Security Watch Archives | eWEEK
https://www.eweek.com/blogs/security-watch/

Google Patches 58 Android Vulnerabilities in February Security Update
https://www.eweek.com/blogs/security-watch/google-patches-58-android-vulnerabilities-in-february-security-update/
Tue, 07 Feb 2017 19:10:00 +0000

Google released its second Android patch update of 2017 on Feb. 6, providing users of the mobile operating system with patches for 58 different vulnerabilities, up significantly from the 13 flaws Google fixed in its February 2016 Android update.

In the new February 2017 update, 8 vulnerabilities are rated by Google as critical. Among the critical vulnerabilities is CVE-2017-0405, which is a remote code execution vulnerability in the Android Surfaceflinger graphics library.

“A remote code execution vulnerability in Surfaceflinger could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing,” Google warns in its advisory. “This issue is rated as Critical due to the possibility of remote code execution within the context of the Surfaceflinger process.”

The Surfaceflinger issue was reported by researchers Scott Bauer and Daniel Micay of Copperhead Security. Micay in particular is no stranger to reporting Android vulnerabilities and was credited back in October 2015 for reporting a security flaw that was dubbed ‘Stagefright 2’ at the time. The original Stagefright media server flaw was first disclosed in July 2015 and is the vulnerability that led Google to start its monthly patch process in August 2015.

In the February 2017 update, Google is now patching four Stagefright-related vulnerabilities. Two of the issues (CVE-2017-0406, CVE-2017-0407) are remote code execution issues in mediaserver that are rated by Google as critical. Additionally, two high-severity issues are being patched: a remote code execution vulnerability (CVE-2017-0409) in the libstagefright library and a privilege escalation vulnerability in mediaserver (CVE-2017-0415).

Among the critical issues patched by Google is CVE-2017-0427, which is a privilege escalation vulnerability in the kernel filesystem.

“An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code within the context of the kernel,” Google warns in its advisory. “This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.”

Google is also now patching Android for a critical privilege escalation vulnerability (CVE-2014-9914) in the kernel networking subsystem that was first patched in the upstream Linux kernel back in June 2014.

As has been the case in Android updates since August 2015 and the so-called ‘QuadRooter’ flaws, issues with various Qualcomm components are a leading source of patches in the Google update. With the February 2017 update, there are 19 patched Qualcomm flaws including two rated as critical, 15 rated as high and an additional two flaws that have moderate severity. The patched Qualcomm flaws include remote code execution and privilege escalation issues.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

SecureWorks Finds Most Cyber-Threats Involve Phishing, Network Scans
https://www.eweek.com/blogs/security-watch/secureworks-finds-most-cyber-threats-involve-phishing-network-scans/
Sat, 04 Feb 2017 06:05:00 +0000

The vast majority of successful attacks on companies are conducted by cyber-criminals using phishing, network scans for exploitable systems, and strategic web site compromises, security-services firm SecureWorks found in an analysis of six months of incident-response engagements.

The analysis of 163 incidents found that 82 percent could be attributed to cyber-criminals, 11 percent to insiders and 7 percent to nation-state adversaries. The company attributed attacks to financially-motivated cyber-criminals if they included theft of funds, the copying of financial information or personal data, the use of computing power, or ransom of data.

While advanced attacks and zero-day vulnerabilities garner a lot of attention, phishing, exploitation of known vulnerabilities and using websites to launch attacks were the most common methods of compromise. The vast majority—88 percent—of attacks were opportunistic and not targeted, the report stated.

“There are a lot of companies focused on the advanced threats, but when we look at the companies, they don’t have the basics down,” Jeffrey Carpenter, director of threat intelligence and incident response consulting at SecureWorks, told eWEEK. “They are failing at some of the basic, basic components of defense.”

SecureWorks conducts nearly 800 incident-response engagements every year, about half of which were proactive—to check cyber-defenses—and the other half reactive—to help clients clean up after an attack, Carpenter said.

The study involves data from the 163 reactive incident response engagements SecureWorks did in the first half of 2016. The company emphasized that the focus on the victims means that the study reveals the actual attacks that threaten companies.

Malware typically entered a corporate network through the compromise of a vulnerable public-facing system, through compromised employee credentials, by delivery in an email, by download from a website or through a third-party contractor.

Phishing accounted for 38 percent of attacks, while scans for vulnerable systems that were then exploited accounted for 22 percent of attacks. Using a website to host exploits accounted for 21 percent of the attacks.

In one incident, for example, one large-scale manufacturing firm had numerous malware infections. While the company had deployed antivirus software, it did not prevent the attacks, but only created continuous alerts about the infections, SecureWorks stated in the report. Cyber-criminals quickly monetized the attacks by installing banking trojans, bitcoin mining software and remote access trojans.

SecureWorks found that the company had too many users with administrative privileges, still had systems running Windows XP and only a limited ability to respond to an attack.

While phishing is the top attack vector, many companies are not prepared to deal with it, Carpenter said.

“Training alone is not good enough,” he said. “No matter how much you train, you will always have someone who clicks.”

SecureWorks identified many areas where companies could improve their preventative measures, but Carpenter highlighted the need for a strategy balanced between prevention, detection and incident response.

Top preventative strategies included better and more consistent patching, managing user-account privileges and adding web application firewalls or content filters. Companies also have to implement a good endpoint security solution, improve logging and collection capabilities, and help incident responders, he said.

“No matter how many steps you take, you are always going to have an incident,” Carpenter said. “So you need to focus on response as well.”

Sophos Phish Threat Aims to Educate Users on Phishing Risks
https://www.eweek.com/blogs/security-watch/sophos-phish-threat-aims-to-educate-users-on-phishing-risks/
Thu, 26 Jan 2017 00:45:00 +0000

Security vendor Sophos announced the official launch of its Phish Threat attack simulator on Jan. 25, in an effort to help improve end-user and organizational readiness for phishing attacks.

Sophos didn’t build the Phish Threat technology on its own, rather the platform was acquired from privately-held security consultancy Silent Break Security in November 2016. Phish Threat enables organizations to simulate phishing attacks to test user responses.

“Our goal with Phish Threat was to make a platform that is effective and easy for organizations,” Brady Bloxham, creator of Phish Threat, told eWEEK.

Bloxham said that while there are other phishing testing platforms in the market, in his view, they don’t always reflect the evolving threat landscape. Now as part of Sophos, Phish Threat benefits from the Sophos Central platform, which is an effort to provide a consolidated view of security devices and controls across an organization.

“Everyone in this space is really just a training vendor,” Bloxham said. “With Sophos being a security company, we can now provide customers with a more holistic perspective of an organization’s security.”

The core promise of the Phish Threat platform is that by testing users, lessons will be learned and behavior can improve over time. Bloxham said that he doesn’t expect that the click rate on phishing emails will ever go down to zero. That said, he emphasized that he has seen positive results from the use of Phish Threat in reducing phishing rates among customers.

Bill Lucchini, SVP and GM for Sophos Central Security, added that having a phishing testing platform further helps to build a culture of security awareness. From a broader perspective, Lucchini said that in addition to awareness, there are the Sophos security technologies that stand behind employees for those times when they do actually click on a real phishing attack email.

Sophos has been actively expanding its capabilities in recent years to help secure organizations. Sophos announced a capability called security heartbeat in 2015 that helps to enable a synchronized security approach. In September 2016, Sophos launched its InterceptX next-generation endpoint security technology. Lucchini explained that InterceptX has exploit prevention capabilities as well as root cause analysis insight to show organizations how threats come into an organization.

The Phish Threat information will now be exposed to Sophos Central users. At a deeper level, Sophos is working on additional integrations to further make use of the Phish Threat information.

“In the background, we’re building up the user profile,” Lucchini told eWEEK. “We’re then exposing the information via private APIs to internal security clients, to be able to consume information about the user and make better decisions.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Trump Administration Faces Herculean Cyber-Security Task
https://www.eweek.com/blogs/security-watch/trump-administration-faces-herculean-cyber-security-task/
Wed, 25 Jan 2017 06:10:00 +0000

As President Donald Trump takes office, his administration will have to take on the complex task of securing the U.S. government’s information technology and networks, currently rated last among 17 different industry groups, according to ratings firm SecurityScorecard.

In updated ratings released on Jan. 15, the company found that more than 70 percent of U.S. government agencies were slow to patch both medium- and high-severity software vulnerabilities. Furthermore, the majority of agencies had exposed network ports.

So it is no wonder that more than 80 percent of the federal organizations had an instance of malware communicating outside of the network in the last year, Alex Yampolskiy, CEO and Founder of SecurityScorecard, told eWEEK.

“If there is malware inside the organization, they are not doing a great job isolating malicious code or catching the infection, so we can assume maybe that more is going on,” he said.

The evaluation confirms what other security experts have pointed out for many years—defense is difficult, and the government continues to struggle with defending its networks and data. In the past two years, the U.S. government has suffered significant breaches of both the Internal Revenue Service and the Office of Personnel Management, leading to leaks of sensitive data on taxpayers and on background checks into current and prospective federal employees, respectively.

The problems pre-date the Obama administration’s tenure, however. In 2008, for example, the Pentagon suffered a major attack when malware was introduced into its network through an infected USB drive and spread throughout the network, requiring months to clean up. Following that incident, the military banned USB drives.

The size of U.S. agencies and their associated infrastructure makes them difficult to maintain and secure, Yampolskiy said.

“Government organizations take a very long time to patch, even high-severity vulnerabilities—in many situations it takes months and months and months,” he said. “They have a very big attack surface. They do not do a good job patching the holes in exposed software.”

Federal agencies need to focus on triaging and managing vulnerabilities, blocking attacks and unifying the oversight of each organization’s information security teams, Yampolskiy said. SecurityScorecard’s monitoring discovered that more than half, 51 percent, of U.S. government organizations used out-of-date browsers—a practice which makes them more vulnerable to attacks using older, well-known vulnerabilities.

Over the past year, there have been some small improvements, but it is hard to know whether the agencies have established metrics to measure the improvement, Yampolskiy said.

“Establishing a clear set of metrics is very important in order to drive improvements in security,” he said.

A little more than a third of federal agencies had signs of a malware infection in the past month, while 11 percent had suffered a leak of their passwords, the company found.

Kroll Report Finds Fraud, Cyber-Attacks Increased in 2016
https://www.eweek.com/blogs/security-watch/kroll-report-finds-fraud-cyber-attacks-increased-in-2016/
Tue, 24 Jan 2017 23:21:00 +0000

The Kroll Global Fraud and Risk Report for 2016 shows that cyber-fraud incidents increased during 2016, though not all the news was bad.

Fraud Increased in 2016

According to the Kroll Global Fraud and Risk Report, fraud has been increasing steadily since 2012. For 2016, 82 percent of survey respondents reported experiencing fraud, up from 75 percent in 2015.

The Impact of Fraud Varies

The majority (87 percent) of respondents indicated that fraud losses represented less than 3 percent of revenues in 2016. However, 3 percent of respondents noted that fraud losses represented 7 percent to 10 percent of revenue.

Ransomware not as Prevalent as Viruses

While ransomware has been cited by multiple other 2016 security reports as a growing trend, the Kroll report found that only 13 percent of respondents suffered a ransomware attack in 2016. In contrast, 33 percent identified “virus/worm infestation” as a cyber-incident they experienced in the past 12 months.

Software Vulnerabilities Enable Attacks

Cyber-attacks can be enabled by many different factors and events. The leading reason cited by the Kroll report was software vulnerabilities (26 percent).

Insiders are a Risk

For those companies reporting being the victim of a cyber-attack or information loss incident in 2016, employees were identified as primary perpetrators. Ex-employees were identified as the main cause by 20 percent of respondents, while 14 percent cited freelance or temporary employees as being the perpetrators of a cyber-event.

U.S. Companies Likely to Contact IT Service Vendor After a Breach

The Kroll report is a global study, with many of the statistics for the United States almost mirroring worldwide numbers. One area that differs, however, is the entity most commonly contacted following a cyber-incident. In the United States, 43 percent of respondents said they would contact an IT service vendor, while the global number is only 27 percent.

Most Organizations Already Have Risk Mitigation Policies

Though fraud is on the rise, the report has some positive findings, including the fact that 80 percent of respondents have developed and implemented security policies and procedures at their organizations.

Breach Reports Rise 40 Percent in 2016, More Than Half Expose SSNs
https://www.eweek.com/blogs/security-watch/breach-reports-rise-40-percent-in-2016-more-than-half-expose-ssns/
Sat, 21 Jan 2017 06:25:00 +0000

Reports of data breaches rose more than 40 percent in 2016, with 72 percent caused by hacking, skimming or phishing and the majority of records stolen from the health care industry, according to a report released by the Identity Theft Resource Center on Jan. 20.

Using public breach reports and information provided by more than a dozen state agencies, along with Freedom of Information Act (FOIA) requests, the ITRC identified more than 1,093 incidents, up from 780 in 2015. The business sector encountered the greatest number of breaches, accounting for 45.2 percent in 2016, followed by the health care and medical sector at 34.5 percent.

While some of the increase may be due to ITRC’s more extensive sources of information, much of the rise in reports is likely due to organizations seeing a greater number of attacks, Adam Levin, founder of CyberScout, told eWEEK.

“I know, based on my experience being out there, that more and more people are experiencing attacks,” Levin said. “And a lot of them don’t report; a lot of organizations do everything they can to avoid reporting an attack.”

More than 36 million records were put at risk in the breaches reported in 2016, according to the survey. CyberScout collaborated with the ITRC on the report.

The most prominent trend is the continued increase in breaches caused by hacking, skimming and phishing. Those three tactics accounted for 55.5 percent of the overall compromises, increasing for eight consecutive years, according to the survey. Accidental exposure of information through email and the internet accounted for 9.2 percent of cases.

Attackers are increasingly going after medical records because the files contain so much valuable information, including health insurance numbers and often Social Security Numbers. The study found that Social Security Numbers were the most compromised information, with 52 percent of all breaches in 2016 putting SSNs at risk of exposure and misuse.

Medical records are also proving a popular target of attack. And, with the move to electronic health records, health care organizations are putting all of their information in attackers’ sights, Levin said.

“It’s a double-edged sword: More people have access to your information to save your life, but then more people have access to your information in general,” he said.

In the most recent example of attackers’ focus on the medical industry, a ransomware attack against two subcontractors of health care insurer Highmark Blue Cross Blue Shield of Delaware compromised 19,000 members’ medical records, according to reports.

HPE Report Details Global Security Operations Center Maturity Levels
https://www.eweek.com/blogs/security-watch/hpe-report-details-global-security-operations-center-maturity-levels/
Tue, 17 Jan 2017 20:15:00 +0000

Hewlett Packard Enterprise (HPE) released its State of Security Operations Report 2017 on Jan. 17, providing insights into what Security Operations Centers (SOCs) are doing right and what they’re doing wrong. Among the highlighted findings in the report is that 82 percent of SOCs are not at the optimal maturity level needed to help limit risk and protect business operations.

The 2017 report is the fourth annual State of Security Operations study from HPE and is based on an analysis of 183 SOC assessments. A core part of HPE’s approach to understanding the status of a SOC is the Security Operations Maturity Model (SOMM).

The SOMM provides an overall five-point scale to rank SOC maturity.

“A score of less than one is a SOC that still hasn’t properly documented its processes and procedures,” Matt Shriner, worldwide VP of Professional Services for Enterprise Security Products at HPE, told eWEEK. “A level five, in contrast, is extremely well-documented but also extremely rigid and inflexible.”

Shriner noted that while a level five is the highest SOMM score, it’s actually not the right score for the majority of organizations that need flexibility in their SOCs. Shriner said that if an organization is securing a satellite network or a military defense system, a level five might be appropriate, as precision is a critical attribute. He added that HPE generally recommends that organizations aim for a SOMM score of between three and four, to have the right mix of processes and flexibility.

According to the report, 27 percent of SOCs failed to achieve a SOMM level 1 score. Shriner said there are environments that organizations believe to be a SOC, but are often just a pair of individuals and not a team of trained professionals with documented procedures.

“The bigger issue is that 82 percent of SOCs are not meeting business goals,” Shriner said.

In Shriner’s view, an effective SOC is not something that security people are doing because they like researching the latest security threats. Rather, the most effective SOCs should be looking to protect certain aspects of the business.

Shriner noted that many SOCs got started with a perimeter security monitoring mission, managing firewall and intrusion detection systems in a consolidated approach.

“That’s not enough as attackers today are far more sophisticated than just perimeter attacks,” Shriner said.

Simply hunting for bugs and potential vulnerabilities is not the right approach for a mature SOC either. The HPE report found that some organizations have large volumes of data that they will sift through, hunting for Indicators of Compromise (IOCs).

“Hunting is valuable and important, but it’s not enough,” Shriner said. “You have to also be doing real-time monitoring.”

Shriner emphasized that real-time monitoring will not detect all threats either, which is why HPE recommends that mature SOCs use both hunting and monitoring techniques to detect potential threats.

HPE also is recommending that organizations transition from IT metrics for SOCs to more business-related metrics. For example, IT metrics could typically include the number of objects blocked by firewalls and the number of virus detections.

“Those metrics look nice on a chart, but they are effectively meaningless when it comes to managing business risk,” Shriner said. “We’re working to implement business metrics that capture the number of actual detections for specific attacks against parts of the business.”

For example, a business metric that can be useful is tracking the number of potentially unauthorized actions from employees.

There is also a growing intersection between the DevOps model and security, though it’s not yet something that is fully reflected in the SOMM score. Shriner said that HPE has a separate security DevOps consulting team, which he leads.

“SOC today is all about the people, processes and technology components related to a cyber-defence initiative,” Shriner said. “Security DevOps fits into application security, which is typically a whole other area today.”

If, for example, an application scanning technology finds a vulnerability, Shriner would like to see some form of co-ordination through a SOC. That said, Shriner said security analysts working in a SOC often have a network security background and don’t tend to be application specialists. He added that HPE has seen some anecdotal evidence that organizations are working to tie their SOC and application security groups together to help limit risks.

“Many breaches happen at the application layer, yet security spending has not been at the application layer, but that’s starting to change,” Shriner said. “We see business leaders asking how they can tie security together in a co-ordinated effort.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Nearly a Third of Users Fall for Phishing
https://www.eweek.com/blogs/security-watch/nearly-a-third-of-users-fall-for-phishing/
Thu, 18 Aug 2016 00:20:00 +0000

A month ago, Duo Security publicly released its free Duo Insight tool, enabling organizations to test responses to phishing attacks. The results of the first six weeks of user testing are now in, and the numbers are not inspiring.

From July 12 to Aug. 5, approximately 400 organizations made use of the Duo Insight tool. In that time period, 11,542 employees were exposed to a phishing attack test to see what the response would be and how many would actually open and click on a potentially malicious link.

Nearly a third (31 percent) of tested users ended up clicking on a link that was inside the Duo Insight phishing email test; 17 percent of tested users clicked the link and also entered their username and password information. When Duo Insight was first made public, the company had already done an initial set of 100 tests, in which 27 percent clicked on the link and then 17 percent (same as the new study) actually entered their information.

“We weren’t surprised that the numbers were static,” Jordan Wright, R&D engineer at Duo Security, told eWEEK.

Wright added that he thought the initial test group of 100 users and the larger public test group of 11,542 users were pretty similar, and as such, it’s reasonable to expect similar results.

“The main thing to take away from this is that even if only 17 percent provided their username and password, 31 percent clicked the link, which in itself can lead to a breach through an outdated endpoint,” Wright said.

Duo Security found that, on average, 68 percent of end-users were running with out-of-date operating systems and 62 percent had outdated web browsers. Wright noted that the out-of-date figures for operating systems and browsers are shocking, though they are in line with what Duo Security observed in its 2016 Trusted Access Report.

“We keep coming back to the same tried-and-true advice, which is to patch often and make sure the devices accessing your network are secure enough that you’re comfortable with them accessing your data and business applications,” Wright said.

The overall goal of the Duo Insight phishing test is to help identify the problem and to serve as a training tool that teaches users what not to do. Wright commented that, at this point, it’s still too early to give hard statistics on trends per user and whether behavior changes over time.

“We hope that organizations will use Duo Insight to run campaigns at regular intervals and use them to train and educate their users on how to spot phishing campaigns so that they don’t click links or offer up user credentials when they get a real-life phishing email from a malicious attacker,” Wright said.

The Duo Insight tool itself is improving over time, with new phishing templates added since the initial launch. Duo Security has also worked to make the experience more streamlined for users, Wright said.

“No one else is really offering a free tool like this yet, so a lot of the future for Duo Insight will be reliant on how it’s received,” Wright said. “Hopefully, more easy-to-use tools will be available to help administrators who have very little time and no budget to do these types of risk assessments.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Fedora Linux Account System Patched for Serious Flaw
https://www.eweek.com/blogs/security-watch/fedora-linux-account-system-patched-for-serious-flaw/
Tue, 09 Aug 2016 18:10:00 +0000

The post Fedora Linux Account System Patched for Serious Flaw appeared first on eWEEK.

Fedora Linux and Red Hat are investigating the potential impact of a major vulnerability that was first disclosed Aug. 8. The Fedora Account System (FAS), which provides user information management for Fedora, had a vulnerability identified as CVE-2016-1000038, which could have enabled an unauthorized user to make changes to the system. Fedora is Red Hat’s community Linux effort.

“This flaw would allow a specifically formatted HTTP request to be authenticated as any requested user,” Paul Frields, engineering manager at Red Hat, wrote in a mailing list message. “If the authenticated user had appropriate privileges, the attacker would then be able to add, edit, or remove user or group information.”

The vulnerability has already been patched in the production version of FAS, Frields said, adding that the infrastructure team is in the process of investigating the issue to see if the vulnerability was ever exploited.

That said, the early indication is that the flaw was not exploited and no Fedora accounts or information were altered because of it.

Going a step further, Frields wrote that at this point the Fedora project team is confident that package content in the Fedora product is not affected by this flaw. Typically, when there is some type of administrative account vulnerability, there is a need to reset user passwords, but that’s not happening at this point for any FAS users.

This isn’t the first time the Fedora Linux project has had a security issue with its infrastructure. Back in 2008, both Fedora and Red Hat Enterprise Linux suffered a breach in the back-end infrastructure. That breach resulted in a systems outage for Red Hat and Fedora infrastructure that lasted three weeks while the investigation and cleanup were ongoing. Despite that breach in 2008, the Fedora 10 release of that same year still came out roughly on schedule.

More recently, multiple Linux vendors in 2016 have reacted promptly to security vulnerabilities that have been reported. In February, there was a breach of the Linux Mint distribution and its user forums. In July, 2 million usernames and emails of Ubuntu Linux users were exposed after a breach resulting from unpatched forum software.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Pokémon Go Privacy Issues Bring to Light Challenge of Permissions
https://www.eweek.com/blogs/security-watch/pokemon-go-privacy-issues-bring-to-light-challenge-of-permissions/
Tue, 12 Jul 2016 19:23:00 +0000

The post Pokémon Go Privacy Issues Bring to Light Challenge of Permissions appeared first on eWEEK.

Just days after its debut, Pokémon Go is already one of the most popular apps in the world. However, one thing that people noticed early on with the iOS version of Pokémon Go was that when using a Google account to authenticate, the app required permissions that were somewhat intrusive.

At first glance, it appeared as though the Pokémon Go app asked for permissions to get full access to a user’s Google account, which could have enabled the app vendor to send and read the user’s email as well as see all of the user’s contact information. It’s a situation that Niantic, the lead developer of Pokémon Go, has admitted to and is now fixing.

“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account,” Niantic stated. “However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.”

Niantic now has a client-side fix in place to adjust the permissions request so as not to get access to more data than is needed. The company emphasized that Pokémon Go didn’t actually get more information than what was needed.

Niantic’s quick response to this issue is admirable, and it seems clear to me that this was just an oversight with no intention to violate user privacy. The whole permissions system that is used to connect to Google accounts to validate a user is, however, somewhat problematic. The authentication for Google accounts is granted by way of the OAuth protocol, which is commonly used across the modern Internet.

Security researcher Dan Guido took a look at how OAuth was implemented in Pokémon Go and found it to be somewhat lacking.

“The OAuth login flow fails to adequately describe what permissions are being requested and silently re-enables them after they’ve been revoked,” Guido wrote in a blog post. “Further, the available documentation fails to adequately describe what the token permissions mean to anyone trying to investigate them.”

Pokémon Go, of course, isn’t the only mobile app that makes use of Google accounts or OAuth to authenticate. I’ve had more than my share of concerns about many different applications, mobile and desktop, that implement OAuth in a way that appears to be risky to personal privacy. For example, there are lots of different chat room-type clients that first require an OAuth authorization using the user’s password, and sometimes those apps ask for more permissions than are needed.

As Guido points out, with Google, it’s a good idea to check what apps you’ve granted permission to with the Google Security Checkup. It’s also a good idea to make use of two-factor authentication.

Google isn’t the only OAuth provider that sometimes may be providing too much access. Facebook and Twitter can as well, so be sure to check out the applications you have authorized for those platforms too.

Whether you like Pokémon Go or not, one thing here is for sure: It has now raised the issue of app permissions to a new level.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
