The authority said its servers were compromised on December 20 last year

Read More

The partnership between these two market-leading vendors enables MSSPs around the world to fast-track cutting-edge MXDR services.

AT&T, the leader in network and managed security services, and SentinelOne, the leader in next generation, autonomous endpoint protection, today announced a strategic alliance to help prevent cybercrime. The partnership focuses on providing managed security service providers (MSSPs) around the world with a clear path to providing top-tier managed extended detection and response (MXDR) capabilities for customers.

“Managed XDR is a lot different than the conventional detection and response systems in the sense that it enables members of our partner program to build solutions on the platforms their customers already use in order to make the best out of their investments,” says Rakesh Shah, Vice President of Product at AT&T Cybersecurity. “The new alliance combines AT&T USM Anywhere network threat detection capabilities with SentinelOne endpoint protection. Together, these two security platforms provide industry-leading network and endpoint threat detection and response solutions that will enable MSSPs to be successful at providing their end customers with world-class security.”

“AT&T and SentinelOne help MSSPs enter the era of XDR, protecting more surfaces at speeds and scales previously not possible with humans alone. SentinelOne’s autonomous technology coupled with AT&T’s integrated network technologies and services enables MSSPs to reduce risk and boost protection for their customers,” says Mike Petronaci, VP Product at SentinelOne.

The alliance streamlines XDR attainment for partner program members that provide manage security services for a range of organizations. An ideal customer for this MXDR solution would be an MSSP managing small-to-midsized enterprises. Those enterprises may be interested in outsourcing managed cybersecurity services because they do not have the in-house resources to deliver the security results they need. Larger enterprises that do not want to outsource their security completely but are looking for some help could also use this MXDR solution managed by one of our partners.

The tight integration this alliance brings provides MSSP partners with ready access to the award-winning USM Anywhere and SentinelOne platforms. In addition, for MSSPs that acquire SentinelOne endpoint protection through the partner program, AT&T will manage hundreds of additional indicators of compromise through a unique integration within USM Anywhere that streams uniquely tailored security telemetry from the SentinelOne Deep Visibility platform.

Read More

Every year, global security vendors use the RSA Conference (RSAC) to exhibit new products and capabilities. This year, the show returns as an in-person event (with a virtual component) in San Francisco after going all-virtual in 2021 due to the pandemic. At RSAC 2022, starting June 6, new product showcases are dominated by identity and access security, SaaS services and security operations center (SOC) enhancements. Here are some of the most interesting new products set to be shown at the show. (This list will be updated as products are announced during the week.)

To read this article in full, please click here

Read More

Russia’s state news agency said hackers were demanding a ransom

Read More

Octopus and squid genes are weird.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Read More

The U.S. Department of Justice (DOJ) recently revised its policy on charging violations of the Computer Fraud and Abuse Act (CFAA), a 1986 law that remains the primary statute by which federal prosecutors pursue cybercrime cases. The new guidelines state that prosecutors should avoid charging security researchers who operate in “good faith” when finding and reporting vulnerabilities. But legal experts continue to advise researchers to proceed with caution, noting the new guidelines can’t be used as a defense in court, nor are they any kind of shield against civil prosecution.

In a statement about the changes, Deputy Attorney General Lisa O. Monaco said the DOJ “has never been interested in prosecuting good-faith computer security research as a crime,” and that the new guidelines “promote cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

What constitutes “good faith security research?” The DOJ’s new policy (PDF) borrows language from a Library of Congress rulemaking (PDF) on the Digital Millennium Copyright Act (DMCA), a similarly controversial law that criminalizes production and dissemination of technologies or services designed to circumvent measures that control access to copyrighted works. According to the government, good faith security research means:

“…accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

“Security research not conducted in good faith — for example, for the purpose of discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services — might be called ‘research,’ but is not in good faith.”

The new DOJ policy comes in response to a Supreme Court ruling last year in Van Buren v. United States (PDF), a case involving a former police sergeant in Florida who was convicted of CFAA violations after a friend paid him to use police resources to look up information on a private citizen.

But in an opinion authored by Justice Amy Coney Barrett, the Supreme Court held that the CFAA does not apply to a person who obtains electronic information that they are otherwise authorized to access and then misuses that information.

Orin Kerr, a law professor at University of California, Berkeley, said the DOJ’s updated policy was expected given the Supreme Court ruling in the Van Buren case. Kerr noted that while the new policy says one measure of “good faith” involves researchers taking steps to prevent harm to third parties, what exactly those steps might constitute is another matter.

“The DOJ is making clear they’re not going to prosecute good faith security researchers, but be really careful before you rely on that,” Kerr said. “First, because you could still get sued [civilly, by the party to whom the vulnerability is being reported], but also the line as to what is legitimate security research and what isn’t is still murky.”

Kerr said the new policy also gives CFAA defendants no additional cause for action.

“A lawyer for the defendant can make the pitch that something is good faith security research, but it’s not enforceable,” Kerr said. “Meaning, if the DOJ does bring a CFAA charge, the defendant can’t move to dismiss it on the grounds that it’s good faith security research.”

Kerr added that he can’t think of a CFAA case where this policy would have made a substantive difference.

“I don’t think the DOJ is giving up much, but there’s a lot of hacking that could be covered under good faith security research that they’re saying they won’t prosecute, and it will be interesting to see what happens there,” he said.

The new policy also clarifies other types of potential CFAA violations that are not to be charged. Most of these include violations of a technology provider’s terms of service, and here the DOJ says “violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges.” Some examples include:

-Embellishing an online dating profile contrary to the terms of service of the dating website;
-Creating fictional accounts on hiring, housing, or rental websites;
-Using a pseudonym on a social networking site that prohibits them;
-Checking sports scores or paying bills at work.

ANALYSIS

Kerr’s warning about the dangers that security researchers face from civil prosecution is well-founded. KrebsOnSecurity regularly hears from security researchers seeking advice on how to handle reporting a security vulnerability or data exposure. In most of these cases, the researcher isn’t worried that the government is going to come after them: It’s that they’re going to get sued by the company responsible for the security vulnerability or data leak.

Often these conversations center around the researcher’s desire to weigh the rewards of gaining recognition for their discoveries with the risk of being targeted with costly civil lawsuits. And almost just as often, the source of the researcher’s unease is that they recognize they might have taken their discovery just a tad too far.

Here’s a common example: A researcher finds a vulnerability in a website that allows them to individually retrieve every customer record in a database. But instead of simply polling a few records that could be used as a proof-of-concept and shared with the vulnerable website, the researcher decides to download every single file on the server.

Not infrequently, there is also concern because at some point the researcher suspected that their automated activities might have actually caused stability or uptime issues with certain services they were testing. Here, the researcher is usually concerned about approaching the vulnerable website or vendor because they worry their activities may already have been identified internally as some sort of external cyberattack.

What do I take away from these conversations? Some of the most trusted and feared security researchers in the industry today gained that esteem not by constantly taking things to extremes and skirting the law, but rather by publicly exercising restraint in the use of their powers and knowledge — and by being effective at communicating their findings in a way that maximizes the help and minimizes the potential harm.

If you believe you’ve discovered a security vulnerability or data exposure, try to consider first how you might defend your actions to the vulnerable website or vendor before embarking on any automated or semi-automated activity that the organization might reasonably misconstrue as a cyberattack. In other words, try as best you can to minimize the potential harm to the vulnerable site or vendor in question, and don’t go further than you need to prove your point.

Read More

Back in November 2020, in the middle of the COVID-19 pandemic, I gave a virtual talk at the International Symposium on Technology and Society: “The Story of the Internet and How it Broke Bad: A Call for Public-Interest Technologists.” It was something I was really proud of, and it’s finally up on the net.

Read More

A critical vulnerability in Atlassian Confluence Server and Data Center has been exploited in the wild by multiple threat actors. Organizations should review and implement mitigation guidance until a patch becomes available.

Background

On June 2, Atlassian published an advisory for CVE-2022-26134, a critical zero-day remote code execution vulnerability in Confluence Server and Data Center.

Frequently Asked Questions

What is Atlassian Confluence Server and Data Center?
Confluence is web-based software used for workspace collaboration. It can be deployed on-prem or as part of Atlassian Cloud.

What is CVE-2022-26134?
CVE-2022-26134 is a remote code execution vulnerability in Atlassian Confluence Server and Data Center.

How severe is this vulnerability?
CVE-2022-26134 was given a critical rating by Atlassian. At this time, there is no entry for this CVE in the National Vulnerability Database, so it has not been assigned an official CVSSv3 score. However, based on Atlassian’s severity level ratings, this puts this vulnerability between a CVSSv3 of 9.0 to 10.0.

How can an attacker exploit this vulnerability?
At the time of publication, specific details regarding how this vulnerability could be exploited were not made public. However, based on past vulnerabilities in Confluence, an attacker could exploit this flaw by sending a specially crafted request to a vulnerable Confluence Server or Data Center instance that is publicly accessible over the internet. Successful exploitation would allow an attacker to execute code remotely, which could result in full system takeover.

Has this vulnerability been exploited?
Yes, according to Atlassian’s advisory, there is known exploitation of this vulnerability against Confluence Server version 7.18.0.

Is 7.18.0 the only affected version?
No, Atlassian has since confirmed that all supported versions of Confluence Server and Data Center are affected.

We use Confluence as part of Atlassian Cloud. Are we affected?
No, Atlassian says that if you access Confluence through an atlassian.net domain, your site is not vulnerable and there is currently no evidence that Cloud sites have been targeted.

Is a patch available?
At the time of publication, a patch is not available for this vulnerability. However, Atlassian recently updated its advisory stating that a fix would be released by the end of day on June 3. This blog post will be updated once the fix is available.

What can organizations do to protect against this vulnerability?
Atlassian has provided temporary workaround instructions for customers based on their Confluence versions. They both require shutting down Confluence temporarily while applying the mitigations. For more information, please refer to the specific guidance from the Atlassian advisory:

For Confluence 7.15.0 – 7.18.0
For Confluence 7.0.0 – Confluence 7.14.2

How was this vulnerability discovered?
It has been credited to Volexity, which published a blog post about the vulnerability. According to the blog post, Volexity discovered exploitation of this vulnerability over the Memorial Day weekend during an incident response investigation.

Are there any indicators of compromise available?
Yes, Volexity shared a number of network indicators and indicators of compromise, including hunting rules to help defenders identify possible exploitation.

Do we know who is exploiting this flaw?
Volexity believes this vulnerability is being exploited by “multiple threat actors” that appear to be based out of China.

Is there a proof-of-concept (PoC) available for this vulnerability?
At the time this blog post was published, there was no PoC exploit publicly available for this vulnerability.

Does Tenable have any product coverage for this vulnerability?
While there is currently no patch available for this vulnerability, Tenable is investigating product coverage and will provide an update once we have more information to share. In the meantime, we advise organizations to review the recommended mitigation guidance from Atlassian.

Identifying affected systems

A list of Tenable plugins covering CVE-2022-26134 can be found here. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Atlassian Security Advisory for CVE-2022-26134
Volexity Blog Post for Zero-Day Exploitation of CVE-2022-26134

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More

What is SSO?

Single sign-on (SSO) is a centralized session and user authentication service in which one set of login credentials can be used to access multiple applications. Its beauty is in its simplicity; the service authenticates you on one designated platform, enabling you to then use a variety of services without having to log in and out each time.

In the most common arrangement, the identity provider and service provider establish a trust relationship by exchanging digital certificates and metadata, and communicate with one another via open standards such as Security Assertion Markup Language (SAML), OAuth, or OpenID. 

To read this article in full, please click here

Read More

The growing number of internet crimes targeting senior adults is mind-blowing. 

In 2021, more than 92,000 people over the age of 60 reported losses of $1.7 billion, according to IC3, the FBI’s Internet Crime division. That number reflects a 74 percent increase in losses from 2020.  

These numbers tell us a few things. They tell us that scamming the elderly is a multi-billion-dollar business for cybercriminals. It also tells us that regardless of how shoddy or obvious online scams may appear to anyone outside the senior community, they are working. 

However, information is power. Senior adults can protect their hard-earned retirement funds and government benefits by staying informed, adopting new behaviors, and putting tools in place designed to stop scammers in their tracks. And, when possible, family, friends, and caregivers can help. 

The FBI said confidence fraud and romance scams netted over $281 million in losses.  

The top four types of scams targeting seniors: Romance scams (confidence scams), fake online shopping, false utility representatives, and government agent imposters. Here’s how to make a few shifts to mindset and your daily routine and steer clear of digital deception.   

5 Safeguards to Protect Your Retirement 

Stop. Don’t share. Often phone or internet scams targeting seniors carry distinctive emotional triggers of elation (you won), fear (you owe), or empathy (please help). For instance, a phony source might urge: “You must send admin fees immediately to access your sweepstake winnings.” Or “You must provide your social security number to stop this agency penalty.” FBI and Better Business Bureau fraud experts advise senior adults to stop and think before taking any action. Be aware of common phishing scams that include legitimate-looking email messages from a bank, federal agency, or service provider requesting you “verify” personal information. The number one rule: Never give out any personal information such as a Social Security number, bank account numbers, Medicare numbers, birthdate, maiden names, work history, or your address. 
Level up your security. Changing times call for new tools and new behaviors online. Consider adopting best practices such as installing McAfee security software, using strong passwords with Two-Factor Authentication (2FA), and knowing how to identify phishing and malware scams are fundamental components of digital literacy. For a deeper dive into cybersecurity best practices, read more.  
Discuss new scams. Scammers rapidly adjust their tactics to current events such as the pandemic, tax season, or an economic crisis to emotionally bait senior adults. If you are a senior adult, check out weekly consumer alerts from IC3 or AARP to stay on top of the types of scams you may encounter. If you are a relative or caregiver to a senior adult, stay informed, discuss these scams with your loved one, and explore other ways to help
Research all charities. Senior adults get daily calls, emails, or even Facebook messages trying to bilk them of their money. It’s essential to do your research. Before donating to a charity, you can consult Give.Org or Charity Navigator to verify the request is legitimate. 
Report all scams and scam attempts. If you’ve been a victim of an online scam or even targeted unsuccessfully, report the incident immediately. Any consumer can report online scams at the FBI’s IC3 website. Credit, debit, or bank account fraud should be immediately reported to your bank.   

Just as the seasons change in our lives, so too must our behaviors when connecting to people and information via our devices. Cybercriminals target older people because they assume they aren’t as informed about schemes or technically savvy as younger people. Senior adults and their loved ones can work daily to change that narrative. With the right mindset, information, and tools, seniors can connect online with confidence and enjoy their golden years without worrying about digital deception.  

The post Seniors: How to Keep Your Retirement Safe from Online Scams appeared first on McAfee Blog.

Read More