Critical, Unpatched Cisco Flaw Leaves Small Business Networks Wide Open*:
- A critical and unpatched vulnerability in the widely deployed Cisco Small Business Switch software leaves the door open to remote, unauthenticated attackers gaining full administrative control over the device – and therefore the network.
- Cisco Small Business Switches were developed for small office and home office (SOHO) environments, to manage and control small local area networks with no more than a handful of workstations.
- They come in cloud-based, managed and unmanaged “flavors,” and are an affordable (under $300) solution for resource-strapped small businesses.
- The vulnerability (CVE-2018-15439), which has a critical base CVSS severity rating of 9.8, exists because the default configuration on the devices includes a default, privileged user account that is used for the initial login and cannot be removed from the system.
- An administrator may disable this account by configuring other user accounts with access privilege set to level 15.
- However, if all user-configured privilege level 15 accounts are removed from the device configuration, it re-enables the default privileged user account without notifying administrators of the system.
- “Under these circumstances, an attacker can use this account to log in to an affected device and execute commands with full admin rights,” Cisco explained in its advisory on Wednesday. “[It] could allow an unauthenticated, remote attacker to bypass the user-authentication mechanism of an affected device.”
- Since the switches are used to manage a LAN, a successful exploit means that a remote attacker would gain access to network security functions such as firewalls, as well as the management interface for administering voice, data and wireless connectivity for network devices.
- There’s no patch to address the vulnerability, though one is expected at some (as yet unannounced) point in the future, Cisco said.
- There is however a simple workaround: Just add at least one user account with access privilege set to level 15 in the device configuration.
- Users can “configure an account by using admin as user ID, setting the access privilege to level 15, and defining the password by replacing with a complex password chosen by the user,” according to the advisory.
- The flaw affects Cisco Small Business 200 Series Smart Switches, 250 Series Smart Switches, 300 Series Managed Switches, 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, 500 Series Stackable Managed Switches and 550X Series Stackable Managed Switches.
- The Cisco 220 Series and 200E Series Smart Switches aren’t affected, and neither are devices running Cisco IOS Software, Cisco IOS XE Software or Cisco NX-OS Software, according to the networking giant.
- Earlier in January Cisco issued 18 fixes as part of its monthly update, including two serious vulnerabilities for another small-business stalwart – its security appliance tool.
- Two bugs, one critical and one high-severity, could ultimately lead to a permanent denial of service (DoS) on impacted devices – and can be exploited by an attacker who simply sends an email.
*Source: ThreatPost, January 18, 2019
BlackRock Exposes Confidential Data On Thousands Of Advisers On iShares Site*:
- BlackRock Inc., the world’s largest asset manager, inadvertently posted confidential information about thousands of financial adviser clients on its website.
- The data appeared in three spreadsheets, linked on one of the New York-based company’s web pages dedicated to its iShares exchange-traded funds.
- The documents included names and email addresses of financial advisers who buy BlackRock’s ETFs on behalf of customers.
- They also appeared to show the assets under management each adviser had in the firm’s iShares ETFs.
- The links were dated Dec. 5, 2018, but it’s unclear how long they were public.
- The documents were seen by Bloomberg and removed Friday.
- BlackRock, which oversees assets of almost $6 trillion, is the world’s largest issuer of ETFs.
- One of the spreadsheets appears to list more than 12,000 entries of advisers and their sales representatives at BlackRock.
- On another, the advisers were categorized in a variety of ways such as “dabblers” or “power users.”
- A column noted their “Club Level” including the “Patriots Club” or “Directors Club.”
- A review is being conducted as per the spokesperson of BlackRock.
- Securing data is known to keep Wall Street leaders awake at night.
- But most often, senior executives cite a fear of hackers, which has prompted some of the nation’s biggest banks to pour upwards of $1 billion a year into cybersecurity.
- It’s one area where financial firms set aside bitter rivalries, sharing tips and collaborating on projects to ensure the public remains confident in the industry -- and that it never suffers a catastrophic loss.
- But even data breaches that don’t expose client assets risk reputational harm.
- In 2014, JPMorgan Chase & Co. suffered one of the industry’s largest losses of information, estimating at the time that hackers had accessed contact information on more than 80 million clients.
- Chief Executive Officer Jamie Dimon vowed to increase the bank’s security budget and embarked on a hiring spree to build out those operations for what he called “a permanent battle.”
- He has repeatedly updated investors on those efforts in annual letters.
- Firms can’t avoid breaches entirely, but they can react to them in a way that rebuilds trust, said John Reed Stark, who focused on internet crimes while working in the Securities and Exchange Commission’s enforcement division and now runs a cybersecurity consulting business.
*Source: Bloomberg, January 19, 2019
Cumbria Health Trust Hit By 147 Cyber Attacks In Five Years*:
- The NHS in Cumbria has been hit by more than 150 cyber attacks in five years, the BBC can reveal.
- Of these, 147 were directed at University Hospitals of Morecambe Bay NHS Trust (UHMBT), which runs hospitals in Barrow, Kendal, Morecambe and Lancaster.
- The trust said it had spent £29,600 in 2017 dealing with the effects of cyber attacks.
- The "vast majority" were "untargeted and unsuccessful", it said.
- Lee Coward, the trust's head of information technology, said its "very rigorous reporting" process mean it was possible it had reported "higher volumes of identified cyber 'attacks' than other organisations".
- University of Cumbria senior lecturer in policing and criminology Iain Stainton said the number of attacks on UHMBT was "extraordinary".
- The National Cyber Security Centre average was 10 per week across the UK, he said.
- A Freedom of Information (FOI) request by BBC News found the rest of the county's councils and NHS trusts were, by comparison, targeted 14 times in total between 2014 and 2018.
- Emergency patients had to be transferred from Whitehaven to Carlisle in 2017 because hackers demanding ransom money had locked NHS staff out of computer systems.
- Copeland Borough Council spent £2m recovering from an attack later the same year, it said.
- Independent elected mayor Mike Starkie said the effect on the council had been "devastating".
*Source: BBC UK, January 19, 2019
Oklahoma Department Of Securities Breached*:
- The Oklahoma Department of Securities is the latest governmental body to report a breach.
- This time over a million files consisting of department files and FBI investigation records were disclosed via an open server, making it all available to the public.
- A security researcher of UpGuard discovered the vulnerability in security.
- The breach compromised a total of 3TB of data.
- In December the security researcher did not enter a password to gain access into the server.
- Companies affected included Goldman Sachs and the Lehman Brothers, UpGuard notified the Department who swiftly removed public access.
- This comes after the compromise of Chinese jobseekers CVs.
- This added up to 854 GB of data.
- In the last weeks of December 2018, weak security led to the exploitation of another system, this time a database.
- The South China Morning Post reported a US-based database in China was allegedly responsible.
- However other claimed bj.58.com was responsible. It is still not known who is accountable.
- Data leaked included names of job seekers, addresses, contact information as well as their educational and occupational background.
- The organisation accountable for the database shortly took the database offline after HackenProof reported their findings.
- Lessons for organisations to take from these breaches include implementing practices such as password management, have someone responsible for ensuring all these measures are in place and have policies detail this requirement.
- The policy should be managed and organisations should check staff are complying with it.
- Access control was another weak area in both cases.
- Implementing and monitoring access control will preserve the confidentiality of data.
*Source: Latest Hacking News, January 10, 2019
Cybercrime Could Cost Companies $5.2 Trillion Over Next Five Years*:
- Companies globally could incur US$5.2 trillion in additional costs and lost revenue over the next five years due to cyber attacks, as dependency on complex internet-enabled business models outpaces the ability to introduce adequate safeguards that protect critical assets, according to a new report from Accenture.
- Based on a survey of more than 1,700 CEOs and other C-suite executives around the globe, the report, Securing the Digital Economy: Reinventing the Internet for Trust, explores the complexities of the internet-related challenges facing business and outlines imperatives for the CEO’s evolving role in technology, business architecture and governance.
- The report notes that cybercrime from a wide range of malicious activities poses significant challenges that can threaten business operations, innovation and growth, and the expansion into new products and services, ultimately costing companies trillions of dollars.
- The high-tech industry faces the highest risk, with more than US$753 billion hanging in the balance, followed by the life sciences and automotive industries, with US$642 billion and US$505 billion at risk, respectively.
- Accenture communications, media, and technology operating group lead Omar Abbosh “Internet security is lagging behind the sophistication of cyber criminals and is leading to an erosion of trust in the digital economy.”
- Among the key findings: Four in five respondents (79%) believe that the advancement of the digital economy will be severely hindered unless there is dramatic improvement to internet security, and more than half (59%) of respondents said the internet is getting increasingly unstable from a cybersecurity standpoint and they are unsure how to react.
- At the same time, three-quarters (75%) of respondents believe that addressing cybersecurity challenges will require an organised group effort, as no single organisation can solve the challenge on its own.
- With heightened concerns about internet security, more than half (56%) of executives would also welcome stricter business regulations imposed by a central organisation or governing body.
- The rapid emergence of new technologies is creating additional challenges, as four in five respondents (79%) admit that their organisation is adopting new and emerging technologies faster than they can address related cybersecurity issues, with three-quarters (76%) noting that cybersecurity issues have escaped their control due to new technologies such as the internet of things (IoT) and the industrial internet of things (IIoT).
- A majority (80%) also said protecting their companies from weaknesses in third parties is increasingly difficult, which isn’t surprising given the complexity of today’s sprawling internet ecosystems.
- Also, consumer data protection is on the minds of many senior executives.
- Fuelled by security concerns, 76% of respondents believe that consumers can’t trust the safety of their online identities when too much of their personal data is already available without restrictions.
*Source: Channel Life, January 21, 2019