WebProNews

Category: SecurityProNews


  • SolarWinds Hack Was Supply Chain Attack, Says Datadog CEO



    Datadog CEO Olivier Pomel discusses how the SolarWinds hack signals an increased focus by hackers to target software earlier in its development:

    The SolarWinds hack was definitely a very big one. It’s not especially surprising to see new important hacks like this one, but it was definitely a very impactful one. What it makes very clear is that there’s going to be even more of an arms race when it comes to security. It’s not surprising companies are transforming. More and more of their activity is happening online, and it’s happening in software. So there’s much more that can be done by attacking that software.

    What we do is we gather as many signals as possible across observability and monitoring. This is where we come from, and across security. What’s interesting here about the SolarWinds hack, in particular, is that it’s what’s called a supply chain attack. This means the attack was made on the code that was shipped to the SolarWinds customer. Then there is this new notion in security called shifting left. By left, it means closer to the developer and earlier in the development process.

    There’s something really interesting there when it relates to us (Datadog) in how we can solve the problem for our customers by bringing security earlier into the development process and tied in more to the operations and the development of the application. That’s definitely something that we’re investing in and something that we think is going to be a big area of investment for customers in the future.

  • iPhone and iPad Users Should Run Software Update Immediately


    iPhone and iPad users should run Software Update immediately and install the latest operating system (OS) version, according to Apple.

    Apple released iOS and iPadOS 14.4 on Tuesday, and the update addressed security issues that may have been actively exploited. The release notes don’t go into detail about the specifics of the security issues, saying that “Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.”

    Apple does say the OS update addresses an issue with the kernel, as well as one with WebKit. In the case of the kernel fix, Apple says “a malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.”

    Similarly, in regard to the WebKit issue, Apple says “a remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”

    As a result, all iPhone and iPad users should update to version 14.4 immediately.

  • Mozilla Expands VPN to Mac and Linux – Testing Included


    Mozilla has been looking to expand its services and products beyond its Firefox web browser in an effort to diversify its profits. One of those endeavors is its VPN service that started life as a Firefox extension, before transitioning to a closed beta and then a publicly available service.

    The initial releases, however, only supported Windows, Android and iOS. The company has now expanded its support to include macOS and Linux, rounding out support for every major platform.

    Mozilla VPN currently offers service in the US, the UK, Canada, New Zealand, Singapore and Malaysia. This makes its footprint far narrower than that of competing services, such as ExpressVPN, although Mozilla says more countries will be added.

    Mozilla promises it doesn’t log network activity and doesn’t restrict bandwidth. Like many of its competitors, Mozilla VPN can be run on five different devices from a single account.

    The company has claimed that its service is faster than rivals because it uses less code. In our testing, however, those claims seem highly subjective, based on the selected VPN server.

    For example, starting with an internet connection that averages 35 to 40 Mbps, we connected to Mozilla VPN using the three closest available locations. Two of the locations yielded speeds ranging from 0.37 to 0.44 Mbps. The third location, Chicago, yielded speeds of 32 and 33 Mbps.

    Mozilla VPN Speed Tests

    While not comprehensive, our brief testing shows Mozilla still has some work to do before it rivals ExpressVPN, widely considered the fastest service available.

    Nonetheless, with Mozilla’s well-established reputation for protecting user privacy, their entry into the market is a welcome one.

  • FBI Warns of Increased Voice Phishing Attacks Over VoIP


    The FBI is warning that cyber criminals are taking advantage of VoIP systems to target company employees in sophisticated voice phishing attacks.

    As the pandemic has forced unprecedented numbers of employees to work remotely, maintaining the same level of corporate security has become an issue. Cyber criminals are taking advantage of this by gaining access to VoIP systems and company chatrooms and then convincing employees to log into a fake VPN in an effort to steal their credentials.

    The FBI issued an advisory to warn companies and help them mitigate the threat.

    As of December 2019, cyber criminals collaborated to target both US-based and international-based employees at large companies using social engineering techniques. The cyber criminals vished these employees through the use of VoIP platforms. Vishing attacks are voice phishing, which occurs during a phone call to users of VoIP platforms. During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee’s username and password. After gaining access to the network, many cyber criminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network, often causing significant financial damage.

    In one instance, the cyber criminals found an employee via the company’s chatroom, and convinced the individual to log into the fake VPN page operated by the cyber criminals. The actors used these credentials to log into the company’s VPN and performed reconnaissance to locate someone with higher privileges. The cyber criminals were looking for employees who could perform username and e-mail changes and found an employee through a cloud-based payroll service. The cyber criminals used a chatroom messaging service to contact and phish this employee’s login credentials.

    The FBI recommends multiple mitigation steps, including enabling multi-factor authentication, starting new employees with minimal security privileges, actively scanning for unauthorized access or modifications, implementing network segmentation and giving administrators two accounts, one with admin privileges and the second for other duties.

  • Google Not Impacted by SolarWinds Hack, Despite Using Its Software


    Google has announced it was not impacted by the SolarWinds hack, one of the biggest cybersecurity breaches in US history.

    Corporations and government agencies were compromised by a supply chain attack involving SolarWinds’ Orion IT software. Hackers managed to compromise Orion IT, creating a trojanized version that left organizations using it open to attack.

    Despite using SolarWinds software, Google has announced it is not one of the companies impacted. Phil Venables, CISO, Google Cloud, confirmed the information in a blog post:

    Based on what is known about the attack today, we are confident that no Google systems were affected by the SolarWinds event. We make very limited use of the affected software and services, and our approach to mitigating supply chain security risks meant that any incidental use was limited and contained. These controls were bolstered by sophisticated monitoring of our networks and systems.

    This is good news for Google, as well as its cloud customers.

  • Elon Musk: Use Signal


    Secure messaging app Signal has received a boost from one of the titans of tech, as Elon Musk tells his Twitter followers to “use Signal.”

    Signal exists in the same space as WhatsApp and Telegram. The app provides end-to-end encrypted chat and voice calls, and is widely considered one of the most secure communication methods on the planet. In fact, the EU commission, US Senate and some military units all recommend their members use it.

    While WhatsApp may be more popular, there have been growing concerns regarding its security and privacy. Most recently, WhatsApp announced a change to its privacy policies, wherein it will share significant user data with Facebook and other Facebook companies. Needless to say, this has not gone over well with users who value privacy and security.

    Elon Musk is the latest to come out in favor of WhatsApp’s more secure alternative.

    Facebook has shown a repeated lack of interest or ability in protecting people’s privacy. Using WhatsApp for secure communication is the equivalent of having the fox guard the henhouse.

    For any individuals concerned with privacy and security, Musk is right: Use Signal.

  • FBI Investigating If JetBrains Was Compromised by SolarWinds Hackers


    The FBI is trying to determine if JetBrains was compromised as part of the SolarWinds attack.

    The SolarWinds attack was one of the largest, most damaging hacks against US government and corporate entities. Some experts have said it will take months, or even years, to understand the extent of the damage.

    What made the SolarWinds attack so successful was that it was a supply chain attack. Rather than trying a brute force attack, or tricking organizations into installing suspect software, hackers compromised SolarWinds’ Orion IT monitoring and management software. Since this legitimate software is in use by countless organizations, by compromising it and installing a trojan directly in it, hackers were able to hack organizations using Orion IT.

    The FBI is now concerned a second application may have been compromised in a similar manner, according to Reuters. JetBrains makes a project management application called TeamCity. Like Orion IT, TeamCity is used by companies around the world, making it extremely important to determine whether it was compromised as well.

    “We are not aware of any investigation nor have we been contacted by any agencies,” a JetBrains spokesman said. “We are not aware of any vulnerabilities in the product or breaches that would allow for this, nor that any of our customers were affected.”

  • iboss Raises $145 Million to Aid Remote Work Security


    Cybersecurity firm iboss has raised an additional $145 million as the company continues to focus on cloud-based security.

    With an unprecedented number of employees working from home, companies have been forced to rethink security. With on-premises security, hardware plays a critical role in keeping corporate networks and resources secure. In contrast, remote work relies more heavily on software-based security.

    Iboss is a cybersecurity firm specializing in cloud-based security. The company recently won “a coveted Platinum 2020 ‘ASTORS’ Homeland Security Award from American Security Today for Best Network Security Solution.” The company has now raised an additional $145 million in funding as it looks to eventually have an IPO.

    “COVID-19 has exposed massive vulnerabilities with outdated, hardware-based cybersecurity solutions and accelerated the timeline of moving away from the old method of securing physical office perimeters,” said iboss CEO Paul Martini. “Implementing modern architecture that provides network security in the cloud is the best way to ensure safety and productivity, even as remote workers rely more and more on fast connections for things like video meetings and online productivity apps.”

    Iboss’ funding round is further evidence of how important cybersecurity has become, especially with the rise of remote work.

  • FBI Warns of Cyberattacks Against Online Learning


    The FBI is warning that hackers are increasingly targeting online learning as students get back to class after the holidays.

    While the success of remote work and distance learning has exceeded many people’s expectations, it has also provided new opportunities for hackers and bad actors. Companies have had to take measures to ensure employees can connect remotely, and schools have worked to protect their classes from Zoom-bombing and other hacks.

    Even so, the FBI is warning that hackers are increasing their attacks.

    “It’s of greater concern now when it comes to K-12 education, because so many more people are plugged into the technology with schooling because of the distance learning situation,” FBI Cyber Section Chief Dave Ring told ABC News. “So things like distributed denial of service attacks, even ransomware and of course, domain spoofing, because parents are interacting so much more with the schools online.”

    While Zoom-bombing may be one type of attack, ransomware is another common, more dangerous attack. According to the FBI, there has been a nearly 30% increase in ransomware attacks against schools.

    “The broader the move to distance learning, I think the more attacks you’re going to see, just simply because there are more opportunities for it and it’s more disruptive,” Ring said. “Not everybody’s looking to make money when it comes to criminal motivations for these attacks. A lot of them are looking to steal information. They’re looking to use that for financial gain. They’re looking to collect ransoms.”

  • Exposed Credentials Leave 100,000+ Zyxel Firewalls and VPNs Vulnerable


    A researcher at Dutch security firm EYE has discovered a critical vulnerability in Zyxel’s firewall and VPN gateways, as a result of exposed credentials.

    Zyxel sells a line of popular firewall and VPN gateway devices. Niels Teusink, a researcher with EYE, discovered a major issue that leaves over 100,000 devices vulnerable.

    When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account ‘zyfwp’ with a password hash in the latest firmware version (4.60 patch 0). The plaintext password was visible in one of the binaries on the system. I was even more surprised that this account seemed to work on both the SSH and web interface.

    Teusink goes on to highlight why this vulnerability is so dangerous.

    As the zyfwp user has admin privileges, this is a serious vulnerability. An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.

    Teusink recommends updating to the latest firmware version immediately.

  • SolarWinds Hackers Gained Access to Microsoft Source Code


    Microsoft has revealed that hackers viewed some of its source code as part of the SolarWinds attack that government agencies are still investigating.

    The SolarWinds attack is one of the most devastating cyberattacks perpetrated against US companies and government agencies. Believed to be the work of Russian hackers, the attack was a supply chain attack, compromising SolarWinds’ Orion IT monitoring and management software.

    As one of the organizations impacted, Microsoft has now revealed the hackers viewed some of its source code, but did not make any modifications.

    We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.

    Microsoft is not concerned about the source code being viewed, since the company’s security protocols assume its source is being viewed by outside elements.

    At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.

    As with many companies, we plan our security with an “assume breach” philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access.

    Although Microsoft seems to be containing any damage adequately, the degree to which the attackers compromised one of the biggest tech companies in the world is further evidence of just how successful the SolarWinds attack was.

  • T-Mobile Data Breach Exposes 200,000 Customers’ Data


    T-Mobile has suffered a major data breach, impacting some 200,000 customers.

    Wireless carriers are prime cybersecurity targets, thanks to the wealth of customer data they have access to. According to T-Mobile’s disclosure, its cybersecurity team discovered unauthorized, malicious access to some of that customer information.

    Fortunately, “the data accessed did not include names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax ID, passwords, or PINs.” The hackers may have accessed “phone number, number of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your wireless service.”

    The company is working with law enforcement agencies and has begun notifying those customers affected.

    This is the third major breach T-Mobile has suffered, and the second of 2020. Especially with T-Mobile’s newfound status as the second-largest carrier, it will need to do more to keep its customers’ data safe.

  • Security Firm Corellium Wins Copyright Battle Against Apple


    A federal judge has sided with Corellium in the case Apple brought against it, ruling the company’s software met the burden of “fair use.”

    Corellium was founded in 2017 by husband and wife Amanda Gorton and Chris Wade. The company’s product allows security researchers to run “virtual” iPhones, eliminating the need to buy iPhones in order to look for bugs and security flaws in iOS.

    According to The Washington Post, Apple initially tried to purchase Corellium, before switching gears and suing the company when the acquisition talks stalled. Apple claimed the company’s software broke its copyrights and violated the Digital Millennium Copyright Act (DMCA) by circumventing Apple’s security measures.

    While the DMCA claim has not yet been thrown out, Judge Rodney Smith sided with Corellium on the copyright issue, finding the company’s software qualified as fair use. In particular, Judge Smith called Apple out for its “puzzling, if not disingenuous” claims that Corellium posed a risk. Apple has said the company’s products could open the way for attacks on actual iPhones if it fell into the wrong hands, and even went so far as to say that Corellium was selling its software indiscriminately.

    Judge Smith found that Corellium had a sufficient vetting process in place to negate those concerns. What’s more, rather than circumventing Apple’s security measures to make a competing product, Corellium’s work benefits all of Apple’s iOS customers.

    Apple works hard to cultivate an image of maintaining the moral high ground, often putting morality above basic profit. In this case, however, Apple got it wrong and Judge Smith’s ruling is a clear win for security researchers and Apple’s own customers.

  • Cellebrite Did NOT Break Signal’s Encryption


    The BBC broke a story that seemingly indicated Cellebrite had broken Signal’s encryption — only it’s not true.

    Signal is a popular messaging app, boasting some — if not the best — security and end-to-end encryption of any messaging platform on the planet. It’s so secure that some military units, the US Senate and the EU Commission all recommend their members use it. In addition to politicians and military personnel, Signal is widely used by journalists, activists, political dissidents and others for whom privacy is paramount. The app even has features, such as the ability to blur faces in photos, to help protect that privacy.

    Cellebrite, in contrast, is an Israeli company that specializes in hacking encrypted devices. The company’s products are used by the FBI and other law enforcement agencies, and have even been purchased by school districts for use on students’ phones.

    The BBC reported that Cellebrite claimed to have cracked Signal’s encryption, potentially casting doubt on the platform. In fact, the BBC’s article was entitled: “Signal: Cellebrite claimed to have ‘cracked’ chat app’s encryption.”

    Signal has written a blog post to set the record straight, calling the BBC’s headline “factually untrue.” Even the blog post Cellebrite wrote outlining their efforts, a post Signal called “embarrassing” (for Cellebrite), has been significantly altered and shortened, toning down the company’s claims from the original version (accessible via archives here).

    So what happened? Did Cellebrite break Signal’s encryption? The short answer is No.

    Cellebrite’s entire “success” depended on having physical access to an Android phone that was already unlocked with the screen on. In the realm of computer security, a simple rule is: If someone has physical access to your device, all bets are off. Once physical access is obtained, it’s usually only a matter of time before security measures are compromised to some degree or another.

    More to the point, however, Signal, like other similar apps, is designed to protect messages and communication from electronic eavesdropping — not from someone who has unfettered access to the devices the messages reside on. As Signal’s blog points out, it’s a simple matter to open up any app, take screenshots of the contents and thereby “compromise” the data on the device for which someone already has unlocked, unfettered, physical access.

    In essence, the Cellebrite Physical Analyzer does just that. It simply automates the process of accessing and recording the contents of apps on an unlocked phone. In the world of programming, this is neither complicated nor difficult.

    As a side note, if a person is concerned about that possibility, it’s easy to enable disappearing messages in Signal. This added step ensures there is nothing to recover from a device that has been physically compromised.

    As Signal’s rebuttal post points out, the entire episode is an embarrassing situation for Cellebrite, a company that so many law enforcement agencies depend on.

    It’s hard to know how a post like that got out the door or why anyone thought revealing such limited abilities was in their interest. Based on the initial reception, Cellebrite must have realized that amateur hour was not a good look, and the post was quickly taken down. They then must have realized that a 404 error isn’t any better, and replaced that again with a vague summary.

    It’s also hard to know how such an embarrassing turn of events became anything other than a disaster for Cellebrite, but several news outlets, including the BBC, published articles about Cellebrite’s “success,” despite the existence of clarifying information already available online.

    The takeaway is that Cellebrite essentially accomplished nothing with their so-called “success.” They did not break Signal’s encryption and they did not compromise the messaging platform. Cellebrite’s entire “success” was no more of an accomplishment than being handed an unlocked phone, perusing it and taking screenshots of the contents.

    John Scott-Railton, a senior researcher at internet watchdog Citizen Lab, out of the University of Toronto, agreed with Signal.

    https://twitter.com/jsrailton/status/1341421365371559938?s=21

    The evidence is clear: Signal remains one of — if not THE — most secure messaging platforms on the planet.

  • NSA Warning of On-Premise to Cloud Attacks


    The National Security Agency is warning of attacks that target the local network and ultimately compromise organizations’ cloud resources.

    As companies migrate to the cloud, improved security is one of the top selling points. While that is generally true, many security processes need to be reworked to account for cloud computing. This is especially true as many cloud systems and platforms are designed to interoperate with each other.

    One security measure that has become popular is federated single sign-on (SSO). SSO is a way for an individual to use a single set of credentials to log into any number of authorized applications and services. Federated SSO advances that concept to allow a user to log into services across networks and platforms with the same trusted credentials.

    Unfortunately, hackers appear to be using federated SSOs to escalate attacks from compromised local networks to cloud resources.

    The NSA has documented two such types of attack:

    In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens (TA0006, T1552, T1552.004). Using the private keys, the actors then forge trusted authentication tokens to access cloud resources. A recent NSA Cybersecurity Advisory warned of actors exploiting a vulnerability in VMware Access® and VMware Identity Manager® that allowed them to perform this TTP and abuse federated SSO infrastructure. While that example of this TTP may have previously been attributed to nation-state actors, a wealth of actors could be leveraging this TTP for their objectives. This SAML forgery technique has been known and used by cyber actors since at least 2017.

    In a variation of the first TTP, if the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.

    In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals (identities for cloud applications that allow the applications to be invoked to access other cloud resources). The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious (T1114, T1114.002).

    The NSA’s document contains mitigation techniques and should be read immediately by all systems admins.

  • Organizations Compromised in SolarWinds Supply Chain Attack


    FireEye has uncovered a sophisticated intrusion campaign against government and corporate organizations, using a supply chain attack.

    Supply chain attacks are one of the most sophisticated types of hacks in existence. While many hacks rely on convincing a target to download malicious software, a supply chain attack involves inserting malicious code in legitimate software before it’s distributed to customers, hence attacking the software supply chain.

    The attack in question uses a compromised update to SolarWinds’ Orion IT monitoring and management software, with FireEye calling the compromised version “SUNBURST.” The trojanized version is incredibly sophisticated, using various methods to avoid detection, all the while communicating with third-party servers.

    “After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services,” writes FireEye’s team. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

    The trojan has enabled hackers to monitor email communications at the US Treasury and Commerce departments, according to Reuters. FireEye says victims have also “included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.” Since the attack is actively in progress, FireEye suspects there will be additional victims as well.

    To mitigate the attack, “SolarWinds recommends all customers immediately upgrade to Orion Platform release 2020.2.1 HF 1, which is currently available via the SolarWinds Customer Portal. In addition, SolarWinds has released additional mitigation and hardening instructions here.”

    If an organization is not able to update, FireEye has outlined additional mitigation steps that should be taken.

  • Security Firm FireEye Details Hack, State-Sponsored Attack


    Security firm FireEye is the latest victim of a cyberattack, and likely the victim of a state-sponsored attack.

    FireEye is one of the leading cybersecurity firms, providing consulting, services, software and hardware to customers. The company has been involved in detecting and fighting multiple high-profile attacks. Its history and expertise make the news it was attacked all the more concerning.

    CEO Kevin Mandia outlined the attack in a blog post:

    Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.

    Mandia says the attackers used some of the company’s Red Team tools that FireEye uses to test its customers’ security. As a result, FireEye is releasing the necessary information for customers to mitigate the threat those tools now pose.

    We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.

    FireEye is working with the FBI and Microsoft to investigate the incident. Nonetheless, the fact that the attackers are using methods the company has never seen before is not very encouraging for the cybersecurity industry.

  • Cloudflare, Apple and Fastly Create Improved, Private DNS

    Engineers from Cloudflare, Apple and Fastly have worked together to create an improved DNS protocol that protects user privacy.

    DNS is the backbone of the internet, responsible for mapping domain names (such as WebProNews.com) to the IP addresses where the site and its content reside. Unfortunately, because the internet was conceived and designed at a time when security was not a big concern, DNS queries are sent in clear text. This means it is relatively easy to intercept DNS traffic and see what site a person is trying to reach, as well as the IP address of the device they’re using.

    There have been attempts to address this security issue, including DNS over HTTPS (DoH) and DNS over TLS (DoT). Both of these upgrades, however, still rely on the ISP, or a similar company, that resolves the DNS queries. As a result, there is still a potential trust issue, as the resolving entity can still see both the queries and who sent them.

    This is where Cloudflare, Apple and Fastly’s work comes into play. The three companies have announced the creation of a new protocol: Oblivious DNS over HTTPS (ODoH). This new protocol is designed to separate the client from the DNS resolver, providing total privacy and anonymity.

    “ODoH is a revolutionary new concept designed to keep users’ privacy at the center of everything,” says Michael Glynn, Vice President, Digital Automated Innovation, PCCW Global. “Our ODoH partnership with Cloudflare positions us well in the privacy and ‘Infrastructure of the Internet’ space. As well as the enhanced security and performance of the underlying PCCW Global network, which can be accessed on-demand via Console Connect, the performance of the proxies on our network is now improved by Cloudflare’s 1.1.1.1 resolvers. This model for the first time completely decouples client proxy from the resolvers. This partnership strengthens our existing focus on privacy as the world moves to a more remote model and privacy becomes an even more critical feature.”

    ODoH is an important step forward in privacy and security, and will hopefully see fast and widespread adoption.

  • Sophos Suffers Data Exposure Incident

    Security firm Sophos has informed customers it suffered a data breach as a result of a misconfigured database.

    According to ZDNet, customers’ personal information was exposed, including names, emails and phone numbers. The company informed impacted customers via email, which ZDNet got a copy of.

    On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support.

    The company confirmed the breach to ZDNet, saying that only a “small subset” of its customers were impacted. Nonetheless, this is the second major security issue this year for Sophos, a major source of embarrassment for a company in the business of providing computer security to its customers.

    The company tried to assure customers it was doing everything it could to address the issue.

    “At Sophos, customer privacy and security are always our top priority. We are contacting all affected customers,” the company said. “Additionally, we are implementing additional measures to ensure access permission settings are continuously secure.”

  • FCC Upholds ZTE’s ‘National Security Threat’ Status

    The Federal Communications Commission has denied ZTE’s request to reconsider the decision to label it a national security threat.

    ZTE, along with Huawei, has been labeled a threat to national security over security and espionage concerns. ZTE and Huawei are believed to open the door to Beijing’s spying efforts through their telecom equipment.

    “We cannot treat Huawei and ZTE as anything less than a threat to our collective security,” FCC Commissioner Brendan Carr stated when the FCC initially labeled the two companies. As a result of the decision, companies are unable to use federal funds to buy, maintain or support equipment from ZTE or Huawei, providing a major incentive to use equipment from other companies.

    There appears to be no relief in sight for ZTE, as the FCC has upheld its initial decision after its Public Safety and Homeland Security Bureau found no sound basis to reconsider.

    “With today’s order, we are taking another important step in our ongoing efforts to protect U.S. communications networks from security risks,” said FCC Chairman Ajit Pai. “At the next Open Meeting on December 10, the Commission will vote on rules to implement the Secure and Trusted Communications Networks Reimbursement program to help carriers remove and replace untrusted equipment from their networks, months before the statutory deadline. Now it is more vital than ever that Congress appropriate funds so that our communications networks are protected from vendors that threaten our national security.”

  • AWS Network Firewall Unveiled to Help Protect VPCs

    AWS has unveiled the AWS Network Firewall in an effort to help customers protect their cloud-based virtual networks.

    AWS is currently the top cloud platform, with 31% of the cloud computing market. One of AWS’ biggest strengths is the breadth and depth of services the platform offers.

    The company is building on that with its latest announcement, AWS Network Firewall, “a high availability, managed network firewall service” for virtual private clouds (VPC). The new service complements the other firewall capabilities AWS currently provides, such as “Security Groups to protect Amazon Elastic Compute Cloud (EC2) instances, Network ACLs to protect Amazon Virtual Private Cloud (VPC) subnets, AWS Web Application Firewall (WAF) to protect web applications running on Amazon CloudFront, Application Load Balancer (ALB) or Amazon API Gateway, and AWS Shield to protect against Distributed Denial of Service (DDoS) attacks.”

    The AWS Network Firewall can be set up with just a few clicks, and the company touts its ability to scale as needed, eliminating the need to manage additional infrastructure.

    “With AWS Network Firewall, you can implement customized rules to prevent your VPCs from accessing unauthorized domains, to block thousands of known-bad IP addresses, or identify malicious activity using signature-based detection,” writes Channy Yun, a Principal Developer Advocate for AWS. “AWS Network Firewall makes firewall activity visible in real-time via CloudWatch metrics and offers increased visibility of network traffic by sending logs to S3, CloudWatch and Kinesis Firehose. Network Firewall is integrated with AWS Firewall Manager, giving customers who use AWS Organizations a single place to enable and monitor firewall activity across all your VPCs and AWS accounts. Network Firewall is interoperable with your existing security ecosystem, including AWS partners such as CrowdStrike, Palo Alto Networks, and Splunk. You can also import existing rules from community maintained Suricata rulesets.”

    The news is a welcome addition to AWS’ cybersecurity services and will help customers keep their VPCs even safer.