Tripwire Patch Priority Index for June 2018

Tripwire’s June 2018 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft and Adobe.First on the patch priority list this month are patches for Adobe Flash Player for Windows, Macintosh, Linux, and Chrome OS. These Adobe Flash patches address type confusion, integer overflow, out-of-bounds read, and stack-based buffer overflow vulnerabilities. Note that Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild and has been used in targeted attacks against Windows users.Next on the patch priority list this month are patches for Microsoft Browsers, Edge, and Scripting Engine. The patches for Internet Explorer resolve a security feature bypass vulnerability and two Memory Corruption vulnerabilities. The patches for Edge resolve memory corruption, information disclosure, and security feature bypass vulnerabilities. Finally, the patches for Microsoft Scripting Engine address three memory corruption vulnerabilities, one of which is rated as a 1 on the Microsoft Exploitability Index (Exploitation More Likely).Up next are patches for Microsoft Excel, Office, and Outlook. These patches address three elevation of privilege vulnerabilities along with an information disclosure vulnerability and a remote code execution vulnerability.Next are patches for Microsoft SharePiont that resolve two elevation of privilege vulnerabilities.Next are patches for Microsoft Windows. The June patch drop for Microsoft Windows contained patches for 23 vulnerabilities spread across Cortana, HIDParser, HTTP.sys, Media Foundation, NTFS, Webdav, Win32k, Windows wireless network profile service, Hyper-V, GDI, DNSAPI, Kernel, and Desktop Bridge. These included elevation of privilege, denial of service, memory corruption, information disclosure, and remote code execution vulnerabilities.Last for the month are patches for Microsoft Device Guard, which resolve seven security feature bypass vulnerabilities.To learn more about Tripwire’s Vulnerability and Exposure Research Team (VERT), click here.

Cyber Security Roundup for June 2018

Dixons Carphone said hackers attempted to compromise 5.9 million payment cards and accessed 1.2 million personal data records. The company, which was heavily criticised for poor security and fined £400,000 by the ICO in January after been hacked in 2015, said in a statement the hackers had attempted to gain access to one of the processing systems of Currys PC World and Dixons Travel stores. The statement confirmed 1.2 million personal records had been accessed by the attackers. There are no details released to explain how the hackers were unable to get access to such large quantities of personal data, just a typical cover statement of “the investigation is still ongoing”.  It is likely this incident occurred before the GDPR law kicked in at the end of May, so the company could be spared the new more significant financial penalties and sanctions the GDPR gives the ICO, but it is certainly worth watching the ICO response to a repeat offender which had already received a record ICO fine this year. The ICO (statement) and the NCSC (statement) both have released statements about this breach.

Ticketmaster reported the data theft of up to 40,000 UK customers, which was caused by security weakness in a customer support app, hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster. Ticketmaster informed affected customers to reset their passwords and has offered (to impacted customers) a free 12-month identity monitoring service with a leading provider. No details were released on how the hackers exploited the app to steal the data, likely to be a malware-based attack. However, there are questions on whether Ticketmaster disclosed and responded to the data breach quick enough, after digital banking company Monzo, claimed the Ticketmaster website showed up as a CPP (Common Point of Purchase) in an above-average number of recent fraud reports. The company noticed 70% of fraudulent transactions with stolen payment cards had used the Ticketmaster site between December 2017 and April 2018. The UK’s National Cyber Security Centre said it was monitoring the situation.

TSB customers were targetted by fraudsters after major issues with their online banking systems was reported. The TSB technical issues were caused by a botched system upgrade rather than hackers. TSB bosses admitted 1,300 UK customers had lost money to cyber crooks during its IT meltdown, all were said to be fully reimbursed by the bank.

Trezor Wallet Phishing Incident

The team behind the Trezor multi-cryptocurrency wallet service has discovered a phishing attack against some of its users that took place over the weekend. The Trezor team says “signs point toward DNS poisoning or BGP hijacking” as the means attackers hijacked legitimate traffic meant for the official wallet.trezor.io domain but redirected these users to a malicious server hosting a fake website. An investigation is still underway to determine the exact cause. Tim Helming, Director of Product Management at DomainTools commented below.

Pass-The-Salt 2018 Wrap-Up Day #3

The day three started quietly (let’s call this fact the post-social event effect) with a set of presentations around Blue Team activities. Alexandre Dulaunoy from CIRCL presented “Fail frequently to avoid disaster” or how to organically build an open threat intelligence sharing standard to keep the intelligence community free and sane! He started with a nice quote: “There was never a plan. There was just a series of mistakes”.  After a brief introduction to MISP, Alex came back to the history of the project and explained some mistakes they made. The philosophy is to not wait for a perfect implementation from the beginning but to start small and extend later. Standardisation is required when your tool is growing but do not make the mistake to define your own new standard. Use the ones already existing. For example, MISP is able to export data in multiple open formats (CVS, XML, Bro, Suricata, Sigma, etc). Another issue was the way people use tags (the great-failure of free-text tagging). They tend to be very creative when they have a playground. The perfect example is how TLP levels are written (TLP:Red, TLP-RED, TLP:RED, …). Taxonomies solved this creativity issue. MISP is designed with an object-template format which helps organisations to exchange specific information they want. Finally, be happy to get complaints about your software. It means that it’s being used! The next slot was assigned to Thomas Chopitea from Google who presented FOSS tools to automate your DFIR process. As you can imagine, Google is facing many incidents to be investigated and their philosophy is to write tools for their own usage (first of all) but also to share them. As they use the tools they are developing, it means they know them and improve them. The following tools were reviewed:
  • GRR
  • TimeSketch
  • dfTimeWolf
To demonstrate how they work, Thomas prepared his demos with a targeted attack scenario based on a typo-squatting. All tools were used one by one them investigation was performed via dfTimeWolf which is a “glue” between all the tools. Turbinia is less known. It’s an automation of forensic analysis tools in the cloud. Note that it is not restricted to the Google cloud. It was an excellent presentation. Have a look at it if you’re in the process to build your own DFIR toolbox. After a short coffee break, a set of sessions related to secure programming started. The first one was about LandLock by Mickaël Salaün from ANSSI. Landlock is a stackable Linux Security Module (LSM) that makes it possible to create security sandboxes. After a short demo to demonstrate the capabilities, the solution was compared to other ones (SELinux seccomp-bpf, namespaces). Only Landlock has all features: Fine-grained control, embedded policy and non-privileged use. Then Mickaël dived into the code and explained how the module works. The idea is to have user-space hardening:
  • access control
  • designed for unprivileged use
  • apply tailored access controls perprocss
  • make it evolve over time

This is an ongoing research that is not yet completely implemented but it’s still possible to install and play with it. It looks promising. Then, Pierre Chifflier (@) presented “Security, Performance, which one?

Dark Markets’ Weakness? Cashing out the Bitcoin to USD!

Over the years there has been an on-going battle between law enforcement and those who use technology-based anonymity to perform their illegal deeds.  Some of the FBI’s tricks to break through the anonymity have created interesting challenges, such as the “Operation Pacifier” case, where the FBI used court orders to allow them to use hacking tricks to expose the true locations of members of a child sexual exploitation site with 150,000 members, leading to 350 US arrests and 548 international arrests.  In that case the FBI deployed “Network Investigative Techniques” (NITs) to learn the IP addresses of top members of a TOR protected .onion server.  To clarify the legality of that situation, Rule 41 of the Federal Rules of Practice and Procedure was amended in 2016 under some controversy, as we blogged about in “Rule 41 Changes: Search and Seizure when you don’t know the Computer’s location.”

In the current case, “Operation: Dark Gold”, perhaps as a demonstration that the old “Follow the Money” rule can work even in these modern times, law enforcement posed as cryptocurrency exchangers, offering attractive conversion rates to USD even for those clearly involved in criminal activity.  After Alexander Vinnik’s BTC-e exchange was shuttered, with the owner accused of facilitating the laundering of $4 Billion in illicit funds, Dark Market vendors had a real problem!  How do you turn a few million dollars worth of Bitcoin into money that you can spend in “the real world?”

Who is mining on your server?

According to observations from our experts, ransomware is on the decline, and a new menace has taken its place at the top of the threat charts: Malicious cryptocurrency mining is on the rise. The total number of users who encountered miners rose from 1,899,236 in 2016–2017 to 2,735,611 in 2017–2018. And with increasing frequency — and greater danger to victims — miners are switching to business targets.

Is your sector taking cyber security seriously?

The frequency and severity of cyber attacks and data breaches has risen significantly in the last few years, as attacks increase in volume and variety. This exponential growth of the cyber threat is confirmed by figures from Business Continuity Institute (BCI), which have revealed that 53% of UK firms now consider a cyber attack as the main threat facing them in the near future.

Four Reasons to Use Security Ratings Before Your Next Acquisition

For years, cybersecurity was considered a “check-the-box” discussion during the merger and acquisition (M&A) process. It was almost always examined to ensure there weren’t any glaring issues or major red flags—but due to limited time resources, or the ability to parse out qualitative responses during M&A from real performance, there wasn’t a great deal of importance placed on it.  Very few transactions would be prevented due to cyber security practices today, however each M&A does require a financial business case created regardless. This may be as simple as assessing integration costs.

Data Requests Under GDPR to Push Cost to Public Sector Past £30 million

New research released today shows that public sector organisations face increased financial pressure as a result of the recently implemented General Data Protection Regulation (GDPR), to the tune of £30million per year. The NHS is expected to be hit hardest by the influx in data requests, given that before the introduction it cost the NHS £20.6million per year to retrieve customer data.

The Winners of The Europas Awards 2018 show Europe’s startup power

Yesterday The Europas, the European Tech Startup Awards and Unconference once again held its annual jamboree in London, throwing together an afternoon of deep-dive panel discussions on the hottest topics in tech, a “Pitch Roulette” session of early-stage startup pitches, and a glittering Awards ceremony, honouring the hottest startups, unicorns founders, investors and blockchain projects in the European ecosystem.

Vuln: Multiple Cisco Products CVE-2018-0227 SSL Certificate Validation Security Bypass Vulnerability

Vulnerable: Cisco Firepower Threat Defense Software 6.1Cisco Firepower Threat Defense Software 6.1.0.5Cisco Firepower Threat Defense Software 6.0.1.4Cisco Firepower Threat Defense Software 6.0Cisco FirePOWER 9300 ASA Security Module 0Cisco Firepower 4110 Security Appliance 0Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches 0Cisco ASA Services Module for Cisco 7600 Series Routers 0Cisco ASA 5500-X Series Next-Generation Firewalls 0Cisco ASA 5500 Series Adaptive Security Appliances 0Cisco Adaptive Security Virtual Appliance (ASAv) 0Cisco Adaptive Security Appliance (ASA) Software 9.6.3Cisco Adaptive Security Appliance (ASA) Software 9.4.4Cisco Adaptive Security Appliance (ASA) Software 9.6.3.17Cisco Adaptive Security Appliance (ASA) Software 9.6.2.9Cisco Adaptive Security Appliance (ASA) Software 9.6.2.21Cisco Adaptive Security Appliance (ASA) Software 9.5.3.9Cisco Adaptive Security Appliance (ASA) Software 9.5.3.7Cisco Adaptive Security Appliance (ASA) Software 9.5.2.8Cisco Adaptive Security Appliance (ASA) Software 9.5.2.7Cisco Adaptive Security Appliance (ASA) Software 9.4.4.13Cisco Adaptive Security Appliance (ASA) Software 9.4.3.2Cisco Adaptive Security Appliance (ASA) Software 9.4.3.1Cisco 3000 Series Industrial Security Appliance (ISA) 0