Cyber Security

Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, including functionality for encrypting and decrypting data and for validating digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).

Microsoft has not yet responded to requests for comment. However, KrebsOnSecurity has heard rumblings from several sources over the past 48 hours that this Patch Tuesday (tomorrow) will include a doozy of an update that will need to be addressed immediately by all organizations running Windows.
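As an added practitioner check (this is not part of the KrebsOnSecurity article), the PowerShell below records the crypt32.dll file version on a host, lists which updates landed recently so the patch state can be confirmed after Tuesday, and verifies a binary's Authenticode signature, reporting the signer rather than a bare "signed" flag. The seven-day window and the notepad.exe path are assumptions for illustration; run it in an elevated session.

```powershell
# Added example, not code from the article: pre/post-patch checks for a
# Windows host ahead of a crypt32.dll update. Assumes PowerShell 5.1+ and
# local administrator rights.

# 1. Record the file version and signature status of crypt32.dll (native and
#    WOW64 copies) so pre- and post-patch values can be compared and logged.
$crypt32Paths = @(
    (Join-Path $env:SystemRoot 'System32\crypt32.dll')
    (Join-Path $env:SystemRoot 'SysWOW64\crypt32.dll')
)
foreach ($path in $crypt32Paths) {
    if (Test-Path $path) {
        $info = (Get-Item $path).VersionInfo
        '{0}: version {1}, signature {2}' -f $path, $info.FileVersion, (Get-AuthenticodeSignature -FilePath $path).Status
    }
}

# 2. List updates installed in the last 7 days (assumed window) to confirm the
#    Patch Tuesday rollup actually landed on this host.
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-7) } |
    Sort-Object InstalledOn -Descending |
    Format-Table HotFixID, Description, InstalledOn -AutoSize

# 3. Verify the Authenticode signature on a binary and report who signed it and
#    the chain status, not just whether a signature is present.
function Test-BinarySignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = $sig.SignerCertificate.Subject
        Issuer     = $sig.SignerCertificate.Issuer
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

# Assumed target for illustration; substitute the binary you actually want to check.
Test-BinarySignature -Path (Join-Path $env:SystemRoot 'System32\notepad.exe')
```

One caveat worth keeping in mind: Get-AuthenticodeSignature validates through the same CryptoAPI path (WinVerifyTrust) that crypt32.dll serves, so on an unpatched host a signature check is only as trustworthy as the component under suspicion. Compare results against a patched host, or pin the expected signer thumbprints for your critical binaries, rather than relying on the Status field alone.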

Will Dormann, a security researcher who authors many of the vulnerability reports for the CERT Coordination Center (CERT-CC), tweeted today that “people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others. I don’t know…just call it a hunch?” Dormann declined to elaborate on that teaser.

It could be that the timing and topic here (cryptography) are nothing more than a coincidence, but KrebsOnSecurity today received a heads up from the U.S. National Security Agency (NSA) stating that NSA’s Director of Cybersecurity Anne Neuberger is slated to host a call on Jan. 14 with the news media that “will provide advanced notification of a current NSA cybersecurity issue.”

The NSA’s public affairs folks did not respond to requests for more information on the nature or purpose of the discussion. The invitation from the agency said only that the call “reflects NSA’s efforts to enhance dialogue with industry partners regarding its work in the cybersecurity domain.”

Stay tuned for tomorrow’s coverage of Patch Tuesday and possibly more information on this particular vulnerability.

Tags: Anne Neuberger, CERT Coordination Center, CERT-CC, crypt32.dll, microsoft, Microsoft CryptoAPI, national security agency, nsa, Patch Tuesday January 2020, Will Dormann, windows

Source: https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/

Cyber Security

Third-Party IoT Vulnerabilities: We Need a Cybersecurity Paradigm Shift

The only entities equipped to safeguard Internet of Things devices against risks are the IoT device manufacturers themselves.

The discovery of the Ripple20 vulnerabilities, affecting hundreds of millions of Internet of Things (IoT) devices, is the latest reminder of the dangers that third-party bugs pose to connected devices.

Although the estimated 31 billion IoT devices in the world perform a vast array of crucial functions — powering lifesaving medical tools, facilitating efficient transportation, and transforming critical business processes — these devices are alarmingly vulnerable to attack. In large part, that’s because OEMs rely on third-party vendors — like the Ohio software company at the center of the Ripple20 firestorm — that sell code riddled with potential entry points for malicious hackers.

Yet a recent Ponemon Institute study found that six in 10 organizations do not monitor the cyber-risks of IoT devices developed by third parties, leaving thousands of businesses and institutions accountable for supplying vulnerable products and exposed to heavy financial losses and reputational damage.

The only entities equipped to safeguard IoT devices against these risks are the IoT device manufacturers themselves, given that end users typically lack adequate security mechanisms for protecting their connected devices. Because new vulnerabilities will keep appearing, there is no magic bullet, but by assuming accountability and protecting each individual device, manufacturers can prevent attacks and secure IoT innovation.

Proliferating Vulnerabilities
Who’s most at risk from inadequate IoT cybersecurity? Just about everyone. Take the Ripple20 case, which centers on 19 bugs found in code sold by the software company Treck. The company’s code is found in devices used by everyone from mom-and-pop shopkeepers to Fortune 500 companies, as researchers at JSOF, who discovered the vulnerabilities, noted. Affected industries spanned the gamut, including medical, transportation, energy, retail, and more.

News of the Ripple20 bugs came on the heels of the revelation that 26 new vulnerabilities had been discovered in the Zephyr Real Time Operating System (RTOS), which powers IoT devices and is supported by vendors including Intel, Nordic, and Texas Instruments.

In another case, the US Food and Drug Administration announced in March the discovery of 12 additional third-party vulnerabilities, known as “SweynTooth,” affecting IoT medical devices. That underscores that the risk posed by security vulnerabilities can extend beyond property and reputation to life itself, with attackers potentially able to steal sensitive medical data or stop devices such as heart monitors from working.

The takeaway from these cases: vulnerabilities within IoT devices are proliferating. So how can manufacturers meet the scale of the threat?

New Pressure on OEMs
Fortunately, the latest revelations of IoT bugs haven’t caught policymakers unaware. Regulatory measures are shifting the burden of responsibility onto device manufacturers. Case in point: a new California law took effect in January requiring IoT OEMs to equip devices with security features appropriate to the nature of the device and the information it collects and transmits, and designed to prevent unauthorized access or manipulation. California and Oregon were the first two states to adopt such a law; both laws took effect in January 2020.

Meanwhile, the UK Department for Digital, Culture, Media and Sport announced proposed legislation along similar lines earlier this year, requiring manufacturers to provide a public point of contact for reporting vulnerabilities and to state explicitly the minimum period for which a device will receive security updates.

Governments across the globe should join this regulatory effort, putting pressure on OEMs to act swiftly to safeguard the devices critical to both our lives and our livelihoods. The bottom line: No IoT device should be allowed on the market if proper security isn’t installed on the device itself.

A Paradigm Shift
The goal of IoT cybersecurity shouldn’t be eradicating all vulnerabilities; that would be setting manufacturers up for failure. Vulnerabilities will always exist — so what’s needed instead is a paradigm shift in how manufacturers think about securing connected devices.

Device manufacturers cannot outsource security to their third-party vendors. As gatekeepers, OEMs themselves must implement controls that protect their customers, and effective design protection means securing not only the manufacturer’s own code but every third-party component shipped in the device. Secure-by-design practices, static analysis, and even hardware security each cover only part of that need, and network security is likewise only one piece of the puzzle: it cannot protect devices once they are distributed in the field.
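The Ponemon finding above (six in 10 organizations do not monitor third-party IoT risk) and the point that OEMs must own the security of every shipped component both come down to the same operational step: knowing which third-party components are in each firmware image and checking them against advisory data before release. The PowerShell below is an added example, not code from the article or from any vendor, of such a build-time gate. The component manifest and advisory entries are constructed for the example, and the component names and version ranges are illustrative rather than taken from the real Ripple20, Zephyr, or SweynTooth advisories.

```powershell
# Added example: gate a firmware release on its third-party component manifest.
# All data below is constructed for illustration.

# Constructed component manifest for one firmware image.
$Manifest = @(
    @{ Component = 'third-party-tcpip'; Version = '6.0.1.41' }
    @{ Component = 'rtos-kernel';       Version = '2.3.0'    }
    @{ Component = 'ble-stack';         Version = '1.4.2'    }
    @{ Component = 'oem-app';           Version = '3.1.0'    }
)

# Constructed advisory list. A component is affected when its version is below
# FixedIn; FixedIn = $null means the vendor has not published a fix yet.
$Advisories = @(
    @{ Id = 'ADV-0001'; Component = 'third-party-tcpip'; FixedIn = '6.0.1.70'; Severity = 'Critical' }
    @{ Id = 'ADV-0002'; Component = 'rtos-kernel';       FixedIn = '2.4.0';    Severity = 'High'     }
    @{ Id = 'ADV-0003'; Component = 'ble-stack';         FixedIn = $null;      Severity = 'High'     }
)

function Get-AffectedComponents {
    param([array]$Manifest, [array]$Advisories)
    foreach ($entry in $Manifest) {
        # [version] gives a proper numeric dotted-version comparison (1.10.0 > 1.9.0),
        # which a plain string comparison would get wrong.
        $installed = [version]$entry.Version
        foreach ($adv in ($Advisories | Where-Object { $_.Component -eq $entry.Component })) {
            $affected = if ($null -eq $adv.FixedIn) { $true } else { $installed -lt [version]$adv.FixedIn }
            if ($affected) {
                [pscustomobject]@{
                    Component = $entry.Component
                    Installed = $entry.Version
                    Advisory  = $adv.Id
                    Severity  = $adv.Severity
                    FixedIn   = if ($adv.FixedIn) { $adv.FixedIn } else { 'none yet' }
                }
            }
        }
    }
}

$findings = Get-AffectedComponents -Manifest $Manifest -Advisories $Advisories
$findings | Format-Table -AutoSize

# Release policy (assumed): block on any Critical finding, or on any finding for
# which no fix exists, since those cannot be closed by a simple version bump and
# need a compensating control on the device itself.
$blocking = $findings | Where-Object { $_.Severity -eq 'Critical' -or $_.FixedIn -eq 'none yet' }
if ($blocking) {
    Write-Error ('Release blocked: {0} unresolved third-party finding(s)' -f @($blocking).Count)
    exit 1
}
```

With the constructed data, all three advisories match (the TCP/IP stack and the RTOS are below their fix versions, and the BLE stack has no fix), and the gate fails the build on the Critical TCP/IP finding and the unfixed BLE finding. The [version] type only handles purely numeric dotted versions; components that use tags such as 2.3.0-rc1 need a small parser before comparison.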

When manufacturers do ultimately discover vulnerabilities, they should patch them, but patching shouldn’t be the focal point of their cybersecurity strategy. Instead, OEMs should adopt protections that block exploitation attempts on the device itself, whether or not the underlying vulnerability is yet known. Newer IoT security techniques make this possible. OEMs can then spend less time and money hunting for vulnerabilities, because they will be better equipped to stop exploitation attempts and respond immediately to incidents.

In the IoT age, each individual device serves as a potential point of entry for attackers, which is why manufacturers should ensure that protection is embedded in each device. Such solutions will be critical as IoT on 5G networks is poised to drive $8 billion in revenue for operators by 2024.


Natali brings over 10 years of experience, both as a researcher and a team leader, in the field of offensive cybersecurity and software development. After graduating magna cum laude B.Sc. in Computer Science at the age of 19, as part of a special program for gifted and …

Source: https://www.darkreading.com/iot/third-party-iot-vulnerabilities-we-need-a-cybersecurity-paradigm-shift/a/d-id/1338333?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cyber Security

Understand The Data

TF7 Episode 142




Brian Vecci, Field Chief Technology Officer at Varonis, joins George Rettas on Task Force 7 Radio. Understand the data: what you have, where it is, how it is exposed, how it is being used, and how it is accessed. When you start from the inside out, you have a much better picture of what is going on and a much better ability to build the technology and prevent attacks.

George and Brian discuss whether CISOs in fact know where their crown jewels are, and that much of the data is actually open to anyone who plugs into the network. That means any insider has the key and “the doors are left wide open.”

The conversation moves on to the distributed workforce and how, across the board, organizations were already on an accelerated course toward remote work. Borderless security has been a topic du jour for some time, but the global pandemic hurled us into what had previously been known as the future of work.

The threats now being seen are what one would expect. A focus on business continuity has left security doors wide open and offered friendlier ground for brute-force and phishing attacks. Three-year rollouts have turned into three-week rollouts, and defensive steps have been skipped as a result.

Episode Overview

Brian has been in cybersecurity for over a decade and was an IT systems architect for the decade before that. He thinks first about data. In his opinion, the security community has historically focused on perimeters: endpoints, firewalls, antivirus. Data has been ignored. “No one is breaking into a network to get access to the network itself – they’re there for data.”
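The claim in the episode that much of an organization's data is open to anyone who plugs into the network is something a defender can measure directly. The PowerShell below is an added example, not material from the Task Force 7 episode or from Varonis, that enumerates the SMB shares on a Windows file server and flags those whose share-level permissions grant access to broad principals. It assumes PowerShell 5.1+ with the SmbShare module (Windows 8 / Server 2012 and later) and local administrator rights; the list of broad principals is an assumption you can extend.

```powershell
# Added example: find SMB shares that anyone on the network can read or write.

# Principals that effectively mean "anyone who can reach the share" (assumed list).
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

function Get-OverexposedShare {
    param([string[]]$BroadPrincipals)
    # Skip the built-in administrative shares (C$, ADMIN$, IPC$); they are admin-only by design.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and ($BroadPrincipals -contains $_.AccountName)
        } | ForEach-Object {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $_.AccountName
                Right     = $_.AccessRight   # Read, Change, or Full
            }
        }
    }
}

$exposed = Get-OverexposedShare -BroadPrincipals $BroadPrincipals
$exposed | Sort-Object Share | Format-Table -AutoSize

# Shares writable by a broad principal are the ones any insider, or any compromised
# host on the network, can use to alter or stage data, so call them out separately.
$exposed | Where-Object { $_.Right -in 'Change', 'Full' } | ForEach-Object {
    Write-Warning ('{0} ({1}) is writable by {2}' -f $_.Share, $_.Path, $_.Principal)
}
```

Share permissions are only half of the effective access: the NTFS ACL on the underlying folder is intersected with the share ACL, so a share that looks open here may still be restricted on disk (check with Get-Acl on $share.Path), and a tight share ACL does not help users who reach the folder by another route. Running this across file servers and trending the count of broad-access shares is a practical way to turn the "doors are wide open" observation into a number.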

Listen Now: https://app.stitcher.com/splayer/f/152784/75982685

Source: https://www.cshub.com/attacks/articles/understand-the-data

Cyber Security

Amazon-Themed Phishing Campaigns Swim Past Security Checks


Source: https://threatpost.com/amazon-phishing-campaigns-security-checks/157495/
