Inside | Real news, curated by real humans
Inside Security

Inside Security (Oct 28th, 2016)

David’s Take
I was inspired by the tale of the top 15 security researchers, all of whom happen to be under 15 years old. The latest attack on industrial control software made by Schneider Electric is worth reading, along with why a 3D-printed hand can be both good and bad for biometric readers. Plus some new products to help improve your security posture.

-- David Strom, editor of Inside Security
Threat of the week: Schneider Electric Unity Pro
 

A major vulnerability in popular industrial control management software called Unity Pro has been found. The flaw allows attackers to remotely execute code on various industrial networks, using an exploit against the Windows PCs that run the control software. The attacker needs to create a large project file with enough random binary control code, and then replace this code with a malicious payload. The attacker also needs to overcome several checksum calculations. Those of you familiar with how Stuxnet operated will see similarities.
 
In response to the issue, Schneider acknowledged the problem and released a patch for the Unity Pro software that fixes the vulnerability.  Last year, Schneider Electric reported a number of vulnerabilities affecting other control modules, as documented by Threatpost.  – INDEGY BLOG
 
New products
 
AvailabilityGuard v7.2 features a new infrastructure resiliency report, providing IT executives with one-click visibility to server and network downtime and data loss risks. The tool examines best practices and configuration issues along with single points of failure. Pricing is based on size of the environment ranging from a free one-time health check to $2,000 per server for an annual subscription. – CONTINUITY SOFTWARE
 

Here is a free tool to uncover malware. Called Forensic Analysis, it examines all your PC’s files to find previously undetected malware. The service is also part of a paid Default Deny Platform sold by the company.  -- COMODO  (reg. req.)
YAAFP*
 
There have been so many Adobe Flash patches they deserve their own category here (*Yet Another Adobe Flash Patch). Since October 2015, there have been 16 such updates. This week's patch fixes what are called use-after-free errors, a class of bug commonly observed in numerous software products. Users are advised to upgrade to Flash Player 23.0.0.205 on Windows and Mac and to version 11.2.202.643 on Linux. -- DARK READING
 
Methods and tools
 
This is the story of a little-known New Zealand company called Endace and what they have been working on. Their technology is one of the key pieces behind the UK's GCHQ scooping up private emails and other online traffic, and the story is well worth reading. The company is mentioned in one of the Snowden documents. – THE INTERCEPT
 


The Sednit gang, also known as APT28, Fancy Bear, Pawn Storm and Sofacy, has developed sophisticated attack tools that have targeted high-profile organizations (such as the DNC hack earlier this year) and individuals. Here is a discussion of how these tools work. -- WE LIVE SECURITY
 

A wonderful story of meeting 15 rising cybersecurity stars who are under 15 years old from across the US. These aren’t script kiddies: some have been responsible for finding big bugs, mobile zero day exploits and other major vulnerabilities. All the stories are pretty amazing, made even more so considering their ages. -- PASSCODE
 

Researchers at Michigan State University say they’re able to 3D print a full hand, complete with fingerprints on all 10 fingers. Their goal is more legit than nefarious: to standardize the calibration of fingerprint scanners in airport immigration, police departments, banks and more. The paper talks about how ordinary 2D copies can’t adequately simulate how users interact with the readers. The same researchers were able to unlock a murder victim’s phone by cloning one finger earlier this year. -- NEXTGOV
 

ZapFraud has been awarded a patent that addresses how to manage increasingly sophisticated email attacks using a hybrid approach that combines machine learning and fraud expert systems with human intervention. The technology provides intelligent escalation when automated detection identifies undetermined or high-risk cases. The company sells a Fraud Firewall that implements this notion. -- MARKETWIRED
 
Reports
 
CTOs are warming up to implementing microservices, or so they say. Many enterprises have accepted that cloud strategies are now a must and that microservices could be a steppingstone to cloud computing, moving small pieces to the cloud gradually, building in useful APIs and obtaining a quick ROI. – THE NEW STACK
 

It is time for security predictions for next year, and early out of the gate are those from CheckPoint, based on their recent security report. Mobile attacks and industrial IoT sources are growing, and ransomware and DDoS attacks are happening more frequently. In case you didn't know, the days of signature-based antivirus being enough to screen out malware are long gone. -- CHECKPOINT BLOG
 

Can you name the only global social network not banned in China? It’s LinkedIn, which agreed to cooperate with the Chinese government and remove controversial content. Now LinkedIn might be in trouble in neighboring Russia, which has a law that went into effect last year that requires networks to keep data on Russian users inside the country. Many tech companies have moved servers to Russia to comply, but some such as Facebook and Microsoft haven’t. Now Russian officials are going after LinkedIn as a first test case and are seeking a court order to compel them to have local servers. A decision is expected in the next few weeks. – THE HACKER NEWS
 
Just for fun
 
A great animated GIF about teamwork that is quite telling. -- ROBBOMB (NSFW)

Follow this thread on Facebook on funny WiFi access point names, including Wu Tan Lan, Tell My Wifi Love her, Ashly Madison's hack proof Wifi, and A LAN Down Under -- KEVIN WELLS
Copyright © 2016 Inside, All rights reserved.


You're receiving this email because you are subscribed to Inside Security. If you don't want to receive it anymore, go ahead and unsubscribe – or just hit reply and tell us how to make it better.

Subscribe to Inside Security