Researchers find a way around once-reliable security shield

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

For a long time, hack­ers have been stymied when they get mali­cious code run­ning on a victim’s machine and have to fig­ure out where in the computer’s mem­o­ry that code has end­ed up. Now a team of Dutch researchers has found a tech­nique that under­mines that so-called address space lay­out ran­dom­iza­tion, cre­at­ing the You Are Here arrow that hack­ers need to ori­ent them­selves inside a stranger’s com­put­er. That means any of the com­mon mem­o­ry cor­rup­tion bugs found in soft­ware appli­ca­tions on a dai­ly basis could lead to a much deep­er takeover of a tar­get PC or smart­phone. Because the attack exploits hard­ware, it leaves mil­lions of devices at risk regard­less of their oper­at­ing sys­tem — and it can’t be ful­ly fixed with a soft­ware update. “This tech­nique makes bugs that weren’t exploitable exploitable again. In some sense, it takes us back to the ’90s in terms of secu­ri­ty,” says Ben Gras, a researcher at the Free Uni­ver­si­ty of Ams­ter­dam. The attack is par­tic­u­lar­ly seri­ous because attack­ers can pull it off with JavaScript alone, mean­ing that sim­ply vis­it­ing a mali­cious web­site can trig­ger it. Source: Wired

Breach damage ripples through entire organization

sh_data-breach_280Data breach­es are becom­ing more com­plex, and caus­ing more dam­age to the affect­ed orga­ni­za­tion, accord­ing to the 2017 Ver­i­zon Data Breach Digest, which found the effects spread­ing to more parts of an enter­prise, caus­ing prob­lems out­side of IT. “We find that breach­es touch every part of an orga­ni­za­tion up to and includ­ing its board of direc­tors,” said Bryan Sartin, of Ver­i­zon Enter­prise Solu­tions. “Com­pa­nies need to be pre­pared to han­dle data breach­es before they actu­al­ly hap­pen.” Source: Tech Repub­lic

Homeland Security leader warns RSA of digital attacks

sh_bomb_280America’s adver­saries are turn­ing “dig­i­tal break­throughs into dig­i­tal bombs” and launch­ing them against increas­ing­ly over­matched defens­es, the chair­man of the House Home­land Secu­ri­ty Com­mit­tee warned at a keynote address at the 2017 RSA con­fer­ence. Rep. Michael McCaul, R-Texas, said that from nation-states to ter­ror­ists to face­less hack­ers, “the com­bat­ants are every­where, and the phones in your pock­ets are the bat­tle space.” Source: FCW

Hitting a sour note in San Antonio

sh_symphony_280Com­put­er hack­ers broke into the com­put­er net­work for the San Anto­nio Sym­pho­ny, steal­ing the names, birth dates, Social Secu­ri­ty num­bers, address­es and W-2 tax forms for about 250 employ­ees. The data breach didn’t com­pro­mise data for donors, sea­son tick­et hold­ers or oth­er patrons, said sym­pho­ny Pres­i­dent David Gross. Ven­dor infor­ma­tion wasn’t tak­en either, he said. Source: Express News

Owner of a lonely heart might be the lucky one

sh_lonely-heart_280The FBI is rais­ing an alarm over the rise in “romance scams” in which vic­tims, typ­i­cal­ly women, are tar­get­ed by cyber crim­i­nals mas­querad­ing online as poten­tial roman­tic inter­ests. The scam­mers usu­al­ly tar­get old­er divorced or mar­ried women on dat­ing and social net­work­ing sites, devel­op rela­tion­ships with their vic­tims online with­out meet­ing in per­son, and even­tu­al­ly ask for mon­ey. Many crim­i­nals are mem­bers of crime orga­ni­za­tions in Nige­ria and dif­fi­cult to catch. Source: The Hill

They’ve got the meats, but maybe not the security

sh_arbys_280Arby’s Restau­rant Group is inves­ti­gat­ing a mal­ware attack on its pay­ment card sys­tem that tar­get­ed thou­sands of cus­tomers’ cred­it and deb­it cards. The fast-food chain said the breach was con­tained and mal­ware removed. The mal­ware was on point-of-sale sys­tems inside some Arby’s cor­po­rate-owned restau­rants. Source: St. Louis Busi­ness Journal

Phisher gets Florida school district information

Fol­low­ing an email phish­ing inci­dent, in which Man­a­tee, Flori­da, School Dis­trict employ­ees’ tax infor­ma­tion was sent to a scam­mer, the School Board approved the pur­chase of iden­ti­ty theft insur­ance to pro­tect the vic­tim­ized employ­ees. A pay­roll employ­ee sub­mit­ted elec­tron­ic copies of about 7,700 dis­trict employ­ees’ tax forms to a per­son false­ly claim­ing to be Super­in­ten­dent Diana Greene. Source: The Braden­ton (Fla.) Times

Apple Macintosh might be Russian hackers’ next target

sh_apple_280The Russ­ian hack­ers linked to the hack­ing of the Demo­c­ra­t­ic Nation­al Com­mit­tee, APT28, have turned their atten­tion to Apple’s Mac­in­tosh com­put­ers, releas­ing new Xagent mal­ware that cre­ates back­doors into Macs that let hack­ers steal brows­er pass­words, grab screen­shots and nab iPhone back­ups stored on the com­put­er. Apple didn’t imme­di­ate­ly respond to a request for com­ment. Source: CNet

Agency that safeguards election might be abolished

The House Admin­is­tra­tion Com­mit­tee approved the Elec­tion Assis­tance Com­mis­sion (EAC) Ter­mi­na­tion Act, a bill to abol­ish the only fed­er­al agency tasked with help­ing states with elec­tion admin­is­tra­tion. The agency sets nation­al stan­dards for new vot­ing machines, and tracks and col­lects prob­lems. In the 2016 elec­tion, 42 states used vot­ing machines that were more than 10 years old. Source: For­tune

That’s the way Yahoo’s cookie crumbles …

sh_yahoo_280Yahoo’s new­ly issued warn­ing about mali­cious hacks is relat­ed to a third data breach the com­pa­ny dis­closed in Decem­ber 2016. A warn­ing sent to some Yahoo users read: “Based on the ongo­ing inves­ti­ga­tion, we believe a forged cook­ie may have been used in 2015 or 2016 to access your account.” Forged cook­ies are dig­i­tal keys that allow access to infor­ma­tion with­out re-enter­ing pass­words. The leaked data includ­ed email address­es, birth dates and answers to secu­ri­ty ques­tions. Yahoo declined to say how many peo­ple were affect­ed. Source: CNBC

… Which might mean Verizon has room to negotiate

sh_verizon_280Ver­i­zon Com­mu­ni­ca­tions is near a rene­go­ti­at­ed deal for Yahoo’s inter­net prop­er­ties that would reduce the price of the $4.8 bil­lion agree­ment by about $250 mil­lion after the rev­e­la­tion of secu­ri­ty breach­es at the web com­pa­ny. In addi­tion to the dis­count, Ver­i­zon and the enti­ty that remains of Yahoo after the deal are expect­ed to share any ongo­ing legal respon­si­bil­i­ties relat­ed to the breach­es. Source: Bloomberg

Banks targeted by attack similar to the one that hit Sony

Cyber­se­cu­ri­ty spe­cial­ists found evi­dence sug­gest­ing that recent attacks on insti­tu­tions in Poland are part of an inter­na­tion­al hack­ing effort tar­get­ing finan­cial insti­tu­tions in the Unit­ed States, Mex­i­co and the Unit­ed Kingdom—an attack that shares traits with the 2014 attack on Sony. The hacks began late last year, installing unau­tho­rized code on web­sites belong­ing to finan­cial reg­u­la­tors, and then using those to attack com­put­ers belong­ing to a select list of glob­al finan­cial insti­tu­tions. Source: Mar­ket Watch

Blogs get bogged down in security flaw 

sh_wordpress_280A secu­ri­ty flaw in Word­Press blog­ging soft­ware let hack­ers attack and deface tens of thou­sands of sites. One esti­mate sug­gests more than 1.5 mil­lion pages on blogs have been defaced. The secu­ri­ty firm that found the vul­ner­a­bil­i­ty said some hack­ers were try­ing to use it to take over sites rather than just spoil pages. Word­Press urged site own­ers to update soft­ware. Source: BBC

Watson, come here! I need you!

IBM is putting Wat­son onto the case in the cyber­se­cu­ri­ty field. Wat­son for Cyber Secu­ri­ty takes the same core capa­bil­i­ties of Watson—the abil­i­ty to read mil­lions of doc­u­ments and ter­abytes of infor­ma­tion to derive insights a human might not spot—and puts them into a secu­ri­ty oper­a­tions cen­ter. With secu­ri­ty offi­cers at large cor­po­ra­tions some­times scan­ning sev­er­al hun­dreds of thou­sands of events hap­pen­ing over their net­works each day, IBM says it can add anoth­er line of defense by proac­tive­ly help­ing to spot breach­es and hack­ing attempts that might slip through unno­ticed, then mak­ing sug­ges­tions on the best response. Source: Forbes

Neither snow, nor rain, but a postal worker

sh_postal-mail_280A Lin­coln, Nebras­ka, postal work­er was arrest­ed in a fraud­u­lent cred­it card case. Police found doc­u­ments con­tain­ing pri­vate infor­ma­tion of 50 indi­vid­u­als. The major­i­ty of the infor­ma­tion was mail, pri­mar­i­ly change-of-address forms. Author­i­ties said they believe that Har­ris was tak­ing mail from the postal office, chang­ing address­es, and inter­cept­ing paper­work. Source: WOWT, Oma­ha

We’re all in this together, Microsoft says

Microsoft called for a Gene­va Con­ven­tion for cyber­se­cu­ri­ty, indi­cat­ing that states need to agree on dig­i­tal stan­dards that pro­tect the pri­vate sec­tor and pre­vent major cyber inci­dents. The soft­ware giant seeks that tech­nol­o­gy com­pa­nies or crit­i­cal infra­struc­ture not be tar­get­ed, assis­tance for the pri­vate sec­tor in detect­ing and respond­ing to cyber inci­dents, report­ing vul­ner­a­bil­i­ties to com­pa­nies, restraint in devel­op­ing cyber weapons, and lim­it­ing offen­sive oper­a­tions to avoid a mass event. Source: Mer­iTalk