May 15, 2019.
By the CyberWire staff
Another set of speculative-execution flaws in the family of Spectre and Meltdown has been found in Intel chips. As VentureBeat explains, the four vulnerabilities (which Intel groups as "Microarchitectural Data Sampling," or MDS, and which others have branded "ZombieLoad") enable side-channel attacks that leak data from the processor's internal buffers (store buffers, fill buffers, and load ports) to other code running on the same core. Researchers at the Vrije Universiteit Amsterdam identified the three Rogue In-Flight Data Load (RIDL) issues. The remaining MDS problem, "Fallout," was discovered by an international team drawn from the University of Michigan, Worcester Polytechnic Institute, Graz University of Technology, KU Leuven, the University of Adelaide, and Data61.
Siemens, Apple, Adobe, and Microsoft all patched yesterday. Apple's patches addressed, among other things, the ZombieLoad side-channel vulnerability in the Intel chips its products use. Cupertino wasn't alone in working on ZombieLoad. As TechCrunch reports, Amazon, Google, Mozilla, and Microsoft also took on the speculative-execution flaw. Intel itself has released microcode updates and mitigation guidance for the vulnerability. Two halves are needed: a CPU microcode update and an operating-system update that uses it to clear the affected buffers; either alone leaves the hole open. The fixes are not free, either. The buffer-clearing mitigation costs some performance on its own, and full protection on affected parts requires disabling hyper-threading, which is where the twenty-to-forty-percent slowdown figures being quoted come from.
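A practitioner's first question after reading the above is whether a given Linux host is actually covered. The kernel reports this in sysfs, and the answer has the two-part shape described: the buffer-clearing mitigation can be active while sibling hyper-threads remain exposed. The following is an added example, not code from the CyberWire briefing, Intel, or the kernel project. It assumes a Linux kernel new enough to expose /sys/devices/system/cpu/vulnerabilities/mds; the status strings it recognises are the ones documented in the kernel's admin guide for that file.

```python
"""Interpret the Linux kernel's MDS (ZombieLoad / RIDL / Fallout) status report.

Added example (not from the briefing, Intel, or the kernel). Assumes a kernel
that exposes /sys/devices/system/cpu/vulnerabilities/mds. The verdict that
matters operationally: "Mitigation" alone is not "fully mitigated" while SMT
siblings can still leak, which is the hyper-threading caveat behind the
performance cost discussed above.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

MDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/mds")


@dataclass(frozen=True)
class MdsStatus:
    raw: str
    affected: bool          # CPU is on the affected list at all
    buffers_cleared: bool   # OS + microcode buffer clearing is active
    smt: str                # "disabled", "vulnerable", "mitigated", "unknown", or "n/a"

    @property
    def fully_mitigated(self) -> bool:
        # Buffer clearing does not protect against a sibling thread on the same core,
        # so SMT must be disabled (or reported mitigated) for a clean verdict.
        return (not self.affected) or (
            self.buffers_cleared and self.smt in ("disabled", "mitigated")
        )


def parse_mds_status(text: str) -> MdsStatus:
    """Parse one line as written by the kernel to the mds sysfs file."""
    line = text.strip()
    if line == "Not affected":
        return MdsStatus(line, False, False, "n/a")
    if line.startswith("Vulnerable"):
        # Either bare "Vulnerable" or the patched-OS-but-no-microcode case:
        # "Vulnerable: Clear CPU buffers attempted, no microcode"
        return MdsStatus(line, True, False, "unknown")
    if line.startswith("Mitigation: Clear CPU buffers"):
        smt = "unknown"
        if ";" in line:
            # Suffixes seen in practice: "SMT disabled", "SMT vulnerable",
            # "SMT mitigated", "SMT Host state unknown" (inside a guest).
            smt_part = line.split(";", 1)[1].strip().lower()
            for state in ("disabled", "vulnerable", "mitigated"):
                if smt_part == f"smt {state}":
                    smt = state
                    break
        return MdsStatus(line, True, True, smt)
    raise ValueError(f"unrecognised MDS status line: {line!r}")


def read_mds_status(path: Path = MDS_SYSFS) -> Optional[MdsStatus]:
    """Return the parsed status, or None when the kernel does not report it
    (a kernel predating the MDS disclosure, or a non-x86 machine)."""
    try:
        return parse_mds_status(path.read_text())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    status = read_mds_status()
    if status is None:
        print("kernel does not report MDS status; update the kernel before trusting this host")
    else:
        print(status.raw)
        print("fully mitigated" if status.fully_mitigated else "NOT fully mitigated")
```

The absence of the file is treated as its own finding rather than as "not affected": a kernel that predates the disclosure cannot have the mitigation, so silence here means the host needs a kernel update before any other conclusion is drawn.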
Microsoft released sixteen updates in total, resolving seventy-nine distinct vulnerabilities. One of them, CVE-2019-0708 in Remote Desktop Services, is a pre-authentication remote code execution bug that requires no user interaction and so could be exploited by a WannaCry-like worm; Redmond drew particular attention to it. It was judged serious enough that Microsoft patched beyond end-of-life software, including Windows XP and Windows Server 2003. Although no longer supported, both remain in wide use. Where patching lags, Microsoft's own advice is to require Network Level Authentication for RDP, which forces authentication before the vulnerable code path is reached, and to keep TCP port 3389 off the internet.
Siemens addressed issues in its industrial control systems, and Adobe fixed problems with several products, including Acrobat and Reader.
Endpoint protection shop CrowdStrike has filed for its long-expected initial public offering. The company's S-1 reached the Securities and Exchange Commission yesterday.
Today's issue includes events affecting Australia, Belgium, China, Denmark, Estonia, European Union, Finland, France, Iceland, Iran, Japan, Latvia, Lithuania, Netherlands, Norway, Russia, Sweden, United Kingdom, United States.
Bring your own context.
May we offer a grim story? Why, in the old days when armies executed spies and serious defaulters by shooting, did relatively civilized armies use a firing squad and not an officer with a pistol? An ordnance sergeant would load the squad's rifles, one of them with a blank cartridge. The troops wouldn't know who had the blank, and could thus console an uneasy conscience with the chance their rifle had no bullet. Differential privacy is a little like that: consolation with the small chance of lying to a pollster or census-taker. Consider a typical question.
"For example, have you ever used drugs? And so people might not want to give the true answer, especially if that answer is yes. So what you can do, essentially, is have the person flip a coin or flip a couple of coins privately so even the person asking the question doesn't see what the result is, and then to basically give an incorrect answer, so to lie with some small probability.
"So let's just say that, you know, 10% of the time, you'll be told to lie, and 90% of the time, you'll be told to tell the truth. So the point is that now, when somebody asks me - right? - have you used drugs, even if I answer yes, it's not clear whether the true answer is yes or whether the true answer is no and I'm just lying because I'm in the 10% of the time when I'm supposed to lie.
"And so therefore, it gives you a sort of plausible deniability. You can prove it actually gives you some formal notion of privacy. But nevertheless, it turns out that because you're only lying with a small probability, the researchers can still use the answers to those questions to do statistical analysis over the result."
—The University of Maryland's Jonathan Katz, on the CyberWire Daily Podcast, 5.13.19.
Still, on the record, honesty remains the best policy. (You can also just tell a snoopy researcher to take a hike.)
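The mechanism Katz describes is randomized response, and the two things he asserts about it (that the analyst can still recover the population statistic, and that it carries a formal privacy guarantee) are both short computations. The following is an added example, not code from the CyberWire piece or from Katz. It assumes a symmetric design in which a "lie" inverts the true answer whichever way it points, and uses the 10% lying rate from the quoted explanation; the population it simulates is constructed for the demonstration.

```python
"""Randomized response: lie with a known small probability, then undo the noise.

Added example (not from the CyberWire briefing or from Katz). Assumes the
symmetric design: a respondent told to lie gives the opposite of the truth.
LIE_PROB is the 10% figure from the quoted explanation.
"""
import math
import random
from typing import Iterable

LIE_PROB = 0.10  # fraction of respondents whose private coin tells them to lie


def respond(truth: bool, rng: random.Random, lie_prob: float = LIE_PROB) -> bool:
    """One respondent's answer. Only the respondent sees the coin."""
    return (not truth) if rng.random() < lie_prob else truth


def estimate_true_rate(responses: Iterable[bool], lie_prob: float = LIE_PROB) -> float:
    """Invert the noise. With q = lie_prob and p the true 'yes' rate, the
    observed 'yes' rate is
        obs = p * (1 - q) + (1 - p) * q
    so  p   = (obs - q) / (1 - 2q).
    On small samples the estimate can land just outside [0, 1]; clamp it."""
    responses = list(responses)
    if not responses:
        raise ValueError("no responses")
    if not 0 <= lie_prob < 0.5:
        raise ValueError("lie probability must be in [0, 0.5): at 0.5 answers carry no signal")
    obs = sum(responses) / len(responses)
    p = (obs - lie_prob) / (1 - 2 * lie_prob)
    return min(1.0, max(0.0, p))


def epsilon(lie_prob: float = LIE_PROB) -> float:
    """The 'formal notion of privacy' Katz alludes to. Randomized response is
    epsilon-differentially private with epsilon = ln((1 - q) / q): for q = 0.10
    that is ln 9 (about 2.20), i.e. a recorded 'yes' is at most 9x more likely
    to come from a true yes than from a true no. That ratio is the plausible
    deniability, stated as a number."""
    return math.log((1 - lie_prob) / lie_prob)


def simulate(true_rate: float, n: int, seed: int = 1, lie_prob: float = LIE_PROB) -> float:
    """Constructed population: a fraction true_rate honestly would answer 'yes'.
    Returns the analyst's estimate recovered from the noisy answers alone."""
    rng = random.Random(seed)
    truths = [i < int(true_rate * n) for i in range(n)]
    noisy = [respond(t, rng, lie_prob) for t in truths]
    return estimate_true_rate(noisy, lie_prob)


if __name__ == "__main__":
    print(f"epsilon at q={LIE_PROB}: {epsilon():.3f}")
    print(f"true rate 0.25, estimate from 20000 noisy answers: {simulate(0.25, 20000):.3f}")
```

The trade-off is visible in the two formulas: a smaller lying probability gives a tighter estimate (the divisor 1 - 2q approaches 1) but a larger epsilon, so each individual's answer says more about them. At q = 0.5 every answer is a coin flip, privacy is perfect, and the divisor is zero: nothing can be learned.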
Uniting Women in Cyber (Arlington, VA, United States, May 17, 2019) Join us as we celebrate the women in today’s cybersecurity ecosystem at the Uniting Women in Cyber Symposium on May 17, 2019! This full-day event features dynamic women speakers discussing the future of tech, cybersecurity and business. Network among 300–400 business and technical professionals and attend our awards reception recognizing women in tech and business.
DreamPort Event: Tech Talk Series: How DevOps and Automation Can Accelerate Warfighting Readiness (Columbia, Maryland, United States, June 19, 2019) Come hear NetApp's own DevOps journey and lessons learned and see how NetApp has equipped large enterprises to change fast and manage risk, with its deep integration with DevOps tools. In this interactive demonstration and discussion, NetApp will guide conversation towards a DevSecOps vision that can be realized immediately with capabilities that are available today to Defense Department developers.
DreamPort Event: RPE-006: The Defense at Pemberton Mill (Columbia, Maryland, United States, June 21, 2019) DreamPort, in conjunction with the Maryland Innovation & Security Institute and USCYBERCOM, is hosting RPE-006: The Defense at Pemberton Mill. For this event, we'll be looking for solutions that monitor a fictitious network for vulnerabilities and detect attacks in progress. We want participants to bring solutions for monitoring both information technology (IT) and operational technology (OT) networks, both live (with network taps) and offline (PCAP). This event is June 21.
Wicked6 Cyber Games (Las Vegas, Nevada, United States, August 6, 2019) Wicked6 is a fundraiser and cybersecurity exhibition in a thrilling esports arena in Las Vegas on August 8, 2019. It’s a week when cybersecurity leaders from around the world come to Las Vegas, and all are welcome to come by to experience this exciting and unique cyber competition as a player, sponsor, or avid fan. Wicked6 will raise funds for the Women’s Society of Cyberjutsu, a national 501(c)(3) nonprofit that promotes training, mentoring and more to advance women and girls in cybersecurity careers.
Reaver: Mapping Connections Between Disparate Chinese APT Groups (Threat Vector) New research links an attack featured in a front-page New York Times story about the theft of sensitive European Union diplomatic cables by an alleged Chinese APT to a whole host of additional attacks on internal Chinese political targets thought to have been carried out by different Chinese APT groups.
Critical Update: Windows Remote Desktop Services Vulnerability (Zscaler) Zscaler security research team found a critical vulnerability in Microsoft Windows Remote Desktop Services. Zscaler Cloud Sandbox provides proactive coverage against worm payloads and advanced threats like ransomware, and our team is actively monitoring for in-the-wild exploit attempts to ensure coverage.
Boost Notification (Boost Mobile) Dear Valued Customer: Boost Mobile is writing to inform you of a recent security incident. We take this matter, and all matters involving customer privacy, very seriously.
Siemens S7-400 CPUs (Update A) (ICS-CERT) 1. EXECUTIVE SUMMARY. CVSS v3 8.2. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Siemens. Equipment: S7-400 CPUs. Vulnerabilities: Improper Input Validation. 2. UPDATE INFORMATION. This updated advisory is a follow-up to the original advisory titled ICSA-18-317-02 Siemens S7-400 CPUs that was published November 13, 2018, on the NCCIC/ICS-CERT website.
WIBU SYSTEMS AG WibuKey Digital Rights Management (Update D) (ICS-CERT) 1. EXECUTIVE SUMMARY. CVSS v3 10.0. ATTENTION: Exploitable remotely/low skill level to exploit/public exploits available. Vendor: WIBU-SYSTEMS AG. Equipment: WibuKey Digital Rights Management (DRM). Vulnerabilities: Information Exposure, Out-of-bounds Write, Heap-based Buffer Overflow. 2.
Siemens LOGO!8 BM (ICS-CERT) 1. EXECUTIVE SUMMARY. CVSS v3 9.4. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Siemens. Equipment: LOGO!8 BM. Vulnerabilities: Missing Authentication for Critical Function, Improper Handling of Extra Values, Plaintext Storage of a Password. 2.
Siemens SIMATIC WinCC and SIMATIC PCS 7 (ICS-CERT) 1. EXECUTIVE SUMMARY. CVSS v3 9.8. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Siemens. Equipment: SIMATIC WinCC and SIMATIC PCS 7. Vulnerability: Missing Authentication for Critical Function. 2. RISK EVALUATION. Successful exploitation of this vulnerability could allow an unauthenticated attacker with access to the affected devices to execute arbitrary code.
Omron Network Configurator for DeviceNet (ICS-CERT) 1. EXECUTIVE SUMMARY. CVSS v3 7.3. ATTENTION: Low skill level to exploit. Vendor: Omron. Equipment: Network Configurator for DeviceNet. Vulnerability: Untrusted Search Path. 2. RISK EVALUATION. Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution under the privileges of the application.
Siemens LOGO! Soft Comfort (ICS-CERT) 1. EXECUTIVE SUMMARY. CVSS v3 7.8. ATTENTION: Low skill level to exploit. Vendor: Siemens. Equipment: LOGO! Soft Comfort. Vulnerability: Deserialization of Untrusted Data. 2. RISK EVALUATION. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code if the attacker tricks a legitimate user into opening a manipulated project.
Microsoft Patches ‘Wormable’ Flaw in Windows XP, 7 and Windows 2003 (KrebsOnSecurity) Microsoft today is taking the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003, citing the discovery of a “wormable” flaw that the company says could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017.
Prevent a worm by updating Remote Desktop Services (CVE-2019-0708) (MSRC) Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from...
Apple Patches 21 Vulnerabilities in WebKit (SecurityWeek) Security updates Apple released for iOS, macOS, Safari, tvOS and watchOS include patches for 21 vulnerabilities that affect the open source web browser engine WebKit.
6 Biggest Cybersecurity Risks to Utilities (ABI Research) This evolution to “smart infrastructure” represents a positive paradigm shift for the utilities industry. However, the security policies of many utilities have not evolved along with it, leaving them incredibly vulnerable.
Who is NSO, the company tied to the WhatsApp security breach? (CNN) WhatsApp has just pushed a significant update to its 1.5 billion users. That's because the messaging service has discovered a security flaw that enabled attackers to remotely install spyware, possibly without the target of the surveillance even being aware of it.
Telxius enhances its Security service with Radware (Yahoo) Telxius, Telefónica Group’s infrastructure company, announced today that it relies on Radware to ensure the protection of its international network from increasingly complex cyberattacks and provide DDoS mitigation services to its customers, helping them mitigate attacks in seconds, compared to hours
Cybersecurity experts fear fallout from Apple case (TheHill) Cybersecurity experts are worried about the fallout from a Supreme Court ruling allowing customers to sue Apple over the prices in its App Store, claiming it could eventually lead to more unsecured apps being sold to consumers.
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
Gartner Security & Risk Management Summit 2019 (National Harbor, Maryland, USA, June 17 - 20, 2019) Make sure you have the latest insights on fast-moving IT trends such as IoT and AI, evolving security technologies and the ever-changing threat landscape. At Gartner Security & Risk Management Summit 2019,...
2020 OurCrowd Global Investor Summit (Jerusalem, Israel, February 11 - 13, 2020) We’re expanding the Summit to three days! Invite-only events will take place February 11-12, with Summit Day on February 13. Summit Week will be packed as ever, with corporate meet ups, VC forums, insider...
Cybertech Midwest 2019 (Indianapolis, Indiana, USA, April 24 - July 25, 2019) Cybertech is the cyber industry’s foremost B2B networking platform featuring cutting-edge content by top executives, government officials, and leading decision-makers from the world of cyber. Our Cybertech...
Transport Security Congress (Washington, DC, USA, May 14 - 15, 2019) The Transport Security Congress brings together business and security leaders from all sectors of passenger and goods transportation to discuss solutions to the evolving security and safety risk landscape.
TechNet Cyber (Baltimore, Maryland, USA, May 14 - 16, 2019) TechNet Cyber 2019, formerly the Defensive Cyber Operations Symposium, will be the staging area for military, industry and academia to discuss and plan how to achieve persistent engagement, persistent...
Houston CyberSecurity Conference (Houston, Texas, USA, May 15, 2019) Join us to interact with CISOs & Senior Level Executives who have effectively mitigated the risk of Cyber Attacks. The keynote at Houston will be delivered by Damian Taylor, CISO Landry’s Inc, on "Hiding...
CYBERSEC Brussels Leaders' Foresight 2019 (Brussels, Belgium, May 15 - 16, 2019) The aim of the CYBERSEC Brussels Leaders' Foresight 2019 is to give proactive guidance on how to lead, encourage evidence-based decision-making, and develop cybersecurity policy statecraft in the EU and...