ICO Analysis: Mandala

With the increasing popularity of cryptocurrencies comes a growing demand for exchanges where the various cryptocurrencies can be traded. And although cryptocurrency exchanges have seen huge growth during the past couple of years, that growth still shows no sign of slowing down. We now have a large selection of both traditional centralized and newer decentralized […]

The post ICO Analysis: Mandala appeared first on Hacked: Hacking Finance.

Security Affairs: Xenotime, Threat actors Behind Triton Malware broadens its activities

The threat actor behind the Triton malware (aka Trisis, Xenotime, and HatMan) is now targeting organizations worldwide and safety systems.

The attackers are expanding their targets, and new variants are able to attack systems other than Schneider Electric’s Triconex.

The malware was first spotted in December 2017 by researchers at FireEye, who discovered that it was specifically designed to target industrial control systems (ICS).

Security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

Triton malware

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

TRITON is designed to communicate using the proprietary TriStation protocol, which is not publicly documented; this implies that the attackers reverse engineered the protocol to carry out the attack.

According to experts at Dragos, the threat actors have been active since at least 2014; they were discovered in 2017 after they caused a shutdown at a critical infrastructure organization somewhere in Saudi Arabia.

Dragos researchers warn of new cyber attacks powered by the same group against organizations globally.

“Dragos assesses with moderate confidence that Xenotime intends to establish required access and capability to cause a potential future disruptive or even destructive event,” states Dragos Security. “Compromising safety systems provides little value outside of disrupting operations. The group created a custom malware framework and tailor-made credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly. As Xenotime matures, it is less likely that the group will make this mistake in the future.”

Experts at Dragos have published a collection of reports on threat groups targeting critical infrastructure; the first one covered the activities of the Russia-linked Allanite group.

Summary info on threat actors will be made available through an Activity Groups dashboard, but users interested in the full technical report need to pay for it.

Pierluigi Paganini

(Security Affairs – Triton Malware, Xenotime)

The post Xenotime, Threat actors Behind Triton Malware broadens its activities appeared first on Security Affairs.

HOTforSecurity: Apple users can download all the data the company has on them

Unless you’ve been living under a rock this entire time, you’ve probably heard and already been blasted with emails related to GDPR, the EU’s data privacy regulation. Companies must keep customers informed about how their data is processed and assure them that they will from now on do their best to protect it.

Apple is one of the companies trying to comply with GDPR, which goes into effect tomorrow, May 25. The company has released the Data and Privacy portal, where you have access to everything Apple knows and stores about you, including online history, Apple ID accounts, iCloud data, contacts, photos, documents, music and store history. Once they log in, users get clear instructions on how to download their data.

Because users can download as much as 25GB, the download process may take as much as a week. Users interested in the data are advised to hurry with the download, because otherwise it will be deleted from Apple’s database in two weeks. Since users will most likely download data they have willingly provided to the company, they shouldn’t be shocked by anything they find in the dataset.

For now, the download option is provided for accounts located in member states of the European Union, as these are directly targeted by the regulation, and the European countries outside the Union – Iceland, Liechtenstein, Norway and Switzerland. In the future, Apple plans on making this feature available for all countries worldwide.

Is the C-suite exempt from cyber-crime anxiety?

If recent cyber-attacks are anything to go by, cyber-criminals are capable of causing colossal damage to organisations of all sizes. With vital public services such as the NHS succumbing to attacks, it seems that nothing is off the table when it comes to cyber-criminals deciding whom to target. However, according to some reports, the C-suite isn’t sweating over the potential of an attack or the financial fallout should such an attack succeed.

According to one report covered by City A.M., just one third of businesses in Britain have a financial strategy prepared should they become the subject of a cyber-attack. What’s more, only half of companies actually discuss the possibility of a cyber-attack at board level, according to research from Lloyds Bank.

Business leaders must think beyond simply signing off budgets for safeguarding software and physical hardware. They must also consider the financial consequences of a potential attack, including the seemingly far-fetched but increasingly likely concept of paying a ransom to regain access to systems in the control of cyber-criminals, or to release data that cyber-criminals have swiped from their systems.

On the former, the survey suggests one third of companies would pay such a demand to unlock their systems. But aren’t you just opening the door to even more attacks in doing so? Even if you were willing to stump up the money, how much would you be prepared to pay and has this amount been insured for? Only a quarter of those surveyed by Lloyds Bank had policies covering such scenarios.

The problem remains that these ‘cyber insurance’ policies simply don’t cover everything; how could they, when the threat landscape changes daily and the market is still immature for insurers? And when hackers have locked your systems and threatened to delete data if you don’t hand over money, the decision on whether to pay can be a tough call, risking huge reputational and day-to-day damage and, in some cases, even putting lives at risk.

You only have to look at last year’s NHS cyber-attack and the recent attack on the city of Atlanta’s servers to imagine the fallout and destruction that could ensue. Of course, the best form of defence is a proactive defence, especially when cyber-attacks are getting far smarter at outwitting the checks and balances many currently have in place.

The biggest source of infiltration by criminal malware is email, and all it takes is one member of staff to click on a seemingly innocent attachment in an email that appears to have been sent from a known contact. In fact, 74 percent of all successful malware and ransomware attacks find their way onto IT systems and sensitive data through email attachments. Since email is the lifeblood of organisations, it can’t simply be switched off to safeguard the business from attacks.

This does not mean your current security technology is entirely useless, but it does mean you must continually analyse its ability to protect you and ensure every border is protected. We’re still witnessing companies applying a one-size-fits-all approach to cyber security, as if it’s simply another tick-in-the-box exercise. This is a grave mistake. Every border needs innovative technology in place to keep threats at bay because the traditional anti-virus methods cannot keep up with the dynamic threat landscape that we see today.

But how often would a company run education sessions for employees to ensure they know what they should click and what they shouldn’t? The old adage of ‘if it looks too good to be true, it probably is’ still has value, but cyber-attacks are becoming even more sophisticated and clever at disguising themselves in realistic-looking documents and links.

Alongside this, it is reported that only one in 10 cyber-crime cases is actually investigated by police, leaving the door wide open for the problem to grow out of hand in the coming years, with crooks knowing they are likely to get away with it if they just try their luck. The power is firmly in the hands of the cyber-criminal.

The advent of GDPR regulation, coming into effect in May, also raises fears. It means enterprises face much larger financial penalties should they suffer a data breach. The recent compromising of 150 million MyFitnessPal accounts is just another example in a long line of such attacks, which are increasingly becoming everyday news.

It’s disconcerting to learn that just half of companies are discussing these issues at the most senior levels. The problem must be taken seriously rather than parked as something that ‘won’t ever happen to us’. Then it must be tackled head on – proactively rather than reactively.

Unless you are thinking proactively and embracing innovation to regularly close down attack vectors, you’ll forever be on the back foot with potential fixes and patches, watching helplessly as cyber-criminals race ahead with new and successful attempts to bypass them.

The post Is the C-suite exempt from cyber-crime anxiety? appeared first on IT SECURITY GURU.

Solving the problem of insider threats to enterprise cybersecurity

There are many threats to enterprise cyber security, most of them coming from external threat actors. One of the most overlooked threats, and one that no company is safe from, is the insider threat. Security professionals are constantly being warned about insider threats, and in A10 Networks’ AIR report earlier this year almost half (48 percent) of IT leaders said they agree or strongly agree that their employees do not care about the company’s security practices. With companies aware of the issue, what are enterprises doing to fight back against these threats, and why is it such a major concern?

How big is the problem of insider threats? 

The simple answer is: very big. Cyber threats in general present a big issue to many companies, but many can be dealt with by using the appropriate solutions and having trained employees. To tackle insider threats, managers and IT leaders need to take an entirely different approach, which can vary depending on the business environment.

Insider threats can broadly be classified into two distinct groups: the malicious, criminal employee and the unknowing, ignorant employee. Each group has to be approached in a different way, and identifying which employee falls into which group is not simple. Employers have to work out what motive a member of staff might have to act maliciously, while distinguishing them from merely clumsy employees.

It’s sabotage

The motive behind an employee looking to sabotage a business could come from many sources, such as holding a grudge over a bad personal assessment, peer or management conflicts, differing ideological views or pressure from an outside force. Identifying a motive can be difficult but, fortunately, desire alone will not give such employees a chance to act. There needs to be an opportunity as well, and this is where those in charge can work to prevent sabotage.

Many opportunities arise simply from an employee having more access than they need to sensitive information, so it is important that managers ensure every employee has only the minimum access required for their role. Then there are more sinister attempts at disrupting businesses, such as social engineering tactics: setting up the right scenario for a malicious employee to gain access through someone else’s computer or network account.

Additional signals that security professionals should take notice of are unusual behaviours by some employees, such as arriving early or leaving after everyone else, recent changes in access, the frequency of downloads or failed login requests from a user’s system. Any one of these could be a sign of an ulterior motive, and they are good places to start when trying to identify malicious employees in the business. Behaviour is the key, and it is important to determine the behaviour patterns of individuals, whether that is done with technology, physical apparatus or digital monitoring tools.

Did I do that?

With the next group – the unknowing, ignorant, employee – a different approach is needed. The cyber threat from this group can come from many places but it all stems from one issue: they do not realise they are a risk. So, the simple solution to solving this problem is to properly educate staff, and not just the IT department but the entire business, as these risks can come from any department.

88 percent of IT heads say that employees need better education on the best security practices, and while many companies do inform their staff of these practices, 29 percent of IT professionals noted a lack of corporate commitment to policies and enforcement. So, while enterprises know the best practices to stop insider cyber threats, most employees don’t care; perhaps the area that needs fixing is the method by which enterprises explain these practices.

According to the AIR report, password policies are communicated to employees through email reminders (66 percent), followed by employee orientation (50 percent), internal meetings (48 percent) and communication from a manager (44 percent). Email reminders are highlighted here as the main channel of communication, and this should not be the case. In today’s busy work environment employees receive emails non-stop and, when such vital security information is pushed into an already crowded inbox, they are bound to skip over it. They probably have more pressing work to deal with, so internal security information is not the priority. Eventually it will be forgotten.

The solution is simple. More direct communication with staff and more workshops around cybersecurity could bring these issues to the forefront of employees’ minds and make them more aware. Then, regarding passwords, it could be made mandatory to change them on a regular basis, with two-step authentication for extra protection. If password changes aren’t enforced, employees are most likely going to be too busy to make them.

Passwords not being updated isn’t the most pressing issue regarding insider threats. Every employee can bring with them a vulnerability to the corporate network. The most common threat an unknowing employee can introduce is opening an entryway through unverified or insecure apps, both on computers and on phones. Every employee has a mobile phone, most likely a smartphone with multiple apps that they may use throughout the day. Apps that require online connections may end up connected to the office network and provide a gateway for hackers. Then, on computers, some apps like Photoshop and Skype are common practice, but there are other, less secure apps that could bring malware with their installation.

To tackle this issue, a policy should be put in place on what can and cannot be used in the office, at least on laptops and PCs. If an employee wants to install new software, they should need to be granted permission from an admin who can verify that the app is secure. Mobile apps are harder to control, as they aren’t strictly for work, but if employees are properly taught about these threats and regularly informed about how to avoid suspect apps themselves, then they can stay more aware of potential threats.

Is there hope?

Almost a quarter of IT decision-makers think there will be no improvement in security behavior at their company, but 75 percent are more optimistic. Cybersecurity is increasingly becoming more mainstream in the business world and many enterprises are beginning to shift more resources to fight back. Funding is going towards technology to deal with malware and other malicious outsider threats, but insider threats do not appear to be a focus yet. As more people take notice, hopefully this will change. Getting the balance between having a warm, open working environment vs. a police state-esque look and feel is not easy, but with correct training and observation of employee behaviours there is hope for enterprises to deal with insider threats.

The post Solving the problem of insider threats to enterprise cybersecurity appeared first on IT SECURITY GURU.

Search Msdn: Entity Framework Core 2.1 Roadmap | .NET Blog

As mentioned in the announcement of the .NET Core 2.1 roadmap earlier today, at this point we know the overall shape of our next release and we have decided on a general schedule for it. As we approach the release of our first preview later this month, we also wanted to expand on what we have ...

Search Msdn

Search Msdn: What Happened to Bower? | ASP.NET Blog

Bower is a popular package management system for managing static content used by client-side web applications. Visual Studio provides rich support for Bower, including templates and package management tools. Though it doesn’t say it explicitly, it implies that Bower is deprecated. Existing ...

Search Msdn: ASP.NET Core 2.1 roadmap | ASP.NET Blog

Five months ago, we shipped ASP.NET Core 2.0 as a foundational release for our high performance, cross-platform web framework for .NET and .NET Core. Since then we have been hard at work to deliver the next wave of features in ASP.NET Core 2.1. Below is an outline of the features and improvements ...

Search Msdn: Community – MSDN Blogs

Today’s guest blog post comes from the amazing James Donaldson, in a repurposed ALN/SEND specific blog post taken from his own blog site which can be found here.

Search Msdn: Announcing Entity Framework Core 2.1 Preview 2 | .NET Blog

Today we’re releasing the second preview of EF Core 2.1, alongside .NET Core 2.1 Preview 2 and ASP.NET Core 2.1 Preview 2. Thank you so much to everyone who has tried our early builds and has helped shape this release with their feedback and code contributions! For a more complete description of ...

Search Msdn: MSDN Blogs

Get the latest information, insights, announcements, and news from Microsoft experts and developers in the MSDN blogs.

Search Msdn: Entity Framework 6.2 Runtime Released | .NET Blog

Today we announce the availability of EF 6.2 runtime in NuGet.org. Entity Framework (EF) is Microsoft’s traditional object/relational mapper (O/RM) for .NET Framework. To understand the difference between EF6 and EF Core, please refer to our documentation. You can install EF 6.2 either using the ...

Everybody reboot! VPNFilter Malware infects 500k Routers

Newly discovered malicious software dubbed VPNFilter has infected hundreds of thousands of routers and network attached storage (NAS) devices globally and could be used to steal sensitive data or wipe out (“brick”) the devices, the company said.  Cisco’s Talos research group warned on Wednesday that newly discovered malware,...

Security spring cleaning: Tidying up messy firewall rules to reduce complexity

Most security teams are waging a daily battle against complex IT infrastructures, advanced malware and a severe skills shortage – a trifecta that has forced them to tackle select “priorities,” while letting other important initiatives fall by the wayside. One such task that usually falls to the bottom of the security “to-do” list is firewall rule cleanup. With so many things to do (managing next-gen architectures and combating sophisticated cyber criminals, for example) and so … More

The post Security spring cleaning: Tidying up messy firewall rules to reduce complexity appeared first on Help Net Security.

Time for a Troll Party!

Hi Everyone, It’s no secret that President Donald Trump enjoys tweeting. In fact, some might say that he’s built his political career on the micro-blogging platform. One of the features that he seems to use quite often is the “block” button. Once blocked, users no longer have the option to respond to any of the […]

The post Time for a Troll Party! appeared first on Hacked: Hacking Finance.

Is Cryptojacking Replacing Ransomware as the Next Big Threat?

Monitoring cyberthreats over time reveals interesting insights into the strategies used by cybercriminals and the evolution of the attack vectors they target. While the threat landscape continues to be quite diversified, trends do seem to run in predictable cycles. For example, over the last year or so ransomware has risen to become one of the most dominant threats plaguing organizations, especially in the market sectors of healthcare, finance, and education.

Password pattern analysis: Risky, lazy passwords the norm

Dashlane announced the findings of an analysis of over 61 million passwords. The analysis was conducted with research provided by Dr. Gang Wang, an Assistant Professor in the Department of Computer Science at Virginia Tech. Researchers examined the data for patterns, illuminating simple mistakes that continue to be made by people who use passwords in daily life, which is to say—virtually everyone. They found patterns across the keyboard, from not-so-randomly chosen letters and numbers to, … More

The post Password pattern analysis: Risky, lazy passwords the norm appeared first on Help Net Security.

CryptON Ransomware used to hack remote desktop services

A new and active campaign for the CryptON Ransomware is currently underway where attackers are hacking into computers with Internet accessible Remote Desktop Services. Once the attackers gain access to the computer they manually execute the ransomware and encrypt your files. This new campaign was first discovered by Malwarebytes security researcher S!Ri who posted about it on Twitter.

ORIGINAL SOURCE: Bleeping Computer

The post CryptON Ransomware used to hack remote desktop services appeared first on IT SECURITY GURU.

WordPress sites targeted by hackers installing backdoored plugins

Hackers have come up with a never-before-seen method of installing backdoored plugins on websites running the open-source WordPress CMS, and this new technique relies on using weakly protected WordPress.com accounts and the Jetpack plugin. The technique is highly complex, and to compromise a site, a hacker must go through different steps, during which multiple things can prevent the attack from being successful.

ORIGINAL SOURCE: Bleeping Computer

The post WordPress sites targeted by hackers installing backdoored plugins appeared first on IT SECURITY GURU.

Cryptocurrency Verge (XVG) hit by DDOS attack

Verge (XVG), a cryptocurrency designed for everyday use and an improvement upon the original Bitcoin blockchain, is currently experiencing a DDoS cyber-attack. The company confirmed this with a statement on Twitter: “It appears some mining pools are under ddos attack, and we are experiencing a delay in our blocks, we are working to resolve this.” Ocminer on the BitcoinTalk forum suggests an attacker appears to have altered the Verge blockchain. The attacker exploited a bug in the Verge code that allowed malicious miners to set false timestamps on blocks and then rapidly mine new ones.

ORIGINAL SOURCE: CBR Online

The post Cryptocurrency Verge (XVG) hit by DDOS attack appeared first on IT SECURITY GURU.

Pressures impacting security pros are up, threats are turning up the heat

Trustwave released the 2018 Security Pressures Report based on a global survey of 1,600 full-time IT professionals who are security decision makers or security influencers within their organization. Findings show that a majority of IT and cybersecurity professionals experienced increased pressures in 2017 when compared to the previous year, driven largely by a steep rise in sophisticated malware, continued deficit of high-level security talent and budget constraints. This report marks the fifth consecutive year pressures … More

The post Pressures impacting security pros are up, threats are turning up the heat appeared first on Help Net Security.

VPNFilter compromising 500,000 routers

A newly disclosed malware infection has compromised more than 500,000 home and small office routers and NAS boxes. Researchers with Cisco Talos say the malware, dubbed VPNFilter, has been spreading around the globe but appears to be primarily targeting machines in Ukraine. “Both the scale and the capability of this operation are concerning,” Talos writes in its alert.

ORIGINAL SOURCE: The Register

The post VPNFilter compromising 500,000 routers appeared first on IT SECURITY GURU.

It’s time to embrace GDPR

The noise around the General Data Protection Regulation (GDPR) has been unavoidable, and for good reason. GDPR is coming into effect in a few short days (May 25 to be exact). The large fines associated with not complying with the regulation have encouraged organizations to prey on the large number of businesses that are unprepared. Everyone claims to have the one cure-all solution that will solve the compliance challenge. The truth is, there’s no universal … More

The post It’s time to embrace GDPR appeared first on Help Net Security.

Crypto Update: Coins Spike Lower amid Regulatory Woes, Technical Breakdown

Following a period of directionless range trading in the segment, cryptocurrencies got hit hard yesterday, on a very busy day in financial markets. The largest coins and small caps are down by 20% in two days on average, with the total value of the market declining by around $70 billion. The Indian tax plan, and […]

The post Crypto Update: Coins Spike Lower amid Regulatory Woes, Technical Breakdown appeared first on Hacked: Hacking Finance.

Crypto Me0wing attacks: Kitty cashes in on Monero

It’s been a month since the first Drupalgeddon 2.0 RCE (SA-CORE-2018-002/CVE-2018-7600) exploit was published, unleashing its destruction into the wild… and through our cloud monitoring systems. As expected, since then we’ve been picking up various attack variants piggybacking on the Drupalgeddon 2.0 exploit, including remote scanners and backdoor attempts. In keeping with the latest dark web hype, it wasn’t long until we started picking up cryptojacking exploit attempts directed at remote servers as … More

The post Crypto Me0wing attacks: Kitty cashes in on Monero appeared first on Help Net Security.

Mixed Reality Meets Its Full Potential

Virtual reality (VR) use cases have expanded — and innovation continues to drive adoption beyond just the video game industry. In fact, recent advancements have paved the way for the creation of a new, hybrid technology: mixed reality (MR).

With MR, users wear a headset that displays interactive holograms within the environment around them in real time. This technology allows them to physically engage in unique experiences in many popular industries, such as entertainment, education and health.

Developers are taking notice of the possibilities of MR — and are also exploring how it can add value to leisure and workplace productivity.

Bringing Mixed Reality Into the Enterprise

Nearly every industry can utilize MR to gain insights and expand communication in ways never experienced before. Industries can also save time and money by facilitating faster, more efficient collaboration.

Here are examples of how some industries are using MR:

  • Architects at construction companies can see their AutoCAD blueprints in full 3D, interact with the space to make changes and achieve a better sense of how their building looks before construction even begins.
  • Medical students can use holograms of human anatomy to gain a better understanding of how the body works. This form of interactive education is already in use at Case Western Reserve University, and these applications of MR can be life-saving.
  • Technicians who need assistance repairing critical pieces of equipment can use MR to show their colleagues what they’re seeing — and get step-by-step visual guidance on adequately facilitating necessary repairs.
  • Companies in all industries can also build highly engaging applications for quicker onboarding of new employees and interaction with customers.

Mixed Reality Meets Unified Endpoint Management

There are dozens of companies working on MR applications to further advance the technology and its capabilities. Some specialize in a single industry, while others target the market with specific devices.

One of the more easily recognized names is Microsoft, which has developed an MR headset dubbed the HoloLens. The device sits on the users’ heads — much like a crown. The display is built into a tinted visor that resembles a motorcycle helmet visor. The HoloLens gained notoriety as the first MR device that runs on the Microsoft Windows 10 operating system. This allows developers to create MR applications for the HoloLens and utilize Windows application programming interfaces to work with other products.

IBM MaaS360 with Watson announced the ability to support and manage Microsoft HoloLens devices in May 2018. Just like any Windows 10 device, HoloLens follows the same security commands, policies and compliance rules, which can be applied using MaaS360.

As MR gains a more significant presence in the workforce, IT security leaders are going to need to manage these devices. Unified endpoint management (UEM) consolidates the management of mobile devices, laptops, mobile applications, mobile content, user identity and access and more into a single console, so MR headsets can be brought under the same policies and compliance rules as every other endpoint rather than handled as an unmanaged exception.

From designing buildings to saving lives, MR’s potential is vast — and it will only expand. Having the right tools in place will help your company stay ahead of security concerns and move forward with confidence.

The post Mixed Reality Meets Its Full Potential appeared first on Security Intelligence.

You Should Be Aware of These 10 Social Engineering Attacks

By Venu Rao, CEO and Founder  at WebSecureApp, Have you ever received an email with no text and just an attachment? We all know about social engineering attacks or at

The post You Should Be Aware of These 10 Social Engineering Attacks appeared first on The Cyber Security Place.

Here’s How to Download All the Data Apple Collects About You

Apple is making it easier for its users to download the data the company has collected about them so far. On Wednesday, Apple launched a new Data and Privacy website that allows you to download everything the company knows about you, from Apple ID info, device info, App Store activity, AppleCare history and your online shopping habits to all of the data stored in iCloud. A

CISO Chat – Shaan Mulchandani, Chief Global Security Strategy Officer at Aricent

Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information security related to a business. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives about the multitude of potential risks that threaten their business and being prepared for an eventual attack.

To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, including advice, guidance and problems faced. We will leave the favourite food and hobby questions for another time.

On the back of what was a fantastic first round of questioning with insightful responses from leading figures in the IT security industry, the CISO Chat segment on the IT Security Guru has returned for the second round of questioning.

Leading the second round of the CISO Chat is Shaan Mulchandani, Chief Global Security Strategy Officer at Aricent:

 

At RSA 2018, Facebook, Microsoft and 32 other technology and cybersecurity organizations formed a cyber consortium with the objective to work together and increase cybersecurity awareness. How beneficial do you see this move and should it be open for others to join?

It’s a move in the right direction, and appears well-timed given RSA as a backdrop for the announcement; the past year has been witness to some of the largest security breaches, the fallout from the Facebook Cambridge Analytica scandal, and the onset of GDPR.

The presence of certain cloud vendors (e.g. Microsoft, Oracle), social media networks (Facebook, LinkedIn), chip companies (e.g. ARM), networking technology vendors (e.g. Cisco, Juniper), and various security firms amongst others coming together makes for a good, complementary mix. Given increased cloud-adoption, expansive social media presences, richer edge devices, developments in software-defined networking, and the wealth in the choice of security technologies – consumers and businesses alike are increasingly anxious about security. The consortium’s pledge to not only embed security in their technologies but also promote awareness of how to leverage native security capabilities is important in two ways:

  • Consumers can leverage technology more securely, and utilize it to boost productivity
  • Businesses can capitalize on the ‘security by configuration’ trend that is soon becoming prevalent as we migrate to cloud environments, subscribe to more ‘as a service’ offerings, and scale in a distributed, heterogeneous economy.

Regarding benefits and efficacy – the consortium, as indicated, appears to be a well-timed, positive step. It may not yet be to anyone’s benefit for additional firms to join – any output beyond verbal declarations remains to be seen, and the foundation for best practices has yet to be laid. Perhaps the success of such an alliance, contrasted with how regulation (e.g. GDPR) mandates firms to boost security or with actions stemming from firms’ reactions to fallout from future publicly-known breaches, is worth studying as we move forward to find optimal solutions.

Security should be a top priority for any business. How true is this statement and do you believe organizations treat it as such?

Cloud adoption, migration, and acceleration are at record highs. Containers, microservices, serverless computing, and distributed architectures are all redefining infrastructure and we have smaller, decentralized compute/store units that require a security rethink. Adversaries (including nation states) are leveraging offensive/weaponized AI.  Taking all these into consideration – security should absolutely be a 100% top priority for every business.

I believe organizations are increasingly treating it as such, as they become aware (first-hand or otherwise) of the reputational damage and loss of consumer trust that breaches can cause. How security impacts top and bottom lines is being understood – that it isn’t an overhead, rather an enabler and a value creator. Moreover, security isn’t an afterthought – it is finally a boardroom issue.

An interesting personal takeaway from the RSA 2018 Expo was the apparent increase in number of phishing prevention and security education firms over previous years. The trend appears to indicate an influx of capital into the security education and awareness sector.

 

To give people insight, what are the most rewarding and challenging aspects of the CISO position and how do you think it has evolved over the past couple of years?

Objectively describing what’s most rewarding as a CISO can be challenging; subjectively, it can be based on a need to succeed in an extremely challenging environment and to master a role that’s often more about collaboration (with executives, partners, vendors, occasionally law enforcement, and even clients) than technology.

As organizations increasingly become aware of the threats that cyber risks and malicious actors pose, the CISO position has fortunately evolved in many cases to report to CEOs, CROs, and on occasion CFOs (often in parallel to a CIO). While it empowers CISOs to be more effective, this change also stems from CISOs being perceived as overhead and necessary for the business (particularly in the wake of GDPR-like regulation that fines revenue). Organizational evolution aside, three broad yet closely-related factors to consider are budgets, people, and technology.

CISOs must also contend with how to advance their AI/ML capabilities to combat weaponized AI (which brings about its own threats of spear-phishing, ransomware, etc.), while ‘holding down the fort’ and laying process-based groundwork for such advances. Technology-wise, the CISO role has also grown to encompass more in-house capabilities – especially when leveraging AI-based security capabilities needs careful evaluation and tools, and when decentralized architectures demand a re-evaluation of security mechanisms.

 

If you have one gripe about the cybersecurity industry what is it and how would you address it?

There are far too many vendors billing products as “the best in ___” or “the only ___” without explicitly clarifying their focus or acknowledging the competition out there. There is no silver bullet in cybersecurity, and if there was – it certainly isn’t a product! Most vendors now pitch how they can “orchestrate remediation” or “launch adaptive honeypots.” This may be exacerbated by how rapidly people understand the importance of security, and liquidity in investment markets over the last few years. Knowledgeable professionals get what these vendors are trying to say, but how much of it is feature overload coupled with marketing buzzwords and jargon vs. addressing business-related security challenges? That’s my gripe!

Perhaps the best way to address this is to simply ignore all of it. CISOs should focus on identifying what their business needs vs. what stringing together certain tools can provide, and come out emphasizing this fact.

 

With the development of Blockchain technology, what industries do you think will benefit most from its introduction and why?

Blockchain, and distributed ledger technologies at large, have profound implications on several industry verticals – Finance, Supply Chain, Manufacturing, and Energy amongst many others. Perhaps the first two show the most promise. We recently conducted a proof of concept on blockchain-enabled DevSecOps.

Blockchains, known for distributed ledgers, smart contracts, and reconciliations, present themselves as a natural fit for an industry which is not only the intended target of more attacks or fraud attempts than other sectors, but continues to be reliant on a slew of intermediaries. Several use cases relating to trading platforms, know-your-customer policies, inter/intra-bank or cross-border payment reconciliation, trade finance, and others lend themselves to implementation with potential efficiency gains (and cost savings!) should appropriate implementations be realized.

Democratic, fast, and collaborative are the words that come to mind in the context of blockchain and supply chains – wherein facilitation of automated workflows or data provenance are key requirements that blockchain-based solutions can streamline. Consider the simple example of how the IBM/Maersk shipping container pilot can be extended to include additional parties such as port authorities, government immigration and customs bureaus, and regional freight networks. All currently store the same or similar information, albeit with large paper trails, and have high degrees of inefficiency or manually-induced bottlenecks. Blockchain streamlines this.

Consider also Walmart’s ability to track the origin of food in as little as 2 seconds thanks to a blockchain-based implementation – and its impact when massive amounts of food/produce are to be recalled, or when food exports from one country to others depend on food safety standards that are now trackable. Certain blockchain benefits in the field of smart manufacturing and supply chain analytics also appear incredibly promising.

The post CISO Chat – Shaan Mulchandani, Chief Global Security Strategy Officer at Aricent appeared first on IT SECURITY GURU.

How to Convert Your Cryptocurrency Back to Fiat Currency

It is possible that at some point in your cryptocurrency investing journey, you feel the need to sell off some of your crypto. Most of the time, this means you are just converting it back into the USD of cryptocurrency, bitcoin, but you could also be trying to get your money out of cryptocurrency entirely. […]

The post How to Convert Your Cryptocurrency Back to Fiat Currency appeared first on Hacked: Hacking Finance.

Why Encryption Is Now a ‘Need to Have,’ Not Just a ‘Nice to Have’

By Linus Chang, CEO and Founder at Scram Software, Cloud-based services are so commonplace today that it’s tempting to simply trust them with your data. After all, everyone else is

The post Why Encryption Is Now a ‘Need to Have,’ Not Just a ‘Nice to Have’ appeared first on The Cyber Security Place.

Security Shifts Focus From Defense to Response

Despite more organizations feeling that they are getting worse at preventing data breaches, the number of businesses that feel better prepared to respond to incidents is on the rise, according to

The post Security Shifts Focus From Defense to Response appeared first on The Cyber Security Place.

End-to-end security requires multi-vendor automation

To make it easier to use security tools from multiple vendors, as well as bake security into the development process, Fortinet introduces Fabric Connectors and DevOps integration.The concept of “end-to-end”

The post End-to-end security requires multi-vendor automation appeared first on The Cyber Security Place.

Qualcomm Announces Snapdragon 710 Platform For Midrange Android Phones

An anonymous reader quotes a report from AnandTech: Today Qualcomm announces a new entry to the Snapdragon lineup with the first 700-series SoC platform. The Snapdragon 710 is a direct successor to the Snapdragon 660 but comes with a new branding more worthy of the increased performance characteristics of the SoC. The big IP blocks found on the Snapdragon 710 are very much derivatives of what's found on the flagship Snapdragon 845. On the CPU side we see the same 2.2GHz maximum clock on the big cores, but the Kryo 360 Cortex A75 based CPUs are a microarchitectural upgrade over last year's A72 based Kryo 260. The little cores are also based on the newer Cortex A55 and are clocked at up to 1.7GHz. The performance improvements are quoted as an overall 20% uplift in SPECint2000 and 25% faster performance in Octane and Kraken versus the SD660. The SoC now also uses the new system cache first introduced in the Snapdragon 845 -- although I'm expecting a smaller, yet unconfirmed 1MB size in the SD710. The 700-series SoC platform sports the new 600 series Adreno GPUs. They have an expected frequency of around 750MHz and up to 35% higher performance versus the Adreno 512 in the SD660. "In terms of connectivity the new SoC implements an X15 modem which is capable of UE Category 15 in the downstream with up to 800Mbps in 4x carrier aggregation and up to UE Category 7 in the upload with up to 2x CA and 256 QAM," reports AnandTech. "The new chipset now also offers 2x2 802.11ac digital backend for Wi-Fi -- however it'll still need an external discrete analog RF frontend."

Read more of this story at Slashdot.

FBI seizes control of a massive botnet that infected over 500,000 routers

Shortly after Cisco released its early report on a large-scale hacking campaign that infected over half a million routers and network storage devices worldwide, the United States government announced the takedown of a key internet domain used for the attack. Yesterday we reported about a piece of highly sophisticated IoT botnet malware that infected over 500,000 devices in 54 countries and

Tulin’s CyberSec Talk – Introduction

The ISBuzz Post: This Post Tulin’s CyberSec Talk – Introduction appeared first on Information Security Buzz.

This is the introductory video of Tulin’s CyberSec Talk series. In this series, Tulin covers a number of topics related to cyber security, with a particular focus on cyber risk management.

About Tulin Sevgin
Cyber Risk Management Lead, Senior Consultant

Tulin is a strategic thinker and cyber risk management specialist with experience in public and private sectors.  Tulin has held senior positions with Commonwealth Bank, Westpac, Optiver and Deloitte. Whilst Tulin’s working experience spans enterprise risk management, business continuity, risk culture analysis, project management, issues management, IT audit, data analytics, internal audit and external audit, Tulin specializes in cyber risk management including cyber risk threat analysis, prevention, control and assurance. Linkedin: https://www.linkedin.com/in/tulin-sevgin/

Robots learning war from video games – MoD

bbc.com - Robots that train themselves in battle tactics by playing video games could be used to mount cyber-attacks, the UK military fears. The warning is in a Ministry of Defence report on artificial intelli…


Tweeted by @iyouport_news https://twitter.com/iyouport_news/status/999561782325755904

New Pluralsight Course: Bug Bounties for Companies

Try publishing something to the internet - anything - and see how long it takes before something nasty is probing away at it. Brand new website, new domain and it's mere hours (if not minutes) before requests for wp-admin are in the logs. Yes, I know it's not a WordPress site but that doesn't matter, the bots don't care. But that's just indiscriminate scanning, nothing personal; how about deliberate and concerted attacks more specifically designed to get into your things? As the value of what you have increases, so do the attacks and there's absolutely nothing you can do about it. There's a lot you can do in terms of defences, but nothing you can do to stop randoms on the internet having a red hot go at breaking into your things.
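The indiscriminate wp-admin noise described above is easy to tell apart from someone actually working on your application once you look at the logs. The following is an added example, not code from Troy Hunt's post or from Pluralsight: it reads reverse-proxy style JSON access records (constructed for the example) and labels each source as a generic scanner, a single stray probe, or a client touching paths the site really serves. The probe list, the 404 check and the `min_probes` threshold are assumptions to tune from your own logs.

```python
"""Added example (not from the original post): separate indiscriminate scanner
noise (wp-admin probes against a site that is not WordPress) from requests
that target paths the site actually serves. Log lines are constructed JSON
records in the style of a reverse-proxy access log; paths, IPs and the
threshold are assumptions for the example.
"""
import json
from collections import defaultdict

# Paths a generic bot asks every host for, regardless of what runs there.
# This list is an assumption; extend it from your own 404 logs.
SCANNER_PROBES = {
    "/wp-admin", "/wp-admin/", "/wp-login.php", "/xmlrpc.php",
    "/.env", "/phpmyadmin/", "/.git/config", "/administrator/",
}

# Constructed access log: one JSON object per line.
ACCESS_LOG = """\
{"src": "203.0.113.5", "method": "GET", "path": "/wp-login.php", "status": 404}
{"src": "203.0.113.5", "method": "GET", "path": "/xmlrpc.php", "status": 404}
{"src": "203.0.113.5", "method": "GET", "path": "/.env", "status": 404}
{"src": "198.51.100.20", "method": "GET", "path": "/", "status": 200}
{"src": "198.51.100.20", "method": "POST", "path": "/api/login", "status": 401}
{"src": "198.51.100.20", "method": "POST", "path": "/api/login", "status": 401}
{"src": "198.51.100.20", "method": "GET", "path": "/api/users/1", "status": 403}
{"src": "192.0.2.77", "method": "GET", "path": "/wp-admin/", "status": 404}
"""


def classify_sources(log_text: str, probe_paths=SCANNER_PROBES, min_probes: int = 2):
    """Return {src_ip: label}.

    'scanner'  = only asked for generic probe paths that do not exist here
                 (>= min_probes distinct probes, all answered 404)
    'targeted' = touched real application paths; this is the traffic a bounty
                 program is meant to turn into a report instead of a breach
    'noise'    = a single stray probe, not worth an analyst's time on its own
    """
    probes = defaultdict(set)   # src -> set of probe paths seen (404 only)
    real = defaultdict(int)     # src -> count of requests to real paths
    for line in log_text.splitlines():
        rec = json.loads(line)
        path = rec["path"]
        if path in probe_paths and rec["status"] == 404:
            probes[rec["src"]].add(path)
        else:
            real[rec["src"]] += 1

    labels = {}
    for src in set(probes) | set(real):
        if real[src]:
            labels[src] = "targeted"
        elif len(probes[src]) >= min_probes:
            labels[src] = "scanner"
        else:
            labels[src] = "noise"
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify_sources(ACCESS_LOG).items()):
        print(f"{src:15} {label}")
```

The point of the split is triage, not blocking: the "scanner" bucket is the background radiation the post describes and can be summarised daily, while the "targeted" bucket is the traffic you want researchers to generate under a bounty rather than on their own terms.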

This is why the discussion around bug bounties confounds me because every time I raise them as being a rather good thing for your security posture, I inevitably get a response along these lines:

But doesn't a bug bounty mean hackers will try and break into our things?

I hate to break it to you, but that's business as usual whether you have a bounty program or not, the only difference is going to be what they do if they successfully get in. That's oversimplifying things, of course, but to me that's always been a cornerstone of why bug bounties make so much sense: they change the ROI of bugs such that it incentivises people of all ethical positions to disclose them to the organisation involved rather than run amok with them. Plus, it draws people to the site and encourages them to seek out vulnerabilities thus improving the overall security posture. Which brings me to this:

I'm sitting with Casey Ellis in a studio in San Francisco recording a Pluralsight course per the title of this blog post. Casey is the founder of Bugcrowd and they help companies ranging from MasterCard to NETGEAR to Western Union run managed bug bounty programs. Casey and I have been mates for about 5 years now, in fact I went back and checked my email and it was Jan 2013 when we first caught up over beers in Sydney and he shared his vision for Bugcrowd. That vision ultimately got him funded and led him to Silicon Valley. When we caught up to do this course, Bugcrowd had just received another $26M, and that's on top of the $23M that had already been invested in the company. Whilst this course isn't specifically about Bugcrowd, I wanted to share that background because I couldn't think of a better person in the world to have recorded this course with.

So, getting onto the course, I really wanted to tackle the barriers organisations typically see to implementing a bug bounty program; does it really put them at greater risk? How do you price bugs? How do you decide on the scope? When's the right time to run one? Understandably, people have many questions about running a bounty and I reckon we've done a great job of addressing them here. It's a 48 minute "Play by Play" course so it's just Casey and I sitting around chatting (along with visuals from his screen), so it's easily consumable material. This is also the first of 2 courses we recorded with "Bug Bounties for Researchers" still to go live. That one will focus on individuals who want to get involved in bug hunting so it comes at things from quite a different angle.

Incidentally, my favourite password manager 1Password has a $100k top reward on Bugcrowd. They're so confident in the security of their solution and the value of a successful exploit is so high that they'll reward you very handsomely if you manage to break into a 1Password vault. Given the value of my own things I put in their care, I'm pretty happy to see that!

Bug Bounties for Companies is now live!

Smashing Security #079: Mugshots, mobile mania, and back end gurus

A website which demands money if you want your mugshot removed, could “sharenting” lead to a rise in fraud and identity theft, and how could the FBI have overcounted encrypted phones so badly?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, who are joined this week by special guest Maria Varmazis.

Justice Department announces actions to disrupt the VPNFilter botnet

The Justice Department announced an effort to disrupt the VPNFilter botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a Russia-linked APT group.

Yesterday Talos and other security firms revealed the discovery of a huge botnet, tracked as VPNFilter, composed of more than 500,000 compromised routers and network-attached storage (NAS) devices; more details have now emerged on the case.

The experts attribute VPNFilter to Russia; the malware compromised devices across 54 countries, most of them in Ukraine.

On May 8, Talos researchers observed a spike in VPNFilter infection activity, most infections in Ukraine and the majority of compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

The experts discovered the VPNFilter malware has infected devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link.

The US Justice Department announced it had seized a domain used as part of the command-and-control infrastructure, and it explicitly names the Russian APT group Sofacy (also tracked as APT28, Pawn Storm and Fancy Bear) as the operator of the botnet. The release also lists Sandworm under the same name, although most vendors track Sandworm as a separate group.

“The Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a group of actors known as the “Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”).” reads the press release published by the DoJ.

“Today’s announcement highlights the FBI’s ability to take swift action in the fight against cybercrime and our commitment to protecting the American people and their devices,” said Assistant Director Scott Smith. “By seizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in minimizing the impact of the malware attack. While this is an important first step, the FBI’s work is not done. The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware.”

The VPNFilter botnet targets SOHO routers and network-attached storage (NAS) devices and uses a multi-stage malware. The experts highlighted that stage 2, which carries the malicious capabilities, does not survive a reboot and can be cleared from a device by power-cycling it, while stage 1 persists across reboots and exists only to locate a command-and-control server and fetch stage 2 again.

The Justice Department had obtained a warrant authorizing the FBI to seize the domain that is part of the command and control infrastructure of the VPNFilter botnet.

Technically, the operation conducted by the US authorities is a “sinkhole”: by seizing the domain, law enforcement routes the bots’ C&C lookups to a server it controls, which lets investigators and security researchers observe the traffic, enumerate the infected devices, and temporarily neutralize the threat.

“In order to identify infected devices and facilitate their remediation, the U.S. Attorney’s Office for the Western District of Pennsylvania applied for and obtained court orders, authorizing the FBI to seize a domain that is part of the malware’s command-and-control infrastructure.” continues the DoJ.

“This will redirect attempts by stage one of the malware to reinfect the device to an FBI-controlled server, which will capture the Internet Protocol (IP) address of infected devices, pursuant to legal process. A non-profit partner organization, The Shadowserver Foundation, will disseminate the IP addresses to those who can assist with remediating the VPNFilter botnet, including foreign CERTs and internet service providers (ISPs).”

The owners of the compromised SOHO and NAS devices should reboot their devices as soon as possible. Rebooting temporarily removes the stage 2 malware and causes the persistent stage 1 to contact the (now sinkholed) C&C domain for instructions, which is what exposes the device’s IP address to the FBI-controlled server. A reboot alone does not remove stage 1, however: Talos recommended a factory reset followed by a firmware update and a change of default credentials to fully clean a device.

“Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure.” continues the DoJ.
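The two sides of the remediation described above can both be reduced to log processing. The block below is an added example, not code from the Security Affairs article, Talos or the DoJ: `sinkhole_report()` aggregates beacons captured at a sinkhole (the role of the FBI-controlled server above) into a per-IP hand-off list with first/last seen and counts, and `find_c2_contacts()` takes the network owner's side, scanning flow records for hosts that contacted the stage 2 C2 address published in the article (46.151.209[.]33, refanged from its defanged form). The log formats, the `/update.php` check-in path and every address other than the article's IOC are constructed for the example.

```python
"""Added example (not from the Security Affairs article, Talos or the DoJ):
two offline checks for VPNFilter-style remediation work.

1. sinkhole_report(): aggregate beacons captured by a sinkhole into a per-IP
   list suitable for handing to CERTs/ISPs, with first/last seen and counts.
2. find_c2_contacts(): from the network owner's side, scan firewall/flow logs
   for connections to the published stage 2 C2 IP so devices that need a
   factory reset can be found.

Log formats, the /update.php check-in path and all addresses except the
article's IOC are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# The article's stage 2 C2 indicator, in defanged form.
STAGE2_C2_DEFANGED = "46.151.209[.]33"


def refang(ioc: str) -> str:
    """Undo common defanging: 46.151.209[.]33 -> 46.151.209.33, hxxp -> http."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


# Constructed sinkhole access log (combined-log style). Each /update.php line
# is a stage 1 implant asking the seized C&C domain for instructions.
SINKHOLE_LOG = """\
198.51.100.7 - - [23/May/2018:14:02:11 +0000] "GET /update.php HTTP/1.1" 200 12 "-" "-"
203.0.113.40 - - [23/May/2018:14:02:15 +0000] "GET /update.php HTTP/1.1" 200 12 "-" "-"
198.51.100.7 - - [23/May/2018:15:31:07 +0000] "GET /update.php HTTP/1.1" 200 12 "-" "-"
192.0.2.250 - - [23/May/2018:15:40:59 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.40 - - [24/May/2018:02:10:44 +0000] "GET /update.php HTTP/1.1" 200 12 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*"'
)


@dataclass
class Beacon:
    first_seen: datetime
    last_seen: datetime
    count: int = 0


def sinkhole_report(log_text: str, beacon_path: str = "/update.php") -> dict[str, Beacon]:
    """Aggregate sinkhole hits on the implant's check-in path by source IP.
    Requests for other paths (browsers, scanners hitting the now-public
    domain) are ignored so the hand-off list only holds likely infections."""
    report: dict[str, Beacon] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") != beacon_path:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        ip = m.group("ip")
        b = report.get(ip)
        if b is None:
            report[ip] = Beacon(first_seen=ts, last_seen=ts, count=1)
        else:
            b.first_seen = min(b.first_seen, ts)
            b.last_seen = max(b.last_seen, ts)
            b.count += 1
    return report


# Constructed flow records from a network owner's side: src_ip,dst_ip,dst_port,proto
FLOW_LOG = """\
10.0.0.1,93.184.216.34,443,tcp
10.0.0.1,46.151.209.33,443,tcp
10.0.0.9,46.151.209.33,80,tcp
10.0.0.23,8.8.8.8,53,udp
"""


def find_c2_contacts(flow_text: str, c2_ioc: str = STAGE2_C2_DEFANGED) -> list[str]:
    """Return the internal hosts that contacted the stage 2 C2 IP.
    A reboot clears stage 2 but not stage 1, so every host listed here
    needs a factory reset and firmware reflash, not just a power cycle."""
    c2 = refang(c2_ioc)
    hits = set()
    for line in flow_text.splitlines():
        parts = line.split(",")
        if len(parts) == 4 and parts[1] == c2:
            hits.add(parts[0])
    return sorted(hits)


if __name__ == "__main__":
    for ip, b in sinkhole_report(SINKHOLE_LOG).items():
        print(f"{ip}: {b.count} beacons, {b.first_seen:%Y-%m-%d %H:%M} .. {b.last_seen:%Y-%m-%d %H:%M}")
    print("hosts talking to stage 2 C2:", find_c2_contacts(FLOW_LOG))
```

Two practical points the code makes explicit: the sinkhole only sees devices whose stage 1 has re-contacted the domain, so the count rises as owners reboot; and a hit in the flow log against the stage 2 address identifies a device that was fully compromised and therefore needs more than a reboot.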

VPNFilter malware

Experts are particularly concerned by the destructive features implemented by the malware: stage 2 includes a self-destruct capability that overwrites part of the device’s firmware and reboots it, rendering the device unusable. Attackers could use this to cut off victims’ Internet access or to cover their tracks.

Experts believe that the attack could be launched by the threat actors around Ukraine’s Constitution Day (28 June); last year’s NotPetya wiper attack was launched in the same period, on 27 June 2017.

Both the Justice Department and Cisco said they were releasing details of the problem before a strong, permanent fix was available. Justice said that by seizing control of one of the domains involved in running VPNFilter, it gives owners of infected routers a chance to reboot them, forcing the implants to communicate with the now-neutralized command domain.

The underlying vulnerabilities will remain, Justice said, but the move buys time to identify infected devices and intervene in other parts of the botnet’s infrastructure.

Pierluigi Paganini

(Security Affairs – VPNFilter botnet, hacking)

The post Justice Department announces actions to disrupt the VPNFilter botnet appeared first on Security Affairs.


British Attorney General States Cyber Attack On Nation Will Be An Act Of War

The UK Attorney General said today that hostile states that have been targeting essential infrastructure as well as key services

British Attorney General States Cyber Attack On Nation Will Be An Act Of War on Latest Hacking News.

CVE-2018-11410

An issue was discovered in Liblouis 3.5.0. An invalid free in the compileRule function in compileTranslationTable.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.

SOC Automation: Good or Evil?

Many security operations centers (SOCs) face the same recurring problem — too many alerts and too few people to handle them. Over time, the problem worsens because the number of devices generating alerts increases at a much faster rate than the number of people available to analyze them. Consequently, alerts that truly matter can get buried in the noise.

Most companies look at this problem and see only two solutions: decrease the number of alerts, or increase the number of staff. Luckily, there’s a third option: automation, which can greatly improve the efficiency of analysts’ time.

Traditionally, automation has been viewed as an all-or-nothing proposition. But, times change. Companies can implement automation at various points of the incident response process to free analysts from mundane, repetitive tasks, while maintaining human control over how they monitor and react to alerts. Ultimately, the goal should be to strike a balance between low-risk processes that can be automated with minimal impact and the higher-risk ones that need to be handled by analysts.

Before launching into some level of SOC automation, the following should be considered:

  1. Is the organization winning or losing the cyber battle?
  2. If it is winning, does it have the right tools to continue doing so?
  3. If it is losing, what should it do?

Whether an organization is winning or losing, understanding the pros and cons of automation is critical to any project’s success.

Benefits of Automation

Automation has typically been favored in low-impact environments, but it has been frowned upon in high-impact environments such as utility and healthcare because of the negative impact false positives can cause.

The main benefits of SOC automation include:

  • More consistent response to alerts and tickets
  • Higher volume of ticket closure and response to incidents
  • Better focus by analysts on higher priority items
  • Improved visibility into what is happening
  • Coverage of a larger area and a larger number of tickets

Downsides of Automation

Nothing is more taxing than dealing with a false positive, which happens when a system misinterprets legitimate activity and flags it as an attack. In some industries a false positive can disrupt business processes, resulting in lost revenue, downtime for industrial organizations, and even risk to lives in hospital settings.

Major downsides include:

  • Shutting down operations
  • Misclassifying an attack so the wrong action is taken
  • Automating tickets that should have been handled manually
  • Missing key information or data
  • Making the wrong or inappropriate decision

Best Practices for Automation

In the past, companies typically looked at automation’s potential downsides and then decided to avoid it because doing so seemed safer. However, today, more companies are realizing that if they do not implement some degree of automation, they increase their chances of missing an attack, which could cause more damage than the negative effects of automation.

Given this scenario, security practitioners should look at adopting the following best practices for automation.

Create a Thorough Strategy

The plan should address the following key questions:

  • What areas generate the most alerts?
  • What alerts take up most of the analysts’ time?
  • Which responses are very structured and which ones do the analysts respond to in a predictable way?
  • Can an automated playbook be used to handle certain events?

Take a Measured Approach

One of the key rules of security is to always avoid extremes. For example, automating everything can open a can of worms — forcing security executives to justify the approach by claiming analysts could not keep up with the tickets.

Finding a balance by automating tasks and tickets that are manually intensive, highly repeatable, and distract analysts from important functions is a good starting point. Automation should allow the company to improve SOC efficiency while maintaining acceptable levels of risk, both on the operational side and the security side.

The trick is to manage and control false positives, not eliminate them.

Know, and Don’t Automate, Tasks that Require Human Analysis

These include alerts that affect:

  • Critical applications or systems
  • Business process, financial and operational systems
  • Systems that contain large amounts of sensitive data
  • Large-scale compromise indicators
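The following is an added example, not part of the original article, of how the rules above can be turned into a triage gate: alerts touching the asset classes that require human analysis, or indicators spread across many hosts, are routed to an analyst; everything else goes to a playbook only while that playbook's false-positive rate stays under control. Alert fields, tag names and playbooks are constructed for illustration.

```python
"""Triage gate for SOC automation: route each alert to an automated playbook or
to an analyst, following the criteria in the article above (human analysis for
critical, business/financial/operational and sensitive-data systems and for
large-scale indicators), and suspend a playbook whose false-positive rate is
out of control (manage false positives, not eliminate them)."""
from dataclasses import dataclass

# Asset tags that always require a human decision (constructed tag names).
HUMAN_REQUIRED_TAGS = {"critical", "business-process", "financial",
                       "operational", "sensitive-data"}
# The same indicator on this many hosts or more is a large-scale compromise indicator.
LARGE_SCALE_HOSTS = 10


@dataclass
class Alert:
    alert_id: str
    rule: str                 # detection rule that fired
    asset: str
    asset_tags: set
    host_count: int = 1       # hosts showing the same indicator


@dataclass
class Playbook:
    name: str
    action: str
    max_fp_rate: float = 0.10   # suspend automation above this false-positive rate
    automated: int = 0
    reverted: int = 0           # an analyst later reversed the automated action

    def record(self, reverted: bool) -> None:
        self.automated += 1
        if reverted:
            self.reverted += 1

    def fp_rate(self) -> float:
        # Fewer than 20 automated runs is too little data to judge; treat as 0.
        return self.reverted / self.automated if self.automated >= 20 else 0.0


# Constructed example: repetitive, low-risk alert types with a structured response.
PLAYBOOKS = {
    "pup-quarantined": Playbook("close-pup-quarantine",
                                "close ticket; AV already quarantined the file"),
    "phish-reported": Playbook("purge-phish",
                               "pull the reported message from all mailboxes"),
    "failed-login-burst": Playbook("block-source-ip",
                                   "block the source IP at the perimeter for 1h",
                                   max_fp_rate=0.05),
}


def decide(alert: Alert, playbooks=PLAYBOOKS) -> tuple:
    """Return ("analyst" | "automate", reason) for one alert."""
    blocked = alert.asset_tags & HUMAN_REQUIRED_TAGS
    if blocked:
        return "analyst", f"asset tagged {sorted(blocked)}: requires human analysis"
    if alert.host_count >= LARGE_SCALE_HOSTS:
        return "analyst", (f"indicator seen on {alert.host_count} hosts: "
                           "possible large-scale compromise")
    pb = playbooks.get(alert.rule)
    if pb is None:
        return "analyst", f"no structured playbook for rule {alert.rule!r}"
    if pb.fp_rate() > pb.max_fp_rate:
        return "analyst", (f"playbook {pb.name} suspended: false-positive rate "
                           f"{pb.fp_rate():.0%} exceeds {pb.max_fp_rate:.0%}")
    return "automate", f"{pb.name}: {pb.action}"


def triage(alerts, playbooks=PLAYBOOKS) -> dict:
    """Split a batch of alerts into the automated and the analyst queue."""
    queues = {"automate": [], "analyst": []}
    for alert in alerts:
        route, reason = decide(alert, playbooks)
        queues[route].append((alert.alert_id, reason))
    return queues


# Constructed sample batch.
SAMPLE_ALERTS = [
    Alert("A1", "pup-quarantined", "ws-0412", {"workstation"}),
    Alert("A2", "pup-quarantined", "db-billing-01", {"financial", "sensitive-data"}),
    Alert("A3", "failed-login-burst", "vpn-gw", {"perimeter"}),
    Alert("A4", "pup-quarantined", "ws-0199", {"workstation"}, host_count=25),
    Alert("A5", "new-service-installed", "ws-0300", {"workstation"}),
]

if __name__ == "__main__":
    for route, items in triage(SAMPLE_ALERTS).items():
        for alert_id, reason in items:
            print(f"{route:8} {alert_id}: {reason}")
```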

Conclusion

The need for SOC automation is increasing in urgency since adversaries are also harnessing software and hardware to develop and carry out attacks. Consequently, the velocity and sophistication of threats is rising. Keeping pace with programmatic attacks inevitably requires automating certain SOC functions and processes. Following the recommendations outlined above can help determine those that should be automated, and those that shouldn't.

About the author: John Moran is Senior Product Manager for DFLabs and a security operations and incident response expert. He has served as a senior incident response analyst for NTT Security, computer forensic analyst for the Maine State Police Computer Crimes Unit and computer forensics task force officer for the US Department of Homeland Security. John currently holds GCFA, CFCE, EnCE, CEH, CHFI, CCLO, CCPA, A+, Net+, and Security+ certifications.

Copyright 2010 Respective Author at Infosec Island

Information Warfare and Cyber Security

tobem.com - This digital document is an article from Air Force Law Review, published by U.S. Air Force Academy, Department of Law on December 22, 2009. The length of the article is 22724 words. The page length s…


Tweeted by @CyberToolsBooks https://twitter.com/CyberToolsBooks/status/999552057341349889

Ariane Chief Seems Frustrated With SpaceX For Driving Down Launch Costs

schwit1 shares a report from Ars Technica: Like United Launch Alliance, the [France-based] Ariane Group faces pricing pressure from SpaceX, which offers launch prices as low as $62 million for its Falcon 9 rocket. It has specifically developed the Ariane 6 rocket to compete with the Falcon 9 booster. But there are a couple of problems with this. Despite efforts to cut costs, the two variants of the Ariane 6 will still cost at least 25 percent more than SpaceX's present-day prices. Moreover, the Ariane 6 will not fly until 2020 at the earliest, by which time Falcon 9 could offer significantly cheaper prices on used Falcon 9 boosters if it needed to. (The Ariane 6 rocket is entirely expendable). With this background in mind, the chief executive of Ariane Group, Alain Charmeau, gave an interview to the German publication Der Spiegel. The interview was published in German, but a credible translation can be found here. During the interview, Charmeau expressed frustration with SpaceX and attributed its success to subsidized launches for the U.S. government. When pressed on the price pressure that SpaceX has introduced into the launch market, Charmeau's central argument is that this has only been possible because, "SpaceX is charging the U.S. government 100 million dollar per launch, but launches for European customers are much cheaper." Essentially, he says, launches for the U.S. military and NASA are subsidizing SpaceX's commercial launch business. However, the pay-for-service prices that SpaceX offers to the U.S. Department of Defense for spy satellites and cargo and crew launches for NASA are below those of what other launch companies charge. And while $100 million or more for a military launch is significantly higher than a $62 million commercial launch, government contracts come with extra restrictions, reviews, and requirements that drive up this price.

Read more of this story at Slashdot.

The emerging threat of cyber warfare

jltspecialty.com - Recent months have seen growing tensions between western countries and Russia, highlighting the growing risk of cyber-attacks by nation states and their allies. Russia has been accused of waging a di…


Tweeted by @cyber_reim https://twitter.com/cyber_reim/status/999536663016673280

NBlog May 24 – Business Continuity Manager

One of the items in June's awareness module is a model job description for a Business Continuity Manager.

It's generic since NoticeBored customers are unique and we don't know precisely what any of them might expect from a BCM. We do know, however, the kinds of things that a BCM would typically be expected to do, and the personal qualities that make for an effective BCM. Well at least we believe so.

Don't forget that NoticeBored is a security awareness and training service. Its purpose is to support customers' security awareness and training programs. So, the job description doesn't have to be perfect: it has to be stimulating, something that some customers might like to use as a starting point to prompt a discussion with management around whether it might perhaps be worth appointing a BCM.  

It matters to our customers but not to us whether the eventual decision is yes or no. We want them to have a fruitful, informed and productive discussion, leading them to make the decision that's right for them, either way. 

For customers who already have a BCM or a similar role (we're not dead-set on that specific job title), we hope the job description might prompt management to review the role, discuss it with the person in-role and other colleagues, and if appropriate make changes to bring theirs closer into line with good practice. For example, if the current role is defined in terms of recovery, how about pumping up the resilience and contingency aspects to complement recovery? If it is myopically focused on IT or compliance, why not broaden the role to support wider business objectives such as the supply chain aspects? If the person performing the role isn't willing, suitable or able to take on the wider brief, might the role be split among several people, whether full or part-timers?

The NoticeBored BCM job description fills just one side of paper, 400 carefully-chosen words saying enough to be a stimulating awareness piece, hopefully, without being so prescriptive that customers feel coerced into our particular way of thinking. Email me for a copy if this has caught your eye. 


Linux Privilege Escalation using Sudo Rights

In our previous articles we discussed Linux privilege escalation using SUID binaries and the /etc/passwd file, and today we are posting another method: “Linux privilege escalation using the sudoers file”. While solving CTF challenges, we always check whether the current user has sudo rights to execute any file or command by running the sudo -l command. You can read our previous article where we applied this trick for privilege escalation.

Let’s Start with Theoretical Concept!!

In Linux/Unix, the sudoers file inside /etc is the configuration file for sudo rights. We all know the power of the sudo command; the word sudo stands for “Super User Do”, i.e. perform a task with root privileges. The sudoers file is where the users and groups are listed that may run some or all commands as root or as another user. Take a look at the following image.

When you run a command with sudo, which needs root privileges for execution, Linux checks for that particular username in the sudoers file. If the username is not listed in the sudoers file, you cannot run the command or program through sudo. According to the default sudo rights, the root user can execute from ALL terminals, acting as ALL users and ALL groups, and run ALL commands.

Sudoer File Syntax

If you (the root user) wish to grant sudo rights to a particular user, type the visudo command, which opens the sudoers file for editing. Under “User privilege specification” you will see the default root permission “root ALL=(ALL:ALL) ALL”. In fact there is also an optional Tag field, as explained in the following image.

Consider the example where we want to grant sudo rights to the user raaz to access the terminal and run the copy command with root privileges. Here the NOPASSWD tag means that no password will be requested from the user.

NOTE:

  1. (ALL:ALL) can also be written as (ALL)
  2. If you find (root) in place of (ALL:ALL), it denotes that the user can run the command as root.
  3. If nothing is mentioned for user/group, sudo defaults to the root user.

Let’s Begin!!

Let’s get into it through practical work. First, create a user who is not a member of the sudo group. Here we have added the user “raaz”, whose UID is 1002 and GID is 1002, so raaz is a non-root user.

 

Traditional Method to assign Root Privilege 

If the system administrator wants to give ALL permissions to the user raaz, he can follow the steps below to add raaz under the User Privilege Specification category.

visudo
raaz ALL=(ALL:ALL) ALL
or
raaz ALL=(ALL) ALL

Spawn Root Access

On the other side, start your attacking machine, first compromise the target system and then move to the privilege escalation phase. Suppose you have successfully logged into the victim’s machine through SSH and want to know the sudo rights of the current user; then execute the command below.

sudo -l

In the traditional method, the PASSWD option is enabled for user authentication while executing the above command; it can be disabled with the NOPASSWD tag. The highlighted text indicates that the current user is authorized to execute all commands. Therefore we obtain root access by executing the following commands.

sudo su
id

Default Method to assign Root Privilege 

If the system administrator wants to give the user raaz root permission to execute all commands and programs, he can follow the steps below to add raaz under the User Privilege Specification category.

visudo
raaz ALL=ALL
or
raaz ALL=(root) ALL

Here also the default PASSWD option is enabled for user authentication.

Spawn Root Access

Again compromise the target system, move to the privilege escalation stage as done above, and execute the command below to view the sudo user list.

sudo -l

Here the highlighted text shows that the user raaz can run all commands as the root user. Therefore we can achieve root access by performing the steps below.

sudo su
or
sudo bash

Note: Both methods above will ask for the user’s password at the time the sudo -l command is executed, because the PASSWD option is enabled by default.

Allow Root Privilege to Binary commands

Sometimes the user is authorized to execute a particular file or command such as /bin/cp, /bin/cat or /usr/bin/find; this type of permission can lead to privilege escalation to root, and it is configured with the following entry.

raaz ALL=(root) NOPASSWD: /usr/bin/find

NOTE: Here the NOPASSWD tag means that no password will be requested from the user while running the sudo -l command.

 

Spawn Root Access using Find Command

Again compromise the victim’s system, move to the privilege escalation phase and execute the command below to view the sudo user list.

sudo -l

At this point you can notice that the highlighted text indicates that the user raaz can run any command through the find command. Therefore we got root access by executing the commands below.

sudo find /home -exec /bin/bash \;
id

 

Allow Root Privilege to Binary Programs

Sometimes an admin assigns delicate authority to a particular user to run binary programs that allow the user to edit system files such as /etc/passwd. There are certain binary programs which can lead to privilege escalation if a user is authorized to run them. In the entry below we have assigned sudo rights for the following programs, which can be run as the root user.

raaz ALL= (root) NOPASSWD: /usr/bin/perl, /usr/bin/python, /usr/bin/less, /usr/bin/awk, /usr/bin/man, /usr/bin/vi

Spawn shell using Perl one-liner

In the privilege escalation phase, execute the command below to view the sudo user list.

sudo -l

Now you can observe that the highlighted text shows that the user raaz can run Perl programs or scripts as the root user. Therefore we got root access by executing a Perl one-liner.

sudo perl -e 'exec "/bin/bash";'
id

 

Spawn shell using Python one-liner

After compromising the target system, move to the privilege escalation phase as done above and execute the command below to view the sudo user list.

sudo -l

At this point you can see that the highlighted text indicates that the user raaz can run Python programs or scripts as the root user. Thus we acquired root access by executing a Python one-liner.

sudo python -c 'import pty;pty.spawn("/bin/bash")'
id

Spawn shell using Less Command

For the privilege escalation phase, execute the command below to view the sudo user list.

sudo -l

Here you can observe that the highlighted text indicates that the user raaz can run the less command as the root user. Hence we obtained root access by executing the following.

sudo less /etc/hosts

It will open the requested system file, but to spawn a root shell type !bash as shown below and hit enter.

You will get root access as shown in the below image.

Spawn shell using AWK one-liner

After compromising the target system, move to the privilege escalation phase as done above and execute the command below to view the sudo user list.

sudo -l

At this phase you can notice that the highlighted text shows that the user raaz can run AWK programs or scripts as the root user. Therefore we obtained root access by executing an AWK one-liner.

sudo awk 'BEGIN {system("/bin/bash")}'
id

Spawn shell using Man Command (Manual page)

For privilege escalation, execute the command below to view the sudo user list.

sudo -l

Here you can observe that the highlighted text indicates that the user raaz can run the man command as the root user. Therefore we got root access by executing the following.

sudo man man

It will display the Linux manual pages, but to spawn a root shell type !bash as presented below and hit enter; you get root access as done above using the less command.

Spawn shell using Vi-editor (Visual editor)

After compromising the target system, move to the privilege escalation phase as done above and execute the command below to view the sudo user list.

sudo -l

Here you can observe that the highlighted text indicates that the user raaz can run the vi command as the root user. Consequently, we got root access by executing the following.

sudo vi

Thus it will open the vi editor, but to spawn a root shell type !bash as shown below and hit enter; you get root access as done above using the less command.

You will get root access as shown in the below image.

id
whoami

NOTE: sudo permission for less, nano, man and vi is very dangerous, as it allows the user to edit system files and leads to privilege escalation.

 

Allow Root Privilege to Shell Script

There is a good chance of finding some kind of script for a system or program call; it can be a Bash, PHP, Python or C script. Suppose you (the system admin) want to give sudo permission to a script which provides a bash shell on execution.

For example, we have some scripts which provide a root terminal on execution. In the image below you can observe that we have written 3 programs for obtaining a bash shell using different programming languages and saved all three files, asroot.py, asroot.sh and asroot.c (compiled to the file shell), inside /bin/script.

NOTE: While solving OSCP challenges you will find that some script has been hidden by the author for a kernel exploit or for a root shell, with sudo permission set for a particular user to execute that script.

Now allow raaz to run all the above scripts as the root user by adding the following entry to the sudoers file.

raaz ALL= (root) NOPASSWD: /bin/script/asroot.sh, /bin/script/asroot.py, /bin/script/shell

 

Spawn root shell by Executing Bash script

For the privilege escalation phase, execute the command below to view the sudo user list.

sudo -l             

The highlighted text indicates that the user raaz can run asroot.sh as the root user. Therefore we got root access by running the asroot.sh script.

sudo /bin/script/asroot.sh
id

 

Spawn root shell by Executing Python script

For privilege escalation, execute the command below to view the sudo user list.

sudo -l

This time the highlighted text shows that the user raaz can run asroot.py as the root user. Therefore we acquired root access by executing the following script.

sudo /bin/script/asroot.py
id

Spawn root shell by Executing C Language script

After compromising the target system, move to privilege escalation and execute the command below to view the sudo user list.

sudo -l

Here you can see that the highlighted text indicates that the user raaz can run shell (the compiled asroot.c) as the root user. So we obtained root access by executing that binary.

sudo /bin/script/shell
id

Today we have demonstrated various methods to spawn a root terminal on the victim’s machine if a user is listed in the sudoers file and has root permissions.
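From the defender’s side, every grant walked through above is visible in the sudoers file itself. The following is an added example (not part of the original post) that parses user-specification lines and flags the patterns this article relies on: ALL commands, NOPASSWD, the shell-escape binaries named here, custom programs outside the system bin directories, and the relative path a typo such as “usr/bin/perl” would produce. The sample sudoers content is constructed to mirror the article’s entries; the set of flagged binaries is taken from this page, not from an exhaustive list.

```python
"""Audit sudoers user specifications for the risky grants this article walks
through: ALL commands, NOPASSWD, and binaries that can escape to a root shell."""
import re
from dataclasses import dataclass

# Binaries the article shows spawning a shell or editing system files via sudo.
SHELL_ESCAPE_BINARIES = {"find", "perl", "python", "less", "awk", "man",
                         "vi", "nano", "cp", "cat"}
# Commands outside these directories are custom scripts/binaries that need review.
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}

# user  host = (runas[:group])  [TAG: ...]  command[, command ...]
SPEC_RE = re.compile(r"^(?P<user>[%\w.+-]+)\s+(?P<host>\S+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")        # NOPASSWD:, SETENV:, ...
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


@dataclass
class Finding:
    user: str
    command: str
    severity: str   # "critical" | "high" | "error"
    reason: str


def parse_spec(line):
    """Return (user, runas, tags, commands) for a user-spec line, else None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    # No (runas) means the command runs as root; (ALL:ALL) means any user.
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    rest = m.group("rest").strip()
    tags = set()
    while (t := TAG_RE.match(rest)):
        tags.add(t.group(1))
        rest = rest[t.end():]
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return m.group("user"), runas, tags, commands


def audit_line(line):
    """Findings for one sudoers line; the stock root entry is expected and skipped."""
    spec = parse_spec(line)
    if spec is None or spec[0] == "root":
        return []
    user, runas, tags, commands = spec
    who = "any user" if runas == "ALL" else runas
    suffix = " without a password" if "NOPASSWD" in tags else ""
    findings = []
    for cmd in commands:
        path = cmd.split()[0]                    # drop any fixed arguments
        directory, _, name = path.rpartition("/")
        base = name.rstrip("0123456789.")        # python3.10 -> python
        if path == "ALL":
            findings.append(Finding(user, cmd, "critical",
                            f"may run any command as {who}{suffix}"))
        elif not path.startswith("/"):
            findings.append(Finding(user, cmd, "error",
                            "relative path; sudoers requires fully qualified commands"))
        elif base in SHELL_ESCAPE_BINARIES:
            findings.append(Finding(user, cmd, "high",
                            f"{name} can spawn a shell or edit files as {who}{suffix}"))
        elif directory not in SYSTEM_BIN_DIRS:
            findings.append(Finding(user, cmd, "high",
                            f"custom program run as {who}{suffix}; verify it and its "
                            "directory are not writable by the user"))
    return findings


def audit_sudoers(text):
    """Audit a whole sudoers file (or a fragment of one)."""
    return [f for line in text.splitlines() for f in audit_line(line)]


# Constructed sample mirroring the entries used in the article.
SAMPLE_SUDOERS = """\
root    ALL=(ALL:ALL) ALL
raaz    ALL=(ALL:ALL) ALL
raaz    ALL=ALL
raaz    ALL=(root) NOPASSWD: /usr/bin/find
raaz    ALL= (root) NOPASSWD: usr/bin/perl, /usr/bin/python, /usr/bin/less, /usr/bin/awk, /usr/bin/man, /usr/bin/vi
raaz    ALL= (root) NOPASSWD: /bin/script/asroot.sh, /bin/script/asroot.py, /bin/script/shell
bob     ALL=(root) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity:8}] {f.user}: {f.command!r}: {f.reason}")
```

Run it against a copy of /etc/sudoers and /etc/sudoers.d/* taken with visudo -c in mind; aliases (User_Alias, Cmnd_Alias) are skipped, so expand them before auditing if your file uses them.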

HAPPY HACKING!!!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Linux Privilege Escalation using Sudo Rights appeared first on Hacking Articles.

Kaspersky discovered a backdoor account and other issues in D-Link DIR-620 Routers

Security experts from Kaspersky have discovered a backdoor account and three other vulnerabilities in D-Link DIR-620 routers.

Security researchers from Kaspersky Lab have uncovered a backdoor account (CVE-2018-6213) in the firmware of D-Link DIR-620 routers that could be exploited by attackers to access the device’s web panel and take over devices exposed online.

“The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data, e.g., configuration files with plain-text passwords.” reads the blog post published by Kaspersky.

“The vulnerable web interface allows an unauthenticated attacker to run arbitrary JavaScript code in the user environment and run arbitrary commands in the router’s operating system (OS).”

To prevent abuse, the experts did not disclose the credentials for the backdoor account.

D-Link DIR-620 rev-F1

The bad news is that it is impossible to disable the backdoor account; the only way to mitigate the issue is to avoid exposing the admin panel online.

The firmware version containing the backdoor account is 1.0.37.

Kaspersky researchers have discovered three other vulnerabilities in the firmware of the D-Link DIR-620 routers. The remaining issues are:

  • CVE-2018-6210 – Hardcoded default credentials for Telnet
  • CVE-2018-6211 – OS command injection
  • CVE-2018-6212 – Weakness in user data validation (reflected cross-site scripting)

Fortunately, there aren’t many D-Link DIR-620 devices exposed online because it is an old model.

The flawed devices were distributed by ISPs in Russia, the CIS and Eastern Europe (most of them in Russia); Kaspersky has already reported the flaws to the ISPs.

D-Link DIR-620 shodan

D-Link was notified of the vulnerabilities but said it will not issue firmware updates to address them.

To mitigate the issues Kaspersky recommends:

  • Restrict any access to the web dashboard using a whitelist of trusted IPs
  • Restrict any access to Telnet
  • Regularly change your router admin username and password

Pierluigi Paganini

(Security Affairs – D-Link DIR-620, hacking)

The post Kaspersky discovered a backdoor account and other issues in D-Link DIR-620 Routers appeared first on Security Affairs.

CVE-2018-11399

SimpliSafe Original has Unencrypted Sensor Transmissions, which allows physically proximate attackers to obtain potentially sensitive information about the specific times when alarm-system events occur.

CVE-2018-11400

In SimpliSafe Original, the Base Station fails to detect tamper attempts: it does not send a notification if a physically proximate attacker removes the battery and external power.

Imagery for Cyber-Security and Cyber-Warfare

freelancer.com - Imagery used in media for cyber-security and cyber-warfare has become stale. We are all used to (and tired of) the Matrix style green lines of code streaming across a screen, we have all seen dozens …


Tweeted by @WarOnTheRocks https://twitter.com/WarOnTheRocks/status/999495218071261184

Cyber Intelligence Analyst (GCO) | Poland

raketera.com - Job Position: Cyber Intelligence Analyst (GCO) Job Description: HRO Recruitment – Krakow, Malopolskie – HRO Recruitment is a specialist traditional recruitment business. HRO Recruitment is a brand of…


Tweeted by @raketeradotcom https://twitter.com/raketeradotcom/status/999495089062858752

Money’s Better Than E-Cigs Or Nicotine Gum At Helping Smokers Quit, Says Study

An anonymous reader quotes a report from Reuters: Providing free electronic cigarettes or other stop-smoking products to employees to get them to give up real cigarettes is less effective than the threat of taking away a cash reward for quitting, according to a new study that weighs the effectiveness of a variety of workplace incentive programs. The findings, published in The New England Journal of Medicine, call into question the claims by e-cigarette enthusiasts that the devices may be better than traditional quit aids at helping smokers to stop. The study is also significant because it may be the first to look at programs to get all smoking employees to quit, whether or not they've decided they want to do so. The results show that if the motivation isn't there, neither are the positive results. 9.5 percent of participants who got the free smoking cessation products plus a cash reward ($100 for the first month, an additional $200 at the three-month mark and $300 if they stayed smoke-free for six months) for staying away from tobacco quit.

Read more of this story at Slashdot.

Why You Need to Master the Basics – A Three Step Campaign

When I was growing up, my father enrolled me in martial arts at an early age. I liked everything about it. I liked the friends I made, I liked the sense of achievement getting the next belt, I liked breaking boards, but more than anything, I liked to fight. Furthermore, I liked to win. The […]… Read More

The post Why You Need to Master the Basics – A Three Step Campaign appeared first on The State of Security.


Trade Recommendation: Omisego

Although we have had a difficult period today with the major selloff in Cryptoland there are some bright spots of hope. The Omisego chart has shown us a short term bias shift to the upside with the Daily Pivot Range beneath our current price. This is our support level for the near term with good […]

The post Trade Recommendation: Omisego appeared first on Hacked: Hacking Finance.

FBI exaggerated inability to access encrypted devices in promotion of ‘Going Dark’ problem

The FBI has misled Congress and the public about the extent to which encrypted cellphones are hampering federal investigations by preventing authorities from accessing the devices, presumably to support the agency’s own agenda to gain backdoor access to them. The FBI claimed that its investigators were locked out of nearly 7,800...


Top cyber security companies to invest in

ig.com - The Facebook crisis has been a reminder of the potential attraction of an alternative approach to technology investments – investing in cyber security. Cyber-related threats are ranked as higher thre…


Tweeted by @CybersecuritySF https://twitter.com/CybersecuritySF/status/999468628394303488