From Paul's Security Weekly
Recorded September 24, 2019 at G-Unit Studios in Rhode Island!
- Register for our upcoming webcasts with ISC2 by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand. Also, you can now submit your suggestions for guests in our recently released guest suggestion form! Go to securityweekly.com/guests and enter your suggestions!
- Facebook suspends tens of thousands of apps from hundreds of developers - Major cleanup of Facebook apps, which seems to be a growing trend among major providers: After the Cambridge Analytica privacy scandal in 2018, the social network giant launched a review of privacy practices. Facebook’s review of all apps on the platform aimed to determine alleged abuse of user data and violations of its privacy rules. Now Facebook has announced the suspension of tens of thousands of apps. According to Facebook’s vice president of partnerships, the suspensions are “not necessarily an indication that these apps were posing a threat to people.” He also added that some “did not respond to our request for information.”
- Privilege Escalation flaw found in Forcepoint VPN Client for Windows - SafeBreach Labs discovered a privilege escalation vulnerability, tracked as CVE-2019-6145, that affects all versions of the VPN Client for Windows except the latest release. The vulnerability can be exploited by attackers to achieve persistence and evade detection. The researchers found that the application incorrectly attempts to execute an executable from the wrong locations, allowing an attacker to run their own binaries with NT AUTHORITY\SYSTEM permissions. Patches are now available.
- WannaCry and why it never went away - WannaCry still makes people want to cry: WannaCry spreads using a security hole that was patched two months before the worm first appeared, so you’d be forgiven for assuming that it would have fizzled out by now and become little more than a museum curiosity. But a paper published recently by Sophos experts tells a very different story, with more than 5,000,000 infection attempts logged in a three-month period last year – and that’s just the ones that were detected and blocked by a Sophos product and reported by Sophos telemetry. Given that WannaCry doesn’t even bother trying to infect a computer if it can see in advance that it’s patched, each one of those infection attempts was aimed at a still-unpatched device. For reference: Microsoft patched the associated vulnerability on Tuesday, 14 March 2017 via security bulletin MS17-010.
- Wyoming Hospital's Services Disrupted by Ransomware | SecurityWeek.Com - Ransomware continues to disrupt services, including hospitals: Campbell County Health contacted the appropriate authorities immediately after discovering the attack, but the investigation into the matter continues. As of Sunday, emergency medical services (EMS), the emergency department, the maternal child (OB) department, and the walk-in clinic were open, but the hospital continues to advise patients to call in advance to confirm their appointments. On Sunday, the hospital still had cancelled or rescheduled services, including surgery, respiratory therapy, cardiac rehab, radiology, and several others. The majority of its services, however, were open.
- 0patch Promises Support for Windows 7 Beyond January 2020 | SecurityWeek.Com - Microsoft will still provide support for some customers through Extended Security Updates (ESU), but the majority of systems still running Windows 7 or Windows Server 2008 will no longer receive security updates, thus remaining exposed to attacks exploiting newly discovered vulnerabilities. ACROS Security, a Slovenia-based company focused on delivering tiny fixes for vulnerabilities in popular software before official patches arrive, says it will provide support for both Windows 7 and Windows Server 2008 even after Microsoft stops doing so. “We're going to security-adopt Windows 7 and Windows 2008 Server for those of you who want to keep them patched after their official security updates have dried out,” ACROS Security says. The company’s micro-patching service is called 0patch, and is offered both for free and in a paid form.
- Nine words to ruin your Monday: Emergency Internet Explorer patch amid in-the-wild attacks - A scripting-engine memory-corruption bug, designated CVE-2019-1367, can be abused by a malicious webpage or email to achieve remote code execution, meaning the exploit runs when the user views a malicious website or message using Internet Explorer. Discovery of the flaw, and its reported exploitation in the wild, was attributed to the Google Threat Analysis Group. The vulnerability is present in at least IE 9 through 11.
- Jira development and ticketing software hit by critical flaws - By exploiting the critical URL path traversal flaw tracked as CVE-2019-14994, an attacker with access to the portal could bypass restrictions, viewing issues and making requests relating to Jira Service Desk projects, Jira Core projects, and Jira Software projects. Independent research by security company Tenable has found 25,000 portals that are vulnerable to this issue. The other critical flaw, CVE-2019-15001, is described as an “authenticated template injection vulnerability in the Jira Importers Plugin (JIM)” through which an attacker could remotely execute code on servers running a vulnerable version of Jira Server or Jira Data Center; exploitation is limited to users with admin access.
- The FBI arrests more than 200 hackers in different countries - A few months ago the FBI’s Internet Crime Complaint Center (IC3) disclosed that attempted email fraud, a practice known as Business Email Compromise (BEC), increased 100% over the past year, as did the economic losses arising from this activity. Through Operation reWired, authorities managed to arrest a total of 281 suspects; 167 of these arrests occurred in Nigeria, which has for years been a kind of hub for such campaigns. In addition, 74 of these arrests occurred in the U.S., 18 in Turkey, 15 in Ghana, and a few others in Japan, the United Kingdom, Italy, France and Malaysia.
- Microsoft Defender Bug Fixed with Emergency Patch - To address a previously unknown or exploited denial-of-service (DoS) vulnerability in Microsoft Defender, CVE-2019-1255 was issued; it describes a vulnerability discovered by researchers from F-Secure Countercept and Tencent Security Xuanwu Lab. The vulnerability exists in Microsoft Defender file handling operations. According to Microsoft, an attacker could exploit this to prevent legitimate accounts from executing legitimate system binaries. To exploit the DoS vulnerability, an attacker would first require code execution on the target system. This week's patch alters the way Microsoft Defender handles files.
Expert Commentary: Grant Sewell, Preempt
Risk-based security and identity controls
Today’s retailers are continually faced with security challenges impacting both employees and customers. Behavior monitoring is one of the most critical tools retailers can use. Preventing both fraud and insider threats, while also improving the security around the customer experience (i.e., requiring additional validation/authentication from "risky" customers and purchases, or lowering the security requirements for lower-risk customers and employees to make their experience better), is essential. Grant Sewell will discuss how identity is one of the more important security controls in the cloud for retailers. In this podcast, he will cover how a central tool that provides analytics around identity and users helps improve security and brings together disparate environments like the cloud, a traditional datacenter, and third parties. Implementing this solution can help security teams make better decisions and increase the overall security of a retailer. Grant will also talk about how information sharing and analysis centers and organizations (ISACs) like the Retail & Hospitality ISAC are focused on industry-wide resilience, and can assist with valuable and measurable success in enterprise risk management.