10Fold – Security Never Sleeps – 70

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider:  Adobe Systems released a security update for Flash Player to fix 24 critical vulnerabilities, including one that hackers have been exploiting to infect computers with ransomware over the past week. Yesterday, news broke that The National Childbirth Trust has apologized to their 15,000 new and expectant parents after their registration details were accessed in a “data breach” where email addresses, usernames and passwords were “compromised.” At this very moment in New York City, you can walk up to one of 65 futuristic kiosks, punch in an email address on your phone and instantly receive a wireless Internet connection that follows you around town. While most of the reported incidents of data being held hostage have purportedly involved a careless click by an individual on an e-mail attachment, an emerging class of criminals with slightly greater skill has turned ransomware into a sure way to cash in on just about any network intrusion.

Adobe patches actively exploited Flash Player vulnerability in 24 flaw fix – Publication: PC World – Reporter name: Lucian Constantin

Adobe Systems released a security update for Flash Player to fix 24 critical vulnerabilities, including one that hackers have been exploiting to infect computers with ransomware over the past week. The company advised users Thursday to upgrade to the newly released Flash Player on Windows and Mac and Flash Player on Linux. The Flash Player was build bundled with Google Chrome on all platforms, Microsoft Edge and Internet Explorer. Twenty-two of the newly patched vulnerabilities can result in remote code execution on users’ computers, one can lead to a security feature bypass and one can be used to bypass the memory layout randomization mitigation that’s supposed to make exploitation harder in general.


National Childbirth Trust data breach: Industry reaction – Publication: ITProPortal – Reporter name: Sam Pudwell

Yesterday, news broke that The National Childbirth Trust has apologized to their 15,000 new and expectant parents after their registration details were accessed in a “data breach” where email addresses, usernames and passwords were “compromised.” Various industry professionals have offered their analysis and insight into yet another example of the security landscape threatening organizations all over the world. Simon Crosby, CTO and co-founder of Bromium said, “When we hear about attacks that have persisted on a compromised system for weeks or even months before detection, it is unlikely that hackers were waiting to take advantage of the breach, but far more likely that existing detection-based systems failed to properly respond to the attack.”


The tremendous ambitions behind New York City’s free WiFi – Publication: The Washington Post – Reporter name: Brian Fung

At this very moment in New York City, you can walk up to one of 65 futuristic kiosks, punch in an email address on your phone and instantly receive a wireless Internet connection that follows you around town. In a city of more than 8 million, that might not sound like much. But the WiFi kiosks, known individually as Links, offer a proof-of-concept for a wider planned network of some 7,500 hotspots across the city. Imagine if you switched them all on at once. This public connectivity could someday wind up supplementing — if not replacing — some New Yorkers’ existing Internet subscriptions, said Intersection’s chief innovation officer, Colin O’Donnell. Instead of browsing the Web through your home WiFi or 4G LTE, just pop onto the nearest Link’s WiFi signal.  The sheer volume of information gathered by this powerful network will create a massive database of information that will present attractive opportunities for hackers.


Ok, panic – newly evolved ransomware is bad news for everyone – Publication: Ars Technica – Reporter name: Sean Gallagher

While most of the reported incidents of data being held hostage have purportedly involved a careless click by an individual on an e-mail attachment, an emerging class of criminals with slightly greater skill has turned ransomware into a sure way to cash in on just about any network intrusion. And that means that there’s now a financial incentive for going after just about anything. While the payoff of going after businesses’ networks used to depend on the long play—working deep into the network, finding and packaging data, smuggling it back out—ransomware attacks don’t require that level of sophistication today. It’s now much easier to convert hacks into cash. This week’s randomware attack at Maryland’s MedStar Health hospital network is a prime example. For more than a week, 10 hospitals operated without access to their central networks, because the Windows servers controlling MedStar’s domains were locked down by the ransomware variant known as Samsam.