Until recently, researchers had to take Microsoft’s word the vulnerability was severe. Then five researchers from security firm McAfee reported last Tuesday that they were able to exploit the vulnerability and gain remote code execution without any end-user interaction. The post affirmed that CVE-2019-0708, as the vulnerability is indexed, is every bit as critical as Microsoft said it was.
Citrix confirmed that the hackers who successfully breached the company’s network stole sensitive personal information of both former and current employees and were able to access internal assets for about six months.— Sergiu Gatlan
Even somewhat unsophisticated attacks like password spraying or credential stuffing can give someone the foothold they need to access sensitive information. In this case it sounds like an HR system. What surprised me about this story was that it was the FBI that notified Citrix of the breach on March 6th.
NBC News says that the attackers were Iranian-backed and managed to make off with 6-10TB of documents.
President by Putin
Everything you do on free hotel Wi-Fi is monitored by criminals.
A Law-abiding Citizen’s Guide to Privacy
It’s time to secure Microsoft Office
This week in the office my systems have blocked 150,000 malicious Office documents. All have Office macros attached, or OLE objects. The 90s never finished as attackers learn to automate attacks using Office and old technology. If anything is a sign that the security industry needs to shift up a gear, this is it.
Kevin Beaumont has posted a fantastic (and pragmatic!) guide for best practices when working with Office documents. His guide to simple configuration management will dramatically improve your security posture by making some changes to how trustworthy Office documents are.
OLE is more popular than ever, and for all the wrong reasons.
Millions of Android devices have flawed full disk encryption
Even though modern Android devices use this security feature, Beniamini’s research found that an attacker can exploit kernel flaws and vulnerabilities in some of Qualcomm’s security measures to get that encryption key. Then, all that stands between the hacker and a device’s information is a password.
Source: Millions of Android devices have flawed full disk encryption
Seagate Phish Exposes All Employee W-2’s — Krebs on Security
Email scam artists last week tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees, KrebsOnSecurity has learned. W-2 forms contain employee Social Security numbers, salaries and other personal data, and are highly prized by thieves involved in filing phony tax refund requests with the Internal Revenue Service (IRS) and the states.
Source: Seagate Phish Exposes All Employee W-2’s — Krebs on Security
Verizon’s 2015 Data Breach Investigations Report
Verizon’s Data Breach Investigations Report (DBIR) is always a great resource — not only does it have the sort of broad overview that helps explain risk and threats, but digs into some of the metrics without taking a hairpin turn into absurdity and hand-wringing that so often dominates this part of the industry.
Whenever I’m asked to give a talk, I refer to the DBIR because the data is good, the information is digestible, and it always manages to steer me into topics that are relevant and realistic rather than lurching off into hypotheticals and Doom and Glooming.
Adobe Security Bulletin
The relevant CVEs ((Common Vulnerabilities and Exposures reference number used by researchers and vendors)) are:
And from Adobe’s release, the list of vulnerable versions is quite broad:
Affected software versions
- Adobe Flash Player 18.104.22.168 and earlier versions for Windows and Macintosh
- Adobe Flash Player 22.214.171.1246 and earlier versions for Linux
- Adobe AIR 126.96.36.1990 and earlier versions for Android
- Adobe AIR 188.8.131.520 SDK and earlier versions
- Adobe AIR 184.108.40.2060 SDK & Compiler and earlier versions
Essentially, if you didn’t download a new version of Adobe Flash today, you’re probably vulnerable.
Adobe has released security updates for Adobe Flash Player 220.127.116.11 and earlier versions for Windows and Macintosh and Adobe Flash Player 18.104.22.1686 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions.