CCleaner Server Was Compromised in Early July

A server distributing a version of PC utility CCleaner infected with malware might have been compromised in early July, Avast revealed.
Two versions of the highly popular Windows maintenance tool (32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) were modified to distribute information-stealing malware, and over 2 million users have been impacted by the incident. The infected binary was released on August 15 and remained undetected for four weeks.
CCleaner was developed by Piriform, which was acquired by anti-virus company Avast in July, 2017. After news of the infected installer broke on Monday, the security firm decided to step forward and clarify that the compromise likely happened before the July acquisition.
“Before we completed the acquisition, the bad actors were likely already in the process of hacking into the Piriform systems. The compromise may have started on July 3rd. The server was provisioned earlier in 2017 and the SSL certificate for the respective https communication had a timestamp of July 3, 2017,” an Avast blog post signed by Vince Steckler, CEO, and Ondrej Vlcek, CTO and EVP Consumer Business, reads.
The company also disclosed that they were warned of the infection by security company Morphisec, which says that it first encountered the malicious CCleaner installations on Aug. 20. However, it was only on Sept. 11 that Morphisec received logs from some of its customers and could start an investigation.
On Sept. 12, Morphisec warned Avast of the infection, and the latter was able to resolve the issue within 72 hours. By Sept. 15, the command and control server that the malware was contacting had been taken down and Piriform had already released a clean version of CCleaner.
Avast also claims that no actual harm was done to the impacted computers, despite the fact that 2.27 million users downloaded the infected application release, as the final payload in this attack never activated.
“About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary,” the company says.

CCleaner v5.34 and CCleaner Cloud v1.07.3214 have been released without the malicious code inside, and Avast says that only around 730,000 users are still running the affected version 5.33.6162 on their systems. The free CCleaner variant doesn’t include automatic updates, meaning that users need to manually download and install the clean version.
“We deeply understand the seriousness of the situation, as we do with all security threats. We regret the inconvenience experienced by Piriform’s customers. We plan to be issuing more updates on this as we go. We have made it our highest priority to properly investigate this unfortunate incident and to take all possible measures to ensure that it never happens again,” Avast also says.
Affected users are advised to update to the latest versions of CCleaner as soon as possible, to remove any malicious code from their computers.

Siemens’ New ICS/SCADA Security Service a Sign of the Times

Major ICS/SCADA vendors are entering the managed security services business with cloud-based offerings for energy and other industrial sectors.
It’s been seven years since the game-changing Stuxnet worm was unearthed and thrust the industrial control sector into a new reality, where cyberattacks could sabotage even air-gapped physical plant operations.
Siemens, whose process control systems were targeted in the attack that ultimately sabotaged centrifuges at the Natanz nuclear facility in Iran, was among the first of the traditional ICS/SCADA vendors to step up in the wake of Stuxnet and build secure software development programs, as well as roll out new products with built-in security features.
Now meet the next big thing for Siemens and other major ICS/SCADA equipment vendors: managed security services. Siemens today kicked up a notch its existing network monitoring and security services with the addition of anomaly detection technology from PAS that monitors all brands of industrial and computing equipment – not just its own – on a plant network.
Leo Simonovich, vice president for global cyber security for Siemens, says the newly enhanced managed security service – which includes monitoring, incident response, and management – is just the beginning, with more features on the horizon. The network monitoring capability in Siemens’ service that launched earlier this year comes via its partnership with Darktrace.
“We have a vision to bring the best of breed technologies together” for visibility of OT [operational technology] networks, Simonovich says. “That means we have to monitor the network, monitor the control layer, and the assets themselves, like turbines,” for example, he says.
“Control-level coverage solves a core problem for customers: they can’t protect what they can’t see.”
It’s been a long road for Siemens since Stuxnet. In its wake, Siemens doubled down on patching its older, security-flaw-ridden ICS/SCADA software and launched an internal CERT, while also focusing on secure software development. In 2012, Siemens launched a new generation of ICS products with built-in firewall and virtual private network features, the Simatic CP and Scalance communications processors, as well as a new secure router.
“Unfortunately, we were hit by Stuxnet, and since then our journey has been to more secure products” as well as security service offerings “irrespective of the vendor. That’s what our customers are asking of us,” Simonovich says.
Some of its counterparts also are expanding into cloud-based security services for ICS/SCADA operations. Rockwell Automation late last week launched new threat detection services that include features similar to what Siemens is now offering: real-time monitoring as well as asset management. The ICS/SCADA vendor built the service with threat-detection software from startup Claroty.
Schneider Electric offers a cybersecurity protection service that automatically updates Schneider’s products as well as third-party operating systems and endpoint security products with patches.
Security experts expect more of these traditional large ICS/SCADA vendors to roll out managed security service offerings, as the industrial sector faces new and more advanced threats that many of these organizations don’t have the expertise nor experience to thwart.
Dale Peterson, founder and CEO of ICS firm Digital Bond, has been watching major ICS/SCADA vendors start to build more secure products since Stuxnet’s discovery. Cloud services from these vendors could be the next trend, he notes, as these vendors look for new sources of revenue.
OT: Security Newbies
Many industrial, aka operational technology (OT), teams are still new to cybersecurity. “For many of them, OT is the core focus on operations of that plant. Cybersecurity is not their day-to-day job,” Siemens’ Simonovich says. That’s where Siemens hopes to step in with its managed security services, he says.
Much as in IT, the difficulty of staying on top of all of the devices, software configurations and updates in an OT network has left these plant networks more vulnerable to attack.
Human error accounts for 70% of incidents in the OT environment, says Eddie Habibi, founder and CEO of PAS. “These systems are wide open to external attacks as well as internal human error,” he says, which ups the ante for better visibility and management of them.

PAS’s technology includes asset discovery and inventory, patch management, vulnerability assessment and recovery, and configuration and change management control, he notes, as well as analytics and visualization of all types of vendors’ systems.
Proprietary ICS/SCADA systems not only are engineered differently, but often configured specifically for a certain plant environment based on operational performance requirements and other parameters, notes Siemens’ Simonovich. “That’s been a hard nut to crack,” he says. “The network-level monitoring doesn’t tell you if a PLC is behaving in a particular way to turn on or off a valve, for example,” he says. That’s something PAS’s technology and Siemens’ analytics features do via the new security service, he notes.
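As an added illustration of the control-layer gap Simonovich describes (example code written for this page, not Siemens’ or PAS’s product): a network sensor can report that a host wrote a value to a register on a PLC, but deciding whether that write should worry anyone takes a register map, the safe range for each tag, the hosts allowed to change it, and when protective settings may change at all. The PLC name, register map, hosts, ranges, maintenance window and sample events below are all constructed.

```python
"""Control-layer policy check for PLC register writes.

Added example, not Siemens' or PAS's code. A network monitor can say
"host X wrote value V to register R on PLC P"; deciding whether that write is
wrong needs process knowledge: which tag the register is, who may write it,
what range is safe, and when changes are allowed. Everything below
(PLC name, register map, hosts, ranges, window, events) is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time as daytime
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class TagPolicy:
    tag: str                          # human name of the register in this plant
    lo: float                         # lowest value the process tolerates
    hi: float                         # highest value the process tolerates
    writers: FrozenSet[str]           # hosts allowed to write this tag at all
    maintenance_only: bool = False    # protective setting: change only in a window


@dataclass(frozen=True)
class WriteEvent:
    ts: datetime
    src: str          # writing host, as seen on the wire
    plc: str
    register: int     # Modbus-style holding register address
    value: float


# Constructed register map for a hypothetical PLC "PLC-01".
POLICY: Dict[Tuple[str, int], TagPolicy] = {
    ("PLC-01", 40010): TagPolicy("valve_V101_setpoint_pct", 0, 100,
                                 frozenset({"10.1.1.5"})),
    ("PLC-01", 40020): TagPolicy("pump_P201_run_cmd", 0, 1,
                                 frozenset({"10.1.1.5", "10.1.1.6"})),
    ("PLC-01", 40030): TagPolicy("high_pressure_trip_bar", 8.0, 12.0,
                                 frozenset({"10.1.1.5"}), maintenance_only=True),
}

# Assumption: protective settings may only change 01:00-05:00 plant time.
MAINT_WINDOW = (daytime(1, 0), daytime(5, 0))


def in_maintenance_window(ts: datetime) -> bool:
    start, end = MAINT_WINDOW
    return start <= ts.time() < end


def assess(ev: WriteEvent) -> List[str]:
    """Return the control-layer findings for one write (empty list = normal)."""
    pol = POLICY.get((ev.plc, ev.register))
    if pol is None:
        # A write to a register the engineering team never mapped is itself a finding.
        return [f"write to unmapped register {ev.register} on {ev.plc} from {ev.src}"]
    findings = []
    if ev.src not in pol.writers:
        findings.append(f"{ev.src} is not an approved writer of {pol.tag}")
    if not pol.lo <= ev.value <= pol.hi:
        findings.append(f"{pol.tag}={ev.value} outside safe range [{pol.lo}, {pol.hi}]")
    if pol.maintenance_only and not in_maintenance_window(ev.ts):
        findings.append(f"{pol.tag} changed outside the maintenance window")
    return findings


# Constructed sample traffic: an approved setpoint change, a valve driven past
# 100 %, a pump command from an unknown host, and a trip threshold changed at
# 14:01 by the right workstation (allowed host, allowed range, wrong time).
SAMPLE_EVENTS = [
    WriteEvent(datetime(2017, 9, 19, 14, 0, 0), "10.1.1.5", "PLC-01", 40010, 55),
    WriteEvent(datetime(2017, 9, 19, 14, 0, 5), "10.1.1.5", "PLC-01", 40010, 140),
    WriteEvent(datetime(2017, 9, 19, 14, 0, 9), "10.1.1.77", "PLC-01", 40020, 1),
    WriteEvent(datetime(2017, 9, 19, 14, 1, 0), "10.1.1.5", "PLC-01", 40030, 11.5),
]


def run(events=SAMPLE_EVENTS) -> List[List[str]]:
    """Assess a batch of writes; one findings list per event, in order."""
    return [assess(ev) for ev in events]


if __name__ == "__main__":
    for ev, findings in zip(SAMPLE_EVENTS, run()):
        print(ev.ts.time(), ev.src, ev.register, ev.value, findings or "ok")
```

Source allow-listing on its own is not enough: Stuxnet reached its PLCs through the legitimate engineering workstation and toolchain, so the value-range and timing checks matter as much as the writer check, and a production system would also need a baseline of what each tag normally looks like in each process state rather than static limits.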
Meanwhile, anomaly detection vendors and products for the ICS/SCADA realm have exploded over the past year or so, with some 20-plus vendors crowding this space, notes Digital Bond’s Peterson, who has tracked them. It’s unclear whether industrial operators will go with these third-party vendors or their traditional ICS/SCADA vendors, he says.
“How successful [traditional ICS/SCADA vendors] will be is too early to know,” Peterson says.
“Do you pick an ICS vendor or a traditional monitoring vendor, or some new specialized ICS monitoring vendor?” he says. “That’s a harder choice” for operators than choosing ICS/SCADA equipment vendors, he says. “A lot of times smaller vendors have more expertise because it’s all they do but they don’t have access to … who engineered those [ICS/SCADA] products,” for example, he says.

Low-cost tools making cybercrime more accessible: SecureWorks

Malware as a service, along with the affordability of spam botnets, is giving criminals a low barrier to entry into the cybercrime space, a report from SecureWorks has said.
In 2017 State of Cybercrime: Exposing the threats, techniques and markets that fuel the economy of cybercriminals, the SecureWorks Counter Threat Unit explained that less experienced hackers are able to purchase information-stealing malware for reasonably low prices, which has widened the pool of people able to conduct malicious activity online.
“The internet underground is thriving with ready-to-purchase malware. In underground forums, inexperienced or less-skilled cybercriminals are able to purchase information-stealing malware for reasonably low prices, typically in the form of pre-compiled binaries or premium builder kits that enable attackers to custom configure their own binaries,” the report explains.
Similarly, spam botnets, labelled the most frequently used method for the distribution of all “wares” by SecureWorks, are readily available for a low cost to budding cybercriminals.
“Today, cybercriminals can tap into large botnets to increase the spread of their spam exponentially, a product that can be thought of as ‘spam as a service’,” the report says.
As one example, the report says one large spam botnet known as Kelihos was charged at as little as $200 per million emails sent for pharmaceutical and counterfeit goods-type messages.
Personal information remains a popular commodity, SecureWorks said, with tested and verified credit card data available in some cases for as little as $10, and highly detailed personal information records also offered for as low as $10.
In total, the report details 11 key findings based on the company’s research. Beyond the WannaCry and Petya ransomware outbreaks, and the business email compromise (BEC) threat that accounted for $5 billion in losses globally between October 2013 and December 2016, SecureWorks highlighted that online crime is a market economy of its own.
The global financial toll of cybercrime is difficult to quantify, but pointing to a report from the US Federal Bureau of Investigation (FBI), SecureWorks said internet crime led to losses in excess of $1.3 billion in 2016.
The report from SecureWorks labelled the online criminal landscape as one that is complex and composed of actors with a diverse range of capabilities.
As defined by SecureWorks, the underground internet is the collection of forums, digital shop fronts, and chat rooms that cybercriminals use to form alliances, trade tools, and techniques, and sell compromised data that can include banking details and personally identifiable information, as well as anything else.
However, SecureWorks concedes that the full extent of cybercrime is not visible solely through this window.
“Lucrative online criminality is run like a business, controlled by organised crime groups who are focused on minimising risk and maximising profit,” the report says. “Such groups have considerable reach, will often be active in other areas of more traditional criminality, and, when necessary, will employ the services of other professional criminals who specialise in certain areas, such as moving money or goods around the world.”
With money in tow, cybercrime organisations are often able to scoop up security talent before the good guys can employ them. This has created an underground job market that SecureWorks said mainly requires skills in malware writing, inject writing, data processing, network and sysadmin, and network exploitation, as well as vendors to perform exploit kit loading.
Money muling, in which a “middleman” receives stolen funds or goods and passes them on, knowingly or unknowingly, to the criminals behind the scheme, also continues to be a valuable component of the online criminal landscape, the report explained.
SecureWorks also said the perceived gap between criminality and nation states, in terms of both actors and capabilities, will continue to shrink, pointing to the $81 million Bangladesh heist — and the criminals’ links with North Korea — as its example.

DigitalOcean Warns of Vulnerability Affecting Cloud Users

DigitalOcean is warning customers that some 1-Click applications running MySQL have an account with the same default password across all instances, and the company says the issue affects other cloud providers as well.
DigitalOcean customers reported on social media that they received an email recommending that they run a script to determine if their Droplets – the name used by the company for its cloud servers – are affected by the vulnerability.
The company allows its users to deploy pre-built and pre-configured applications with only one click. The list of 1-Click (One-Click) applications includes Node.js, Rails, Redis, MongoDB, Docker, GitLab, Magento and many others.
DigitalOcean discovered that 1-Click applications running MySQL on Debian and Ubuntu create a MySQL user named “debian-sys-maint” that has the same password on all Droplets created from a 1-Click image.
The “debian-sys-maint” user is designed for local administration purposes and it should have a random password. However, due to a bug, all instances of an application created from the same 1-Click image have the same password.
DigitalOcean said the vulnerability, which is “potentially remotely exploitable,” affects MySQL and several other applications that use MySQL, including PHPMyAdmin, LAMP, LEMP, WordPress and OwnCloud. The account is 'debian-sys-maint'@'localhost' and, on Debian-packaged MySQL, holds full privileges on the server, so anything that lets an outsider authenticate to the local server with a username and password of their choosing, a web front end such as phpMyAdmin for example, turns the shared password into full control of the database.
“We will be issuing a public notice regarding this issue, but first wanted to ensure our impacted users had time to take action,” the company said in its email to customers. “As part of our verification process, we have discovered that images on other cloud providers also have this mis-configuration.”
DigitalOcean has provided a script that allows users to determine if their Droplets are affected and updates their password if needed. The script works on Ubuntu 14, 16 and 17, and Debian 7 and 8; Debian 9 is not impacted.
Customers who have changed the password for the “debian-sys-maint” user after installation of a 1-Click app are not affected by the flaw and they don’t need to take any action.
“We have changed our 1-Clicks to ensure that all future Droplets will have unique, auto-generated passwords for this user,” DigitalOcean said.
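For Droplets that were built from such an image, the fix is to give the account a password that nobody else has. Below is an added example of that rotation written for this page, not DigitalOcean’s script. It assumes the standard Debian/Ubuntu layout, where the account is 'debian-sys-maint'@'localhost' and its credentials are read from /etc/mysql/debian.cnf by the init script and mysql_upgrade; the sample debian.cnf and the password value in it are constructed.

```python
"""Rotate MySQL's 'debian-sys-maint' password on a Debian/Ubuntu host.

Added example, not DigitalOcean's script. Assumes the Debian packaging layout:
the maintenance account is 'debian-sys-maint'@'localhost' and its credentials
live in /etc/mysql/debian.cnf (ini-style, read by the init script and
mysql_upgrade). The rotation has two halves that must stay in step: change the
password in the server first, and only then rewrite debian.cnf, so a failed
ALTER never leaves the file pointing at a password the server does not know.
"""
import os
import re
import secrets
import subprocess
import tempfile

DEBIAN_CNF = "/etc/mysql/debian.cnf"
USER = "debian-sys-maint"
# Matches the 'password = ...' line in both the [client] and [mysql_upgrade] sections.
PASSWORD_LINE = re.compile(r"^([ \t]*password[ \t]*=[ \t]*).*$", re.MULTILINE)


def new_password() -> str:
    # 128 bits of entropy; hex only, so it needs no quoting in SQL or ini files.
    return secrets.token_hex(16)


def password_sql(pw: str, legacy: bool = False) -> str:
    """SQL to set the account password. legacy=True targets MySQL 5.5/5.6
    (as shipped on Ubuntu 14.04), which lacks ALTER USER ... IDENTIFIED BY."""
    if not re.fullmatch(r"[0-9a-f]{32}", pw):
        raise ValueError("password must come from new_password()")
    if legacy:
        return f"SET PASSWORD FOR '{USER}'@'localhost' = PASSWORD('{pw}');"
    return f"ALTER USER '{USER}'@'localhost' IDENTIFIED BY '{pw}';"


def rewrite_debian_cnf(text: str, pw: str) -> str:
    """Replace every 'password = ...' line; refuse files that have none."""
    new_text, n = PASSWORD_LINE.subn(lambda m: m.group(1) + pw, text)
    if n == 0:
        raise ValueError("no password line found; is this really debian.cnf?")
    return new_text


def rotate(path: str = DEBIAN_CNF, legacy: bool = False, dry_run: bool = True) -> str:
    """Change the password server-side, then update the file. Returns the new password."""
    with open(path) as fh:
        old = fh.read()
    pw = new_password()
    updated = rewrite_debian_cnf(old, pw)
    # --defaults-file makes the client authenticate with the *current*
    # credentials from the file; the new password travels only inside -e.
    cmd = ["mysql", f"--defaults-file={path}", "-e", password_sql(pw, legacy)]
    if dry_run:
        print("would run:", cmd[:-1], "<statement withheld>")
        return pw
    subprocess.run(cmd, check=True)
    # Atomic replace with mode 0600, so a crash mid-write cannot leave a half file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".debian.cnf.")
    with os.fdopen(fd, "w") as fh:
        fh.write(updated)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
    return pw


# Constructed stand-in for /etc/mysql/debian.cnf on an affected Droplet; the
# shared password value is made up for this example.
SAMPLE_DEBIAN_CNF = """\
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host     = localhost
user     = debian-sys-maint
password = SHAREDIMAGEPASSWORD
socket   = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host     = localhost
user     = debian-sys-maint
password = SHAREDIMAGEPASSWORD
socket   = /var/run/mysqld/mysqld.sock
basedir  = /usr
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed file; on a Droplet, run
    # rotate(dry_run=False) as root instead.
    print(rewrite_debian_cnf(SAMPLE_DEBIAN_CNF, new_password()))
```

The server-side change goes first and the file second: if the ALTER fails, the file still holds credentials that work. On a host that may already have been reached with the shared password, rotation is only the first step; the accounts and grants in the mysql.user table deserve a look as well.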

New York Pushes to Regulate Credit Agencies After Equifax Breach

New York Governor Andrew Cuomo announced on Monday plans to make credit reporting firms comply with the 23 NYCRR 500 cybersecurity regulations enacted earlier this year. The move is in response to the massive Equifax breach disclosed on September 7, 2017.

“In response to the recent cyberattack that exposed the personal private data of nearly 150 million consumers nationwide, Governor Andrew M. Cuomo today directed the Department of Financial Services to issue new regulation requiring credit reporting agencies to register with New York for the first time and comply with this state’s first-in-the-nation cybersecurity standard,” says the statement.
“A person’s credit history affects virtually every part of their lives and we will not sit idly by while New Yorkers remain unprotected from cyberattacks due to lax security,” Governor Cuomo said. “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”
In the proposed new regulation (PDF), Maria T. Vullo, Superintendent of Financial Services, makes it clear that her department has been monitoring ‘the deficient practices’ of credit reporting companies (such as Equifax, Experian and TransUnion). She cites failure to safeguard consumer data, failure to maintain accurate data, and failure to investigate alleged inaccuracies.
Her proposed solution is to require the credit companies to register with the DFS, to comply with certain prohibited practices, and to comply with the regulations introduced in DFS 500. Failure to comply with this new regulation (23 NYCRR 201) could lead to the revocation of the credit company’s authorization to do business with New York’s regulated financial institutions and consumers — effectively making it impossible to carry on.
“The data breach at Equifax demonstrates the necessity of strong state regulation like New York’s first-in-the-nation cybersecurity actions,” said Financial Services Superintendent Maria T. Vullo. “This is one necessary action of several that DFS will take to protect New York’s markets, consumers and sensitive information from criminals.”
It is thought that 8 million New Yorkers may be affected by the Equifax breach.
‘First-in-the-nation’ is how New York describes the DFS 500 regulation. Among its key requirements are that regulated companies (covered entities) must designate a chief information security officer, and that they must deliver an annual cybersecurity report, signed off by the board, together with a certification of compliance to the DFS. The CISO “shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body.” That report will effectively be a statement of how the regulation is implemented, including details of ‘material Cybersecurity Events’.
The process effectively makes the DFS the final arbiter on the adequacy of the regulated companies’ cybersecurity policies; and the new proposal brings credit reporting agencies in line with the requirements for the regulated financial services organizations.
The proposed new regulation also introduces a new range of prohibitions on credit reporting agencies designed to protect consumers. These prohibit “any unfair, deceptive or predatory act or practice toward any consumer…  violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act…” and “Making any false statement or make any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency.”
Cuomo makes it clear that he hopes that other states will follow with their own similar regulations on credit companies. This puts New York state in direct opposition to the perceived federal preferences of the Trump administration — which would prefer to ease regulatory restrictions on business. Cuomo believes that tighter regulations are required to protect consumers, rather than looser regulations to promote business.
The new regulation will likely be subject to a public comment period. However, under the current proposal, credit reporting agencies will be required to register with the DFS by February 1, 2018, and annually thereafter. The DFS 500 cybersecurity regulation will need to be implemented on a staggered basis, but the credit companies will need to be in full compliance by October 4, 2019.

How Apple’s New Facial Recognition Technology Will Change Enterprise Security

Expect a trickle-down effect, as tech similar to Face ID becomes offered outside of Apple.
Apple’s new Face ID technology promises a security revolution for iPhone users — and it also promises to change all of enterprise security, eventually. While Face ID’s primary audience consists of consumers who buy iPhones, Apple has created a new paradigm for security with a safer, faster authentication system. Similar technology eventually will filter down to devices of all kinds and enable organizations to provide their employees and customers with more secure experiences, protecting their data and keeping cybercrooks at bay.
Face ID, introduced by Apple at its product launch on September 12, is a major advance in biometric authentication, both over Touch ID (fingerprint) authentication that Apple devices have used until now and over other facial recognition systems. Apple says Face ID is so accurate that the chance of another random person’s face being used to unlock your phone is 1 in 1,000,000 — much better than the 1 in 50,000 unlock error rate for Touch ID. Face ID bests other facial recognition systems as well; it’s the first consumer-oriented 3-D facial recognition system, beating out systems in devices such as Samsung’s Galaxy S8 and Note8, which are 2-D recognition systems.
The authentication provided by Face ID certainly will prove sufficient for use by organizations as an authentication method to “prove” that a device belongs to the user. Today, however, many organizations — often because of regulations, such as for apps that can access customer account information, or at least as part of best practices — require two-factor authentication. For most organizations, that means requiring users to input a password (something users know) in order to activate an app or log in to a website from a mobile device, coupled with a second authentication factor, such as a biometric marker like a fingerprint (something users are), or a text message sent to a user’s device, which consists of a code that the user must enter into a site or an app (something users have) in order to access it. 
The fact that Face ID is superior to passwords as an authentication method should come as no surprise. The vast majority of major data breaches in recent years (think Sony, Target, major banks, etc.) involved compromised login data and password theft. According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen or weak passwords; it certainly wouldn’t make sense to have such a weak authentication method guarding access to sensitive data when such a strong authentication method is used to secure the device itself!
That’s why, I believe, Face ID will be the catalyst that sets off a real revolution in data authentication. If Apple can implement such a strong authentication method for its devices, organizations will be searching for something at least as strong to authenticate their data on all devices out there that don’t use Face ID. 
The fastest-growing solution for user authentication in enterprises is phone authentication, in which a mobile device — instead of a hardware token or a password — is used as an authenticator. Organizations that have sought higher levels of security have already ditched passwords, turning instead to authentication systems based on devices, which are considered more secure than passwords and, for an increasing number of organizations, their primary authentication method in a two-factor authentication scheme. 
Seeking better security, more organizations will increasingly dump passwords for device authentication, a system that can be used on any mobile device; the greater security provided by Face ID will, I believe, inspire many organizations to reconsider how they approach authentication, and opt for something more secure, even on devices other than the newest iPhones. 
Fingerprints have often been used as a second factor in a two-factor scheme, and now that second factor has gotten a major upgrade. Two-factor authentication based on devices, used with Apple devices that support Face ID, will present a formidable challenge to anyone trying to break into an Apple device. While Face ID currently is strictly limited to some Apple devices, it’s just a matter of time until 3-D face recognition as an authentication method trickles down to the rest of the industry, as the industry follows in the path of market leader and innovator Apple.
Combining proven device authentication systems with Face ID truly is a game changer — a revolution, even — and companies seeking to improve their security systems are going to be very attracted to this winning combination. Long live that revolution, I say. 
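One detail worth making concrete, because it decides what an organization actually gains from Face ID: the biometric never leaves the phone. What a server can verify is a response computed with a key that only that device holds, and the face match merely decides whether the phone is willing to use that key. The added example below (written for this page, not Apple’s or any vendor’s code) shows that device-authentication round trip, with a server that issues single-use, time-limited challenges and a phone that answers only after a local unlock. An HMAC-SHA256 over a server nonce stands in for the signature a real device would produce with a hardware-protected key; the device id, enrollment secret and clock are all constructed.

```python
"""Phone-as-authenticator challenge-response.

Added example, not Apple's or any vendor's code. The biometric stays on the
phone; the server only ever sees a response bound to its own nonce and to the
device, produced with a secret enrolled once. HMAC-SHA256 stands in for the
signature a real device would make with a hardware-protected key. Device id,
secret and clock are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


def _response(secret: bytes, device_id: str, challenge: str) -> str:
    # Bind the response to both the device and this exact challenge.
    msg = f"{device_id}|{challenge}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class AuthServer:
    """Issues single-use, time-limited challenges and verifies responses."""

    def __init__(self, now: Callable[[], float] = time.time, ttl: float = 60.0):
        self._now = now            # injectable clock, so expiry can be exercised
        self._ttl = ttl
        self._secrets: Dict[str, bytes] = {}              # device_id -> secret
        self._pending: Dict[str, Tuple[str, float]] = {}  # challenge -> (device_id, expiry)

    def enroll(self, device_id: str) -> bytes:
        # Done once over a trusted channel; the secret is then held by the phone.
        secret = secrets.token_bytes(32)
        self._secrets[device_id] = secret
        return secret

    def issue_challenge(self, device_id: str) -> str:
        if device_id not in self._secrets:
            raise KeyError("unknown device")
        challenge = secrets.token_hex(16)
        self._pending[challenge] = (device_id, self._now() + self._ttl)
        return challenge

    def verify(self, device_id: str, challenge: str, response: Optional[str]) -> bool:
        entry = self._pending.pop(challenge, None)   # consumed on first use: replays fail
        if entry is None or response is None:
            return False
        owner, expiry = entry
        if owner != device_id or self._now() > expiry:
            return False
        expected = _response(self._secrets[device_id], device_id, challenge)
        return hmac.compare_digest(expected, response)


class Phone:
    """The authenticator. `unlock` stands in for the local biometric check."""

    def __init__(self, device_id: str, secret: bytes, unlock: Callable[[], bool]):
        self.device_id = device_id
        self._secret = secret
        self._unlock = unlock

    def respond(self, challenge: str) -> Optional[str]:
        if not self._unlock():
            return None      # no biometric match: the key is not used, nothing is sent
        return _response(self._secret, self.device_id, challenge)


def login(server: AuthServer, phone: Phone) -> bool:
    """One second-factor round trip: challenge out, response back, verdict."""
    challenge = server.issue_challenge(phone.device_id)
    return server.verify(phone.device_id, challenge, phone.respond(challenge))


if __name__ == "__main__":
    srv = AuthServer()
    phone = Phone("phone-1234", srv.enroll("phone-1234"), unlock=lambda: True)
    print("login:", login(srv, phone))
```

Two edge cases the server must handle are visible in the verify step: a captured response replayed later fails because the challenge is consumed on first use, and a challenge that sat too long expires. A device with the wrong secret, or a phone whose local unlock refuses, never produces an acceptable response.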