Search the Community

Cyber-attacks against critical infrastructure companies have long since moved out of the realm of science fiction and into reality, and a new report from Trend Micro and the Organization of the American States (OAS) shows just how much. In a new survey, the challenges those organizations are facing today are laid bare. Forty percent of 575 security leaders polled said they had dealt with attempts to shut down their computer networks. Forty-four percent said they had faced attempts by attackers to delete files, while 60 percent have had attackers try to steal their information. Perhaps even more ominous is the fact that 54 percent had dealt with attempts to manipulate their organization's equipment through a control network or system. "This research should serve as a wake-up-call that critical infrastructures have become a prime target for cybercriminals," said Tom Kellermann, chief cybersecurity officer at Trend Micro, in a statement. "These groups have escalated their attacks by leveraging destructive campaigns against the infrastructures of the Western Hemisphere." The respondents came from organizations throughout the Americas. In the U.S., the “ICS-CERT Monitor” newsletter for the period between September 2014 and February 2015 stated that a total of 245 cyber-security incidents were reported to ICS-CERT during fiscal year 2014. According to the report, the energy and critical manufacturing sectors were impacted the most. In the OAS/Trend Micro survey, 53 percent of those surveyed said they have noticed an increase in incidents affecting their networks in the past year. The primary attack was phishing, which was noted by 71 percent. DDoS (42 percent) and SQL injection (32 percent) were commonly reported as well. Just 18 percent reported being targeted by advanced persistent threats (APTs). "A major challenge today is the sophistication of attacks (76% say they are getting more sophisticated) which are difficult to detect," according to the report. "With almost a third of the respondents falling into this category, it is apparent that continuous monitoring controls are a needed requirement within most organizations to improve their visibility across their networks of attacker presence." The good news is that more than half of those surveyed said they have disaster recovery (54 percent) and incident response (52 percent) plans in place. The bad news - 52 percent said their budget for cyber-security did not increase during the past year. Most organizations said they trust the government to advance a cyber-security agenda to protect critical infrastructure companies, and they are willing work with them. "Since critical infrastructure affects everyone within a region, Public-Private Partnerships (PPPs) are key in properly managing the threat associated with threat actors looking to compromise these systems," the report noted. "With only 1 in 5 (21%) respondents stating an active dialogue there is a high level of improvement to be done to effectively deal with the threat." "Governments in the Americas and around the world must recognize the serious vulnerabilities inherent to critical infrastructure and the potential for grave consequences if not properly secured," said Neil Klopfenstein, executive secretary of the OAS Inter-American Committee against Terrorism (CICTE), in a statement. "From electrical grids and water treatment plants, to oil exploration fossil fuel supplies and transportation, these systems are vital to virtually every element of society. This report reinforces a need to continue strengthening protection of critical infrastructures in our member states, while collaborating and sharing information so as to collectively address these issues and foster a secure and resilient cyber space for government, businesses and citizens in the region." Sursa: securityweek.com

Mozilla has patched 16 security vulnerabilities in Firefox, including three critical flaws in the browser. One of the critical vulnerabilities patched with the release of Firefox 36 is a buffer overflow in the libstagefright library that can be exploitable under some circumstances. “Security researcher Pantrombka reported a buffer overflow in the libstagefright library during video playback when certain invalid MP4 video files led to the allocation of a buffer that was too small for the content. This led to a potentially exploitable crash,” the Mozilla advisory says. Among the other critical bugs patched in this release is a use-after-free vulnerability in the indexdDB component of the browser. “Security researcher Paul Bandha used the used the Address Sanitizer tool to discover a use-after-free vulnerability when running specific web content with IndexedDB to create an index. This leads to a potentially exploitable crash,” Mozilla said in its advisory. Firefox 36 also includes patches for a variety of memory safety vulnerabilities. The new release also includes fixes for a number of high-risk vulnerabilities, one of which affects the Mozilla updater function in the browser. The bug could let an attacker load malicious files. “Security researcher Holger Fuhrmannek reported that when the Mozilla updater is run directly, the updater will load binary DLL format files from the local working directory or from the Windows temporary directories. This occurs when it is run without the Mozilla Maintenance Service on Windows systems. This allowed for possibly malicious DLL files to execute with elevated privileges if a user agrees when a User Account Control (UAC) prompt from Windows is displayed,” the advisory says. The new browser also includes fixes for a handful of other medium and low-risk security bugs. Source

Depdep is a merciless sentinel which will seek sensitive files containing critical info leaking through your network. Download: https://github.com/galkan/depdep