Microsoft and a team of concerned engineers from across the security sector have joined forces to suggest a major re-write of the arms control pact the Wassenaar Arrangement, as they fear the document’s terms are a threat tot he information security industry.

The pitch is the result of brainstorming by the group to redefine the core aims of the Arrangement, which aims to restrict export of both weapons and “dual-use” items that have military potential beyond their main functions. The Arrangement was negotiated and signed behind closed doors in 2013, without the infosec industry’s participation.

Source: Microsoft and pals re-write arms control pact to save infosec industry

When a team of hackers discovered that St. Jude Medical Inc.’s pacemakers and defibrillators had security vulnerabilities that could put lives at risk, they didn’t warn St. Jude. Instead, the hackers, who work for cybersecurity startup MedSec, e-mailed Carson Block, who runs the Muddy Waters Capital LLC investment firm, in May. They had a money-making proposal.

MedSec suggested an unprecedented partnership: The hackers would provide data proving the medical devices were life-threatening, with Block taking a short position against St. Jude. The hackers’ fee for the information increases as the price of St. Jude’s shares fall, meaning both Muddy Waters and MedSec stand to profit. If the bet doesn’t work, and the shares don’t fall, MedSec could lose money, taking into account their upfront costs, including research. St. Jude’s shares declined 4.4 percent to $77.50 at 1:40 p.m. in New York with more than 25 million shares traded.

Source: Carson Block’s Attack on St. Jude Reveals a New Front in Hacking for Profit

This is a very clever way to make money off hard security research. If it seems a bit mercenary, the hackers say that they took this extreme step for the following reasons:

“We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing,” said Bone, an experienced security researcher and the former head of risk management for Bloomberg LP, the parent of Bloomberg News. “We partnered with Muddy Waters because they have a great history of holding large corporations accountable.”

“As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts,” Bone said. There are steps St. Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor’s visit, she said.

Microsoft’s update for version 1607 doesn’t fix two widespread problems with Windows 10 Anniversary Update, and it causes problems with PowerShell DSC operations

Source: Windows 10 cumulative update KB 3176934 breaks PowerShell

This update contained a fix for the borked update below:

The Windows 10 Anniversary Update has reportedly broken millions of webcams. If your webcam has been affected, there’s a workaround to get it back if you don’t mind tweaking your registry a bit.

Source: Windows 10 Anniversary Update Broke Millions of Webcams, Here’s How to Fix It

​Exactly a year ago, attackers used an advertisement on Yahoo to redirect users to a site infected by the Angler exploit kit. Just weeks before, users were exposed to more malicious software through compromised advertisements that showed up across the web. In total, at least 910 million users were potentially exposed to malware through these attacks. The common thread? The malware was hidden from firewalls by SSL/TLS encryption.
[…]
Companies can stop SSL/TLS attacks, however most don’t have their existing security features properly enabled to do so. Legacy network security solutions typically don’t have the features needed to inspect SSL/TLS-encrypted traffic. The ones that do, often suffer from such extreme performance issues when inspecting traffic, that most companies with legacy solutions abandon SSL/TLS inspection.

Source: Can Good Encryption be a Double-Edged Sword for Security in Australia?

Report: Penetration testers’ five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software.

Playing whack-a-mole with software vulnerabilities should not be top of security pros’ priority list because exploiting software doesn’t even rank among the top five plays in the attacker’s playbook, according to a new report from Praetorian.
[…]

Tweet
Attacker’s Playbook Top 5 Is High On Passwords, Low On Malware
Report: Penetration testers’ five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software.

Playing whack-a-mole with software vulnerabilities should not be top of security pros’ priority list because exploiting software doesn’t even rank among the top five plays in the attacker’s playbook, according to a new report from Praetorian.

Organizations would be far better served by improving credential management and network segmentation, according to researchers there.

Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks. The most common of these “root causes” though, were not zero-days or malware at all.

The top five activities in the cyber kill chain — sometimes used alone, sometimes used in combination — were:

1. abuse of weak domain user passwords — used in 66% of Praetorian pen testers’ successful attacks
2. broadcast name resolution poisoning (like WPAD) — 64%
3. local admin password attacks (pass-the-hash attacks) — 61%
4. attacks on cleartext passwords in memory (like those using Mimikatz) — 59%
5. insufficient network segmentation — 52%

The top four on this list are all attacks related to the use of stolen credentials, sometimes first obtained via phishing or other social engineering. Instead of suggesting how to defend against social engineering, Praetorian outlines mitigations to defend against what happens after a social engineer gets past step one.

Source: Attacker’s Playbook Top 5 Is High On Passwords, Low On Malware

Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature
[…]
The feature means customers are able to checkout quickly by just putting their email address into a text entry box. Doing so returns personal information in cleartext, if the email address entered is already in Strawberrynet’s records.
[…]
The mail explains the company’s stance as follows:

Please be advised that in surveys we have completed, a huge majority of customers like our system with no password. Using your email address as your password is sufficient security, and in addition we never keep your payment details on our website or in our computers.

Source: Beauty site lets anyone read customers’ personal information

For anyone wondering, this is incredibly stupid behaviour.

Two hackers were able to steal email addresses and easily crackable passwords from three separate forums in this latest hack.

Two hackers carried out attacks on three separate game-related forums in July and August. One forum alone accounted for almost half of the breached data — a little under 13 million records; the other two forums make up over 12 million records.

The databases were stolen in early August, according to breach notification site LeakedSource.com, which obtained a copy of the databases.

The hackers’ names aren’t known, but they used known SQL injection vulnerabilities found in older vBulletin forum software to get access to the databases.

Source: Millions of accounts stolen after Russian forums hacked