Tag Archive for Security

| October 11, 2019
Comments Off on How Secure are Your Printers?

How Secure are Your Printers?

How Secure are Your Printers?Printers are under the security microscope again. Printers are IoT devices that sit on the network and never get updated. I have covered some of the problems that printers cause a number of times on the Bach Seat. And now more vulnerabilities have been identified by UK-based security consultancy NCC Group in six popular enterprise printers.

Vulnerabilities in printers

NCC Group logoThe research team was made up of Daniel Romero, managing security consultant and research lead, and Mario Rivas, security consultant at NCC Group. They identified several classes of vulnerabilities in printers including:

  • Denial of service attacks that could crash printers;
  • The ability to add back-doors into printers to maintain attacker persistence on a network.
  • The ability to spy on every print job sent to vulnerable printers.
  • The ability to forward print jobs to an external internet-based attacker.

Matt Lewis, research director at NCC Group told  ComputerWeekly,

Because printers have been around for decades, they’re not typically regarded as enterprise IoT [internet of things devices], yet they are embedded devices that connect to sensitive corporate networks and therefore demonstrate the potential risks and security vulnerability posed by enterprise IoT.

Who to blame

There is plenty of blame to share for most of these latest vulnerabilities. Mr. Lewis says the manufacturers are causing these problems by neglecting to build security into their products.

Finger point for printer vulnerabilitesBuilding security into the development life-cycle would mitigate most, if not all, of these vulnerabilities and so it’s therefore important that manufacturers continue to invest in and improve cybersecurity, including secure development training and carrying out thorough security assessments of all devices.

End-users have to take some of the blame as well according to NCC Group

Corporate IT teams can also make small changes to safeguard their organization from IoT-related vulnerabilities, such as changing default settings, developing and enforcing secure printer configuration guides, and regularly updating firmware.

Impacted printer models

The printers tested by the researchers were from HP, Ricoh, Xerox, Brother, Lexmark, and Kyocera.

The NCC Group found vulnerabilities in HP (HPQ) printers. The Color LaserJet Pro MFP M281fdw printers have buffer overflows, cross-site scripting (XSS) vulnerabilities, and cross-site forgery countermeasures bypass.

HP has posted firmware updates to address potential vulnerabilities to some of its Color LaserJet series. “HP encourages customers to keep their systems updated to protect against vulnerabilities,” the company said in a statement.

Lexmark logoThe vulnerabilities in Lexmark CX310DN printers NCC Group found include denial of service vulnerability, information disclosure vulnerabilities, lack of cross-site request forgery countermeasures, and lack of account lockout.

The NCC Group found Vulnerabilities in Kyocera (KYO) Ecosys M5526cdw printers. The security holes include buffer overflows, broken access controls, cross-site scripting vulnerabilities, and lack of cross-site request forgery countermeasures.

NCC Group identified stack buffer overflows, heap overflows and information disclosure vulnerabilities in Brother (6448) HL-L8360CDW printers.

The vulnerabilities reported in Ricoh (RICOY) SP C250DN printers include buffer overflows, lack of account lockout, information disclosure vulnerabilities, denial of service vulnerabilities, lack of cross-site request forgery countermeasures, and hard-coded credentials.

https://www.xerox.comNCC Group claims the Xerox (XRX) Phaser 3320 printer vulnerabilities include buffer overflows, cross-site scripting vulnerabilities, lack of cross-site request forgery countermeasures, and lack of account lockout.

All of the vulnerabilities discovered during this research have either been patched or are in the process of being patched by the relevant manufacturers. NCC Group recommends that system administrators update any affected printers to the latest firmware available, and monitor for any further updates.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , ,
| September 28, 2019
Comments Off on Data Privacy End Run

Data Privacy End Run

Data Privacy End RunIn an attempt to end-run stricter data privacy regulation the Business Roundtable, an association of CEOs of America’s largest companies, sent an open letter to the U.S. House and Senate urging the politicians to pass a comprehensive national data privacy law. According to CircleID, the heart of the letter is the creation of federal privacy laws that the companies argue should replace various state-level laws that have already been passed.

CEOs of America's largest companiesThe CEOs want one law that governs all user privacy and data protection across the U.S., which would simplify their lives. From the letter:

Now is the time for Congress to act and ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws.

Among the items hidden deep in the CEO’s “consumer privacy framework [more here]” are some onerous provisions.

  • Private individuals should not be allowed to sue companies if those companies violate the data privacy law itself.
  • Potential pay-for-privacy schemes and
  • Overriding existing state data privacy protections already signed into law.

The Data Privacy Blog points out that in 2019, a number of states passed new and expanded data breach notification laws, including:

  • California.
  • data breach notification lawsIllinois,
  • Maine,
  • Maryland,
  • Massachusetts,
  • New Jersey,
  • New York,
  • Oregon,
  • Texas, and
  • Washington.

Also, since July 1, 2019, Delaware, New Hampshire, and Connecticut have enacted laws imposing new cybersecurity requirements on insurance companies.

ZDnet points out that many privacy advocates (and even some tech CEOs) believe the CEOs aren’t really looking after users’ interests, but their own. There’s a belief that companies are trying to aggregate any privacy lawmaking in Congress, where lobby groups can water down any meaningful user protections that may impact bottom lines. Open Secrets reports that the Business Roundtable has spent over $6.6M lobbying in D.C. so far in 2019. As followers of the Bach Seat know, money talk and citizens walk in D.C.

Among the CEOs who were involved in the end run included;

The Data Privacy Blog points out the coincidence that the CEO’s framework comes just months before the California Consumer Protection Act is set to go into effect in 2020.

throw money at the politiciansFollowers of the Bach Seat know many companies make money by selling customers’ personal or device-usage data. Privacy policies with too many teeth could prevent companies from selling your data to pay the CEO’s average salary of $17.2M. The LA Times reports that compensation for American chief executives increased by 940% from 1978 to 2018, while pay for the average worker rose only 12% over the same 40-year period.

rb-

Seems to me that the goal of this proposal of the leading CEO’s is not to protect our privacy. Their goal is to centralize the rule-making in the D.C. swamp and throw money at the politicians to do the Business Roundtable’s bidding. Then the CEOs will be able to maintain the status-quo and normalize the existing digital surveillance system that serves them well.

LobbyingThe CEO’s sudden interest in data privacy has more to do with the growing wave of real reform at the state level and the calculation that Trump will be booted from office and less business-friendly POTUS will take his place in 2020. And little to do with citizen’s privacy.

The digital rights organization Electronic Frontier Foundation supports a private right of action for any national consumer privacy law, as such a right would further enable members of the public to fight back against companies that violate the law.

The EFF wrote the best way to protect ordinary people’s privacy is action.

It is not enough for government to pass laws that protect consumers from corporations … to ensure companies do not ignore them … empower ordinary consumers to bring their own lawsuits against the companies that violate their privacy rights.

Signatures from Facebook CEO Mark Zuckerberg and Apple CEO Tim Cook were notably absent from the list although both have, in the past, supported a comprehensive federal privacy law.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , ,
| September 7, 2019
Comments Off on $2.9M Per Minute Lost to Cybercriminals

$2.9M Per Minute Lost to Cybercriminals

Updated 10/27/2019 – On October 22, 2019, the FBI issued a warning about cybercriminals running e-skimming attacks, also known as Magecart attacks. These attacks have been happening since 2016, but have intensified during 2018 and 2019. These attacks started out by exploiting vulnerabilities in open-source e-shopping platforms. However, over the past two years, attackers evolved their attack methodology, and any online store is now susceptible to attacks, regardless if it runs on top of an open-source platform or a cloud-hosted service.

$2.9M Per Minute Lost to CybercriminalsCybercriminals cost the global economy $2.9 million every minute of 2018. This shocking statistic comes from RiskIQ‘s latest Evil Minute report. RiskIQ specializes in online attack surface management, providing threat discovery, intelligence, and mitigation. The San Francisco, CA-based firm figured that a total of $1.5 trillion was lost to cyber-criminals in 2018. Some of the more ominous info-bits they presented include:

  • RiskIQ logo$25 per minute, the cost to top companies due to security breaches.
  • $17,700: lost from phishing attacks per minute
  • $22,184: the projected by-the-minute cost of global ransomware events in 2019

Other statistics include:

  • 8,100: identifier records compromised every minute
  • 2.4: phish traversing the internet per minute
  • 0.32: blacklisted apps by-the-minute
  • 0.21: Magecart attacks detected every minute

Lou Manousos, CEO of RiskIQ said in the presser, “As the scale of the internet continues to proliferate, so does the threat landscape.

Magecart hacks

Magento .logoThe report specifically calls out attacks that target e-commerce. They focus on the Magecart hacks. Magecart hacks have increased by 20% in the last year. By some estimates, the Magecart supply chain attacks have resulted in the theft of more credit card information than more infamous breaches at Home Depot and Target. According to reports, Magecart was behind the 2018 cyber-attacks on British Airways and Ticketmaster which together compromised the info of over 425,000 of the firm’s customers.

Magecart attack is a credit card skimmer that intercepts card numbers and information when a payment card is swiped at the point of sale. Unlike gas card or ATM skimmers, there is almost no way for a consumer to determine that Magecart skimming is about to take place. There is no physical manifestation of Magecart and it is not always easy to catch, because it takes advantage of universal code and other applications not typically related to payments.

ecommerace

Magecart is a consortium of at least six different hacking groups that target flaws in online shopping cart systems. The attackers like Magento to steal customer payment card information. Magento, an open-source e-commerce platform written in open-source PHP. At least initially attackers exploited a PHP Object Injection flaw (CVE-2016-4010) in the popular online shopping cart.

In order to run this compromise, the Magecart attacker substitutes a piece of Javascript code, either by altering the Magento source code or by redirecting the shopping cart using an injection to a website that hosts the malware to steal the credit card and user information.

Trend Micro Mirrorthief attack chainRiskIQ CEO Manousos warns;

Without greater awareness and an increased effort to implement necessary security controls, there will be more attacks using an ever-expanding range of technologies and strategies.

 

RiskIQ infographic

rb-

Firms that fall victim to attacks don’t just lose card info. They also lose time and productivity. Restoring hacked data and systems takes time and resources. The damage to a company’s reputation can cost it new and existing customers. Then there are the legal penalties from PCI, HIPAA, and the courts that come with mishandling customer information.

Like I keep saying – time to go back to the cash economy.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , ,
| August 31, 2019
Comments Off on Are Your VPNs – Virtual Pwnd Networks

Are Your VPNs – Virtual Pwnd Networks

Updated October 21, 2019 – The U.S. and U.K. spy agencies have issued separate cybersecurity advisories on 10/21/2019 urging users to patch and mitigate the VPN holes discussed below. The NSA advisory (PDF) warns that “multiple nation-states advanced persistent threat (APT) actors have weaponized” the flaws. The U.K.’s National Cyber Security Centre (NCSC) advisory is here.

Updated September 29, 2019 – SafeBreach Labs discovered a vulnerability in Forcepoint’s VPN client software. The flaw will give attackers unfettered access to its users’ Windows computers.

In its article detailing the bug, Forcepoint explained The flaw enables an attacker to insert their own executable which will run with administrative privileges, giving the attackers administrative access to the system. Forcepoint gave the bug a CVE number of 2019-6145 and a base severity score of 6.7. According to a  Forcepoint knowledge base article, the flaw is patched in version 6.6.1 of the Forcepoint VPN Client for Windows.

Updated September 10, 2019 –  ZDNet is reporting that the Chinese state-sponsored hacker group APT5 is targeting enterprise VPN servers from Fortinet and Pulse Secure since the security flaws discussed below became public knowledge last month. FireEye reports (PDF) that APT5 has been active since 2007 and has targeted multiple industries.

APT5 was reportedly one of the first to start scanning the internet and then later attempt to exploit vulnerabilities in the Fortinet and Pulse Secure VPN servers. The attackers sought to steal files storing password information or VPN session data from the affected products. These files would have allowed attackers to take over vulnerable devices.

Are Your VPNs - Virtual Pwnd NetworksEverybody loves their virtual private networks. SSL VPNs provide a convenient way for business users to connect to corporate networks while out of the office. A recent study by FlexJobs found 30% of workers have left a job because it did not offer flexible work options like remote work. Further, the report said, that 80% of staff would be more loyal to their employers if they had flexible work options and 52% of workers have tried to negotiate flexible work arrangements with their employer.

Great firewall of ChinaHackers love VPNs too

Last month VPNpro found that the majority of VPN services have close ties to China. CSO Online points out that if you are running a VPN that is developed and owned in China, then there is a serious chance that your information is not as private as you think. Every technology company that operates within China, including ISPs, are required to comply with any Chinese governmental request for data. That includes your data. The Chinese government has a long and well-documented history of hacking, favoring, and helping local businesses at the expense of foreign companies.

VPNpro also found that some Chinese firms own different VPNs split among different subsidiaries. For example, the Chinese company Innovative Connecting owns three separate businesses that produce VPN apps: Autumn Breeze 2018, Lemon Cove, and All Connected. In total, Innovative Connecting produces 10 seemingly unconnected VPN products, the study shows.

VPN attacksChina is not the only concern

VPNpro also found that seven of the top VPN services are owned by Gaditek, based in Pakistan. This means the Pakistani government can legally access any data without a warrant and data can also be freely handed over to foreign institutions, according to VPNpro.

VPNpro identified a further four companies: Super VPN & Free Proxy, Giga Studios, Sarah Hawken, and Fifa VPN, which together own 10 VPN services – where the parent company, and therefore the company of origin, is completely hidden.

If that is not scary enough – There are new reports that attackers are now targeting the devices used to attach VPNs to the network. Help Net Security reports that attackers are exploiting known flaws in Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations.

Flaws VPN installations

These attacks could allow attackers to steal passwords and gain full, remote access to an organization’s networks. Attackers have been targeting two vulnerabilities:

  • CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Connect Secure
  • CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal.

Researchers Meh Chang and Orange Tsai at Taipei City, Taiwan-based consultancy Devcore reported the flaws to Fortinet on Dec. 11, 2018, and to Pulse Secure on March 22, 2019.

In an August 9, 2019 blog post the Devcore researchers recapped their Black Hat 2019 demonstration. Tsai told TechCrunch in an email, “The SSL VPN is the most convenient way to connect to corporate networks … it’s also the shortest path to compromise their intranet.

Pulse Secure VPNs

Pulse Secure logoPrivately held California-based Pulse Secure released an update on April 24, 2019, to address these flaws and urged customers to upgrade all affected products “as soon as possible.” The vendor warned that aside from patching, no workaround would protect systems, “Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS).

Cyber threat intelligence firm Bad Packets has warned about activity aimed at vulnerable Pulse Connect Secure endpoints. So far they have found nearly 15,000 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510 across all sectors of the U.S. This includes:

  • U.S. military networks,
  • Hospitals,
  • Electric utilities,
  • Financial institutions, and
  • Fortune 500 companies.

Fortinet VPNs

Fortinet logo

Fortinet (FTNT) released a security advisory on May 24, 2019, to address these flaws and urged customers to update their firmware to safeguard themselves. In a blog post, the Devcore researchers wrote about the flaws they’d found in Fortinet devices, “In the login page, we found a special parameter called magic. Once the parameter meets a hardcoded string, we can modify any user’s password.”

Independent British security researcher Kevin Beaumont told BankInfoSecurity he was tracking attacks against Fortigate servers. Beaumont reported seeing “the Fortigate SSL VPN backdoor being used in the wild” against one of his honeypots.

ZDNet claims the number of vulnerable FortiGate VPNs is believed to be in the hundreds of thousands, although we don’t have an exact stat about the number of unpatched systems that are still vulnerable to attacks.

rb-

This isn’t the first time that serious flaws have been found and patched in enterprise-grade networking gear. In 2016 researchers found a vulnerability in Fortinet’s FortiGate OS – that functioned as an SSH backdoor and researchers found an authentication bypass flaw in Juniper Networks (JNPR) ScreenOS firmware.

Patch your systemsIn April 2019, U.S. Homeland Security issued a warning about vulnerabilities in many major corporate VPN applications. The VPN apps from — Cisco (CSCO), Palo Alto Networks (PANW), Pulse Secure, and F5 Networks (FFIV)— improperly store authentication tokens and session cookies on a user’s computer.

Obviously, there is no time to waste: firms should update their vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations as soon as possible.

Security researcher Kevin Beaumont told BankInfoSecurity:

Lots of companies have the basics around patching Windows and Linux down, as they have vulnerability management platforms and agents … Those don’t extend to FortiOS and Pulse Secure. So they just don’t patch as they never see [vulnerabilities].

Maybe firms should get their VPN devices on a regular update schedule before they become Virtual Pwnd Networks.

Related Posts

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , ,
| August 24, 2019
Comments Off on 8,200,000,000 Data Breaches

8,200,000,000 Data Breaches

8,200,000,000 Data Breaches2019 is on pace to be the worst year ever for data breaches. If things continue at the same pace 8.2 billion records will be exposed by the end of 2019. The threat intelligence firm Risk Based Security reports that during the first half of 2019 over 4.19 billion records were exposed in 3,813 reported breaches between January and July 2019.

Risk Based Security logoThose numbers work out to more than 20 data breaches a day. Eight mega-breaches that exposed more than 100 million records were reported. These web-based breaches were primarily the result of leaving databases accessible to third parties and failing to protect them. Forbes reports that these misconfigured databases and services accounted for 149 of the 3,813 incidents reported this year. According to Forbes, the mega-breaches exposed over 3.2 billion records and accounting for 78.6% of the total records exposed in the first half of 2019.

Largest data breaches

The 10 largest data breaches for the first half of 2019 are:

  1. Verifications.io (982 million),
  2. First American Financial (885 million),
  3. Cultura Colectiva (540 million),
  4. unknown organization in India  (275 million),
  5. unknown organization in China (202 million),
  6. Dubsmash (161 million),
  7. Canva (138 million),
  8. Justdial (100 million),
  9. Mobile Drip (80 million), and
  10. Unknown U.S. firm (80 million).

The Verifications.io, First American Financial, and Cultura Colectiva breaches are ranked among the top 10 breaches of all time based on the number of records exposed.

Database securityConsumer Affairs says the Verifications.io, an email marketing company whose misconfigured database exposed 982,864,972 names, addresses, and Facebook, LinkedIn, and Instagram accounts. The information associated with the breach includes email addresses, dates of birth, phone numbers, fax numbers, genders, IP addresses, and personal mortgage amounts. As a result of the incident, Verifications.io has ceased operations.

If you’ve bought a house, particularly in California, another breach may impact you. First American Financial Corporation exposed 885,000,000 records. Consumer Affairs writes that exposed data included real estate closing transaction records that contained names, Social Security numbers, phone numbers, email and physical addresses, driver’s license images, banking details, and mortgage lender names and loan numbers.

Other interesting data breach infobits

  • The number of breaches also reached a new high during the first half of 2019.
  • The average number of records lost per leak was just 230.
  • The majority of breaches had a moderate to low severity score and exposed 10,000 records or less.

Thankfully RBS says more critical data was less commonly stolen during attacks.

  • Electronic recordsSocial Security numbers were stolen in 11% of attacks,
  • Addresses were stolen in 11% of attacks,
  • Account numbers were stolen in 10% of attacks,
  • Birth dates were stolen in 6% of attacks,

The sectors impacted

  • Healthcare 224 breaches,
  • Retail 199 breaches,
  • Finance and insurance 183 breaches,
  • Government and information 160 breaches each, and
  • Education 99 breaches..

Inga Goddijn, executive vice-president at Risk Based Security told ComputerWeekly.com,

It is hard to be optimistic about the outlook for the year … The number of breaches is up and the number of records exposed remains stubbornly high. Despite best efforts and awareness among business leaders and defenders, data breaches continue to take place at an alarming rate.

Phishing

Phishing

Phishing is a tried and tested first step for gaining access to systems and services, the report said. The phished data can be used to perpetuate attach. The most frequently stolen data are email addresses and passwords. These credentials are valuable to attackers because they can be used across multiple domains (because we know users don’t use unique IDs for each account) for credential stuffing. These credentials can also be changed by the attacker (or the Owner). The report points out that 70% of the known breaches included email addresses and 65% included passwords.

Phishing can also lead to other critical but less monetized data. The report said phishing can lead to the exposure of unusual or unexpected types of data, including electronic signatures, calendars, marriage certificates, and company-issued employee ID numbers, all valuable for social engineering or spear-phishing attacks.

rb-

Script babyBusinesses need to get their security act together – they were responsible for over 2/3’s of the breaches by RBS. The garden variety cyber-criminal is a script-kiddie who will run automated scripts looking for unsecured databases in order to scrape up any data they can. The big breaches make the headlines, but the everyday incidents make the money for most attackers.

Related Posts

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , ,
« Older Entries   Recent Entries »