Tech News

Frequent security updates and a patch-as-you-go approach to software flaws have led a number of security experts to question whether the problem needs a fresh approach. Microsoft, Adobe and Oracle unveiled over 200 updates in October alone, many marked critical, backing up the notion that security patches are now an inevitable reality for the industry. Fraser Kyne, principal systems engineer at security firm Bromium, told V3 that the current approach is "akin to putting a sticking plaster over a gaping wound". "Patching itself is fundamentally flawed. It is always reactive, you can only patch for known issues, it is expensive and it is time consuming. Many organisations even find themselves in the position where they cant patch as it would break their line of business apps," he said, noting how entrenched the problem has become. "There are some unsolvable factors at play here: developers are fallible, users are gullible, and attackers are resourceful. More code simply means more vulnerabilities, and the rewards for exploiting these vulnerabilities are clear." The commercial problem As with every industry, commercial interests often collide with innovation. Richard Cassidy, EMEA technical director at Alert Logic, warned that this is a major problem facing the industry today. "Vendors are locked into the innovation battle, with consumer demands for better, faster and more capable applications, seeing code releases at an astonishing rate," he told V3. This pace of innovation has an "inevitable" outcome: software vulnerabilities. "Historically, developers will work to best practice coding from a security perspective, but all too often project deadlines and production demands will mean that the focus needed in the area of security often suffers," he said. Cassidy believes that patch management needs to evolve past its current "antiquated" state and that organisations must start thinking about other options. "In addition to an updated, agile patch management process, organisations need to implement better tools to identify when their own infrastructure is being subject to an undiscovered vulnerability so that they can respond immediately and ultimately reduce the window of opportunity provided to attackers," he told V3. Yet as fast as a business can respond it is well-known that the exploitation of security vulnerabilities is now a lucrative business for cyber criminals, meaning there is a huge community of vulnerability-sharing taking place. Bharat Mistry, cyber security consultant at Trend Micro, told V3 this has become so big because the value of these exploits can be huge. "One of the reasons why we are seeing so many patches is that there is a big underground community that trades in vulnerabilities and exploits, especially the new zero-days such as the recent Adobe flash vulnerabilities," he said. "For the discovering party it is seen as potentially easy money with relatively low cost of entry. And when you do find a new zero-day it can be sold for a significant amount of money. This has attracted significant numbers of people to look into this marketplace." These marketplaces, often underground and held on websites on the so-called dark web, act as a sort of eBay for hackers to buy and sell sophisticated zero-day vulnerabilities, malware and even denial-of-service tools. It is not just the odd hacker doing this either. A breach at Italian surveillance firm Hacking Team led to the discovery of major security vulnerabilities in software such as Flash and Windows that the company used to make its tools work.

The backdoor was being loaded via a hidden XSS attack Ciscos Web-based VPN service has been dealt a heavy blow by security researchers at Volexity which found at least two methods through which hackers installed backdoors on the service, stealing corporate accounts passwords as employees were logging into their accounts. The backdoors were loaded through different snippets of JavaScript code loaded on Ciscos ASA WebVPN service, performing a simple XSS attack on the logon.html page, right where corporate users were entering their username and password combos. Attackers are exploiting the CVE-2014-3393 vulnerability to load these JavaScript snippets, and then they were modifying the login page so they could record what users typed in the login fields. This bug was fixed in February 2015, but as we all know, not all companies like to update their services / equipment, so the hackers have exploited it long since after.

AVG has updated its privacy policys language, and in the amended document, the security firm admits that it can "make money from [its] free offerings with non-personal data." These "non-personal" info include your devices brand, language and apps in use, among other things. The company is adamant that it does not sell anything with identifying information, and the data that it does collect is anonymized and stored without anything that can link it back to you. According to the updated policy, AVG can collect data you yourself provide -- plus, it can use cookies to track your searches and your activities on websites, apps and other products. It can then use those details to "build anonymous data profiles" or create statistical information, which it can then sell. A spokesperson from the company said that AVG updated the language to be more transparent and make sure people know that it can make money off its free products using their information. The new rules will take effect on October 15th, 2015 and by continuing to use AVG after that, you already agree to the collection -- unless you take the steps to opt out. The spokesperson said that "users who do not want [the security firm] to use non-personal data in this way will be able to turn it off."

In a slip that could prove costly to manufacturers and users, the D-Link cryptography keys used to certify that software is trustworthy – and not malware – were accidentally published, according to Dutch security firm Fox-IT. The keys were made available through the companies open-source firmware package, and were not discovered for seven months. Their release could make it easier for hackers to disrupt Windows and Apple computers. The mistake was discovered by a reader for a Dutch technology website, Tweakers, who purchased a D-Link security camera and downloaded the firmware from the manufacturer. The reader found not only the private keys, but also the passphrases needed to sign into the software. Tweakers handed the problem over to Dutch security firm Fox-IT, which confirmed the findings. I think this was a mistake by whoever packaged the source code for publishing. The code signing certificate was only present in one of the source code packages with a specific version, Fox-IT researcher Yonathan Klijnsma told security news site Threatpost.

BT has announced the global launch of BT Assure Ethical Hacking for Finance, a new security service designed to test the exposure of financial services organizations to cyber-attacks. The wealth of valuable and sensitive personal data held by financial organizations, such as retail and investor banks and insurance companies, makes them among the most attractive targets for malicious hackers and cyber-criminals. This risk has intensified in recent years as more and more retail financial services move online and electronic trading is one the rise. Assure Ethical Hacking for Finance uses mature methodologies that mimic those of black hats or malicious attackers to provide a range of tests targeted at the various entry points to a banks IT systems as well as perceived weak points of an organization. These include phishing scams, mobile devices and hardware from laptops to printers, internal and external networks, databases and complex enterprise resource planning systems. BT not only tests and verifies systems that can access the network but also checks for risks of human failure, for example by using social engineering to test how employees apply the policies in place. The new service draws on the ethical hacking expertise gained by working closely with large financial institutions in the U.S. for nearly two decades. Within the confines of strict rules of engagement, BTs ethical hackers have been able to perform database dumps of tens of thousands of social security and credit card numbers; intercept and modify mobile cheque deposit data; reverse engineer proprietary encryption streams; generate enormous, valid gift cards with payment details from other test accounts; create admin accounts by having an employee simply open an email; escape remote access sessions and get shell access to systems, including subsequent establishment of tunnels into the company; transfer funds between unauthorized test accounts or harvest complete account data for all users by attacking machine-to-machine communications. The ultimate objective is to identify vulnerabilities that would impact an organizations primary business processes and thus its brand and reputation. The new Assure Ethical Hacking for Finance will enable BT to use CREST (www.crest-approved.org) certified Simulated Targeted Attack and Response (STAR) services to help financial services firms to develop the most robust security solutions, ensuring sensitive customer data remains secure. BT was in 2014 one of the first companies in the world accredited by CREST to provide STAR services. Working alongside the Bank of England (BoE), UK Government and industry, CREST developed the STAR framework to deliver controlled bespoke, intelligence-led cyber security testing. STAR incorporates advanced penetration testing and threat intelligence services to more accurately replicate cyber security threats to critical assets. Mark Hughes, president of BT Security, said: The prospect of accessing confidential financial information is a powerful lure for hackers so few companies attract as much online criminal attention as banks. Apart from direct financial loss, a serious hack could lead to irreparable reputational damage. While much of the concern focuses on retail-banking activities, the threat is just as important for investment banks or for wholesale, where banks provide services like currency conversion and large trade transactions for major corporate customers. We encourage all financial institutions to put themselves through a rigorous series of cyber-security simulations, whereby our ethical hacking consultants push the cyber defences of financial institutions to the limit. BT has a strong, award-winning, global team of security specialists, including ethical hacking consultants, who provide a standardized method to test systems by imitating hacker attacks, reporting identified vulnerabilities and providing clear remediation steps that customers can use to quickly patch applications and affected systems.

A bug has ben found which allows anyone in possession of an Android smartphone running Lollipop to unlock the device by bypassing the lockscreen with a very long password. The vulnerability, discovered by researchers at Texas University in Austin, potentially affects 21% of Android devices in use and requires the attacker to simply overload the lockscreen with text. The bug affects only those users with smartphones running Googles Android Lollipop using a password to protect their devices – Pin or pattern unlock are not affected. The attacker need only enter enough text into the password field to overwhelm the lockscreen and cause it to crash, revealing the homescreen and giving full access to the device, whether encrypted or not. John Gordon from Texas university said: By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilise the lockscreen, causing it to crash to the home screen. Google released a fix for the security hole on Wednesday for its line of Nexus devices, describing the bug as of moderate severity, but that it was not actively being exploited by attackers according to the companys knowledge.