January 24, 2021

Design Visionary SCIENCE

"A hero is not chosen but the opportunities make him force to take a step no matter how much it costs!"

Global Cyber Security News

Here my intention is to list the latest and most important cyber security news from well-known websites around the world, so that we can follow the latest developments in the cyber security sector. Since there are risks and uncertainties in the world due to health problems, there can also be risks to PC and mobile phone security arising from cyber technology. So we can collaborate to check the latest news on one page for the benefit of the community. You can see the latest RSS feed items together on this page, then check the source web pages for your own work. For more details, see the source pages. Here they are simply listed!

  • New Year, new password protections in Chrome
    by Scott Westover on January 19, 2021 at 9:31 pm

    Posted by Ali Sarraf, Product Manager, Chrome

    Passwords help protect our online information, which is why it’s never been more important to keep them safe. But when we’re juggling dozens (if not hundreds!) of passwords across various websites—from shopping, to entertainment to personal finance—it feels like there’s always a new account to set up or manage. While it’s definitely a best practice to have a strong, unique password for each account, it can be really difficult to remember them all—that’s why we have a password manager in Chrome to back you up. As you browse the web, on your phone, computer or tablet, Chrome can create, store and fill in your passwords with a single click. We'll warn you if your passwords have been compromised after logging in to sites, and you can always check for yourself in Chrome Settings. As we kick off the New Year, we’re excited to announce new updates that will give you even greater control over your passwords:

    Easily fix weak passwords

    We’ve all had moments where we’ve rushed to set up a new login, choosing a simple “name-of-your-pet” password to get set up quickly. However, weak passwords expose you to security risks and should be avoided. In Chrome 88, you can now complete a simple check to identify any weak passwords and take action easily. To check your passwords, click on the key icon under your profile image, or type chrome://settings/passwords in your address bar.

    Edit your passwords in one place

    Chrome can already prompt you to update your saved passwords when you log in to websites. However, you may want to update multiple usernames and passwords easily, in one convenient place. That’s why starting in Chrome 88, you can manage all of your passwords even faster and easier in Chrome Settings on desktop and iOS (Chrome’s Android app will be getting this feature soon, too).

    Building on the 2020 improvements

    These new updates come on top of many improvements from last year which have all contributed to your online safety and make browsing the web even easier:

      • Password breaches remain a critical concern online. So we’re proud to share that Chrome’s Safety Check is used 14 million times every week! As a result of Safety Check and other improvements launched in 2020, we’ve seen a 37% reduction in compromised credentials stored in Chrome.
      • Starting last September, iOS users were able to autofill their saved passwords in other apps and browsers. Today, Chrome is streamlining 3 million sign-ins across iOS apps every week!
      • We also made password filling more secure for Chrome on iOS users by adding biometric authentication (coming soon to Chrome on Android).
      • We’re always looking for ways to improve the user experience, so we made the password manager easier to use on Android with features like Touch-to-fill.

    The new features with Chrome 88 will be rolled out over the coming weeks, so take advantage of the new updates to keep your passwords secure. Stay tuned for more great password features throughout 2021.

  • How the Atheris Python Fuzzer Works
    by Sarah O'Rourke on December 9, 2020 at 5:00 pm

    Posted by Ian Eldred Pudney, Google Information Security

    On Friday, we announced that we’ve released the Atheris Python fuzzing engine as open source. In this post, we’ll briefly talk about its origins, and then go into lots more detail on how it works.

    The Origin Story

    Every year since 2013, Google has held a “Fuzzit”, an internal event where Googlers write fuzzers for their code or open source software. By October 2019, however, we’d already written fuzzers for most of the open-source C/C++ code we use. So for that Fuzzit, the author of this post wrote a Python fuzzing engine based on libFuzzer. Since then, over 50 Python fuzzers have been written at Google, and countless bugs have been reported and fixed.

    Originally, this fuzzing engine could only fuzz native extensions, as it did not support Python coverage. But over time, the fuzzer morphed into Atheris, a high-performance fuzzing engine that supports both native and pure-Python fuzzing.

    A Bit of Background

    Atheris is a coverage-guided fuzzer. To use Atheris, you specify an “entry point” via atheris.Setup(). Atheris will then rapidly call this entry point with different inputs, hoping to produce a crash. While doing so, Atheris will monitor how the program execution changes based on the input, and will attempt to find new and interesting code paths. This allows Atheris to find unexpected and buggy behavior very effectively.

        import atheris
        import sys

        def TestOneInput(data):  # Our entry point
          if data == b"bad":
            raise RuntimeError("Badness!")

        atheris.Setup(sys.argv, TestOneInput)
        atheris.Fuzz()

    Atheris is a native Python extension, and uses libFuzzer to provide its code coverage and input generation capabilities. The entry point passed to atheris.Setup() is wrapped in the C++ entry point that’s actually passed to libFuzzer. This wrapper will then be invoked by libFuzzer repeatedly, with its data proxied back to Python.

    Python Code Coverage

    Atheris is a native Python extension, and is typically compiled with libFuzzer linked in. When you initialize Atheris, it registers a tracer with CPython to collect information about Python code flow. This tracer can keep track of every line reached and every function executed.

    We need to get this trace information to libFuzzer, which is responsible for generating code coverage information. There’s a problem, however: libFuzzer assumes that the amount of code is known at compile-time. The two primary code coverage mechanisms are __sanitizer_cov_pcs_init (which registers a set of program counters that might be visited) and __sanitizer_cov_8bit_counters_init (which registers an array of booleans that are to be incremented when a basic block is visited). Both of these need to know at initialization time how many program counters or basic blocks exist. But in Python, that isn’t possible, since code isn’t loaded until well after Python starts. We can’t even know it when we start the fuzzer: it’s possible to dynamically import code later, or even generate code on the fly.

    Thankfully, libFuzzer supports fuzzing shared libraries loaded at runtime. Both __sanitizer_cov_pcs_init and __sanitizer_cov_8bit_counters_init are able to be safely called from a shared library in its constructor (called when the library is loaded). So, Atheris simulates loading shared libraries! When tracing is initialized, Atheris first calls those functions with an array of 8-bit counters and completely made-up program counters. Then, whenever a new Python line is reached, Atheris allocates a PC and 8-bit counter to that line; Atheris will always report that line the same way from then on. Once Atheris runs out of PCs and 8-bit counters, it simply loads a new “shared library” by calling those functions again. Of course, exponential growth is used to ensure that the number of shared libraries doesn’t become excessive.

    What's Special about Python 3.8+?

    In the README, we advise users to use Python 3.8+ where possible. This is because Python 3.8 added a new feature: opcode tracing. Not only can we monitor when every line is visited and every function is called, but we can actually monitor every operation that Python performs, and what arguments it uses. This allows Atheris to find its way through if statements much better.

    When a COMPARE_OP opcode is encountered, indicating a boolean comparison between two values, Atheris inspects the types of the values. If the values are bytes or Unicode, Atheris is able to report the comparison to libFuzzer via __sanitizer_weak_hook_memcmp. For integer comparison, Atheris uses the appropriate function to report integer comparisons, such as __sanitizer_cov_trace_cmp8.

    In recent Python versions, a Unicode string is actually represented as an array of 1-byte, 2-byte, or 4-byte characters, based on the size of the largest character in the string. The obvious solution for coverage is to:

      • First, compare the two strings for equivalent character size and report it as an integer comparison with __sanitizer_cov_trace_cmp8.
      • Second, if they’re equal, call __sanitizer_weak_hook_memcmp to report the actual string comparison.

    However, performance measurements discovered that the surprising best strategy is to convert both strings to utf-8, then compare those with __sanitizer_weak_hook_memcmp. Even with the performance overhead of conversion, libFuzzer makes progress much faster.

    Building Atheris

    Most of the effort to release Atheris was simply making it build outside of Google’s environment. At Google, building a Python project builds its entire universe of dependencies, including the Python interpreter. This makes it trivial for us to use libFuzzer with our projects - we just compile it into our Python interpreter, along with Address Sanitizer or whatever other features we want.

    Unfortunately, outside of Google, it’s not that simple. We had many false starts regarding how to link libFuzzer with Atheris, including making it a standalone shared object, preloading it, etc. We eventually settled on linking it into the Atheris shared object, as it provides the best experience for most users.

    However, this strategy still required us to make minor changes to libFuzzer, to allow it to be called as a library. Since most users won’t have the latest Clang and it typically takes several years for distributions to update their Clang installation, actually getting this new libFuzzer version would be quite difficult for most people, making Atheris installation a hassle. To avoid this, we actually patch libFuzzer if it’s too old. Atheris’s setup.py will detect an out-of-date libFuzzer, make a copy of it, mark its fuzzer entry point as visible, and inject a small wrapper to allow it to be called via the name LLVMFuzzerRunDriver. If the libFuzzer is sufficiently new, we just call it using LLVMFuzzerRunDriver directly.

    The true problem comes from fuzzing native extensions with sanitizers. In theory, fuzzing a native extension with Atheris should be trivial - just build it with -fsanitize=fuzzer-no-link, and make sure Atheris is loaded first. Those magic function calls that Clang injected will point to the libFuzzer symbols inside Atheris. When just fuzzing a native extension without sanitizers, it actually is that simple. Everything works. Unfortunately, sanitizers make everything more complex.

    When using a sanitizer like Address Sanitizer with Atheris, it’s necessary to LD_PRELOAD the sanitizer’s shared object. ASan requires that it be loaded first, before anything else; it must either be preloaded, or statically linked into the executable (in this case, the Python interpreter). ASan and UBSan define many of the same code coverage symbols as libFuzzer. In typical libFuzzer usage, this isn’t an issue, since ASan/UBSan declare those symbols weak; the libFuzzer ones take precedence. But when libFuzzer is loaded in a shared object later, that doesn’t work. The symbols from ASan/UBSan have already been loaded via LD_PRELOAD, and coverage information therefore goes to those libraries, leaving libFuzzer very broken.

    The only good way to solve this is to link libFuzzer into python itself, instead of Atheris. Since it’s therefore part of the proper executable rather than a shared object that’s dynamically loaded later, symbol resolution works correctly and libFuzzer symbols take precedence. This is nontrivial. We’ve provided documentation about this, and a script to build a modified CPython 3.8.6. These scripts will use the same possibly-patched libFuzzer as Atheris.

    Why is it called Atheris?

    Atheris Hispida, or the “Hairy bush viper”, is the closest thing that exists to a fuzzy Python.
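    To make the coverage plumbing described in the Atheris post concrete, here is an added example written for this page (it is not Atheris's own code, which is a C++ extension bound to libFuzzer). It is a pure-Python miniature of the same design: a CPython line tracer installed with sys.settrace, a CoverageMap that assigns each newly reached line a slot in an 8-bit counter array and, when the array is full, "registers" a new region twice as large (standing in for the simulated shared-library loads), and a fuzz loop that keeps every input which reached a new line and stops at the first uncaught exception. The names CoverageMap, run_once, fuzz, mutate and the four-check target program are constructed for the illustration; only sys.settrace and the standard library are real interfaces.

```python
import random
import sys
from dataclasses import dataclass
from typing import Optional


class CoverageMap:
    """Line -> counter-slot bookkeeping. Each bytearray in `regions` stands for
    one counter array that Atheris would hand to libFuzzer through
    __sanitizer_cov_8bit_counters_init; here it is simulated in plain Python."""

    def __init__(self, initial_size=4):
        self.regions = [bytearray(initial_size)]
        self.slot_of = {}    # (function name, line number) -> (region index, offset)
        self.next_free = 0   # first unused offset in the newest region

    @property
    def registrations(self):
        """Number of counter regions 'loaded' so far (Atheris: fake shared libraries)."""
        return len(self.regions)

    def _allocate(self, key):
        if self.next_free >= len(self.regions[-1]):
            # Out of counters: register a new region twice as large, so the region
            # count grows only logarithmically with the amount of code seen.
            self.regions.append(bytearray(len(self.regions[-1]) * 2))
            self.next_free = 0
        self.slot_of[key] = (len(self.regions) - 1, self.next_free)
        self.next_free += 1
        return self.slot_of[key]

    def hit(self, key):
        """Bump the 8-bit counter for a line (allocating a slot on first sight);
        returns True when the line has never been reached before."""
        is_new = key not in self.slot_of
        region, off = self._allocate(key) if is_new else self.slot_of[key]
        self.regions[region][off] = (self.regions[region][off] + 1) & 0xFF
        return is_new

    def reset_counters(self):
        """libFuzzer zeroes counters before each run; the slot map persists."""
        for region in self.regions:
            region[:] = bytes(len(region))


def run_once(cov, target, data):
    """Run target(data) under a line tracer (the CPython hook Atheris registers).
    Returns (number of never-before-seen lines, exception or None)."""
    cov.reset_counters()
    traced_file = target.__code__.co_filename
    new_lines = 0

    def local_tracer(frame, event, arg):
        nonlocal new_lines
        if event == "line" and cov.hit((frame.f_code.co_name, frame.f_lineno)):
            new_lines += 1
        return local_tracer

    def global_tracer(frame, event, arg):
        # Follow only frames from the file under test, as Atheris traces only the code you ask it to.
        return local_tracer if frame.f_code.co_filename == traced_file else None

    error = None
    sys.settrace(global_tracer)
    try:
        target(data)
    except Exception as exc:  # any uncaught exception is the "crash" we are hunting
        error = exc
    finally:
        sys.settrace(None)
    return new_lines, error


def mutate(data, rng):
    """Single random byte overwrite; libFuzzer has a far richer mutator."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


@dataclass
class FuzzResult:
    crash_input: Optional[bytes]   # None if no crash was found within max_runs
    runs: int
    coverage: CoverageMap


def fuzz(target, seed=b"\x00\x00\x00\x00", max_runs=300_000, rng_seed=1):
    """Mutate from a corpus, keep inputs that reach new lines, stop at the first
    exception: the loop Atheris drives through libFuzzer, in miniature."""
    rng = random.Random(rng_seed)
    cov = CoverageMap()
    corpus = [seed]
    _, error = run_once(cov, target, seed)          # baseline coverage of the seed
    if error is not None:
        return FuzzResult(seed, 1, cov)
    for runs in range(2, max_runs + 1):
        candidate = mutate(rng.choice(corpus), rng)
        new_lines, error = run_once(cov, target, candidate)
        if error is not None:
            return FuzzResult(candidate, runs, cov)
        if new_lines:
            corpus.append(candidate)                # new coverage: worth mutating further
    return FuzzResult(None, max_runs, cov)


def target(data):
    """Constructed program under test: it crashes only for inputs that pass four
    nested checks, which blind random search almost never clears but coverage
    guidance solves one byte at a time."""
    if len(data) < 4:
        return
    if data[0] == ord("F"):
        if data[1] == ord("U"):
            if data[2] == ord("Z"):
                if data[3] == ord("Z"):
                    raise RuntimeError("Badness!")


if __name__ == "__main__":
    result = fuzz(target)
    print(f"crash input {result.crash_input!r} after {result.runs} runs; "
          f"{len(result.coverage.slot_of)} lines in {result.coverage.registrations} counter regions")
```

    Running the script finds the crashing input b"FUZZ" in a few thousand executions, because each nested if body is a new line that earns its input a place in the corpus. With the initial region of four counters, the six or seven lines in target spill into a second, eight-counter region, which is the "load another shared library" step the post describes. What this toy deliberately lacks is the Python 3.8+ opcode tracing: Atheris reports COMPARE_OP operands to libFuzzer's comparison hooks so that each check is solved in one step rather than by guessing bytes.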

  • Announcing Bonus Rewards for V8 Exploits
    by Scott Westover on December 8, 2020 at 6:00 pm

    Posted by Martin Barbella, Chrome Vulnerability Rewards Panelist

    Starting today, the Chrome Vulnerability Rewards Program is offering a new bonus for reports which demonstrate exploitability in V8, Chrome’s JavaScript engine. We have historically had many great V8 bugs reported (thank you to all of our reporters!) but we'd like to know more about the exploitability of different V8 bug classes, and what mechanisms are effective to go from an initial bug to a full exploit. That's why we're offering this additional reward for bugs that show how a V8 vulnerability could be used as part of a real world attack. In the past, exploits had to be fully functional to be rewarded at our highest tier, high-quality report with functional exploit. Demonstration of how a bug might be exploited is one factor that the panel may use to determine that a report is high-quality, our second highest tier, but we want to encourage more of this type of analysis. This information is very useful for us when planning future mitigations, making release decisions, and fixing bugs faster. We also know it requires a bit more effort for our reporters, and that effort should be rewarded. For the time being this only applies to V8 bugs, but we’re curious to see what our reporters come up with!

    The full details are available on the Chrome VRP rules page. At a high-level, we’re offering increased reward amounts, up to double, for qualifying V8 bugs. The following table shows the updated reward amounts for reports qualifying for this new bonus. These new, higher values replace the normal reward. If a bug in V8 doesn’t fit into one of these categories, it may still qualify for an increased reward at the panel’s discretion.

    [1] Baseline reports are unable to meet the requirements to qualify for this special reward.

    So what does a report need to do to demonstrate that a bug is likely exploitable? Any V8 bug report which would have previously been rewarded at the high-quality report with functional exploit level will likely qualify with no additional effort from the reporter. By definition, these demonstrate that the issue was exploitable. V8 reports at the high-quality level may also qualify if they include evidence that the bug is exploitable as part of their analysis. See the rules page for more information about our reward levels. The following are some examples of how a report could demonstrate that exploitation is likely, but any analysis or proof of concept will be considered by the panel:

      • Executing shellcode from the context of Chrome or d8 (V8’s developer shell)
      • Creating an exploit primitive that allows arbitrary reads from or writes to specific addresses or attacker-controlled offsets
      • Demonstrating instruction pointer control
      • Demonstrating an ASLR bypass by computing the memory address of an object in a way that’s exposed to script
      • Providing analysis of how a bug could lead to type confusion with a JSObject

    For example reports, see issues 914736 and 1076708. We’d like to thank all of our VRP reporters for helping us keep Chrome users safe! We look forward to seeing what you find.

    -The Chrome Vulnerability Rewards Panel

  • OpenTitan at One Year: the Open Source Journey to Secure Silicon
    by Sarah O'Rourke on December 7, 2020 at 9:29 pm

    Posted by Dominic Rizzo, OpenTitan Lead, Google

    During the past year, OpenTitan has grown tremendously as an open source project and is on track to provide transparent, trustworthy, and cost-free security to the broader silicon ecosystem. OpenTitan, the industry’s first open source silicon root of trust, has rapidly increased engineering contributions, added critical new partners, selected our first tapeout target, and published a comprehensive logical security model for the OpenTitan silicon, among other accomplishments.

    OpenTitan by the Numbers

    OpenTitan has doubled many metrics in the year since our public launch: in design size, verification testing, software test suites, documentation, and unique collaborators at least. Crucially, this growth has been both in the design verification collateral required for high volume production-quality silicon, as well as the digital design itself, a first for any open source silicon project.

      • More than doubled the number of commits at launch: from 2,500 to over 6,100 (across OpenTitan and the Ibex RISC-V core sub-project).
      • Grew to over 141K lines of code (LOC) of System Verilog digital design and verification.
      • Added 13 new IP blocks to grow to a total of 29 distinct hardware units.
      • Implemented 14 Device Interface Functions (DIFs) for a total 15 KLOC of C11 source code and 8 KLOC of test software.
      • Increased our design verification suite to over 66,000 lines of test code for all IP blocks.
      • Expanded documentation to over 35,000 lines of Markdown.
      • Accepted contributions from 52 new unique contributors, bringing our total to 100.
      • Increased community presence as shown by an aggregate of over 1,200 Github stars between OpenTitan and Ibex.

    [Figure: One year of OpenTitan and Ibex growth on GitHub: the total number of commits grew from 2,500 to over 6,100.]

    High quality development is one of OpenTitan’s core principles. Besides our many style guides, we require thorough documentation and design verification for each IP block. Each piece of hardware starts with auto-generated documentation to ensure consistency between documentation and design, along with extensive, progressively improving, design verification as it advances through the OpenTitan hardware stages to reach tapeout readiness.

    [Figure: One year of growth in Design Verification: from 30,000 to over 65,000 lines of testing source code. Each color represents design verification for an individual IP block.]

    Innovating for Open Silicon Development

    Besides writing code, we have made significant advances in developing processes and security framework for high quality, secure open source silicon development. Design success is not just measured by the hardware; highly functional software and a firm contract between the two, with well-defined interfaces and well-understood behavior, play an important role.

    OpenTitan’s hardware-software contract is realized by our DIF methodology, yet another way in which we ensure hardware IP quality. DIFs are a form of hardware-software co-design and the basis of our chip-level design verification testing infrastructure. Each OpenTitan IP block requires a style guide-compliant DIF, and this year we implemented 14 DIFs for a total 15 KLOC of C11 source code and 8 KLOC of tests.

    We also reached a major milestone by publishing an open Security Model for a silicon root of trust, an industry first. This comprehensive guidance demonstrates how OpenTitan provides the core security properties required of a secure root of trust. It covers provisioning, secure boot, device identity, and attestation, and our ownership transfer mechanism, among other topics.

    Expanding the OpenTitan Ecosystem

    Besides engineering effort and methodology development, the OpenTitan coalition added two new Steering Committee members in support of lowRISC as an open source not-for-profit organization: Seagate, a leader in storage technology, and Giesecke and Devrient Mobile Security, a major producer of certified secure systems. We also chartered our Technical Committee to steer technical development of the project. Technical Committee members are drawn from across our organizational and individual contributors, approving 9 technical RFCs and adding 11 new project committers this past year.

    On the strength of the OpenTitan open source project’s engineering progress, we are excited to announce today that Nuvoton and Google are collaborating on the first discrete OpenTitan silicon product. Much like the Linux kernel is itself not a complete operating system, OpenTitan’s open source design must be instantiated in a larger, complete piece of silicon. We look forward to sharing more on the industry’s first open source root of trust silicon tapeout in the coming months.

    Onward to 2021

    OpenTitan’s future is bright, and as a project it fully demonstrates the potential for open source design to enable collaboration across disparate, geographically far flung teams and organizations, to enhance security through transparency, and enable innovation in the open. We could not do this without our committed project partners and supporters, to whom we owe all this progress: Giesecke and Devrient Mobile Security, Western Digital, Seagate, the lowRISC CIC, Nuvoton, ETH Zürich, and many independent contributors.

    Interested in contributing to the industry's first open source silicon root of trust? Contact us here.

  • Improving open source security during the Google summer internship program
    by Sarah O'Rourke on December 7, 2020 at 6:25 pm

    Posted by the Information Security Engineering team at Google

    Every summer, Google’s Information Security Engineering (ISE) team hosts a number of interns who work on impactful projects to help improve security at Google. This year was no different—well, actually it was a little bit different because internships went virtual. But our dedication to security was still front and center as our intern team worked on improvements in open source software.

    Open source software is the foundation of many modern software products. Over the years, developers increasingly have relied on reusable open source components for their applications. It is paramount that these open source components are secure and reliable. The focus of this year’s intern projects reflects ISE’s general approach of tackling security issues at scale, and can be split into three main areas:

      • Vulnerability research: Finding new vulnerabilities, developing infrastructure to search for known bug classes at scale, and experimenting with new detection approaches.
      • Mitigation and hardening: Developing hardening approaches with the goal of fully eliminating specific vulnerability classes or mitigating their impact.
      • Security education: Sharing knowledge to increase awareness among developers and to help train security engineers.

    Vulnerability research

    Fuzzing is a highly effective method of uncovering memory-corruption vulnerabilities in C and C++ applications. With OSS-Fuzz, Google provides a platform for fuzzing open source software. One of this year’s intern projects ported internal fuzz targets to OSS-Fuzz, which led to the discovery of new bugs. In this context, our interns experimented with setting up fuzzing for difficult fuzz targets such as the state machines of Memcached and Redis. Additionally, they added new fuzzers for complicated targets like nginx, PostgreSQL, and Envoy, a widely used cloud-native high-performance proxy.

    State-of-the-art fuzzing frameworks like AFL, libFuzzer, and Honggfuzz leverage feedback such as code coverage to guide the fuzzer. Recent academic papers suggest that symbolic execution can complement existing fuzzing frameworks to find bugs that are difficult for random mutation-based fuzzers to find. Our interns evaluated the possibility of using KLEE to augment libFuzzer and AFL. In particular, they found that adding KLEE to existing fuzzing frameworks provides benefits for fuzz targets such as sqlite and lcms. However, at this point in time, there is still work to be done before symbolic execution can be performed at scale (e.g., in OSS-Fuzz).

    In addition to finding memory-corruption vulnerabilities, fuzzing can help find logic vulnerabilities. This can be difficult as it requires understanding the semantics of the target application. One approach uses differential testing to find different behaviors in applications that are supposed to behave in the same way. One of our intern projects this summer looked into leveraging differential fuzzing to expose logic vulnerabilities and found a number of cases where YAML parsers handle edge cases differently.

    Other intern projects this summer focused on the search for application-specific vulnerabilities. Our interns aimed to discover common Google Kubernetes Engine (GKE) misconfigurations. The recently launched GKE-Auditor, created by one of our interns, implements 18 detectors to find misconfigurations in Node isolation, role-based access control, and pod security policies. Another project implemented regression tests for the Google Compute Engine (GCE) metadata server. Finally, one intern project looked into improving Visual Studio Code (VSCode), a popular cross-platform code editor that is based on Electron which combines the Chromium rendering engine and the Node.js runtime. VSCode can be vulnerable to DOM cross-site scripting attacks. For this reason, our intern’s work centered on making VSCode Trusted Types-compliant by using and contributing to the static and dynamic analysis tools to find violations. This work not only led to an improvement of VSCode, but also of Chromium.

    Hardening

    Because finding all vulnerabilities is an impossible task, we always look for ways to mitigate their impact or eliminate certain vulnerability classes completely. The main focus of this year’s hardening projects was to enable security enhancements for major web frameworks and to provide sandboxing for popular libraries written in memory-unsafe languages such as C and C++.

    In an effort to make the web more secure, our intern team added security enhancements including Content Security Policy (CSP), Fetch Metadata Request Headers, Cross-Origin Opener Policy (COOP), and Cross-Origin Embedder Policy (COEP) to a number of existing web frameworks (our previous post provides a good overview of these mitigations).

    As a result, these web security features were implemented in a number of common application frameworks, including Apache Struts [CSP, COOP/COEP], Apache Wicket [Fetch Metadata, COOP/COEP], .NET Core [CSP], Django [Trusted Types, COOP], and WordPress [Fetch Metadata, CSP]. We're looking forward to working with open source maintainers to further develop and integrate these defenses into more popular frameworks!

    Sandboxing

    Executing native code that comes from untrusted origins or processes data from untrusted sources is risky because it may be malicious or contain vulnerabilities. Sandboxing mitigates these risks by executing code in a low-privileged environment.

    This process often requires modifying the interfaces of third-party libraries and setting up their execution environment. Sandboxed API is a framework to help with these tasks that is used at Google. Our interns also worked on providing reusable sandboxes for popular open source libraries such as curl, OpenJPEG, LoadPNG, LibUV, and libTIFF. Now, anyone who wants to use these libraries to process untrusted data can do so safely.

    Education

    Capture the flag (CTF) competitions are useful for transferring security knowledge and training security engineers. The kCTF project provides a Kubernetes-based infrastructure which offers a hardened environment to securely deploy CTF tasks and isolate them from each other. One intern project added a number of improvements to the documentation, including enabling version control to allow multiple authors to work on one challenge and simplifying CTF’s usage.

    We would like to thank all of our interns for their hard work this summer! For more information on the Google internship program and other student opportunities, check out careers.google.com/students.

  • Week in security with Tony Anscombe
    by Editor on January 22, 2021 at 4:15 pm

    ESET research analyzes the Vadokrist banking trojan – Beware smishing scams – WhatsApp postpones privacy policy changes

    The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

  • Why do we fall for SMS phishing scams so easily?
    by Jake Moore on January 22, 2021 at 10:30 am

    Here’s how to spot scams where criminals use deceptive text messages to hook and reel in their marks

    The post Why do we fall for SMS phishing scams so easily? appeared first on WeLiveSecurity

  • Vadokrist: A wolf in sheep’s clothing
    by ESET Research on January 21, 2021 at 10:30 am

    Another in our occasional series demystifying Latin American banking trojans

    The post Vadokrist: A wolf in sheep’s clothing appeared first on WeLiveSecurity

  • DNSpooq bugs expose millions of devices to DNS cache poisoning
    by Amer Owaida on January 20, 2021 at 9:12 pm

    Security flaws in a widely used DNS software package could allow attackers to send users to malicious websites or to remotely hijack their devices

    The post DNSpooq bugs expose millions of devices to DNS cache poisoning appeared first on WeLiveSecurity

  • FBI warns of voice phishing attacks stealing corporate credentials
    by Amer Owaida on January 19, 2021 at 7:38 pm

    Criminals coax employees into handing over their access credentials and use the login data to burrow deep into corporate networks

    The post FBI warns of voice phishing attacks stealing corporate credentials appeared first on WeLiveSecurity

  • DDoS-Guard To Forfeit Internet Space Occupied by Parler
    by BrianKrebs on January 21, 2021 at 3:48 pm

    Parler, the beleaguered social network advertised as a "free speech" alternative to Facebook and Twitter, has had a tough month. Apple and Google removed the Parler app from its stores, and Amazon blocked the platform from using its hosting services. Parler has since found a home in DDoS-Guard, a Russian digital infrastructure company. But now it appears DDoS-Guard is about to be relieved of more than two-thirds of the Internet address space the company leases to clients -- including the Internet addresses currently occupied by Parler.

  • New Charges Derail COVID Release for Hacker Who Aided ISIS
    by BrianKrebs on January 19, 2021 at 6:39 pm

    A hacker serving a 20-year sentence for stealing personal data on 1,300 U.S. military and government employees and giving it to an Islamic State hacker group in 2015 has been charged once again with fraud and identity theft. The new charges have derailed plans to deport him under compassionate release because of the COVID-19 pandemic.

  • Joker’s Stash Carding Market to Call it Quits
    by BrianKrebs on January 18, 2021 at 7:50 pm

    Joker's Stash, by some accounts the largest underground shop for selling stolen credit card and identity data, says it's closing up shop effective mid-February 2021. The announcement came on the heels of a turbulent year for the major cybercrime store, and just weeks after U.S. and European authorities seized a number of its servers.

  • Microsoft Patch Tuesday, January 2021 Edition
    by BrianKrebs on January 13, 2021 at 1:32 am

    Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. Ten of the flaws earned Microsoft's most-dire "critical" rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.

  • SolarWinds: What Hit Us Could Hit Others
    by BrianKrebs on January 12, 2021 at 8:50 pm

    New research into the malware that set the stage for the megabreach at IT vendor SolarWinds shows the perpetrators spent months inside the company's software development labs honing their attack before inserting malicious code into updates that SolarWinds then shipped to thousands of customers. More worrisome, the research suggests the insidious methods used by the intruders to subvert the company's software development pipeline could be repurposed against many other major software providers.

  • Friday Squid Blogging: Vegan Chili Squid
    by Bruce Schneier on January 22, 2021 at 10:19 pm

    The restaurant chain Wagamama is selling a vegan version of its Chilli Squid side dish made from king oyster mushrooms. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here.

  • SVR Attacks on Microsoft 365
    by Bruce Schneier on January 21, 2021 at 12:31 pm

    FireEye is reporting the current known tactics that the SVR used to compromise Microsoft 365 cloud data as part of its SolarWinds operation:

    Mandiant has observed UNC2452 and other threat actors moving laterally to the Microsoft 365 cloud using a combination of four primary techniques:

    Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism...
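    A forged (Golden SAML) token is cryptographically valid, so signature checks at the resource provider cannot catch it; the token is simply one that AD FS never issued. One detection approach is therefore to correlate the cloud side's federated sign-ins with the federation server's own token-issuance audit events and flag sign-ins that have no matching issuance. The block below is an added example from the editor, not code from FireEye, Mandiant or Microsoft; the log records, field names and users are constructed stand-ins for real AD FS audit events and Microsoft 365 sign-in logs, and the five-minute window is an assumption that must be tuned for clock skew between the two systems.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry). Each AD FS record stands in for a
# token-issuance audit event on the federation server; each cloud record stands
# in for a sign-in observed at the federated resource provider.
ADFS_ISSUANCE_EVENTS = [
    {"time": "2021-01-20T09:00:05Z", "user": "alice@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
    {"time": "2021-01-20T09:30:00Z", "user": "bob@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
]
CLOUD_SIGNINS = [
    {"time": "2021-01-20T09:00:07Z", "user": "alice@corp.example", "auth": "federated"},
    {"time": "2021-01-20T09:30:02Z", "user": "bob@corp.example", "auth": "federated"},
    # Federated sign-in with no issuance event on AD FS: the token came from elsewhere.
    {"time": "2021-01-20T11:15:00Z", "user": "admin@corp.example", "auth": "federated"},
    # Cloud-only password sign-in; not federated, so AD FS is not expected to know it.
    {"time": "2021-01-20T12:00:00Z", "user": "carol@corp.example", "auth": "cloud_password"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_unmatched_federated_signins(adfs_events, cloud_signins,
                                     window=timedelta(minutes=5)):
    """Return federated cloud sign-ins for which AD FS recorded no token issuance
    for the same user within `window` before the sign-in. A token the cloud
    accepted but AD FS never issued is the signature of a forged assertion."""
    issued = {}
    for e in adfs_events:
        issued.setdefault(e["user"].lower(), []).append(_ts(e["time"]))

    unmatched = []
    for s in cloud_signins:
        if s["auth"] != "federated":
            continue
        t = _ts(s["time"])
        candidates = issued.get(s["user"].lower(), [])
        if not any(0 <= (t - it).total_seconds() <= window.total_seconds()
                   for it in candidates):
            unmatched.append(s)
    return unmatched


if __name__ == "__main__":
    for hit in find_unmatched_federated_signins(ADFS_ISSUANCE_EVENTS, CLOUD_SIGNINS):
        print(f"no AD FS issuance for federated sign-in: {hit['user']} at {hit['time']}")
```

    Two caveats a practitioner should keep in mind: an attacker who already owns the AD FS host can also suppress or fabricate its audit events, so the AD FS log should be forwarded to a collector the federation server cannot rewrite; and because the token-signing certificate itself is the crown jewel here, any unexpected change to the certificate configured on AD FS or on the cloud tenant deserves the same alert.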

  • Sophisticated Watering Hole Attack
    by Bruce Schneier on January 20, 2021 at 12:00 pm

    Google’s Project Zero has exposed a sophisticated watering-hole attack targeting both Windows and Android:

    Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers (both companies have since patched the security flaws). The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace the sites with code that installs malware on visitors’ devices. The boobytrapped sites made use of two exploit servers, one for Windows users and the other for users of Android...

  • Injecting a Backdoor into SolarWinds Orion
    by Bruce Schneier on January 19, 2021 at 12:16 pm

    Crowdstrike is reporting on a sophisticated piece of malware that was able to inject malware into the SolarWinds build process:

    Key Points

    SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.

    SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.

    Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence...
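    The defensive lesson from a source file being swapped while the compiler runs is that a source-integrity check has to look at the files at the moment they are compiled, not before the build starts or after it finishes: a build host that compares the checkout to a manifest only at those two points can be fooled by a swap that is undone before the post-build check. The block below is an added example from the editor, not CrowdStrike's or SolarWinds' code, and makes no claim about how Orion is actually built; the file names under `src/` and the single-line "injected" content are hypothetical. It digests a source tree against a manifest taken from the clean checkout and shows that a check performed during compilation catches the substitution while pre- and post-build checks do not.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=(".cs",)) -> dict:
    """Digest every source file under root, keyed by POSIX-style relative path.
    In a real pipeline the manifest comes from version control (the reviewed
    commit), not from the build host that is being checked."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix in suffixes}


def check_compile_inputs(root: Path, manifest: dict) -> list:
    """Compare what the compiler is about to read against the manifest.
    Returns the sorted relative paths that differ, are missing, or are extra."""
    current = build_manifest(root)
    return sorted(p for p in set(manifest) | set(current)
                  if manifest.get(p) != current.get(p))


def demo() -> dict:
    """Simulate a swap that exists only while the compiler runs: the file is
    modified, 'compiled', then restored. Only the compile-time check sees it."""
    root = Path(tempfile.mkdtemp())
    try:
        src_dir = root / "src"
        src_dir.mkdir()
        service = src_dir / "Service.cs"          # hypothetical file name
        service.write_text("public class Service { }\n")
        (src_dir / "Other.cs").write_text("public class Other { }\n")
        manifest = build_manifest(root)           # from the clean checkout

        before = check_compile_inputs(root, manifest)       # pre-build check
        original = service.read_bytes()
        service.write_bytes(original + b"// injected (constructed) stub\n")
        during = check_compile_inputs(root, manifest)       # run by the compile step
        service.write_bytes(original)                       # swap undone after compile
        after = check_compile_inputs(root, manifest)        # post-build check
        return {"before": before, "during": during, "after": after}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

    Wiring `check_compile_inputs` into the compile step itself (the same process that enumerates the files handed to the compiler) is what gives the check its timing; as a second line of defence, a reproducible build on an independent host lets you compare the produced binaries rather than the inputs.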

  • Friday Squid Blogging: China Launches Six New Squid Jigging Vessels
    by Bruce Schneier on January 15, 2021 at 10:03 pm

    From Pingtan Marine Enterprise:

    The 6 large-scale squid jigging vessels are normally operating vessels that returned to China earlier this year from the waters of Southwest Atlantic Ocean for maintenance and repair. These vessels left the port of Mawei on December 17, 2020 and are sailing to the fishing grounds in the international waters of the Southeast Pacific Ocean for operation.

    I wonder if the company will include this blog post in its PR roundup. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered...

  • Stay Alert, Joker still making its way on Google Play Store!
    by Digvijay Mane on January 22, 2021 at 2:38 pm

    We recently came across 2 malicious Joker family malware applications on Google Play Store — the company was...

  • Cyberattackers breaking in through COVID-19 vaccination data
    by Quickheal on January 21, 2021 at 1:18 pm

    Cybercriminals infiltrate through the roll-out of the COVID-19 vaccine! The Federal Bureau of Investigation (FBI), the United States’...

  • What does WhatsApp’s new privacy policy mean for you?
    by Quickheal on January 15, 2021 at 1:14 pm

    On January 8th, 2021, internet users woke up to an update to popular messaging service WhatsApp’s privacy policy....

  • You might get hacked before getting vaccinated
    by Ankit Vishwakarma on January 12, 2021 at 12:53 pm

    COVID-19 is a stark reminder of longstanding inequities in our societies, and how policies need to pay specific...

  • E-wallets are becoming prominent targets for cyberattacks!
    by Quickheal on January 5, 2021 at 1:29 pm

    It has been evident now that the COVID-19 pandemic has led to a sharp spike in digital payments....

  • Insurers 'funding organised crime' by paying ransomware claims
    by Dan Sabbagh Defence and security editor on January 24, 2021 at 5:31 pm

    Exclusive: former cybersecurity chief calls for law change and warns situation is ‘close to getting out of control’

    Insurers are inadvertently funding organised crime by paying out claims from companies who have paid ransoms to regain access to data and systems after a hacking attack, Britain’s former top cybersecurity official has warned. Ciaran Martin, who ran the National Cyber Security Centre until last August, said he feared that so-called ransomware was “close to getting out of control” and that there was a risk that NHS systems could be hit during the pandemic.

  • Malware reportedly found on laptops given to children in England
    by Sally Weale and Richard Adams on January 21, 2021 at 8:37 pm

    Investigation launched after teachers warn of worm on devices handed out for home schooling

    The government has launched an investigation into reports that laptops it distributed to support vulnerable children during lockdown had been infected with malware connected to Russian servers. The problem was reported by staff at a school in Bradford who raised the alarm on an online IT forum. Enquiries are under way to establish how many devices are affected, where they were sourced and whether any are already in the hands of pupils.

  • Global cyber-espionage campaign linked to Russian spying tools
    by Andrew Roth in Moscow on January 11, 2021 at 1:31 pm

    Kaspersky investigators uncover evidence that may support US claims Moscow was behind attack

    A Moscow-based cybersecurity company has reported that some of the malicious code employed against the US government in a cyber-attack last month overlaps with code previously used by suspected Russian hackers. The findings by Kaspersky investigators may provide the first public evidence to support accusations from Washington that Moscow was behind the biggest cyber-raid against the government in years, affecting 18,000 users of software produced by SolarWinds, including US government agencies.

  • Data breach hits 30,000 signed up to workplace pensions provider
    by Miles Brignall on December 23, 2020 at 6:40 pm

    Fraud worries as UK company Now:Pensions says ‘third-party contractor’ posted personal details of clients to online public forum

    About 30,000 customers of Now:Pensions face an anxious Christmas after a serious data breach at the pensions provider led to their sensitive personal details being posted on the internet. In an email sent to affected customers, the workplace pensions firm warned that names, postal and email addresses, birth dates and National Insurance numbers all appeared in a public forum online.

  • iPhones vulnerable to hacking tool for months, researchers say
    by Alex Hern on December 20, 2020 at 8:05 pm

    Analysis: NSO Group’s Pegasus spyware could allegedly track locations and access passwords

    For almost a year, spyware sold by Israel’s NSO Group was allegedly armed with a computer security super-weapon: a zero-footprint, zero-click, zero-day exploit that used a vulnerability in iMessage to seize control of an iPhone at the push of a button. That means it would have left no visible trace of being placed on targets’ phones, could be installed by simply sending a message that the victim didn’t even need to click on, and worked even on phones that were running the then-latest version of iOS, the operating system for iPhones.

  • Happy First Birthday, NIST Privacy Framework!
    by Naomi Lefkovitz on January 14, 2021 at 12:00 pm

    Grab a cupcake or several—no judgment—and join us in celebrating the first birthday of the NIST Privacy Framework! Here at NIST, we feel like proud parents supporting the framework’s implementation over the past year, listening to all the amazing things stakeholders have to say, and learning from the organizations who are already using it. We have lots of “gifts” for you, our stakeholders, so read on to learn all about them! One Year with the Privacy Framework Like everyone, we can’t say good-bye fast enough to 2020, but there’s no doubt that the attention that the framework has been getting

  • Cybersecurity Insights Blog: Year-In-Review 2020
    by Kristina Rigopoulos on December 18, 2020 at 12:00 pm

    We can all agree that 2020 has been a year we won’t forget anytime soon. Faced with unanticipated challenges, new concerns, and constant adjustments forced by the global pandemic, we were compelled to rethink the ways in which we work, study, and socialize. In many cases, this meant transferring day-to-day activities to an online environment, which pushed organizations of every kind to re-examine their approaches to cybersecurity. A positive note is that these changes presented a prime opportunity to highlight the criticality of cybersecurity and promote increased awareness and best practices

  • Summation and Average Queries: Detecting Trends in Your Data
    by David Darais, Joseph Near on December 17, 2020 at 12:00 pm

    This post is part of a series on differential privacy. Learn more and browse all the posts published to date on the differential privacy blog series page in NIST’s Privacy Engineering Collaboration Space. In our last post, we discussed how to determine how many people drink pumpkin spice lattes in a given time period without learning their identifying information. But say, for example, you would like to know the total amount spent on pumpkin spice lattes this year, or the average price of a pumpkin spice latte since 2010. You’d like to detect these trends in data without being able to learn

  • Rounding Up Your IoT Security Requirements: Draft NIST Guidance for Federal Agencies
    by Katerina Megas on December 15, 2020 at 12:00 pm

    IoT devices are becoming integral elements of federal information systems, which is why NIST has released for public review draft guidance on defining federal IoT cybersecurity requirements, including supporting non-technical requirements. These four new documents expand the range of guidance for IoT cybersecurity, with the goal of ensuring IoT devices are integrated into the security and privacy controls of federal information systems. This figure illustrates the relationships among the documents. The new documents are: SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government

  • Back to the Basics: Announcing the New NICE Framework
    by Danielle Santos on November 16, 2020 at 12:00 pm

    Three years ago, NIST published the first version of Special Publication (SP) 800-181, the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. Since then, cybersecurity has changed. In the last year the way we think about how we do work has changed, too. Drastically. In order to keep pace with these changes and increase flexibility of the NICE Framework so that it meets the needs of multiple stakeholder groups across both public and private sectors, NIST announced in 2019 a year-long effort to review and update the NICE Framework. This effort has come to a

  • Use Caution Opening Links in Email Messages
    on January 22, 2021 at 5:00 am

    A common method cyber criminals use to hack into people's computers is to send them emails with malicious links. People are tricked into opening these links because they appear to come from someone or something they know and trust. If you click on a link, you may be taken to a site that attempts to harvest your information or tries to hack into your computer. Only click on links that you were expecting. Not sure about an email? Call the person to confirm they sent it.

  • Dark Web
    on January 21, 2021 at 5:00 am

    The Dark Web is a network of systems connected to the Internet designed to share information securely and anonymously. These capabilities are abused by cyber criminals to enable their activities, for example selling hacking tools or purchasing stolen information such as credit card data. Be aware that your information could be floating around the Dark Web, making it easier for cyber criminals to create custom attacks targeting you.

  • Anti-Virus
    on January 20, 2021 at 5:00 am

    Make sure you have anti-virus software installed on your computer and that it is automatically updating. However, keep in mind that no anti-virus can catch all malware; your computer can still be infected. That is why it's so important you use common sense and be wary of any messages that seem odd or suspicious.

  • Installing Mobile Apps
    on January 19, 2021 at 5:00 am

    Only install mobile apps from trusted places, and always double-check the privacy settings to ensure you are not giving away too much information.

  • Social Media Postings
    on January 18, 2021 at 5:00 am

    Be careful: the more information you post online about yourself, the easier it is for a cyber attacker to target you and create custom attacks against you or your organization.

  • How Small Businesses Can Avoid Cyberattacks in 2021
    by Danielle Siso on January 19, 2021 at 10:43 am

    Across 2020 – and, most likely, throughout 2021 – the priority of small business owners has been weathering the storm brought on by the coronavirus pandemic. That’s understandable, given the challenges and unique threats from Covid-19. However, the danger posed by cybercriminals has not gone away; in fact, the evidence points to the contrary. The …

  • Best Practices for Working from Home
    by Danielle Siso on January 12, 2021 at 4:12 pm

    Working from home has become a new reality for many workers across the globe in many industries. The reality is that if your job can be done via a computer, or simply doesn’t require you to be physically present at your office in order for it to be completed, then working from home is the …

  • Cybersecurity 2020 in Review
    by Danielle Siso on December 31, 2020 at 12:40 pm

    2020 was a year we will never forget. The year where the words “COVID-19” and “corona” were being said by the entire world in every other sentence. Where takeout food, wearing a mask became the norm. And it wasn’t just the pandemic that caused the world to go into panic mode and uncertainty. The world …

  • Ransomware Risks for Consumers vs. Businesses, and How to Avoid Them
    by Danielle Siso on December 17, 2020 at 9:49 am

    “Ransomware is more about manipulating vulnerabilities in human psychology than the adversary’s technological sophistication.” ― James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology We all dread the possibility that we turn our computer on and see the following message: “Your files are encrypted.” In simple words, it means “we got you, and unless you pay …

  • The Risk of Accessibility Permissions in Android Devices
    by Danielle Siso on December 9, 2020 at 1:56 pm

    Android Accessibility Services was created to help developers enhance their apps to cater to and assist individuals with disabilities in overcoming their challenges when using their smartphones. When users download these apps, they need to enable ‘Accessibility Permissions’ in order to take advantage of these benefits. For example, if a developer is concerned that …

Copyright secured by Digiprove © 2020 Çağlar Özdemir