Firewall Firm is a Managed Cyber Security Company in India

Tag Archives: cyber security news


Software maker Citrix hacked, business documents removed

Acting on a tip from the FBI, Citrix has investigated and confirmed that its internal network was penetrated and that data was exfiltrated by an outside party.

Neither the extent nor the specifics of what was taken have been determined, but in a statement Citrix said business documents were accessed and downloaded by malicious actors. The FBI contacted Citrix on March 6, advising the company that the agency had reason to believe it had been attacked. Citrix said it immediately hired an outside security firm to investigate, and that investigation confirmed the FBI's information.

“The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised,” the company said.

The company has not said what kind of data was taken in the breach.

The FBI told the company the attackers likely used password spraying, a brute-force technique in which a handful of commonly used passwords is tried against many accounts, which finds weak passwords while staying under per-account lockout thresholds. Once inside, the attackers moved laterally through the network, finding and removing files.

Citrix makes, and touts the security of, enterprise-class workspace-as-a-service software. In its About Us section the company states, “At Citrix, our mission is to power a world where people, organizations, and things are securely connected and accessible. A place where all business is digital business. A world where our customers are empowered to make the extraordinary possible. We will accomplish this by building the world’s best integrated technology services for secure delivery of apps and data ⎯ anytime, anywhere.”

Minnesota man admits to hacking government databases

  • A man from Minnesota, Cameron Thomas Crowley, admitted on March 7, 2019, that he hacked state government databases in 2017.
  • Crowley also admitted that he hacked databases belonging to the Minnesota government, a second university, and an unnamed school district.

What is the issue – A man from Minnesota, Cameron Thomas Crowley, admitted on March 7, 2019, that he hacked state government databases in 2017.

He said he hacked the databases in retaliation for the acquittal of the officer who shot Philando Castile during a 2016 traffic stop.

Why it matters – Crowley pleaded guilty in US District Court to one count of intentional unauthorized access and apologized for his actions. Under the plea agreement, four other counts will be dismissed.

What data was involved – Crowley also admitted that he hacked databases belonging to the Minnesota government, a second university, and an unnamed school district, compromising information that included victims’ names, home and work addresses, telephone numbers, and password data.

“I would like to apologize publicly to the people who were affected by my actions. At the time, I thought what I was doing would draw attention to an injustice. But looking back, I realize that it hurt more people, and people who had nothing to do with the tragic death of Philando Castile” Crowley told the court, Security Week reported.

Worth noting – Crowley also apologized to the victims whose information was compromised.

He went on to apologize to Castile’s family, saying, “I now realize that while my actions may have drawn more attention to Mr. Castile’s death, it does not honor his memory to do things that are harmful to others in his name.”

The plea agreement puts the estimated loss at between $40,000 and $90,000; the amount Crowley must repay his victims will be decided by the judge at sentencing, which is scheduled for July 17.

End of the Line for Windows 7: Open Road for Hackers

Microsoft has been urging customers to upgrade from its Windows 7 operating system while trying to ease the transition with several extended-support options. It will stop providing routine fixes and security patches on January 14, 2020. Regular support for Windows Server 2008 is scheduled to end on the same date.

Windows 7 enterprise customers can subscribe to Extended Security Updates (ESU) to keep receiving fixes for vulnerabilities discovered or reported in the OS. However, patches will be issued only for vulnerabilities Microsoft rates “Critical” or “Important.”

Those are the two top rankings in Microsoft’s four-step severity scale, so vulnerabilities rated Moderate or Low, along with non-security bugs and performance problems, will not be addressed. Moreover, ESU will be available only in one-year increments, for at most three years, and it will be sold per device rather than on the per-user basis Microsoft has offered for Windows 10.

ESU will be available for US$25 to $50 per year per device, but the cost will double each year, so that by 2022, support for the aging Windows 7 OS will cost $100 or $200 per device. Customers who subscribe to Microsoft 365 Enterprise will be offered the lower-tier pricing.

Computers running Windows 7 account for 37.9 percent of PCs today, while Windows 10 holds 40.9 percent, according to data from NetMarketShare. Among business PCs, Windows 10 accounts for more than 50 percent of the market.

Windows 7 was released in 2009 as a replacement for the unpopular Windows Vista, as well as 2001’s Windows XP.

Server Side

Microsoft also plans to end support for Windows Server 2008 in January 2020 (SQL Server 2008 reaches end of support earlier, in July 2019), and the company has been encouraging clients to migrate to Azure.

Extended Security Updates are offered for those server products as well, at no extra charge for three years on workloads rehosted in Azure and as a paid add-on for on-premises servers, so customers who keep Server 2008 on their own hardware face either that cost or a migration.

The end of Windows Server 2008 support is why nearly one-third of companies surveyed said that they were considering purchasing new server hardware, according to the recent Spiceworks 2019 State of Servers report.

“Windows 2008 Server is the most widely used server on the planet,” said Zohar Pinhasi, CEO of MonsterCloud, provider of managed cybersecurity services.

As a result, it could make a tempting target to hackers once support ends.

“A lot of organizations moved to Server 2012, but migration isn’t an easy task, and too often companies take the approach ‘if it ain’t broken don’t fix it,'” he told TechNewsWorld.

“Criminals are already aware that Microsoft will discontinue the support for the OS next year, and our research suggests they could be cooking up something big — like taking advantage of zero-day vulnerabilities,” Pinhasi added.

Ending 7

Windows 7 was released as a follow-up to the underwhelming Windows Vista. It received a warm reception, widely seen as offering the best features and functionality of Windows XP and Vista.

In 2012, however — just three years after the release of Windows 7 — Microsoft took the OS in a completely new direction with Windows 8, which offered what the company dubbed a “Modern User Interface” with touchscreen options.

The new interface, which also was meant to bridge tablets and PCs, failed to catch on. Microsoft then released Windows 10 in 2015. Whereas Windows 7 combined the best aspects of XP and Vista, Windows 10 offered the best of Windows 7 and 8/8.1.

Yet, perhaps because Windows 10 resembles Windows 7 so closely, users have been slow to adopt it. Nearly four years later, 10 has only just surpassed 7 in total users. Microsoft has had to support three operating systems, so it is no surprise that the company decided to pull the plug on the oldest.

“Windows 7 was introduced 10 years ago in 2009 — that is 70 dog years or Internet years — a human lifespan,” said Paul Teich, principal analyst at LiftrCloud.

“It had to happen sometime; Microsoft has extended Windows 7’s life a number of times,” noted Roger Kay, principal analyst at Endpoint Technologies Associates.

Out With the Old OS

What makes this transition difficult is that Windows 7 has done its job quite well, remaining a very stable operating system. Still, supporting multiple OSes is not only a drain on resources, but also is inconsistent with Microsoft’s new direction.

“Microsoft is committed to pushing everyone onto Windows 10, which is better adapted to a services revenue stream,” Kay told TechNewsWorld.

“In fact, there may never be another Windows,” he suggested. “The company will keep updating the Windows 10 code essentially indefinitely. Now, beta versions of new code get pushed out, bug reports come back, and the team patches whatever needs it.”

Hardware Improvements

In the past, a barrier to upgrading was the hardware that past versions of Windows ran on, and making a move from Windows 3.1 to Windows 95 almost certainly required that users purchase a new computer. The same trend continued with Windows 98, Windows Millennium, Windows XP and notably Windows Vista.

By the time Windows 7 came along, the steady clock-speed gains that had accompanied Moore’s Law had slowed. More importantly, apart from some PC games, most software really didn’t require vastly improved hardware. That made the transition from Windows Vista to Windows 7 much easier, and even today an upgrade to a new OS isn’t really that much of a stretch.

“Windows 7 first shipped on 45nm Intel Core processors code-named ‘Yorkfield’ (desktop) and ‘Penryn’ (mobile), which both debuted in 2008,” explained LiftrCloud’s Teich.

“The 45nm Core i5 ‘Lynnfield’ (desktop) processor was introduced at the same time as Windows 7, as was the 45nm Core i7 ‘Clarksfield’ (mobile) processor,” he told TechNewsWorld.

The “sweet spot” for Intel Core processors at the time was quad-core for both mobile and desktop, while the core clock frequency ranges for all of those processors started at 2.3 GHz and topped out above 3 GHz.

“A current generation Core i5 ‘Skylake’ desktop processor has a base frequency of 2.6 GHz to 3.6 GHz, and two dual-threaded cores running four threads is still a sweet spot,” added Teich.

Today, mobile Core i3 parts have base frequencies of 2.3 GHz to 3.6 GHz with two dual-threaded cores.

“In 10 years, we didn’t get faster clock speeds except at the very high end of Intel’s product lines,” said Teich. “AMD could not do any better, because physics is physics. We got some speed-ups due to architectural improvements, but really, Moore’s Law is dead, dead, dead.”

Old PC With New OS

Because there has been no great leap forward in hardware, most of those older PCs could simply be upgraded in place — something Microsoft initially offered for free.

“Hardware-wise, any system that can run Windows 7 can run Windows 10,” said Kay.

“That part is easy, and I’ve upgraded a bunch of older systems,” he added.

Even though that window to upgrade Windows for free has closed, Kay said it isn’t really that difficult and still can be accomplished easily.

“The Windows 10 updater essentially looks for a valid Windows 7 or Windows 8 license, and off you go,” Kay explained.

“Windows 7 was designed to run well on whatever was running Windows Vista, so it didn’t require more compute power than was available several years before it shipped,” added Teich.

Moreover, Windows 10 was designed to run well on any PC that can run Windows 7, in order to appeal to both Windows 7 and Windows 8 upgrades.

“It wasn’t a hard goal, because Windows 10 focused on an easy-to-install and easy-to-update architecture, better security, and improving the user experience — none of which required more processor speed,” said Teich. “I have personally installed Windows 10 on at least four of my own Windows 7-era notebooks and self-built media PCs. All have performed well.”

Security Concerns

The biggest reason to upgrade from Windows 7 remains the security concern. Even with the ESU from Microsoft, users could be putting themselves at risk.

“It is already known that criminals are cooking up stuff in their labs,” warned MonsterCloud’s Pinhasi.

“Once they have those tools they can exploit the older versions of Windows to make billions from it,” he added.

Ransomware, such as the WannaCry cryptoworm, which targeted Windows machines in May 2017, could be unleashed after Microsoft’s support for Windows 7 ends.

That particular ransomware spread through EternalBlue, an exploit for Microsoft’s SMBv1 file-sharing protocol that was developed by the United States National Security Agency and leaked in April 2017. Microsoft had patched the flaw in March 2017 (MS17-010), but only for supported versions of Windows; unsupported systems such as Windows XP received an emergency patch only after the outbreak was under way, which is the position Windows 7 machines without ESU will be in after January 2020.

“The hackers dropped a package that was stolen from the NSA, and hackers could use something similar,” Pinhasi warned.

ESU buys time, but the best course of action isn’t to keep paying for it; it is to upgrade the OS and, if necessary, the PC hardware.

“It’s time to move on; the demise of a loved operating system is hard, but inevitable,” said Roger Entner, principal analyst at Recon Analytics.

“Windows 7 stopped being the flagship Windows OS seven years ago, so it is time to upgrade, and a laptop for $179 at Best Buy runs Windows 10 and is probably more powerful than anything that was made in 2012,” he told TechNewsWorld.

“There is no reason that anyone running Windows 7 should stick with it, other than pure ornery stubbornness, and it’s not like you have to learn a new OS,” added Teich.

Of course, it isn’t just individual users who should heed these warnings.

“Companies really should get off Windows 7 as soon as they can,” warned Kay.

“Security attacks are getting more frequent, more sophisticated and more automated — and don’t imagine that just because you’re a small fish, they won’t come after you,” he explained. “Small firms are sometimes used as an attack vector against larger firms. And if companies need to turn over their PC base once every 10 years, that’s a good thing. Employees might even be more productive.”

Google reveals Chrome zero-day vulnerability was under active attacks at the time of patch

  • The vulnerability is a use-after-free, a memory error in which code keeps using a block of memory after it has been freed.
  • Google Chrome users are advised to update to Google Chrome version 72.0.3626.121.

Google disclosed that the zero-day vulnerability it patched on March 1, 2019, was under active attack at the time of the patch. The vulnerability, tracked as CVE-2019-5786, was fixed in Chrome 72.0.3626.121.

The big picture – Google described the vulnerability as a memory management error in Chrome’s FileReader, a web API that lets web pages read the contents of files stored on the user’s system.

To be precise, the vulnerability is a use-after-free: a memory error in which code keeps using a block of memory after it has been freed, by which point the allocator may have handed the same memory to something else. An attacker who controls what lands in the recycled block can turn that stale access into execution of malicious code.
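The lifetime bug described above, as an added example that is not Chromium’s code: a reference-counted reader object (every name here is hypothetical, and the input is constructed) whose buffer is consumed in a loop that calls back into untrusted code, which is the shape a FileReader read has. The callback drops the owner’s reference in the middle of the read. The unsafe path would keep reading freed memory, while the hardened path holds its own reference for the duration of the operation, which is the usual fix for this class of bug in browser code.

```c
/* Added example, not Chromium code. Names (reader_t, checksum_safe, ...)
 * are hypothetical. Models a read loop that calls back into untrusted
 * code which may release the object being read. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int g_frees;            /* number of times a reader was freed */

typedef struct {
    int           refcount;
    size_t        len;
    unsigned char data[64];
} reader_t;

typedef void (*progress_cb)(reader_t *r, size_t offset);

reader_t *reader_new(const unsigned char *src, size_t len) {
    reader_t *r = calloc(1, sizeof *r);
    if (!r || len > sizeof r->data) { free(r); return NULL; }
    r->refcount = 1;
    r->len = len;
    memcpy(r->data, src, len);
    return r;
}

void reader_ref(reader_t *r) { r->refcount++; }

void reader_unref(reader_t *r) {
    if (--r->refcount == 0) {
        memset(r, 0xAA, sizeof *r);   /* poison: a dangling read is obvious */
        free(r);
        g_frees++;
    }
}

/* UNSAFE: borrows r without taking a reference. If cb drops the last
 * reference, the next iteration reads r->len and r->data after free.
 * Shown for contrast only; it is never called below. */
unsigned checksum_unsafe(reader_t *r, progress_cb cb) {
    unsigned sum = 0;
    for (size_t i = 0; i < r->len; i++) {
        sum += r->data[i];
        if (cb) cb(r, i);             /* cb may free r here */
    }
    return sum;
}

/* HARDENED: hold our own reference across the whole operation, so r stays
 * alive until the reader_unref at the end no matter what cb does. */
unsigned checksum_safe(reader_t *r, progress_cb cb) {
    reader_ref(r);
    unsigned sum = 0;
    size_t len = r->len;              /* snapshot; cb cannot shrink it */
    for (size_t i = 0; i < len; i++) {
        sum += r->data[i];
        if (cb) cb(r, i);
    }
    reader_unref(r);
    return sum;
}

/* Hostile callback: behaves like script dropping the reader object in the
 * middle of a read by releasing the owner's reference at offset 1. */
void drop_owner_cb(reader_t *r, size_t offset) {
    if (offset == 1) reader_unref(r);
}

/* Runs the hardened path against the hostile callback. The owner's
 * reference is given up inside the loop, yet the read completes and the
 * reader is freed exactly once, after the loop. Returns the checksum. */
unsigned demo_safe(void) {
    static const unsigned char payload[] = "hello";   /* constructed input */
    reader_t *r = reader_new(payload, 5);
    if (!r) return 0;
    g_frees = 0;
    return checksum_safe(r, drop_owner_cb);   /* cb consumes the owner's ref */
}

int main(void) {
    unsigned sum = demo_safe();
    printf("checksum=%u frees=%d\n", sum, g_frees);
    return 0;
}
```

The poisoning in reader_unref is the same idea as the allocator-level freed-memory fill that hardened allocators use: it does not prevent the bug, it makes a stale read crash or return obviously wrong data instead of silently returning attacker-controlled bytes.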

Chaouki Bekrar, CEO of exploit acquisition platform Zerodium, tweeted that the vulnerability lets malicious code bypass Chrome’s security sandbox and run commands on the operating system.

“Google discovered a Chrome RCE #0day in the wild (CVE-2019-5786). Reportedly, a full chain with a sandbox escape. In 2019, I expect epic 0days to be found in the wild: Android, iOS, Windows, Office, virtualization, and more. Stay safe and enjoy the show,” Chaouki Bekrar tweeted.

Memory management issues

According to Microsoft security engineer Matt Miller, roughly 70 percent of the vulnerabilities Microsoft patches each year are memory safety errors.

Most of those errors come from code written in C and C++, two memory-unsafe languages that are also used for Chromium, the open source project on which Google Chrome is based.

The bottom line – Google Chrome users are advised to update to Google Chrome version 72.0.3626.121.

Hackers Revive Microsoft Office Equation Editor Exploit

Over the last few months, attackers have used specially crafted Microsoft Word documents that abuse an integer overflow bug to slip past sandboxes and anti-malware solutions and exploit the Microsoft Office Equation Editor vulnerability that was patched 15 months ago.

According to Microsoft’s security advisory, this memory corruption vulnerability tracked as CVE-2017-11882 impacts unpatched Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016.

The vulnerability was patched in the November 2017 Patch Tuesday release. Successful exploitation runs arbitrary code in the context of the current user, which lets an attacker take complete control of the system if the victim is logged on with administrative rights.

Overflow bug can be chained with any vulnerability

Mimecast’s Meni Farjon, the security researcher who described the inner workings of the bug used to revive the tried-and-tested Equation Editor Exploit, told BleepingComputer that “The bug can be used to carry any payload into an OLE file, so this can be chained to pretty much any Word vulnerabilty. Consider this as a vehicle which can cloak the payload, or a stealth jet armed with any missile.”

According to Farjon, “Our detection engines spotted an attacker group, which seems to originate from Serbia, using specially-crafted Microsoft Word documents to take advantage of how Microsoft Word handles Integer Overflow errors in the OLE file format.”

Once the overflow bug in the way Microsoft Word handles the Object Linking and Embedding (OLE) file format is triggered and the Equation Editor exploit runs, the attackers can drop any malware payload. They obtain administrative rights either by chaining further vulnerabilities or because the victim is working from an account that already has full user rights.
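An illustration of the bounds-check failure this class of bug produces, added here and not the Mimecast or Microsoft code: the real OLE defect’s internals are not public, so the record layout, field names and container below are hypothetical and the input is constructed. A header whose offset plus length wraps in 32-bit arithmetic passes the naive check and is rejected by the corrected one; a benign header passes both.

```c
/* Added example, not Word/OLE code. A length-prefixed record inside a
 * container, with 32-bit header fields as such formats usually have.
 * Format, names and input are hypothetical/constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t offset;   /* where the record body starts in the container */
    uint32_t length;   /* body length as claimed by the header */
} rec_hdr_t;

/* Reads the 8-byte little-endian header (offset, length). */
rec_hdr_t read_hdr(const uint8_t *p) {
    rec_hdr_t h;
    h.offset = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
               (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    h.length = (uint32_t)p[4] | (uint32_t)p[5] << 8 |
               (uint32_t)p[6] << 16 | (uint32_t)p[7] << 24;
    return h;
}

/* UNSAFE: offset + length is computed in uint32_t and wraps, so
 * 0xFFFFFFF0 + 0x20 == 0x10, which looks "inside" any container of
 * 16 or more bytes. A record the parser accepts here can point far
 * outside the buffer or describe a body no scanner will look at. */
int record_in_bounds_unsafe(rec_hdr_t h, uint32_t container_size) {
    return h.offset + h.length <= container_size;
}

/* FIXED: never form a sum that can wrap; compare against the remaining
 * space instead. (__builtin_add_overflow is the other common idiom.) */
int record_in_bounds_safe(rec_hdr_t h, uint32_t container_size) {
    return h.offset <= container_size &&
           h.length <= container_size - h.offset;
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Builds a 64-byte constructed container whose header claims
 * (offset, length) and returns the given checker's verdict on it. */
int verdict(int (*check)(rec_hdr_t, uint32_t),
            uint32_t offset, uint32_t length) {
    uint8_t container[64];
    memset(container, 0, sizeof container);
    put_le32(container, offset);
    put_le32(container + 4, length);
    rec_hdr_t h = read_hdr(container);
    return check(h, (uint32_t)sizeof container);
}

/* Crafted header: offset 0xFFFFFFF0, length 0x20 (sum wraps to 0x10). */
int crafted_passes_unsafe(void) { return verdict(record_in_bounds_unsafe, 0xFFFFFFF0u, 0x20u); }
int crafted_passes_safe(void)   { return verdict(record_in_bounds_safe,   0xFFFFFFF0u, 0x20u); }
/* Benign header: body at offset 8, 16 bytes long, well inside 64 bytes. */
int benign_passes_unsafe(void)  { return verdict(record_in_bounds_unsafe, 8u, 16u); }
int benign_passes_safe(void)    { return verdict(record_in_bounds_safe,   8u, 16u); }

int main(void) {
    printf("crafted: unsafe=%d safe=%d\n", crafted_passes_unsafe(), crafted_passes_safe());
    printf("benign:  unsafe=%d safe=%d\n", benign_passes_unsafe(), benign_passes_safe());
    return 0;
}
```

The practical lesson for anyone writing a scanner or parser for container formats: the check must be written against the space that remains, not against an arithmetic result, because an attacker controls every field that feeds that arithmetic.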

OLE Integer Overflow bug left unpatched

During one of the attacks detected by the researcher, the hacking group “dropped a new variant of Java JACKSBOT, a remote access backdoor that could only be active or infect its target if Java was installed. JACKSBOT is capable of taking complete control of the compromised system.”

Although Mimecast contacted Microsoft after discovering this security issue following their Coordinated Vulnerability Disclosure (CVD) and also provided a working proof-of-concept (PoC), Redmond chose not to release a security patch because “the issue on its own does not result in memory corruption or code execution” although it “acknowledged it was unintended behavior.”

“Microsoft did not fix the issue, and did not assign a CVE number to it. Their response was that the issue doesn’t meet the severity bar for servicing via a security update because it doesn’t result in a memory corruption or code execution by itself,” Farjon told BleepingComputer.

Even so, “There is no ‘right’ thing to do here,” according to the researcher: “Leaving it undisclosed is bad, because limited attacks can still be happening, but publishing this without a fix might get more attacks to learn and implement that in higher volumes.”

Police warn of fake anti-virus alert scam

WINCHESTER, Va. (WHSV) — A scam involving fake anti-virus alerts on computers is becoming increasingly common in the Winchester area, prompting the Winchester Police Department to issue a warning to citizens.

In one recent case, a woman lost $350 to the scam; in another, a man lost $250.

This is not a new scam by any means, but it remains a dangerous one, and it is becoming more common in the Shenandoah Valley. When someone thinks they are clicking an alert about a virus, the crooks actually infect that computer, causing it to lock up. They then have complete remote access to the machine, which lets them reach personal data such as passwords, bank accounts and credit card information.

—HOW THE SCAM WORKS—

Victims receive a pop-up on their computer screen. It says their computer has been infected with a dangerous virus and they need to pay to have it removed. The scammer provides a phone number with the pop-up message.

If someone calls that number, the scammers ask for a check or credit card number so they can repair the computer remotely. Those who have fallen victim report the callers often have thick accents and claim to be with Microsoft.

—WHAT YOU SHOULD DO—

First of all, NEVER click on pop-up alerts that you did not request. Don’t even click the ‘X’ in the corner of the window to close the alert, because that can trigger more pop-ups.

Instead, open Task Manager (press Ctrl+Shift+Esc, or press Ctrl+Alt+Delete and choose Task Manager), find the browser showing the pop-up in the list of running programs, and end it.

Alternatively, press Alt+F4 to close whichever window is active on your computer.

—ADDITIONAL WARNINGS—

Police offer additional warnings about computer scams:

• Microsoft will never prompt you to call an 800 number for tech support – you should always be the one to initiate a call for help.
• Use reputable pop-up blocker software to avoid pop-ups on your computer. Keep your computer updated with the latest anti-virus and anti-spyware software.
• NEVER open email attachments unless you can verify the sender and you trust them.
• NEVER click on the links in spam email.
• Scammers commonly use high pressure sales tactics to convince you to buy NOW! Practice a healthy dose of skepticism.

Adwind RAT resurfaces again, relies on another malware for infection

  • It now comes as a variant that uses different payloads and spreads mainly through JAR files.
  • In this campaign, the infamous VBS-based worm Houdini is leveraged to infect computer systems.

Adwind, a well-known multifunctional malware program that made news in late 2017, has resurfaced. A report by McAfee Labs indicates that the remote access tool (RAT) now relies on another piece of malware, Houdini, to infect systems. In addition, the new variant carries various payloads for deployment.

Worth noting

  • Adwind mainly targets platforms compatible with Java applications and running the Java Runtime Environment.
  • It primarily uses a malicious JAR file as an attachment in spam emails, evident in earlier campaigns.
  • Once the JAR file runs in the system, Adwind gets installed and communicates with a remote server to conduct other malicious activities.
  • The latest variant collaborates with H-Worm/Houdini VBS-based worm to successfully infect systems.
  • A file called operational.Jrat drops the final payload, completely compromising the system.
  • A second file, Bymqzbfsrg.vbs, gives the attackers control of the infected machine.

What can the malware do?

Adwind is known to possess many malicious capabilities. This includes collecting keystrokes, stealing passwords and data from web forms, taking screenshots and video from webcams, and lastly transferring files to the remote server.

Adwind has also evolved to steal from cryptocurrency wallets and to steal VPN certificates.

In 2017, most Adwind spam campaigns evaded detection by antivirus and similar software, thanks to complex, layered function calls spread across multiple JAR files.

Students from Carnegie Mellon University Win 2019 Deloitte Foundation Cyber Threat Competition

College students representing 15 universities compete at Deloitte University for a real-world challenge of cyber and business complexity.

Four students from Carnegie Mellon University won the 2019 Deloitte Foundation Cyber Threat Competition. Team members Karttik Panda, Veera Nandiraju, Sanika Suwant and Nishith Yadav each received $2,000 in scholarship money. Carnegie Mellon University teams have competed since the competition began five years ago, and always rank amongst top performing teams. This is the first win for the university.

The competition consisted of three rounds over the last two months, culminating on Saturday, Feb. 23, 2019. The first round was an online cyber competency quiz and the second was an online technical challenge. In both, students competed individually. Then, the top qualifying student competitors from each university were invited to Deloitte’s leadership center, Deloitte University in Westlake, Texas, to represent their schools as teams and compete in the final round — the Cyber Wargame event. In this competition, the teams faced off during a two-day challenge that simulated a real corporate environment during a cyber-attack. Teams had to evaluate the information available and return a response plan recommendation to a fictitious team of corporate executives, made up of Deloitte cyber professionals.

“In the first rounds, we test their technical cyber chops, but the final round is quite different from most cyber hackathon competitions, as we also test their business acumen,” said Anthony Russo, a Cyber Risk Services principal in Risk and Financial Advisory at Deloitte & Touche LLP. “Real-world cyber incidents test even the most capable business leaders and impact an entire organization not merely their information technology environments. It’s important for students to experience how corporations today may be responding to such events, and to test the critical thinking, communication and problem-solving skills they will need as they head into the workforce.”

The first-place team received $2,000 in scholarship money per student, the second-place team received $1,000 per student and the third-place team received $500 in scholarship per student. Students from Purdue University placed second overall, and the university was a new entrant to the competition this year. Four undergraduate students from Terry College of Business at The University of Georgia finished third.

“The Deloitte Foundation recognizes cybersecurity as one of the most complex challenges that students can face as they enter the working world, and as one of the largest talent voids organizations are struggling to address,” said John Rooney, principal, Deloitte Transaction & Business Analytics LLP and Deloitte Foundation board member. “Our mission is to accelerate education innovation and we’re excited to see the interest in and growth of the Cyber Threat Competition over the past five years. The Foundation is committed to finding creative and impactful ways to prepare students for the future.”

Barathi Krishnamurthy, a student in the masters program in information systems represented the University of Washington during the competition and had this to say about the importance of such experiences, “In business school, we learn cyber concepts but it’s a base upon which to build. The competition gives us the flavor of work that real cyber professionals do. This simulation experience put me directly in their shoes when a cyber incident occurs. I was able to connect a lot of dots from the classroom with what I learned in the competition and confirmed this is the industry where I want to be involved.”

Students preparing to enter the workforce are facing an evolving cyber landscape and therefore should prepare themselves differently to meet the growing needs of organizations. Universities must now equip their students with the tools to meet those needs and succeed in this new landscape. To help accomplish this, this year’s competition also featured a separate session for educators from the attending schools in Deloitte’s Greenhouse™ Lab. In the Cyber Faculty Greenhouse™ Lab, educators participated in a full day of dynamic engagement and collaborative brainstorming exercises. The lab was designed to equip educators with the tools they need to prepare the talent of tomorrow to face the changing nature of cyber work, including the adoption of IoT, robotics and increased globalization.

“These competitions and experiences are invaluable for our students to understand the scope of cyber outside of solving puzzles and technical challenges,” said Jeff Jenkins, a professor in the masters in cybersecurity program at Brigham Young University. “However, the Cyber Faculty Greenhouse Lab led by Deloitte was an outstanding opportunity to collaborate, discuss and plan for the cyber education opportunities and challenges of the future.”

Experian: More Than a Third of Companies are Unprepared to Respond to a Data Breach

Sixth annual corporate preparedness study also reveals that businesses lack confidence in preventing an attack.

Are companies ready for today’s sophisticated cybercriminals and the impact of data breaches? Experian’s annual corporate preparedness study, Is Your Company Ready for a Big Data Breach?, reveals that progress has been made, but companies need to do better. Conducted by the Ponemon Institute, the study finds that only 36 percent of businesses are prepared to respond to a data breach, and that confidence in controlling growing threats is low.

The study identified these key areas for improvement:

• C-Suite Engagement: 49 percent of survey respondents say their executives are unknowledgeable about plans to deal with a data breach. A majority (81 percent) feel that increased participation and oversight from senior executives would make their response plan more effective.

• Security Processes: The biggest barrier to improving security is lack of visibility into end-user access to sensitive information (63 percent), while 60 percent cite the proliferation of cloud services. Investment is also lagging: a third of respondents are not planning any security technology investments in the next year.

• Employee Training: More than a quarter of organizations (27 percent) don’t have a privacy/data protection awareness and training program for employees with access to sensitive or confidential information. Less than half of companies (47 percent) address spear phishing attacks in their training.

• Response Plan: 42 percent of professionals surveyed say their company doesn’t have a set time period for reviewing and updating their data breach response plan, and 23 percent haven’t updated their plan since it was put into place. Less than half (46 percent) have procedures for responding to a data breach involving overseas locations.

“We’d like to see 100 percent of companies prepared and trained to handle any kind of data breach whether it’s malware infiltration or ransomware. Prevention is the key, but if an incident occurs, swift management afterward will greatly minimize the damage,” said Michael Bruemmer, vice president of Data Breach Resolution at Experian. “Organizations should implement a strong security posture staying up to date with the latest attack threats, engage in pre-breach agreements with security partners and hold a practice drill every year with a dedicated response team.”

Lack of preparation leads to low confidence levels

Executives still feel challenged and concerned about being fully prepared for a data breach. Only 52 percent rated their plans as very effective, just a slight increase over 2017 (49 percent). When it comes to responding to a data breach involving business confidential information and intellectual property, only 36 percent feel prepared to respond. More than half (59 percent) aren’t confident that they could handle ransomware.

Consequently, businesses continue to struggle with preventing security incidents. The study found that 35 percent had two to three data breaches in the past two years, and approximately 1 in 10 companies (11 percent) experienced more than five data breach incidents in that time. Among the respondents who had a data breach, 43 percent of those breaches were global in nature. The report further notes that businesses are struggling to comply with the General Data Protection Regulation (GDPR): only 36 percent report being in compliance.

After a data breach occurs, companies feel even less confident about managing the aftermath:

• Less than a quarter (21 percent) feel confident in their ability to minimize the financial and reputational consequences.

• Only 4 in 10 say they’re effective at doing what needs to be done to prevent the loss of customers and keep business partners’ trust and confidence after a breach.

• 53 percent don’t have a cyber insurance policy that can help recoup expenses and cover damages.

Data leaks, default passwords exposed in visitor management systems

Researchers have uncovered a swathe of vulnerabilities which impact visitor management systems in which automation has replaced human assistants.

Automation, artificial intelligence (AI), machine learning (ML), the Internet of Things (IoT), and mobility have begun to permeate every aspect of our daily lives. In the hospitality industry, these technologies have presented an opportunity to improve the security of visitors and guests, as well as reduce the human workforce required to maintain protective measures.

So-called visitor management systems, which replace the average security guard or reception desk, are becoming big business: the market is expected to be worth over $1.3 billion by 2025.

However, the moment you add Internet connectivity to a device you invite attacks, and vulnerabilities in badge and digital access-control systems are just as exploitable as any other.


For cyberattackers, the ability to tamper with access controls may give them unauthorized access to buildings and areas for criminal schemes. While this may seem an outlandish prospect, social engineering — such as a man dressing as a maintenance worker to pass through buildings without challenge — is already a well-known tactic.

“If a visitor management system is working properly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted,” IBM says. “If the systems are not working as intended, they can provide a false sense of security to the companies deploying them.”

The company’s cybersecurity team, IBM X-Force Red, recently investigated the security posture of five popular visitor management systems offered by Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist.


The team found a total of 19 zero-day vulnerabilities across the vendors’ products: Jolly Technologies’ Lobby Track Desktop, HID Global’s EasyLobby Solo, Threshold Security’s eVisitorPass, Envoy’s Envoy Passport, and The Receptionist system.

IBM X-Force Red’s findings included information disclosure vulnerabilities, the use of default administrator credentials, privilege escalation bugs that could permit breakouts from kiosk environments, and data leakage including visitor records, social security numbers, and driving license numbers.


“Even if the visitor management system is not connected to any network and does not issue badges, it still holds data about visitors, which can be a boon to competitors and inside traders,” the researchers say. “Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect. Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well.”

The vendors impacted by the researchers’ findings were notified before public disclosure. Several of the vulnerabilities have been patched, other fixes will be issued in the near future, and some of the bugs will be mitigated through isolation techniques.
