Want to block two billion known breached passwords from being used at your company? It’s easy with Specops Password Policy tools

Read Time:24 Second

Graham Cluley Security News is sponsored this week by the folks at Specops. Thanks to the great team there for their support! With the help of live attack data, Specops Software’s Breached Password Protection can detect over 2 billion known breached passwords in your Active Directory. Using the Specops database, you can block commonly used … Continue reading “Want to block two billion known breached passwords from being used at your company? It’s easy with Specops Password Policy tools”

Read More

Tenable Capture the Flag 2022: The Results Are In!

Read Time:1 Minute, 6 Second

It’s time to crown the winners of this year’s Capture the Flag Event!

This event presented a series of security-related challenges in a Jeopardy-style format. Challenges ranged in difficulty and topics including Web App, Reverse Engineering, Crypto, Stego, OSINT, Forensics, Code and more.

There was stiff competition but the following teams captured the titles, earning 1st, 2nd, and 3rd place respectively.

And now – the moment you’ve all been waiting for…

Congratulations for your superior performance in the 2022 Tenable CTF:

1st Place

Team: bootplug

Score: 8600

Winning Team: klarz, unblvr, feynman137, poiko, zup

2nd Place

Team: View Source

Score: 6300

Winning Team: vs1, vs0, Sheep, rik

3rd Place

Team: Corax

Score: 5900

Winning Team: langemyh, Corax, Shirajuki, varcella, nicw

A HUGE thank you to all those who participated. The response from the community was overwhelming and we look forward to seeing you at next year’s Capture the Flag Event in 2023!

Here are the final Capture the Flag stats:

Check out the CTFtime page to view some of the community’s write ups.

That’s a wrap on the first Tenable Capture the Flag event!

Thanks for making the 2022 Tenable Capture the Flag Event a huge SUCCESS! We hope you all had as much fun competing as we had putting it together!

Read More

Attacking the Performance of Machine Learning Systems

Read Time:1 Minute, 34 Second

Interesting research: “Sponge Examples: Energy-Latency Attacks on Neural Networks“:

Abstract: The high energy costs of neural network training and inference led to the use of acceleration hardware such as GPUs and TPUs. While such devices enable us to train large-scale neural networks in datacenters and deploy them on edge devices, their designers’ focus so far is on average-case performance. In this work, we introduce a novel threat vector against neural networks whose energy consumption or decision latency are critical. We show how adversaries can exploit carefully-crafted sponge examples, which are inputs designed to maximise energy consumption and latency, to drive machine learning (ML) systems towards their worst-case performance. Sponge examples are, to our knowledge, the first denial-of-service attack against the ML components of such systems. We mount two variants of our sponge attack on a wide range of state-of-the-art neural network models, and find that language models are surprisingly vulnerable. Sponge examples frequently increase both latency and energy consumption of these models by a factor of 30×. Extensive experiments show that our new attack is effective across different hardware platforms (CPU, GPU and an ASIC simulator) on a wide range of different language tasks. On vision tasks, we show that sponge examples can be produced and a latency degradation observed, but the effect is less pronounced. To demonstrate the effectiveness of sponge examples in the real world, we mount an attack against Microsoft Azure’s translator and show an increase of response time from 1ms to 6s (6000×). We conclude by proposing a defense strategy: shifting the analysis of energy consumption in hardware from an average-case to a worst-case perspective.

Attackers were able to degrade the performance so much, and force the system to waste so many cycles, that some hardware would shut down due to overheating. Definitely a “novel threat vector.”

Read More

LSN-0087-1: Kernel Live Patch Security Notice

Read Time:27 Second

Aaron Adams discovered that the netfilter subsystem in the Linux kernel did
not properly handle the removal of stateful expressions in some situations,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or execute arbitrary code.(CVE-2022-1966)

Ziming Zhang discovered that the netfilter subsystem in the Linux kernel
did not properly validate sets with multiple ranged fields. A local
attacker could use this to cause a denial of service or execute arbitrary
code.(CVE-2022-1972)

Read More

API security: 12 essential best practices to keep your data & APIs safe

Read Time:5 Minute, 41 Second

This blog was written by an independent guest blogger.

If you don’t think API security is that important, think again. Last year, 91% of organizations had an API security incident. The proliferation of SOAP and REST APIs makes it easy for organizations to tailor their application ecosystems. But, APIs also hold the keys to all of a company’s data. And as data-centric projects become more in demand, it increases the likelihood of a target API attack campaign. 

Experts agree that organizations that keep their API ecosystem open should also take steps to prevent ransomware attacks and protect data from unauthorized users. Here is a list of 12 tips to help protect your API ecosystem and avoid unnecessary security risks. 

Encryption

The best place to start when it comes to any cybersecurity protocol is encryption. Encryption converts all of your protected information into code that can only be read by users with the appropriate credentials. Without the encryption key, unauthorized users cannot access encrypted data. This ensures that sensitive information stays far from prying eyes. 

In today’s digital business environment, everything you do should be encrypted. Using a VPN and Tor together runs your network connection through a secured server. Encrypting connections at every stage can help prevent unwanted attacks. Customer-facing activities, vendor and third-party applications, and internal communications should all be protected with TLS encryption or higher. 

Authentication

Authentication means validating that a user or a machine is being truthful about their identity. Identifying each user that accesses your APIs is crucial so that only authorized users can see your company’s most sensitive information. 

There are many ways to authenticate API users:

HTTP basic authentication
API authentication key configuration
IdP server tokens

OAuth & OpenID Connect

A great API has the ability to delegate authentication protocols. Delegating authorizations and authentication of APIs to an IdP can help make better use of resources and keep your API more secure. 

OAuth 2 is what prevents people from having to recall from memory thousands of passwords for numerous accounts across the internet and allows users to connect via trusted credentials through another provider (like when you use Facebook, Apple, or Google to log in or create an account online).

This concept is also applied to API security with IdP tokens. Instead of users inputting their credentials, they access the API with a token provided by a third-party server. Plus, you can leverage the OpenId Connect standard by adding an identity layer on top of OAuth. 

Audit, log, and version

Without adequate API monitoring, there is no way organizations can stop insidious attacks. Teams should continuously monitor the API and have an organized and repeatable troubleshooting process in place. It’s also important that companies audit and log data on the server and turn it into resources in case of an incident. 

A monitoring dashboard can help track API consumption and enhance monitoring practices. And don’t forget to add the version on all APIs and depreciate them when appropriate. 

Stay private

Organizations should be overly cautious when it comes to vulnerabilities and privacy since data is one of the most valuable and sought-after business commodities. Ensure error messages display as little information as possible, keep IP addresses private, and use a secure email gateway for all internal and external messaging. Consider hiring a dedicated development team that has only necessary access and use an IP whitelist and blacklist to restrict access to resources. 

Consider your infrastructure

Without a good infrastructure and security network, it’s impossible to keep your API secure. Make sure that your servers and software are up to date and ensure that regular maintenance is done to consolidate resources. You should also ensure that third-party service providers use the most up-to-date versioning and encryption protocols. 

Throttling and quotas

DDOS attacks can block legitimate users from using their dedicated resources, including APIs. Restricting access to the API and application organizations can ensure that no one will abuse your APIs. Setting throttling limits and quotas is a great way to prevent cyberattacks from numerous sources, such as a DDOS attack. Plus, you can prevent overloading your system with unnecessary requests. 

Data validation

All data must be validated according to your administrative standards to prevent malicious code from being injected into your API. Check every piece of data that comes through your servers and reject anything unexpected, significantly large, or from an unknown user. JSON and XML schema validation can help check your parameters and prevent attacks. 

OWASP Top 10

Staying up on the OWASP (Open Web Application Security Project) Top 10 can help teams implement proactive measures to protect the API from known vulnerabilities. The OWASP Top 10 lists the 10 worst vulnerabilities according to their exploitability and impact. Organizations should regularly review their systems and secure all OWASP vulnerabilities. 

API firewalling

An API firewall makes it more difficult for hackers to exploit API vulnerabilities. API firewalls should be configured into two layers. The first DMZ layer has an API firewall for basic security functions, including checking for SQL injections, message size, and other HTTP security activities. Then the message gets forwarded to the second LAN layer with more advanced security functions. 

API gateway management

Using an API gateway or API management solution can help save organizations a lot of time and effort when successfully implementing an API security plan. An API gateway helps keep data secure with tools to help monitor and control your API access. 

In addition to streamlined API security implementation, an API management solution can help you make sense of API data to power future business decisions. Plus, with the help of creative graphic design, many API management solutions and gateways offer a simple UI with easy navigation. 

Call security experts

Although cybersecurity positions are popping up worldwide, many organizations are having difficulty finding talented experts with the right security credentials to fill in the security gaps. There are ways to attract cybersecurity professionals to your company, but cybersecurity can’t wait for the right candidate. 

Call the security experts at AT&T cybersecurity to help you manage your network and API security. Plus, you can use ICAP (Internet Content Adaptation Protocol) servers to scan the payload of your APIs. 

Final thoughts

As digital tools and technologies continue to evolve, so will hackers’ attempts to exploit crucial business data. Putting some basic API security best practices in place will help prevent attacks in the future and contribute to a healthy IT policy management lifecycle. 

The best way to ensure that your APIs are safe is to create a company-wide mindset of cyber hygiene through continuous training and encouraging DevSecOps collaborative projects. However, organizations can secure their digital experiences and important data by following these simple tips to enhance their API security. 

Read More

Location data poses risks to individuals, organizations

Read Time:35 Second

The market for you and your device’s location is enormous and growing. That data is collected by your network provider, by apps on your smart devices, and by the websites with which you engage. It is the holy grail of marketing, and infosec’s nightmare. 

Companies that produce location-tracking algorithms and technological magic are riding the hyper-personalized marketing rocket, which continues to expand at breathtaking speed. In the fall of 2021, Grandview Research estimated the U.S. market alone to be approximately $14 billion USD and expected it to expand at a compound annual growth rate (CAGR) of 15.6% from 2022 to 2030.

To read this article in full, please click here

Read More

We don’t need another infosec hero

Read Time:56 Second

There’s this belief among a lot of security professionals that we are special, in that we are the defenders of our companies.  We like to think we hold ourselves to a higher standard of care than our coworkers.  If not for us, the thinking goes, our companies would crash and burn in horrible ways.  Breaches would run rampant.  Data would be stolen left and right. Cloud environments would be filled with adversaries.  Enterprise systems would be locked up by ransomware.  Without our heroic efforts, those things would be happening all the time!  We are the defenders!

Except we aren’t the defenders.   We might be defenders, but we aren’t the only ones.  Our DevOps teams defend reliability all the time.  Our lawyers protect us from liability.  Our product managers and sales teams protect our paychecks (maybe they’re the real heroes).  In setting ourselves apart in our own minds, we set ourselves apart in practice.  While we like the heroic feeling it gives us to be the defenders, it has a lot of downsides.

To read this article in full, please click here

Read More