Tag Archives: Security

Mac Pro 1,1 2006 2.66GHz

Still working last time I started it up. Will remove HDDs for security. Has upgraded RAM, think it was 12GB, not sure! Quad core CPU. Upgraded graphics card, think it's ATI Radeon HD. Been stored away for years, time to move it on. Pricing at £50 to clear it quickly. In pristine condition. Cheers

Price and currency: £50
Delivery: Goods must be exchanged in person
Payment method: Cash on collection
Location: Bristol
Advertised elsewhere?: Not advertised elsewhere…

Critical Cisco ASA vulnerability patched against remote attacks

A new critical flaw in Cisco’s Adaptive Security Appliance software could allow dangerous remote attacks and requires a patch to mitigate.

The Cisco ASA vulnerability received the highest severity rating of 10.0 on CVSS and according to Cisco, it could “allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.”

“The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system,” Cisco wrote in a security advisory. “An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device.”

Kevin Beaumont, a security architect based in the UK, said on Twitter the Cisco ASA vulnerability was disclosed early and called it “one of the bigger bugs.”

According to the official advisory, the Cisco ASA vulnerability has no mitigations, and the only way to secure affected devices is to apply the patch.

Potential damage

Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team, said the Cisco ASA vulnerability could be exploited by an attacker “to harvest credentials as well as to monitor and manipulate traffic which should be protected by the VPN.”  

“The danger is further compounded by the fact that attackers can easily locate public SSL VPN terminals through services like Shodan as well as by searching certificate transparency logs for security certificates containing the word VPN,” Young told SearchSecurity. “In general, an attacker must have some degree of knowledge or control over the remote memory layout. In practical terms, this means that attackers will need to study the vulnerability and develop reliable exploit methods specific for different firmware versions. Developing these exploits would not be within reach of the average hacker as it requires rather extensive knowledge about the ASA operating system and how it manages system memory.”

Mounir Hahad, head of threat research at Juniper Networks, described a range of attacks that could leverage the Cisco ASA vulnerability.

“Typically, WebVPN is enabled on edge firewalls, which means this particular vulnerability is exploitable directly from the internet. It is fairly easy to exploit as it only requires crafting specific XML packets to a WebVPN configured device. An attacker could take full control of the firewall: they could change the running configuration of the device, allow inbound traffic that should be blocked and infiltrate the organization,” Hahad told SearchSecurity. “They could also simply launch a denial of service attack by restarting the device continuously, which will basically shutdown internet connectivity to an entire organization. For cloud services, the entire service could go offline.”

Gemalto Sentinel flaws could lead to ICS attacks

A long disclosure and remediation process between security researchers and a hardware token vendor resulted in patches for dangerous flaws that could have led to attacks on critical infrastructure.

Researchers from Kaspersky Lab ICS CERT said they decided to investigate Gemalto Sentinel USB tokens after penetration tests showed the “solution provides license control for software used by customers and is widely used in ICS and IT systems.”

“The solution’s software part consists of a driver, a web application and a set of other software components. The hardware part is a USB token. The token needs to be connected to a PC or server on which a software license is required,” Kaspersky researchers wrote in a report. “From researchers’ viewpoint, [the Gemalto Sentinel software] exhibited a rather curious behavior in the system: it could be remotely accessed and communicated with on open port 1947. The protocol type was defined by the network packet header — either HTTP or a proprietary binary protocol was used. The service also had an API of its own, which was based on the HTTP protocol.”

Kaspersky ICS CERT ultimately found 14 vulnerabilities in Gemalto SafeNet Sentinel tokens, the most critical of which “can be used without local privilege escalation — the vulnerable process runs with system privileges, enabling malicious code to run with the highest privileges.”

Vladimir Dashchenko, head of the ICS CERT vulnerability research team at Kaspersky Lab, told SearchSecurity this issue needs attention because “some of the ICS vendors use such license managers for SCADA software.”

“Some vulnerabilities that we found allow remote code execution, meaning an attacker can access someone else’s computing device and make their own changes. For example, vulnerabilities can provide an attacker with the ability to execute malicious code and take complete control of an affected system with the same privileges as the user running the application,” Dashchenko said via email. “Some vulnerabilities are denial-of-service (DoS) vulnerabilities, meaning an attacker has the ability to shut down a machine or network, making it unavailable to its intended users. DoS does not cause machine or network shutdown. It stops the vulnerable process. However in some cases it could possibly cause denial of service for the machine.”

Paul Brager Jr., technical product security leader at Houston-based Baker Hughes and former cybersecurity project manager focused on ICS at Booz Allen Hamilton, said the “potential implications and risks for ICS are not trivial.” 

“Open ports that allow remote interaction with engineering workstations or servers that run human machine interface or other process-oriented software licenses managed by this solution could lead to an impact to the software itself, the control assets that are managed by the software, or both,” Brager told SearchSecurity. “Worst case scenario is an impact to the processes that are being governed by the licensed solution — some of which could be critical operating processes. Also given the care that is required when patching, the risks could persist for some time.”

Gemalto Sentinel disclosure and patching

The timeline of the disclosure and patching and issues with communication from Gemalto caught the attention of the researchers. According to Kaspersky, the first set of vulnerabilities was reported to Gemalto in early 2017, but it wasn’t until late June “in response to our repeated requests” that Kaspersky received a reply.

Dashchenko clarified the timeline and noted that although Gemalto claimed it “notified all of its customers of the need to update the driver via their account dashboards; we were contacted by several developers of software that use this server, and it became clear they were not aware about the issue.”

“We have informed and sent to the vendor information regarding all of the identified vulnerabilities. In early 2017, we sent information about 11 vulnerabilities and in late June the vendor informed us that a patch had been released and information about the vulnerabilities that had been closed, along with a new version of the driver, could be found on the company’s internal user portal. On June 26, we informed Gemalto of the suspicious functionality and of three more vulnerabilities. On July 21, the vendor released a private notice about a new driver version — without any mention of the vulnerabilities closed.”

Gemalto did not respond to requests for comment at the time of this post.

Dashchenko added that Gemalto Sentinel is a “very popular licensing solution,” and noted that an advisory from Siemens listed 16 solutions that need patching against these issues.

Ken Modeste, global principal engineer at Chicago-based Underwriters Laboratories, said patching ICS is complex so users may be wary of the Gemalto Sentinel issues.

“Factory automation and connected control systems are vetted, tested, reliable systems. Deploying patches that have not seen significant runtime and test time can cause significant issues. Most of the implemented systems have requirements around safety, reliability and uptime. Therefore, deploying a patch to software or an embedded product can affect an operational system,” Modeste told SearchSecurity. “The risk associated with either down time or inadvertent failures associated with a patch of either the inherent device or software, or its interaction with other devices and software, will typically be too high for end-users to accept.”

Moreno Carullo, co-founder and CTO of Nozomi Networks, an ICS cybersecurity company headquartered in San Francisco, said patching is especially important because “while blocking port 1947 is an option to mitigate the problem, it is also not a solution that is suited for all business processes.”

“Blocking this port could result in the cessation of integral services as well,” Carullo told SearchSecurity. “ICS operators could have strong visibility into the network by applying technologies that are able to monitor the traffic passively to detect anomalies or suspicious activities. These technologies should also be integrated with the firewall to increase the needed visibility in such scenarios.”
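The passive monitoring Carullo describes, applied to the Sentinel service as Kaspersky characterised it (an open TCP port 1947 speaking either HTTP or a proprietary binary protocol, selected by the packet header), as an added example in Python. This is not code from the article or from Kaspersky, Gemalto or Nozomi Networks: the flow-log format, the addresses, the internal networks and the client allow-list are all constructed for the demonstration, and the HTTP-versus-binary check is a heuristic on the first payload bytes rather than the real Sentinel header logic.

```python
"""Passive detection of unexpected clients on a Sentinel license-manager port.

Added example (not from the article, Kaspersky, Gemalto or Nozomi). Assumes
flow-style log lines that carry the first payload bytes in hex; every log line,
network and address below is constructed for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

SENTINEL_PORT = 1947  # the open port Kaspersky reported for the Sentinel service

# Constructed sample log. Line format (an assumption of this example):
# "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <first payload bytes as hex>"
SAMPLE_LOG = """\
2018-01-20T10:00:01Z 10.10.5.21:51234 -> 10.10.5.10:1947 474554202f2f
2018-01-20T10:00:02Z 10.10.5.22:51300 -> 10.10.5.10:1947 504f535420
2018-01-20T10:00:05Z 203.0.113.7:44002 -> 10.10.5.10:1947 474554202f
2018-01-20T10:00:06Z 10.10.7.99:40001 -> 10.10.5.10:1947 00ad1e8800
2018-01-20T10:00:09Z 10.10.5.21:51240 -> 10.10.5.10:443 1603010200
not a flow line
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) ([0-9a-fA-F]*)$")
HTTP_PREFIXES = (b"GET ", b"POST", b"HEAD", b"PUT ", b"OPTI", b"DELE")


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    protocol: str
    reason: str


def classify_payload(prefix_hex: str) -> str:
    """Heuristic stand-in for the header check Kaspersky described: a payload that
    starts like an HTTP request line is 'http', anything else is treated as the
    proprietary binary protocol."""
    if len(prefix_hex) % 2:
        prefix_hex = prefix_hex[:-1]  # drop a dangling nibble from a truncated capture
    raw = bytes.fromhex(prefix_hex)
    return "http" if raw[:4] in HTTP_PREFIXES else "binary"


def analyze(log_text: str, internal_nets: List[str], allowed_clients: List[str]) -> List[Alert]:
    """Flag every connection to the Sentinel port whose source is either outside the
    organisation's address space or inside it but not on the client allow-list."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    allowed = [ipaddress.ip_network(n) for n in allowed_clients]
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected flow format; skip rather than crash
        ts, src, _sport, dst, dport, prefix = m.groups()
        if int(dport) != SENTINEL_PORT:
            continue
        src_ip = ipaddress.ip_address(src)
        proto = classify_payload(prefix)
        if not any(src_ip in net for net in internal):
            alerts.append(Alert(ts, src, dst, proto,
                                "Sentinel port reached from outside the internal address space"))
        elif not any(src_ip in net for net in allowed):
            alerts.append(Alert(ts, src, dst, proto,
                                "internal client not on the Sentinel allow-list"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, ["10.0.0.0/8"], ["10.10.5.0/24"]):
        print(f"{a.ts} {a.src} -> {a.dst}:{SENTINEL_PORT} [{a.protocol}] {a.reason}")
```

Run against the constructed log, the public address and the engineering host outside the allow-list are reported while the two allow-listed clients and the unrelated HTTPS flow are not. The alerts are review candidates for the firewall integration Carullo mentions, not a verdict on their own; the allow-list is the piece an operator has to maintain from their own inventory of hosts that legitimately need the license service.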

Brager said the risks of patching the Gemalto Sentinel issues “could be significant, given the pervasiveness of the SafeNet solution in both enterprise and OT/ICS environments.”

“Particularly concerning is the pervasiveness of the solution in control system environments, and what could potentially mean for assets that leverage the SafeNet dongle solution to operate,” Brager said. “In those instances, patching those systems can be a significant (and time consuming) undertaking. Enterprise patching may not be nearly as complex and critical, but it too comes with its own sets of risks.”

No need to rush network patching for Spectre and Meltdown

The recently discovered security threat in CPUs from nearly a dozen manufacturers poses a low risk to corporate networking gear, so operators have time to test vendors’ patches thoroughly.

That’s the take of security experts contacted by SearchNetworking following the discovery last week of the Spectre and Meltdown vulnerabilities that affect Intel, AMD and ARM chips. In response, Cisco and Juniper Networks have released patches rated medium and low risk, respectively, for a variety of products.

The low risk of Spectre and Meltdown to switches and routers means network managers have the time to thoroughly test the patches to minimize their impact on hardware performance, experts said.

“If you’re getting a firmware update, you need to patch,” said Rob Westervelt, analyst at IDC. “[But] the issue is whether you just deploy the patch or test it thoroughly and make sure you don’t break any applications or anything else.”

Roughly 20 CSOs and IT security professionals interviewed by IDC were taking a methodical approach to applying Spectre and Meltdown fixes across all systems.

“While it is top of mind, it’s not something that they’re immediately jumping on to patch,” Westervelt said. “They are using established best practices and testing those patches first.”

Network performance at risk

Westervelt warned there is the possibility network performance will suffer. “In some cases, it could be very costly.”

Indeed, Microsoft reported in a blog post patches for the PC and server versions of Windows would range from minor to significant, depending on the age of the operating system and the CPU. “I think we can expect a similar variety of performance impacts across other [vendors’] products,” said Jake Miller, a senior security analyst at IT consulting firm Bishop Fox, based in Tempe, Ariz.

Security pros expect hackers sophisticated enough to exploit the hard-to-reach vulnerabilities to target mostly servers in large data centers that host cloud computing environments. Because of the level of expertise needed to take advantage of the flaws, hackers working for nation states are the most likely attackers, experts said.

Exploiting the CPU holes would involve crafting code that takes advantage of how some processors anticipate features computer users will request next. In preparation for those requests, processors will load into memory valuable data and instructions that hackers can steal.

“The threat is significant, but currently is limited to highly sophisticated attackers and hacking groups with the means to carry out multi-staged targeted attacks,” IDC said in a research note. “Financially motivated cybercriminals are more likely to continue to use more accessible, time-tested methods to retrieve passwords and sensitive data.”

Nevertheless, even a low risk to networking gear is worth the time needed for fixing. “It’s better to be safe than sorry,” said Jonathan Valamehr, COO and co-founder of cybersecurity company Tortuga Logic Inc.

Meltdown and Spectre bugs dominate January Patch Tuesday

Administrators have their work cut out for them on multiple fronts after a serious security flaw surfaced that affects most operating systems and devices.

The Meltdown and Spectre vulnerabilities encompass most modern CPUs — from Intel-based server systems to ARM processors in mobile phones — that could allow an attacker to pull sensitive data from memory. Microsoft mitigated the flaws with several out-of-band patches last week, which have been folded into the January Patch Tuesday cumulative updates. Full protection from the exploits will require a more concerted effort from administrators, however.

Researchers only recently discovered the flaws that have existed for approximately 20 years. The Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) exploits target the CPU’s pre-fetch functionality that anticipates the feature or code the user might use, which puts relevant data and instructions into memory. A CPU exploit written in JavaScript from a malicious website could pull sensitive information from the memory of an unpatched system.

“You could leak cookies, session keys, credentials — information like that,” said Jimmy Graham, director of product management for Qualys Inc., based in Redwood City, Calif.

In other January Patch Tuesday releases, Microsoft updated the Edge and Internet Explorer browsers to reduce the threat from Meltdown and Spectre attacks. Aside from these CPU-related fixes, Microsoft issued patches for 56 other vulnerabilities with 16 rated as critical, including a zero-day exploit in Microsoft Office (CVE-2018-0802).

Microsoft’s attempt to address the CPU exploits had an adverse effect on some AMD systems, which could not boot after IT applied the patches. This issue prompted the company to pull those fixes until it produces a more reliable update.

Most major cloud providers claim they have closed this security gap, but administrators of on-premises systems will have to complete several deployment stages to fully protect their systems.

“This is a nasty one,” said Harjit Dhaliwal, a senior systems administrator in the higher education sector who handles patching for his environment. “This is not one of your normal vulnerabilities where you just have a patch and you’re done. Fixing this involves a Microsoft patch, registry entries and firmware updates.”

Administrators must ensure they have updated their anti-virus product so that it sets the proper registry setting; otherwise they cannot apply the Meltdown and Spectre patches. Windows Server systems require a separate registry change to enable the protections from Microsoft’s Meltdown and Spectre patches. The IT staff must identify the devices under their purview and collect that information to gather any firmware updates from the vendor. Firmware updates will correct two exploits related to Spectre. Microsoft plugged the Meltdown vulnerability with code changes to the kernel.

Dhaliwal manages approximately 5,000 Windows systems, ranging from laptops to Windows Server systems, with some models several years old. He is exploring a way to automate the firmware collection and deployment process, but certain security restrictions make this task even more challenging. His organization requires BitLocker on all systems, which must be disabled to apply a firmware update, otherwise he could run into encryption key problems.

“This is not going to be an overnight process,” Dhaliwal said.

How expansive are Meltdown and Spectre?

Attacks that use the Meltdown and Spectre exploits target a bug in how many CPUs execute address space layout randomization. The difference between the two vulnerabilities is the kind of memory that is presented to the attacker. Exploits that use the flaws can expose data that resides in the system’s memory, such as login information from a password manager.

Microsoft noted Meltdown and Spectre exist in many processors — Intel, AMD and ARM — and other operating systems, including Google Android and Chrome, and Apple iOS and macOS.  Apple reportedly has closed the vulnerabilities in its mobile phones, while the status of Android patching varies depending on the OEM. Meltdown only affects Intel processors, and the Spectre exploit works with processors from Intel, AMD and ARM, according to researchers.

Virtualized workloads may require fine-tuning

Some administrators have confirmed early reports that the Meltdown and Spectre patches from Microsoft affect system performance.

Dave Kawula, principal consultant at TriCon Elite Consulting, applied the updates to his Windows Server 2016 setup and ran the VM Fleet utility, which runs a stress test with virtualized workloads on Hyper-V and the Storage Spaces Direct pooled storage feature. The results were troubling, with preliminary tests showing a performance loss of about 35%, Kawula said.

“As it stands, this is going to be a huge issue,” he said. “Administrators better rethink all their virtualization farms, because Meltdown and Spectre are throwing a wrench into all of our designs.”

Intel has been updating its BIOS code since the exploits were made public, and the company will likely refine its firmware to reduce the impact from the fix, Graham said.

For more information about the remaining security bulletins for January Patch Tuesday, visit Microsoft’s Security Update Guide.

Tom Walat is the site editor for SearchWindowsServer. Write to him at twalat@techtarget.com or follow him @TomWalatTT on Twitter.

NIST botnet security report recommendations open for comments

The Departments of Commerce and Homeland Security opened public comments on a draft of its botnet security report before the final product heads to the president.

The report was commissioned by the cybersecurity executive order published by the White House on May 11, 2017. DHS and the National Institute of Standards and Technology (NIST), a unit of the Department of Commerce, were given 240 days to complete a report on improving security against botnets and other distributed cyberattacks, and they took every minute possible, releasing the draft botnet security report on Jan. 5, 2018.

The public comment period ends Feb. 12, 2018 and industry experts are supportive of the contents of the report. According to a NIST blog post, the draft report was a collaborative effort.

“This draft reflects inputs received by the Departments from a broad range of experts and stakeholders, including private industry, academia, and civil society,” NIST wrote. “The draft report lays out five complementary and mutually supportive goals intended to dramatically reduce the threat of automated, distributed attacks and improve the resilience of the ecosystem. For each goal, the report suggests supporting activities to be taken by both government and private sector actors.”

The blog post listed the goals for stakeholders laid out by the draft botnet security report as:

  1. Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace.
  2. Promote innovation in the infrastructure for dynamic adaptation to evolving threats.
  3. Promote innovation at the edge of the network to prevent, detect, and mitigate bad behavior.
  4. Build coalitions between the security, infrastructure, and operational technology communities domestically and around the world.
  5. Increase awareness and education across the ecosystem.

Rodney Joffe, senior vice president, technologist and fellow at Neustar, Inc., an identity resolution company headquartered in Sterling, Va., said NIST and DHS took the right approach in putting together the report.

“The Departments of Commerce and Homeland Security worked jointly on this effort through three approaches — hosting a workshop, publishing a request for comment, and initiating an inquiry through the President’s National Security Telecommunications Advisory Committee (NSTAC),” Joffe told SearchSecurity. “We commend the administration for working with and continuing to seek private sector advice on the best path forward.”

A good start, but…

Experts, like Michael Patterson, CEO of Plixer, a network traffic analysis company based in Kennebunk, Maine, generally applauded the draft botnet security report as being an in-depth starting point that is missing some key features.

“The report offers a comprehensive framework for threat intelligence sharing, and utilizing NIST to work with a variety of industry groups to establish tighter security protocols and best practices while outlining government and industry transformations to protect the internet,” Patterson told SearchSecurity. “However, it is missing the required teeth to propel industry action. Without a mechanism to define a specific compliance standard, service providers will not have enough incentive to take the steps required to mitigate these risks.”

Stephen Horvath, vice president of strategy and vision for Telos Corporation, a cybersecurity company located in Ashburn, Va., applauded the draft botnet security report for balancing “high level explanations along with some technical details of merit.”

“This report will hopefully drive improvements and awareness of the issues surrounding botnets. Given a few of the more important recommendations are taken and funded, the establishment of an IoT [cybersecurity framework] profile for example, a general overall improvement across all domains should be felt in the next few years,” Horvath told SearchSecurity. “I believe stronger improvements would be possible more quickly if the recommendations included greater focus on enforcing hard requirements rather than incentives.”

Gavin Reid, chief security architect at Recorded Future, a threat intelligence company headquartered in Somerville, Mass., said NIST’s goals are “laudable and the paper takes the approach of providing as comprehensive of a solution as is possible given the transient nature of attacks.”

“It does not address how the goals and technology approach keep up with and change to match changes to the attack vectors,” Reid told SearchSecurity. “The paper also conflates all botnets with IoT botnets. Bots resulting in automated controlled attacks and toolkits are not limited to IoT but have a much wider footprint covering all IT ecosystems.”

The IoT question

Following the highly publicized botnet attacks like Mirai which preyed on insecure IoT devices, the draft report focused on these issues and even noted “IoT product vendors have expressed desire to enhance the security of their products, but are concerned that market incentives are heavily weighted toward cost and time to market.”

Luke Somerville, manager of special investigations at Forcepoint Security Labs, said the goals and actions within the draft botnet security report are “a good starting point, but the effectiveness of ideas such as baseline security standards for IoT devices will depend entirely on the standards themselves and how they are implemented.”

“Any standards would need to be backed up robustly enough to overcome the strong market incentives against security which exist at present,” Somerville told SearchSecurity. “Increasing awareness and security education is also discussed — something that has been a goal of the security industry for a long time. Ultimately, insecure systems don’t fix themselves, and nor do they make themselves insecure in the first place. By focusing on the human point of contact with data and systems — be that point of contact the developers writing the code controlling the systems, the end-users configuring the systems, or even prospective users in the process of making a purchasing decision — we can attempt to build security in throughout the design and usage lifecycle of a product.”

Botnet security report outcomes

While experts were generally favorable to the draft botnet security report, some were less optimistic about real-world changes that might come from such a report.

Jeff Tang, senior security researcher at Cylance, said he was “not convinced this report will make any significant strides towards deterring the spread of botnets.”

“Trying to develop an accepted security baseline through a consensus-based process when one of your stakeholder’s primary goal is to sell you a new shiny IoT device every year is only going to result in watered-down standards that will be ineffective. As the recent spectacle of CPU bugs has shown, speed is the enemy of security. If you’re rushing to release a new device every year, security is going to be nonexistent,” Tang told SearchSecurity. “Additionally, secure development best practices haven’t changed much in the last decade, but judging by the reports of various device vulnerabilities, manufacturers have not voluntarily adopted these best practices.”

Pam Dingle, principal technical architect at Ping Identity, an identity security company headquartered in Denver, said “changing ecosystems is difficult” and it will take a concerted effort by vendors and CISOs alike to make the change real, otherwise “the effects will likely be limited.”

“It is up to those who see the value in the recommended actions to put the manpower into participating in standards groups, collaborating with adjacent vendor spaces to make integration easier and more pattern-based, and demanding that a shared defense strategy stay high in priority lists,” Dingle told SearchSecurity. “This is not the work of a moment; this is evolution over thousands of software design lifecycles, and even then, the mass of legacy devices out there with no update capabilities will be shackles on our collective legs for a long time to come. We have to start.”

A DHS data breach exposed PII of over 250,000 people

A data breach at the U.S. Department of Homeland Security exposed the personally identifiable information of over 250,000 federal government employees, as well as an unspecified number of people connected with DHS investigations.

DHS released a statement Jan. 3, 2018, that confirmed the exposure of “approximately 246,167” federal government employees who worked directly for DHS in 2014. It also disclosed the breach of a database for the Office of Inspector General that contained the personally identifiable information (PII) of any person — not necessarily employed by the federal government — who was associated with OIG investigations from 2002 to 2014. This includes subjects, witnesses and complainants.

In its statement, the department emphasized the DHS data breach was not caused by a cyberattack and referred to it as a “privacy incident.”

“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized unauthorized [sic] transfer of data,” DHS said.

The DHS data breach was initially found in May 2017 during a separate, ongoing DHS OIG criminal investigation in which it was discovered that a former DHS employee had an unauthorized copy of the department’s case management system.

However, individuals affected by the DHS data breach weren’t notified until Jan. 3, 2018. In its statement, DHS addressed why the notification process took so long.

“The investigation was complex given its close connection to an ongoing criminal investigation,” the department said. “From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.”

The DHS employee data breach exposed PII that included names, Social Security numbers, dates of birth, positions, grades and duty stations of DHS employees; the DHS investigative data breach exposed names, Social Security numbers, dates of birth, alien registration numbers, email addresses, phone numbers, addresses and other personal information that was provided to the OIG during investigative interviews with its agents.

DHS is offering free identity protection and credit-monitoring services for 18 months to affected individuals. The department said it has also taken steps to improve its network security going forward, including “placing additional limitations on which individuals have back end IT access to the case management system; implementing additional network controls to better identify unusual access patterns by authorized users; and performing a 360-degree review of DHS OIG’s development practices related to the case management system.”

While the affected government employees were notified directly about the breach, DHS stated, “Due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data.”

DHS urged anyone associated with a DHS OIG investigation between 2002 and 2014 to contact AllClear ID, the Austin, Texas, breach response service retained by DHS to provide credit-monitoring and identity protection services to affected individuals.

In other news:

  • A group of senators has introduced a bill to secure U.S. elections. The Secure Elections Act is a bipartisan bill that aims to provide federal standards for election security. One measure proposed in the bill is to eliminate the use of paperless voting machines, which are regarded by election security experts as the least secure type of voting machine in use today. Paperless voting machines don’t allow for audits, which the proposed legislation also wants to make a standard practice in all elections. The idea is that audits after every election will deter foreign meddling in American democracy like Russia’s interference in the 2016 U.S. presidential election. “An attack on our election systems by a foreign power is a hostile act and should be met with appropriate retaliatory actions, including immediate and severe sanctions,” the bill states. The bill was sponsored by Sen. James Lankford (R-Okla.) and co-sponsors Sens. Amy Klobuchar (D-Minn.), Lindsey Graham (R-S.C.), Kamala Harris (D-Calif.), Susan Collins (R-Maine) and Martin Heinrich (D-N.M.).
  • Attackers exploited a vulnerability in Google Apps Script to automatically download malware onto a victim’s system through Google Drive. Discovered by researchers at Proofpoint, the vulnerability in the app development platform enabled social-engineering attacks that tricked victims into clicking on malicious links, which triggered the malware download on their computer. The researchers also found the exploit could happen without any user interaction. Google has taken steps to fix the flaw by blocking installable and simple triggers, but the researchers at Proofpoint said there are bigger issues at work. The proof of concept for this exploit “demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years,” the research team said in a blog post. “Moreover, the limited number of defensive tools available to organizations and individuals against this type of threat make it likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats.” The researchers went on to note that, in order to combat this threat, “organizations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.”
  • The United States federal government is nearing its deadline to implement the Domain-based Message Authentication, Reporting and Conformance (DMARC) tool. In October 2016, DHS announced it would mandate the use of DMARC and HTTPS in all departments and agencies that use .gov domains. DHS gave those departments and agencies a 90-day deadline to implement DMARC and HTTPS, which means the Jan. 15, 2018, deadline is fast approaching. According to security company Agari, as of mid-December, 47% of the federal government domains were using DMARC, compared to 34% the month before. Another requirement of the mandate is that federal agencies use the strongest “reject” setting in DMARC within a year. This means emails that fail authentication tests will be less likely to make it to government inboxes — i.e., they will be rejected. Agari reported a 24% increase in the use of the higher “reject” setting in the last month. On the flip side, Agari noted that most agency domains (84%) are still unprotected, with no DMARC policy.
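The distinction Agari’s figures rest on (a domain with any DMARC record, a domain at the strongest “reject” setting, and a domain with no usable policy at all) comes straight out of the `p=` tag of the `_dmarc.<domain>` TXT record. The following Python is an added example, not code from the article, Agari or DHS: it parses a set of constructed TXT records embedded in the script (placeholder domain names, no live DNS lookups) and classifies each domain, treating a missing record, a non-DMARC record and a record without the mandatory `p=` tag all as unprotected, which is how a receiving mail server treats them.

```python
"""Classify domains by the strength of their published DMARC policy.

Added example (not from the article, Agari or DHS). It works on constructed
TXT records embedded below instead of live DNS queries; the domain names are
placeholders.
"""
from typing import Dict, Optional

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed records, keyed by domain, as they would appear at _dmarc.<domain>.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "agency-c.example": "v=DMARC1; p=none; rua=mailto:reports@agency-c.example",
    "agency-d.example": None,  # nothing published
    "agency-e.example": "v=spf1 include:_spf.agency-e.example -all",  # SPF, not DMARC
    "agency-f.example": "v=DMARC1; rua=mailto:x@agency-f.example",  # mandatory p= missing
}


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a 'tag=value; tag=value' TXT record into a dict.

    Returns None when there is no record or the first tag is not v=DMARC1,
    mirroring a receiver that ignores anything that is not a DMARC record."""
    if not record:
        return None
    first = record.split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # tolerate stray separators and trailing semicolons
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def policy_strength(record: Optional[str]) -> str:
    """'unprotected', 'none', 'quarantine' or 'reject' for one domain's record."""
    tags = parse_dmarc(record)
    if tags is None:
        return "unprotected"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "unprotected"  # p= is mandatory; a record without it is ignored
    return policy


def applied_share(record: Optional[str]) -> int:
    """Percentage of failing mail the policy is applied to (pct= tag, default 100)."""
    tags = parse_dmarc(record) or {}
    try:
        return max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        return 100  # a malformed pct= is treated as the default by receivers


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, float]:
    """Count domains per policy level and derive the two figures the article
    quotes from Agari: share of domains with any DMARC record and share at reject."""
    counts: Dict[str, float] = {level: 0 for level in ("unprotected",) + VALID_POLICIES}
    for record in records.values():
        counts[policy_strength(record)] += 1
    total = len(records)
    with_dmarc = total - counts["unprotected"]
    counts["pct_with_dmarc"] = round(100 * with_dmarc / total, 1) if total else 0.0
    counts["pct_reject"] = round(100 * counts["reject"] / total, 1) if total else 0.0
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:18} {policy_strength(record):12} pct={applied_share(record)}")
    print(summarize(SAMPLE_RECORDS))
```

On the constructed set, half of the domains publish a usable policy and one in six is at reject. The `pct=` handling matters when reading such numbers: a domain at `p=reject; pct=50` counts as “reject” in the headline figure while only half of its failing mail is actually rejected, so a rollout tracker should report the applied share alongside the policy level. Replacing `SAMPLE_RECORDS` with the results of real `_dmarc.<domain>` TXT lookups is the only change needed to run this over an actual domain list.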