Category Archives: News

CVSS 9.9-Rated Samba Bug Requires Immediate Patching

Read Time:1 Minute, 45 Second

CVSS 9.9-Rated Samba Bug Requires Immediate Patching

A critical vulnerability in a popular open-source networking protocol could allow attackers to execute code with root privileges unless patched, experts have warned.

Samba is a popular free implementation of the SMB protocol, allowing Linux, Windows and Mac users to share files across a network.

However, a newly discovered critical vulnerability (CVE-2021-44142) in the software has been given a CVSS score of 9.9, making it one of the most dangerous bugs discovered in recent years. Log4Shell was given only a slightly higher score of 10.0.

“All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read-write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit,” Samba explained.

“The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.”

Patches have been released, and Samba updates 4.13.17, 4.14.12 and 4.15.5 have been issued to fix the problem, with administrators being urged to upgrade to these releases or apply the patch as soon as possible. The vulnerability has not yet been exploited in the wild at the time of writing, but this is likely to change.

An additional workaround is possible if sysadmins remove the “fruit” VFS module from the list of configured VFS objects in any “vfs objects” line in the Samba configuration smb.conf.

The new vulnerability comes at a busy time for administrators, many of whom spent time over the holidays hunting for instances of vulnerable Log4j hidden in Java dependencies across their organization.

Last year was another record-setter in terms of the number of CVEs published to the National Vulnerability Database (NVD), the fifth year in a row this has happened.

Read More

5 steps to run a successful cybersecurity champions program

Read Time:45 Second

Cybersecurity champions programs nurture and encourage cybersecurity awareness within a business, combining education with peer-to-peer collaboration to embed a culture of security understanding, support, and positive behavior among a workforce. A typical program consists of individuals from different departments who act as security advocates for their function and help to shape an organization’s cybersecurity approach internally.

Growing in popularity across a wide range of industries, cybersecurity champions programs have proven so beneficial that they became integral components of some organizations’ cybersecurity awareness strategies.

An effective and productive cybersecurity champions program requires several key elements to achieve its goals and avoid being a wasted investment. Here are the advantages of running a cybersecurity champions program for CISOs with five steps to doing so, including advice from security leaders and experts who have first-hand experience in this area.

To read this article in full, please click here

Read More

Managing security in hybrid Windows 11 and Windows 10 environments

Read Time:1 Minute, 2 Second

You’ve been given the task for 2022 to start a pilot project for deploying and managing Windows 11.  Any platform is only as secure as how well you can manage it. Microsoft has stated that managing Windows 11 will be just like managing Windows 10. However, some distinct nuances in management may make you reconsider the security management tools that you’ll use for Windows 11 and possibly even Windows 10.

Many firms use a traditional Active Directory infrastructure to manage a mixture of Windows machines – for example, Group Policy to manage security settings as well as to set security settings for Windows Software Update Services or Windows Update for Business.  As a recent Microsoft blog noted, you may need to determine which ADMX templates you need to deploy in your Group Policy central store. If your firm will be staying on Windows 10 for the near future, it’s recommended that you stay with Windows 10 ADMX templates rather than installing and using the Windows 11 templates. If you will be primarily using Windows 11, even if you still have some machines on Windows 10, you’ll want to roll out the Windows 11 ADMX templates.

To read this article in full, please click here

Read More

Ninety Percent of Security Leaders Warn of Skills Shortage

Read Time:2 Minute, 8 Second

Ninety Percent of Security Leaders Warn of Skills Shortage

Most IT security decision-makers are struggling to recruit workers to address a shortage of skilled professionals, despite business backing to do so, according to new research.

Global cybersecurity recruitment firm Stott and May teamed up with venture investor Forgepoint Capital to compile the Cyber Security in Focus study. It features responses from cybersecurity directors, security operations directors and VPs of product security in EMEA and North America.

Some 87% of respondents admitted they are suffering skills shortages, with over a third (35%) claiming positions were left unfilled after a 12-week period.

As a result, in-house skills (43%) were cited as the most significant barrier to strategy execution, above budget (35%), technology (13%) and board-level buy-in (9%).

The challenges around hiring have also led to a surge in salaries: 54% of hiring managers believe that these have increased more than 11% year on year in the sector.

The study also highlighted something of a contradiction. Security is gaining board-level buy-in. Some 80% of security leaders said their business perceives the function as a “strategic priority,” up from 54% last year. In addition, 100% agree that the business feels the function plays a role in improving the overall value proposition to customers.

However, over half (51%) of respondents argued that cybersecurity investment is still not keeping pace with digital transformation.

As investments in digital increase, sourcing the right engineering-centric CISOs will be the key to success, according to Forgepoint Capital managing director William Lin.

“A lot of digital transformation is inherently going to be driven by engineering, and finding a CISO that can empower developers with knowledge, tooling and experience will enable outcomes to be achieved faster and more securely,” he argued.

Heather Paunet, SVP at Untangle, argued that closing the cyber skills gap will require the industry to promote itself to would-be recruits better.

“There also needs to be organizational change that recognizes the severity and devastation cyber-attacks can cause and makes cybersecurity a priority. Companies need to ensure this investment isn’t just in technology, but also in their current workforce with continual training, advancement opportunities and recognition,” she added.

“In addition, IT education programs need to do the profession justice and emphasize the different roles and careers available in cybersecurity.”

According to the latest ISC2 survey, global skills shortages fell for the second consecutive year in 2021 to 2.7 million, including a shortfall of 377,000 in the US and 33,000 in the UK.

Read More

Scottish Agency Still Recovering from 2020 Ransomware Attack

Read Time:1 Minute, 41 Second

Scottish Agency Still Recovering from 2020 Ransomware Attack

A ransomware attack on a Scottish regulator in 2020 continues to significantly impact operations, with the true cost of the incident still unknown, an audit has found.

The double extortion attack hit the Scottish Environment Protection Agency (SEPA) on Christmas Eve 2020, forcing IT services offline.

According to a new report from Audit Scotland, the initial attack vector appears to have been a phishing email, although it’s still not 100% clear.

Despite following best practice backup guidelines, with one copy stored offline, the “sophisticated nature of the attack” meant online copies were quickly targeted, and there was no way of accessing historical records quickly, the spending watchdog claimed.

As a result, the “majority” of SEPA’s data was encrypted, stolen or lost.

Despite claiming the agency had a “high” level of cyber-maturity, independent reviews since the attack have also made 44 recommendations for enhancing the agency’s cyber-readiness and resilience.

According to Audit Scotland, it will be particularly alarming to Scottish taxpayers that more than a year on from the attack, the agency is still reinstating some of its systems.

The auditor took the rare step of issuing a “disclaimer of opinion” on SEPA’s annual accounts for 2020/21, claiming it couldn’t access enough evidence to substantiate £42m of income from contracts.

The agency still doesn’t know the total financial impact of the cyber-attack, although it has already been forced to write off over £2m in bad debts because of records lost to the incident.

“Based on management forecasts during the year, the Scottish Government gave SEPA authority to overspend by £2.5m to cover the impact of Covid19 and the cyber-attack if required,” the report claimed.

“SEPA recognizes that the cyber-attack has increased the medium to longer-term financial pressures on the organization. Its financial strategy 2020-24 had already identified potential variability in future income and expenditure streams of up to £17.9m as a worst-case scenario.”

Read More

Me on App Store Monopolies and Security

Read Time:56 Second

There are two bills working their way through Congress that would force companies like Apple to allow competitive app stores. Apple hates this, since it would break its monopoly, and it’s making a variety of security arguments to bolster its argument. I have written a rebuttal:

I would like to address some of the unfounded security concerns raised about these bills. It’s simply not true that this legislation puts user privacy and security at risk. In fact, it’s fairer to say that this legislation puts those companies’ extractive business-models at risk. Their claims about risks to privacy and security are both false and disingenuous, and motivated by their own self-interest and not the public interest. App store monopolies cannot protect users from every risk, and they frequently prevent the distribution of important tools that actually enhance security. Furthermore, the alleged risks of third-party app stores and “side-loading” apps pale in comparison to their benefits. These bills will encourage competition, prevent monopolist extortion, and guarantee users a new right to digital self-determination.

Matt Stoller has also written about this.

Read More

Cyber-Attack on Oil Firms

Read Time:1 Minute, 50 Second

Cyber-Attack on Oil Firms

A cyber-attack has disrupted operations at two oil storage and logistics firms in Germany.

Oiltanking GmbH Group and Mabanaft Group said on Tuesday that they had launched an investigation into a cyber-incident on Saturday. 

IT systems at both companies were affected, though the full extent of the attack is still being determined. In a statement to the Associated Press, the companies said they had hired external computer forensic specialists to discover the “full scope” of the incident.

No information has been shared yet by either company regarding the nature of the attack or its perpetrators. The companies said work is being undertaken to enable them “to restore operations to normal in all our terminals as soon as possible.”

Oiltanking GmbH Group is still operating storage tank terminals for oil, gas and chemicals in all global markets. However, the attack has forced separate entity Oiltanking Deutschland GmbH, part of Mabanaft, into “operating with limited capacity” its terminals in Germany.

The statement said that Mabanaft’s German arm had “declared force majeure for the majority of its inland supply activities in Germany.”

Speaking at a conference on Tuesday, the head of Germany’s IT security agency, Arne Schoenbohm, said that while the incident was severe, it was “not grave.” 

Schoenbohm said that 1.7% of the country’s total gas stations had been impacted by the incident, making it impossible for prices to be changed or for customers to pay for gas using a credit card. Cash payments were being accepted at some of the 233 affected facilities, most of which are in northern Germany. 

German news agency dpa reported that industry officials had said that the cyber-attack on the two companies did not pose a threat to the country’s overall fuel supplies. 

“The timing of this coincidentally aligns with Russia having threatened to shut off its pipelines into Europe as the crisis in Ukraine continues to be tense for all involved,” observed Lookout’s senior manager of security solutions, Hank Schless. 

He added: “This is the perfect example of using a high-pressure situation to create opportunity for malicious cyber-activity, which attackers do as often as they can.”

Read More

California Passes FLASH Act

Read Time:1 Minute, 55 Second

California Passes FLASH Act

The California State Senate has passed legislation to ban the transmission of unsolicited sexually explicit images and videos without the recipient’s consent – a practice called ‘cyber flashing.’

Senate Bill 53, also known as the FLASH (Forbid Lewd Activity and Sexual Harassment) Act, was passed on Monday with bipartisan support.

Introduced in February 2020 by senators Connie Leyva and Lena Gonzalez, the legislation would establish legal protections for users of technology who receive explicit sexual consent, which they have not requested.

SB 53 would give victims of cyber flashing a private right of action against any person who knows or reasonably should know that a lewd image they sent was unsolicited. The bill would entitle the plaintiff to recover economic and non-economic damages or statutory damages between $1500 and $30,000, as well as punitive damages, reasonable attorney’s fees and costs and other available relief, including injunctive relief.

“I appreciate the Senate’s support of SB 53 as we are now one step closer to finally holding perpetrators of cyber flashing accountable for their abusive behavior and actions,” Senator Leyva said. 

“This form of technology-based sexual harassment is far more pervasive than many Californians realize, so it is important that we empower survivors that receive these unwanted images or videos.”

According to the Pew Research Center, 53% of young American women and 37% of young American men have been sent unsolicited explicit material while online. Most women who received uncalled for X-rated content reported being sent this material through social media platforms, including Snapchat, Instagram, LinkedIn, Twitter and Facebook. 

Cyber flashing also occurs via dating platforms, text messages, email and through the ‘AirDropping’ of content in public spaces.

The FLASH Act has the support of the dating app Bumble, whose CEO Whitney Wolfe Herd sees a need for stronger laws to protect internet users.

“An overwhelming majority of our time is spent online and there are simply not enough laws and deterrents in place to protect us, and women and children in particular,” said Wolfe Herd.

“It falls upon us in the technology and social media space to work hand in hand with local government and legislators to isolate the problems and develop solutions just like the FLASH Act being introduced by Senator Leyva.”

Read More

Social Security Numbers Most Targeted Sensitive Data

Read Time:1 Minute, 51 Second

Social Security Numbers Most Targeted Sensitive Data

Social Security Numbers (SSN) are the type of sensitive data most commonly targeted in data breaches in the United States, according to new research published today by Spirion.

Analysis conducted against the Identity Theft Resource Center (ITRC) database of publicly reported data breaches in the United States revealed that 65% of all sensitive data incidents in 2021 involved SSN.

The finding was included in the data protection and privacy company’s Definitive Guide to Sensitive Data Breaches: America’s Top Leaks, Attacks and Insider Hacks. Spirion’s guide is based on the analysis of more than 1,500 data breaches involving sensitive data in the United States last year.

A total of 1,862 data compromises were reported by US organizations last year, representing a 68% increase over 2020 and making 2021 steal 2017’s title of the most prolific year on record for data breaches. ITRC data showed that 83% of the year’s incidents impacted more than 150 million individuals by exposing 889 million sensitive data records.

Personal Health Information (PHI) was the second most targeted form of sensitive data and was the focus of 41% of data incidents. The third most predated forms of sensitive data were bank account information and driver’s licenses, which were each involved in 23% of incidents.

The majority of individuals affected by sensitive data breaches in 2021 (84%) were victims of incidents in the professional and business services, telecommunications and healthcare industries. The 157 reported data breaches in the professional and business services sector impacted 52 million individuals (or 35% of total individuals). Just eight incidents in the telecommunications industry impacted 47.8 million individuals (or 32% of total individuals).

Trends identified in the guide included the emergence of supply chain and third-party attacks as a leading contributor to sensitive data compromises. 

“A total of 93 third-party attacks impacted 559 organizations, exposing more than 1.1 billion data records,” said a Spirion spokesperson. 

“Of these incidents, 83% contained sensitive data, revealing PII [personally identifiable information] for 7.2 million people.”

Another trend was experiencing multiple data breaches in one year – a fate suffered by more than two dozen US organizations in 2021. 

Read More