14.12.17

It’s time to patch your Microsoft and Adobe software again against vulnerabilities



It’s the second Tuesday of the month, and you know what that means… Yep, it’s time for another bundle of essential security updates from Microsoft.
For its final scheduled batch of updates for 2017, Microsoft has released fixes for over 30 security vulnerabilities in its software, impacting users of the likes of Microsoft Windows, Microsoft Office, Exchange Server, Microsoft Edge, and the malware protection engine built into security products such as Windows Defender.
That fix for Microsoft’s malware protection engine is particularly interesting, as the security hole it patches was discovered by the National Cyber Security Centre (NCSC), part of the UK’s intelligence agency GCHQ.
Experts at NCSC discovered a way to exploit two critical remote code execution flaws in Microsoft’s anti-malware code that could potentially be exploited when it attempts to scan a boobytrapped file, allowing an attacker to compromise targeted systems.
The flaw was fixed in an out-of-band patch earlier this month, and Windows users should already have received an automatic update to the anti-malware engine itself, but the company was probably correct in being cautious, and including the fix again in this regular round-up of patches.
Among the other critical flaws patched this month is a memory corruption vulnerability in the Edge browser:
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Although details of the Edge vulnerability have not been publicly disclosed, and there have not (to date) been any sightings of attacks exploiting the vulnerability, Microsoft has assessed that the chances of it being used in attacks are “more likely” than not.
And it’s not just Microsoft customers who will be ensuring that their software is up-to-date. Flash Player users would also be sensible to update their systems, after Adobe released version 28.0.0.126 for the Windows, Macintosh, Linux and Chrome OS platforms.
In a security bulletin, Adobe detailed its latest security update, which contains a single bug fix and does not appear to be of anything more than moderate severity.
Your experience may differ, but I’ve found it quite easy in recent years to live without Adobe Flash Player on my computer. If you’re not quite ready to desert Flash entirely and uninstall it, you may want to consider enabling a browser security feature called “Click to Play.”
“Click to Play” can reduce your attack surface by telling your browser not to render potentially malicious Flash content unless it has been given the permission to run. In other words, a maliciously coded Flash file will not execute unless given the green light, rather than automatically running when you visit a poisoned webpage.
The important thing is, of course, not to turn a blind eye to security updates – whichever of your software vendors they come from. Increasingly, software can be automatically updated, reducing the window of opportunity for hackers to exploit newly-discovered flaws – although many companies still prefer to stagger the roll-out of a patch across their enterprise until they feel confident that it won’t cause more problems than it was designed to fix.

Study: agile on the rise in international trade and logistics




      Agile project management offers a clear competitive advantage and leads to superior results
      Most important success factor: an open corporate culture
      Empirical data on agile projects in international trade and logistics, however, remains scarce

Agile project management is climbing fast in international trade and logistics: 84 percent of companies believe that an agile approach provides a clear competitive advantage. Two thirds expect agile project management to eventually replace traditional project management methods in international trade and logistics. That is the conclusion of ‘Agile Future – How Agile Project Management Is Transforming Global Trade and Logistics’, a study by software house AEB and the Baden-Württemberg Cooperative State University (DHBW) in Stuttgart. For this research report, available as a free download at www.aeb.com/gtm-study, 155 experts from the fields of logistics, international trade and IT were surveyed. The report also contains practical tips for implementing agile project management.
Experts choose agile project management for better results
Most survey participants prefer an agile approach: 87 percent expect more efficient processes, 86 percent foresee faster implementations and 79 percent predict better results. Agile project management also scores highly from a cost perspective, as 60 percent see project costs falling. In addition, 83 percent of respondents expect agile project management to give a strong boost to employee motivation. “These experiences are in line with the principles of self-organizing teams in agile projects,” says Dr. Dirk Hartel of the Baden-Württemberg Cooperative State University (DHBW), co-author of the report. “Greater freedom is guaranteed to lead to a stronger sense of responsibility and stronger motivation among individual team members.”
Most important success factor: corporate culture
The most important precondition for success with agile project management is a corporate culture that is open to this approach. Almost three quarters of respondents, especially those over fifty, call this crucial. Other important factors are the support of supervisors and a strong willingness among managers themselves to adopt the agile approach. “This requires a new awareness that permeates the entire company,” explains Dr. Ulrich Lison, member of the board of AEB and co-author of the report. “Agile project management only works in combination with a modern vision of management.”
Experts fear a lack of discipline
Alongside the many positive expectations, some experts also voice concerns about the application of agile project management. Almost a third fear that the greater freedom of self-organizing teams leads to a lack of discipline. To avoid this risk, Lison warns, it is essential to assemble the right team and to make sure everyone has the right qualifications. “It is also important to train employees thoroughly in this methodology,” he says.
The greatest concern about agile project management is the ability to stay within the set budget: 56 percent consider it likely that budgets will be exceeded. Almost as many respondents foresee problems due to a lack of coordination (54 percent) and inadequate project documentation (51 percent).
High expectations vs. scarce empirical figures
Most respondents regard the adoption of agile project management in international trade and logistics as a positive development and a competitive advantage. However, only 36 percent of companies have started using this method. One in five companies plans to implement agile project management, but 44 percent – mainly companies with fewer than 2000 employees – have no intention of doing so yet. The reason is not so much that agile project management offers no opportunities for these companies; the problem is above all a lack of the right expertise and the absence of standards. “We expect this gap to be closed in the coming years through targeted training of the talent within companies,” says Professor Hartel. “But professional associations should also take steps and offer smaller companies more support in introducing an agile approach and implementing agile projects.”
About the study
The report ‘Agile Future – How Agile Project Management Is Transforming Global Trade and Logistics’ is based on a survey of 155 experts in the fields of logistics, international trade and IT. The respondents come from various sectors and work at companies of varying sizes in various countries. One in ten is a member of an executive board and more than half (55 percent) hold a middle-management position as head of a business unit or department. Software vendor AEB and the Baden-Württemberg Cooperative State University (DHBW) have conducted this research annually since 2013. All research reports are available at www.aeb.com/gtm-study.
About AEB (www.aeb.com – www.aeb.com/nl)
AEB has been developing software to support the international trade and logistics processes of companies in the industrial, commercial and service sectors for more than 35 years. More than 5000 customers in more than 35 countries use AEB’s solutions for transport and warehouse management, import and export management, preference management and much more. They benefit from improved efficiency, compliance and transparency – at home and abroad – thanks to applications such as customs and embargo checks, improved collaboration with supply chain partners and automation of shipping processes. AEB’s portfolio ranges from online plug-and-play solutions to comprehensive logistics systems.
AEB has its headquarters and data centers in Stuttgart and also has international offices in the United Kingdom, Singapore, Switzerland, Sweden, the Czech Republic, France and the United States. The Dutch office is located in Capelle aan den IJssel.

The Baden-Württemberg Cooperative State University (DHBW), with around 8400 bachelor’s students, is among the largest higher education institutions in the Stuttgart region. Its Schools of Business, Engineering and Social Work cooperate with approximately 2000 carefully selected companies and social institutions to offer more than 40 nationally and internationally recognized degree programs. Every three months, students switch between the university and the companies, which enables them to gain valuable work experience during their studies. Students enjoy important benefits ranging from financial independence and better job prospects to small study groups and international experience.


13.12.17

Malware on Google Play targets Polish banks


Another group of banking Trojans has managed to get past Google Play’s security mechanisms, this time targeting several Polish banks. The malware slipped into Google Play by posing as seemingly legitimate apps: “Crypto Monitor”, a cryptocurrency price-tracking app, and “StorySaver”, a third-party tool for downloading stories from Instagram.
In addition to providing the promised functionality, the malicious apps can display fake notifications and login forms that appear to come from legitimate banking apps, harvest the credentials entered into the fake forms, and intercept text messages to bypass SMS-based two-factor authentication.
The same Trojan, in a different disguise, was recently spotted on Google Play by researchers at RiskIQ, who published their analysis of this threat in a report released on November 9.
The malicious apps
The first of the malicious apps we encountered, “Crypto Monitor”, was uploaded to the Google Store on November 25, 2017 under the developer name walltestudio. The other app, “StorySaver”, appeared on Google Play on November 29, under the developer name kirillsamsonov45.
Together, the apps had reached between 1000 and 5000 downloads by the time we reported them to Google, on December 4. Both apps have since been removed from the store.

Once launched, the malicious apps compare the apps installed on the compromised device against a list of targeted banking apps – in this case, the official apps of fourteen Polish banks (the list of the specific banking apps is at the end). If any of the fourteen apps is found on the device, the malware can display fake login forms imitating those of the targeted legitimate apps. This can happen without any action by the user, or after the user taps a fake notification displayed by the malware, apparently on behalf of the bank.

ESET security systems detect this threat as Android/Spy.Banker.QL and prevent it from installing.
ESET telemetry shows that 96% of detections come from Poland (the remaining 4% from Austria), apparently because of local social engineering campaigns spreading these malicious apps.
How to stay safe?
The good news is that this banking malware uses no advanced tricks to ensure its persistence on affected devices. Therefore, if you have installed either of the malicious apps described above, you can remove them by going to Settings > (General) > Application manager/Apps, searching for “StorySaver” and “Crypto Monitor”, and uninstalling them.
The bad news, however: if you installed either of these apps on a device on which you use one of the fourteen targeted banking apps listed below, the crooks may already have access to your bank account. We advise you to check your bank account for suspicious transactions and to seriously consider changing your PIN.
To avoid falling prey to mobile malware in the future, always check app ratings and reviews, pay attention to the permissions you grant to apps, and use a reputable mobile security solution to detect and block the latest threats.
Targeted banking apps
App name                  Package name
Alior Mobile              com.comarch.mobile
BZWBK24 mobile            pl.bzwbk.bzwbk24
Getin Mobile              com.getingroup.mobilebanking
IKO                       pl.pkobp.iko
Moje ING mobile           pl.ing.mojeing
Bank Millennium           wit.android.bcpBankingApp.millenniumPL
mBank PL                  pl.mbank
BusinessPro               pl.bph
Nest Bank                 pl.fmbank.smart
Bank Pekao                eu.eleader.mobilebanking.pekao
Showing items 1 to 10 of 14

Package name                 Hash                                        Phishing server
in.crypto.monitor.coins      57A96D024E61F683020BE46173D74FAD4CF05806    nelis.at
com.app.storysavernew        757EA52DB39E9CDBF5E2E95485801E3E4B19020D    sdljfkh1313.win
Showing items 1 to 2 of 2

Special thanks to Witold Precikowski, who brought one of these malicious apps to our attention.
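The article describes the infection logic (the Trojan checks installed packages against a list of targeted banking apps) and publishes the package names and SHA-1 hashes of the two samples. The following triage script is an added example, not ESET’s code or tooling: it cross-references a package listing from a device (the format of `adb shell pm list packages`, `package:<name>` per line) with the indicators from the tables above, rates the exposure the way the “How to stay safe?” section does (malware present plus a targeted banking app installed is the case where credentials may already be gone), and can look up an APK’s SHA-1 against the published hashes. The sample device listing is constructed; the ten bank package names are the ones captured on the page (four of the fourteen are not shown here).

```python
import hashlib
import re

# Indicators of compromise from the tables above: SHA-1 of each sample and the
# package name it was distributed under.
KNOWN_SAMPLES = {
    "57A96D024E61F683020BE46173D74FAD4CF05806": "in.crypto.monitor.coins",  # Crypto Monitor
    "757EA52DB39E9CDBF5E2E95485801E3E4B19020D": "com.app.storysavernew",     # StorySaver
}
MALICIOUS_PACKAGES = set(KNOWN_SAMPLES.values())

# Targeted banking apps as listed above (the page shows 10 of the 14).
TARGETED_BANK_APPS = {
    "com.comarch.mobile": "Alior Mobile",
    "pl.bzwbk.bzwbk24": "BZWBK24 mobile",
    "com.getingroup.mobilebanking": "Getin Mobile",
    "pl.pkobp.iko": "IKO",
    "pl.ing.mojeing": "Moje ING mobile",
    "wit.android.bcpBankingApp.millenniumPL": "Bank Millennium",
    "pl.mbank": "mBank PL",
    "pl.bph": "BusinessPro",
    "pl.fmbank.smart": "Nest Bank",
    "eu.eleader.mobilebanking.pekao": "Bank Pekao",
}

PM_LINE = re.compile(r"^package:(\S+)$")


def parse_pm_list(output):
    """Parse `adb shell pm list packages` output ('package:<name>' per line)."""
    installed = set()
    for line in output.splitlines():
        match = PM_LINE.match(line.strip())
        if match:
            installed.add(match.group(1))
    return installed


def triage(pm_output):
    """Cross-reference installed packages with the IoCs and rate the exposure."""
    installed = parse_pm_list(pm_output)
    malware = sorted(installed & MALICIOUS_PACKAGES)
    banks = sorted(TARGETED_BANK_APPS[p] for p in installed & set(TARGETED_BANK_APPS))
    if malware and banks:
        # Fake overlays plus SMS interception may already have exposed these
        # accounts: check transactions and change the PIN, as the article advises.
        risk = "high"
    elif malware:
        risk = "medium"  # uninstall via Settings > Apps; no persistence tricks reported
    else:
        risk = "none"
    return {"malware": malware, "targeted_banks": banks, "risk": risk}


def sha1_hex(data):
    """Upper-case hex SHA-1, matching the format of the published hashes."""
    return hashlib.sha1(data).hexdigest().upper()


def match_known_sample(apk_bytes):
    """Return the package name if the APK's SHA-1 matches a published sample, else None."""
    return KNOWN_SAMPLES.get(sha1_hex(apk_bytes))


# Constructed example listing, not captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:pl.pkobp.iko
package:com.app.storysavernew
package:com.google.android.gms
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PM_OUTPUT))
```

To use it on a real device, capture the package listing with `adb shell pm list packages` and pass the text to `triage`; for hash matching, pull the suspect APK with `adb pull` and pass its bytes to `match_known_sample`. Package-name and hash matching only catch these exact samples; a repackaged variant of the same Trojan needs the detection name given above (Android/Spy.Banker.QL) from a security product rather than a static IoC list.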

Cryptocurrency in kilowatt hours: Counting the costs of anonymous transactions



Over the course of last week, bitcoin reached an all-time high value of just under US$17,000, and currently hovers close to that record high. The increase has generated many media articles and much commentary from financial experts. Before we look at the reasons behind the increase, let’s consider the infrastructure.
Society sorts its garbage for recycling and attempts to save energy in many different ways: some speculators in bitcoin may be shocked by the statistics on power consumption of the bitcoin network published by Digiconomist.
To understand the power consumption issue it’s important to have a conceptual overview of how bitcoin works. The system comprises a blockchain, a ledger of records that contain all the transactions and timestamps. A new block is created approximately every 10 minutes by so-called miners. These are a distributed network calculating complex algorithms to create blocks to extend the blockchain. Every miner attempts to calculate the next block, the first to calculate a valid block distributes it to the other miners.
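The paragraph above explains mining as a race to find the next valid block. The toy blockchain below is an added example, not code from the article or from any bitcoin implementation: it reduces the idea to its essentials so that the link between “calculating complex algorithms” and power consumption is visible. Each block header is double-SHA-256 hashed (as bitcoin does) and a nonce is incremented until the hash has a required number of leading zeros; the required count is a constructed stand-in for bitcoin’s 256-bit target, which the real network adjusts so that one block is found roughly every 10 minutes. The transactions and timestamps are constructed values.

```python
import hashlib
import json

# Constructed toy difficulty: number of leading hex zeros the block hash must have.
# Each additional zero multiplies the expected hashing work by 16.
DIFFICULTY = 3
GENESIS_PREV = "0" * 64


def block_hash(header):
    """Double SHA-256 over a canonical serialisation of the header (as bitcoin does)."""
    data = json.dumps(header, sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def mine_block(prev_hash, transactions, difficulty=DIFFICULTY, timestamp=0):
    """Try nonces from 0 upward until the hash meets the target.
    Returns (block, attempts); attempts is the work the miner had to spend."""
    header = {"prev": prev_hash, "txs": list(transactions),
              "timestamp": timestamp, "nonce": 0}
    attempts = 0
    while True:
        attempts += 1
        digest = block_hash(header)
        if digest.startswith("0" * difficulty):
            return {"header": header, "hash": digest}, attempts
        header["nonce"] += 1


def expected_attempts(difficulty):
    """Average number of hashes needed for one block at this toy difficulty."""
    return 16 ** difficulty


def validate_chain(chain, difficulty=DIFFICULTY):
    """Recompute every hash and back-link; editing any old block breaks the chain
    from that point on, which is why rewriting history means redoing the work."""
    prev = GENESIS_PREV
    for block in chain:
        header = block["header"]
        digest = block_hash(header)
        if header["prev"] != prev or digest != block["hash"]:
            return False
        if not digest.startswith("0" * difficulty):
            return False
        prev = digest
    return True


def build_chain(tx_batches, difficulty=DIFFICULTY):
    """Mine one block per batch of transactions; return the chain and total hashes tried."""
    chain, prev, total = [], GENESIS_PREV, 0
    for height, txs in enumerate(tx_batches):
        block, attempts = mine_block(prev, txs, difficulty, timestamp=height)
        chain.append(block)
        total += attempts
        prev = block["hash"]
    return chain, total


if __name__ == "__main__":
    chain, work = build_chain([["alice pays bob 1.0"], ["bob pays carol 0.5"]])
    print(f"mined {len(chain)} blocks with {work} hash attempts; valid={validate_chain(chain)}")
```

Raising `DIFFICULTY` by one makes `build_chain` take about sixteen times as many attempts, which is the whole story behind the energy figures that follow: the network’s hash rate, not the number of transactions, sets the power bill, and the cost per transaction is simply that bill divided by the transactions that fit into the blocks.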
The miners are paid for their services to the network with additionally created bitcoins, diluting the value of existing bitcoins. This is not an issue today, as the increasing value means the dilution has no negative effect. Current revenues paid to miners are $9.9bn and their estimated mining costs are $1.58bn, making mining a lucrative business and the reason people are keen to create miners.
Bitcoin’s estimated annual power consumption is 31.6 TWh, which is more power than Ireland uses in a year. The electricity consumed for a single transaction is 251 kWh, which is sufficient to power 8.49 typical households in the US for a day.
If you grab lunch from one of the many restaurants that accept bitcoin, and lunch costs under $15, it will cost more to process the payment than you paid for lunch. Using the average cost of a kWh in California, which according to Electric Choice is $0.1816, the cost of a single bitcoin transaction would be approximately $45.
The energy costs are not the only charges in a transaction: the bitcoin network itself levies a fee which, according to a blog post from Valve, the gaming provider behind the Steam network, has skyrocketed from $0.20 in 2016 to $20 per transaction today. Based on this and the current volatility in value, Valve has decided to discontinue accepting payment in bitcoin.
Logic indicates there is a serious flaw in this business model when you look at the energy costs and the transaction fees. However, as long as the price of bitcoin continues to rise then the flaw may be acceptable to those spending their newly found wealth.
With the heightened interest around bitcoin, I have been actively asking people I meet if they hold any of the digital currency. Not surprisingly I have found a few… none of whom use the currency for daily transactions, but are investors or speculators looking for capital gain. And here lies the problem: the currency’s value appears to be inflated by the demand from organizations and individuals looking to make a quick buck.
Sir John Cunliffe, the Deputy Governor of the Bank of England, was quoted in a BBC article as saying “investors should do their homework and think carefully”. He points out that there is no government or central bank behind bitcoin, that it is not an official currency, and that it should be viewed more as a commodity.
Speculation on the recent surge in value is varied: Derek Thompson, a journalist for The Atlantic, describes the recent rise as an ‘unsustainable paroxysm’ and compares it to the 17th-century tulip bulb bubble. No one actually knows what is causing the surge, other than demand, and an important factor in this could be that so far 16.5 million bitcoins have been issued, and since in its current format there is a theoretical limit of 21 million, maybe people are just scared of missing out?
One other important element to this is that bitcoin is popular with criminals due to its lack of regulation and pseudo-anonymous character. The UK Treasury recently stated that it believes anti-money-laundering regulations should be updated to include bitcoin and other virtual currencies. Detective Superintendent Nick Stevens from the Serious and Organised Crime Command of the Metropolitan Police stated that “Organised criminal groups have been early adopters of crypto-currencies to evade traditional money laundering checks and statutory regulations”.
I am curious whether the speculators investing in bitcoin have considered that as they push the price up, they are increasing the value for criminals too?
What is apparent is that we are in uncharted territory, a new era of digital currency. While there are problems, for example with currency exchanges being knocked offline by DDoS attacks, and potentially greed playing its part in today’s inflated valuation, there are likely to be real uses for a digital currency in the future. When the bitcoin bubble inevitably bursts, as all bubbles do, then it will only be a matter of time before another currency appears, and those behind it, we hope, will have learned from the mistakes of the first.

12.12.17

Happy holidays, scam spotters!

The Identity Theft Resource Center – @ITRCSD – invited researchers from ESET North America to take part in a Twitter chat, a holiday edition of their #IDTheftChat. The conversation related to scams targeting businesses and consumers, which always seem to increase dramatically at this time of year. The chat took place on December 7th 2017, and you can read the whole thing using that hashtag. However, here are the contributions from Lysa Myers, Aryeh Goretsky, and David Harley.
@ITRCSD: Q1: An @AARP survey discovered that 70% of U.S shoppers failed a short quiz on how to stay safe from holiday #scams. What are some tips for safe #shopping this season?
Aryeh: Scams often prey on victims by offering something which sounds “too good to be true.” If it sounds too good to be true, it probably should be avoided.
Lysa: Enable 2-Factor Authentication on your online accounts wherever it’s available. Use credit rather than debit cards if you can, especially online.
Q2: How are #businesses also targeted by Grinches looking to steal valuable data?
Aryeh: Businesses are often sent fake invoices and waybills which install ransomware. Teach staff to avoid these. If questionable, ask your IT dept to look at it. E-cards have been a target in the past and may be used again in holiday-themed attacks.
Lysa: Many breaches are facilitated by stolen credentials. Make sure staff get regular, positive training for recognizing and avoiding phishing and other scams that use social engineering.
Lysa: Thieves often enter networks by exploiting vulnerabilities in software. Updating promptly can help, but for those systems that can’t be quickly updated, utilize layers of protection to help mitigate risk.
Q3: What kind of impact can #DataBreaches have on businesses and their customers?
Aryeh: A data breach can put a company out of business and subject its owners to fines in the 100Ks to millions range.
Lysa: Lost time and productivity are the most obvious impact. Regulatory fines, lawsuits are also a huge potential impact. Don’t discount the loss of reputation – studies show that this can be a significant $$$$ hit.
Q4: If a #breach does occur, it can feel like a real lump of coal. What are some tips for businesses to stay on the nice list with customers?
Aryeh: Create a policy for handling a data breach, and test it 1-2× a year to see how well it works.
Lysa: Businesses’ response in the wake of a breach can make a huge impact on the loss of reputation. Notifications that are quick, orderly and informative are a much easier pill to swallow.
Lysa: Have a breach-response policy in place (and kept updated!) beforehand so that you know who must do what, and when. This will decrease the number & severity of possible errors that could compound loss of trust.
Q5: Mail theft also increases during the holidays. How can you stop a shady snowman?
Aryeh: Get your mail promptly and don’t leave it out all day. Consider a locked mailbox. Place a security camera on your mailbox to record thieves.
Q6: Looking to be Santa’s helper? What kind of employment scams should you look out for?
Aryeh: Be aware of employment scams: offers of guaranteed work-from-home, secret shopper or package-shipping jobs are usually scams.
David: Some job scams are seasonal. Here are some tips that apply to job scams in general, though.
· Check that the company offering the job exists before you respond to job offers by email. Especially if you haven’t been looking for job offers.
· If the company exists, check with them directly – and not via the email or contact points linked in the message – that the jobs exist.
· Be suspicious of poor English and presentation. But don’t assume that good presentation = a genuine offer.
· If they insist on making your travel and visa arrangements, be deeply suspicious. Run like the wind in the opposite direction if they want you to pay in advance.
· Many email providers offer free addresses with minimal or no identity checking. Reputable, reliable companies don’t usually use them to make job offers.
· An organization large enough to have a Human Resources Department yet so tightfisted as to restrict it to a free email account on mail.com (for example)? Unlikely…
· An old article here, but has lots more points to watch for:
Q7: Ho-ho-hold on. What are some common holiday #phone scams & tips to protect your information & #finances?
Aryeh: Watch out for fake callers pretending to be from banks, Microsoft support, businesses saying you’ve won a prize or surveys offering a free cruise. They are scams.
Lysa: If you haven’t already, now is a good time to consider freezing your credit.
Lysa: Do you make (and test!) regular backups of your data? Do you encrypt sensitive files on your hard drive or on mobile devices? Have you enabled 2 Factor Authentication?
Q8: Don’t follow that scammer under the mistletoe! How can you spot a sweetheart #scam?
Aryeh: Romance scams prey on older single people. Watch out for unexpected friend requests from people across the country or that claim to be serving overseas.
Q9: “But first, let me take an #Elfie.” Best tips for not oversharing on #social media?
Aryeh: Don’t share information that contains your address/location or holiday travel plans. These let crooks know what, where and when to rob you.
Lysa: The Internet is forever: you can’t put the metaphorical toothpaste back in the tube. Before sharing, ask yourself if you would be comfortable with a total stranger, law enforcement, your boss, or your mom/child seeing this?
David: Remember that even if you only share info with people you trust, they may not be as careful as you are. Your friends may be well-intentioned, but they aren’t necessarily security-savvy.
Q10: Please share more resources to having a merry and safe holiday season both online and offline!
Aryeh: Visit welivesecurity.com for the latest on scams, tricks and threats.
@ESET: And don’t forget our #GiveSecurity contest is still running on Instagram! Enter by 12/22 and you could win a MacBook Air, Samsung Tab S3 and more! https://www.eset.com/us/givesecurity/