ratchets up the seriousness by a notch – or ten. So why am I, someone who has built a career on writing about IT security, not pulling my hair out about it? Well, beyond the fact that I have none to tug at, the LastPass “breach” isn’t as big a deal for some of us as it is for others.

Event log management: stop security threats by turning your data to detective

Log management is, without a doubt, one of the most boring subjects to set before even the most hardcore of IT admins. Seriously, just the mention of analyzing event logs is enough to send a geek to sleep. Unless, that is, the geek happens to understand that these logs have the power if not always to stop a potential security breach before it starts then certainly to stop it before it succeeds. Think of log management and the alerting capabilities that come attached as being the Agatha Christie of the server room, or perhaps more appropriately the Hercule Poirot: this is where data turns detective!

Saturday, June 13, 2015

My campervan is not a cyber security risk

Speaking to TrustedReviews this week, Alexander Moiseev, Kaspersky Europe's Managing Director, has warned that your car is at serious risk of being hacked. He is, however, wrong and I'm going to explain why. Kaspersky Lab and Mr Moiseev may well insist that the threats to the automotive industry are very real, and very much here and now; and while I don't dispute that there are concerns, I do think there is a very real element of Mandy Rice-Davies Applies about the entire debate. With the demise, albeit a long and drawn out death, of desktop AntiVirus as the golden goose of the IT security industry, it should come as no real surprise when that industry looks for alternative areas to occupy. Transport is one of the much hyped, I would argue over-hyped, areas currently doing the rounds. The more the 'threat' is talked up, the more there will be a demand from consumers for 'protection', and vehicle manufacturers will turn to vendors to supply it. That is a long way from my campervan being hackable now, or ever, as a matter of fact.

OPM Breach: US Gov policy one of 'benign neglect'

As news breaks that a second breach at the federal Office of Personnel Management may have seen another set of data, potentially more valuable than that accessed during the first, Philip Lieberman, President of privileged identity management specialists Lieberman Software, has been talking about what went wrong. Here's what he had to say on the matter:

"The apparent US Government policy with regard to the protection of commercial enterprises attacked by nation states and others has been benign neglect (perhaps a shoulder to cry on). Current law and government policy forbid commercial enterprises to take any action against the attacker and require them to handle the matter via the rule of law and in the appropriate jurisdiction. Since there has been little to no recourse possible, commercial enterprises have been attacked and damaged with little government assistance. We are told to build better walls and operate in a defensive mode even though both our government and the governments of others have cyber weapons against which commercial enterprises have no effective defence. Using technologies such as air gaps, segmented networks, encryption and privileged identity management can reduce the damage, and the scope of the damage, caused by these weapons. So there is no real defence, only the concept of acceptable loss."